Blackhat Federal – Notes from Days 1-3

So I'm at Blackhat Federal this week - doing the training thing (IDA class with Chris Eagle - fairly good / broad intro to IDA and its capabilities) and today was the first day of the sessions.  It's been a great con so far . . . Monday and Tuesday I got to have lunch with Dave from Immunity and he convinced me to install Immunity DBG (figure I may as well try it out - after he gave me a demo it does look fairly impressive) . . . I got to hang out a bit with Katie Moussouris who is hella cool and organized and helped run the Defend the Flag competition (which I hear was pretty awesome as Dave / Immunity were there providing Canvas pwnage to the defenders) . . . last night I met some really cool folks (Billy Rios and Nitesh Dhanjani and some others) and we chatted until about 3am.  At around 3am one of the guys we were hanging with in the bar had his iPhone ring . . . so he went to answer it . . . and it was *his* number calling him.  Pretty funny - so he answers it and asks who it is and they won't say, so he hangs up.  His phone called him back a few minutes later and he had a minute or so conversation trying to figure out who was doing it . . . I haven't laughed that hard in a while.

Today the sessions have been pretty great . . . the first session of the day was on pwning GSM phone networks and various methods that can be used to eavesdrop on calls (active attacks, passive attacks, etc.) or to break the encryption used in GSM voice / SMS communications using rainbow tables and FPGAs.  Later this year for as little as $1,000 it will be possible to intercept GSM calls and decrypt them in about 30 minutes or less using fairly inexpensive hardware.   The rainbow tables needed for this are being generated now and will be done by March . . . that was a great, very deeply technical presentation with lots of math and stuff - enjoyed it a lot.

The next session I attended was about RFID hacking presented by Adam Laurie . . . he demonstrated cloning various 'unique' RFID tags (both dumb and smart) and talked about some of the implications of being able to do this.  It was a pretty interesting presentation for me since I'd never actually seen any of his other RFID presentations.  Again - his stuff is all based on off the shelf hardware and Python scripts . . . you can check out more at

Next up was a session on pwning the phishes by Billy Rios and Nitesh . . . their talk was very good and gave a great example of how easy it is to start with a phishing email and work your way into the phishing underground . . . they talked about various interesting things (like how phishing filter blacklists may be used by other phishers to spot easily compromisable phishing sites, and how some phishing kits actually have obfuscated code to have the phishing form data results posted to the author of the phishing kit instead of the person who is trying to use it, etc.).  They showed a ton of screen shots of various underground economy web sites where stolen identities are bought and traded and sold, etc.

The last talk of the day for me was a talk by David Litchfield who has yet another Oracle vuln he's discovered . . . he's actually discovered what he considers to be a new class of attack against Oracle servers that allows him to elevate privs from a non-DBA user to a DBA user using a combination of dangling cursors and lateral SQL injection techniques . . . it was pretty wild stuff.  Don't want to go into too much detail here but it was a good interactive talk with lots of demos to show him doing EoP to DBA privs, etc.

And finally the most 'interesting' part of my day was when I came back to my room this evening to fire up my notebook to sync email and write this blog post.  As you know I run 64-bit Vista and I've got SP1 installed with BDE enabled in PIN mode for Secure Startup capability.  When I'm on the road I switch my power button over to 'hibernate' so that I can walk away and trust that my hard drive is effectively encrypted and thus my notebook is bricked if you don't have my startup PIN (which is rather long - like 14 chars long) or the thumb drive with the key (which I carry on me).  It seems to have worked out for me as tonight when I came back into my room I found my lid open and my notebook powered on sitting at the Bitlocker PIN prompt.  It appears that someone was sending me a message. 🙂  Who sent that message - or why - I'm not so sure. 🙂
I checked my event logs and it appears that my notebook did successfully hibernate this morning (i.e. this wasn't an accidental reboot instead of hibernate or a blue screen during hibernate / shutdown resulting in a reboot). 

I say that because:

  1. I have these event log entries in my system event log back to back with no event log entries in between them (i.e. no one used my PIN or USB drive to boot the notebook and resume from hibernate while I was gone):
    Information 2/20/2008 9:54:49 AM Kernel-Power 42 None  // When I put the notebook into hibernate this morning
    Warning 2/20/2008 5:28:46 PM Time-Service 129 None  // From when I resumed from hibernate tonight

  2. I know that it hibernated because after shutting off the notebook and re-starting it (to ensure I wasn't sitting at a fake PIN prompt) and typing in my PIN - it resumed from hibernate with all of the same apps running exactly as I had left it.
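
The event log check above can be scripted so that anything that happened inside the hibernate window shows up, not just the two entries you happen to be looking at.  The script below is an added example and is not from the original post.  It assumes PowerShell 2.0 or later (for Get-WinEvent) and that the listed provider names and event IDs are the ones Vista writes for sleep/hibernate entry, resume, boot, shutdown and dirty reboot; those IDs are my assumption, not something the post states.  The default timestamps are the two entries quoted above.

```powershell
# Added example, not from the original post: list every power-state and boot event in the
# System log between the time the notebook was hibernated and the time it was resumed, so a
# boot or resume hidden inside that window shows up.  Requires PowerShell 2.0+ (Get-WinEvent).
#
# The provider/event pairs below are assumptions about which events matter on Vista:
#   Microsoft-Windows-Kernel-Power          42 : system entering sleep/hibernate (the post's "Kernel-Power 42")
#   Microsoft-Windows-Kernel-Power          41 : system rebooted without a clean shutdown
#   Microsoft-Windows-Power-Troubleshooter   1 : system resumed from sleep/hibernate
#   Microsoft-Windows-Kernel-General    12, 13 : OS started / OS shutting down
param(
    [datetime]$Start = '2008-02-20 09:54:49',   # hibernate timestamp quoted in the post
    [datetime]$End   = '2008-02-20 17:28:46'    # resume timestamp quoted in the post
)

$interesting = @{
    'Microsoft-Windows-Kernel-Power'         = 41, 42
    'Microsoft-Windows-Power-Troubleshooter' = 1
    'Microsoft-Windows-Kernel-General'       = 12, 13
}

# Pull the window from the System log and keep only the power/boot events we care about.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $Start; EndTime = $End } |
    Where-Object {
        $ids = $interesting[$_.ProviderName]
        $ids -and ($ids -contains $_.Id)
    } |
    Sort-Object TimeCreated

# Everything in the window, oldest first, so it reads like the two lines quoted in the post.
$events | Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# A clean hibernate/resume window contains exactly two of these events: the hibernate at the
# start and the resume at the end.  Anything else means the machine was booted or resumed
# while you were away (a few minutes of tolerance covers logging order around each edge).
$unexpected = $events | Where-Object {
    -not ( ($_.ProviderName -eq 'Microsoft-Windows-Kernel-Power' -and $_.Id -eq 42 -and
            $_.TimeCreated -le $Start.AddMinutes(5)) -or
           ($_.ProviderName -eq 'Microsoft-Windows-Power-Troubleshooter' -and $_.Id -eq 1 -and
            $_.TimeCreated -ge $End.AddMinutes(-5)) )
}

if ($unexpected) {
    Write-Warning ("{0} boot/power event(s) inside the window; the machine was started or resumed while you were away:" -f @($unexpected).Count)
    $unexpected | Format-Table TimeCreated, ProviderName, Id -AutoSize
} else {
    Write-Host 'No boot, resume or shutdown events inside the window: the hibernate image was not resumed.'
}
```

Run it with the two timestamps from your own log (for example `.\Check-HibernateWindow.ps1 -Start '2008-02-20 09:54:49' -End '2008-02-20 17:28:46'`, the script name being whatever you save it as).  The point of filtering by provider and ID rather than eyeballing the log is that a resume-and-rehibernate by someone who had the PIN would leave its own 42 / 1 pair inside the window, which is easy to miss among the Time-Service and driver noise a day of uptime generates.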

Sooooo . . . what just happened here?

Curious cleaning lady?
Curious friendly hax0r messing with me (this IS a security con after all and it's not like these mag stripe controlled doors can be considered secure!)
Curious federal agent?
Curious foreign agent? 🙂

Maybe I'll start travelling with a portable video device that I can hide somewhere in the room so that I can answer questions like these in the future . . . all I know is that I feel fairly confident that BDE may have prevented something potentially very bad from happening.  It's too bad the press seems to spend all their time focusing on bashing Vista and giving voice to those who would discourage people from using it . . . I for one really like the OS. 🙂

Comments (1)

  1. Anonymous says:

    It appears it's a very good thing that you're using BDE in an advanced mode given the frozen memory research that came out of Princeton. I take it the hotel you're in does not have a safe in it so you can negate Law #3?
