Black Hat 2007 preview: Blue Pill under scrutiny

By Bill Brenner, Senior News Writer 31 Jul 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

She said it showed how hardware virtualization technology could become a major security threat in the coming years, when more people will use processors with hardware virtualization support. The room was jammed, with many attendees standing in the back. Wild cheers erupted as she finished the demo.

Rutkowska's ideas will come under fire at Black Hat USA 2007, which starts Wednesday at Caesars Palace, in a presentation called "Don't Tell Joanna: The Virtualized Rootkit Is Dead." Researchers Nate Lawson of Root Labs, Peter Ferrie of Symantec Corp., and Thomas Ptacek of Matasano Security are scheduled to talk about research they conducted showing that virtualized rootkits will always be detectable.

Special Black Hat coverage Check out more of SearchSecurity.com's special news coverage of Black Hat USA 2007.

Along with that, Black Hat organizers promise a full agenda of sessions where researchers will demonstrate the insecurities of such technologies as NAC (Network Admission Control), VoIP (voice over IP) and Web applications with Ajax-based features. Researchers from Watchfire Inc. will also show off a reliable method they discovered to exploit dangling pointers. A detailed agenda for both days is available on the Black Hat Web site.

A Blue Pill challenge or lecture?
There had been speculation the virtualized rootkit session wouldn't go off as planned because of Rutkowska's response. Ptacek said Rutkowska told them she'd play along if they met some conditions, including one stipulation that she be paid $416,000. Ptacek said of the last condition, "Why would we pay you $416,000 to buy a rootkit we already know we can detect?" Besides, he said, Rutkowska has conceded that Blue Pill, as it exists today, could be trivially detected by anyone who knows how hardware virtualization works. "Since Matasano itself owns a hardware-virtualized rootkit, it was clear to everyone that the 'challenge' wouldn't have been interesting," he said.

Nevertheless, Ptacek said there will still be a presentation on it, though not as the challenge it was originally intended to be.

"The challenge at Black Hat will likely not proceed, but the talk will," he said. "We will present the different techniques we had planned to use against Blue Pill, and explain how our code works. Joanna will likely be in attendance, and we hope she objects loudly. She's smart, and I can guarantee the argument would be interesting."

Ajax and VoIP risks revealed
Billy Hoffman, a researcher with Atlanta-based SPI Dynamics, warned at last year's conference that Ajax-based applications are being adopted quickly without a lot of thought about security. He said he'll take that theme to the next step with a session called "Premature Ajax-ulation," which he'll give with fellow researcher Bryan Sullivan.

Himanshu Dwivedi and Zane Lackey of San Francisco-based digital security firm iSEC Partners Inc. will discuss the security issues, attacks and exploits against such VoIP protocols as IAX and H.323. The latter, they say, is particularly vulnerable to attack but that most users assume it's secure because not much evidence to the contrary has been presented.

"We'll talk about the best ways to build a layered defense around VoIP, going through different attacks scenarios against these protocols and how to lower the risks," Dwivedi said. He said the topic is critical because the use of VoIP has exploded in the last three years without much thought of the security risks. Lackey agreed, saying, "While companies are in the same mindset with VoIP as they were a couple years ago, there are more and more tools out there that can be used to both attack and defend it."

Gadi Evron, a security evangelist with Beyond Security, has closely followed the recent coordinated cyberattacks against government and private computer networks in the Baltic nation of Estonia, and will talk about who may be behind the onslaught, what went right on the part of the Estonians and what IT professionals can learn from it.

Jonathan Afek, a senior security researcher at Watchfire, will give a presentation on the technique he and colleague Adi Sharabani discovered to remotely exploit dangling pointers. They stumbled across the technique by chance while running the company's AppScan software against a Web server. The server crashed in the middle of the scan and after some investigation, the pair found that a dangling pointer had been the culprit. This wasn't a surprising result, given that these coding errors are well-known for causing crashes at odd times. But after some further experimentation, Afek and Sharabani found that they could cause the crash intentionally by sending a specially crafted URL to the server and began looking for a way to run their own code on the target machine.

Black Hat surprises
Last year's Black Hat gathering focused heavily on the security features in Windows Vista, which had not yet been released. At the time conference attendees joked that Microsoft had purchased a full track of presentations to promote the new operating system. This year's agenda includes some sessions on Vista security issues, but it isn't as dominant a theme as it was last year.

One thing attendees will be watching for is controversy. Two years ago most of the presentations were overshadowed by a firestorm that erupted over researcher Michael Lynn's demonstration of a Cisco router exploit, which Cisco tried to block with legal action.

Black Hat and Cisco settled a lawsuit over the Lynn affair after conference organizers promised not to proliferate Lynn's findings.

A smaller controversy erupted in March during a smaller Black Hat gathering in Arlington, Va. A security researcher who said he was pressured by radio frequency identification (RFID) chip maker HID Corp. to scrap his demonstration of a device that could clone RFID enabled proximity badges ended up delivering a modified version of his talk anyway, without any details specific to HID's products.

Tags: Virtualization Security Issues and Threats,  Security Industry Market Trends, Predictions and Forecasts,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Virtualization Security Issues and Threats Cloud computing data security starts with internal strategy, experts say PCI virtualization SIG closer to proposing changes to standard Security challenges with cloud computing services Secure virtual desktop software enables remote client security Security threats to virtual environments less theoretical, more practical At VMworld 2009, companies focus on virtual desktops for security Security fundamentals remain focus of virtualization deployments How to implement virtual firewalls in a complex network infrastructure How to find virtual machines for greater virtualization compliance Quiz: Virtualization and compliance Security Industry Market Trends, Predictions and Forecasts Using unique device identification for bank website security Cybercriminals invest in social networking attacks RSA's Coviello declines cybersecurity coordinator post Schneier-Ranum face-off, part1: The future of information security Cybersecurity grant to fund research into critical infrastructure threats Hackers to sharpen malware, malicious software in 2010 Part 1: Marcus Ranum on the state of information security Part 2: Marcus Ranum on the state of information security Part 4: Marcus Ranum on the state of information security Part 3: Marcus Ranum on the state of information security Security Industry Market Trends, Predictions and Forecasts Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backscatter body scanning  (SearchSecurity.com) marketecture  (SearchSecurity.com) NCSA  (SearchSecurity.com) Palladium  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary