My first Black Hat

I attended Black Hat for the first time this year. I took two training sessions before the briefings: Hacking By Numbers by Sensepost and Enterprise Security from Day 1 by Chris Conacher. Both were well done, though Hacking By Numbers was more exciting, of course, because of the hands-on work.

The briefings were also very good. The DNS presentation by Dan Kaminsky was a full house and well presented, but for the life of me I don’t understand the man’s icon status. Evidently there was a life-sized picture of him at the Core party for people to pose with. WTF?

The main point I took from his presentation was just how widespread the DNS problem is, simply because nearly everything that uses the intarwebs relies on DNS, and if you can pwn DNS, you win big time. Consider a case where I hack Comcast’s DNS server for the east coast. I then redirect all traffic destined for Bank of America through my servers. So what if my certificate generates errors? A high percentage of users will click past the warning anyway. And why stop there? I’ll also set up a Sendmail server that intercepts all email to and from Bank of America. I’ll keep copies of everything and rummage through it at my leisure.

Ah but I digress. This post is about Black Hat, not DNS vulnerabilities.

I also sat in on most of Fyodor’s presentation on Nmap and scanning the Internet. He’s a good presenter and of course his material was great. Unfortunately he preceded Kaminsky, so people (including myself) started walking out early to get a seat for the DNS presentation.

Black Hat has grown to such an extent that Caesars Palace is building them a structure for the meals so that we don’t have to eat in the tents any longer (which weren’t bad at all). The organization of the conference was well done. There were very few technical glitches, and for me all the presentations started pretty much on time. They kept us well fed, and there was plenty of motor-oil coffee to keep us caffeinated.

I kept in contact with a group of colleagues using Twitter. The group is affectionately named SecTwits by Jennifer Leggio, aka mediaphyter. Several of us posted snippets from various presentations so that people following us but not at the event could partake as well. We also used Twitter to meet each other and to organize outings (though I skipped out on these yet again, damn my priorities).

All in all I got a lot of good information out of Black Hat and will likely go again, though next time I’ll skip the training and go just for the briefings. That way I spend less time in Vegas and can stomach another three days to also attend Defcon, which I skipped this year. Vegas has lost its class, and since I don’t gamble, it’s hard to take the non-stop assault on the senses.

I hope to post a summary from the DNS presentation shortly. It is a big deal and I originally thought that as long as our DNS servers are patched, we’d be okay. Silly me.

I have joined the herd…

…and so far I haven’t found the Blackberry killer I sought. iPhone

Chase the IRC bot

My IPS has been blocking rogue IRC sessions on port 80. These blocks have been occurring in multiple offices: Chicago, New York, San Francisco, and Shanghai. I’ve found that the users on all affected machines are Chinese. A recent observation is that the blocks always occur during business hours, local office time.

Host intrusion prevention software indicates that the software making the connections is none other than the web browser (IE and Firefox both observed).

I allowed the traffic from one office for a period of time so I could run a capture of the traffic to see what is going on.

My capture caught the following conversations. Based on the ‘Sina Network’ and ‘sina_test’ strings, I’m wondering if this is associated with Sina.com.

USER BOT 0 * :^auzwybp
PASS [SNIP]:58.63.234.137.80 001 ^auzwybp :Sina NetwoGMSG add ^auzwybp __sina_test
.:^auzwybp MODE ^auzwybp :+M.
:58.63.234.13ERROR :Closing Link: ^auzwybp
USER BOT 0 * :^hrUwPfo
PASS [SNIP]:58.63.234.205.80 001
^hrUwPfo :Sina NetwoGMSG add ^hrUwPfo __sina_test
.:^hrUwPfo MODE ^hrUwPfo :+M.
:58.63.234.20ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ERROR :Closing Link: ^hrUwPfo

The machines haven’t displayed any other malicious behavior: no SMTP traffic, no DDoS traffic, no file downloads, etc. So if this is malicious, the bot network might be in a building phase or might be waiting for balkanization (I love that word). I have seen encrypted conversations between the bot and server.

So, to recap:

  1. I only observe IRC traffic during business hours, local office time. This to me indicates the traffic is driven by user activity, which suggests it is legitimate.
  2. The web browser is the IRC client, which leads me to believe it’s probably a Java-based IRC client or something like that.
  3. Nothing is being downloaded and installed. Typically, when IE is compromised, it will download the malicious payload (usually using FTP) and steps are taken to ensure continued access (registry edits). I have not observed any of that yet, which makes me wonder if this would be classified as a ‘compromise’.
  4. I’ve seen no SMTP traffic outbound.
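As an added example (not code from the original post), here is a small triage script that applies the checks above to a captured conversation: it recognises IRC-shaped lines on a port where you expect HTTP, counts standard versus non-standard commands (the GMSG seen in the capture is non-standard), pulls out the client nick and server prefix, flags nicks of the "^" plus random letters form, and reports how much of the conversation fell in local business hours. The sample lines are constructed for this example and only loosely modelled on the fragments above; the timestamps, the complete server prefixes and the HTTP lines are assumptions.

```python
"""Triage helper for IRC-shaped traffic seen on TCP/80.

Added example, not code from the original post. Input lines are constructed
here, loosely modelled on the fragments in the post; the timestamps, the
complete prefixes and the HTTP lines are assumptions for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# (local office timestamp, one line of TCP payload) -- constructed sample data.
SAMPLE_FLOW = [
    ("2008-08-12 10:03:11", "USER BOT 0 * :^auzwybp"),
    ("2008-08-12 10:03:11", "NICK ^auzwybp"),
    ("2008-08-12 10:03:11", "PASS [SNIP]"),
    ("2008-08-12 10:03:12", ":58.63.234.137.80 001 ^auzwybp :Sina Network"),
    ("2008-08-12 10:03:12", "GMSG add ^auzwybp __sina_test"),
    ("2008-08-12 10:03:12", ":^auzwybp MODE ^auzwybp :+M"),
    ("2008-08-12 10:03:42", "ping 58.63.234.137"),
    ("2008-08-12 10:03:42", ":58.63.234.137.80 PONG 58.63.234.137.80 :5"),
    ("2008-08-12 10:05:00", ":58.63.234.137.80 ERROR :Closing Link: ^auzwybp"),
]

# Plain HTTP on the same port, for contrast (also constructed).
SAMPLE_HTTP = [
    ("2008-08-12 10:07:00", "GET / HTTP/1.1"),
    ("2008-08-12 10:07:00", "Host: www.example.com"),
    ("2008-08-12 10:07:01", "HTTP/1.1 200 OK"),
]

# RFC 1459 line shape: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$")
# Standard commands whose presence marks a real IRC session; anything else that is
# line-shaped (the GMSG above, or an HTTP verb) is reported as unknown.
IRC_COMMANDS = {"USER", "NICK", "PASS", "PING", "PONG", "MODE", "JOIN", "PRIVMSG", "ERROR"}
# Nicks of the form "^" plus a run of letters, as in the post's capture.
GENERATED_NICK = re.compile(r"^\^[A-Za-z]{6,9}$")


def parse_irc_line(text):
    """Split one payload line into prefix/command/params, or None if not IRC-shaped."""
    m = IRC_LINE.match(text.strip())
    if not m:
        return None
    return {"prefix": m.group("prefix"), "command": m.group("command").upper(),
            "params": m.group("params") or ""}


def extract_nick(parsed):
    """USER ... :<nick> and NICK <nick> both carry the client's chosen nick."""
    if parsed["command"] == "NICK" and parsed["params"]:
        return parsed["params"].split()[0]
    if parsed["command"] == "USER" and ":" in parsed["params"]:
        return parsed["params"].split(":", 1)[1].strip()
    return None


def in_business_hours(ts, start=9, end=18):
    """Weekday and between start/end hour, local office time (the post's heuristic)."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return t.weekday() < 5 and start <= t.hour < end


def classify_flow(lines, start=9, end=18):
    """Summarise one conversation: IRC or not, commands, nicks, server, timing."""
    known, unknown, nicks, servers, welcome = Counter(), set(), set(), set(), []
    for _, text in lines:
        p = parse_irc_line(text)
        if p is None:
            continue
        cmd = p["command"]
        if cmd in IRC_COMMANDS or cmd.isdigit():
            known[cmd] += 1
        else:
            unknown.add(cmd)
        nick = extract_nick(p)
        if nick:
            nicks.add(nick)
        if cmd.isdigit() and p["prefix"]:
            servers.add(p["prefix"])          # numeric replies come from the server
        if cmd == "001" and " :" in p["params"]:
            welcome.append(p["params"].split(" :", 1)[1])   # server's self-description
    registered = "USER" in known and any(c.isdigit() for c in known)
    keepalive = "PING" in known and "PONG" in known
    hours = [in_business_hours(ts, start, end) for ts, _ in lines]
    return {
        "is_irc": registered or keepalive,
        "commands": dict(known),
        "unknown_commands": sorted(unknown),
        "nicks": sorted(nicks),
        "generated_nicks": sorted(n for n in nicks if GENERATED_NICK.match(n)),
        "servers": sorted(servers),
        "welcome": welcome,
        "business_hours_ratio": sum(hours) / len(hours) if lines else 0.0,
    }


if __name__ == "__main__":
    for name, flow in (("irc-on-80", SAMPLE_FLOW), ("http", SAMPLE_HTTP)):
        print(name, classify_flow(flow))
```

Feeding each blocked flow through this and comparing the summaries across offices is the quick way to confirm points 1 and 2 above: the same generated-nick pattern, the same server prefix and a business-hours ratio near 1.0 across every site points at one piece of client-side software rather than several independent infections, but it still says nothing about whether that software is benign.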

My next step is to talk to one of the users.

Any comments or suggestions are certainly welcome, especially if you’ve seen this in your network as well.

You’re all alone?

Her: You’re all alone?

Me: Well, if you count my mammoth ego, there’s two of us.

MS Exchange Spam Filtering

I’m no Microsoft Exchange guru, by any stretch of the imagination, but I’ve been working with our email provider for the past three weeks trying to get our spam filtering disabled on Exchange 2007, because we use a third-party anti-spam service and wish to simplify the whole solution.

There seems to be some confusion among email jockeys who are used to the Exchange 2003 IMF way of filtering email as opposed to the Exchange 2007 content filter agent (CFA) way. Below is a summary of what I’ve learned (more than I wanted) about Exchange’s anti-spam product.

More below the fold.
