Blackhat USA 2011 Talks

Blackhat USA 2011 wraps up and the Defcon conference starts today. There is a little something for everyone in security here. Aside from the contests, networking, meeting folks in the industry and putting faces to names, I thought that the briefings had two fantastic talks.

The first of the two focused on breaking out of the official virtualization platform for Ubuntu and Red Hat, Kernel Based Virtual Machine, or KVM. The second focused on the massive challenges that exist in the current SSL infrastructure, or PKI.

KVM is gaining traction in the virtualization and cloud space, but there hasn’t been public security research efforts on this platform like there has been with VMWare and Xen. Nelson Elhage pointed out that the adoption of the platform will bring with it increased scrutiny, and that parts of the existing code is a “gold mine” for vulnerability hunters. He methodically reviewed CVE-2011-1751, and delivered the goods with an exploit demo implementing not ROP to evade DEP, but an in-memory timing chain fragment reuse technique. While the cloud has been under attack with multiple known exploits for Xen and VMWare from Invisible Things Lab and Immunity, Elhage pointed out that virtualization does not provide a reliable layer of security through isolation on its own.

Probably the best speaker at the conference this year was Moxie Marlinspike. His presentation was a talk about trust, and the massive breakdown of trust related to SSL this past year. He reviewed the ridiculous antics around the certificate authority Comodo hack, how cemented these organizations are in the infrastructure in the face of the repeated intrusions and mistaken certificate issuance, and what is missing from the infrastructure. To help overcome these challenges, he proposed adding “trust agility” to the infrastructure. He meant two enhancements need to be added to the trust model:

  1. a trust decision can be easily revised at any time
  2. individual users can decide where to anchor their trust

He reviewed why DNSSEC would continue to centralize trust in its model, and proposed a new implementation of certificate handling used in encrypted communications with web servers, where software clients contact “Notaries” for certificates to maintain encrypted communications, instead of letting web sites contact CAs to validate them. All of these ideas and the implementation of the concepts are available as a part of his Convergence project website. Details are provided there and Firefox users can download a plugin there.

Blackhat USA 2011 Talks

Your email address will not be published. Required fields are marked *



Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox