Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Favorite Thing Out of This Year's Black Hat?

Posted by samzenpus on from the best-of-the-best dept.

Nerval's Lobster writes "This year's Black Hat conference wasn't just about the NSA director defending his agency's surveillance practices (and getting a bit heckled in the process). Other topics included hacking iOS devices via a modified charging station, eavesdropping on smartphones via compromised femtocells, demonstrating a password-security testing tools that leverage AWS (and 9TB of rainbow tables) to crush weak passwords, and compromising RFID tags with impunity. What was your favorite news out of Black Hat?"

41 comments

  1. First credible way to detect real 0day on your box by Sean · · Score: 4, Informative

    http://blockwatch.ioactive.com:8888/

    It's pretty alpha, and you will need to use IE to install it. This tool compares software in memory against known signatures, allowing you to confirm what's running on the system is really what you think it is. It works with HyperV and VMWare.

    It's free. Thanks IO Active!

  2. Why is it even called "Blackhat"? by aNonnyMouseCowered · · Score: 1, Interesting

    Just curious, why is the conference even called "Blackhat"?

    According to Wiki (a very reasonable defintion): "A "black hat" hacker is a hacker who "violates computer security for little reason beyond maliciousness or for personal gain" (Moore, 2005). Black hat hackers form the stereotypical, illegal hacking groups often portrayed in popular culture, and are "the epitome of all that the public fears in a computer criminal". Black hat hackers break into secure networks to destroy data or make the network unusable for those who are authorized to use the network."

    So instead of attending shouldn't the NSA be arresting the participants? Not that I actually favor such an act, but that appears to be the "legal" thing to do. Maybe it's better off called "Whitehat" or maybe "Greyhat" since the conference is partly about revealing new threats that concerned computer security experts can study and defend against?

    1. Re:Why is it even called "Blackhat"? by Antique+Geekmeister · · Score: 4, Informative

      The NSA is not a law enforcement agency. They're an intelligence agency: they have little jurisdiction to charge US citizens for domestic crimes, or authority to arrest foreign nationsals for crimes overseas. That would be the task of the FBI for various federal crimes, the Secret Service for certain types of fiscal crimes including wire fraud, or local police for state or local crimes. And I'm afraid the NSA doesn't like to share responsibility for such arrests, because monitoring US communications is actually against their charter. They do it anyway with various very poor excuses, but they'd hardly pursue arrests on that basis.

      Also, a lot of the activity is below any reasonable threshold of when a prosecutor would be bothered to file charges.

    2. Re:Why is it even called "Blackhat"? by icebike · · Score: 2

      You go out of your way to make a Distinction without a Difference.
      Who puts the cuffs on you hardly matters.

      If you believe the nonsense about their charter you deserve the delusions under which you so evidently labor.

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:Why is it even called "Blackhat"? by Anonymous Coward · · Score: 0

      Thank you kind citizen for your clarification. The NSA is continually at odds as to why so many people fail see it as a benevolent information gathering agency with well meaning intentions meant for all Americans.

    4. Re:Why is it even called "Blackhat"? by blahblahwoofwoof · · Score: 5, Informative

      At this point, it's just branding. There was a time when Black Hat was correctly titled, but that train has long since left the station.

    5. Re:Why is it even called "Blackhat"? by blueg3 · · Score: 2

      The NSA doesn't (can't) arrest people.

      Now as to why the FBI doesn't arrest the attendees, it's because none of them have outstanding arrest warrants. (Well, presumably not. At DEFCON, you don't give them your name or your credit card and it's so crowded, you couldn't find anyone anyway.) Turns out calling yourself a hacker isn't grounds for arrest.

    6. Re:Why is it even called "Blackhat"? by phantomfive · · Score: 1

      Just curious, why is the conference even called "Blackhat"?

      Because they want to sound edgy, and the name DEFCON was already taken.

      So instead of attending shouldn't the NSA be arresting the participants? Not that I actually favor such an act, but that appears to be the "legal" thing to do.

      No, you can't arrest someone without evidence. Going to a conference, even one designed for criminals, is not a "legal" thing to do. That's why you can't arrest someone for being in a gang. Freedom of assembly is protected by the constitution.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:Why is it even called "Blackhat"? by Antique+Geekmeister · · Score: 2

      Then understand that that they do not arrest people for the same rason they do not sign US treaties or sign bills into law. It's not their job to arrest people, even if they cooperate with and provide intelligence for the people who do and are in some ways responsible for such arrests or for what treaties get signed or what laws get passed informing the people who'd do such tasks.

      I was careful to answer the question from aNonnyMouseCowered, not to say the NSA is innocent of wrongdoing or of providing leads for the FBI or or the US State department and US Customs to harass attendees at BlackHat or to block the visas of international attendees. It's vital to answer the people that people actually asked.

    8. Re:Why is it even called "Blackhat"? by EmperorArthur · · Score: 2

      [offtopic]
      Nice sig. What keywords do you put in your E-Mails to make sure they back them up?

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
    9. Re:Why is it even called "Blackhat"? by phantomfive · · Score: 2

      It all goes there, the hard part is getting it back with an FOIA request can sometimes be delayed.........

      --
      "First they came for the slanderers and i said nothing."
    10. Re:Why is it even called "Blackhat"? by Anonymous Coward · · Score: 0

      If you believe the nonsense about their charter you deserve the delusions under which you so evidently labor.

      You can blabber all you want, they take that charter very seriously. The reason they're spying on the Americans is because they've been told to and it's been made legal.

    11. Re:Why is it even called "Blackhat"? by Suferick · · Score: 1

      I think you will find there is a certain amount of irony in the name.

      You know irony - like goldy and bronzy, but made of iron.

    12. Re:Why is it even called "Blackhat"? by TWiTfan · · Score: 4, Insightful

      When the head of the NSA--an agency absolutely notorious for lying to the American people, subverting the U.S. Constitution, and generally screwing over every freedom we the people have--can address the conference and not be immediately and universally booed the fuck offstage, you know you're not dealing with the same crowd that used to be there.

      --
      The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
    13. Re:Why is it even called "Blackhat"? by sabbede · · Score: 0

      Not just an intelligence agency, they are military intelligence. Part of the DoD. So, not only are they operating in contravention of their charter, one may even try the argument that they are violating the 3rd Ammendment! And I'd really like it if someone did try that. I don't think the 3rd has ever been used in the courts.

    14. Re: Why is it even called "Blackhat"? by Anonymous Coward · · Score: 0

      Maybe "money hat", or "vendor hat" would be a better fit?

    15. Re:Why is it even called "Blackhat"? by Anonymous Coward · · Score: 0

      ...but then it would attract the "cool" kids.

    16. Re: Why is it even called "Blackhat"? by eric4308 · · Score: 1

      It matters because it's important to have a basic understanding of our government and how it works. The average person's knowledge about law enforcement and intelligence comes from Hollywood movies and television. Hence, most news and dialogue around topics like NSA surveillance read like tabloid news and prevents having an accurate, rational discussion about what's going on.

  3. favorite news by Anonymous Coward · · Score: 1

    Hearing about the Snowden "hero or villain" vote, and that it was nearly 50/50. That tells you all you need to know about "Black Hat".

  4. Re:First credible way to detect real 0day on your by Anonymous Coward · · Score: 2, Interesting

    HTTP server on non-standard port with (probably) proprietary freeware that requires IE to work. Sounds genuine to me!

  5. Re:First credible way to detect real 0day on your by Sean · · Score: 2

    Oh, and make sure you have .NET 4.5 installed. The installer choked on me the first time because I didn't have it. You install it on your host system, and it connects to VMs of your choosing to analyze them.

  6. No doubt... by Anonymous Coward · · Score: 0

    It's called blackhat, because it's the one time a year they get together and brag about the exploits they've found, after having had an entire year to financially benefit through exploiting them.

    As far as the NSA arresting them: They're still backlogged due to the FIFO nature of their legal mechanisms and the fact that the blocking cases involve their own misconduct :)

  7. Re:First credible way to detect real 0day on your by Sean · · Score: 2

    Fair point, but it's not like getting something from port 80 or 443 really assures safety.

    Like I said it's really alpha. I would not run it on any important VMs anyway.

  8. Barnaby's Death by Anonymous Coward · · Score: 1

    A healthy 35 year old inexplicably dies when he's about to reveal a deadly vulnerability in pacemakers. In his words, the vulnerability allowed the knowledgeable to be able to kill anyone having a pacemaker within 20 feet of the attacker. Was it a horrible coincidence? Hopefully it wasn't pure evil, plain and simple; someone finding the solution too expensive to implement or a sinister organisation wanting to retain their secret weapon.

  9. Feds by Anonymous Coward · · Score: 0

    Thousands of federal employees and federal contractors self-identifying as computer criminals by attending a 'black hat' conference.

  10. 9TB for Crushing weak passwords by Delirium+Tremens · · Score: 1

    I'll take that with a grain of salt. Thank you.

    1. Re:9TB for Crushing weak passwords by MrMickS · · Score: 1

      Its it just me or does the idea of using an online cloud based service provided by a third party to test the strength of your password database sound like a bad idea?

      --
      You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
    2. Re: 9TB for Crushing weak passwords by chill · · Score: 1

      Wrong pronoun. It isn't for testing * your * passwords, it is for testing other people's password.

      --
      Learning HOW to think is more important than learning WHAT to think.
    3. Re: 9TB for Crushing weak passwords by pauljauregui · · Score: 1

      PWAudit.com plans to have private cloud and on-premise options. And there is a custom context-based wordlist generator built in, not to mention you can upload as many of your own wordlists, so the 9GB isn't a limitation. (Disclosure: I work for Praetorian and helped build it)

    4. Re:9TB for Crushing weak passwords by jon3k · · Score: 1

      Why? They have no idea what the password is for. If they already have a rainbow table, they already "know" your password. I don't see the issue?

  11. Ask Slashdot? by Fnord666 · · Score: 1

    Yet another editor that doesn't know how to post "Ask Slashdot" questions in the "Ask Slashdot" topic. For $deity's sake, is it really that hard to do? This topic exists for a reason. Use it.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  12. Like tripwire? by ulatekh · · Score: 2

    That sounds like tripwire to me.

    Plus, that link doesn't lead to information about blockwatch, but instead immediately tries to download a file. Not very friendly.

    --
    "Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters
    1. Re:Like tripwire? by Sean · · Score: 1

      It's like tripwire, except it works on code in memory. It has an online database where hashes of known code are stored in various sizes... so the client will hash 4k and ask the server if this is known. If so, move on we know what it is. If not, split it into 2 blocks of 2k. Can we positively identify that? Anything not identified continues to be split into smaller and smaller pieces.

      The software understands how processes are laid out so it's not going to hash your user data as that can't possibly provide a useful result.

      The idea is that we need to be able to ask, "Is this really Microsoft Word 2010 patchlevel X running on my system? Has it been modified in anyway, even via hotpatching memory? If so, show me exactly where it has been modified so I can focus my analysis on that"

      When you visit the site in Firefox for some reason it just tries to download something. I didn't try with other browsers. That's why I said use IE. Visit in IE and you see a little blurb about it with a couple different options for installing. It uses some Microsoft 1click installer framework... and yeah, this needs some serious release engineering work.

      It's alpha code. It seems to work better on HyperV than VMWare too... In VMWare I have to close the target VM (run in background) in order to get it to work. Some kind of locking issue I guess.

      Anyway, I think it's a really cool concept. I'm sure there will soon be a proper page put up to describe it, running on a standard port and everything.

  13. Blackhat Bingo by formfeed · · Score: 2

    I love to play Blackhat Bingo.

    Will the presenter die, commit suicide, leave the country, or just appear on a no-fly-list?

    Ahh, hacking was so much more fun before they were all terrorists..

    </sarcasm>

  14. To be all edgy and shit. by Anonymous Coward · · Score: 1

    The deeper problem is that very few of anyone in the security industry is actually a "hacker" in the (not quite, the one right after "maker of furniture with an axe") original sense of "being creative with technology", specifically to the point that people will go "I didn't know it could do that!?!".

    People needing epithets like "ethical", "black hat", "white hat", "green hat" to their "hacker" are not hackers. The first buffer overflow or SQL injection probably was a hack, but the 9000th, not so much. And that is more or less all these people are producing.

    Worse, it's not helping computer security forward in any meaningful way. Even the white hats are nothing more than the consultants spreading FUD and making good money prolonging the problem. Just look at all those press releases and blogs from the likes of Krebs and Kaspersky, and everyone else in the industry, really. Black hats are possibly more honest; they're part of a criminal cottage industry raking in other people's money--and identity, and banking login data, and anything else that sells. I'm sure most people at this conference won't admit to that, so they're really white hats, muddling the waters.

    But they're not really helping anyone, much less meaningfully improving security much at all. All they do is confuse people further about what "hacking" should mean -- it's the uninformed big media "anything vaguely dodgy involving computers somehow" taken to bigger extremes. Down to laws now existing criminalising "hacking", except that nobody knows what really got criminalised. Which is bad law by any standard.

    So anybody who's a "something hat hacker" or even an "ethical hacker" really is more of a crook fscking it up for progress. And it shows. What really substantial, structural thing has improved at all over the last few years in computer security? All I see is dabbling in the margins. That, then, is what being a "hatted hacker" means.

    So in a sense, this is a hipster term, and these people are all their very own brand of hipster.

  15. RFID hack is superfluous by MadCow-ard · · Score: 2

    There are hundreds of free-for-download Access Control software packages which will read the serial number from a RFID card. You don't need to go through the trouble of building a new package. The hard part is that most good AC systems don't use the serial from a smart card, they use one of the sectors on the chip. This is usually locked with a PKI method of encryption and thus much harder to break. He mentioned HID, which uses their own proprietary PKI (such as Legic does), but there are many standards such as DESFire which are open and manage access to the chip sectors. What the article is really talking about is normal 125MHz prox cards which are not secure and yes, widely used in the USA but not in Europe. The real way to crack even the HID encryption is to get behind the reader and capture the Wigand (text) output from the reader which does the encryption handshake for you. Watch out for tampers, but its not hard in any interior space, just look in the false ceiling for the controller and tap in where the cables enter it. Much easier then all this non-sense.

  16. Well I've seen them before but by BlindRobin · · Score: 1

    I liked the pigeons best and the rabbit is still pretty cool.

  17. SSL, gone in 30 seconds by dsinc · · Score: 4, Interesting

    http://breachattack.com/

  18. Not a that bad by foma84 · · Score: 1

    No, it doesn't sound like a bad idea in case you trust the service.
    Oh wait!

  19. Rabbi Convention? by Anonymous Coward · · Score: 0

    So this "Black Hat Convention" is not for Rabbis? ;)

  20. Pixel Perfect Timing Attacks by crowemojo · · Score: 1

    Easily one of the best technical talks I have ever seen; how timing attacks can be used to break the same origin policy and read the contents of a frame. This talk included demo's of an attacker site loading up a target site in a frame and reading the contents to grab the CSRF token. It was awesome. http://contextis.co.uk/files/Browser_Timing_Attacks.pdf