[ISN] Black Hat Conference puts spotlight on NAC, Vista and rootkits

From: InfoSec News (alerts@private)
Date: Thu Jul 27 2006 - 22:30:48 PDT


By Ellen Messmer and Tim Greene 

The annual Black Hat Conference, which opens July 29 at Caesar's Palace in 
Las Vegas, brings together security researchers and vendors in a 
freewheeling atmosphere aimed at laying bare the risks and vulnerabilities 
in IT products.

Like Vegas itself, Black Hat is a gamble where anything can happen, and 
this year will be no exception, with security specialists taking 
well-aimed shots at two of the industry's biggest targets: Microsoft's 
Vista software and myriad vendors with network access control (NAC)  

With Vista still in beta, Microsoft, a key sponsor of Black Hat this year, 
is inviting Black Hat attendees - 3,000 are anticipated - to identify any 
security shortcomings they can in the Vista code. In a novel and candid 
way, Microsoft product managers and engineers will present six sessions on 
Windows Vista and its security during the conference, challenging anyone 
there to rip Vista security apart.

Microsoft will find more than enough takers for that challenge.

Joanna Rutkowska, senior security researcher at Singapore-based security 
firm COSEINC, will demonstrate a new rootkit for Vista during her 
presentation "Subverting Vista kernel for fun and profit." A rootkit is 
software that hides malicious code or computer processes, making it a 
danger to users.

Called Blue Pill, Rutkowsk's rootkit is based on Advanced Micro Devices' 
Storage Virtualization Manager Pacifica's virtualization technology. She 
says Blue Pill is undetectable and easily installed, and doesn't require 
the perpetrator to exploit a weakness in the underlying operating system.

In addition to demonstrating Blue Pill, Rutkowska will show how it's 
possible to circumvent Vista security by loading only digitally signed 
code into the kernel. "It's very impressive," says Marc Maiffret, founder 
and chief hacking officer at eEye Digital Security, who saw the Blue Pill 
rootkit and technique for bypassing Vista's security in Singapore a week 
ago at the SyScan Conference, where Rutkowska first made them public.

Her bypass technique might not be a flaw Microsoft can fix easily with a 
software patch, says Maiffret. "It seems to be an architectural problem 
with Vista," he says. Rutkowska agrees it's a design issue and will 
propose a few ways Microsoft might consider changing Vista to eliminate 
the security-bypass problem. Vista's code-signing protection was devised 
as a way to stop malware, such as kernel rootkits and back doors, from 
being loaded into the Vista kernel, says Rutkowska, but her Black Hat 
presentation will show Vista is as vulnerable to the same kernel malware 
threats as its predecessors.

Although the first version of Blue Pill she developed is for Vista, 
there's no reason a Blue Pill couldn't be made for other operating systems 
as well, she says. She adds neither she nor her firm will release the 
code, which could be used for malicious purposes.

Microsoft had no comment when questioned about Blue Pill and the Vista 
security-bypass technique. Black Hat will present other sessions on 
rootkits, including ones by Greg Hoglund, founder of the Rootkit.com Web 
site, Jamie Butler, CTO at Komoku, and Komoku's president, William 

Among the other sure-to-be-controversial conference topics: Ofir Arkin, 
CTO of Insightix, is expected to detail the risks inherent in using the 
array of NAC products on the market today. NAC is a term now used to 
describe an array of methods to determine and enforce endpoint security. 
(Read about what Pitney Bowes is doing with NAC technology.  [1])  Cisco 
and Microsoft are prominent among the scores of companies offering NAC 
products, and the Trusted Computing Group has devised standards for it.

Arkin's session at Black Hat, "Bypassing network access control systems," 
is expected to cover the "flaws associated with each and every NAC 
solution" and how "these flaws allow the complete bypass of each and every 
[NAC] mechanism currently offered in the market," according to the Black 
Hat agenda's description. He says he won't mention specific NAC products 
in his talk but will explain the various categories of NAC products and 
point out potential bypasses, so customers considering buying them will 
recognize there may be holes to plug. "The purpose of the presentation is 
to educate people that they need to look better into this market and 
understand what they are receiving from [NAC] solutions so they can fill 
the gap they might currently have," Arkin says.

Insightix itself makes NAC software that Arkin says gets around some of 
the problems, but he says he will refrain from making a product pitch. 
Some vendors could see his talk as denigrating the competition while 
boosting his own fortunes. Cisco, for one, which expects to monitor the 
Arkin talk, says it's reserving comment until Arkin's presentation on 

Arkin says he will detail NAC's inherent problems by discussing the broad 
categories of technical elements NAC schemes typically use, including DHCP 
proxies, broadcast listeners, 802.1x and endpoint security assessment. For 
example, he says he will point out that the DHCP proxies used to enforce 
network access controls can be bypassed by a network insider issuing a 
static IP address to a malicious device that wouldn't have to deal with 
DHCP, or spoofing the device as a printer, switch or other device likely 
to be exempt from NAC assessment.

"As long as users understand these solutions are not perfect and take 
other measures, then I do my job right," Arkin says.

All contents copyright 1995-2006 Network World, Inc.  

[1] http://www.networkworld.com/news/2006/073106-pitney-bowes.html

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Thu Jul 27 2006 - 22:40:29 PDT