Archive for August, 2009

Black Hat 2009

I’m increasingly involved in security and thus managed to make a brief appearance at the Black Hat 2009 Briefings in Las Vegas.

I enjoyed the program. Here are some of my personal take-aways and favorite sound bites.

Smartphones. There will be exploits:

  • Target volumes and the personal data on the devices are becoming interesting, really interesting
  • Hordes of first-time programmers writing code … which raises the importance of an application/system separation that one can actually depend on
  • Also, some seasoned engineers who built highly reliable telco protocols (e.g., SS7, SMS) are now asked to operate in a hostile, open world … the price of convergence
  • Case in point: at Black Hat some folks gave a public account of an iPhone vulnerability exposed through an SMS attack vector. Before Black Hat was over, Apple issued the v3.0.1 patch release (though they had been given a few weeks' lead on this exploit)

Smartphones. There will be patches:

  • What’s a reasonable time-to-patch benchmark given the gazillions of units in the field?
  • Apple’s “monoculture” can play out as a strength (homogeneous field, iTunes-centralized lifecycle for patches) and a weakness (magnet for new targeted exploits)
  • Others will have to ripple their patches through OS release cycles, hardware manufacturers, providers’ security policies, and the various QA cycles therein

Smartphones. There will be tussles:

  • The Apple/Google one is already capturing the news
  • Microsoft and Nokia won’t let it go by without a fight
  • Android’s licensing model (Apache-style, no permission needed to use it) is bound to make waves across the whole mobile OS segment (some impressive uptake numbers were reported by presenters)

Cloud Computing:

  • Hackers/rootkit authors have taken notice of the Cloud but are still struggling to figure out the new implications (New attack vectors? Is everything Cloud Computing?). Just like everyone else!
  • SaaS/PaaS exploits: is there any new “Cloud” material here beyond the OWASP Top 10 vectors!?
  • IaaS exploits: is there any new “Cloud” material here beyond VM attack vectors (such as device driver flaws or pseudo-random number generation)!?
  • A presenter talked about legal and regulatory implications (e.g., data is subpoenaed and then what) — this was distinctively “Cloud”

Miscellaneous:

  • Bruce Schneier provided some excellent food for thought on the psychology of security (ref. to his essay)
  • Chain validation of X.509 certs is still a weak spot after all these years… Basic Constraints are not enforced properly, and OCSP is easily subverted by toggling a return code that is, inexplicably, left outside the signature (I haven’t had a chance to validate this claim). Net out, end-to-end SSL is less secure than we think…
  • According to a presenter, the hacker-proof shield of Cisco IOS stems from the 250,000+ different IOS images produced by just as many release trains since inception. To hackers’ detriment, each image scrambles waymarks and other reference points, thus making it virtually invulnerable
  • I wrote about my serendipitous Mach OS encounter in an earlier post
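
The Basic Constraints half of the X.509 point above, as an added example (not code from this post or from any of the talks): a toy path validator in which certificates are dicts and HMAC-SHA256 tags keyed with a per-issuer secret stand in for RSA/ECDSA signatures (all names and secrets are constructed). The chain-walking logic is the part being demonstrated: a validator that checks only signatures and name chaining accepts a chain in which an ordinary end-entity certificate has signed a certificate for someone else’s name; enforcing the cA flag of Basic Constraints on every issuer rejects it.

```python
"""Toy X.509 path validation with and without the Basic Constraints check.

Added example, not code from the post or from any Black Hat talk. Certificates
are plain dicts and "signatures" are HMAC-SHA256 tags keyed with a per-issuer
secret (a constructed stand-in for RSA/ECDSA). The chain-walking logic, which
is what some TLS clients got wrong, is the part being demonstrated."""
import hashlib
import hmac
import json

# Constructed toy PKI: each key holder's secret stands in for its private key.
SECRETS = {
    "Root CA": b"root-secret",
    "Intermediate CA": b"intermediate-secret",
    "victim.example": b"victim-secret",  # an ordinary end-entity certificate holder
}


def to_be_signed(subject, issuer, is_ca):
    """Canonical 'tbsCertificate' bytes of a toy cert (cA is the Basic Constraints flag)."""
    return json.dumps({"subject": subject, "issuer": issuer, "cA": is_ca}, sort_keys=True).encode()


def sign(issuer, data):
    return hmac.new(SECRETS[issuer], data, hashlib.sha256).hexdigest()


def issue(subject, issuer, is_ca):
    """Anyone holding a key can sign a cert; nothing stops a leaf from doing so.
    Only the verifier can refuse to trust the result."""
    return {"subject": subject, "issuer": issuer, "cA": is_ca,
            "sig": sign(issuer, to_be_signed(subject, issuer, is_ca))}


def signature_ok(cert, issuer_cert):
    expected = sign(issuer_cert["subject"], to_be_signed(cert["subject"], cert["issuer"], cert["cA"]))
    return hmac.compare_digest(cert["sig"], expected)


def validate_chain(chain, trust_anchor, enforce_basic_constraints):
    """chain[0] is the leaf; chain[-1] must be signed by trust_anchor. Returns (ok, reason)."""
    issuers = chain[1:] + [trust_anchor]
    for cert, issuer in zip(chain, issuers):
        if cert["issuer"] != issuer["subject"]:
            return False, "name chaining broken at " + cert["subject"]
        if not signature_ok(cert, issuer):
            return False, "bad signature on " + cert["subject"]
        # The check that was missing: the signer must itself be a CA (cA=TRUE).
        # A real validator also enforces pathLenConstraint and key usage here.
        if enforce_basic_constraints and not issuer["cA"]:
            return False, issuer["subject"] + " signed a cert but is not a CA"
    return True, "ok"


ROOT = issue("Root CA", "Root CA", True)                     # self-signed trust anchor
INTERMEDIATE = issue("Intermediate CA", "Root CA", True)
VICTIM = issue("victim.example", "Intermediate CA", False)  # legitimately issued leaf
# The attack: the holder of victim.example's key signs a cert for someone else's name.
FORGED = issue("bank.example", "victim.example", False)

HONEST_CHAIN = [VICTIM, INTERMEDIATE]
ATTACK_CHAIN = [FORGED, VICTIM, INTERMEDIATE]


def demo():
    """Results for the honest chain and the leaf-signs-leaf chain under both validators."""
    return {
        "honest_strict": validate_chain(HONEST_CHAIN, ROOT, True)[0],
        "attack_lenient": validate_chain(ATTACK_CHAIN, ROOT, False)[0],  # the bug: accepted
        "attack_strict": validate_chain(ATTACK_CHAIN, ROOT, True),       # rejected, with reason
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The lenient validator is not wrong about anything it checks: every signature in the attack chain is genuine. The forgery succeeds purely because the validator never asks whether each signer was authorized to act as a CA, which is exactly what the cA flag (and pathLenConstraint) exist to answer.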

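The OCSP half of the same point is something one can check against the protocol definition rather than take on faith. In RFC 2560, OCSPResponse is a SEQUENCE whose first element is the responseStatus ENUMERATED; the responder’s signature lives inside BasicOCSPResponse and covers only tbsResponseData, and a non-successful status (e.g. tryLater, value 3) carries no responseBytes at all. The following is an added example, not code from this post or from any talk: a tiny DER encoder/decoder builds an abbreviated OCSPResponse, with HMAC-SHA256 under a constructed shared key standing in for the responder’s RSA/ECDSA signature so that it runs offline, then shows what a five-byte forged “tryLater” does to a soft-fail client, and that flipping the status byte of a genuine response leaves the signed bytes and their signature intact.

```python
"""Where an OCSP responder's signature reaches, and where it does not (RFC 2560).

Added example, not code from the post or any talk. A tiny DER encoder/decoder
builds an abbreviated OCSPResponse; the responder's real signature is replaced
by HMAC-SHA256 with a constructed shared key so it runs offline. Structurally:
responseStatus lives in the outer SEQUENCE, the signature covers only
tbsResponseData inside BasicOCSPResponse, and an error status has no responseBytes."""
import hashlib
import hmac

OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")   # id-pkix-ocsp-basic 1.3.6.1.5.5.7.48.1.1
OID_SHA1 = bytes.fromhex("2b0e03021a")                 # 1.3.14.3.2.26
OID_HMAC_SHA256 = bytes.fromhex("2a864886f70d0209")    # hmacWithSHA256 1.2.840.113549.2.9
SUCCESSFUL, TRY_LATER = 0, 3                           # OCSPResponseStatus values


def der(tag, content):
    """Minimal DER TLV encoder (content up to 65535 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Decode one TLV at buf[pos] -> (tag, content, position after the TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def build_tbs_response_data(serial):
    """Abbreviated ResponseData for one certificate with certStatus 'good' (constructed values)."""
    responder_id = der(0xA2, der(0x04, b"\x11" * 20))                    # byKey [2] EXPLICIT KeyHash
    produced_at = der(0x18, b"20090729120000Z")                          # GeneralizedTime
    cert_id = der(0x30, der(0x30, der(0x06, OID_SHA1) + der(0x05, b""))  # hashAlgorithm
                  + der(0x04, b"\x22" * 20) + der(0x04, b"\x33" * 20)    # issuerNameHash, issuerKeyHash
                  + der(0x02, serial))                                   # serialNumber
    single = der(0x30, cert_id + der(0x80, b"") + produced_at)           # certStatus good [0], thisUpdate
    return der(0x30, responder_id + produced_at + der(0x30, single))


def responder_sign(tbs_der, key):
    """Stand-in for the responder's signature. What matters is its input: only tbsResponseData."""
    return hmac.new(key, tbs_der, hashlib.sha256).digest()


def build_ocsp_response(status, tbs_der=None, key=None):
    """OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }."""
    body = der(0x0A, bytes([status]))
    if status == SUCCESSFUL:
        basic = der(0x30, tbs_der + der(0x30, der(0x06, OID_HMAC_SHA256))
                    + der(0x03, b"\x00" + responder_sign(tbs_der, key)))  # BasicOCSPResponse
        body += der(0xA0, der(0x30, der(0x06, OID_OCSP_BASIC) + der(0x04, basic)))
    return der(0x30, body)


def parse_ocsp_response(buf):
    """Return (responseStatus, signed tbsResponseData DER or None, signature or None)."""
    _, body, _ = der_read(buf)
    _, status, pos = der_read(body)           # read before any signed material exists
    if pos >= len(body):
        return status[0], None, None          # non-successful: nothing at all is signed
    _, wrapper, _ = der_read(body, pos)       # [0] EXPLICIT ResponseBytes
    _, rb, _ = der_read(wrapper)
    _, _oid, p = der_read(rb)                 # responseType
    _, basic_tlv, _ = der_read(rb, p)         # OCTET STRING holding BasicOCSPResponse
    _, basic, _ = der_read(basic_tlv)
    _, _tbs, p = der_read(basic)              # tbsResponseData ...
    tbs_der = basic[:p]                       # ... kept as the full TLV: that is what is signed
    _, _alg, p = der_read(basic, p)           # signatureAlgorithm
    _, sig_bits, _ = der_read(basic, p)       # signature BIT STRING
    return status[0], tbs_der, sig_bits[1:]   # drop the unused-bits octet


def toggle_status(buf, new_status):
    """Attacker rewrites the responseStatus byte of a captured response; nothing signed changes."""
    _, body, _ = der_read(buf)
    _, _, pos = der_read(body)
    return der(0x30, der(0x0A, bytes([new_status])) + body[pos:])


def client_accepts(buf, key, hard_fail):
    """Does a client proceed with the TLS handshake given this OCSP response?
    (A real client also checks certStatus, the validity window and the responder cert.)"""
    status, tbs_der, sig = parse_ocsp_response(buf)
    if status == SUCCESSFUL:
        return hmac.compare_digest(sig, responder_sign(tbs_der, key))
    return not hard_fail    # soft-fail: an unsigned error status is treated like 'good'


def demo():
    key = b"responder-key"                          # constructed stand-in for the responder's private key
    genuine = build_ocsp_response(SUCCESSFUL, build_tbs_response_data(b"\x01\x02\x03"), key)
    forged = build_ocsp_response(TRY_LATER)         # the MITM's whole answer: five bytes
    tampered = toggle_status(genuine, TRY_LATER)    # or: flip the status byte on the real one
    _, t_tbs, t_sig = parse_ocsp_response(tampered)
    return {
        "forged_hex": forged.hex(),
        "forged_has_signature": parse_ocsp_response(forged)[2] is not None,
        "genuine_soft_fail": client_accepts(genuine, key, hard_fail=False),
        "forged_soft_fail": client_accepts(forged, key, hard_fail=False),
        "forged_hard_fail": client_accepts(forged, key, hard_fail=True),
        "tampered_signature_still_valid": hmac.compare_digest(t_sig, responder_sign(t_tbs, key)),
    }
```

Run `demo()`: the forged response is exactly `30 03 0a 01 03` and carries nothing a signature could protect, yet a soft-fail client accepts it just as it accepts the genuine response; only a hard-fail policy rejects it. The tampered copy shows the other face of the same fact: its signature still verifies over tbsResponseData because the status byte was never inside the signed bytes in the first place. The unsigned status is by design (a responder that cannot answer has nothing to sign with), which is why the real fix is client-side policy rather than a change to the response format.
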
Black Hat 2009 material is here.
