http://www.networkworld.com/news/2007/072307-black-hat.html
By Ellen Messmer
Network World
07/23/07
Rigorous and sometimes raw disclosure of network vulnerabilities will
all be part of the action at next week's back-to-back hackfests, Black
Hat and Defcon in Las Vegas.
Exploits that can lure wireless LAN users into phony access control
points, plus discussions of how to break into computers by manipulating
coding errors will be hot topics. At one session, AirTight Networks will
demonstrate how phony WLAN access points can be set up to trick a WLAN
user into using them -- an attack AirTight says neither its
intrusion-prevention system (IPS) nor anyone else's can stop.
"We call it multipot, and we accidentally stumbled upon this observation
in our own testing," says Pravin Bhagwat, CTO at AirTight, about its
planned demo at Defcon.
The multipot attack, according to Bhagwat, is a variation on the Evil
Twin ploy, in which a single WLAN access point is given a spoofed
Service Set Identifier based on the SSID of a legitimate wireless access
point, something done through WLAN sniffing.
With Evil Twin, the attacker sits in the path of the network, monitoring
the user with the purpose of stealing log-in credentials and observing
other traffic, says Bhagwat. Today's IPS can thwart this by breaking the
connection, keeping track of authorized access points, he says.
But to his dismay, Bhagwat says AirTight has found if the attacker has
set up two or more controlled Evil Twin access points to lure in a
single WLAN user, the IPS is ineffective at repelling the attack.
"You kill one connection but the new one is enabled," says Bhagwat. "Why
can't you knock both off at the same time? Because you need a sensor to
transmit and it can only transmit one at a time. It's a cat-and-mouse
game."
Bhagwat says AirTight will be doing the multipot demonstration at Defcon
because there's a need in this industry to become aware of this so new
technologies can be developed. AirTight says it's experimenting with a
new defense but doesn't expect to be able to publicly reveal it until
later in October.
A session at Black Hat that could provoke discussion will show how it's
possible to remotely compromise servers by exploiting a poor software
coding practice, dangling pointers, that developers might leave in C or
C++ applications.
Danny Allen, director of security research at Watchfire, which will be
demonstrating the attack, describes a dangling pointer as a software
error in which a pointer that's supposed to indicate a specific address
in memory holding a particular software object is actually pointing to
an address in memory that doesn't hold anything.
"Dangling pointers were never deemed to be a security risk, but we'll show
a way to automate remote command execution to alter the pointer to look
at the place where we have the ability to write code," says Allen. "You
can automate where you want malicious code to be. We're not trying to
find your dangling pointers for you, but we'll show how they can be
exploited to take root control of the machine."
Microsoft earlier this month released a patch for Microsoft Internet
Information Server after Watchfire recently showed Microsoft how a
dangling-pointer code flaw it had left unfixed for two years could be
manipulated, says Allen.
Microsoft never fixed this before because it wasn't considered a security
issue, says Allen. But in the Black Hat demonstration, Watchfire will
present a tool -- which it won't generally release -- that will show how
to redirect dangling pointers and upload a malicious-code payload to a
target, in this case an unpatched version of Microsoft IIS. Understanding
of the security risk of dangling pointers is in its infancy, says Allen,
but it should be on the radar screen.
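A compact illustration of the error Allen describes and the release habit that prevents it, added here as an example and not code from the article or from Watchfire; the session pool, its fields and the function names are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical "session" object, constructed for this example. */
typedef struct {
    int  live;        /* 1 while allocated, 0 once released */
    char user[16];
} session_t;

/* A fixed pool stands in for the heap so released memory can be inspected
   without undefined behaviour; on a real heap, touching it is UB. */
#define POOL_SIZE 4
static session_t pool[POOL_SIZE];

/* Hands out the first free slot, as a simple allocator would. */
session_t *session_new(const char *user) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            strncpy(pool[i].user, user, sizeof pool[i].user - 1);
            pool[i].user[sizeof pool[i].user - 1] = '\0';
            return &pool[i];
        }
    }
    return NULL;
}

/* Buggy release: the slot is freed, but the caller's copy of the pointer
   still holds the old address, so it now points at memory that holds no
   session, or, once the slot is reused, at a different object entirely. */
void session_release_buggy(session_t *s) {
    s->live = 0;
    memset(s->user, 0, sizeof s->user);
}

/* Hardened release: takes the pointer's address and nulls it, so a later
   use fails a NULL check instead of silently reading whatever the slot holds. */
void session_release_safe(session_t **sp) {
    if (*sp == NULL) return;
    (*sp)->live = 0;
    memset((*sp)->user, 0, sizeof (*sp)->user);
    *sp = NULL;
}

/* 1 if s refers to a live slot, 0 if it is NULL or its slot was released.
   A stale pointer to a reused slot still passes: nulling at release is the fix. */
int session_is_valid(const session_t *s) {
    return s != NULL && s->live;
}
```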
Other sessions scheduled for Black Hat and Defcon next week include:
* Several presentations on the topic of fuzzing, the investigative
process of using specialized tools to run scripts that are tuned to
throw garbled data at an application in order to see how it handles it
and to discover unwanted code-execution risks. At one such
session, researchers from TippingPoint are expected to discuss
Sulley, an open source fuzzing tool being released at Black Hat.
* Security in VoIP will get a critical review from Barrie Dempster,
senior security consultant at NGS Software and in a separate session,
from Himanshu Dwivedi, founding partner at iSec Partners, who will
detail exploits against VoIP protocols IAX and H.323. NGS Software
director of research John Heasman will also present on the security
implications of Apple's preboot environment for Intel-based
Macintoshes, the Extensible Firmware Interface.
* Sipera Systems product manager Sachin Jogelar is expected to discuss
vulnerabilities associated with dual-mode VoIP phones that can
automatically switch between Wi-Fi and cellular networks.
* Researcher Roger Dingledine will discuss how the Tor anonymity network
he helped develop will be extended to make it harder to block users
accessing it.
* In a session entitled Hacking Capitalism, Matasano Security
researchers will detail the specialized protocols used by the
financial industry to execute billions of dollars in trades, and
discuss the flaws inherent in them. In a separate session, Matasano
Security promises to reveal vulnerabilities in data-leakage prevention
products.
* Researchers from Germany-based ERNW GmbH are scheduled for a talk
about Cisco Network Admission Control and its purported design flaws.
* Security researchers Joanna Rutkowska and Alexander Tereshkin, both
with Invisible Things Lab, are scheduled to present some new findings
about virtualization-based malware, new methods for compromising the
Vista x64 kernel and the supposed irrelevance of the Trusted Platform
Module and BitLocker. Rutkowska gave a presentation on rootkits and
Microsoft software at last year's Black Hat that won a standing ovation
from the audience. As a counterpoint at this year's event, though,
Symantec researchers will take an opposing view in their presentation
entitled "Don't tell Joanna, the Virtualized Rootkit is Dead." At this
session, Symantec will disclose techniques for detecting any trace of
virtual-machine malware, though not necessarily eliminating it.
Symantec says there's a friendly competition going on now between
Rutkowska and Symantec on this.
* IBM Internet Security Systems researchers Mark Dowd, John McDonald and
Neel Mehta will discuss C++-based security and vulnerabilities that
can exist in C++ applications, some which may not have been publicly
disclosed before.
* HD Moore, director of security at BreakingPoint Systems and founder of
the Metasploit Project, will discuss new techniques for compromising
organizations, along with new modules that will be available for the
Metasploit Framework, an open source exploit-development platform.
* Websense researchers Stephen Chenette and Moti Joseph plan to discuss
how to defend against techniques disclosed earlier this year that
allow an attacker to manipulate the browser heap layout using specific
sequences of JavaScript allocation.
Social issues won't be overlooked at Black Hat, as Gadi Evron, security
evangelist at Beyond Security, takes up the topic of "Estonia:
Information Warfare and Strategic Lessons" in a talk on what happened in
Estonia during the massive denial-of-service cyberattack there last
April.
And Kenneth Geers, author of several books on nations' and terrorists'
interests in cyberspace, war and security, promises to take up
provocative topics, including "Which countries have the worst Orwellian
computer networks?"
Some controversy already has swirled around the Black Hat conference, as
last month a presentation that promised to undermine chip-based desktop
and laptop security was suddenly withdrawn without explanation. The
briefing, "TPMkit: Breaking the Legend of [Trusted Computing Group's
Trusted Platform Module] and Vista (BitLocker)," promised to show how
computer security based on trusted platform module hardware could be
circumvented. No explanation was forthcoming from Black Hat or the
researchers.
All contents copyright 1995-2007 Network World, Inc.