nCircle.com >> 360 Security


Conference Archives

June 14, 2005

InfoSecurity Canada

So, the nCircle VERT guys will be hanging out in the nCircle booth over the next couple of days at InfoSecurity Canada - stop by the booth and introduce yourself if you're in Toronto.

Also, I'll be speaking on Thursday afternoon - the topic will be "Driving Security Compliance through Security Intelligence Profiling". I urge you all to drop by and check it out.

July 21, 2005

Conferences

So, here's one of my biggest dilemmas - there are so many conferences, and so little time (and money) to attend them all.

So, beyond the obvious 2 big ones (Blackhat/Defcon and CanSecWest), which ones should we go to? I've heard great things about Toorcon but never been... should we be there? Where else?

July 27, 2005

Live from Blackhat....

We've got a pile o' people here at Blackhat manning the booth, in the conference, and just generally hanging out. We're also going to be blogging the conference pretty heavily - I'm pushing for live coverage of all of the talks that people attend, so we're going to be your #1 Blackhat News source. :)

The conference so far looks pretty good, though there are some notable people missing - as Halvar pointed out on a previous comment, there are a lot of people at What The Hack this year. That said, it's still Blackhat.

Also, we're having a pretty serious party tonight - anyone who's here and reading this should check it out. The info for the party is here.

TK's comments on BlackHat 2005 Keynote

This year's Blackhat keynote was given by Mr. Gilman Louie, and he and I share something in common, as we both started early in our careers in the computer game industry. The difference is that he has been much more financially successful ☺ and I think that is awesome. I'll say it again, Information Security is just IT with an active opponent. ☺

He touched on a few things in the Keynote that I want to offer a counterpoint to and hope that the readers will research these topics on their own because they are fundamental to the elements of design when your task is to author or be a part of a successful Information Technologies Security System.

The three that I want to cover are:
The OODA loop introduced to us by the late Col John R. Boyd;
Friction in the system as a negative attribute;
Policymakers are clueless.

-- OODA Loop --
Just as he said, OODA stands for Observe, Orient, Decide, Act.
A superior competitive strategy is the ability to turn your OODA loop faster than the opponent and to “get inside” their OODA loop. This is a topic that has been written about in many business journals, sports strategies, and continues to ring true with military strategists.

The problem with Mr. Louie's brief analogy (to someone unfamiliar with Boyd's work) is the context of its usage in the keynote. The fact of the matter is that from an IT security perspective, there is no offensive posture as there is with jet fighter tactics, and so I would like to clarify how an OODA loop would successfully be applied to an IT security strategy. To be fair, Mr. Louie did clarify that it is the business that is properly using the OODA loop with their competitors and not IT security. (Rock on Mr. Louie)

The words Observe, Orient, Decide and Act are self explanatory, but where they sit in terms of the game play is the context that needs to be clarified. Let's break these OODA elements out into their natural classes: Observe and Orient fall into the Intelligence bucket and Decide and Act fall into the Execution bucket. We have the classic Intelligence versus Execution. Systems that are out of balance will exhibit the extreme ends of the spectrum, which are an "INFORMED non-EXECUTION" and an "UNINFORMED EXECUTION". (I'll blog more on this balancing act later)

If you want the biggest bang for your buck when applying the OODA loop to your IT Security defense, think about what processes or technologies you have in the system as a whole that help you Observe and Orient, and how those are working with the systems or people that need this intelligence to execute. If you remain ALWAYS ahead of your adversary in terms of intelligence and execution, you will make your position unassailable. The trick is to think of these OODA terms in a pre-incident and pre-flow type of context. Applying this discipline only at the time of flow or attack is too tightly coupled to yield a high degree of accuracy. For example, this is the basic design problem currently with IPS: the OODA loop is too tightly coupled and many of its criteria parameters are far too closely related to the adversary's input.

-- Friction as a negative attribute to a system --
At more than one point in the talk Mr. Louie kept referring to the "removal of friction" in the system, so I assume that this notion is important to his beliefs. He also stressed that "speed" is important and noted examples where slowness drives him nuts.

In systems theory, friction is not always a bad thing. Here I go with context again. ☺ The deal is that the transfer of "energy" (or it may be the transfer of knowledge as a byproduct of a transit relationship), or the concept of friction, can be a very positive attribute to use in system design. The real culprit that Mr. Louie should be identifying is inefficiency. I can build a low friction system that has very low efficiency, which is not a good thing.

I can think of many systems that have been around for millions of years that depend on the concept of friction but we won’t get in to those here now, will we?

-- Policymakers as being clueless --
There seemed to be an overtone that the people making the decisions were not well informed and, more important to Mr. Louie's point, I heard frustration in his voice with regard to the policymakers' ability to seek the proper intelligence for their decision making. This goes back to the OODA loop again, where the policymaker needs better Intelligence (Observation and Orientation). ☺ While this all may be true, or even true most of the time, I want to put something out there for everyone to consider.

Boyd himself said that there are do-ers and there are say-ers. In a nutshell, the do-ers are people who do things that really matter to the common good of the whole and in their hearts have a great deal of integrity. The say-ers are people who say things, and their actions are aimed at their self promotion and sometimes at the expense of their integrity. I find, as does Boyd, that integrity is job one, and if you can't trust yourself, game over, go back to bed.

(warning: blanket statement) The argument that policymakers are just clueless people who don't know anything is not a very responsible claim. While it may be true, the real question is: if they are a part of my system, how do we get to steady state and a high level of efficiency?
I recall as a teenager thinking that my teachers and parents were clueless, I recall as a young engineer thinking that my manager and the executive team were clueless, and we continue to see criticism tossed out at leadership on the grounds that they are uninformed. Common theme? What is broken here is trust and communication between the adjacent layers. In game theory, this is key and, to speak in a language that is most efficient to me, you need to find a way through communication and trust to establish a non-zero-sum game with these policymakers. Job one is to make sure there are communication and trust factors in place. If either fail at any point in time, a zero-sum game relationship will form.

Thanks for listening,
--tk

Reference:
Game Theory Ref.
http://www.gametheory.net/html/books.html

Boyd Books
http://www.sci.fi/~fta/boyd_books.htm

Blackhat ‘05
http://www.blackhat.com/

July 29, 2005

Fear and Loathing in InfoSec

Keynote address to BlackHat 2005 by Gilman Louie. I enjoyed this speech a lot, but came away with some fear and loathing. First off - this guy brought Tetris over from Russia way back in the day, so you figure he would be all fun, happy and kind of post-Soviet sunshine - not true. He brought the hate-on for the InfoSec community and the so-called Intel organizations in the Gov't / Military. His message (this only became really apparent to me once I re-read my notes) was that America has created a culture of fear and paranoia that is approaching the level once endured under Soviet rule in the Eastern Bloc. He postulates that an obsession with security will eventually bankrupt your country and drive your population away in droves.

Is the harbinger of the Western world InfoSec? Well, I am not convinced yet, so I kept listening to his keynote. He defends the front line techs as well intentioned souls that are constantly being pushed around by the Security Policy community, which he calls InfoSec posers.

I really like his point about information restrictions and brain dead IT policies causing users to circumvent the safeguards just to get their job done. I felt encouraged by his message that the Information Security community should evolve into the Information Effectiveness community and that it is our duty to remove the needless barriers that are suffocating our intelligence organizations.

All in all it was an impassioned keynote address - which is to say it was effective at stirring emotion in the attendees, but in the end I was left shaking my head at how on earth the Tetris guy got so damn angry ...

What's that David? Another SQL Trick?

David Litchfield put on a great presentation, despite conditions that would have made lesser speakers cry. The audio was so terrible that at one point he decided to convey his message through interpretive dance. I suppose poor audio setup is one price you pay for being speaker number 1 at a 2 day con.

Litchfield presented a new technique of SQL inference that shows some serious promise. By making properly formed, but horribly flawed SQL requests you can slowly read through the DB back end of SQL injection prone Web Apps.

His syntax examples started out pretty straightforward and seemingly easy to replicate - then they started getting freakishly cool - then when he hit Informix my eyes started to really hurt.
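The inference technique only works because the application splices request parameters straight into the SQL text, so a quote character in the input changes the structure of the query and each true/false answer the page gives back leaks a bit about the database. Here is an added example, not Litchfield's code and not part of the original post, showing that vulnerable pattern beside the parameterized fix. The in-memory SQLite table, the user name and the password are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a web app's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw):
    """Vulnerable: request parameters are spliced into the SQL text.

    A quote in the input ends the string literal early and the rest of the
    input becomes SQL, so the caller controls the query's structure. Every
    true/false answer the page then returns leaks one bit about the database,
    which is what makes the slow read-out described above possible.
    """
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, name, pw):
    """Hardened: placeholders bind the input as data; the query shape is fixed."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()[0] > 0


def compare(name, pw):
    """Run both versions on the same input and report what each one decided."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, name, pw),
            "parameterized": login_parameterized(conn, name, pw),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Valid credentials: both versions accept.
    print("valid creds:   ", compare("alice", "correct-horse"))
    # Wrong password: both versions refuse.
    print("wrong password:", compare("alice", "nope"))
    # Classic comment-out input (constructed): the vulnerable version drops the
    # password check entirely, while the parameterized version just looks for
    # a user literally named "alice' --" and finds none.
    print("injected name: ", compare("alice' --", "nope"))
```

The point of the third case is that the hardened version never "sanitizes" anything; the driver sends the query text and the values separately, so there is no way for a value to become part of the query, whatever the database dialect.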

The 2nd presentation he did was about how completely shit Oracle security and software support is. When it comes right down to it, he called them on being completely incompetent at providing even token support for their high rolling customers. As I see it, Oracle has some completely delusional perception of where it stands in the IT realm and why it has such godlike status. Oracle provides some pretty high price and high performance database software - good for them. They also have a scheduled security update policy that will deliver the most timely and efficient protection to their subscribers - good for them. Well, having spent several days of my life installing their high end software, and another day obtaining and installing their patches, I really enjoyed Litchfield pointing out how completely half assed their security patches really were. Update 68 stands as a benchmark in the field of security updates gone wrong. Oracle has been repeatedly criticized for downplaying the severity of this pseudo-service pack. Update 68 has files that have to be copied by hand, scripts that need to be individually executed, and then to top it off, most of the time parts of it fail! Verifying that you are now safe and fully patched is almost impossible.

Seeing as how most of the vulnerabilities that Oracle patches quarterly are discovered by Mr. Litchfield, they might as well just let him create the security patch himself and be done with it. Oracle's arrogant attitude towards the world makes it almost poetic when thousands of people flock to the city of sin just to point and laugh at them.

DK + DNS = True Love

Now this was a cool presentation. Like a neighborhood kid showing off his birthday presents, Dan Kaminsky had a bag full of tricks to talk about. He prefaced his hack extravaganza with a list of 7 topics he would discuss. When it was said and done, he talked about DNS, DNS, some new IP fragmentation techniques that enable IDS evasion, DNS and thankfully DNS. Although Kaminsky appears to know more about DNS than most OSes do, he was able to bring most of his presentation down to a level where mere hackers could digest it. All in all he had many scary things to talk about, and a fun video-over-DNS demo. He was severely let down by the lame ass wireless internet that BlackHat provided. Although super slow, free wireless for the attendees is acceptable, making the presenters use the same unwired and horridly slow connection to run a live demo is shameful.

Good show Dan, hopefully Defcon hands you some RJ-45.

Corporations and grass roots

I'm not sure what it was I expected to find when I came to the cons. To be honest, I've spent more time hanging out and partying than taking in speeches and presentations. I've met a lot of great people, inside and outside the company. It's been a blast!

I made sure to take in the Michael Lynn presentation; I had confidence a shit storm was going to ensue. I wasn't disappointed! God how I love that power can still be wielded by a single person like that - bravo. A little anarchy is always good, and it really reminded me in a lot of core ways why this is such a cool industry, despite its many glaring faults. On the other hand, I think it's a shame that ISS behaved the way they did. And Cisco... well, you both should be ashamed of yourselves. Thankfully it looks like things are getting sorted out, but what a show to see...

Defcon I've been finding a lot more enjoyable. It was interesting to be in the middle of so many people, from poseurs and scene-whores to folks that are more intelligent and deep in one little finger than I am as a whole. Everybody I've met has been cool - including John, an initially random non-nCircle guy who got screwed for a place to stay and who's crashing in our room. He may or may not have also snuck into Blackhat. For a security conference, guys, you really shoulda caught this guy out! It's a shame we didn't tap him to man the booth so we coulda grabbed a few more beers.

Meeting customers was one of the coolest aspects. It's nice to have people come up to you and tell you, for whatever faults you may have, that we're both on the same page. To know that the work you do *is* making a difference and that people appreciate it is, well, a rush. Everybody's buying everybody drinks, picking up the cheque for meals, and it feels kinda like a big family. Ok, that sounded nauseatingly saccharine, but fuck it!

Can't remember where I saw it or heard it, but some words have been stuck in my mind that I'll now paraphrase - "We need to recapture the revolutionary spirit of our industry". Despite some odd behaviour from a few people that showed up at our booth, I think there's room for a number of players. [Update: it has been confirmed that the 3 guys who showed up and acted odd at the booth were definitely not from a competitor. Thank goodness! I don't understand their motivations though.]

Folks from multiple competitors that showed up at the nCircle party were really cool. We have people who used to work at Qualys working for us. There's ex-nCirclers working at other competitors. But I still felt that we all had that excited-to-be-in-the-security-industry feeling.

Shouldn't people who sit in a room evilly cackling 'I will crush the competition!' become a thing of the past? Scorched earth is bad for everyone.

July 30, 2005

The March of the unwashed Masses

Defcon so far has been total hit or miss.

Outdoor Location + 110 F heat = Miss
"Hacking Google AdWords" = Hit
"Everything you ever wanted to know about credit cards" = Big Miss
Shmoo group in an air conditioned tent = Big Hit

The Shmoo group alone made yesterday's long long lineups of sweating nerds worth joining. These guys were awesome - they really represent today's hacker mindset. They appear to be some of the few people who actually appreciate the symbiotic relationship hackers have with vendors. They also create things, in contrast to groups that only break things. I really look forward to learning more about the Shmoo Group - and recommend anyone who doesn't know them to look them up.

"Hacking Google AdWords" had the potential to be another Cisco versus hacker-guy saga, but thankfully for everyone involved the show went ahead. The material was not groundbreaking, but it brought information to the community that was new to most. I know I learned a lot - however I will need to have a site to advertise to really use it. I found the steganographic segment to be really disturbing even without the casual mention of the T word. The most positive thing to say about this presentation is that it will most certainly cause changes over at Google, and really that is better for everyone.

Vulnerabilities in Exploits?

The Shmoo group [cazz] has been awarded the first CVE for a vulnerability in an exploit [edit: I am still waiting to confirm this claim]. They went on to detail 0day exploits in Canvas and Metasploit. These were really funny as they were based on the attack http://www.digitaldefense.net/labs/papers/Termulation.txt credited to HD Moore (founder of Metasploit). Oh the irony. The 0days got even better from there, when they detailed a Kismet exploit that could have (did?) root anyone trying to war drive at the con. Damn funny that they were able to take away one of people's fav tools in a sentence. No doubt Kismet will be out with a new (safer?) release shortly. I think the moral of the story is that when working with security tools, we really have to be mindful of what we run and that most often we run them as root.

Other highlights from Shmoo's talk were:

+ IDN is still a total mess and browser vendors don't seem to care. When phishers wake up to the possibilities here your friends and family members are in danger. You might want to go set up some bookmarks for your grandmother and hide her address bar. Just tell her the internet got smaller and now only has 6 sites. [ericj]

+ Rainbow Tables! Get your Rainbow Tables! Shmoo is now offering a 43.9 GB torrent of LanMan Hashes. Fun stuff. Now if only I could download that without buying a new hard drive. [dan m.]

+ A certain American Nucular power plant allowed a journalist to publish a picture of their 'ultra secure' wifi setup -- including the brand name and IP ADDRESS! Lame. [beetle]
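The IDN point above comes down to a browser rendering a Unicode hostname whose letters look like ASCII ones while DNS resolves a completely different "xn--" name. Here is an added example, not the Shmoo Group's code and not from the original post, of the check a mail gateway or bookmark tool could run on a link before trusting it: it accepts a hostname in either display or wire (punycode) form, reports the punycode that DNS actually resolves, and flags any label that mixes scripts. Classifying a character's script by the first word of its Unicode name is a simplification assumed for the demo; the sample hostnames, including the one that spells "paypal" with a Cyrillic "а" (U+0430), are constructed.

```python
import unicodedata


def script_of(ch):
    """Crude script tag from the first word of the Unicode character name
    (LATIN, CYRILLIC, GREEK, ...). Assumed heuristic, not a full Unicode
    script database."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def analyze_hostname(host):
    """Return one finding per DNS label: the Unicode form a browser would
    display, the punycode form DNS resolves, the scripts of its letters,
    and whether it mixes scripts."""
    findings = []
    for raw in host.lower().split("."):
        # Accept the wire form too: decode an xn-- label back to Unicode so
        # the same script check applies whichever form we were handed.
        if raw.startswith("xn--") and raw.isascii():
            display = raw.encode("ascii").decode("idna")
        else:
            display = raw
        punycode = display.encode("idna").decode("ascii")
        scripts = {script_of(c) for c in display if c.isalpha()}
        findings.append({
            "label": display,
            "punycode": punycode,
            "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1,
            "non_ascii": punycode != display,
        })
    return findings


def is_suspicious(host):
    """A label mixing scripts is the classic homograph pattern."""
    return any(f["mixed_script"] for f in analyze_hostname(host))


if __name__ == "__main__":
    # Constructed sample hostnames; the second uses Cyrillic U+0430 in place
    # of the Latin "a", and the third is that same name as DNS sees it.
    for host in ["paypal.com", "p\u0430ypal.com", "xn--pypal-4ve.com"]:
        for f in analyze_hostname(host):
            print(host, f)
        print("  ->", "suspicious" if is_suspicious(host) else "looks fine")
```

A lookalike written entirely in one non-Latin script would pass this mixed-script test, so a production check would add a confusables table on top; the mixed-script rule is the cheap filter that catches the cases demonstrated at the con.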

My fav quotes from Shmoo's presentation.

"Step 3 is Profit" (Like the underpants gnomes) [cazz]

"Gartner can blow us" [beetle]

"Oh ya the vendor guys are here too. They are the ones with the loud Hawaiian shirts and the good hair cuts." [rodney]

"PKI is teh suk" [beetle]

SSH + Python + GDB/IM = sshjack

"Post Intrusion SSH Hijacking" by Metalstorm was a great talk about how to leverage one hack into several nearly untraceable intrusions. Instead of attacking a network in off hours, the idea is to exploit the admin's desktop and then piggyback on all their existing ssh sessions. Using the SSH RFC (something I have had the joy of memorizing) to its fullest, Metalstorm was able to convince sshd that he needed another terminal session, all while using the existing authenticated secure tunnel.

This talk was well paced and very funny in parts. The idea of an admin playing "Hunt the Wumpus" while pine exploded on his desktop was really funny. Even MS's much maligned Clippy made a cameo.

His parting thoughts on MSRDP and Citrix ICA are disturbing, however. Protocols that support multiplexed channels are in danger of being pwned by this technique. I really like Python and SSH, so I thought it was awesome to see someone mash them together with such great results!

July 31, 2005

Beware! Google is not just for your grandmother anymore!

'J0hnny I hack stuff Long' is famous for his Google Hacking work. Is it real hacking? Are his 15 mins of fame over? Is he a one trick h4x0r? Well, having seen Johnny Long present at Defcon today, I was really impressed. The number of anonymous techniques that he demo'd was brilliant.

I had been warned that the book was pretty much the same stuff the site had - and that the presentation was pretty much what was in the book. I went in with a very critical attitude and came out pretty impressed.

Johnny Long has a really good attitude about his Google fame and his 'hacker' title. He is also a talented public speaker. The talk was tailored to the geeks of Defcon and caused a lot of spontaneous clapping and shaking of heads.

The techniques that Johnny detailed can be used by all Security Researchers to help locate obscure stuff on the web. He proved how disturbingly easy it is to access unauthenticated administrative GUIs.

If Johnny Long is a one hit wonder, I hope his hit song keeps going on and getting better for years to come.

August 1, 2005

Google Long Defcon inurl:ncircle intitle:blog

Johnny Long is best known for his Google hacking website located here. His website, if you have never visited it before, consists of many ways that one could query the web pages that Google spiders and caches to gain access to things that one shouldn't have access to.

Johnny's speech at Defcon did not contain a lot of information that was new or groundbreaking. Johnny went over the basics of "Google hacking", describing briefly the additional operators that you can add to queries to tighten the strength of the query (e.g. inurl:, intitle:, site:, link: and so on). Johnny then continued on with many other cool things that you can do with Google (including such topics as using Google to find sites that even Google doesn't know about, and ways to read the content of a web page that Google no longer has cached within their own cache feature). He then finished the presentation with a series of screenshots showcasing a selection of the web pages that one can find through Google and all the dangerous things that one could do with them. For all those that are interested, Johnny did say during the presentation that the slides will be posted on his web site above. (Edit: You can now download it in the download section of his website).

Johnny Long also gave the same speech at Blackhat. A co-worker of mine went to that presentation and was disappointed with it. They said that the presentation focused too much on the basics of crafting queries in Google and not enough on the "hacking" part of it. Therefore, it was boring for anyone who had any background in the topic. However, Johnny must have changed the format and speed of the presentation at Defcon, because his presentation focused almost solely on the technical aspects of Google hacking (as well as giving props to the Sensepost guys for the Google tools that they have written). I was a little disappointed after hearing about the presentation at BlackHat because this presentation was one I really wanted to see, so I was glad that he toned down the explanation and focused more on the technicals.

Out of all the presentations that I happened to see at Defcon, I think Johnny's was one of the best. I think he fully understands the audience at both Defcon and BlackHat (BlackHat being more corporate, Defcon being more blackhat). Johnny understood that the people who were watching at Defcon were interested in things that they hadn't seen before (i.e. shiny object syndrome) that were chock full of juicy technical details. These people want to be able to go home and try the same things that you are presenting. Also, they want you to be funny. Johnny's presentation contained both aspects. All in all, it was an excellent presentation and I feel sorry for those who saw it at Blackhat and were disappointed with it there.

*wave* This is not the information you are looking for

This presentation was stuck in between the SSH and Google Hacking presentations at Defcon on Saturday. I was not that interested in the presentation, but since I didn't feel like changing rooms at that time, I figured it was a good idea to sit through it. The audience for the presentation was fairly sparse, at least in comparison to the other talks that were being presented at Defcon.

The topic of the presentation was denial of information attacks. Denial of Information attacks are attacks on people instead of an attack on a computer itself. Probably the easiest form of a denial of information attack is spam, where users get inundated with so many e-mails that they have a hard time picking out the ones that they want to read. Other examples include the ads that are present on web pages or just software programs that spit out globs of information that is almost impossible to sift through. The presenter spent most of the time talking about the inundation of information and everything that you could do to change the way things work so that people are not saturated with information.

As I mentioned previously, I did not expect much from this presentation going in. However, in the end, it was a pretty good presentation. The presenter displayed a tool that provided different views of packet stream data. For a set of packet data, one could look at the contents in many different forms (and sorted by many different types of input), and he showed that even if one view of the data was swamped by a denial of information attack, one could change the way of looking at the data and still get the information one was searching for. This is really cool, because this inundation of information is a problem in the security industry. Look at most IDS products and/or Ethereal, where it can be impossible to find what you want if you don't narrow down what you are searching for. It is awesome that someone is trying to look at the display of information this way.

BAAAA! Are you a sheep and don't know it?

One of the coolest things at Defcon this year was the wall of sheep. You don't go into a hacker conference expecting that your wireless is safe and not being monitored. Apparently the ATMs (or ABMs depending on where you're from) were hijacked last year, so this isn't your mother's hacker conference.

Anyways, the wall of sheep was a list of all the usernames and passwords (at least part of them) and what was being logged into (e.g. SMTP, ICQ, Webmail) that were hijacked at the conference. All this information was projected onto a wall at Defcon for everyone to see. It's humbling to see that, even at a conference full of people who are admittedly blackhats, people still don't pay attention to who might be watching.

It was quite funny to see the name of someone quite famous in the security industry scroll by as we were standing there. What made it even funnier is that they explicitly were talking about how one does NOT want to be on that wall prior to showing up at Defcon and how they should not use "unencrypted anything" at one of these hacker conferences. Karma can be a major pain sometimes.

Come to think of it, hopefully I wasn't on that list.........

August 5, 2005

NLP - Hacking the Mind

NLP was defined by the presenter as the "Science of Excellence", which I found a bit curious... personally I think that 'mind control' sounds much cooler. Over the course of the next hour though, 'Mystic' explained that NLP was less voodoo and more common sense than I could have imagined.

He started with a brief history of NLP and the two pioneering books called “The structure of Magic” 1 and 2 – these books were the results of studies done on successful psycho-therapy and attempted to identify trends and common practices by different ‘professionals’ in the field.

The Milton model came next and switched tracks from suggestive hypnosis to 'indirect' hypnosis. A hypnotist employing this technique would be vague and ambiguous, thus allowing the subject's mind to choose the direction.

Some other new ideas came out around this time:

“The mind and body are not separate”

"Everything you experience has a structure, a sequence"

“We all have the same (or similar) hardware. If we can think alike – we can perform alike”

The presenter delved into NLP as psycho-therapy and brought up some interesting points. When you ask your sub-conscious a question (and we all do) it answers... no matter what you ask it, it WILL answer. One of the problems many depressed people have is that they ask the wrong questions. When asking the question, "Why do I feel so shitty?" the mind can easily come up with a number of answers - you don't have enough money, the weather is crap, your girlfriend is cheating on you, you hate your parents... instead of asking destructive questions like these we can ask, "what can I do to feel better?". The subconscious will of course answer this as well.

Without a doubt, the coolest part of the presentation was the 'taking control' portion. It touched on pacing and leading. The idea, again, is simple but the effects are undeniable. Pacing occurs first. It is the process of 'syncing' with the subject and making them like you. People typically like other people who are like them. A number of verbal and physical methods were identified, like matching tone of voice, speed of speech, body language and speech patterns, and representational systems (physical, auditory, visual). After building a physical rapport comes the leading portion. Carefully crafted suggestive questions are used to 'nudge' the subject to a desired conclusion. For example, "would you be more comfortable sitting down or standing?" implies that choosing one of the two options will result in comfort... see where this is going?

Much of the presentation seemed like common sense but many of us live our lives without employing that common sense. It was a refreshing reminder.

August 25, 2005

TASK – Defcon: Rehashed

On August 31st TASK will be meeting and rehashing the DefCon presentations from our drunken-chicken-scratch notes.

Speaker: Various DefCon Attendees
In case you didn't already know - DefCon is "The largest underground hacking event in the world". If you haven't been, you simply don't know what you're missing. In this presentation, we'll cover the highlights of the conference. The new exploits and tool releases, any new research and make sure you know what you missed out on!

Check the DefCon 13 website and let us know if there are any particular presentations you want highlighted.

So come check it out! -- Map to location:

September 29, 2005

Cool presentation

So, I've been given the opportunity to speak next week on a panel about Security and Blogging with two excellent colleagues, Richard Stiennon and Adam Shostack.

If you're in the Detroit area on October 6th, come check it out - it's the Detroit IT-Security Summit.

February 21, 2006

RSA Post-Mortem

There was plenty of semi-live blogging of the RSA conference in San Jose last week, but I thought I'd do something a little different: a post-mortem from a vendor.

I "attended" RSA, but not as a full conference attendee or on an 'expo-only' pass, but as a vendor. Maybe the perspective isn't really that different, but the vendor is somehow an in-between role. As a vendor I'm aware of things like booth size and placement, I am paying attention to what types of people are walking the floor (vendors, customers, partners, analysts), and I'm not shopping for products or for give-aways.

Far and away, the biggest benefit of the conference was connecting with existing customers and partners. One of the highlights for me was our nCircle customer breakout session. We did a roadmap presentation and got some excellent feedback from the participants. I actually had some very productive meetings on the conference floor. Another highlight was the event we hosted at Gordon Biersch. In an industry with folks spread around the country/world, it's a treat to spend some time in a social atmosphere.

There was definitely entertainment on the floor as well. I have to give some props to Arbor Networks for the fine presentation they provided. Their booth was directly behind ours and the guy delivering their presentation was an entertainer. I can't say I caught all of it, but there was a Lost theme involved. Mazu Networks gets the credit for creative advertising from me. They hired a few people to walk around the floor behaving strangely and wearing t-shirts that said "I know my behavior is not normal. Do you?" See, they provide "behavior-based network security solutions." And I should thank PGP, Tumbleweed, and GeoTrust for the beer they provided.

From my perspective, the people walking the floor tended to be more partners/vendors than customers. It's hard to say if that impression is accurate. It would be interesting for RSA to provide that sort of demographic material. I have a feeling that if you were there for the actual sessions, you didn't spend too much time on the expo floor. I can't help wondering what customers get out of these shows, outside of the actual seminars. The expo floor is pretty overwhelming. It's not just the variety of vendors, but the simplicity of the language. Vendors are forced to boil product functionality down to a sign on a booth. Shows like RSA provide a window into the evolving market terminology. This year I saw a ton of 'Network Access Control' language. Regulation and compliance are hot too. 'Vulnerability and Risk Management' is still present as well. The simplification of technology into market language makes it hard to understand what a product actually does. Customers are left to decode what each product can do for them.

The show is also, definitely, a chance to suss out the competition. This year, it was most interesting to see who was there and who wasn't. Some of our significant competitors simply didn't attend.

All in all, it was a productive week, I think. If you're a non-vendor and attended, post some feedback and let us know how it went.

April 5, 2006

cansecwest/core06 Pre-show

Well, here I am in wonderful Vancouver. The plane ride last night was ugly with a 2 hour delay due to weather. I get in to YVR and for some reason, they pick me for some extra screening and I spend more precious time talking to an immigration officer. It might have been my friendly disposition due to the flight delays. By now, it is past midnight PDT and I figure I'll grab some cash (Canadian), jump in a taxi, and get to my hotel. The first ATM machine is not handing out cash to the person in front of me, so on to the next. The second machine I get to is a Royal Bank of Canada machine; I put in my card, punch my digits and after processing, it just returns to the initial screen as if I was never there at all! What! Second try, it goes through the workflow again and the machine starts to make noise like it is going to issue me my cash, more noise, more noise, keeps on making the sound like it is issuing cash but no cash is being dispensed. Arg! I hit cancel until the machine surrenders my ATM card back to me. It is times like these where you wish you had ‘lsof’, ‘dsniff’ and a few other trusted tools on this ATM machine to figure out what the heck is going on. Oh well, I end up going to the Exchange counter and handing them some USD for some Canadian coin. In the taxi, to the hotel and it is almost 1pm PDT. Unpack and lights out.

Wednesday morning, the registration is at 8am according to the schedule. 7:30am, I have Starbucks in hand and when 8am rolls around, no one is in the registration area. ☺ I love this conference. Reminds me of being back in Hawaii and everyone using appointment times as a general suggestion of when the event is to begin. It's almost 9am and it looks like registration will begin soon. Unlike previous CansecWest cons, there is no breakfast served today so off to Starbucks again for some food. I’ll do my best to report on the sessions as the day goes on. If what you seek is content, there is no better con than Cansecwest (IMHO).

… it is now 9:45am and still no registration. ☺ We have progressed over the past hour and 45 minutes to at least having a table set up. Boxes of stuff are on the table but nothing that looks like registration will be open anytime soon.

…my last comment on this posting is that it is 12:15pm PDT and I am finally getting my badge from registration. No complaints. I am sure the content will not disappoint. Every year there is some CanSecWest schwag and this year it is a very cool jacket. Very nice.

--tk

cansecwest/core06 "Protecting the Infrastructure"

cansecwest/core06
Jim DeLeskie & Danny McPherson
Title: Protecting the Infrastructure

The talk's title was protecting the core infrastructure. For the most part, this was a talk about routers, and to call ONLY routers core infrastructure is misleading. Yes, it is core but so is SONET, RADIUS, DNS, NTP, and so on. This talk should have been called “Best Practice Security for Cisco Routers”.

Management, Control, and Data Planes were explained. Ingress Filter, Unicast Reverse Path Forwarding, Tracebacks, iACL (infrastructure Access control lists), CEF accounting, Netflow/Sflow/*flow, blackhole routing, and so on. For someone who had never designed or administrated a large IP network, this talk had a LOT of value. When I was learning the ins and outs of BGP4 throughout the 90’s, McPherson’s books and postings to the NANOG mailing-list were vital in my education. I should also toss in that anyone who has been to a NANOG conference in the past few years would have gotten this content. Good content for someone who does not understand the threat and countermeasures involved in securing the routing infrastructure (which almost by default is Cisco).

Please take note that this threat is very real. Service Providers are the most affected and as a consequence more educated about these measures; Enterprise networks are less educated about these threats and countermeasures. In any case, getting educated is the very first step in managing these risks.

One last note, the material covered in this talk is about 3 or 4 years old which means that your adversary has known of all these methods for a while. If this material is new to you, either you learned of these attacks the hard way (ie you were the victim of it) or consider yourself lucky that you learned of it via this con and now you can setup the appropriate security countermeasures.

At the end of the presentation, they presented some interesting stats. They said that in their bi-annual sampling, the trend is that victims are taking preventative measures and becoming more educated. The one issue that stuck out was a stat that 29% of their sampling did not believe law enforcement could help the victim. Sad. If this is true, law enforcement should take an active role in changing this image. Like Cosmo said in the movie “Sneakers”, it is not about who has more bullets, it is about who controls the information.

cansecwest/core06 "Attacking the IPv6 Protocol"

cansecwest/core06
van Hauser – THC / nruns GmbH
Title: Attacking the IPv6 protocol suite

This talk was a solid discussion on the weaknesses of IPv6 (caused by its complexity). The research was very well represented in his slides and tools are available for all of these weaknesses. The majority of these exploits were DoS or man-in-the-middle strategies. Overall, very solid presentation.

I missed core05 but it appears that this material was presented at the last pacsec.
http://pacsec.jp/core05/psj05-vanhauser-en.pdf
The presentation today was a little updated but not by much.

He covered how the Blackhats have been leveraging v6 for some time now as a means to evade detection of their backdoor applications (malware or trojan applications installed after the host is compromised and then used for their bidding). Most of the scanning and sniffing tools a few years back did not even have v6 capabilities. It was the best cloaking and they got it for free.

Heck, as you read this posting, I’ll bet that you have IPv6 enabled on your machine and don’t even know it. For the people not afraid of a command line, most OS’s will take a ‘netstat –a’ at the shell and line items with udp6 and tcp6 are the services right now running and bound to a v6 address LIVE ON THE NETWORK! Applications do a wildcard bind() and bang, you have a v6 socket in a *.* LISTEN state.
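As an added example (my own, not from the talk or the post), here is a small parser that pulls the tcp6/udp6 listeners out of `netstat -a` style output and flags the wildcard binds; the sample text is constructed to resemble Linux netstat formatting, so feed it your own output.

```python
"""Inventory IPv6 listeners from `netstat -a` output.

Added example, not code from the post. SAMPLE_NETSTAT is constructed
to resemble Linux netstat formatting; feed the real output of
`netstat -an` to find_ipv6_listeners() to see what is bound on v6.
"""

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 2001:db8::10:22         2001:db8::99:51234      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp6       0      0 :::5353                 :::*
"""

# How a wildcard bind() shows up in the Local Address column.
WILDCARD_V6 = {"::", "*"}


def split_endpoint(endpoint):
    """Split 'addr:port' on the LAST colon; IPv6 addresses contain colons."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def find_ipv6_listeners(text):
    """Return (proto, addr, port, wildcard) for every v6 socket that is
    accepting traffic: tcp6 rows in LISTEN, and every udp6 row (no state)."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp6", "udp6"):
            continue
        proto = fields[0]
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp6" and state != "LISTEN":
            continue  # established / time-wait rows are not listeners
        addr, port = split_endpoint(fields[3])
        found.append((proto, addr, port, addr in WILDCARD_V6))
    return found


def wildcard_listeners(text):
    """Only the sockets reachable from the whole v6 link (wildcard bind())."""
    return [entry for entry in find_ipv6_listeners(text) if entry[3]]


if __name__ == "__main__":
    for proto, addr, port, wild in find_ipv6_listeners(SAMPLE_NETSTAT):
        print(f"{proto:5} [{addr}]:{port}  {'WILDCARD' if wild else 'local only'}")
```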

THC has an IPv6 Attack Toolkit that looks very promising.
It is an IPv6 packet factory library. Constraints today are:
- Linux 2.6.x only
- Little endian, 32bit
- Ethernet and raw mode

Let me describe a few applications based on this THC library:

Application: ‘alive6’ is the tool for end-point discovery

Application: ‘parasite6’ is a man-in-the-middle tool that leverages the discovery and solicitation of v6.

Application: ‘dos-new-ipv6’ abuses the init stage of the stack where it will check the network to see if someone is using an address that it has picked as a candidate by always answering “YEAH DUDE, I AM USING THAT ONE” to every single test. The host that is trying to come on the network never gets there because all addresses appear to be in use. ☺

Application: ‘fake_router6’ essentially abuses the RA (router advertisements) and is able to get in the middle of victim and rest of the network by becoming the default router.

Note: No v4 broadcasting in v6, instead you have multicast.
Application: ‘smurf6’ can be used for local segment smurfs
Application: ‘rsmurf6’ reverses the logic and instead of the traditional one-to-many-to-one amplification, it is a one-to-one-to-many

Application: ‘redir6’ abuses ICMP redirect in the same way it was abused in IPv4.

The key issues were:
- In IPv6, network based worms will not be as effective in finding their next victim with the current scanning methods in v4.
- DNS will become a primary target.
- more Client-to-Server like WMF exploitation strategies will emerge
- Native IPSEC support will reduce your exposure significantly but will rarely be used for many reasons.
- All of these tools exploit the complexity of the protocol itself.

I completely agree with all of this research.
Very nice presentation and highly educational to customers and vendors alike.

--tk

cansecwest/core06 "An hour of Rap and Comedy about SAP"

cansecwest/core06
Steve Lord
Title: An hour of Rap and Comedy about SAP

This guy was really funny. I’d pay to see him in a standup comedy act. For a minute there, I forgot I was at a technical conference.

The slides have been posted to the site:
http://cansecwest.com/slides06/csw06-lord.ppt

The HP failed implementation example he cites is frightening. Here again you have complexity as the enemy. Let's see, get all your business critical systems and make them dependent on a complicated and highly interdependent system that is too large to properly secure, and if the project goes south, the business impact will be astronomical. That’s enough to get your hands sweaty and acid to flow into your GI system.

I would compare it to being first in line for a synthetic nervous system that would replace the one I have in my body today. Let's get a team of people to perform the surgery who for the most part are not communicating well with each other on the game plan, and if something goes wrong, all parties play the blame game while I am dead on the table. Whoa! That comparison sucked but you get the picture.

The front end of the presentation was all about the war stories of implementing a large complex Enterprise Application.

The middle of the presentation was a game show he hosted and got two people from the audience to answer multiple choice questions. Very entertaining.

The final section of the talk should have been called “Everything you need to know to exploit SAP but were afraid to ask”. Lots of detailed examples in the format of a cookbook. I am sure there were some pen-testers in the audience that got a lot from this section.

I was happy to learn of an organization he is driving called:
OWASP-EAS: Enterprise Application Security
The goals are to:
Develop Requirement Guidelines
Develop Audit programs
Essentially, OWASP is great for web-based stuff but inappropriate for Enterprise Applications. OWASP-EAS satisfies this need. I totally agree and can’t wait for it. He is planning to launch in June so I am sure you’ll be able to Google on it then.

--tk

April 6, 2006

cansecwest/core06 "Carrier VoIP Security"

cansecwest/core06
Nico Fischbach – COLT
Carrier VoIP Security

Good presentation about the mess that is old world TDM voice meets new world VoIP and everything in between.
http://cansecwest.com/slides06/csw06-fischbach.ppt

The talk covered all of the protocols at an overview level so that you could understand how everything worked together and where the interdependencies are at the system level.

Most of these systems are running realtime OS’s like QNX/Neutrino, VxWorks, RTLinux. Others are running Windows, Linux and sometimes Solaris. Same damn story:
#1 OS’s not up to date
#2 Not allowed to patch them because it will break something

Tools: vomit, YLTI, VOIPONG, scapy (VoIPoWLAN): effective tools for intercept and replay.

He spoke of a funny story where a good number of switches that had been previously rooted were super stable due to the fact that the talents of the attacker far exceeded that of the system administrator.

In the end, the complexity of these protocols is so high that it is a target rich environment, and most transit safeguards (firewalls) are not effective at the carrier level.

--tk

cansecwest/core06 "Metaexploitation"

HD Moore – BreakingPoint
Title: Metasploitation (and a dash of IPS)

What can I say, I’m in the fan club!
Metasploit is deserving of a design award. HD covered the new version 3 of Metasploit and also new IPS evasion techniques that are awesome!

http://cansecwest.com/slides06/csw06-moore.pdf

The tool and the presentation speak for themselves.

The only color I could add is this: I don’t know HD but he thinks like a gamer. What I mean is that in terms of game theory and the principles involved in ‘game play’, he gets it. Most of the evasion techniques leverage one of two tactics:
#1 remove as many deterministic factors from your opponents observation of your actions while staying within the boundary of your functional objective.
#2 learn as much as you can, get as much intel’ as possible prior to your move.

Reality Check: IPS vendors and customers spending lots and lots of money on IPS solutions that make big claims, review the slides. v3 of Metasploit will redefine the effectiveness of any and all IPS solutions.

I was happy to see that the new class of modules – aux modules – are all about gaining intelligence of the environment. This intelligence then supports smarter execution of Metasploit's offensive actions.

Yes, version 3 of Metasploit is a complete re-write in Ruby.
Yes, Ruby does rock. Some things are just self evident.

Other tools that got mentioned in his talk:
‘skape’ like IDA pro stuff (research toolkit)

‘vinnie’ Anti Forensics tool (Completely hoses Encase)
It can mess with attributes important to these forensic tools.
Apparently, windows will allow one to seek past end of a file and hide data there. I have not tried it but that sounds ugly.

‘IDARub’ – IDA plugin that will interface with Ruby (spoonm)
‘Hamachi’ – publicly available (hdm) client-side fuzzer.

As always, most of this great work is somewhere in the vicinity of:
Metasploit.blogspot.com
Metasploit.com

[HD, if you read this, how about asking Cansec to get better projectors next year.]

--tk

cansecwest/core06: last two things from day one

The day ended with a tool that is effective in evaluating the Host IPS (HIPS) to the point where it can be evaded. Julien Tinnes - France Telecom R&D and the tool is called Slipfest (HIPS evaluation toolkit). It was his first presentation ever but the tool itself was strong enough to stand on its own.

A quick demo showed how the tool helped defeat the protection offered by Cisco CSA. His research shows that all other HIPS fall victim to this toolkit. Nice job.
Check it out for yourself:
slipfest.cr0.org

Lastly, a panel was formed to speak about the commercialization of vulnerability research. I’m not going to say much about this other than it was poorly moderated. From the start, the argument for the debate was not clearly stated and at any one point in time, it was hard to tell if the object of the debate was the knowledge of a vulnerability or a working exploit. These were not stupid people on the panel, it was just poorly moderated and I found it frustrating. Why? Because it is a complicated multi-dimensional problem and in order to move forward, a more structured debate is needed. Maybe next year.

cansecwest/core06: "real time threat mitigation techniques"

Real Time Threat Mitigation Techniques
Josh Ryder – Univ. of Alberta

Hmmm….the claim is that they have developed a method that accomplishes non-signature based worm detection and isolation. In opening, he put the presentation into the context of their network (the problem space).
To the degree that you can fit your problem in to their problems space, this will be useful.

Their corporate network is not surprising. Big ungoverned inside, lots of border control and all that vanilla stuff.

Their definition of worms: capable of spreading without user intervention. I’m good with that. Multi-vector points of entry being exploited, standard Warhol worms.

They created their own Warhol worm. They wanted a best in class worm: modeled after MS.Blast; both will start 20 threads, 60/40 ratio of offLan/OnLan targets, 6k payload. Blah blah blah.

Victim environment: 50 identical machines, each machine had the same vulnerability, and the network was engineered so that they would be able to monitor all the flows. It is on a /24 with every vulnerable machine having line-of-sight to all the others. Dude, this is a dream target surface for this unstructured threat!

Their worm detection and isolation strategy is described as:
1 Worm enters the network
2 Sensor reports the worm traffic to collector
3 Collector analyzes reports
4 Collector signals Reactor
5 Reactor takes appropriate action

So, the methods were in 4 categories:
Packet filtering Firewall
Filter a set of machines from the worm. Silly but I guess they needed to toss it in. The rule is that if the worm can see it, it is owned.

Threshold based Detection
‘pf’ facility for connection rate limiting was used for a threshold model.
They would just count the ‘connection states’: the norm for desktops was 25-35 states, versus 15k connection states for compromised machines.

Signature based Detection
‘snort’ – used for when they were lucky enough to get a signature match

Honeypot based Detection
‘honeyd’ used to identify recon on the network. Populate inactive IP space with honey pots acting as end-point sensors.

In this last method, they then tied the honeypot detection with the actions of a firewall to perform the mitigation.
Honeypot + Firewall == Honeywall
I guess you could have also called it a Firepot but I digress.

Result Sets:
I’ll format it as
method:settings:#systems:#compromised:elapse_time:%_violated

Baseline:
none:none:50systems:50violated:68secs:100%
Comments: baseline with no detection or protection.

Firewall:acl-set:27:27:27secs:54%
Comments: meaningless

Threshold based strategy using ‘pf connection state’
pf:50cons/4sec:50systems:12compromised:77secs:42%
pf:8cons/4sec:50systems:2compromised:5.7secs:4%
Note: this threshold was so low that they DoS’ed themselves and denied all the good stuff
pf:28cons/4sec:50systems:11compromised:16secs:22%
Comments: There is no magic here. To the degree that your threshold settings can differentiate between bad and good, you will be effective.
This is all keyed off of the patterns of the worm being different from the patterns of normal traffic.

Signature analysis
Snort:custom_rules:50systems:2compromised:0.78secs:4%
Snort:all_rules&&custom_rules:50systems:2compromised:0.99secs:4%
Comments: If you have the pattern in your knowledge base, ie a signature or a pattern, great! If not, you suck because you have placed your detection method at the mercy of your adversary. As you would expect, just because you add a mass of signatures that have nothing to do with your controlled experiment, nothing is gained other than processing latency.

Honeywall
Honeywall:low-interaction:50systems:1compromised:0.27secs:2%

They conclude that honeywalls can be effective on small LANs.

I asked about the test: what was the size of the segment, because I needed to know 50 machines out of what? 50/n. From a set theory standpoint, the question is what is the value for the Universal Set? It turned out to be 2^8 (/24 segment). As you can see, if a segment was 95% populated with operational hosts and only 5% honeypot’ed, the percent of compromised hosts would be much different.

Good stuff. As I said in the beginning, if your problem is similar to this problem, then it is useful.
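Here is an added example (mine, not from the talk or the post) that models the pf-style per-source connection-rate threshold from the ‘pf connection state’ results above over constructed connection records: one desktop host and one worm-like host, checked against the 8, 28 and 50 connections per 4 seconds settings. It shows why the 8/4sec setting also blocks the good stuff.

```python
"""Per-source connection-rate threshold, modelled on pf's rate limit.

Added example, not code from the talk or the post, and not pf itself.
Events are constructed: a desktop opening a connection every 400 ms
and a worm-like host opening one every 50 ms (20 threads' worth of
scanning). A real deployment would feed firewall or flow records here.
"""
from collections import defaultdict, deque

WINDOW_MS = 4000  # pf-style "N connections per 4 seconds"


def build_sample_events():
    """Return constructed (time_ms, source_host) tuples sorted by time."""
    desktop = [(i * 400, "desktop") for i in range(10)]   # 10 conns in 3.6 s
    worm = [(i * 50, "worm") for i in range(60)]          # 60 conns in 3 s
    return sorted(desktop + worm)


def detect_rate_violators(events, max_conns, window_ms=WINDOW_MS):
    """Flag a source the first time it exceeds max_conns new connections
    inside any trailing window_ms. Returns {source: time_ms_first_flagged}."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    flagged = {}
    for t, src in events:
        q = recent[src]
        q.append(t)
        while q and q[0] <= t - window_ms:   # drop connections that aged out
            q.popleft()
        if len(q) > max_conns and src not in flagged:
            flagged[src] = t
    return flagged


def evaluate_thresholds(events, settings):
    """For each 'conns per 4 s' setting, which hosts get blocked and when.
    A setting that flags the desktop is the self-inflicted DoS from the talk."""
    return {n: detect_rate_violators(events, n) for n in settings}


if __name__ == "__main__":
    for n, hit in evaluate_thresholds(build_sample_events(), (8, 28, 50)).items():
        print(f"{n:>2} conns/4s -> blocked: {hit}")
```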

--tk

cansecwest/core06: "Stunt Profiling: Securing a system while you wait"

Crispin Cowan from Novell Inc.
Title: Stunt Profiling: Securing a System While you Wait

Quick reminder: Novell acquired Immunix and thus AppArmor
Goal of AppArmor: Confines applications to do what they are supposed to do, and nothing else.

Coming from a game development background, I am always sensitive to how the design of the system takes into account the skill set and behavioral profile of the user. The outside of the packaging should read: domain expert not included. ☺ I am being serious here. Great design for the knowledgeable Linux user. These are people who have a good chance of properly answering a question like “should I glob this shared lib at the ‘*.so’ level or more at the ‘*\.2?.so’ level?” Nothing wrong with that, just don’t try to change your market. Optimizing for one audience will almost always compromise your value in the other.

The thing uses the LSM (Linux Security Module) Interface in a Linux 2.6 Kernel. Being in the kernel is a pain in the butt without LSM. I would agree that with this position in the problem space and your objectives of governance, LSM is the best choice for mediation given the cost to bypass it.

I don’t know if Crispin was the designer but the designer is the first person I have heard who truly understands black-list and white-list strategies. Given this very dynamic problem to solve, a hybrid proves the most dominant strategy. I can’t help but spend some time on this subject as I have been working at this knot for so long.

Quick review: white-list strategy is where the white-list set (let's call it G for good) contains “all good things”; black-list strategy is where the black-list set (let's call it B for bad) contains “all bad things”. The role of the set is to describe the criteria match for some action. What needs to be emphasized (that is missing in most discussions) is that both set G and set B are a subset of the Universal set U.

For the record, I have a serious problem with the terms white and black when it is associated with good and bad. From here on out I will call them set G or good-list, B or bad-list, and U or universal-set.

Crispin pointed out that most misuse detection is based on bad-list while most anomaly detection is based on good-list. Here is where I would like to share with you my thoughts.

The factors I always keep in my head are the ‘rightness’ and the ‘completeness’. Don’t ask me why I call them that because I would then have to invite you into my head and that is a scary place. Given the size of U, which subset, B or G, will yield a higher rightness (the knowledge quality of the elements) and a higher completeness (the complement of subset B or G relative to U)? As a rule of thumb, when U is large and mostly unknown, B is the dominant strategy; when U is smaller or mostly known, G is the dominant strategy. If I had more time, I would explain this properly but I have too many blog postings to get through tonight.

AppArmor uses a very elegant hybrid model whereby they use a good-list for applications and a bad-list for the system-wide criteria. It is the right choice in my opinion because a single application to be protected presents a smaller universal set and with a lot more known objects and it makes G dominant over B. The system-wide space presents a larger U with a high potential for unknowns so B is dominant over G.
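An added example (my own model, not AppArmor code and not its policy syntax) of that hybrid: a per-application good-list G mediated after a system-wide bad-list B, with a constructed sendmail profile and constructed paths; it also shows which observed accesses a learning mode would have to ask the domain expert about.

```python
"""Hybrid allow/deny mediation in the style of the AppArmor model above.

Added example, not AppArmor code and not its policy syntax. Per-application
allow rules are the good-list G (small, well-known universe); the
system-wide deny rules are the bad-list B (large, mostly unknown universe).
The sendmail profile, the deny rules and every path here are constructed.
"""
from fnmatch import fnmatch

# B: applies to every process, confined or not. (glob, modes denied)
SYSTEM_DENY = [
    ("/etc/shadow", "w"),
    ("/boot/*", "w"),
    ("/dev/mem", "rw"),
]

# G per application: the only things a confined program may touch.
# Note fnmatch's '*' also matches '/', so keep globs as tight as you can
# (the '*.so' vs '*.so.2*' question the post mentions).
PROFILES = {
    "/usr/sbin/sendmail": [
        ("/etc/mail/*", "r"),
        ("/etc/passwd", "r"),
        ("/usr/lib/*.so*", "r"),
        ("/var/spool/mail/*", "rw"),
        ("/var/log/mail.log", "w"),
    ],
}


def allow_matches(rule, path, mode):
    """A G rule covers the access only if every requested mode is granted."""
    glob, granted = rule
    return fnmatch(path, glob) and set(mode) <= set(granted)


def deny_matches(rule, path, mode):
    """A B rule fires if ANY requested mode is one it forbids."""
    glob, denied = rule
    return fnmatch(path, glob) and bool(set(mode) & set(denied))


def decide(app, path, mode):
    """Return (verdict, reason): bad-list first, then the app's good-list.
    Programs without a profile are unconfined: only B restrains them."""
    for rule in SYSTEM_DENY:
        if deny_matches(rule, path, mode):
            return "deny", f"system deny-list {rule[0]}"
    profile = PROFILES.get(app)
    if profile is None:
        return "allow", "unconfined program"
    for rule in profile:
        if allow_matches(rule, path, mode):
            return "allow", f"profile rule {rule[0]}:{rule[1]}"
    return "deny", "not in profile"          # default-deny inside G


def uncovered_accesses(app, observed):
    """What a learning mode would ask the expert about: observed (path, mode)
    pairs that the current profile does not allow and B does not forbid."""
    return [(p, m) for p, m in observed
            if decide(app, p, m) == ("deny", "not in profile")]


if __name__ == "__main__":
    for req in [("/usr/sbin/sendmail", "/etc/mail/sendmail.cf", "r"),
                ("/usr/sbin/sendmail", "/etc/passwd", "w"),
                ("/bin/bash", "/etc/shadow", "w")]:
        print(req, "->", decide(*req))
```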

Very nice policy language. It is in a native tongue of the target user base and you can’t ask for more than that. Great job!

I’ll just note some highlights from the demo of AppArmor.
The learning mode was great in that what was uncertain, it asked the user thus creating a better G set in both rightness and completeness. Again, I would point out that most of these questions need to be answered by a domain expert but that is the case here so no problem. Rock on.

The moment he put his machine on the network and spawned the vulnerable sendmail daemon for the demo, it was hacked! Funny stuff. He pulled it off the network, configured AppArmor to protect the vulnerable program, and all was well. Great demo. Lesson learned: secure before you connect at Cansec. ☺

He did some SELinux versus AppArmor bashing. Whatever. I think AppArmor can speak for itself.

Overall, very nice tool for the highly technical. The cansecwest audience was perfect and I am sure I can say the same for the SUSE Linux community.

--tk

cansecwest/core06: "Next Gen Kernel activity monitoring"

Edward Balas – University of Indiana
Michael Davis – Savid Technologies
Title: Next Generation Kernel Activity Monitoring

Talk was about Sebek (kernel based activity monitoring)
The focus of the detection is on the intra-system domain: process to process communication. Sebek is available for Windows and Linux (loadable module or kernel patch). Essentially, an observational record of system calls for interesting stuff (keystrokes, file access, process interaction, sockets, etc).

Look mom, I can capture all this data! Guess what, too much data. Sound familiar? Drowning in data, thirsting for intelligence. The quantity of uninteresting data is blinding: 100k records/hour if the machine is doing nothing, 1 million an hour in average use. Essentially, the problem is that at the observational stage, where in this case you don’t have enough context to offer any criteria for discretion, you are basically screwed. OK, not screwed, just a heavy demand on resources.

Their proposed solution is to allow the configuration of a static policy for “interesting” discretionary criteria. These rules can act as a trigger to follow the process tree. The luxury here is much like a motion sensor for a camera: recording begins with the triggered event and the events that follow can be associated via this process tree. Makes sense to me.

Many times in the talk, they had to emphasize the fact that they are in an intellectual turn based game.
The game goes like this: Alice authors a detection method and its deterministic properties are learned by adversary Bob, Bob games the detection method to ultimately go undetected; Alice learns of how she is out gamed, new detection method; and so on and so on.

With this level of kernel monitoring, I can clearly see the value to the bad guys but limited value for the good guys. I guess the good guy’s use case would be a nice tool for system analysis or application testing.
Just because I can’t see the value does not mean it is a bad tool. Heck, I can’t see the value in the electric tooth brush (prefer the manual model) but that does not mean it is bad.

--tk

cansecwest/core06: "How to test an IPS"

Renaud Bidou from RADWare
Talk: How to test an IPS

The basic story here was ‘IPS buyer beware’. How can you properly evaluate an IPS? You must first and foremost define your success criteria, and these criteria must be measurable and reasonable. No, your IPS is not going to cure all your ills.

Can IPS’s be evaded? YES, get over it! Anyone who will argue otherwise should take some of their security budget and find a good therapist.

The buyer is at a tremendous disadvantage because of his or her lack of expertise in this domain. I heard this so many times from customers that I’m sick of hearing it. Where can the buyer find the facts? Dude, there is no Consumer Reports for this stuff. And even if there were, the success of this type of device is so dependent on YOUR environment, I am not sure they could do anything but validate the vendor’s claims. Validating claims and succeeding in your environment are completely different problems.

Without getting into the details, MS03-026, which is an oldie-but-goodie, was used in his tests. He looked at three vendors and all of them had problems once active evasion techniques were applied. There were also issues with throughput.

Most of these tests can be found at:
http://www.iv2-technologies.com/~rbidou
Thanks dude for posting facts.
Here we are, many code releases later, and accuracy and performance issues still plague most IPS vendors; customers need to at the very least know the facts.

http://www.iv2-technologies.com/~rbidou/HowToTestAnIPS.pdf

In closing, I would like to say something that bugs the living daylights out of me. During the detailed section of the talk on ‘how to test’, he kept on highlighting principles and guidelines that are fundamental scientific methods. This is the same stuff you learned in 6th grade. Don’t you find it odd that pointing these things out is seen as valuable information? The sad thing is that most people cut corners and do not have the discipline to carry out a test that has integrity. I commend Renaud for his attention to detail in testing. Look, if you can’t trust your test environment and methods, the results are just worthless. Wait, they are worth something: they inform you that you need to improve your testing methodology.

--tk

cansecwest/core06: "Insiders View: Network Security Devices"

Dennis Cox,CTO – BreakingPoint
Title: Insiders View: Network Security Devices

Quick reminder: BreakingPoint is where HD Moore resides.
Let me see if I can get Dennis’s history right: Used to be with Cisco, then at some point ended up at Intruvert, and now BreakingPoint. Right or wrong, the dude is smart, this presentation was honest, and he almost speaks as fast as HD. Must be that overclocking of the grey matter.

The summary of this talk comes down to the topic of facts versus “facts*”.
Similar to Renaud’s talk today, this is much of the same. Vendors, and I am not talking about just security vendors, have always stretched the facts. They get caught in an argument where they claim that their competitors are doing it so they have to do it too. Again, the reason why it is so out of whack is because the consumer is not educated enough to know any better.

He pointed out that there are some useful questions to ask.
Mechanical Design? It could be just a DELL server.
Who runs their Hardware Team? No one?
What do they have running in Silicon? Nothing?

Vendors OEM a lot of components and these components have upper boundaries that are just impossible to overcome. When you know the real facts of these components, you do the math, and the throughput number you come up with is significantly lower than what the vendor has claimed, beware!

TIP: If you find A0 as the prefix on any silicon on the board, beware, because it is fresh off the press and full of defects that are not yet known.

His Analysis:

He gave an example of the G1000 ISS Appliance:
G1000 has two Ethernet cards of known origin and is a repackaged Dell.
ISS has no hardware team and the numbers they claim for throughput don’t match up to what you would get out of a common Dell box. These are his claims but it is hard to argue given the evidence.

He gave a detailed Netscreen IPS example and the figures were pathetic. How can these marketing claims be so far off from what can be derived via a scientific method? Are consumers that misinformed?

He then gave a TopLayer IPS example.
They claim 4.4Gbs of raw fw throughput….
By this time you can guess what his findings were.

He gave some very wise words that could have only come from someone experienced in the science of building network devices:
Somewhere on every device the box trusts the packet in some way. Find that location and abuse it. Find out which process trusts you, then lie?

My Final Comments
-------------------

Well, I guess for human and machine alike, what does not kill you makes you stronger!

Back in the day when nCircle had a Traffic Monitor, in our research and design we were educated on the limitations of these off the shelf cards, driver design, mem copy tricks, dead locks, live locks, bus limits, all that good stuff. In fact, some of the best work in this area of off-the-shelf limitations and design was in an MIT project called The Click Modular Router.
Brilliant work! http://pdos.csail.mit.edu/click/

It all comes down to ‘Buyer Beware!’ Know what you want and don’t be afraid to test for what you want.

BreakingPoint is just oozing with talent. I can’t wait to see more from that company.

--tk

April 7, 2006

cansecwest/core06: "More on uninitialized local variables"

Halvar Flake
SABRE Security GmbH
Halvar.falke@sabre-security.com
Title: More on uninitialized local variables

This is really hard to describe without diagrams so I am only going to give a high level summary. For details, find Halvar at a show and check it out.

Trickery and abuse of memory is always the popular topic when you are trying to exploit a condition. It comes down to “How can we exploit some undefined behavior?"

In terms of trickery, no one will argue that Halvar is one of the best tricksters.

Exploitation via this vector was thought to be too large a space to be feasible, but Halvar found a way, via graph structures and sequential patterns, to shrink the space significantly. With just the right maneuvers, one can author content in this uninitialized space (the residue of some previous actions) such that it can subsequently be used to run exploit code.

This is an area of research where, over the next 12 months, I am sure there will be some discoveries that will rock the world of computing. Halvar, BINDIFF rocks; keep up the great work.

The next talk, entitled "Security Issues Related to Pentium System Mgmt Mode" (SMM), employs a similar memory range problem, but a billion times more severe, given that most Pentium-x86-based Unix systems running an X server display can fall victim to this technique.

--tk

cansecwest/core06: "security issues related to Pentium SMM"

Loic Duflot
Title: Security Issues Related to Pentium System Mgmt Mode

It is day 2 at Cansecwest and this talk wins for ‘so frightening that you want to hide under your desk in the fetal position’.

I'll go through the high-level technical details and then end by pointing out a principle that is one of those universal truths I carry around with me everywhere.

This entire exploit is based on documented x86 functions.

Your CPU runs in a few modes; one of those modes is known as Protected mode, another as System Management Mode. When your OS is running, you're in Protected mode, and this is where much of the security is performed; you'll hear of ring0 and ring3. Just know that your in-world universe is in protected mode.

System Management Mode (SMM) is used so that when something external to your OS world, say a thermal condition, needs to communicate some message, the CPU saves all its protected mode state out, does all this SMM stuff, and then returns to its regularly scheduled program in protected mode.

There are details that involve register addresses and very low-level operations, but for the most part, a system in a very secure state can be circumvented via this SMM facility. I'm talking free access to all memory and I/O.

The song goes a little like this:
Enable SMI
Open SMRAM space
Replace the default SMI handler with a custom one (do your duty)
Close SMRAM space
Trigger SMI
Gain access to restricted operations.
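A practitioner hearing this recipe wants to know whether step two, opening SMRAM, can still succeed on a given box. The following script, an added example that is not part of the talk or of Duflot's code and does not perform the attack, decodes the chipset register that governs that step (the SMRAM control register, SMRAMC) and reports whether SMRAM is open, openable, or locked. It assumes the Intel 82845-family layout: byte 0x72 of the host bridge's PCI configuration space (device 0000:00:00.0), with G_SMRAME, D_LCK, D_CLS and D_OPEN at bits 3 to 6. Other chipsets place and lay out the register differently, so confirm the offset and bits against the datasheet for your board. Run as root on Linux to read the live register; without privileges it decodes constructed sample values.

```python
"""Does step two of the recipe ('open SMRAM space') still work on this box?

Added example for these notes; it is not Loic Duflot's code and it does
not perform the attack.  It inspects the chipset register that decides
whether SMRAM can be opened from protected mode.  Assumption: the Intel
82845-family layout, where the SMRAM control register (SMRAMC) is byte
0x72 in the host bridge's PCI configuration space (device 0000:00:00.0).
Other chipsets place and lay it out differently; check the datasheet.
"""
import sys

SMRAMC_OFFSET = 0x72   # assumption: 82845-family host bridge
G_SMRAME = 1 << 3      # SMRAM decoding enabled
D_LCK = 1 << 4         # lock: D_OPEN (and D_LCK itself) read-only until full reset
D_CLS = 1 << 5         # SMRAM closed to accesses from code outside SMM
D_OPEN = 1 << 6        # SMRAM visible, and writable, from protected mode


def decode_smramc(value):
    """Split the register byte into the bits the recipe depends on."""
    return {
        "enabled": bool(value & G_SMRAME),
        "open": bool(value & D_OPEN),
        "closed": bool(value & D_CLS),
        "locked": bool(value & D_LCK),
        "base_seg": value & 0x7,   # 0b010 = SMRAM at A0000h-BFFFFh
    }


def smram_exposure(value):
    """Verdict for step two of the recipe.

    'open'     - SMRAM is writable from protected mode right now; anyone who
                 can reach that physical range (the X server with the
                 aperture open, say) can replace the SMI handler.
    'openable' - D_OPEN is clear but so is D_LCK, so a PCI config write
                 from a privileged process sets D_OPEN and step two succeeds.
    'locked'   - D_LCK is set; D_OPEN is read-only until a full reset, so
                 this route to the handler is closed.
    """
    s = decode_smramc(value)
    if s["open"]:
        return "open"
    if not s["locked"]:
        return "openable"
    return "locked"


def read_smramc(bdf="0000:00:00.0"):
    """Read the register via Linux sysfs.  Bytes past 0x40 of config space
    need CAP_SYS_ADMIN; the kernel returns a short read otherwise."""
    with open(f"/sys/bus/pci/devices/{bdf}/config", "rb") as f:
        f.seek(SMRAMC_OFFSET)
        data = f.read(1)
    if not data:
        raise PermissionError("config space past 0x40 needs root")
    return data[0]


def report(value):
    """One-line human-readable summary of a register value."""
    s = decode_smramc(value)
    return (f"SMRAMC=0x{value:02x} enabled={s['enabled']} open={s['open']} "
            f"closed={s['closed']} locked={s['locked']} -> {smram_exposure(value)}")


if __name__ == "__main__":
    try:
        value = read_smramc(sys.argv[1] if len(sys.argv) > 1 else "0000:00:00.0")
        print("live:", report(value))
    except OSError as e:   # not Linux, not root, or no such device
        print(f"could not read the live register ({e}); constructed samples:")
        for sample in (0x0a, 0x4a, 0x1a):   # enabled; enabled+open; enabled+locked
            print(report(sample))
```

The "locked" verdict is the caveat that matters: once the BIOS sets D_LCK, D_OPEN cannot be set again until the machine is fully reset, so the recipe as listed stalls at step two on that chipset. A BIOS that leaves SMRAM unlocked is what lets the remaining steps proceed from a process that already holds the privileges the X server has with the aperture open. The script only covers this one register, not other ways of reaching the handler.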

In the wider picture: it works on most systems. It turns out that Linux and the *BSDs will fall victim to this attack strategy; however, Windows XP is not known to be exploitable because of a few system calls that are not present and, more importantly, a certain memory range in protected mode is not shared with SMM.

So, for the demo, they did not pick some shabby OS to exploit. How about OpenBSD at securelevel 2 (high security) with allowaperture=1?
Ummm... it worked. Theo, microphone please?

Theo spoke to this OpenBSD issue and said he and the team have known about it for a year. They are between a rock and a hard place because the X server is really the core of the problem. It has too much damn access to registers and sits in the most unfortunate address space in protected mode, because when in SMM, what is in that address range can be used to exploit.
The solution is for the X server people to abstract sufficiently so that the kernel can have more governance over the X server's logic.

Closing TK comments:
A system or a world that has a policy governed by in-world mechanisms cannot be effective when a process in-world can reach out to the out-world to cause in-world change. You could also say that since a problem cannot be resolved in the same logical realm in which it was created, it is also the case that the most effective governance of a world can only come from outside that world. Think about all the crazy things we do in the physical world. As soon as we could get to the strong and weak forces at the atomic level, we created an incredibly destructive device. I just hope that if string theory is right and there really are energy strings at the lowest level of the universe, no one in our world gets control of them. The negative outcome caused by the power-hungry is too high a risk to even consider the positive benefits.

It's late and I have been blogging way too much today; I am certain that my mental packet loss is abnormally high. I'll return to these in-game/out-game concepts later in another blog entry, when I am less sleep deprived.

--tk

cansecwest/core06: "final notes on day2"

Dude, I am tired. I’ll just cap the rest of day 2 in this single entry.

Alex Stamos
Title: “Attacking Web Services”
Attacks on XML, SOAP, and AJAX.

You owe it to yourself to grab the presentation from
https://www.isecpartners.com/speaking.html
This is mandatory reading for anyone looking for soft tissue to penetrate.
People, you need to understand this stuff in order to secure yourself.
Regardless of whether you believe me or not, somewhere right now in the world, some highly critical and sensitive information is going over an insecure web-service infrastructure.

I am tempted to go on and on but I’ll let the presentation speak for itself.
It will blow your mind. If you just can’t wait to have nightmares, check out
http://en.wikipedia.org/wiki/UDDI
This talk could have been called “New protocols that take the guess work out of hacking sites”


Christopher Abad
Title: “Advancement in Anonymous e-Annoyance”

I am going to have to get a little personal on this posting. Abad worked for me at nCircle for a little while and a lot of people including myself miss the guy. First off, you will not find someone more genuine on the planet. Abad is who he is and does not make excuses. He is th