Apps security to dominate Black Hat

Enterprise IT issues figure prominently on the agenda

Black Hat kicks off this week in Las Vegas with a big shift in focus from Internet viruses to application security.

The shift mirrors the change in threats on the security landscape, with malware attacks morphing from generic Internet viruses into targeted attacks aimed at vulnerabilities in proprietary business IT systems.

Security researchers gathered at Caesar's Palace on Monday to undergo training in the latest hacking and malware-authoring techniques, following an initial set of classes held over the weekend.

The conference transitions on Tuesday from its training stage into its briefings mode, as the media, software vendors, and other interested parties -- including law enforcement officials -- join in the action to see noted security experts present their latest discoveries.

The even edgier Defcon "underground" hacker show will kick off at the Las Vegas Riviera on Wednesday, with a fair share of computer-based pranks sure to be mixed in with the event's annual combination of security research and system-cracking tricks.

As threats have evolved and hackers have broadened their focus on finding and exploiting vulnerabilities -- as opposed to focusing almost solely on Microsoft's Windows platform in years past -- the 2007 Black Hat briefings schedule is weighted heavily toward applications security.

At least four scheduled sessions specifically highlight Windows flaws and other Microsoft-based hacks on botnets, and other so-called mass market threats that are designed to take advantage of consumers and other unsuspecting Web users.

Many of the breakout sessions, however, are aimed specifically at detailing attacks that can be carried out on software applications.

One such presentation will be hosted by research experts employed by SPI Dynamics, the applications security testing software maker acquired by Hewlett-Packard in June to help coders using the company's Mercury Interactive development platform to drive flaws out of their work.

Billy Hoffman, lead researcher in SPI's Labs group, and Bryan Sullivan, one of the Atlanta-based company's development managers, will share their latest findings regarding common vulnerabilities found in AJAX-based applications.

Hoffman, who presented on the same topic at Black Hat last year to enthusiastic reviews from his audience, has become a leading voice behind efforts to encourage coders to cover their security bases when writing AJAX applications.

The so-called Web 2.0 programming language, which melds Asynchronous JavaScript and XML to boost the interactivity of Web sites, has become an increasingly popular platform, but many developers working with the language remain unaware of its security issues, Hoffman maintains.

The SPI researchers plan to demonstrate commonly found AJAX application design flaws that they say stem from such substandard coding, including use of client-side XSL transformations, use of erratic server-side APIs, and methods by which data is unintentionally stored in the client-side code of many programs.

Hoffman and Sullivan also plan to show off exploits of these vulnerabilities, including blind SQL and blind XPath injection techniques, detection and exploitation of program race conditions, and techniques for applying static analysis to de-obfuscate client-side JavaScript.

"Last year's presentation was more abstract. This time we're going to show live examples of how applications built using security tips from popular AJAX guidebooks and advice forums can be ripped to little itty-bitty pieces," Hoffman said. "There's a lot of bad advice out there, and it illustrates the inexperience most developers have with AJAX. We've seen companies like Yahoo and Google hit with major AJAX security issues; if those companies are having problems, chances are that smaller developers are too."

As part of the demonstration, the two researchers will execute attacks against a fictional travel site they built using commonly accepted AJAX coding techniques. Among the types of threats they plan to carry out are those that can be used to steal information from such applications, carry out DoS campaigns on the sites, or to use the vulnerabilities to hack into backend systems.

Hoffman said he does not plan to display any automated vulnerability scanning tools that he has architected to search for AJAX flaws. The researcher caused a stir at the annual ShmooCon hacker confab in April 2007 when a system he designed to find JavaScript bugs -- dubbed Jikto -- was leaked onto the Internet after being scooped from his presentation.

Among the other applications-security experts planning to present at Black Hat 2007 will be researchers from SPI rival Watchfire, which was similarly acquired in June by IBM for the sake of having its vulnerability scanning technologies integrated into Big Blue's Rational development platform.

Among the attacks that Watchfire researchers will present at the gathering will be a clinic delivered by Jonathan Afek on the art of attacking so-called dangling pointers.

Dangling pointers, or programming instructions that do not point to a valid object of the appropriate type, are very common in most types of software because developers have never been pushed to clean them out of their code.

Watchfire maintains that it has found the first way to actively exploit the instructions, even though the pointers have been suspected as a potential security threat for some time.

Officials said that Afek's presentation involves an exploit based on a remote command execution vulnerability.

"Dangling pointers theoretically have been considered as security bugs for some time, with the idea that if you could get them to point to malicious code you could do things, but prior to this nobody has been able to figure out a way to take advantage," said Danny Allan, director of security research at Watchfire, which is based in Waltham, Mass.

"What's truly interesting is that this is a completely new attack vector, and it will show the methodology for creating an exploit to introduce shell code," Allan said. "I expect that we'll see a lot of activity among security researchers around this issue after this gets out into people's hands."
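A defender-side illustration of the dangling-pointer class discussed above, added here and not Watchfire's or Afek's code: instead of handing out raw pointers to heap records, the code hands out (slot, generation) handles, so a handle kept after its record is released is detected and refused rather than dereferencing memory that has already been freed. The session record, pool size and handle layout are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example (not Watchfire's code): callers get a
 * (slot, generation) handle instead of a raw pointer. Releasing a
 * record bumps its generation, so a handle kept past release is
 * refused instead of reading freed memory as a dangling pointer would. */
#define MAX_SESSIONS 4

typedef struct { int user_id; char token[16]; } session_t;
typedef struct { uint32_t slot; uint32_t gen; } handle_t;

static session_t pool[MAX_SESSIONS];
static uint32_t  generation[MAX_SESSIONS];   /* odd = live, even = free */

/* Take a free slot; returns 1 and fills *out, or 0 if the pool is full. */
int session_create(int user_id, const char *token, handle_t *out) {
    for (uint32_t i = 0; i < MAX_SESSIONS; i++) {
        if (generation[i] % 2 != 0) continue;  /* slot in use */
        generation[i]++;                       /* slot becomes live */
        pool[i].user_id = user_id;
        strncpy(pool[i].token, token, sizeof pool[i].token - 1);
        pool[i].token[sizeof pool[i].token - 1] = '\0';
        out->slot = i; out->gen = generation[i];
        return 1;
    }
    return 0;
}

/* Resolve a handle; NULL when it is released, reused or out of range. */
session_t *session_get(handle_t h) {
    if (h.slot >= MAX_SESSIONS) return NULL;
    if (h.gen % 2 == 0 || generation[h.slot] != h.gen) return NULL;
    return &pool[h.slot];
}

/* Wipe the record and retire every handle that still refers to it. */
int session_release(handle_t h) {
    if (!session_get(h)) return 0;             /* double release refused */
    memset(&pool[h.slot], 0, sizeof pool[h.slot]);
    generation[h.slot]++;                      /* slot becomes free */
    return 1;
}

/* User id behind h, or -1 when h dangles. */
int session_user(handle_t h) {
    session_t *s = session_get(h);
    return s ? s->user_id : -1;
}
```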

In another nod to the theme of applications-level hacks, researchers from automated penetration testing software specialist Core Security will demonstrate their latest methods for stealing information from database records. The latest attacks will be carried out using timing techniques that take advantage of the indexing algorithms found in many commercial database management systems.

Core researchers Damian Saura and Ariel Waissbein plan to display their process for scooping database records by showing how timing can be used to extract private data from a database by performing mere record insertion operations -- an unprivileged set of commands typically made available to any user of a database, including users accessing the systems via Web applications, Core researchers said.

"There's no misconfiguration being exploited in this case. What is being exploited is that by designing databases to allow for rapid access to information, in many cases an attacker can simply insert some rows into a database and measure differences in timing -- how long it takes to insert an entry -- to retrieve the contents of the database," said Ivan Arce, chief technology officer with Boston-based Core.

"If there is a substantial difference in the timing, someone can essentially infer what the contents of the database might be, such as if there are credit card numbers being made available for access," Arce said. "By repeating this process several times you can nail down database content bit by bit by merely inserting some rows."

Web security testing firm Cenzic is planning to release new vulnerability trend data at Black Hat that further highlights the shift toward the discovery of applications-level vulnerabilities.

According to the Santa Clara, Calif.-based company, some 72 percent of all the 1,484 widely published software flaws in the second quarter of 2007 were related not only to applications vulnerabilities but to those discovered in Web applications, Web servers, or Web browsing programs, representing a 7 percent increase over Q1 2007.

Among browser hacks, always a hot topic at the conference, Cenzic reported that 33 percent of the flaws were found in Microsoft's Internet Explorer, followed by Mozilla's Firefox at 26 percent, and Opera at 21 percent.

One of the entirely new elements of the 2007 Black Hat show will be a first-ever awards ceremony aimed at recognizing the most creative vulnerabilities and exploits unveiled at the conference.

Dubbed the "Pwnies" in honor of the hacker slang of "pwning" (which means to compromise a particular site or program), categories include Best Server-Side Bug, Best Client-Side Bug, Most Innovative Research, Lamest Vendor Response, and Most Overhyped Bug.

Judging the competition will be well-known security researchers including Dino Dai Zovi, HD Moore, Dave Aitel, and Alexander Sotirov. The awards will be announced on Aug. 2.

Copyright © 2007 IDG Communications, Inc.