Talk of the town...
The biggest discussions outside of the presentations at Black Hat were:
* The ATL vulnerability (CVE-2008-0015), which affected multiple ActiveX controls, including controls from Adobe and Cisco. The controls were vulnerable because, when they were compiled, they were statically linked to the vulnerable ATL library within Visual Studio. The researchers who discovered this bug won a Black Hat Pwnie for Best Client-Side Bug.
* The Adobe PDF/SWF 0-day, which generated a lot of talk as well because there were very few workarounds, and disabling JavaScript was not one of them. Adobe issued a patch fairly quickly, releasing it late last week.
Both of these vulnerabilities were patched during the week of Black Hat.
If you haven't patched the machines on your network already, here are the necessary links. It's advisable to patch as soon as possible; these vulnerabilities are being exploited in the wild.
Other chatter centered on the compromise of Dan Kaminsky's main website/machine, DoxPara Research.
The Talks...
There were some great talks this year. Moxie Marlinspike, Dan Kaminsky, and Mike Zusman discussed some serious flaws surrounding the implementation and model of SSL. Kostya Kortchinsky's talk demonstrated a vulnerability that allowed him to break out of a VMware guest. SMS flaws were discussed, and even the San Francisco parking meters were shown to have vulnerabilities.
Here is a list of the talks we attended and felt worth special mention:
- Billy Hoffman's talk on creating a browser-based darknet
- Nathan Hamiel, Shawn Moyer - Weaponizing the Web: More Attacks on User-Generated Content (Paper)
- Dino Dai Zovi - Presenting Mac OS X rootkits (Paper, Slides)
- Moxie Marlinspike - More Tricks For Defeating SSL (Movie, Paper, Slides, sslsniff tool, VeriSign response, Schuberg Philis blog)
- Jeongwook Oh - Fight Against 1-day Exploits: Diffing Binaries vs. Anti-diffing Binaries (Paper, Slides, DarunGrim tool)
- Mario Vuksan, Tomislav Pericin - Fast & Furious Reverse Engineering with TitanEngine (Paper, Slides, TitanEngine website)
- Charlie Miller, Collin Mulliner - Fuzzing the Phone in your Phone (Paper)
- Felix "FX" Lindner - Router Exploitation (Paper, Slides)
- Dan Kaminsky - Something about Network Security (Movie)
Here is a list of talks we wished we had attended, but we were either at another talk, or sleeping in. =]
- Mark Dowd, Ryan Smith, David Dewey - The Language of Trust: Exploiting Trust Relationships in Active Content (Movie)
- Egypt - Using Guided Missiles in Drive-bys: Automatic browser fingerprinting and exploitation with Metasploit (Slides)
- Jeremiah Grossman, Trey Ford - Mo' Money Mo' Problems: Making A LOT More Money on the Web the Black Hat Way (Slides)
- Nick Harbour - Win at Reversing: Tracing and Sandboxing through Inline Hooking (Slides, API Thief tool)
- Kostya Kortchinsky - Cloudburst: Hacking 3D (and Breaking Out of VMware) (Paper, Slides)
- John McDonald, Chris Valasek - Practical Windows XP/2003 Heap Exploitation (Paper)
- Mikko Hypponen - The Conficker Mystery (Paper, Slides)
Great con this year. We especially want to thank some of our gracious hosts for the invites to the conference parties - McAfee, Core, Microsoft, Facebook, ISEC, and iSIGHT Partners. Some parties were great, and some were...out of the ordinary, but maybe to be expected for Vegas!