Blackhat Update: State of Insecurity

Black Hat 2008

The annual pilgrimage to Las Vegas for Black Hat and/or Defcon is a ritual that many of us observe, and certainly much has been written about this gathering of the key players in the world of security (and insecurity). I’ve been attending for many years, and generally view it as a sort of “state of the union” address, where you get both a sense for where things stand and specific details on tools and techniques.

Network security is often viewed as an arms race, and Black Hat is one of those venues where the arms merchants gather to display their wares, and people on opposite sides of the conflict evaluate claims and counter-claims and challenge both.

Is Virtual Security Real Security?
Much of the focus this year was on virtualization, and the popular misconception that virtualized systems are “as secure” or even “more secure” than their physical counterparts – nothing could be further from the truth. As is often the case, network management and network security are at odds in this fairly new arena. The pros of virtualization are obvious – space, power, heat and cost are all significant drivers to the rapid adoption of this technology, but ignore the security implications of the virtual world at your peril.

When multiple systems and the virtual network infrastructure connecting them all coexist on one host, it is critical to understand that a single security flaw exposes much more than it would in a comparable physical implementation. The bottom line is that virtualized network infrastructures simply do not equate (yet) to their physical counterparts, and some caution is required to ensure you understand the strengths and weaknesses of virtual networks and plan accordingly.

No Honor Among Thieves
Nitesh Dhanjani and Billy Rios’ presentation Bad Sushi: Beating Phishers at Their Own Game delved into their research on phishing tools and tactics, and the underbelly of this community. While not entirely surprising, it was interesting to see the volume of ready-made sites, how little some members of the phishing community actually know, and the lucrative market for captured personal information.

Using information gleaned from one of the phishing sites they investigated, they turned to Google and found pages of credit card data readily available. This raised an interesting question. Why is it that this information, some of it only hours old, was so readily available? Their conclusion was that the free “samples” establish the sellers as “legitimate”. On the market front, it seems that Gold and Platinum cards, complete with CCV, sell in packs of 100 for $2,500 and 500 for $5,000 (prices subject to change without notice.)

It was fun to hear of the duo’s effort to break into the world of phishing, and that a “mentor” assisted them with code that would have sent a copy of anything they collected directly to their new cyber-friend. Clearly, the prevailing rule is the law of the jungle where Big Phish eat Little Phish. The community does attempt to police itself with blacklists that expose “unscrupulous phishers” – an amusing oxymoron.

Get Rich or Die Trying
One of the more entertaining presentations this year was “Get Rich or Die Trying - Making Money on The Web, The Black Hat Way”, by Jeremiah Grossman and Arian Evans. They stated at the outset that some of the techniques demonstrated could yield significant financial reward, and while some might even be “legal”, they could stretch the envelope of one’s ethics.

There was the case of the woman who discovered QVC would send her free merchandise if she simply ordered and then canceled. The $412,000 she made exploiting the cancellation system flaw and reselling the “QVC packaged” items on eBay ultimately led to her discovery and conviction for wire fraud. In another example, an Estonian financial firm discovered that it was possible to view embargoed press releases (releases scheduled to be made public on a specific date in the future). The SEC investigation estimated they made over $8 million trading on this information.

These are just a few of the many Black Hat approaches to making money on the web that were discovered and tested by some creative (if not always bright) people, cataloged for us in this presentation, and presented as education and temptation - just in case that day job doesn’t work out.


This post was written by Michael Maloof, who has written 6 posts on TriGeoSphere.
