Past speeches and talks from the Black Hat Briefings computer security conferences. The Black Hat Briefings in Japan 2006 was held October 5-6 in Tokyo at the Keio Plaza Hotel. Two days, four different tracks. Mitsugu Okatani, Joint Staff Office, J6, Japan Defense Agency was the keynote speaker. Som…
"The Internet industry is currently riding a new wave of investor and consumer excitement, much of which is built upon the promise of "Web 2.0" technologies giving us faster, more exciting, and more useful web applications. One of the fundamental "Web 2.0" is known as Asynchronous JavaScript and XML (AJAX), which is an amalgam of techniques developers can use to give their applications the level of interactivity of client-side software with the platform-independence of JavaScript. Unfortunately, there is a dark side to this new technology that has not been properly explored. The tighter integration of client and server code, as well as the invention of much richer downstream protocols that are parsed by the web browser has created new attacks as well as made classic web application attacks more difficult to prevent. We will discuss XSS, Cross-Site Request Forgery (XSRF), parameter tampering and object serialization attacks in AJAX applications, and will publicly release an AJAX-based XSRF attack framework. We will also be releasing a security analysis of several popular AJAX frameworks, including Microsoft Atlas, JSON-RPC and SAJAX. The talk will include live demos against vulnerable web applications, and will be appropriate for attendees with a basic understanding of HTML and JavaScript."
Social networking sites such as MySpace have recently been the target of XSS attacks, most notably the "samy is my hero" incident in late 2005. XSS affects a wide variety of sites and back end web technologies, but there are perhaps no more interesting targets than massively popular sites with viral user acquisition growth curves, which allow for exponential XSS worm propagation, as seen in samy's hack. Combine the power of reaching a wide and ever-widening audience with browser exploits (based on the most common browsers with such a broad "normal person" user base) that can affect more than just the browser as we saw with WMF, an insertion and infection method based on transparent XSS, and payloads which can themselves round-trip the exploit code back into the same or other vulnerable sites, and you have a self-healing distributed worm propagation platform with extremely accelerated infection vectors. We investigate the possibilities using MySpace and other popular sites as case studies, along with the potential posed by both WMF and The Metasploit Project's recently-released browser fuzzing tool, Hamachi, to own a site with self-replicating XSS containing a malicious browser-exploiting payload which itself will modify the browser to auto-exploit other sites, all transparent to the user. On top of this one could layer any additional functionality, some loud, some quiet, such as DDoS bots, keyloggers, other viral payloads, and more.
"It is 4pm on a Friday, beer o'clock. You're just eyeing up your first beer and thinking about where the fish will be biting tomorrow. The phone rings, something "funny" is happening on a client's web server. A lot of money passes through the server and it looks like it could be serious. IDS on the network picked up a crypted command shell heading outbound from the server. You break out the security incident response manual and head to the scene. Being the process oriented and reliable chap you are, you load up your forensic toolkit and take forensic copies of current memory and disk. You kick off your tools to analyse the forensic copies you've taken, nothing. All the processes are good, no apparent hooks, all hashes match verifiable sources. You check the forensic copying process, it worked perfectly. What have you missed? How could it not be in memory or on disk? Someone is playing you for a fool, and it's probably someone in kernel land. Your forensic image has been faked, and yet any court in the country would accept your process as sound. This talk will be a low level talk aimed at forensic analysts, investigators, prosecutors and administrators. It will show new techniques and a previously unreleased working implementation called DDefy which anyone involved in forensic analysis should be aware of. The demonstration will show defeating live forensic disk and memory analysis on Windows systems exposing fundamental flaws in popular forensic tools. Attendees should preferably have an understanding of the live forensics process and some background in modern rootkit technologies. Knowledge of NTFS internals will also aid in understanding."
"By modeling all of the possible inputs of a protocol or file format as an input tree, the potential weak points of an implementation can be assessed easily and efficiently. Existing attacks can be reused for similar structures and datatypes, and any complex or susceptible areas can be focused on to improve the probability for success. This method is applicable not only for creating new attacks, but also for proactive defense and even protocol design. Some knowledge of network protocols is expected, as are also the basics of security testing and anomaly design. The talk will apply the presented techniques by presenting an input tree for DNS and cataloguing the potential attacks and problem areas."
"Imagine you?re visiting a popular website and invisible JavaScript Malware steals your cookies, captures your keystrokes, and monitors every web page that you visit. Then, without your knowledge or consent, your web browser is silently hijacked to transfer out bank funds, hack other websites, or post derogatory comments in a public forum. No traces, no tracks, no warning sirens. In 2005?s ""Phishing with Superbait"" presentation we demonstrated that all these things were in fact possible using nothing more than some clever JavaScript. And as bad as things are already, further web application security research is revealing that outsiders can also use these hijacked browsers to exploit intranet websites. Most of us assume while surfing the Web that we are protected by firewalls and isolated through private NAT'ed IP addresses. We assume the soft security of intranet websites and that the Web-based interfaces of routers, firewalls, printers, IP phones, payroll systems, etc. even if left unpatched, remain safe inside the protected zone. We believe nothing is capable of directly connecting in from the outside world. Right? Well, not quite.Web browsers can be completely controlled by any web page, enabling them to become launching points to attack internal network resources. The web browser of every user on an enterprise network becomes a stepping stone for intruders. Now, imagine visiting a web page that contains JavaScript Malware that automatically reconfigures your company?s routers or firewalls, from the inside, opening the internal network up to the whole world. Even worse, common Cross-Site Scripting vulnerabilities make it possible for these attacks to be launched from just about any website we visit and especially those we trust. The age of web application security malware has begun and it?s critical that understand what it is and how to defend against it. 
During this presentation we'll demonstrate a wide variety of cutting-edge web application security attack techniques and describe best practices for securing websites and users against these threats. You'll see:
* Port scanning and attacking intranet devices using JavaScript Malware
* Blind web server fingerprinting using unique URLs
* Discovering NAT'ed IP addresses with Java Applets
* Stealing web browser history with Cascading Style Sheets
* Best-practice defense measures for securing websites
* Essential habits for safe web surfing"
"The presentation will first present how to generically (i.e. not relaying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy for allowing only digitally singed code to be loaded into kernel. The presented attack does not requite system reboot. Next, the new technology for creating stealth malware, code-named Blue Pill, will be presented. Blue Pill utilizes the latest virtualization technology from AMD - Pacifica - to achieve unprecedented stealth. The ultimate goal is to demonstrate that is possible (or soon will be) to create an undetectable malware which is not based on a concept, but, similarly to modern cryptography, on the strength of the 'algorithm'."
"The U.S. Government has mandated that its organizations be IPv6-compliant by June 30, 2008. The Japanese government has already missed more than one IPv6 deadline. But while we can argue about specific dates for compliance and deployment, there is no question but that your organization must begin to prepare for the next generation Internet, and it should start today. This presentation is based on wide-ranging, in-depth research, including interviews with the top thinkers on the most crucial issues surrounding the sleeping giant known as IPv6. It will give you the facts you need in order to plan for what may be difficult times ahead. The tactical, down-in-the-weeds take on IPv6 will be examined in detail. This presentation will provide the Black Hat Japan audience with a myriad of technical details to inform them of the challenges that await their organizations as they attempt to keep pace not only with their government mandates, but also with economic competitors from around the world. The Black Hat audience will also learn how hackers will exploit this new technology, and how to stop black hats from taking advantage of the necessarily long-lasting, heterogeneous environment that will be required during the transition to IPv6. Believe it or not, many nation-states view IPv6 as crucial to their national security plans for the future. This presentation will make stops at the White House, Tokyo, Beijing, and Red Square, and cover in detail the most current v6 research and deployment events in East Asia. It will discuss how, if some governments get their way, most members of the Black Hat audience could well lose their last byte of anonymity on the Internet. The corporate side of Internet addressing will also be addressed: what do the Xbox, IPTV, and the number of beers I have left in my fridge at home have in common? Answer: IPv6!"
"As the Internet becomes a social framework, attacks and incidents with various intents have been actualized. As a result, previously unrelated organizations and groups have become actively engaged in discussions regarding threats and technology. In addition, they have begun to approach and actively engage in creating and implementing information security policies. This session will cover the information security revolution in Japan, as seen from analzyed attack models which have been actualized and on the changed meaning of threats and the influences. Mitsugu Okatani became a battleplane pilot after joining the Japan Air Self-Defense Force joined in April 1980, then he worked on the design development and management of the weapon systems as a development engineer. He was engaged in IT system development and information security related projects in the Air Self-Defense Force as a project executive from October 1993. He served in the Communications and Electronics Division in Air Staff Office Defense Division, the Director of Defense Agency Communication Division, and the Office of the Information Security at Cabinet from April 2002. He worked for the Network Information Security Center at Cabinet as a full time staff since Aug 2005, and became a Joint Staff Office at Japan Defense Agency since April 2006."
If you give a thousand programmers the same task and the same tools, chances are a lot of the resulting programs will break on the same input. Writing secure code isn't just about avoiding bugs. Programming is as much about People as it is about Code and Techniques. This talk will look deeper, beyond the common bug classes, and provide explanations for why programmers are prone to making certain mistakes. New strategies for taming common bug sources will be presented. Among these are TypedStrings for dealing with Injection Bugs (XSS, SQL, ...), and Path Normalization to deal with Path Traversal.
"Every application, from a small blog written in PHP to an enterprise-class database, receives raw bytes, interprets these bytes as data, and uses the information to drive the behavior of the system. Internationalization support, which stretches from character representation to units of measurement, affects the middle stage: interpretation. Some software developers understand that interpreting data is an incredibly difficult task and implement their systems appropriately. The rest write, at best, poorly internationalized software. At worst, they write insecure software. Regardless of whether this fact is understood or acknowledged, each developer is reliant on operating systems, communication mechanisms, data formats, and applications that provide support for internationalization. This represents a large and poorly understood, attack surface. f we go back to the ""three stages model"" above, many attacks have focused on simply sending bad data and using perceived failures to influence the behavior of the system. Most defenses have evolved to prevent malicious data from entering the system. This talk will cover advanced techniques that use the interpretation stage to manipulate the data actually consumed by the myriad components of typical software systems. Attack and defense methodologies based on years studying core technologies and real software systems will be presented."
"There have been a series of information leak incidents being happening in Japan regarding to the use of P2P file sharing softwares. But those incidents are just a tip of iceberg. There were expected to be tens of thousands of incidents that even not reported in the news. P2P file sharing softwares usually designed to enhance user anonymity therefore users of such software can enjoy act of violating the copyright law. However, contrary to such users assumption, the nature of P2P networks are nearly publicly open networks for either the files that being uploaded or downloaded. This talk will explain about the reason of how the encryption deployed by Winny and Share could be defeated, what will be the change by such encryption becoming disarmed, and what could be the evidence of the information been made public, with the details based on the characteristic of public openness resides in P2P and how the characteristics affect the content of communicaton exposed on the P2P networks that no longer have anonymity."
"Botnets pose a severe threat to the today?s Internet community. We show a solution to automatically, find, observe and shut down botnets with existing opensource tools, partially developed by us. We start with a discussion of a technique to automatically collect bots with the help of the tool nepenthes.We present the architecture and give technical details of the implementation. After some more words on the effectiveness of this approach we present an automated way to analyze the collected binaries. All these steps can be automated to a high degree, allowing us to build a system that autonomously collects information about existing botnets. This information can then be aggregated and correlated to learn even more. As a result, we obtain information that can be used to mitigate the threat, e.g., as a warning-system within networks or as an information ressource for CERTs. We conclude the talk with an overview of lessons learned and point out further research topics in the area of botnet tracking. Attentands are expected to have a basic knowledge of honeypots and how honeynets work. All necessary information about bots/botnets will be introduced during the talk and the live demonstrations."
Jeff Moss welcomes attendees of the Black Hat Conference, October 5-6 in Tokyo at the Keio Plaza Hotel. Two days, four different tracks. Mitsugu Okatani, Joint Staff Office, J6, Japan Defense Agency was the keynote speaker.
"To know various fraud schemes is important when implementing counter measures against it. During this session, the presenter will show the latest online fraud schemes. Vulnerable Internet users could easily be captured in the traps of which set up by criminals who take increasingly sophisticated online fraud schemes such as Phising and One Click Fraud. In this session, we will show the latest online fraud schemes. Mr. Hoshizawa joined Symantec in 1998, took a position in charge of security research, correspondence to new viruses, and collection and analysis of vulnerability information as the Asia Pacific regional manager of the Symantec Security Response. He has established himself as a top class virus researcher in Japan, and has been contributing to many IT related publications about computer security. Moreover, he gave talks at the various international conference such as Virus Bulletin, EICAR, and AVAR, on the subject of security issues. After leaving Symantec in September 2004, he joined Secure Brain Corporation and took a charge of the present position since October 2004."