Core researchers Damian Saura and Ariel Waissbein plan to demonstrate their technique for scooping database records: they show how timing can be used to extract private data from a database using nothing more than record insertions, an unprivileged set of operations typically available to any database user, including users reaching the system through a Web application.
"There's no misconfiguration being exploited in this case. What is being exploited is that by designing databases to allow for rapid access to information, in many cases an attacker can simply insert some rows into a database and measure differences in timing -- how long it takes to insert an entry -- to retrieve the contents of the database," said Ivan Arce, chief technology officer with Boston-based Core.
"If there is a substantial difference in the timing, someone can essentially infer what the contents of the database might be, such as if there are credit card numbers being made available for access," Arce said. "By repeating this process several times you can nail down database content bit by bit by merely inserting some rows."
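A toy model of the effect Arce describes, added here as an illustration that is not code from Core's research or from any database engine: a B-tree-like index whose insert work depends on what is already stored, next to a padded insert that hides it. The `ToyIndex` class, `LEAF_CAPACITY`, `WORK_BUDGET` and the sample keys are all assumed values of this model.

```python
# Constructed toy model (not Core's code or a real RDBMS engine): a B-tree-like
# index with data-dependent insert cost, and a padded insert that flattens it.
import bisect

LEAF_CAPACITY = 4   # assumed leaf size for the toy index
WORK_BUDGET = 64    # assumed fixed cost charged by the padded insert


class ToyIndex:
    """Sorted keys held in fixed-capacity leaves; a full leaf splits on insert."""
    def __init__(self, keys=(), pad_work=False):
        self.pad_work = pad_work        # defender's mitigation switch
        self.leaves = [[]]
        for k in keys:
            self.insert(k)

    def insert(self, key):
        """Insert key; return abstract work done, standing in for wall-clock latency."""
        work = 0
        for i, leaf in enumerate(self.leaves):   # locate the target leaf
            work += 1
            if not leaf or key <= leaf[-1] or i == len(self.leaves) - 1:
                break
        pos = bisect.bisect_left(leaf, key)
        work += len(leaf) - pos                  # shift keys inside the leaf
        leaf.insert(pos, key)
        if len(leaf) > LEAF_CAPACITY:            # split: the expensive path
            mid = len(leaf) // 2
            self.leaves[i:i + 1] = [leaf[:mid], leaf[mid:]]
            work += LEAF_CAPACITY
        if self.pad_work:
            # Mitigation: charge the same budget every time, so the observable
            # cost no longer depends on which leaf the key landed in.
            if work > WORK_BUDGET:
                raise RuntimeError("budget too small for this index")
            work = WORK_BUDGET
        return work


def probe_costs(stored, probes, pad_work=False):
    """Insert cost seen for each probe key against a fresh index holding `stored`.
    A data-dependent spread is the side channel; a flat profile means it is closed."""
    return {p: ToyIndex(stored, pad_work).insert(p) for p in probes}


STORED_KEYS = [4100 + i for i in range(8)]   # constructed sample records
PROBES = [1, 4108, 9999]                      # constructed probe keys

if __name__ == "__main__":
    print("leaky :", probe_costs(STORED_KEYS, PROBES))        # {1: 3, 4108: 7, 9999: 7}
    print("padded:", probe_costs(STORED_KEYS, PROBES, True))  # {1: 64, 4108: 64, 9999: 64}
```

The unpadded profile shows a probe that lands in the full leaf next to the stored keys costing more than one that lands in a sparse region, which is the difference an observer would measure; padding to a fixed budget removes it at the price of throughput, and real engines add noise that the model leaves out.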
Web security testing firm Cenzic plans to release new vulnerability-trend data at Black Hat that further highlights the shift toward discovery of application-level vulnerabilities.
According to the Santa Clara, Calif.-based company, some 72 percent of the 1,484 widely published software flaws in the second quarter of 2007 were not merely application vulnerabilities but flaws found in Web applications, Web servers or Web browsing programs, a 7 percent increase over Q1 2007.
Among browser hacks, always a hot topic at the conference, Cenzic reported that 33 percent of the flaws were found in Microsoft's Internet Explorer, followed by Mozilla's Firefox at 26 percent, and Opera at 21 percent.
One of the entirely new elements of the 2007 Black Hat show will be a first-ever awards ceremony aimed at recognizing the most creative vulnerabilities and exploits unveiled at the conference.
Dubbed the "Pwnies" after the hacker slang "pwning" (to compromise a particular site or program), the awards have categories including Best Server-Side Bug, Best Client-Side Bug, Most Innovative Research, Lamest Vendor Response, and Most Overhyped Bug.
Judging the competition will be well-known security researchers including Dino Dai Zovi, HD Moore, Dave Aitel, and Alexander Sotirov. The awards will be announced on Aug. 2.