Aamir Lakhani

Securing Black Hat From Black Hat

'Dr. Chaos' shares the inside scoop on the challenges and rewards of protecting one of the 'most hostile networks on the planet.'

BLACK HAT USA -- Las Vegas -- Securing Black Hat from Black Hat sounds like a great tagline, but it’s something volunteers at the Black Hat Network Operations Center (NOC) took very seriously last week when we were tasked to help secure one of the most hostile networks on the planet.   

Our primary objective for network security was to maintain an open environment that was both available and performed well, but equally safe and secure. The principal challenge came from the Black Hat attendees themselves, a group of men and women who were constantly testing new attack techniques and tools against the network throughout the entirety of the conference. Thus, for those of us in the NOC, our goal was to get out of the way of attendees’ learning and calibration process because we share the belief that testing security effectiveness means testing with live attacks and the newest techniques. That’s what the bad guys do, and that’s how we learn to protect ourselves.

At the same time, Black Hat NOC volunteers must also ensure that all management and registration networks are protected and adhere to guidelines from both the event venue at the Mandalay Bay and the Internet Service Providers providing web access.

Many attendees understood the potential dangers of the Black Hat network and took steps to ensure their safety when accessing the network. The top 20 applications we observed were related to secure VPNs or other privacy-related applications. It appears that security professionals have started to learn they should always use a VPN on an open wireless network.

Image Source: Black Hat Events

When the Black Hat NOC observed what could be classified as “threats” we believed them to be related to attendees testing applications and attack techniques rather than using applications for nefarious activities. The top threat detected was an application called Netcat – often used by penetration testers or in classroom environments to teach attacker techniques. Yes, it is possible real attackers with malicious intent could be using this as well; after all, it’s a very simple and easy-to-use application. But my gut tells me they would use something a little more effective.

The Black Hat NOC also observed a virus called JS/Frame.BDF!tr. This virus attempts to gain access to a victim’s computer and was the second most popular threat the NOC observed during the conference – most likely because the signature catches different types of web HTML and iFrame attacks.

Attackers sometimes pair this virus with a social engineering technique, trying to trick a user into accepting a software update or some sort of web dialog box they need to click OK on. Although it is possible to embed and use this attack in a manner that could evade anti-virus and other host protection technologies, there are much more sophisticated ways to get the same results that work much more efficiently.

In most cases the JS/Frame virus was used in a classroom or learning environment where attendees were learning about techniques, or it could have simply been the amateur attacker trying his luck on the Black Hat network. At an event like this, you are always going to have a few script kiddies who do not understand hacking and are using pre-built scripts and programs made by others to launch attacks.

Hands-on learning

Participants in sessions about web application hacking led the NOC team to software such as Zeus crawl, which was quickly contained and stopped by attendees themselves as they learned how sophisticated malware works and propagates.

The NOC also observed outgoing botnet traffic attempting to communicate with known command and control servers. This included traffic from the Neurevt botnet and the Cridex botnet. It is difficult to say whether this botnet traffic was generated on purpose, perhaps for a Black Hat class, whether attendees had become infected while at Black Hat, or whether they had been infected before they even arrived at the conference. Since we saw botnet communication appear all of a sudden on the first day rather than a gradual, predictable rise, I tend to believe at least some of that traffic came from attendees infected before they even arrived in Las Vegas.
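The "sudden onset versus gradual rise" reasoning above can be made measurable: collapse repeated C2 beacons to one first-seen time per host, then count how many newly infected hosts appear in each hour after the network opens. This is an added example, not code from the article or the Black Hat NOC; the alert format, source addresses and network opening time are constructed, and only the botnet family names come from the article.

```python
"""Onset analysis of botnet C2 alerts seen by a conference NOC (added example, not the
article's or the Black Hat NOC's code; alert format, hosts and opening time constructed)."""
from collections import Counter
from datetime import datetime

# Constructed alert lines: ISO timestamp, attendee source IP, botnet family.
SAMPLE_ALERTS = """\
2015-08-05T09:02:11 10.20.1.15 Neurevt
2015-08-05T09:03:40 10.20.1.16 Cridex
2015-08-05T09:05:02 10.20.1.15 Neurevt
2015-08-05T09:07:55 10.20.2.8 Cridex
2015-08-05T09:09:13 10.20.3.21 Neurevt
2015-08-05T09:11:30 10.20.1.16 Cridex
2015-08-05T13:45:00 10.20.4.2 Cridex
2015-08-06T10:12:44 10.20.5.9 Neurevt
"""
NETWORK_OPEN = datetime(2015, 8, 5, 9, 0, 0)  # constructed: when the attendee network came up

def parse_alerts(text):
    """Yield (timestamp, src_ip, family) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, family = line.split()
            yield datetime.fromisoformat(ts), src, family

def first_seen_per_host(alerts):
    """Map each source host to its earliest C2 alert; repeated beacons collapse to one host."""
    first = {}
    for ts, src, _family in alerts:
        if src not in first or ts < first[src]:
            first[src] = ts
    return first

def onset_histogram(first_seen, network_open=NETWORK_OPEN, bucket_minutes=60):
    """Count newly seen infected hosts per bucket of minutes since the network opened."""
    hist = Counter()
    for ts in first_seen.values():
        minutes = (ts - network_open).total_seconds() / 60
        hist[int(minutes // bucket_minutes)] += 1
    return hist

def classify_onset(hist, step_threshold=0.5):
    """'pre-existing' if at least step_threshold of hosts first call out in the opening bucket
    (a step, not a ramp), 'gradual' otherwise, 'none' when there were no alerts at all."""
    total = sum(hist.values())
    if total == 0:
        return "none"
    return "pre-existing" if hist.get(0, 0) / total >= step_threshold else "gradual"

if __name__ == "__main__":
    hist = onset_histogram(first_seen_per_host(parse_alerts(SAMPLE_ALERTS)))
    print(dict(sorted(hist.items())), classify_onset(hist))  # {0: 4, 4: 1, 25: 1} pre-existing
```

Four of the six hosts in the constructed log first beacon within the opening hour, which is the step profile the article describes; a ramp spread across later buckets would classify as gradual.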

Now, if you think anything like I do, you’re likely wondering, “Where are all the new attacks? Where are all the zero-days in the network?” The truth is, the goal of the Black Hat network is to promote sharing of information, and we take privacy and the ability for attendees to learn very seriously. If attendees were executing more sophisticated attacks, it is possible they were doing it through encryption or VPNs. We did not observe any new exploits being taken advantage of or anything that I would define as a zero-day attack. We did see some new variants of old attacks that may not necessarily have been detected by security tools. However, we found nothing that we considered really earth shattering.

It actually makes perfect sense if you think about it. Black Hat is a learning environment and it is about sharing ideas. Zero-days, although they are pretty sexy in the security world, have a limited shelf life. However, when attendees learn the actual techniques behind well-known malware, they understand how it truly behaves and how attackers really think. This allows them to take that knowledge and defend their own networks.

What did we learn from Black Hat? Attendees are testing real attacker tools and techniques at the conference. But attackers are not truly testing, or bringing with them, complex attacks that take advantage of new, unknown exploits. (Or if they are, they are doing it over an encrypted non-observable channel.)

In any case, I wouldn’t worry too much. Unlike some attendees, everyone involved in running the Black Hat network takes privacy extremely seriously, and I can confidently say no one would ever run any type of SSL intercept or man-in-the-middle attack. (Well, at least no one running the official network.) But you might want to look out for other attendees.


Aamir Lakhani is a cyber security researcher and practitioner with Fortinet and FortiGuard Labs, with over 10 years of experience in the security industry. He is responsible for providing IT security solutions to major commercial and federal enterprise organizations. Lakhani ...

Joe Stanganelli
8/23/2015 | 11:54:44 PM
This is why I don't use the public Wi-Fi at ANY tech conference (let alone Black Hat!). It's just asking for trouble.