The NTO team had a great time at Black Hat, B-Sides and Defcon this year. This blog post is the first in a series where we share some of our favorite talks.
The first talk we attended at B-Sides Las Vegas, was Tim Keanini’s, CTO at Ncircle Network Security Inc, presentation on how we can use metaphors like John Boyd‘s OODA attack/defense and General Predator/Prey theory to better understand how hackers work. Keanini used nature as a metaphor for attack/defense.
Keanini used nature as a metaphor for attack/defense. On the internet, the victim of an attack generally cannot attack back so the natural analogue are prey species that make it as expensive as possible to be attacked. Predators can use foraging which is expensive for the predator and therefore the predator must do an economical calculation to hedge the energy spent attacking against the energy gained by eating the prey. In the old days, this described the internet. Attackers foraged for servers to attack. The other approach is ambush and that is a better description of today. The server has the attack and waits for the victim. The speaker also touched on the idea of “nuke and pave.” This is where it is less expensive to simply toss the computer, format the harddrive, etc than pay a security professional to sort out a hacked box.
This talk was interesting and quite worth attending. It was a general security philosophy talk as opposed to a nuts and bolts how-to talk and it is good to toss one of those in here and there to break up the thickness of the “here is how you hack something” talks. Another metaphor in IT is that of virus-driven evolution. That is, most if not all the species on this planet owe their evolution to viruses providing the impetus for improvement. And of course we implicitly acknowledge this metaphor in the IT space by calling it “a computer virus.” See Schuyler Towne’s B-Sides physical security talk for more of that sort of thinking (though in the physical security space).
After 5 years, I have finally added a contributing writer to the blog. MJ Power (aka Mike Morton) is a good friend and fellow founder of NTO. Mr. Power and I created NTOSpider together, with me leading up the vision and him being the real C++ master and architect. After 9 years of NTOSpider development Mr. Power is ready to lend some of his experience and thoughtfulness to this blog and its readers.
His initial posts for the next few weeks will be his summary of the talks he attended during B-Sides and Defcon, so stay tuned.
Come see my talk at B-Sides LA Friday the 19th (today) at 10am
Not Your Granddads Web App
The next generation of applications have started to rule the web, and they look very different from their ancestors.
In the “good ol’ days” web apps had their problems, but it was easier to understand and great resources (tools/practices/trainings) were quickly made available to help.
The new age of applications sit on top of HTTP and HTML with technologies such as AJAX, Flash, Silverlight etc, and their developers are often as naive as teenage girls wearing midriffs and mini-skirts. Today’s applications dazzle with their rich user interface, ability to push logic to the client and retrieve information asynchronously. But these younger applications inherently have the same security problems, which are now obfuscated by fancy looking interfaces and the resources (tools/practices/trainings) available to help are even more limited.
If you cant make the talk, my slides will be available soon at http://www.ntobjectives.com/granddad
“I’m Dan Kuykendall and I’m going to show you what it takes to hack into some of the most dangerous places on the web.
I’ve got to make it through a weak set of defenses in the sort of places you would think would have the right survival skills.
This week I’m in the dense objects of AMF, one of the least understood parts of the web. Its an environment full of hidden dangers. The decoders are unforgiving. Even the applets can push you to the limit. And every step forward, you can take two steps back.”
As I prepare to re-launch my Podcast I am doing so with a new name and new concept. I will cover the news and random web app sec that comes up, but mostly will focus on the actual how to’s for attacking and defending in as many shows as possible.
The show and this Blog will be renamed to “Man Vs WebApp”, and should take another week or so to get the migration completed and for me to start posting shows. All the existing content should stay in place. I appreciate your patient as the site goes through the changes and there may be some odd behavior/broken_pages for a few days.
Blackhat: Already kicked off and there are a number of good talks this year. I recommend the picks from Veracode for those going to Blackhat. As usual its unlikely that I will be attending any talks at Blackhat because I have so many meetings throughout the day.
B-Sides: Last year I kept hearing about all the great discussions going on at the mansion, and was very bummed that I didnt get time over there.
This year I decided that NTO needed to help out in any way it could, so we are sponsoring breakfast and co-sponsoring lunch on Thursday. If your there, please say hi and toss your card in to win a cool prize. Given the size of the audience, everyone has reasonable odds of winning.
I am also planning to sit in on as many talks at B-Sides as possible. For Wednesday track 3 looks the most interesting and fun to me, with two exception, the first at 1:30 Davi’s talk looks a bit more interesting than the DDoS talk in Track 3, and then again at 2:30 when Rafal Los does his talk. On Thursday its more of a mix,
- 10:30 – Track 1 – How to Get Fired After a Security Incident
- 11:30 – Track 1 – Cyber Fast Track (how can you pass on Mudge?!)
- 12:30 – Track 1 – Long Beard’s Guide to Exploit Dev (Track 2 close 2nd place)
- 1:30 – Track 3 – Cultural Cues from High Risk Professions (curious title, possibly very interesting)
- 2:30 – Track 2 – Hacking webapps is more fun when the end result is a shell! (of course Im going to pick a web app talk)
- 3:30 – Track 2 – Better to burn out than to fade away? (have to pick the panel, but HD Moore in track 1 is close 2nd)
- 4:30 – Track 1 – How to pass audits with non-compliant systems (Track 3 a close 2nd)
Defcon: As usual Defcon always has an interesting collection of talks, and there are plenty to look forward to. However, due to scheduling issues I have to leave on Friday night, so I wont be able to catch much of anything this year. The ones I would look for are:
- Malware Freak Show 3: They’re pwning er’body out there! (Nicholas Percoco is always interesting)
- Cellular Privacy: A Forensic Analysis of Android Network Traffic
- Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP
- Bulletproofing The Cloud: Are We Any Closer To Security?
- Tracking the Trackers: How Our Browsing History Is Leaking into the Cloud
- Don’t Fix It In Software
- Hacking Google Chrome OS
- “Whoever Fights Monsters…” Confronting Aaron Barr, Anonymous, and Ourselves
- Are You In Yet? The CISO’s View of Pentesting
- Web Application Analysis With Owasp Hatkit
If your in town, ping me on my cell (if you have it) or send me a msg on Twittier @mightyseek