Tuesday, August 5, 2008

BlackHat 2008: Lessons Learned, Training, and Day One


After a four hour delay at O'Hare - and sub-par updates from United, we managed to arrive in Vegas just after BlackHat's Sunday registration had closed. This is the first flight on which I've heard applause from the other fliers when we were told we would be taking off, and most of the fliers laughed when one person asked loudly "Are we driving to Vegas?" after taxiing for an interminable period of time.

Adventures in travel aside, my first BlackHat has been an interesting experience. I've previously attended other training at Caesar's, including SANS. BlackHat doesn't appear to have the conference setup down as well - wireless in our training room did not work reliably for almost a day and a half, and the food at the breaks was on a single floor in one area. With thousands of attendees crowding in during a 15 minute break, it leads to 30 minute delays in the courses.

Humorously, our class also had an issue with certificates - both missing certificates and duplicates. I'm not horribly worried about not receiving a certificate for attendance, but it was another minor issue added to the list.

How about the course content? The general feeling from two of the three of us who are attending the course segment is that our courses aren't as challenging and deep as we had expected from such a highly regarded conference. The third member of our group, who attended a Cisco course, has had glowing things to say.

I attended Tim Mullen's Microsoft Ninjitsu class. Tim is genial, has a good sense of humor, knows his stuff, and has a good supporting crew, but the content hasn't been as hardcore as I had expected. With that said, I've picked up a number of useful reminders and tidbits, particularly in terms of a Microsoft-only network. I still won't be using ISA as a primary edge security device, but there are a number of uses for it when you have a Microsoft-specific environment to protect.

The briefings were definitely content rich - I modified my schedule, and attended quite a few good presentations.

I started with Jared DeMott's AppSec A-Z. Jared provided a broad overview of application security topics, with details on how reverse engineering works from the ground up. Jared was working from a much longer talk, and he was definitely squeezed for time. If you're new to reverse engineering, and have some CS background, the presentation was a good intro.

Dan Kaminsky's DNS Goodness talk was massively attended. With co-workers and friends in attendance, I passed and sat in on Nate Lawson's Highway to Hell: Hacking Toll Systems. Nate gave a great presentation about the toll passes used by BATA and other California tolling systems. He discussed both the privacy aspect of remotely activated devices that can be used for both tolling and simple use monitoring, as well as the hardware itself.

Interestingly, the hardware is programmable and has flash storage, allowing them to be updated remotely. Nate offered a number of attack vectors that this could allow, ranging from cloning to shuffling between large numbers of devices as they pass on the highway. As with many other hardware devices, basic measures would have made the devices less susceptible to attack, and less useful for tracking users. Overall? Quite an enjoyable talk - it makes me wonder what EZPass and I-Pass look like.

Next up was Hoff's The Four Horsemen of the Virtualization Security Apocalypse. This was one of my favorite talks. Hoff is both a good showman and he has a lot of insight into virtualization - if you're using a virtualized infrastructure, you should check his presentation out. His predictions of increased cost and lower reliability in virtual infrastructures due to lack of high availability VM appliances, as well as infrastructure consolidation are on the mark, and should make any security professional think twice about what their future virtualized infrastructure will look like.

One of the biggest issues that he brought up was the possibility of having a VM infrastructure lose security as VM appliances fail. Infrastructure isn't configured in the same way that an HA physical infrastructure is, meaning that a failure either causes a loss of service or a loss of security. As he spoke, I was struck by the need for a declarative syntax for VM architectures: basically a rules-based system that would cause systems to always have the right elements in front of them, even if VMs in the system failed. In essence, we need a way to ensure that the infrastructure remains logically sound, even if the physical and virtualized elements of the infrastructure move or fail. We also need a way to manage VM-based appliances in a way that scales - as we deploy IDS sensors, firewalls, WAFs and other tools in VMs, we're going to need to make ourselves more effective.
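A small sketch of the declarative rule idea described above, as an added example that is not part of the original post or of the talk. The policy format, the VM names and the `reconcile` function are all hypothetical: each workload tier declares which security functions must sit in front of it, and a failed appliance is either replaced by a healthy spare or the workload is isolated rather than served unprotected.

```python
from dataclasses import dataclass

# Hypothetical policy: workload tier -> security functions required in its path.
POLICY = {"web": ["firewall", "waf"], "db": ["firewall", "ids"]}

@dataclass
class VM:
    name: str
    role: str            # an appliance function or a workload tier
    healthy: bool = True

# Constructed sample inventory: waf1 and ids1 have failed, waf2 is a spare.
VMS = [
    VM("fw1", "firewall"), VM("fw2", "firewall"),
    VM("waf1", "waf", healthy=False), VM("waf2", "waf"),
    VM("ids1", "ids", healthy=False),
    VM("web1", "web"), VM("db1", "db"),
]

# Constructed sample topology: appliances currently in front of each workload.
PATHS = {"web1": ["fw1", "waf1"], "db1": ["fw1", "ids1"]}

def reconcile(policy, vms, paths):
    """Return a plan per workload that keeps every required function in path.

    A failed appliance is swapped for a healthy spare of the same role; if
    none exists the workload is isolated (fail closed) instead of exposed.
    """
    by_name = {vm.name: vm for vm in vms}
    plan = {}
    for workload, chain in paths.items():
        required = policy.get(by_name[workload].role, [])
        new_chain, missing = [], []
        for role in required:
            # Prefer the appliance already in the path, then any spare.
            in_path = [n for n in chain if by_name[n].role == role]
            spares = [vm.name for vm in vms
                      if vm.role == role and vm.name not in chain]
            usable = [n for n in in_path + spares if by_name[n].healthy]
            if usable:
                new_chain.append(usable[0])
            else:
                missing.append(role)
        if missing:
            plan[workload] = {"action": "isolate", "missing": missing, "path": []}
        else:
            plan[workload] = {"action": "serve", "missing": [], "path": new_chain}
    return plan

if __name__ == "__main__":
    for name, decision in reconcile(POLICY, VMS, PATHS).items():
        print(name, decision)
```
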

After a break, Bruce Potter's Malware Detection Through Network Flow Analysis was enjoyable. Bruce was selling his new tool Psyche throughout the presentation, and it sounds like he and the team who are working on Psyche have the right idea - unfortunately, the quoted speeds are less than a fifth of my normal flow rate. For now, a commercial solution is my best answer to replace my existing NFSen/NFDump architecture. Bruce ran long - but his content was good and I'm sure it was useful and persuasive for those who aren't using netflow. For those who are, he captured some of the biggest issues that we face - how do we identify what isn't right, and how can we visualize it effectively to create useful monitoring capabilities.

I'll run through day two, including great talks on web application security in my next post. Still to come? DEFCON 16, where they've already run out of badges in the first run - if you're going, you won't get a hackable badge until 3 PM tomorrow.
