Onto a few more highlights from Blackhat. Dowd, Smith, and Dewey's presentation on The Language of Trust was excellent, and the bug highlighted in the presentation, MS09-035, is going to be around for a very long time. This bug was the result of a typo, an '&' where one shouldn't have been. An interesting and very subtle bug, and one that probably couldn't have been found any other way except with the deep-down, cyborg-like binary analysis this team does.

So what is the impact of this bug and why does it matter to control system operators? We all know how much developers of control system components like to use ActiveX controls; they're easy drop-ins and let you get to the meat of what you're doing quickly, and every month or so a bunch of them get kill-bitted (blacklisted) so that they can't be instantiated in things like Internet Explorer, right? Well, all of those kill bits just went out the window. Until the patch from MS is applied, the blacklisted controls are all back, and you're just as vulnerable as you were on the day they were first installed on your system. This should be a top priority patch for any system that has Internet Explorer installed and a network connection, and with the trend towards web-based HMIs and management consoles, this really is something you should get done sooner rather than later.
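One way to size up that exposure on a given HMI or engineering workstation is to list the controls that IE is supposed to be blocking and see which of them are actually registered on the box. The script below is an added example written for this post, not code from the presenters or from Microsoft. It assumes an elevated PowerShell session on the host being checked, that kill bits live where IE has always stored them (the Compatibility Flags value under the ActiveX Compatibility key, with 0x400 as the kill bit), and that a 64-bit host also carries a Wow6432Node copy of that key; the variable names and the registry roots checked for InprocServer32 are my choices.

```powershell
# Added example, not from the original post: enumerate ActiveX controls that
# are kill-bitted in IE and still registered on this host. Until the ATL fix
# is applied the kill bit is not a reliable barrier, so this list is the
# exposure you should assume.
# Assumptions: elevated PowerShell; 64-bit hosts keep a second copy of the
# ActiveX Compatibility key under Wow6432Node.

$compatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$KILL_BIT = 0x400   # Compatibility Flags bit that blocks instantiation in IE

$results = foreach ($key in $compatKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $clsid = $sub.PSChildName
        $flags = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or ($flags -band $KILL_BIT) -eq 0) { continue }

        # A kill bit only matters if the control is actually registered here,
        # so look for an in-process server under either the 64-bit or the
        # 32-bit CLSID hive.
        $server = $null
        foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
            $p = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $p) {
                $server = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'(default)'
                break
            }
        }
        [pscustomobject]@{
            CLSID     = $clsid
            Installed = [bool]$server
            Server    = $server
        }
    }
}

$installed = $results | Where-Object Installed
"{0} kill-bitted CLSIDs, {1} still registered on this host" -f @($results).Count, @($installed).Count
$installed | Sort-Object Server | Format-Table -AutoSize
```

The second number is the one that matters: every control in that list is something IE would normally refuse to load but that an attacker can reach again until the ATL update is on the box. Pair the output with a check for the hotfix IDs listed in the MS bulletin (for example via Get-HotFix) when you are working through a fleet of HMIs.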
I also was able to see an excellent presentation on developer education from Andrew Rook, and I agreed with almost everything. We tend to teach developers about developing quality code in a very backwards way, showing them all the different ways something can break, analogous to the driver's education videos with all the gruesome crashes that many of us had to suffer through. Those videos didn't make us better drivers; after a while you felt like a crash was almost inevitable, which made you less safe in the long run. Of course a certain amount of fear is a good thing, and nothing drives home the point like a memory corruption resulting in a shell, but we have to channel that. We need to encourage developers to have a deeper understanding of the tools they're using to create our systems: what the underlying concepts and philosophies of a given language/library are, what the potential pitfalls are, and how to avoid them. What we need to avoid, and what far too many security consultants and "experts" are doing, is just pushing another checklist onto people and creating a de facto compliance requirement. And I think we all know what those lead to: the bare minimum.
And moving on to more of an attacker's/penetration tester's point of view, the Metasploit track at both Blackhat and Defcon was excellent. I know a lot of people are apprehensive about the framework, but I think you have to take the tool for what it is and realize it's become an incredible platform for people like me who like working with the pointy end of the security stick. There's too much to go into in a short post like this, since it was about 6 hours of 20-minute talks, but I'll mention a few. Moore and Trammell's wardialing additions that we've mentioned here before are growing up fast, excellent tools that I look forward to using on the next assessment I'm on with a lot of dialup access. Valsmith and co.'s Metaphish looks to give us a much more structured and more quantifiable way to test how successful a phishing attack against our employees could be. Often overlooked and ignored, but user education is still our best bet, and teaching people how to identify a phishing attack by demonstrating one might be the best way to keep them from clicking on a link without thinking the next time. Many other very interesting things are going on with MSF.
There's another presentation or two that I'm going to highlight specifically, but that's going to conclude my overview posts. Aside from the presentations, one of the more interesting things I noticed was how every other vendor had something about SCADA in their marketing materials, but almost no one had done anything with it, or anything they could tell me about. I'm wondering if those smart grid commercials have got the marketeers thinking that using the magic words "SCADA" and "smart grid" or "AMI" will make the contract faeries show up? Of course there's no reason to completely discount a vendor new to the space, but the last thing we need in control systems is more blinking lights (probably blue ones) that give a false sense of security, and one more service agreement to manage, and most security products do little more than that.