Following my recap of the first day of “Blackhat Europe,” here are a couple of choice highlights from day 2:
- Starting the day, Sebastian Muniz and Alfredo Ortega took the audience on a tour of the innards of Cisco IOS (that’s a capital i for all you Mac users). I had never looked at Cisco IOS before, and this talk gave a really good overview. Some of it was probably not new to those familiar with IOS, but it was all new to me, including the fact that all processes on Cisco IOS share the same memory space, with no boundaries between them. This means that any process on the device can easily access the memory of any other process. The presenters went on to give a very good account of how to debug code on IOS and how to carry out testing using fuzzing.
- Next up was the compulsory session on Stuxnet (it’s actually been nine months since it was discovered). Happily, however, Tom Parker focused more on the field of malware attribution (i.e., looking for hints that may reveal who is behind a particular malware attack). Some things to consider include the level of technical knowledge required to create the malware (how many zero-day vulnerabilities were used, custom encryptors, etc.), how much planning was required, what resources the attackers needed to test the malware, and so on. Checking whether the code was designed to bypass particular security solutions also indicates that the attackers had those solutions installed in their test environments. Tom also looked at malware correlation, that is, looking for parts of the malware code that are common to different attacks and using them to link those attacks together. All in all, an interesting talk and, if you are interested, a couple of his slides from the earlier “Blackhat DC” are up here.
- Felix “FX” Lindner gave his tenth Blackhat talk in 10 years, which was impressive on its own, but the subject matter was equally good. Felix detailed how he put together a custom disassembler to analyze the Siemens STEP7 code in Stuxnet in just three weeks. This really was a fascinating talk, which ended with one of the deepest looks at the STEP7 part of Stuxnet that I have seen to date.
- Thomas Roth gave a follow-up to his talk at “Blackhat DC” on using GPU-enabled cloud computing to create distributed, lightning-fast password crackers. GPUs are orders of magnitude faster than CPUs for many algorithms, especially highly parallel workloads such as password cracking. Given how easy it is to gain access to clusters of GPU machines via cloud hosting providers, plus some nice coding on Thomas’ part, he was able to demonstrate a successful proof of concept (POC).
- The last main talk I attended was Justin Searle’s look at the security of the smart grid. This talk was based on almost two years of research and went well beyond the usual talks on attacking smart meters, showing that these are only a very small part of the attack surface of the overall grid. His talk went into detail on many other areas of the grid and, for anyone interested in smart grid or SCADA research, looking at Justin’s work is definitely a good idea.
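To make the malware-correlation idea from Tom Parker’s talk a little more concrete, here is an added example I wrote for this post (it is not Tom’s tooling or anything shown at the conference). It hashes every 8-byte sliding window of each sample’s code section and links samples that share a block of code, wherever that block sits in the file. The four “samples” are constructed byte strings standing in for code sections; the two shared blocks are invented stubs, not real malware.

```python
import hashlib
from itertools import combinations


def window_hashes(data: bytes, n: int = 8) -> set:
    """Hash every n-byte sliding window of a code section.

    Two samples that carry the same block of code (a shared decoder,
    loader stub, packer, etc.) will share every window that lies fully
    inside that block, regardless of where the block sits in each file.
    """
    return {hashlib.blake2b(data[i:i + n], digest_size=8).digest()
            for i in range(len(data) - n + 1)}


def shared_windows(a: bytes, b: bytes, n: int = 8) -> int:
    """Number of n-byte windows common to two samples."""
    return len(window_hashes(a, n) & window_hashes(b, n))


def link_samples(samples: dict, n: int = 8, min_shared: int = 4) -> list:
    """Cluster samples that share at least min_shared windows.

    Links are transitive (A~B and B~C puts A, B and C in one cluster),
    which is exactly how shared components chain attacks together.
    Returns a sorted list of sorted sample-name lists, one per cluster.
    """
    parent = {name: name for name in samples}

    def find(x):                      # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    hashes = {name: window_hashes(data, n) for name, data in samples.items()}
    for x, y in combinations(samples, 2):
        if len(hashes[x] & hashes[y]) >= min_shared:
            parent[find(x)] = find(y)

    clusters = {}
    for name in samples:
        clusters.setdefault(find(name), []).append(name)
    return sorted(sorted(c) for c in clusters.values())


# --- constructed test data (assumption: stands in for real code sections) ---
def filler(tag: str) -> bytes:
    """Deterministic per-sample bytes with no windows in common across tags."""
    return hashlib.sha256(tag.encode()).digest()


# Invented 16-byte stubs shared between samples; not taken from any malware.
SHARED_DECODER = bytes.fromhex("558bec83ec4053568b7d0833c0abab5f")
SHARED_LOADER = bytes.fromhex("6841414141e80000000058c0c005ffe0")

SAMPLES = {
    "A": filler("A") + SHARED_DECODER + filler("A2"),
    "B": filler("B") + SHARED_DECODER + filler("B2") + SHARED_LOADER,
    "C": SHARED_LOADER + filler("C"),
    "D": filler("D"),                  # unrelated sample, shares nothing
}


if __name__ == "__main__":
    for x, y in combinations(SAMPLES, 2):
        print(f"{x}-{y}: {shared_windows(SAMPLES[x], SAMPLES[y])} shared windows")
    print("clusters:", link_samples(SAMPLES))
```

With 8-byte windows, a shared 16-byte block yields nine common windows (the boundary windows that straddle each sample’s own bytes differ), so A and B are linked through the decoder stub, B and C through the loader stub, and D stays on its own. In practice you would normalize the code first (mask immediates and relocations, or work on disassembled instruction sequences) so that the same component still matches after recompilation.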
So that was it for “Blackhat Europe 2011.” All that was left was to enjoy the last couple of hours of this so-called “sunshine” they get in Spain (I live in Ireland) before returning home. Overall, a very good conference with some very thought-provoking sessions.