Dailydave mailing list archives
Blackhat Windows 2004 Report
From: Dave Aitel <dave () immunitysec com>
Date: Mon, 02 Feb 2004 12:51:40 -0500
Here's my BlackHat Windows 2004 Report. (Seattle)

My talk:

Here is a picture of people during my talk. For those of you with wussy mail servers that can only handle a teeny tiny message of 50K or whatever, please check the archives to see it, cause this message is going to bounce.

Ok. That's not entirely accurate. This is a picture of people right before my talk. The room did eventually fill up. At the beginning of my talk I said: "Free "Hacker's Handbook" to the best question, so think of a good question." Of course, I completely forgot to keep track of which question I thought was best, and who they were from, so at the end I just gave it out randomly.

I rewrote my talk. After you give a talk, any talk, three times, it starts to bore you, so I did some massive elaboration and had a "bonus talk" at the end which was about 6 0days entitled "Enterprise-ware is your chewy center". I'll release my slidepack as soon as those vendors release patches, so probably next week. There was one guy sitting in front (not pictured above) who wrote every 0day down and then I asked him who he worked for, and he said, "Nobody". I think he worked for the FBI. Of course, the point of my talk was not that "there are 0day" but that Enterprise-ware is so weak that even a CISSP can find 0day in it. So one or two 0day in any given product really doesn't make a dent.
One of the things I always do after a conference is go down the list and say which talks I liked, which I didn't like, and which I heard were really good, but I didn't get a chance to go to.
I liked David Litchfield's heap overflow talk, especially the last 5 minutes. Most of the talk was a good overview of heap overflows on Windows, which is something a lot of people need, but the last bit was counter-intuitive stuff, which pretty much everyone needs.
For some reason I was scheduled across from Halvar, which was a tough call for a lot of people, I hear. After my talk, I was pretty burnt out, so I didn't get to see Capturing Windows Passwords Using the Network Provider API (Sergey Polak) or Auditing ActiveX Controls (Cesar Cerrudo), both of which were probably good. I did catch Hidenobu Seki's "Fingerprinting through Windows RPC". His native language is Japanese, not English. I find whenever this is the case, that often the slow pace of a talk can hide the really good stuff. He demonstrated some programs he'd written for doing password brute forcing against a Windows box. He also showed how you could enumerate users on a Windows box, even with the security setting against that turned on. He also showed how you could start an AT job if you had a username and password, using RPC. Nothing rocket science, but it's very good to see it all put together in one thing. I.e. another CANVAS module that I think people will find useful is going to be an enumeration, brute-forcing, and AT-job starting module chain. (For kicks, I'll probably also add an "AT Service" starting module.)
I hear "Nobody's Anonymous - Tracking Spam" (Curtis Kret) was really really good. The title makes it sound fairly fluffy, but apparently it was highly amusing.
2nd day:

I missed Richard Thieme's keynote. That second day keynote is a TOUGH one to make. Microsoft had a big party the night before in the Space Needle and it swayed in the rain, making us all think we were really drunker than we were. I don't know how this made us drink more, but it did. It was funny to see Halvar and the Microsoft prefix guy talk for a while.
By the time I woke up and got downstairs, Steve Hofmeyr (Sana Security) was partly through his talk on "Preventing Intrusions and Tolerating False Positives". My rum-addled opinion the night before was that ANY physical-world analogy to the information security space was a poor match. In the light of day, I still think that when you compare the computer security space to a person's immune system, you're making a lot of implicit assumptions that a good hacker won't make. I know this goes against the grain for a lot of people, but I think a good example is the "house" metaphor, which seems to gain new life with every new class of CISSPs. Physical metaphors, if they give us new insights into computer security, carry a high price tag of implicit assumptions and built-in weaknesses. This talk had some really interesting approaches to defeat worms. The defeating worms problem is a lot easier than the defeating multi-stage attackers problem.
I also saw the "Lessons learned when the cisco guys went to windows" talk from FX, which was really good. Some highlights:
o An Ollydbg script to find good return addresses
o Better Unicode shellcode (20% better than mine!) :>
o SAP 0day a-plenty!

The final talk I went to, since I was pretty burned out by talks by now, was the Trusted Computing 101 (David Blight). The thing about Palladium talks is they never walk through the real examples in the beginning. Here is how the talk would work if I did it:

Slide 1. GPG on a unix machine where root gets hacked but the GPG key is still safe because of Pd storage
Slide 2. Dell signs my machine, which is why this works (a diagram)
Slide 3. Your bank authenticates your machine in order to let you do a wire transfer with Pd, even though your box is haxored.

See, those three slides explain Pd better than a thousand slides on the "Nexus" et al.
Anyways, that's the end of this report. My fingers are tired and I have to do real work now. Feel free to comment.
Dave Aitel
Immunity, Inc.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave