Day two at Black Hat


Author: Joe Barr

LAS VEGAS — The crowds are larger on this second day of Black Hat, though people are moving a little more slowly than yesterday, perhaps because of the free toga party last night at Caesar’s Palace, marking the casino’s 40th anniversary. Nevertheless, the conference sessions have been packed with intriguing information.

Spyware is everywhere

Yesterday afternoon I attended a panel on spyware threats led by Ari Schwartz from the Center for Democracy and Technology and the Anti-Spyware Coalition. Joining Schwartz on the panel were Gerhard Eschelbeck, CTO of Webroot; Dan Kaminsky, DoxPara Research; Andre Gold, CISO at Continental Airlines; and Eileen Harrington from the US Federal Trade Commission.

Schwartz kicked the session off by going over why we care about spyware and the harm that it does, including identity theft, corporate espionage, domestic violence, extortion, and fraud by unfair and deceptive practices.

Eschelbeck presented some new unpublished numbers depicting just how bad the spyware situation is. Since 2004, Webroot has found more than half a million potentially malicious Web sites from which visitors might become infected with spyware. In the latest quarter, the company says it discovered more than 100,000 new sites.

Kaminsky argued for laws and enforcement, saying spyware should be seen as “a large scale organized crime” problem, rather than being dealt with as a civil offense. But the real problem, according to Kaminsky, is that “this problem lies at the legal/technical boundary,” asserting that technology alone is not going to solve the spyware problem.

Gold outlined measures his company takes to combat spyware on its internal networks, primarily through increasing employee awareness of the problem.

Finally, Harrington delved into the FTC’s role and the legal mandates it has been given. As to law enforcement getting more involved, she pointed out that “the DC police department does not have a spyware unit.” She was in full agreement with Kaminsky’s take on it being both a legal and a technical problem, saying “the question for the Congress is, ‘Do you want to change the legal boundaries?'”

It was an informative session, but a pessimistic one if you’re a Windows user.

Focus on Globalization

A second panel yesterday afternoon, led by Joyce Brocaglia from the Executive Women’s Forum, discussed globalization issues for the security industry. Brocaglia described her panelists during the introductions as having been chosen from among “the most brilliant women in our industry.” With her were Becky Bace from Trident Capital, Merike Kaeo of Double Shot Security, and Dena Tsamitis, a distinguished fellow of Carnegie Mellon University. One was a security pro who had worked on the first intrusion detection software developed at the National Security Agency during the ’80s, while another was a world-famous author of definitive texts on IT security.

This session was interactive, driven primarily by questions from the audience. I was one of the few men in the room, and one of the few there who did not work in the field of IT security.

Several of the audience questions were variations on “How do I deal with the problem of gender bias in the workplace?” Not all the panelists were in agreement on how to respond to the situation, though each had had to face the same problem in her own career. One thing they did agree on was that the best answer was to be right when their ideas or arguments were being challenged simply because they were female.

This was an eye-opening session for me. But the widest my eyes got after listening to this group came toward the end, when I realized that I was no longer listening to a group of women talking about security; I was listening to a group of experts talking about security.

Rootkits in the morning

I got a tip from an unimpeachable source last night that William Arbaugh of Komoku was ahead of the wave in the rootkit detection business, so his presentation — with Jamie Butler of fu and fu2 rootkit fame — was the first session I attended this morning.

There were no staged video demonstrations of hacking an unidentified wireless device in less than a minute, like the one that caused a media frenzy yesterday while I was in the session on Globalization. Instead, the session leaders made a solid presentation on the history of and current trends in rootkits and rootkit detection.

Arbaugh sketched a rough history of rootkits from The Cuckoo’s Egg in the late ’80s to an article in Phrack about hiding TTY to Greg Hoglund’s Windows NT rootkit in 1999.

Citing figures from McAfee, Arbaugh noted a 400% increase in rootkits between 2004 and 2005, as well as the expectation that they will increase by 650% on Windows platforms over the next three or four years.

Butler then described various methods being used by rootkits. They began, he said, by simply modifying binary executables, then moved into memory and modified it, and later began to modify kernel data. Today they rely on hooks, either intercepting calls outright or simply registering callbacks that the system triggers on events. Each move has made them more difficult to detect.

Arbaugh then took over again to discuss methods of detection and the problems encountered in trying to detect rootkits. He said, “It’s like asking a crazy person if they are crazy. You can’t trust the answer.”

System integrity, semantic integrity, signatures, behavioral checks, and cross views are some of the methods he mentioned that are being used today.
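To make the cross-view idea concrete, here is an added example of my own (not code from the talk or from Komoku) that takes two independent views of the Linux process table and reports what only the lower-level view can see: the /proc directory listing, which a hooked rootkit can filter, versus a brute-force probe of every PID with signal 0. It assumes Linux and reads the PID range from /proc/sys/kernel/pid_max.

```python
import os

def view_procfs():
    """High-level view: PIDs exactly as the /proc directory listing reports them.
    This is the view `ps` uses, and the one a rootkit hook typically filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def view_signal_probe(max_pid=None):
    """Low-level view: probe every PID with signal 0 (no signal is delivered).
    ESRCH means no such process; success or EPERM means the process exists,
    whether or not anything lists it."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue          # ESRCH: nothing there
        except PermissionError:
            alive.add(pid)    # EPERM: exists, just not ours
    return alive

def hidden_entries(high_level, low_level):
    """Entries the low-level view sees but the high-level view does not.
    A non-empty result is the discrepancy a cross-view scanner flags.  It is a
    lead, not proof: a process created between the two scans shows up here too,
    so a scanner rescans before raising an alert."""
    return sorted(set(low_level) - set(high_level))

def scan():
    """Take both live views and return PIDs visible only to the probe."""
    high = view_procfs()
    low = view_signal_probe()
    return hidden_entries(high, low)

if __name__ == "__main__":
    print("PIDs visible to the probe but missing from /proc:", scan())
```

Persistent hits across two or three scans are what deserve a closer look; a one-off hit is usually just a process that started while the probe was running.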

Finally, Arbaugh closed with the issue of remediation. The bottom line is that it is extremely difficult to remediate rooted systems, and often isn’t even possible. The convergence of rootkits and other types of malware, from worms to spyware, is increasing both the size and the complexity of the issue.

