STS Blog

Bula!

August 10th, 2008 by Jordan Del-Grande

Bula Everyone,

For those who have never been, I do highly recommend a trip to Fiji. I just came back from a week on Tokoriki Island off the coast of Nadi. I am highly refreshed and am ready to jump back into work and be more proactive with my security blogs…

Also, a very warm hello goes out to most of my friends at Black Hat. Thanks for the wake-up call whilst you were all partying in Vegas; I only received the voice message when I got back (Golden Rule in Fiji: No Technology Allowed).

Finally, I did receive some comments regarding the STS Scanner and why it lacks a number of plugins that I could easily write up. It’s true, I could easily write them up, and I have, along with some other much more useful features, but that version is for company use only. The online version is really just a baseline to teach people more about the ideas and frameworks that can be used to build a web application security scanner. It is not meant to be exhaustive in features and add-ons, as that would confuse the point of the tutorial and would most likely only be used by script kiddies. Of course, anyone who understands what I have coded can easily add more features, as that is exactly why I purposely made the tool extensible.

Vinaka

Black Hat Japan 2007

October 31st, 2007 by Jordan Del-Grande

I am finally back home in Sydney after a week in Japan for the Black Hat 2007 conference. I cannot say that all talks were bleeding edge, but the majority had some new ideas. Those that seemed like they had been done before were actually a rehash of old ideas with a new mechanism for performing the attack, detection or whatnot. For example, passive fingerprinting of the OS has been around a long time with tools like p0f that sniff off the wire, but this talk focused on DHCP to perform the fingerprinting.

One thing in direct contrast to other conferences I have attended earlier in the year is the granularity of each talk. Whilst talks at AusCert focused on DDoS and/or botnets, Black Hat described how these attacks are actually being conducted. The underlying motif for all conferences is still the same: attackers are shifting their focus towards the end-client masses instead of server takeover. This is not to say that server attacks are not occurring at the same or a higher rate than in the past, but more importantly that there is a definite increase in attacks focused on the end client, and also up the TCP stack towards the application layer.

To close, I want to put a word out to a couple of guys that I had the privilege of working with in the past: Billy Rios and Nate McFeters. When I worked as a Senior for the Advanced Security Center in NYC, I was lucky enough to be sent down to Houston, where I met and trained both these guys for a 5-day period. Although they had just come on board and had only just finished their training, an urgent engagement presented itself whereby, as the Senior, I led these guys into their first official penetration test. We began in the afternoon and worked through the night till 9:00 am the next morning before handing the results over to London to continue the work. What really impressed me about these guys is that they picked up the patterns I showed them and were inventive enough to take them to the next step. Most guys take months to get to this level, and some never get there. These guys did it under pressure, in one night, whilst also being tired from a week of training. Anyway, I think it is this type of thinking that led them to the discovery of a number of URI injection attacks leading to command injection and buffer overflows. Guys, I really enjoyed the talk and am glad to see how far you’ve come since the last time we met. Billy, sorry I couldn’t hear you talk as the Big M put the muzzle on… I know how that feels, man.

AusCert 2007 – Is the Security Community Keeping Itself Employed?

June 2nd, 2007 by Jordan Del-Grande

So another AusCert comes to a close with what I will say was a most beneficial conference. Of course, there are ups and downs to any conference, which I won’t note here, but overall some real gains were taken away after listening to what the security community had to say. Apart from this, I also started to feel a little pessimistic about the whole situation…

After listening to a number of vendors, independent researchers, the Secret Service, etc., I began to wonder why and where things went so wrong. Actually, as a security professional, things couldn’t look any better, as it appears there is going to be a whole new wave of threats and exploits with the arrival of Web 2.0 at the application layer and IPv6 at the network layer. Not to mention the global expansion of botnets and fraud being driven by underworld gangs.

Now don’t get me wrong, a number of great things have come out of the security community to tighten down technology as we see it today. The problem I am talking about is that I see the security community being like the Wild West when it comes to computer science. That is, I don’t see much science going on, and all I hear are vendors selling products that will never solve the core problems we face. Take note: if I have a virus, should I fear the virus, as I have anti-virus? What about malware when I have anti-malware? How about adware when I have anti-adware? You see, all I really have here are blacklist solutions that mathematically will never win against the overwhelming threats that are dominating the Internet. The real problem is what happens when I have a virus, malware or adware that neither I nor anyone in the community knows about except the attacker? Using a blacklist solution, how do I protect myself against something I don’t know exists? The answer is simple: I can’t.

So then, if we all accept and know this is the case, we have to ask ourselves: “Is the security community keeping itself employed” through fear and solutions that will inevitably never solve the problem?