Fresh off of two days of teaching a reverse engineering class, it's my turn to take a seat in the audience and check out some new research from various parts of the globe. There are two simultaneous tracks running at this show; here are the talks I got to catch:
Reversing and Exploiting Wireless Sensors
Travis Goodspeed gave a very knowledgeable talk on reverse engineering and exploiting wireless sensors such as the ZigBee remotely pollable electric meter monitors which will soon start popping up in homes around the country. He covered some really interesting attacks for gleaning information from the sensors such as ultraviolet light attacks and voltage glitching. To be honest, most of this talk was over my head as I am a hardware hacking virgin. I mention this to younger friends and colleagues all the time and I'll say it again here: I really should have taken EE in college as opposed to CS.
Let Your Mach-O Fly
Vincenzo Iozzo, recently hired at Zynamics where my good friend Ero Carrera and the rest of the Halvar gang work, presented a forensic resilient exploitation technique for MacOS systems. He began with some background information on the Mach-O file format and the kernel's dynamic linker, then dove into the details of an implementation that I can best compare to the Metasploit Meterpreter. He essentially wrote a tool that allows you to deliver an arbitrary binary as a payload to an exploited box, which will execute without ever hitting the disk.
QuietRIATT
Brian Krumheuer and Jason Raber gave a talk on a custom developed run-time Import Address Table (IAT) rebuilding tool which uses Microsoft Detours to hook functions and, in conjunction with ImportREC, rebuild munged IATs. I personally don't find this all that helpful as it limits you to rebuilding symbols only for API calls you are able to monitor at run-time. When reverse engineering malware, the key portions an RE needs to focus on are the activities that are not empirically observable. The symbols for hidden functionality such as coordinated DDoS attacks will not be revealed. Furthermore, more runtime information can be extracted with the help of live contextual information from a debugger such as OllyDbg, which can export an enumeration of all intermodular calls that can then be easily imported into IDA via IDC. This is a technique Ero and I cover in our class on reverse engineering malware.
A Wolf in Sheep's Clothing: The Dangers of Persistent Web Browser Storage
My good friend, co-author and past colleague Michael Sutton, from Zscaler, gave an interesting and entertaining talk about the threats of next-generation web technologies. He spoke briefly on the oversight that clearing cookies is a sufficient means of eliminating web tracking, pointing to the fact that Flash Local Shared Object (LSO) cookies have increased in popularity and serve the same purpose. He then dove into the security issues rising with the increasing popularity of the offline browsing world built on top of frameworks such as Google Gears, noting that cross-site scripting (XSS) vulnerabilities on such platforms immediately result in client-side SQL injection. He demonstrated one such vulnerability that was reported to and patched by Paymo, a web 2.0 time tracking website. Michael sprinkled funny motivational posters throughout his slides; I especially appreciated the one on Apple users.
Satellite Hacking for Fun and Profit
Adam Laurie of rfidiot.org has given some great talks in the past and did not disappoint with his presentation today. Easily the best presentation of the day and, if I had to guess, it will be the best of the con. Adam showed how for less than $1,000 US you can put together a satellite dish with motor control and a DREAMbox to snatch satellite signals right out of the sky. He demonstrated a series of Python scripts he wrote to scan the sky looking for rogue and potentially interesting signals. Next he showed how one could identify IP flows over satellite and, with the help of dvbsnoop, create a Linux interface which can be sniffed with tools such as tcpdump. Very interesting stuff. With the remaining 30 mins of the day Adam then gave a sneak preview into his main research passion, RFID, demonstrating how one can implement a functional RFID man-in-the-middle attack for under $30.
If you want to take a peek at the slides / whitepapers from this event, browse over to:
http://blackhat.com/html/bh-dc-09/bh-dc-09-archives.html
BlackHat Federal 09: Day One
Published On: 2009-02-18 17:37:57
Comments
Michael Sutton commented on 2009-02-19 @ 11:43
Pedram - Thanks for the post, much appreciated.
For those interested, a blog posting detailing the Paymo/Gears attack is available at:
http://research.zscaler.com/2009/02/practical-example-of-cssqli-using.html
Michael
---
Michael Sutton
VP, Security Research
Zscaler
