Steve’s Blog

Just another compsci weblog

Black Hat 2008 & DEFCON 16

Back story

By some unexpected fortune last week I found myself in Las Vegas attending Black Hat & Defcon. Apparently there was some attempt by the heads of my office to get clearance from E&Y so that I could go, but that didn’t work out with me being an intern. I was notified about a week before Black Hat that someone was suddenly unable to go and now there was an extra ticket so I would need to make travel plans.

Cut to Monday morning; I roll out of bed at about 4:30am. After showering and throwing clothes on, I’m ready to be picked up at 5:00 to get to Newark airport for my 7:50 flight. I get a call around 5:05: the driver of my car has two flat tires, but they’re going to try to find another car in the area. The minutes crawl by until around 6:00 I get another call from the driver saying that he’s on his way. Since it takes about an hour to get to Newark airport, I narrowly made it through security in time. If the plane wasn’t slightly delayed, this trip would have started off very poorly.

We spend Monday in Houston for our ‘all-hands’ meeting with the Houston team, where many people on the team give presentations on various security-related topics. Because the hurricane was coming we decided to all catch a late flight Monday night to Las Vegas. By this time I was beat, so I checked into the hotel and went to sleep.

Spent Tuesday hanging out – later that night I gambled at a casino for the first time playing blackjack (more on that later).

Black Hat: Day One

Wednesday was the first day of Blackhat which started off with a keynote speech by Ian O. Angell about how complexity in information systems leads to increased risk. He made numerous mentions of how combining human systems with technology systems is disasertous but while eloquent in his speech, I largely disagreed with his opinion. He mentioned in one portion of his speech that we have a desire to categorize things and seemed to insinuate that this is a bad thing. This is, however, how the human brain operates which leads me to believe that it is an efficient way of interpreting reality. Yes, it may not be proper in all possible scenarios, but what is? Overall, he seemed to resent technology which made me resent his keynote.

Later I went to Dan Kaminsky’s talk on the new DNS cache poisoning attack. I had already heard about the details of the attack, but at Black Hat he went over the extent of the damage that could be caused by this attack: just about everything. Originally one of my co-workers mentioned that for anything important, such as your bank’s website, you’ll see a signed SSL certificate ensuring that the website is legit. However, Kaminsky pointed out that Certificate Authorities validate certificate purchases by way of email. So if I control the DNS entry for, I’ll get the mail to When I get an email from the CA for my newly-signed SSL cert – bam! You think you’re at, you see a signed SSL certificate, but its all controlled by evil Eve. Pretty cool attack.

A cool but low-profile talk I saw was entitled ‘Return-Oriented Programming: Exploits Without Code Injection’ by Hovav Shacham. Intrigued by the title, I went to the talk and discovered how the author came up with a system for injecting not code, but instead injecting pointers to areas of memory which contained libc functions that when executed contiguously would exhibit malicious behavior. While no evil code was injected, evil behavior would be executed. He even showed how he could run a sort in a vulnerable program by injecting pointers to libc which was pretty cool.

Finally I went to a talk on how implantable medical devices have virtually no security due to battery constraints.

Black Hat: Day Two

On day two, one of the guys from the Houston office was giving a talk on ‘extreme client side exploitation’. Basically, the talk was about how the Same Origin Policy is flawed and how to exploit it using GIFARS. GIFAR is a term which comes from a file which combines a GIF and a JAR together such that the resulting file is a valid GIF and JAR (this is possible due to the way each of these files are parsed; GIFs from the top-down, and JARs from the bottom-up). On sites which you can upload your own images (facebook, myspace, flickr, etc.), you can upload a GIFAR which will live on the website’s server. By getting a user to view a webpage which has an <applet> tag that points to the GIFAR, the attacker can gain access to the private information of the user on that website.

There were some other cool talks but I think my favorite was the Quantum Spookshow. During the conference they had a room with two quantum key distribution setups inside. One setup had a web cam at one end which was sending the encrypted stream via a network connection. At the same time the cryptographic key is transmitted via photons. The receiver is able to determine if the photon transmission has been intercepted and retransmitted or not by the principals of quantum mechanics. The other setup uses quantum entanglement to transmit the key, but has high bandwidth constraints. However, it has the advantage of having a truly random key.

Defcon: Day One

Defcon was a much more relaxed conference and filled with all kinds of cool stuff. The badges for the conference were actually a device that you could connect an SD card to and transfer files to other badges via infrared. They also had a lot of physical security talks which Black Hat didn’t have. My favorite talk from Defcon was entitled, “Advanced Physical Attacks” by Eric Schmiedl and covered a wide range of topics. First the talk was about spies and how the CIA and other agencies recruit them. One of my favorite parts of the talk was how you can listen to the sound of someone typing, and determine what keys they were pressing.

I ended the day at Defcon by buying some cool merch and playing about three hours of Guitar Hero with some other cool geeks. Unfortunately I only got to stay for the first day of Defcon, but the whole trip was outrageously fun.

No comments

No comments yet. Be the first.

Leave a reply