Diary of a DEFCON Delegate
Drew Williams
Co-founder, Information Security SWAT Team
AXENT Technologies
Greetings from a flood-ridden Las Vegas, where the rain is pouring like quarters in so
many slot machines. This is the third year of Black Hat and more than 650 people are in
attendance. On top of that, more than 2,500 people are expected for DEFCON 7.
People presented on a number of critical topics such as: Cryptography,
Regulating/Suggesting Parameters for Business Security, Cyber Forensics, "Competitive
Intelligence," Putting Intrusion into IDS, Scanning: A Taxonomy of Security Testing, 1000 Hackers
in a Box: Failings of Security Scanners, Security Issues with IIS 4 Servers, and How Responsive Are
Security Vendors to Security Problems. Dr. Mudge of L0pht gave the keynote address about
jointly developing a new shareware tool called "AntiSniff," working with NFR's Marcus Ranum.
In one of the security sessions, a Microsoft spokesperson responsible for
"Security@Microsoft.com" gave a party-line presentation, and then proceeded to take
questions about the security of the 25+ million lines of code in NT. As he explained, "Microsoft
views BO2K as a malicious program and not as a vulnerability that's been cracked." After enough
people had QA'd him from a "weeds perspective," I posed the question, "How many security-trained,
security-conscious developers does Microsoft employ for code-level engineering?" He replied:
more than 200 security experts, with a PhD in cryptography, and various other trained folks.
Doing the math with fellow attendees, we removed technical support, QA, those two PhDs
in cryptography, and the other scope-creep factors, and came up with a rough estimate
closer to five to 10 engineers who actually look at code from a security perspective.
This weekend's annual DEFCON hacker convention drew more than 2,000 computer
hackers, security experts, and federal officials from offices as high-ranking as the White House, who
assembled to discuss the latest trends in security exploits. One of the three-day conference's
break-out sessions included a panel discussion with security officials from the Army and the
National Security Council, which gave a room of more than 500 hackers the chance to field questions
and commentary. Note: Never give out your e-mail address to a group of hundreds of computer
hackers—especially if you're a White House "Security" Director!
Another session highlighted the unveiling of California-based hacker group Cult of the
Dead Cow's (cDc) newest version of "Back Orifice 2000" (BO2K). As a follow-up to last year's Back
Orifice, this new version provides NT users with the ability to operate at a "Privileged"
(Administrator) level—remotely (e.g., "RegEdit 32", remote file tree management, etc.). The
boldness of such hacker organizations as cDc, and the more prominent Boston-based L0pht
Heavy Industries, has fueled the cyber conflict between U.S. officials, software giants such as
Sun and Microsoft, and hacker groups. These groups are doing a great deal of noise-making, and
most of the participants here--as I see every year--are punks drawn together like a frat
party gone bad. But the good news is that, among the noise, there's some real value within the
ranks, and the software vendors (like Sun and Microsoft), government agencies--including some
of our own customer base--and the security vendors and our partners are starting to pay more
attention to what these groups are saying.
In the case of the BO2K program, this is an open-source architecture, which is being
hawked as a value-added tool that addresses both the productivity and security levels of any
organization that depends on the NT operating system. Anyone can download the actual code
directly from the cDc Website and review it and its security safeguards. What's different is that the
BO2K server can easily be sent as an e-mail attachment of less than 100K. Once in naive users'
hands, the attachment can be opened and infect their systems without the users ever knowing
they've handed over the keys to their system to a stranger.
I expect Microsoft to look at BO2K as a high-level security risk—and they should.
Conversely, the cDc proclaimed this as a tool that IT administrators who are responsible
for mostly remote networks can use to help (transparently) "enable" their administrative tasks.
But hackerware is hackerware, and most of the anti-virus groups will take strong countermeasures
against it, as will the security vendors.
So what does BO2K have/do?
Has an open-source architecture. This is the big news and what security companies should be
concerned about. Everything else, for one argument or another, is probably something that
has already been devised, either commercially or through shareware/freeware. Open
architecture means anyone can strip out the default settings and commands and put
their own into the tool.
Supports Triple-DES encryption (yes, it is export-restricted encryption).
Ability to plug in your own authentication/encryption "stuff."
Allows all connections to be encrypted, including password requests, etc.
Designed to move data through secure connections.
Has a plug-in ("Butt Plug"), which is a small set of core BO2K source.
Designed for NT.
Includes a PWDump-style utility for NT.
Includes extended Registry Key editing--remotely.
Has a smaller footprint (113k).
Uses less than 2MB RAM.
Looks like SMS, acts like SMS, but is hard to detect.
Has built-in TCP & UDP connections.
Includes a session-based architecture, which enforces session sequencing on reliable protocols.
Has a remote desktop interface plug-in called "BO-peep," which allows the user to see
the target desktop in clear stream.
Has a remote Registry Editor which allows the user to surf remote machines and create
values for registry keys.
"BOSOC 32" allows packets to be reordered; cDc likens this to a "clean set of TCP
functions in a UDP setting."
Here are some other highlights:
The cDc and distant colleagues at L0pht Heavy Industries teamed up to create a remote
file browser, which allows the user to access directory trees from remote locations for dragging
and dropping files--even through encrypted tunnels. This isn't necessarily a new utility, but it's
still interesting.
With BO2K's source code released under the GNU General Public License, you can also expect to
see numerous BO2K variations. Further complicating matters: BO2K is designed to be plug-in
extensible.
How can organizations detect and locate BO2K in an NT environment? My baseline
concern is fourfold:
1. How can a vendor’s products detect BO2K?
2. How can we locate where the incursion is originating?
3. What would be the defense against our countermeasures?
4. What are the other security vendors likely to address as they make boasts in
the media over this?
Issues like high and low entropy, weak algorithms, credential checking, and other
technotalk bounced around among the conversations. Here are some suggested approaches
(aside from looking at some of the antivirus folks for partial solutions):
1: Detection
Use IDS solutions to monitor for encrypted traffic.
Isolate the encrypted traffic and challenge its validity.
2: Location
Identify the device(s) on which the encrypted traffic originated.
Inquire as to the purpose for the encrypted traffic.
3: Countermeasure
Stop using the encryption settings in BO2K and run it "naked," so to speak.
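The detection and location steps above can be prototyped as a simple entropy check over captured flows: payloads that look encrypted (high Shannon entropy) arriving on ports where cleartext is expected get flagged, and the originating host is reported so its traffic can be challenged. This is an added example, not code from the author, AXENT or any IDS product; the port allow-list, the 7.0 bits/byte threshold and the sample flows are all constructed for the illustration.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Ports where encrypted payloads are normal; high entropy anywhere else is flagged.
# Allow-list and threshold are assumptions for this example, not rules from the text.
EXPECTED_ENCRYPTED_PORTS = {443, 22, 993, 995}
ENTROPY_THRESHOLD = 7.0   # bits per byte; random or encrypted data approaches 8.0
MIN_PAYLOAD = 64          # very short payloads give noisy entropy estimates

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the payload (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(payload: bytes) -> bool:
    """Heuristic: long enough to judge, and near-uniform byte distribution."""
    return len(payload) >= MIN_PAYLOAD and shannon_entropy(payload) >= ENTROPY_THRESHOLD

def suspicious_sources(flows):
    """Detection plus location: map each source host to the ports it sent
    encrypted-looking traffic to where cleartext would normally be expected."""
    hits = {}
    for f in flows:
        if f.dport not in EXPECTED_ENCRYPTED_PORTS and looks_encrypted(f.payload):
            hits.setdefault(f.src, set()).add(f.dport)
    return hits

# Constructed sample flows: a plaintext HTTP request, a high-entropy stand-in for
# TLS on 443, and a high-entropy blob to an arbitrary high port (the case to isolate).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\nHost: intranet\r\n" * 3),
    Flow("10.0.0.5", "10.0.0.81", 443, bytes(range(256))),
    Flow("10.0.0.23", "10.0.0.9", 54320, bytes(range(256)) * 2),
]

if __name__ == "__main__":
    for src, ports in suspicious_sources(SAMPLE_FLOWS).items():
        print(f"challenge host {src}: encrypted-looking traffic to ports {sorted(ports)}")
```

In practice the allow-list has to reflect the site's own encrypted services, and a flagged host is a lead to question, not a verdict.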
The last, but far from least, of your security concerns about BO2K is that this program
enables a BO2K cracker on NT systems to make any directory shareable. Adding to the dilemma
that this is an open-architecture application, the resulting "spin-offs" will evolve, based on the
time, resources, knowledge base and imagination of any hacker. To say that this can mean a
security nightmare is an understatement.