Intrepidus Group
Insight

Corey’s 2010 Las Vegas BlackHat DefCon summary

Posted: August 4, 2010 – 10:12 am | Author: | Filed under: Conferences, Mobile Security, Tools

Hey, Corey here, I’ll get the Intrepidus Group con wrap up started, followed by some more posts from the crew.

The IG gang spent last week out in Vegas for the annual BlackHat and DefCon trips. While I missed a handful of high profile talks (like Barnaby Jack making it rain twenties) and even one or two of the talks from the NYC security crew (sorry Marcin, didn’t realize it was a joke when you told us to leave), there were still a number of them that were interesting and I’d recommend checking out when you get the chance.

I’m amazed there’s not more buzz about Craig Heffner’s awesome “How to Hack Millions of Routers” talk. He demonstrated a DNS rebinding trick that appears to be very pervasive across a number of devices. It can allow you to remotely access services on the internal interface of the device. There’s a few conditions required to allow this to happen, but it brings up a point we recently dealt with for one of our servers. Instead of relying on just firewall rules to block a port you don’t want exposed, lock down the service to only listen on the interface you want. So for that webserver you should only hit over an SSH tunnel instead of seeing this in netstat

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN

and then having a firewall rule to block access, lock it down to just the loopback interface:

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN

There were quite a few mobile security talks this year. While the demos failed, I think Grugq’s slides on GSM base station attacks give a great GSM overview for anyone who is unfamiliar with some of the key terms and architecture. Of course Chris Paget’s talks are always entertaining. If you’ve been keeping up with his posts or previous GSM work, the talk was pretty much what you expected. I think one of his best posts recently was just after the iPad hack and really making clear the relationship between ICCIDs and IMSIs here in the US.

Hats off to the Trustwave crew for the Android rootkit and releasing their proof of concept. They did a great job, but I’m a little surprised how much response this has gotten. It seems like this was just waiting for someone to do since day one of Android. Maybe it’s just people don’t realize Android runs Linux under the hood. To me, it just always seemed like a forgone threat that if you’ve got root on a Linux box, you’ll probably be able to have some sort of root kit installed. Guess you need a working demo to drive home the point sometimes.

The Lookout team also had a good overview of Android permissions and some ways around a few of them. They’ve come up with a system for two way internet communication without asking for the INTERNET permission in their manifest.xml file. We’ve been testing their other claim about rebooting the device by creating over 2000 toast messages. While it works in our emulators, it seems the Nexus 1 and Droid Incredible allow the user to force close the application when it starts acting up.

One of the key take always though was to make sure your Android apps in production don’t dump too much  into the logs. We’ve been surprised by the wealth of information we’ve seen Android applications spew, which is great for us during a review, but is not fit for a release version. The talks brought up a good point that other apps can access the log file and mine for data. They can install and just ask for the READ_LOGS permission and the consequence of that for most users would not be obvious.

And no BlackHat 2010 wrap up would be complete without a mention of Mallory. I know others will post more on that, but in case it wasn’t stressed enough, Mallory is a huge time saver if you’re testing mobile applications. The guys did a lot of extra to make sure even SSL wrapped protocols aren’t a problem to get between and man-in-the-middle. It’s really a great tool and cuts down on so much setup time after you’ve got Mallory set up once. (If you’ve ever experienced the pain of realtime editing a packet stream via netsed or ettercap, you will understand why Mallory is the way to go…)

Oh, and in case you missed our t-shirts this year, hit up HigB soon. You want a shirt? He can get you a shirt, believe me. There are ways, dude… but there’s only a few left.

Till next year,,,

(Left to Right: Corey, Clark, and Heitzman)

Both comments and trackbacks are currently closed.

2 Trackbacks

  1. [...] This post was mentioned on Twitter by Rohyt Belani, Intrepidus Group. Intrepidus Group said: One ninja’s #BlackHat and #DefCon summary is here: http://cot.ag/cYLvtP A couple more to come..stay tuned [...]

  2. By Week 31 in Review – 2010 | Infosec Events on August 9, 2010 at 3:58 am

    [...] Corey’s 2010 Las Vegas BlackHat DefCon summary – intrepidusgroup.com The IG gang spent last week out in Vegas for the annual BlackHat and DefCon trips. While I missed a handful of high profile talks. [...]

image

This site is protected with Urban Giraffe's plugin 'HTML Purified' and Edward Z. Yang's Powered by HTML Purifier. 24521 items have been purified.