Black Hat 2010 Sessions - Day 2
The first day of sessions is complete and hackers and security professionals are preparing for the Day 2 sessions. But before we get into what to expect, let’s recap some of the high points from yesterday.
Barnaby Jack’s ATM vulnerability discussion was, as we expected, one of the main highlights from yesterday. His discussion explored some interesting ATM attacks, labeled as dangerous because they affect multiple types of ATMs. Over the course of his presentation, he addressed two types of ATM attacks, one physical and one remote, the latter considered more dangerous because attackers can silently gather account information from anyone who uses the ATM.
The remote attack, which he named “Dillinger,” exploits a vulnerability that exists within the remote monitoring authentication process. Unfortunately, most ATMs made by a certain manufacturer have this authentication process turned on by default. A rootkit can easily be installed once the vulnerability is exploited. For the purpose of his demonstration, Jack installed a rootkit named “Scrooge,” enabling the machine to spit out cash.
Additional highlights from yesterday’s speaking sessions include discussion of payment for researchers who identify vulnerabilities. This is a big discussion point for researchers following Tavis Ormandy’s public disclosure of the Microsoft vulnerability not too long ago.
Just like every argument, there are always two sides to the story. Microsoft and Cisco addressed the situation yesterday stating that “bug bounty programs” are not the best strategy for improving internet security. Other panelists, however, explained they thought it was a nice way for a researcher to be rewarded for identifying a vulnerability. Quite frequently, a researcher is offered little more than a “thank you.”
To try to get everyone on the same page, Microsoft created a “coordinated vulnerability disclosure” with the goal of aligning the motives of researchers and vendors. Microsoft also announced its Microsoft Active Protections Program (MAPP) will include vulnerability information sharing from Adobe Systems Inc. to help better protect customers by alerting them to vulnerabilities before Microsoft releases its monthly patches.
Additional highlights from Day 1 sessions include:
- The security of access points within the enterprise was called into question, particularly those still configured to use WEP instead of the more secure WPA.
- Department of Homeland Security prioritizing cybersecurity initiatives, although defining the scope and goals of these initiatives is proving to be more challenging and time consuming than expected.
- Increasing customization of malware to defeat layers of security in place and the increasing use of SEO to push out malware.
- Cell phones can indeed be hacked, especially those that use GSM (Global System for Mobile Communications), the global standard for cell phone radios that was previously thought to be a “walled garden.”
With so much of the show’s anticipation met within the first day of speaking sessions, what can we expect for Day 2? It is likely we’ll see continued discussion around vulnerability disclosure and Microsoft’s response to bug bounty programs, partnerships and other collaborations to ensure a common goal can be met when it comes to disclosing and fixing a vulnerability, and mobile device security and its impact on the enterprise network.
Check back in tomorrow for a recap of Day 2 sessions.
Posted by Kristin Forte Allaben on July 29, 2010 at 12:05 PM



