8/14/2015
11:30 AM
Aamir Lakhani
Commentary

Securing Black Hat From Black Hat

'Dr. Chaos' shares the inside scoop on the challenges and rewards of protecting one of the 'most hostile networks on the planet.'

BLACK HAT USA -- Las Vegas -- Securing Black Hat from Black Hat sounds like a great tagline, but it’s something volunteers at the Black Hat Network Operations Center (NOC) took very seriously last week when we were tasked to help secure one of the most hostile networks on the planet.   

Our primary objective for network security was to maintain an open environment that was both available and performed well, but equally safe and secure. The principal challenge came from the Black Hat attendees themselves, a group of men and women who were constantly testing new attack techniques and tools against the network throughout the entirety of the conference. Thus, for those of us in the NOC, our goal was to get out of the way of attendees’ learning and calibration process because we share the belief that testing security effectiveness means testing with live attacks and the newest techniques. That’s what the bad guys do, and that’s how we learn to protect ourselves.

At the same time, Black Hat NOC volunteers must also ensure that all management and registration networks are protected and adhere to guidelines from both the event venue at the Mandalay Bay and the Internet Service Providers providing web access.

Many attendees understood the potential dangers of the Black Hat network and took steps to ensure their safety when accessing the network. The top 20 applications we observed were related to secure VPNs or other privacy-related applications. It appears that security professionals have started to learn they should always use a VPN on an open wireless network.

Image Source: Black Hat Events

When the Black Hat NOC observed what could be classified as “threats” we believed them to be related to attendees testing applications and attack techniques rather than using applications for nefarious activities. The top threat detected was an application called Netcat – often used by penetration testers or in classroom environments to teach attacker techniques. Yes, it is possible real attackers with malicious intent could be using this as well; after all, it’s a very simple and easy-to-use application. But my gut tells me they would use something a little more effective.

The Black Hat NOC also observed a virus called JS/Frame.BDF!tr. This virus attempts to gain access to a victim’s computer and was the second most popular threat the NOC observed during the conference – most likely because the signature catches different types of web HTML and iFrame attacks.

Attackers sometimes pair this virus with social engineering, tricking a user into accepting a fake software update or clicking OK on some sort of web dialog box. Although it is possible to embed and use this attack in a manner that evades anti-virus and other host protection technologies, there are much more sophisticated ways to get the same results that work far more efficiently.

In most cases the JS/Frame virus was used in a classroom or learning environment where attendees were learning about techniques, or it could have simply been the amateur attacker trying his luck on the Black Hat network. At an event like this, you are always going to have a few script kiddies who do not understand hacking and are using pre-built scripts and programs made by others to launch attacks.
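The JS/Frame detections above come from a signature that matches injected HTML and iframe content. As an added example (not code from the original article or from the Black Hat NOC), here is a small defensive triage script that scans a page for the hidden or off-screen iframes such signatures typically flag; the thresholds and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Heuristics for an injected, hidden or off-screen <iframe>, the pattern a
# JS/Frame-style signature flags. Thresholds below are assumptions.
TINY = {"0", "1", "0px", "1px"}
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


class IframeAuditor(HTMLParser):
    """Collect every <iframe> start tag and the reasons it looks suspicious."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        reasons = []
        if a.get("width") in TINY or a.get("height") in TINY:
            reasons.append("tiny dimensions")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if a.get("src", "").lower().startswith("javascript:"):
            reasons.append("javascript: src")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def audit_html(html):
    """Return [(src, [reasons...]), ...] for suspicious iframes, in document order."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate embed and two injected frames.
SAMPLE = """<html><body>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<iframe src="http://loader.example.invalid/x.php" width="1" height="1"></iframe>
<iframe src="http://update.example.invalid/flash.html" style="position:absolute;left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_html(SAMPLE):
        print(f"suspicious iframe {src!r}: {', '.join(why)}")
```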

Hands-on learning

Participants in sessions about web application hacking led the NOC team to software such as Zeus crawl, which was quickly contained and stopped by attendees themselves as they learned how sophisticated malware works and propagates.

The NOC also observed outgoing botnet traffic attempting to communicate with known compromised command-and-control servers, including traffic from the Neurevt and Cridex botnets. It is difficult to say whether this traffic was generated on purpose, perhaps for a Black Hat class, whether attendees became infected while at Black Hat, or whether they were infected before they even arrived at the conference. Since the botnet communication appeared all at once on the first day rather than rising gradually and predictably, I tend to believe at least some of the traffic came from attendees who were infected before they ever arrived in Las Vegas.
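The reasoning above (beaconing that is present the moment the network goes live points to hosts that arrived infected) can be turned into a simple NOC check. This is an added example, not the Black Hat NOC's tooling: the log format, the conference start time, the one-hour grace window and the C2 indicator addresses (TEST-NET placeholders, not real IoCs) are all constructed assumptions.

```python
from datetime import datetime

# Constructed C2 indicator list with placeholder addresses (not real IoCs);
# a NOC would load this from its threat-intel feed.
C2_INDICATORS = {
    "203.0.113.10": "Neurevt (placeholder)",
    "198.51.100.77": "Cridex (placeholder)",
}
CONFERENCE_START = datetime(2015, 8, 5, 8, 0)   # assumed network go-live

# Constructed firewall log: "<date> <time> <src_ip> <dst_ip>:<port> <action>"
LOG = """\
2015-08-05 08:02:11 10.20.1.15 203.0.113.10:8080 allow
2015-08-05 08:03:40 10.20.1.15 203.0.113.10:8080 allow
2015-08-05 08:05:02 10.20.3.9 198.51.100.77:443 allow
2015-08-05 09:10:00 10.20.1.22 93.184.216.34:443 allow
2015-08-06 14:31:55 10.20.5.40 198.51.100.77:443 allow
2015-08-06 14:32:10 10.20.5.40 198.51.100.77:443 allow
"""


def parse_line(line):
    date, time, src, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), src, dst, int(port), action


def c2_contacts(log_text):
    """Return {src_ip: (family, first_seen, hit_count)} for hosts that hit a C2 indicator."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port, _action = parse_line(line)
        family = C2_INDICATORS.get(dst)
        if family is None:
            continue
        fam, first, n = seen.get(src, (family, ts, 0))
        seen[src] = (fam, min(first, ts), n + 1)
    return seen


def classify(first_seen, start=CONFERENCE_START, grace_hours=1):
    """Beaconing within the grace window after go-live suggests a host that
    arrived already infected; later onset suggests on-site infection or class
    traffic. The window length is an assumption."""
    delta_hours = (first_seen - start).total_seconds() / 3600
    return "likely pre-infected" if delta_hours <= grace_hours else "infected/used on site"


if __name__ == "__main__":
    for src, (family, first, n) in c2_contacts(LOG).items():
        print(f"{src}: {family}, {n} hits, first seen {first}, {classify(first)}")
```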

Now, if you think anything like I do, you’re likely wondering, “Where are all the new attacks? Where are all the zero-days in the network?” The truth is, the goal of the Black Hat network is to promote sharing of information, and we take privacy and the ability for attendees to learn very seriously. If attendees were executing more sophisticated attacks, it is possible they may have been doing it through encryption or VPNs. We did not observe any new exploits being taken advantage of or anything that I would define as a zero-day attack. We did see some new variants of old attacks that may not have necessarily been detected by security tools. However, we found nothing that we considered really earth shattering.

It actually makes perfect sense if you think about it. Black Hat is a learning environment and it is about sharing ideas. Zero-days, although they are pretty sexy in the security world, have a limited shelf life. However, when attendees learn the actual techniques behind well-known malware, they understand how it truly behaves and how attackers really think. This allows them to take that knowledge and defend their own networks.

What did we learn from Black Hat? Attendees are testing real attacker tools and techniques at the conference. But attackers are not truly testing, or bringing with them, complex attacks that take advantage of new, unknown exploits. (Or if they are, they are doing it over an encrypted non-observable channel.)

In any case, I wouldn’t worry too much. Unlike attendees, I can confidently say everyone involved in the Black Hat network takes privacy extremely seriously, and no one would ever run any type of SSL intercept or man-in-the-middle attack. (Well, at least no one running the official network.) But you might want to look out for other attendees.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for more information and to register.

Aamir Lakhani is a cyber security researcher and practitioner with Fortinet and FortiGuard Labs, with over 10 years of experience in the security industry. He is responsible for providing IT security solutions to major commercial and federal enterprise organizations. Lakhani ...
Comments
Joe Stanganelli
8/23/2015 | 11:54:44 PM
Wi-Fi
This is why I don't use the public Wi-Fi at ANY tech conference (let alone Black Hat!).  It's just asking for trouble.