Aamir Lakhani

Securing Black Hat From Black Hat

'Dr. Chaos' shares the inside scoop on the challenges and rewards of protecting one of the 'most hostile networks on the planet.'

BLACK HAT USA -- Las Vegas -- Securing Black Hat from Black Hat sounds like a great tagline, but it's something volunteers at the Black Hat Network Operations Center (NOC) took very seriously last week when we were tasked with helping to secure one of the most hostile networks on the planet.

Our primary objective for network security was to maintain an open environment that was both available and performed well, but equally safe and secure. The principal challenge came from the Black Hat attendees themselves, a group of men and women who were constantly testing new attack techniques and tools against the network throughout the entirety of the conference. Thus, for those of us in the NOC, our goal was to get out of the way of attendees’ learning and calibration process because we share the belief that testing security effectiveness means testing with live attacks and the newest techniques. That’s what the bad guys do, and that’s how we learn to protect ourselves.

At the same time, Black Hat NOC volunteers must also ensure that all management and registration networks are protected and adhere to guidelines from both the event venue at the Mandalay Bay and the Internet Service Providers providing web access.

Many attendees understood the potential dangers of the Black Hat network and took steps to protect themselves when using it. The top 20 applications we observed were VPN clients or other privacy-related tools. It appears that security professionals have learned they should always use a VPN on an open wireless network.

Image Source: Black Hat Events

When the Black Hat NOC observed what could be classified as "threats," we believed them to be related to attendees testing applications and attack techniques rather than using applications for nefarious activities. The top threat detected was Netcat, a general-purpose network utility often used by penetration testers and in classroom environments to teach attacker techniques. Yes, it is possible real attackers with malicious intent could be using this as well; after all, it's a very simple and easy-to-use application. But my gut tells me they would use something a little more effective.

The Black Hat NOC also observed a detection named JS/Frame.BDF!tr. This signature covers malicious JavaScript and hidden iFrames that attempt to compromise a visiting browser, and it was the second most common threat the NOC observed during the conference, most likely because the same signature catches many different kinds of web HTML and iFrame attacks.

Attackers sometimes pair this attack with social engineering, tricking a user into accepting a fake software update or clicking OK on a web dialog box. Although the attack can be embedded in a way that evades anti-virus and other host protection technologies, there are much more sophisticated ways to get the same result that work far more efficiently.

In most cases the JS/Frame virus was used in a classroom or learning environment where attendees were learning about techniques, or it could have simply been the amateur attacker trying his luck on the Black Hat network. At an event like this, you are always going to have a few script kiddies who do not understand hacking and are using pre-built scripts and programs made by others to launch attacks.

Hands-on learning

Participants in sessions about web application hacking exposed the NOC team to software such as Zeus crawl, which attendees themselves quickly contained and stopped as they learned how sophisticated malware works and propagates.

The NOC also observed outbound botnet traffic attempting to communicate with known command-and-control servers, including traffic associated with the Neurevt and Cridex botnets. It is difficult to tell whether this traffic was generated on purpose, perhaps for a Black Hat class, whether attendees became infected while at Black Hat, or whether they were infected before they even arrived at the conference. Since the botnet communication appeared all at once on the first day rather than rising gradually and predictably, I tend to believe at least some of it came from attendees who were infected before they ever arrived in Las Vegas.
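The kind of triage a NOC analyst might run to act on that observation, added here as an illustration and not the Black Hat NOC's own tooling: match outbound flows against a command-and-control indicator list, record each host's first beacon relative to the moment the attendee network went live, and separate hosts that were already beaconing within minutes of network-open (likely infected before arrival) from those that started later (infected on site, or deliberately testing). The indicator addresses, log lines, network-open time and window are constructed assumptions; the IPs are documentation ranges, not real Neurevt or Cridex infrastructure.

```python
"""Triage outbound C2 beacons from conference-network flow logs.

Added example, not the Black Hat NOC's code. Every indicator, log line and
timing threshold below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed C2 indicator list (hypothetical): destination IP -> malware family.
C2_INDICATORS = {
    "203.0.113.10": "Neurevt",
    "203.0.113.44": "Cridex",
    "198.51.100.7": "Cridex",
}

# Constructed flow-log lines: "<ISO timestamp> <src_ip> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
2015-08-05T09:02:11 10.20.1.15 -> 203.0.113.10:443
2015-08-05T09:02:40 10.20.1.22 -> 198.51.100.7:8080
2015-08-05T09:03:05 10.20.1.15 -> 93.184.216.34:443
2015-08-05T09:05:59 10.20.1.22 -> 198.51.100.7:8080
2015-08-05T13:30:00 10.20.3.101 -> 203.0.113.44:80
2015-08-05T13:31:00 10.20.3.101 -> 203.0.113.44:80
2015-08-06T10:15:00 10.20.5.9 -> 203.0.113.10:443
"""

# Assumed: when the attendee network went live, and how soon after that a
# first beacon is taken to mean the host arrived already infected.
NETWORK_OPEN = datetime(2015, 8, 5, 9, 0, 0)
EARLY_WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Split one flow-log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts_str, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts_str), src, dst, int(port)


def c2_hits(log_text, indicators=C2_INDICATORS):
    """Yield (timestamp, src, dst, family) for flows whose destination is a listed C2."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port = parse_line(line)
        if dst in indicators:
            yield ts, src, dst, indicators[dst]


def triage(log_text, network_open=NETWORK_OPEN, early_window=EARLY_WINDOW):
    """Per beaconing host: family, first beacon time, beacon count and a verdict.

    A host whose first beacon falls within early_window of network_open is
    marked 'pre-infected'; anything later is 'infected-or-testing-on-site'.
    """
    first_seen, family, counts = {}, {}, defaultdict(int)
    for ts, src, _dst, fam in c2_hits(log_text):
        counts[src] += 1
        family[src] = fam
        if src not in first_seen or ts < first_seen[src]:
            first_seen[src] = ts
    report = {}
    for src, ts in first_seen.items():
        early = ts - network_open <= early_window
        report[src] = {
            "family": family[src],
            "first_seen": ts,
            "beacons": counts[src],
            "verdict": "pre-infected" if early else "infected-or-testing-on-site",
        }
    return report


def early_fraction(report):
    """Share of beaconing hosts already active right after network-open.

    A high value is the 'appeared all at once on day one' pattern rather
    than a gradual rise from infections picked up during the event.
    """
    if not report:
        return 0.0
    early = sum(1 for r in report.values() if r["verdict"] == "pre-infected")
    return early / len(report)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host, info in sorted(result.items()):
        print(f"{host:12} {info['family']:8} first={info['first_seen']:%Y-%m-%d %H:%M} "
              f"beacons={info['beacons']} {info['verdict']}")
    print(f"early fraction: {early_fraction(result):.2f}")
```

The verdict is only a heuristic: a classroom exercise that started the moment the network opened would also land in the early window, so the report is a prioritised list for follow-up, not proof of prior infection.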

Now, if you think anything like I do, you're likely wondering, "Where are all the new attacks? Where are all the zero-days in the network?" The truth is, the goal of the Black Hat network is to promote sharing of information, and we take privacy and the ability for attendees to learn very seriously. If attendees were executing more sophisticated attacks, they may have been doing so through encryption or VPNs. We did not observe any new exploits being used or anything that I would define as a zero-day attack. We did see some new variants of old attacks that may not necessarily have been detected by security tools. However, we found nothing that we considered really earth shattering.

It actually makes perfect sense if you think about it. Black Hat is a learning environment and it is about sharing ideas. Zero-days, although they are pretty sexy in the security world, have a limited shelf life. However, when attendees learn the actual techniques behind well-known malware, they understand how it truly behaves and how attackers really think. This allows them to take that knowledge and defend their own networks.

What did we learn from Black Hat? Attendees are testing real attacker tools and techniques at the conference. But attackers are not truly testing, or bringing with them, complex attacks that take advantage of new, unknown exploits. (Or if they are, they are doing it over an encrypted non-observable channel.)

In any case, I wouldn't worry too much. Unlike attendees, I can confidently say everyone involved in the Black Hat network takes privacy extremely seriously and no one would ever run any type of SSL interception or man-in-the-middle attack (well, at least no one running the official network). But you might want to watch out for other attendees.

Black Hat Europe returns to Amsterdam, Netherlands, November 12 & 13, 2015.

Aamir Lakhani is a cyber security researcher and practitioner with Fortinet and FortiGuard Labs, with over 10 years of experience in the security industry. He is responsible for providing IT security solutions to major commercial and federal enterprise organizations. Lakhani ...
Comments

Joe Stanganelli, 8/23/2015 | 11:54:44 PM
This is why I don't use the public Wi-Fi at ANY tech conference (let alone Black Hat!). It's just asking for trouble.