Blogging Blackhat, Day Two
The second and final day of Blackhat has come and gone. Some good presentations today, and probably more interesting to the critical/control system area of security. The activity at Defcon is already starting to pick up, with lots of parties going on tonight from the major and minor players and generally a lot of winding down for the presenters.
I started the day with a great presentation from Felix Lindner on forensics in Cisco IOS: essentially examining full memory dumps, and some of the configuration and debugging techniques available on IOS. This is something that I think we could see applied to PLCs; assuming the PLC has some sort of rudimentary debugging interface, it could be trivial to checksum the RAM/ROM and detect changes, both intentional and unintentional. Another interesting pickup from the presentation is that there are estimated to be somewhere in the neighborhood of 100,000 different IOS builds out in the wild, approximately 15,000 of which are currently supported by Cisco.
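The checksum-the-memory idea above is easy to sketch. The following is an added example, not code from the post or from Lindner's talk: it hashes a memory image block by block, stores that as a known-good baseline, and later reports which blocks of a fresh dump differ, including the edge cases where the new dump is shorter or longer than the baseline. The image bytes, the 256-byte block size and the dump offsets are all constructed for the demo; a real PLC or IOS dump would come from whatever debug interface the device exposes.

```python
import hashlib
from typing import Dict, List, Tuple

# Block size is an assumption chosen to keep the demo readable; a real tool
# would align blocks to the device's memory map (code, data, config regions).
BLOCK_SIZE = 256


def block_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> Dict[int, str]:
    """Hash a memory image block by block.

    Returns {byte_offset: sha256_hex} so the baseline can be stored off-device
    and compared later without keeping the full image around.
    """
    return {
        off: hashlib.sha256(image[off:off + block_size]).hexdigest()
        for off in range(0, len(image), block_size)
    }


def diff_images(baseline: bytes, current: bytes,
                block_size: int = BLOCK_SIZE) -> List[Tuple[int, str]]:
    """Compare a current dump against a known-good baseline.

    Returns a sorted list of (offset, reason) where reason is one of:
      'modified'  - block exists in both images but its hash differs
      'appended'  - block exists only in the current dump (image grew)
      'truncated' - block exists only in the baseline (image shrank)
    An empty list means the two images are block-for-block identical.
    """
    base = block_hashes(baseline, block_size)
    cur = block_hashes(current, block_size)
    findings: List[Tuple[int, str]] = []
    for off in sorted(set(base) | set(cur)):
        if off in base and off in cur:
            if base[off] != cur[off]:
                findings.append((off, "modified"))
        elif off in cur:
            findings.append((off, "appended"))
        else:
            findings.append((off, "truncated"))
    return findings


# Constructed sample data: a 1 KiB pseudo "ROM" image and a copy of it with a
# single byte flipped at offset 600 (which lands in the block starting at 512).
GOOD_IMAGE = bytes((i * 7) % 256 for i in range(1024))
_patched = bytearray(GOOD_IMAGE)
_patched[600] ^= 0xFF
TAMPERED_IMAGE = bytes(_patched)


if __name__ == "__main__":
    print("clean vs clean:    ", diff_images(GOOD_IMAGE, GOOD_IMAGE))
    print("clean vs tampered: ", diff_images(GOOD_IMAGE, TAMPERED_IMAGE))
    print("clean vs truncated:", diff_images(GOOD_IMAGE, GOOD_IMAGE[:700]))
```

Storing per-block hashes rather than one whole-image checksum is what makes the result actionable: a single changed block at a code offset reads very differently from a run of changed blocks in a region the device legitimately rewrites (counters, logs, runtime data), so the baseline should note which regions are expected to drift.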
Next up was Billy Hoffman’s presentation of JavaScript techniques for circumventing automated analysis tools. This presentation was near and dear to me, as some of my previous research was creating an analysis tool called Caffeine Monkey that was mentioned quite a bit in the presentation. Hoffman does good work and makes me more and more paranoid every time I use a web browser. JavaScript is among the most common attack tools used today; Flash is on its way, and I bet we see attackers leveraging the additional functionality there soon.
Travis Goodspeed has done some interesting work on dumping and reprogramming the firmware on the MSP430 microcontroller. Fascinating research, but honestly I didn’t have enough of an electrical engineering background to completely understand it; lots of waveforms.
The SCADA fuzzing presentation was interesting. There was a lot of buzz leading up to the talk and rumors floating around about vendor lawyers and court orders, but in the end the presentation was given. Essentially Sergey Bratus of Dartmouth College, working with TCIP, was able to cause a lot of damage to some real SCADA systems. With no real knowledge of the proprietary protocols, Sergey was able to use some compression techniques along with some evolutionary fuzzing to completely crash the system. No details of exploits and such were given, and the presenters were careful not to give any real details about the vendors affected. There is quite a mess of protocols floating around these critical systems, and anyone who’s looked at them knows that they aren’t exactly the cleanest/clearest; the only solution to that is open and peer reviewed standards. A lot of side talk after the presentation about asset owners pushing vendors, and government initiatives/requirements.
Lastly, there was a big announcement from Microsoft. I was unable to attend as I was in the SCADA talk above, but it appears that they’re going to begin sharing information with customers and partners on a more official basis. From the Q&A that I caught the last bit of, there seemed to be hints of MS working with third-party software developers to fix vulnerabilities in their software running on the Windows platform. Few details were given, and they were clear that they wouldn’t be acting as a CERT, but clearly they’re preparing to be more involved with the process. I have to think that they’re going to be most interested in enterprise software, but without a doubt there will be some interest in critical systems as well. It will be interesting to see how the program shapes up over the coming months.
That’s all for now; the chaos of Defcon really gets going tomorrow. Should be some interesting stuff, and one very interesting one involving cell phones.
Author: Daniel Peck
Posted: August 8th, 2008 under Conferences.
Comments: 2
Comments
Comment from Ralph Langner
Time: August 8, 2008, 4:32 am
Daniel, I wonder how it is possible to demonstrate crashing “some real SCADA systems” without identifying the vendors. I figure that anyone would see what those real SCADA systems, thus their vendors, were. Can you comment on that?
Comment from Daniel Peck
Time: August 8, 2008, 2:01 pm
Ralph, the presentation focused on the process that he used to crash the systems, but didn’t show the systems, packet captures or anything like that. They hope to release their fuzzing tool at some point in the future and hopefully it will be through some vetting program.
(forgive any typos, sent from mobile phone)