Let me put on my roving reporter hat for a minute and share some dispatches from this year’s Black Hat conference in Las Vegas.
Registration was surreal because the adjacent conference was an pet-related conference called SuperZoo so the hallways featured scary hacker hoodie posters on one side, and then happy pets wearing poo-proof purple plastic gloves bounding through grass on the other.
Keynotes
Jeff Moss, the Dark Tangent himself, gave a short speech on how speed was the most important metric in security right now. Speed is what CEOs and CIOs are talking about. For example: speed to mediation. Speed is the current language in security.
Dan Kaminsky gave a ranging (some have said “rambling”) but passionate speech where he acknowledged that “this” Internet is designed so that nobody is in charge (and “this” Internet is very good at moving cat pictures). But it would benefit from a group like the “NIH for Cyber” to at least vet out and endorse technology/best practices.
Kaminsky described that, without SSH, Cloud may not have happened, given that without remote access, we would all be maintaining servers on-premises. He also believes that DNS is guaranteed to be around for another 25 years.
Dan mentioned the need for an “Autoclave”; a way to put virtual machines back into known good states after exploitation. The problem here is the “known” part: can we trust Cloud providers?
Recover a RSA Private Key from a TLS Session with Perfect Forward Secrecy
Marco Ortisi described how previous research warned of the ability to obtain an RSA Private key by exploiting a vulnerability in the RSA-CRT algorithm, which is used by default in almost every known crypto algorithm.
SonicWall published a vulnerability in the past, but indicated the attack requires a sophisticated tool that is not available to the public. Ortisi smiled and said “until now.”
He launched into an elegant overview of RSA, the theory of the attack, and then demonstrated it using tools he had developed. In essence, there are vectors that can introduce faulty digital signatures used in RSA cryptography by disrupting the mathematics used: CPU overheating, RAM errors, exposure to solar rays.
RSA signatures are embedded during the SSL/TLS negotiation. Using methods to disrupt the math and cause a faulty signature, the p or q value can be obtained, and the RSA key calculated, from an uncompressed TCP stream. Ortisi’s slides can be found here.
Researchers find four flaws in HTTP/2
HTTP/2 adoption is spreading across the internet. HTTP/2 includes many speed-related inmprovements over HTTP/1.1 including compression, multiplexing and server push. However, researchers at Blackhat unveiled at least four different attacks against HTTP/2 servers, mostly involving denial of service. One particularly cute attack a compression bomb where the attacker can send about 4K of data and trick the server into unpacking nearly a 1G of junk into its ram. Enough of these will crash the server.
The researchers suggest that until the protocol can be fixed, sticking a web application firewall (WAF) in front of the service provides a point of remediation. That’s always good advice, HTTP/2 or no.
Chip and PIN Attack for $50,000
Researchers with Rapid 7 unveiled an attack against the EMV chip in your Chip and PIN card that enabled unauthorized transactions. By making a new skimmer device (which they called a shimmer), and transmitting information to a smartphone controller, the researchers posited they could trick an ATM into dispersing up to $50,000.
A colleague of mine, who prefers to remain unnamed, worked at a major credit card processing firm for a decade. He had this to say about the hack.
“The idea was that since EMV was impossible to hack, then the only way fraudulent charges could be incurred was if the cardholder lost/surrendered/had stolen the card, and simultaneously shared the PIN. Under those circumstances, the banks and merchants could shift all fraud liability to the cardholder. This was scary indeed for cardholders. Fortunately, we have this hack to disprove the assertion that the cardholder is always responsible for fraud with EMV cards.”
Disrespecting Nonces: Attacks on GCM
Sean Devlin and Hanno Böck gave a great talk about GCM nonce disrespecting. They probed “the internet” looking for bad uses of AES-GCM nonces, finding about 200 hosts repeating nonces and tens of thousands that use random 64-bit nonces.
Both are forbidden and can lead directly to forgeries (though the former is clearly more perilous). They implemented Joux’s attack against repeated nonces which was immediate, and with such high probability that the speakers presented their slides as forged content through a UK government website which misused nonces in this way.
Most of the Internet has switched over to AES-GCM, which means tens of millions of HTTPS servers are using it correctly. But it looks like a few aren’t J
Random Gossip
On the second day, word spread about massive layoffs (300-400 people) at FireEye. Yet FireEye had the largest, best-placed booth at the show.
Notable for their absence was Juniper, who despite posting good numbers last quarter, didn’t front a booth at Black Hat this year.
Splunk ran out of medium T-shirts before I could get over there. Again. This happens to me about half the time, so my collection of their hilarious shirts is growing but only slowly.
From One SuperZoo to the Next
This year’s Black Hat conference had some great technical talks, good foot traffic, and was notable for a lack of glitches. Kudos to the organizers.
Now your roving reporter is off to another zoo, this one called “Defcon 24.” Stay tuned.