Blackhat 2013 – Keynote NSA’s Alexander Provides Details, and Talks on Embedded and Low Level Attacks
This year’s Blackhat 2013 conference started off with a surprisingly detailed presentation from General Keith Alexander on his recently exposed programs, including even screenshots of what looked like a Windows XP GUI that an analyst would see when examining phone call metadata.
Alexander’s keynote can be boiled down to a few points: 1. the program is built on identifying terrorist communications activity around the world and eventually tying these communications back to individuals in the US. In 2012, the program produced reports on under 500 total phone numbers in the US. 2. the communications intercept programs are under intense review, including a four year review by the Senate that found no wrongdoing within employee activities of the program (one of the things that makes the US program different from other countries is the rigid accountability regime) 3. every other country in the world has some form of legal communications intercept program. Unfortunately, there weren’t terribly many technical details or discussion of technical details. Mostly, discussion of any technical details revolved around limiting NSA analysts’ access to the data. But, he handled questions from the audience along with some pretty intense heckling.
Interesting talks included an examination of the new Blackberry 10 OS attack surface from Ralf Weinmann, one of the two individuals that exploited the Blackberry Torch at Pwn2Own 2011. While he was pretty impressed with their build tools, he found the collection of Adobe Air, QT and Python running on top of their new QNX OS “weird”. He discussed potential privilege escalation issues and QUIP, a so-called forensics service hidden away in the OS.
Other interesting talks included reviews of UEFI and BIOS level attacks, with bootkits and rootkits effective on Windows 8 systems demonstrated. It was interesting that these attacks focused on individual vendor implementations of firmware and handling. A team from Mitre demonstrated PoC called “Flea”, “Tick” and “Flash Hopper”, attacking Dell firmware packages. The code even persisted on the system across signed BIOS updates. Impressive stuff.
The guys behind Maltego delivered a new release of their research and data visualization tool, adding collaborative features like XMPP for real time chat and data synch’ing. They also put on display its integration with various reconnaissance and attack tools they call “Teeth” and “Kingfisher”, upping its offensive security capabilities. The tool can now scan and identify web services and accordingly apply brute force, SQLi and other web app attacks.
Afaik, no 0day was publicly dropped at any of the talks this year. Coordinated disclosure seemed to be used by all the researchers that I am aware of, so far this year.