Blackhat USA 2011 Talks

Blackhat USA 2011 wraps up and the Defcon conference starts today. There is a little something for everyone in security here. Aside from the contests, networking, meeting folks in the industry and putting faces to names, I thought that the briefings had two fantastic talks.

The first of the two focused on breaking out of the official virtualization platform for Ubuntu and Red Hat, Kernel Based Virtual Machine, or KVM. The second focused on the massive challenges that exist in the current SSL infrastructure, or PKI.

KVM is gaining traction in the virtualization and cloud space, but there hasn’t been public security research efforts on this platform like there has been with VMWare and Xen. Nelson Elhage pointed out that the adoption of the platform will bring with it increased scrutiny, and that parts of the existing code is a “gold mine” for vulnerability hunters. He methodically reviewed CVE-2011-1751, and delivered the goods with an exploit demo implementing not ROP to evade DEP, but an in-memory timing chain fragment reuse technique. While the cloud has been under attack with multiple known exploits for Xen and VMWare from Invisible Things Lab and Immunity, Elhage pointed out that virtualization does not provide a reliable layer of security through isolation on its own.

Probably the best speaker at the conference this year was Moxie Marlinspike. His presentation was a talk about trust, and the massive breakdown of trust related to SSL this past year. He reviewed the ridiculous antics around the certificate authority Comodo hack, how cemented these organizations are in the infrastructure in the face of the repeated intrusions and mistaken certificate issuance, and what is missing from the infrastructure. To help overcome these challenges, he proposed adding “trust agility” to the infrastructure. He meant two enhancements need to be added to the trust model:

  1. a trust decision can be easily revised at any time
  2. individual users can decide where to anchor their trust

He reviewed why DNSSEC would continue to centralize trust in its model, and proposed a new implementation of certificate handling used in encrypted communications with web servers, where software clients contact “Notaries” for certificates to maintain encrypted communications, instead of letting web sites contact CAs to validate them. All of these ideas and the implementation of the concepts are available as a part of his Convergence project website. Details are provided there and Firefox users can download a plugin there.

Blackhat USA 2011 Talks

Your email address will not be published. Required fields are marked *



APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox