http://www.networkworld.com/news/2007/072307-black-hat.html

By Ellen Messmer
Network World, 07/23/07

Rigorous and sometimes raw disclosure of network vulnerabilities will all be part of the action at next week's back-to-back hackfests, Black Hat and Defcon in Las Vegas. Exploits that can lure wireless LAN users into phony access points, plus discussions of how to break into computers by manipulating coding errors, will be hot topics.

At one session, AirTight Networks will demonstrate how phony WLAN access points can be set up to trick a WLAN user into using them -- an attack AirTight says neither its intrusion-prevention system (IPS) nor anyone else's can stop. We call it multipot, and we accidentally stumbled upon this observation in our own testing, says Pravin Bhagwat, CTO at AirTight, about its planned demo at Defcon.

The multipot attack, according to Bhagwat, is a variation on the Evil Twin ploy, in which a single WLAN access point is given a spoofed Service Set Identifier based on the SSID of a legitimate wireless access point, something done through WLAN sniffing. With Evil Twin, the attacker sits in the path of the network, monitoring the user with the purpose of stealing log-in credentials and observing other traffic, says Bhagwat. Today's IPS can thwart this by keeping track of authorized access points and breaking the connection, he says.

But to his dismay, Bhagwat says AirTight has found that if the attacker has set up two or more controlled Evil Twin access points to lure in a single WLAN user, the IPS is ineffective at repelling the attack. You kill one connection but the new one is enabled, says Bhagwat. Why can't you knock both off at the same time? Because you need a sensor to transmit and it can only transmit one at a time. It's a cat-and-mouse game. Bhagwat says AirTight will be doing the multipot demonstration at Defcon because there's a need in this industry to become aware of this so new technologies can be developed.
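The Evil Twin and multipot situations described above, viewed from the IPS side, as an added example that is neither AirTight's code nor part of the article: it compares observed beacons against an authorized (SSID, BSSID) list and reports whether an SSID is being advertised by a single rogue BSSID (an Evil Twin) or by two or more at once (the multipot condition, where containing one connection still leaves another available). The SSID names, MAC addresses, scan records and function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ROGUES 16

/* One observed beacon frame, reduced to the two fields an IPS compares:
 * the advertised SSID and the transmitting BSSID (AP MAC address). */
struct beacon {
    const char *ssid;
    const char *bssid;
};

/* Authorized (SSID, BSSID) pairs, as an IPS keeps them. Constructed sample data. */
static const struct beacon authorized[] = {
    { "corp-wifi", "00:11:22:33:44:55" },
    { "corp-wifi", "00:11:22:33:44:56" },
};
#define N_AUTHORIZED (sizeof authorized / sizeof authorized[0])

/* Constructed scan: both legitimate APs plus two rogue BSSIDs advertising
 * the corporate SSID at the same time (the multipot situation). */
static const struct beacon scan_multipot[] = {
    { "corp-wifi", "00:11:22:33:44:55" },
    { "corp-wifi", "aa:bb:cc:dd:ee:01" },
    { "guest",     "00:11:22:33:44:57" },
    { "corp-wifi", "aa:bb:cc:dd:ee:02" },
    { "corp-wifi", "aa:bb:cc:dd:ee:01" },  /* same rogue seen twice */
    { "corp-wifi", "00:11:22:33:44:56" },
};
#define N_SCAN_MULTIPOT (sizeof scan_multipot / sizeof scan_multipot[0])

static int is_authorized(const struct beacon *b) {
    for (size_t i = 0; i < N_AUTHORIZED; i++)
        if (strcmp(authorized[i].ssid, b->ssid) == 0 &&
            strcmp(authorized[i].bssid, b->bssid) == 0)
            return 1;
    return 0;
}

/* Collect the distinct unauthorized BSSIDs advertising `ssid` in `seen`.
 * Returns the count; up to MAX_ROGUES BSSID strings are written to `out`. */
int rogue_bssids(const char *ssid, const struct beacon *seen, size_t n,
                 const char *out[MAX_ROGUES]) {
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(seen[i].ssid, ssid) != 0 || is_authorized(&seen[i]))
            continue;
        int dup = 0;
        for (int k = 0; k < count; k++)
            if (strcmp(out[k], seen[i].bssid) == 0) { dup = 1; break; }
        if (!dup && count < MAX_ROGUES)
            out[count++] = seen[i].bssid;
    }
    return count;
}

/* 0 = only authorized APs advertise the SSID, 1 = one rogue (Evil Twin),
 * 2 = two or more rogues at once (multipot: knocking one off leaves another). */
int classify_ssid(const char *ssid, const struct beacon *seen, size_t n) {
    const char *rogues[MAX_ROGUES];
    int r = rogue_bssids(ssid, seen, n, rogues);
    return r == 0 ? 0 : (r == 1 ? 1 : 2);
}

int main(void) {
    const char *rogues[MAX_ROGUES];
    int r = rogue_bssids("corp-wifi", scan_multipot, N_SCAN_MULTIPOT, rogues);
    printf("corp-wifi: %d rogue BSSID(s), class %d\n", r,
           classify_ssid("corp-wifi", scan_multipot, N_SCAN_MULTIPOT));
    for (int i = 0; i < r; i++)
        printf("  rogue %s\n", rogues[i]);
    return 0;
}
```

The point of the classification is the operational one Bhagwat makes: a class-1 result is something a single containment action can address, while a class-2 result means the sensor's one-at-a-time transmit budget is already outmatched and the alert should be escalated rather than relied on for containment.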
AirTight says it's experimenting with a new defense but doesn't expect to be able to publicly reveal it until later in October.

A session at Black Hat that could provoke discussion will show how it's possible to remotely compromise servers by exploiting poor software coding, called dangling pointers, that developers might leave in C or C++ applications. Danny Allen, director of security research at Watchfire, which will be demonstrating the attack, describes a dangling pointer as a software error in which a pointer that's supposed to indicate a specific address in memory holding a particular software object is actually pointing to an address in memory that doesn't hold anything.

Dangling pointers were never deemed to be a security risk, but we'll show a way to automate remote command execution to alter the pointer to look at the place where we have the ability to write code, says Allen. You can automate where you want malicious code to be. We're not trying to find your dangling pointers for you, but we'll show how they can be exploited to take root control of the machine.

Microsoft earlier this month released a patch for Microsoft Internet Information Server after Watchfire recently showed Microsoft how a dangling-pointer code flaw it had left unfixed for two years could be manipulated, says Allen. Microsoft never fixed this before because it wasn't considered a security issue, says Allen. But in the Black Hat demonstration, Watchfire will present a tool -- which it won't generally release -- that will show how to redirect dangling pointers and upload a malicious-code payload to a target, in this case an unpatched version of Microsoft IIS. Understanding of the security risk of dangling pointers is in its infancy, says Allen, but it should be on the radar screen.
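As an added illustration of the defect Allen describes (this is not Watchfire's tool or code, and it shows the bug and its fix, not exploitation), here is the C shape of a dangling pointer beside the hardened release pattern. The `request` type, the `request_*` function names and the sample path are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A small heap object standing in for the "software object" the article
 * mentions. Constructed for this example. */
struct request {
    char path[64];
    int  status;
};

struct request *request_new(const char *path) {
    struct request *r = calloc(1, sizeof *r);
    if (r == NULL) return NULL;
    snprintf(r->path, sizeof r->path, "%s", path);
    r->status = 200;
    return r;
}

/* BUGGY shape: frees the object but leaves the caller's pointer unchanged.
 * After this returns, the caller's variable is a dangling pointer: it still
 * holds the old address, but that memory may be handed out again by any later
 * allocation. Any dereference through it is undefined behaviour, which is the
 * condition the Black Hat talk builds on. */
void request_free_leaky(struct request *r) {
    free(r);
    /* `r` is a local copy; the caller's pointer still names freed memory. */
}

/* HARDENED shape: take the caller's pointer by address and null it after the
 * free, so later code can detect "already released" instead of touching
 * freed memory. A second call on the same handle is a harmless no-op. */
void request_free(struct request **rp) {
    if (rp == NULL || *rp == NULL) return;
    free(*rp);
    *rp = NULL;
}

/* Reads the status through the handle. Returns -1 for a released (NULL)
 * handle rather than dereferencing it. */
int request_status(const struct request *r) {
    if (r == NULL) return -1;
    return r->status;
}

int main(void) {
    struct request *r = request_new("/index.html");
    printf("status before release: %d\n", request_status(r));
    request_free(&r);
    printf("status after release: %d\n", request_status(r));  /* -1, not a use-after-free */
    request_free(&r);                                          /* double release: no-op */
    return 0;
}
```

Nulling the pointer does not find dangling pointers for you, as Allen puts it, but it turns the ones that go through this release path from silent memory reuse into an explicit, checkable "no object here" state.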
Other sessions scheduled for Black Hat and Defcon next week include:

* Several presentations on the topic of fuzzing, the investigative process of using specialized tools to run scripts that are tuned to throw garbled data at an application in order to see how it handles it, with the aim of discovering unwanted code-execution risks. At one such session, researchers from TippingPoint are expected to discuss Sulley, an open source fuzzing tool being released at Black Hat.

* Security in VoIP will get a critical review from Barrie Dempster, senior security consultant at NGS Software, and in a separate session, from Himanshu Dwivedi, founding partner at iSec Partners, who will detail exploits against the VoIP protocols IAX and H.323. NGS Software director of research John Heasman will also present on the security implications of Apple's preboot environment for Intel-based Macintoshes, the Extensible Firmware Interface.

* Sipera Systems product manager Sachin Jogelar is expected to discuss vulnerabilities associated with dual-mode VoIP phones that can automatically switch between Wi-Fi and cellular networks.

* Researcher Roger Dingledine will discuss how the Tor anonymity network he helped develop will be extended to make it harder to block users accessing it.

* In a session entitled Hacking Capitalism, Matasano Security researchers will detail the specialized protocols used by the financial industry to execute billions of dollars in trades, and discuss the flaws inherent in them. In a separate session, Matasano Security promises to reveal vulnerabilities in data-leakage prevention products.

* Researchers from Germany-based ERNW GmbH are scheduled for a talk about Cisco Network Admission Control and its purported design flaws.
* Security researchers Joanna Rutkowska and Alexander Tereshkin, both with Invisible Things Lab, are scheduled to present some new findings about virtualization-based malware, new methods for compromising the Vista x64 kernel and the supposed irrelevance of the Trusted Platform Module and BitLocker. Rutkowska gave a presentation on rootkits and Microsoft software at last year's Black Hat that won a standing ovation from the audience. As a counterpoint at this year's event, though, Symantec researchers will take an opposing view in their presentation entitled Don't tell Joanna, the Virtualized Rootkit is Dead. At this session, Symantec will disclose techniques for detecting any trace of virtual-machine malware, though not necessarily eliminating it. Symantec says there's a friendly competition going on now between Rutkowska and Symantec on this.

* IBM Internet Security Systems researchers Mark Dowd, John McDonald and Neel Mehta will discuss C++-based security and vulnerabilities that can exist in C++ applications, some of which may not have been publicly disclosed before.

* HD Moore, director of security at BreakingPoint Systems and founder of the Metasploit Project, will discuss new techniques for compromising organizations, along with new modules that will be available for the Metasploit Framework, an open source exploit-development platform.

* Websense researchers Stephen Chenette and Moti Joseph plan to discuss how to defend against techniques disclosed earlier this year that allow an attacker to manipulate the browser heap layout using specific sequences of JavaScript allocation.

Social issues won't be overlooked at Black Hat, as Gadi Evron, security evangelist at Beyond Security, takes up the topic of Estonia: Information Warfare and Strategic Lessons in a talk on what happened in Estonia during the massive denial-of-service cyberattack there last April.
And Kenneth Geers, author of several books on nations' and terrorists' interests in cyberspace, war and security, promises to take up provocative topics, including Which countries have the worst Orwellian computer networks?

Some controversy already has swirled around the Black Hat conference, as last month a presentation that promised to undermine chip-based desktop and laptop security was suddenly withdrawn without explanation. The briefing, TPMkit: Breaking the Legend of [Trusted Computing Group's Trusted Platform Module] and Vista (BitLocker), promised to show how computer security based on trusted platform module hardware could be circumvented. No explanation was forthcoming from Black Hat or the researchers.

All contents copyright 1995-2007 Network World, Inc.

_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Mon Jul 23 2007 - 22:36:31 PDT