Aamir Lakhani

Securing Black Hat From Black Hat

'Dr. Chaos' shares the inside scoop on the challenges and rewards of protecting one of the 'most hostile networks on the planet.'

BLACK HAT USA -- Las Vegas -- Securing Black Hat from Black Hat sounds like a great tagline, but it’s something volunteers at the Black Hat Network Operations Center (NOC) took very seriously last week when we were tasked to help secure one of the most hostile networks on the planet.

Our primary objective for network security was to maintain an open environment that was both available and performed well, but equally safe and secure. The principal challenge came from the Black Hat attendees themselves, a group of men and women who were constantly testing new attack techniques and tools against the network throughout the entirety of the conference. Thus, for those of us in the NOC, our goal was to get out of the way of attendees’ learning and calibration process because we share the belief that testing security effectiveness means testing with live attacks and the newest techniques. That’s what the bad guys do, and that’s how we learn to protect ourselves.

At the same time, Black Hat NOC volunteers must also ensure that all management and registration networks are protected and adhere to guidelines from both the event venue at the Mandalay Bay and the Internet Service Providers providing web access.

Many attendees understood the potential dangers of the Black Hat network and took steps to ensure their safety when accessing the network. The top 20 applications we observed were related to secure VPNs or other privacy-related applications. It appears that security professionals have started to learn they should always use a VPN on an open wireless network.

When the Black Hat NOC observed what could be classified as “threats,” we believed them to be related to attendees testing applications and attack techniques rather than using applications for nefarious activities. The top threat detected was an application called Netcat – often used by penetration testers or in classroom environments to teach attacker techniques. Yes, it is possible real attackers with malicious intent could be using this as well; after all, it’s a very simple and easy-to-use application. But my gut tells me they would use something a little more effective.

The Black Hat NOC also observed a virus called JS/Frame.BDF!tr. This virus attempts to gain access to a victim’s computer and was the second most popular threat the NOC observed during the conference – most likely because the signature catches different types of web HTML and iFrame attacks.

Attackers sometimes use this virus with a social engineering technique, trying to trick a user into accepting a software update or some sort of web dialogue box they need to click OK on. Although it is possible to embed and use this attack in a manner that could evade anti-virus and other host protection technologies, there are much more sophisticated ways to get the same results that work much more efficiently.

In most cases the JS/Frame virus was used in a classroom or learning environment where attendees were learning about techniques, or it could have simply been the amateur attacker trying his luck on the Black Hat network. At an event like this, you are always going to have a few script kiddies who do not understand hacking and are using pre-built scripts and programs made by others to launch attacks.

Hands-on learning

Participants in sessions about web application hacking led the NOC team to software such as Zeus crawl, which was quickly contained and stopped by attendees themselves as they learned how sophisticated malware works and propagates.

The NOC also observed outgoing botnet traffic attempting to communicate with known compromised command and control servers. This included communication traffic from the Neurevt botnet and the Cridex botnet. It is difficult to guess whether this botnet traffic was communicating on purpose, perhaps for a Black Hat class, whether attendees had become infected while at Black Hat, or whether they had been infected before they even arrived at the conference. Since we saw botnet communication appear all of a sudden on the first day rather than as a gradual, predictable rise, I tend to believe at least a percentage of the traffic came from attendees infected before they even arrived in Las Vegas.
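As an added illustration of the inference in the paragraph above (example code, not anything run by the Black Hat NOC), the following Python matches constructed flow records against a constructed list of C2 addresses and then checks whether beaconing was already at full rate in the first window of the conference or ramped up gradually; the addresses, hosts, timestamps and the 6-hour window width are all assumptions.

```python
"""Classify outbound C2 beaconing by onset shape. Added example, not NOC code."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed indicator list: documentation-range addresses, not real C2 infrastructure.
KNOWN_C2 = {"198.51.100.7": "Neurevt", "203.0.113.22": "Cridex"}

# Constructed flow log (time, source host, destination); not captured at Black Hat.
SAMPLE_FLOWS = """\
2015-08-05T08:02:11 10.1.4.21 198.51.100.7
2015-08-05T08:05:40 10.1.7.3 203.0.113.22
2015-08-05T08:31:02 10.1.4.21 198.51.100.7
2015-08-05T09:12:55 10.1.9.14 93.184.216.34
2015-08-05T11:40:07 10.1.7.3 203.0.113.22
2015-08-05T15:20:19 10.1.4.21 198.51.100.7
2015-08-05T19:44:48 10.1.7.3 203.0.113.22
2015-08-06T08:10:30 10.1.4.21 198.51.100.7
2015-08-06T12:33:12 10.1.7.3 203.0.113.22
2015-08-06T17:01:59 10.1.4.21 198.51.100.7
"""

CONFERENCE_START = datetime(2015, 8, 5, 6, 0)  # assumed opening of the network


def parse_flows(text):
    for line in text.splitlines():
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def c2_hits(text):
    """Return (time, source host, botnet family) for flows to a known C2 address."""
    return [(ts, src, KNOWN_C2[dst]) for ts, src, dst in parse_flows(text) if dst in KNOWN_C2]


def hits_per_window(hits, start=CONFERENCE_START, window_hours=6):
    """Count hits in consecutive fixed-width windows measured from the start."""
    if not hits:
        return []
    width = timedelta(hours=window_hours)
    counts = Counter((ts - start) // width for ts, _, _ in hits)
    return [counts[i] for i in range(max(counts) + 1)]


def onset_shape(counts):
    """'abrupt' if the first window already carries at least half the peak rate
    (machines were beaconing as soon as they joined), 'gradual' if activity ramps
    up from near zero (consistent with infection happening on site)."""
    if not counts or max(counts) == 0:
        return "none"
    return "abrupt" if counts[0] * 2 >= max(counts) else "gradual"
```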

Now, if you think anything like I do, you’re likely wondering, “Where are all the new attacks? Where are all the zero-days in the network?” The truth is, the goal of the Black Hat network is to promote sharing of information, and we take privacy and the ability for attendees to learn very seriously. If attendees were executing more sophisticated attacks, it is possible they may have been doing it through encryption or VPNs. We did not observe any new exploits being taken advantage of or anything that I would define as a zero-day attack. We did see some new variants of old attacks that may not have necessarily been detected by security tools. However, we found nothing that we considered really earth shattering.

It actually makes perfect sense if you think about it. Black Hat is a learning environment and it is about sharing ideas. Zero-days, although they are pretty sexy in the security world, have a limited shelf life. However, when attendees learn the actual techniques behind well-known malware, they understand how it truly behaves and how attackers really think. This allows them to take that knowledge and defend their own networks.

What did we learn from Black Hat? Attendees are testing real attacker tools and techniques at the conference. But attackers are not truly testing, or bringing with them, complex attacks that take advantage of new, unknown exploits. (Or if they are, they are doing it over an encrypted non-observable channel.)

In any case, I wouldn’t worry too much. Unlike attendees, I can confidently say everyone involved in the Black Hat network takes privacy extremely seriously, and no one would ever run any type of SSL intercept or man-in-the-middle attack. (Well, at least no one running the official network.) But you might want to look out for other attendees.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015.

Aamir Lakhani formulates security strategy with more than 15 years of cybersecurity experience, his goal being to make a positive impact toward the global war on cybercrime and information security. Lakhani provides thought leadership to industry and has presented research and ...

Joe Stanganelli, 8/23/2015 | 11:54:44 PM
This is why I don't use the public Wi-Fi at ANY tech conference (let alone Black Hat!). It's just asking for trouble.