Hundreds of security professionals and system administrators attended Black Hat USA 2010 in Las Vegas. Black Hat conferences always attract thought leaders from all facets of the information security world, including the corporate and government sectors, as well as a large group of researchers. The following are a few highlights of the presentations delivered during the Black Hat USA 2010 briefings.
On Wednesday, July 28, Ben Feinstein, Jeff Jarmoc and Dan King, from SecureWorks, delivered a presentation titled “The Emperor Has No Clothes: Insecurities in Security Infrastructure.” In their presentation, they described several vulnerabilities in Cisco ASA and McAfee’s Network Security Manager console. All the vulnerabilities described in the presentation were responsibly coordinated with Cisco prior to disclosure. Mr. Jarmoc demonstrated a vulnerability in Cisco ASA that could allow an attacker to bypass access control lists (ACLs). This vulnerability was addressed in a Cisco Security Advisory published on April 8, 2009, and it has been fixed in all affected releases. Successful exploitation of this vulnerability may allow an attacker to access resources that should be protected by the Cisco ASA.
Jarmoc also found issues with the authentication mechanisms of Cisco’s Adaptive Security Device Manager (ASDM). These limitations could allow an attacker to gain administrator credentials and execute code by leveraging a cross-site request forgery (CSRF) attack. Mr. King demonstrated a cross-site scripting (XSS) attack against the centralized management console of McAfee’s Network Security Manager. XSS is a flaw within web applications that enables malicious users, vulnerable websites, or owners of malicious websites to send malicious code to the browsers of unsuspecting users. The malicious code is usually a script embedded in the URL of a link (reflected XSS), or it may be stored on the vulnerable server or on a malicious website (stored XSS).
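To make the two XSS variants described above concrete, the following is an added example (not code from the original post, SecureWorks, or McAfee) of a minimal search page and comment list rendered two ways: the unsafe form copies untrusted input straight into HTML, and the hardened form HTML-escapes every untrusted value at output time. The URL, the comment store and the sample inputs are constructed for this illustration.

```python
# Added example: reflected and stored XSS, with the unsafe renderer beside
# its hardened counterpart. The console URL, the comment store and the
# sample inputs below are constructed for illustration only.
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed input of the kind a crafted link would carry in its URL.
SAMPLE_URL = "http://console.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query-string parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_unsafe(url: str) -> str:
    """Reflected XSS: the query parameter is copied into the page verbatim."""
    q = query_param(url, "q")
    return f"<h1>Results for {q}</h1>"


def render_search_safe(url: str) -> str:
    """Hardened: the untrusted value is HTML-escaped before it is emitted."""
    q = query_param(url, "q")
    return f"<h1>Results for {escape(q, quote=True)}</h1>"


# Stored variant: comments persisted by the server and shown to every viewer.
COMMENTS: list[str] = []


def post_comment(text: str) -> None:
    """Store the comment as submitted; encoding happens at output, per context."""
    COMMENTS.append(text)


def render_comments_unsafe() -> str:
    """Stored XSS: each stored comment is emitted as raw HTML."""
    return "".join(f"<li>{c}</li>" for c in COMMENTS)


def render_comments_safe() -> str:
    """Hardened: each stored comment is escaped for the HTML body context."""
    return "".join(f"<li>{escape(c, quote=True)}</li>" for c in COMMENTS)


def contains_markup(html: str) -> bool:
    """Crude check used only to contrast the two renderers: does any '<' survive?"""
    return "<" in html.replace("<h1>", "").replace("</h1>", "").replace("<li>", "").replace("</li>", "")


if __name__ == "__main__":
    print(render_search_unsafe(SAMPLE_URL))
    print(render_search_safe(SAMPLE_URL))
    post_comment("<img src=x onerror=alert(1)>")
    print(render_comments_unsafe())
    print(render_comments_safe())
```

`html.escape` is correct for the HTML body context shown here; values placed inside JavaScript, URLs or CSS need the encoding for that context, and a Content-Security-Policy header limits the damage when an encoding is missed.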
Note: The Cisco Applied Mitigation Bulletin titled “Understanding Cross-Site Scripting (XSS) Threat Vectors” describes the different types of XSS attacks and provides more information about mitigation and user education.
The presentation “Jackpotting Automated Teller Machines” was originally on the schedule at Black Hat USA 2009, but the talk was pulled at the last minute. This year, however, Barnaby Jack elaborated on attacks against standalone Automated Teller Machines (ATMs). His presentation was quite informative and, at the same time, entertaining. Barnaby demonstrated both local and remote exploitation of vulnerabilities by making these ATMs dispense numerous fake dollar bills in front of the audience.
Dan Kaminsky’s presentation “Black Ops Of Fundamental Defense: Web Edition DNS” started with an introduction to the state of DNSSEC and its relevance to addressing some of the most fundamental security problems on the Internet. He then demonstrated how to deploy a full end-to-end DNSSEC implementation within 2 minutes by using Phreebird. Phreebird is an extremely fast server built with a little over 400 lines of code. He also introduced the concept of DNS over HTTP. Dan demonstrated how to acquire end-to-end trust via DNSSEC by using Domain Key Infrastructure (DKI).
Craig Heffner delivered a presentation titled “How to Hack Millions of Routers.” Craig’s talk did not disclose any new vulnerabilities in endpoint devices; however, it demonstrated how to leverage a flaw in modern browsers to attack consumer networking devices via default credentials and known vulnerabilities. The attacks could potentially be mitigated by following the recommendations provided by Cisco Linksys.
This year Black Hat offered a demo area called “The Arsenal.” The Arsenal allowed independent researchers and the open source community to showcase their work. A few of the presentations included Jason Nehrboss’s presentation titled “Cisco IOS rootkits and malware: a practical guide,” Airtight Networks’ presentation titled “WPA Too!,” and Moxie Marlinspike’s “RedPhone and TextSecure.”
Jason Nehrboss demonstrated how someone who gains the ability to install arbitrary TCL or EEM scripts could “trojan the affected device,” leverage a compromised device to perform network packet captures, and forward or reverse shell connections. His work expands on concepts previously disclosed by several other researchers, such as Felix Lindner (FX) and Christoph Weber, as well as research done by IRM Research.
Sohail Ahmad’s demo called WPA Too! (aka Hole 196) described a deficiency in the Wi-Fi Protected Access 2 (WPA2) protocol. The vulnerability could allow an attacker to steal users’ information by injecting spoofed packets encrypted with the Group Temporal Key (GTK). The attacker must already be logged in to the wireless network in order to successfully launch the attack. If successful, an attacker can sniff and decrypt data from other authorized users.
Note: In autonomous APs, Public Secure Packet Forwarding (PSPF) can be used to mitigate this issue. PSPF prevents client devices associated with the AP from inadvertently sharing files with other client devices on the wireless network. In Lightweight APs, the feature that performs a similar function to PSPF is called peer-to-peer blocking mode and is configured on the Wireless Controller.
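As an added illustration of the mitigation named in the note (not configuration from the original post), the fragments below show where PSPF is enabled on an autonomous AP and where peer-to-peer blocking is set on a Wireless LAN Controller. The radio interface name, bridge-group number and WLAN ID are assumptions for this example; use the values from your own deployment.

```cisco
! Autonomous AP (Cisco IOS): PSPF is enabled per radio interface with the
! port-protected keyword on the bridge group. Dot11Radio0 and bridge-group 1
! are assumed values for this example.
interface Dot11Radio0
 bridge-group 1
 bridge-group 1 port-protected
!
! Verify that port-protected appears under the radio interface.
show running-config interface Dot11Radio0

! Lightweight APs (Wireless LAN Controller CLI): peer-to-peer blocking is set
! per WLAN. WLAN ID 1 is an assumed value. Most WLAN settings can only be
! changed while the WLAN is disabled, so it is disabled and re-enabled here.
(Cisco Controller) > config wlan disable 1
(Cisco Controller) > config wlan peer-blocking drop 1
(Cisco Controller) > config wlan enable 1
(Cisco Controller) > show wlan 1
```

With `drop`, unicast traffic between two clients on the same WLAN is discarded instead of being bridged by the AP; check the `Peer-to-Peer Blocking Action` line in the `show wlan` output after the change. Client isolation does not remove the shared GTK, so it complements rather than replaces upgrading client and AP software as vendors address the issue.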
Moxie Marlinspike demonstrated two free secure calling and text messaging applications for Android phones, as well as other tools such as sslstrip, tortunnel, knockknock, and the wpacracker.com service.
Cisco will continue to monitor the outcomes of the research and activities related to Black Hat, updating our intelligence content as necessary.