Last week, our team from Qualys Engineering participated in the Black Hat, B-Sides and DEF CON events in Las Vegas, and presented sessions on Web application security and flaws in Internet-attached DVRs, and introduced a tool to probe for DoS problems in web applications.
But we were mainly in Las Vegas to attend presentations to see the latest on what is going on in our field and to maintain relationships with other researchers and vendors. We saw a number of excellent presentations; here is a quick rundown of our favorites:
“Hunting the Shadows: In Depth Analysis of Escalated APT Attacks” at Black Hat
by Fyodor Yaro, Benson Wu, and team
Fyodor, Benson and team provided great insight into the daily attacks that are happening against the Taiwanese government. Their team had access to the Internet gateways used by the government and was able to analyze APT-style attacks and their success rates. They showed the botnets of thousands of “chickens” (botnet zombies in Taiwanese) generated by these attacks, managed to get into the C&C servers used by one of the attacking groups and recorded screenshots of the botnet management infrastructure used. They showed evidence that a professional team is behind the attacks, which has regulated work hours, with weekends off and national vacation days that correlate with an ebb and flow of attacks. It was eye-opening as to the ineffectiveness of the defenses in use and the level of organization of the attackers.
– Wolfgang Kandek, CTO Qualys
“Fear the Evil FOCA: IPv6 attacks in Internet connections” at DEF CON
by Chema Alonso
This presentation was part of the emerging research into the security implications of IPv6 implementation and misconfiguration. The author presented three local MITM attacks. Granted link-level access to a network, the attacker could perform MITM attacks on IPv6 nodes and completely control the network traffic to and from the IPv6 node. The presented techniques are packaged into a single tool with an extremely easy-to-use interface for researchers, network administrators and attackers to experiment with.
– Tigran Gevorgyan, Engineering Manager, Qualys
“SSL, Gone in 30 Seconds” at Black Hat
by Angelo Prado, Neal Harris and Yoel Gluck
The presenters introduced BREACH, a new attack on SSL, and demonstrated how they were able to decrypt data from SSL/TLS responses. One of the most interesting things about the presentation was that the attack takes just a few thousand requests and can take under a minute to extract parts of the encrypted data. The presenters also released a PoC tool for the community to test their applications.
– Bharat Jogi, Senior Security Engineer, Qualys
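BREACH is a compression side channel: when a response is compressed before encryption and echoes request-controlled text on the same page as a secret, the compressed size shrinks slightly whenever the echo matches the secret, and that size is visible through TLS. The following is an added example, not part of the original post or the presenters' tool; it reproduces the length signal offline with zlib on a constructed page (SECRET_TOKEN and the page template are constructed), and shows one standard mitigation, XOR-masking the secret with a per-response random nonce so the secret bytes never repeat across responses.

```python
import os
import zlib

# Constructed secret for the demo (not a real token).
SECRET_TOKEN = "csrf=7f3a9c1e"


def render_page(reflected, secret=SECRET_TOKEN):
    """Constructed HTTP body: a request parameter is echoed on the same page as a secret."""
    body = f"<p>Search results for: {reflected}</p>\n<input name='{secret}'>"
    return body.encode()


def compressed_len(body):
    """Size after DEFLATE, i.e. what a network observer sees even when the body is sent over TLS."""
    return len(zlib.compress(body, 9))


def best_guesses(known_prefix, alphabet, render=render_page):
    """The compression oracle: candidates whose echo shrinks the response the most.
    Against an unmasked page the true next character is always among the winners."""
    sizes = {c: compressed_len(render(known_prefix + c)) for c in alphabet}
    smallest = min(sizes.values())
    return [c for c, n in sizes.items() if n == smallest]


def mask_token(secret, nonce=None):
    """Mitigation: XOR the token with a fresh random nonce and ship nonce:masked,
    so the literal secret never appears in the response and no echo can match it."""
    nonce = nonce if nonce is not None else os.urandom(len(secret))
    masked = bytes(a ^ b for a, b in zip(secret.encode(), nonce))
    return nonce.hex() + ":" + masked.hex()


def unmask_token(value):
    """Recover the token from nonce:masked (done server-side or in page script)."""
    nonce_hex, masked_hex = value.split(":")
    nonce, masked = bytes.fromhex(nonce_hex), bytes.fromhex(masked_hex)
    return bytes(a ^ b for a, b in zip(masked, nonce)).decode()


def render_masked_page(reflected, secret=SECRET_TOKEN):
    """Same page, but the secret is masked per response."""
    return render_page(reflected, mask_token(secret))


if __name__ == "__main__":
    hex_alphabet = "0123456789abcdef"
    print("unrelated echo:", compressed_len(render_page("k0qp2w8xbvn5m")))
    print("echo equals secret:", compressed_len(render_page(SECRET_TOKEN)))
    print("oracle, unmasked page:", best_guesses("csrf=7f3a9c1", hex_alphabet))
    print("oracle, masked page:", best_guesses("csrf=7f3a9c1", hex_alphabet, render_masked_page))
```

On the unmasked page the correct next character 'e' is always among the smallest responses; on the masked page the winners vary from run to run with the nonce and carry no information about the token.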
“Lessons From Surviving a 300 GBPS Denial of Service Attack” at Black Hat
by Matthew Prince
During his talk Matthew demonstrated how little is required nowadays to launch and orchestrate a massive Distributed Denial of Service (DDoS) attack that exploits DNS reflection. DNS reflection attacks have been known for quite a while; however, the growing number of misconfigured open DNS resolvers as well as the availability of networks that allow IP address spoofing make it very easy to launch such attacks at an unprecedented scale. The talk also provided valuable insights on countermeasures that can be taken to mitigate DDoS attacks. At the end of the talk Matthew presented the Open Resolver Project (http://openresolverproject.org/), which is aimed at collecting data on open DNS resolvers and helping operators of DNS servers to configure them properly.
– Artem Harutyunyan, Architect, Distributed Computing, Qualys
“Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys” at DEF CON
by Chris John Riley
An entertaining look at what happens when expected HTTP status codes are twisted slightly and returned to the requester. Different browsers react differently, and automated scanners are certainly affected, with either much longer scan times or extremely shortened, useless scans with tons of false positives or negatives, emphasizing the need for more intelligent web scanning as well as manual validation.
– Kimi Ushida, Network Security Engineer, Qualys