Black Hat conference spotlights virtualization, DNS issues

This year's Black Hat conference had more vendor booths, more talk of the perils of virtualization and Cisco's weak spots, and more DNS discussion

The 12th Black Hat conference convened at Caesars Palace, where the 4,500 attendees (a 12.5 percent increase over last year) heard about the security problems that will plague virtualized environments, why Cisco routers are more of a hacker target than ever, and a detailed explanation of DNS attacks.

Attendees also found a show floor dominated by vendor booths. Once a rarity at the conference, booths are becoming more prevalent as vendors inject themselves into the Black Hat mix. Black Hat founder and director Jeff Moss didn't apologize for their presence, noting that vendor sponsorships are important to the financial success of the conference, but he did distance the content of the show from the sponsors: presenters at the briefings deliver vendor-neutral material chosen solely for its value to the security community, he said during his opening remarks.


Vendor booths aside, the audience was tuned to far more weighty topics, such as the security problems that will ultimately arise out of the industry's headlong push into virtualizing everything.

Virtualization "will not save you money, it will cost you more," and "virtualized security can seriously impact performance, resilience, and scalability," said Christopher Hoff, chief security architect at Unisys, in an impassioned presentation. Hoff argued the user community is being sweet-talked into virtualization by an industry unmindful of the security consequences.

"Over the next 12 to 18 months, there's a very uncomfortable set of circumstances as every vendor rushes out to say we've virtualized," said Hoff in his talk, entitled "The Four Horsemen of the Virtualization Apocalypse."

Using strong language directed at the network industry, Hoff argued that "it's getting real messy" as Cisco, Brocade, 3Leaf, Xsigo, and others gallop off toward virtualizing basic switching infrastructure without a clear notion of the security consequences for enterprise customers accustomed to wholly different topologies built on technologies such as spanning tree (STP).

"A virtual switch is just a piece of code like a hypervisor," said Hoff about the industry's new direction. "It's basically Layer 2 switching modules," adding it means you've collapsed the network into "a single tier" and "it all boils down to three settings in a GUI."

The virtual security -- he called it "VirtSec" -- that's arising in the wake of anticipated changes is ushering in virtual appliances that will become the cornerstone for trying to replicate traditional defenses such as intrusion-prevention systems, anti-virus, and firewalls, Hoff said. But as security functions compete for virtual-machine resources, there will be a performance hit just as is seen in unified threat management devices today that combine IPS, firewall, and other functions, he said.

Capacity planning with a virtualized network is "going to be very difficult to predict," Hoff said, adding he was profoundly skeptical that trying to virtualize a firewall is going to work as DMZs are pushed into going virtual, too.

"If I decide to VMotion a firewall, it won't work," said Hoff, alluding to his own research with VMware and its VMotion capability to migrate a running VM from one physical host to another. With virtualization, "you won't get rid of host-based security software. As we add more solutions, we add complexity," Hoff said, advising the Black Hat audience "not to be dragged into the environment."

The Cisco factor
While virtualization got its fair share of attention, it wouldn't be a Black Hat conference without Microsoft and Cisco being bandied about. But this year, experts said, with Microsoft Windows no longer the fertile ground for bug hunting that it once was, researchers are looking at other products to hack. And Cisco's routers are an interesting target: they command more than 60 percent of the router market, according to research firm IDC.

"If you own the network, you own the company," said Nicolas Fischbach, senior manager of network engineering and security with COLT Telecom, a European data service provider. "Owning the Windows PC is not really a priority anymore."

But Cisco's routers make a harder target than Windows. They're not as well known to hackers, and they come in many configurations, so an attack on one router might fail on a second. Another difference is that Cisco administrators are not constantly downloading and running software. Cisco has done a lot of work in recent years to cut down on the number of attacks that can be launched against its routers from the Internet, according to Fischbach. "All the basic, really easy exploits you could use against network services are really gone," he said. The risk of having a well-configured router hacked by someone from outside of your corporate network is "really low."

That hasn't deterred the latest crop of security researchers.

Two months ago Core Security researcher Sebastian Muniz showed new ways of building hard-to-detect rootkit programs for Cisco routers, and last week his colleague, Ariel Futoransky, gave an update on the company's research in this area. Also, two researchers from Information Risk Management (IRM), a security consultancy, released a modified version of the GNU Debugger that gives hackers a view of what happens when Cisco IOS software processes their code, and three shell-code programs that can be used to control a Cisco router.

Meanwhile Felix Lindner, head of Recurity Labs, released his Cisco forensics tool, called CIR (Cisco Incident Response), which he has been beta testing for the past several months. There will be a free version, which will check a router's memory for rootkits, while a commercial version of the software will be able to detect attacks and perform forensic analysis of the devices.

This software will give network professionals like Fischbach a way to go back and look at the memory of a Cisco device and see if it has been tampered with. "I think there's a use for it," he said. "To me, it's part of the tool kit when you do forensics, but it's not the only tool you should rely on."

That little DNS problem
The other dominating news from Black Hat was the widely anticipated discussion of the highly publicized flaw in the Domain Name System (DNS), the directory that maps host names to IP addresses and that computers rely on to find each other on the Internet.

Dan Kaminsky's full-time job over the past few months has been working with software vendors and Internet companies to fix a security problem with DNS. Kaminsky first disclosed the problem on July 8, warning corporate users and Internet service providers to patch their software as quickly as possible.

Last week he disclosed more details of the issue during a crowded session at the Black Hat conference, describing a dizzying array of attacks that could exploit DNS. Kaminsky also talked about some of the work he'd done to fix critical Internet services that could also be hit with this attack.

By combining several weaknesses in the way the DNS protocol works, Kaminsky had figured out a way to very quickly fill caching DNS servers with forged records, an attack generally known as cache poisoning. Criminals could use this technique to redirect victims to fake Web sites, but in Kaminsky's talk he described many more possible types of attacks.
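The article does not spell out why the poisoning is fast, so here is an added illustration (written for this page, not code from Kaminsky's talk or any vendor's patch). It models the race an off-path attacker exploits: the attacker asks the resolver for a name it has never seen, forcing a fresh upstream query, and floods forged answers before the real one arrives. Because a DNS transaction ID is only 16 bits, a resolver that always sends from one source port can be beaten in a few hundred races; one that also randomizes its source port multiplies the guess space by roughly 64K. The script also includes the check a practitioner most wants: given captured outbound queries from a resolver, does it reuse one source port? The ephemeral port range, the fixed port of 53, the packet budgets and the sample of observed queries are all assumptions constructed for the example.

```python
"""Why a 16-bit transaction ID alone cannot protect a resolver's cache.

Added example for this article, not code from the talk. It simulates the race an
off-path attacker exploits in DNS cache poisoning and includes a simple check of
captured resolver queries for a fixed source port. Port ranges and budgets are
assumptions chosen for illustration.
"""
import math
import random
from collections import Counter

TXID_SPACE = 1 << 16                # a DNS transaction ID is 16 bits
EPHEMERAL_PORTS = range(1024, 65536)  # assumed source-port range of a randomizing resolver
FIXED_PORT = 53                     # assumed single source port of a non-randomizing resolver


def per_packet_success(randomize_port: bool) -> float:
    """Probability that one forged response matches the resolver's outstanding query."""
    ports = len(EPHEMERAL_PORTS) if randomize_port else 1
    return 1.0 / (TXID_SPACE * ports)


def expected_races(spoofs_per_race: int, randomize_port: bool) -> float:
    """Expected number of forced lookups before one race is won.

    A race is won with P = 1 - (1 - p)^k for k forged packets, so the number of
    races is geometric with mean 1/P.
    """
    p = per_packet_success(randomize_port)
    p_race = 1.0 - (1.0 - p) ** spoofs_per_race
    return 1.0 / p_race


def simulate_poisoning(randomize_port: bool, spoofs_per_race: int,
                       max_races: int, seed: int = 1):
    """Run races until the cache is poisoned; return the race number or None."""
    rng = random.Random(seed)
    for race in range(1, max_races + 1):
        # The attacker asks for a throwaway subdomain that cannot be cached yet,
        # so the TTL of the real record never protects the target.
        txid = rng.getrandbits(16)
        port = rng.randrange(1024, 65536) if randomize_port else FIXED_PORT
        outstanding = (txid, port)
        # The attacker floods forged answers, each guessing a (txid, port) pair.
        # A forged answer also carries an additional record for the real target
        # (for example the zone's name server), so one accepted reply poisons
        # the zone rather than only the throwaway name.
        guesses = {
            (rng.getrandbits(16),
             rng.randrange(1024, 65536) if randomize_port else FIXED_PORT)
            for _ in range(spoofs_per_race)
        }
        if outstanding in guesses:
            return race
    return None


def observe_queries(randomize_port: bool, n: int, seed: int = 7):
    """Constructed sample of (txid, source port) pairs seen leaving a resolver."""
    rng = random.Random(seed)
    return [(rng.getrandbits(16),
             rng.randrange(1024, 65536) if randomize_port else FIXED_PORT)
            for _ in range(n)]


def shannon_entropy_bits(values) -> float:
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def assess_resolver(observations) -> dict:
    """Flag a resolver that reuses one source port. A small sample can only
    catch the fixed-port case; it cannot prove that randomization is strong."""
    ports = [port for _, port in observations]
    distinct = len(set(ports))
    verdict = "fixed source port: vulnerable" if distinct == 1 else "source port varies"
    return {
        "distinct_ports": distinct,
        "port_entropy_bits": shannon_entropy_bits(ports),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for randomize in (False, True):
        print("randomize_port=%s: expected races with 200 spoofs each: %.0f"
              % (randomize, expected_races(200, randomize)))
        print("  simulated result:", simulate_poisoning(randomize, 200, 5000))
        print("  capture check:", assess_resolver(observe_queries(randomize, 200)))
```

Running the script shows the fixed-port resolver falling in a few hundred races while the randomizing one survives the whole budget; the capture check is the kind of test a resolver operator can apply to a packet capture of outbound queries to confirm that the patch is actually in effect.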

He described how the flaw could be used to compromise e-mail messages, software updating systems or even password recovery systems on popular Web sites.

And though many had thought that SSL connections were impervious to this attack, Kaminsky also showed how even the SSL certificates used to confirm the validity of Web sites could be circumvented with a DNS attack. The problem, he said, is that the companies that issue SSL certificates rely on Internet services like e-mail and the Web to check that an applicant controls a domain before issuing a certificate for it. "Guess how secure that is in the face of a DNS attack," Kaminsky said. "Not very."

"SSL's not the panacea we would like it to be," he said.

Another major problem has been what Kaminsky calls the "forgot my password" attack. This affects many companies that have Web-based password recovery systems. Criminals could claim to have forgotten a user's password to the Web site and then use DNS poisoning to redirect the site's outgoing mail, so that the password-recovery message is delivered to a mail server they control instead of to the user.

In addition to the DNS vendors, Kaminsky said he'd worked with companies such as Google, Facebook, Yahoo, and eBay to fix the various problems related to the flaw. "I do not want to see my cell phone bill this month," he said.

Although some conference attendees said Wednesday that Kaminsky's talk was overhyped, OpenDNS CEO David Ulevitch said that the IOActive researcher has performed a valuable service to the Internet community. "The entire scope of the attack is even yet to be fully realized," he said. "This affects every single person on the Internet." 

This story, "Black Hat conference spotlights virtualization, DNS issues" was originally published by Network World.

Copyright © 2008 IDG Communications, Inc.