By Hunter King & Nick Chapman
The saying goes: "What happens in Vegas stays in Vegas." Well, apparently not during the week of Black Hat USA 2008. Black Hat is one of the world's largest and most well known security conferences. Several members of the SecureWorks Counter Threat UnitSM had an opportunity to attend and we'd like to share some brief highlights from a few of the talks.
There were many highly renowned speakers sharing their expertise, including our own Joe Stewart speaking about the Storm botnet. Informal conversations with other attendees were also extremely valuable. With all this knowledge and experience in one place, Black Hat really is like drinking from the InfoSec fire hose. We don't want to keep you in suspense any longer, so here are a few samples from some of our favorite talks.
Readers of our previous blog postings will know that we, like many others, have been keeping an eye on the recent waves of mass SQL injection attacks (here, here, and here). Justin Clarke of Gotham Digital Science gave a turbo talk about this very topic. The main thrust of his presentation was that this is just the beginning. The current attacks, although widespread, are very limited in scope. The attackers are only targeting websites using Microsoft SQL Server for a backend database and only targets Microsoft ASP (and more recently Cold Fusion) websites. Once a website has been compromised, the payload is only targeting users who visit that site. Nasty attacks that could be on the horizon include privilege escalation / attacking the database host OS, attacking HTML Forms, scanning internal corporate networks / DMZs, and more. Today the attackers are using the Google search engine to identify potentially vulnerable systems and have successfully compromised literally hundreds of thousands of websites. It would be quite feasible to use Google search results to further refine their focus, generating a targeted attack against an entire business vertical or just a particular organization.
Jeremiah Grossman and Arian Evans gave a wonderful talk about real world ways to monetize attacks, both against technology and flaws in business logic (Arian's other talk about encoding issues was also very interesting). What I found fascinating is how, as the amount of money involved increased, the amount of technical expertise required to pull off the hack decreased. The presentation started by talking about manually solving CAPTCHAs for profit. Initial offers were for $10 per 1000 CAPTCHAs solved, which works out to an income of about $50 a day. However, free market competition drove that price down to as low as $2 per 1000 CAPTCHAs.
Another example of ways hackers can make large sums of money that don't require a high degree of technical sophistication was through information leakage. An Application Service Provider (ASP) which provided services to banks had been revealing sensitive information in an error message. Only three items of information were actually required to access an account through the ASP a client identifier, a bank identifier and an account number.
These parameters were supplied via HTTP GET variables, easily modifiable by anyone with a web browser. If these three items didn't match, the web application was kind enough to tell the visitor that account X belongs to Bank Y. If a visitor used the correct bank identifier but other parameters did not match, the website would inform them you that Bank Y belongs to Client Z. The website was also only checking that a visitor was authenticated it did not verify that the user was authorized to access a particular account. This could easily be exploited for profits in the tens or hundreds of thousands of dollars.
A third example requires even less technical expertise. A website featuring press releases (including profit and loss statements) would add press releases to their site ahead of their official release date they just wouldn't link them from the main page. However, the press releases were stored on sequentially numbered web pages, so it was a trivial task to identify and access a 'hidden' press release. This would allow outsiders to have access to P&L information for publicly traded companies before the market closed. Hackers exploited this to earn over 8 million dollars on the stock exchange market.
The critical lesson here is that all avenues of attack must be considered. This is especially true when dealing with how the business logic is implemented at a technical level. This is very difficult to do, because it requires knowledge of the business processes and a grasp of some of the technical details that drive those processes. If you're not aware of how these interact, rest assured that there are many people using your systems, and it only takes a single one having that "Eureka!" moment where they find a critical flaw. This can lead to financial losses in the hundreds of thousands or more. What's even worse is that some of these 'attacks' aren't even illegal, not even in the United States.
The always entertaining Bruce Potter, founder of The Shmoo Group, gave a talk titled "Malware Detection Through Network Flow Analysis." In it, Bruce emphasized the need to quickly detect compromised machines in order to minimize damage. Given the rate at which client-side attacks presently occur, compromise is, for many, inevitable. Quick detection of infections becomes an increasingly important tool in the defender's toolkit. Bruce advocates analyzing network traffic data for statistical anomalies. For example, a desktop which sends out twice as much data as it receives is likely part of a botnet. Without NetFlow data (or similar), this infection may go completely unnoticed. Bruce also advocated including frequency distribution graphs alongside traditional time-based graphs as a method of quickly identifying potential network issues. Incorporating these techniques won't stop the bad guys, but could greatly minimize the damage done once a compromise does occur.
2) Modify the Mozilla JS interpreter to run in headless mode. This would break the majority of Billy's attacks, and raise the bar significantly for malware authors. The analysis needed to detect this form of inspection would be easy to identify and evade.