Tag Archives: B-Sides

HouSecCon 2011 and B-Sides ATL Review

Last week was a travel week.
On Wednesday I was in Austin for some meetings, then headed to Houston for the second annual HouSecCon on Thursday. I have to say that I was blown away at how much bigger and better it was than last year (with the exception of the badges ;). My buddy Michael Farnum puts this thing on with a team of friends and they are doing an amazing job growing the event, and it was fun having a booth for NT OBJECTives and everyone loved our new shirts we were giving out.

This year MJ Keith (now with The Denim Group) was the keynote speaker. I was first introduced to MJ Keith at last year's HouSecCon where he blew me away with his Bump hack in his “Pwn on the go!” talk, and I was glad to see him being given the headlining spot this year.

The talks were all great, with highlights from Michael Gough, Josh Sokol and Zac Hinkel. I did my “Not your granddad’s webapp” talk, which seemed to go over well; if you missed it, you can watch the video.

On Friday I was in Atlanta for B-Sides Atlanta, which was a fun event. I didn't have as much time to sit in the talks, but the lockpick room was great and I tried to hang in the podcasters room, even though it was a little hard to engage in useful conversation. I wonder what it was like for those listening to the live stream. I didn't do a talk at this one, so I just spent my time meeting people and eating great southern food.

Comparing the two would be hard, because they were entirely different, so I will just say that I had a fun week at both cons and look forward to both next year.

Vegas 2011 Review: Pentultimate Hack

Conference: B-Sides
Title: Pentultimate Hack – Manipulating Layers 8 & 9 of the OSI Model (Management & Budget)
Speaker: Rafal Los (aka Wh1t3Rabbit)

This talk was well prepared but not as dynamic and entertaining as the Schuyler Towne talk (fortunately I attended the Towne talk and they had coffee by now). It had a lot of buzzwordology and business clichés in it, but I mean that in a good way. Knowing business-speak is unfortunately a cost of doing business, so it was grating but valuable to attend this talk. He spoke of how security is typically a bolt-on or an afterthought and really needs to be thought of as part of the core business plan. What often happens is some application that is going to generate $20 million in revenue gets audited and found to be full of security holes, and that justifies $750,000 to harden it up. It usually takes those big money projects to drive the security side of things. He also spoke of the plight of the CSO or pen tester, specifically that they are implicitly to blame if any compromise happens, but it is actually under pressure of the project manager that products ship despite the warnings of pen testers or the CSO. So he recommends requiring the project manager to sign a document absolving the CSO or pen tester(s) of responsibility if he/she intends to ship a product against recommendation to the contrary. He also recommends schmoozing the legal counsel, as that gives political leverage in these situations.

Summary:  this guy is giving very good advice to CSOs and pen testers which, if they heed it, will create a climate in which vulnerability scanners should become more popular.

Vegas 2011 Review: Transparent Botnet Command and Control for Smartphones over SMS

Conference: B-Sides
Title: Transparent Botnet Command and Control for Smartphones over SMS
Speaker: Georgia Weidman

The title actually says most of it.  SMS is used because it is easy to conceal the botnet.  Malware on phones often announces its presence by draining the battery and piggybacking into SMS packets solves that.  And SMS is fault tolerant.  It is within the protocol itself to resend the message if there is no acknowledgement.  The protocol extends to the hacker the courtesy of persistently communicating the attack to its destination.  The balance of the talk encompassed the technical details of what an SMS packet looks like and how you craft the attack.

Summary:  this talk provided good general security knowledge.  I’m not sure if we (NTO) will ever scan smartphones.  That is an interesting business prospect though… I have never heard of a smartphone app scanner… one targeted specifically to phone apps.

Security B-Sides Vegas 2011 Review: How to Hide Your Pr0n

Conference: B-Sides
Title: How to Hide Your Pr0n
Speaker: Orlando Barrera II and Josh Sokol

Pr0n being a fanciful distortion of “porn”… itself a fanciful name for any data you value and might want to hide. The speakers started by noting several stupid ways to hide data (hidden files, deep directories, etc) then got down to the good ways… encryption being step one. In the current political climate (terrorism etc), there is a law which states that the mere presence of encryption is itself suspicion, i.e. that one can be prosecuted for refusing to supply credentials to an investigator under certain circumstances. So in addition to encryption, one must establish “plausible deniability.” That is, hide the data and leave no traces that suggest its presence anywhere on any computer you are afraid might be searched. Steganography is the proffered solution to this. Steganography is concealing data in some differently-purposed file. For example, take a lossless encode of an image like PNG and use the least significant bit of each pre-encode pixel to hold the data. Since in any photographic data those bits are quite plausibly noise, they can be used to store data. At a previous Defcon, someone spoke of using whitespace in HTML source to store attack data. That speaker did not call it steganography and the purpose was attack, not solely concealment, but conceptually it is basically the same thing. So, encrypt the files, stego them into image files or whatever, then store the stegoed files in the cloud. Obviously, this is the ultra paranoid extreme, but of course that’s what security is about. The speakers mentioned that Al Qaeda were communicating data to their operatives by stegoing it into pornography images posted on Usenet.

My reactions: this talk inflamed my anti-establishment and paranoid sentiments. Specifically, I wonder what happens when someone with something like encrypted bank info, encrypted personal info, any info that a private citizen might want to encrypt for quite valid reasons (identity theft etc) could be acquired by legal machinations claiming to be concerned about terrorism, child porn, etc. Terrorism and child porn are such high fear provokers that any hint of either is so provocative that they can and have had their definitions stretched to rather dubious extremes. So I’m not rushing to stego all my data, but I am concerned that authorities are being granted purview over information beyond their ability to wield such power responsibly. But that Al Qaeda stuff is rather unsettling as well. So I fear both the terrorists who are called terrorists and the terrorists that work for the government. I also think this talk may prove to have some direct relevance to our product. We might want to write a stego detector module… more for the concealing attacks in webpages variety than the stashing data in images variety, although the latter could have assessment relevance as well.
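As an added example (not code from the talk, the speakers, or NTO), here is the least-significant-bit embedding described above next to the kind of simple statistical check a stego detector module could start from: the “pairs of values” chi-square test. It counts how evenly each pair of neighbouring pixel values (2k, 2k+1) is split. Natural image data usually has lopsided pairs; LSB embedding of encrypted or otherwise random-looking data tends to equalize them, which drives the statistic down. The cover here is a constructed synthetic 8-bit grayscale pixel list rather than a real PNG, the payload is deterministic pseudo-random bytes standing in for ciphertext, and all function names are my own.

```python
import hashlib
import struct
from typing import List


# --- embedding / extraction (the technique described in the talk) ----------

def _to_bits(data: bytes) -> List[int]:
    """Bytes -> list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def embed_lsb(pixels: List[int], payload: bytes) -> List[int]:
    """Write payload (preceded by a 32-bit length prefix) into the LSB of each pixel."""
    bits = _to_bits(struct.pack(">I", len(payload)) + payload)
    if len(bits) > len(pixels):
        raise ValueError("cover too small for payload")
    stego = list(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & ~1) | bit  # clear the LSB, then set it to the payload bit
    return stego


def extract_lsb(pixels: List[int]) -> bytes:
    """Read the length prefix, then that many bytes, back out of the LSB plane."""
    def read(start: int, nbytes: int) -> bytes:
        out = bytearray()
        for b in range(nbytes):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read(0, 4))
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds cover size")
    return read(32, length)


# --- detection heuristic ---------------------------------------------------

def pairs_chi_square(pixels: List[int]) -> float:
    """Pairs-of-values chi-square statistic over the 128 pairs (2k, 2k+1).

    For each pair the expected count under 'LSB is random' is half the pair
    total. A low statistic means the pairs are evenly split, which is what
    LSB embedding of random-looking data produces; untouched image data is
    usually far more lopsided.
    """
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        total = even + odd
        if total == 0:
            continue
        expected = total / 2
        stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return stat


# --- constructed sample data (not a real image) ----------------------------

def make_cover(n: int = 4000) -> List[int]:
    """Synthetic 8-bit cover: every value even, so each (2k, 2k+1) pair is maximally lopsided."""
    return [(i * 37) % 256 & ~1 for i in range(n)]


def make_payload(n: int = 480) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted payload."""
    out, seed = b"", b"constructed-sample-payload"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


if __name__ == "__main__":
    cover, payload = make_cover(), make_payload()
    stego = embed_lsb(cover, payload)
    assert extract_lsb(stego) == payload
    print("chi-square, clean cover:", round(pairs_chi_square(cover), 1))
    print("chi-square, after embedding:", round(pairs_chi_square(stego), 1))
```

The synthetic cover is deliberately extreme (no odd values at all) so the drop in the statistic is unmistakable; on real photographs the clean value is lower and the test is only a first-pass indicator, since it reacts to any process that randomizes the LSB plane and misses payloads that occupy only a small fraction of the pixels.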

Not your Granddad’s WebApp Video

This talk was previously mentioned, but now a recorded video is available.

Not Your Granddad’s Web App

The next generation of applications have started to rule the web, and they look very different from their ancestors.
In the “good ol’ days” web apps had their problems, but it was easier to understand and great resources (tools/practices/trainings) were quickly made available to help.
The new age of applications sits on top of HTTP and HTML with technologies such as AJAX, Flash, Silverlight etc, and their developers are often as naive as teenage girls wearing midriffs and mini-skirts. Today’s applications dazzle with their rich user interface, ability to push logic to the client and retrieve information asynchronously. But these younger applications inherently have the same security problems, which are now obfuscated by fancy looking interfaces, and the resources (tools/practices/trainings) available to help are even more limited.

Security B-Sides Vegas 2011 Review: Cultural Cues from High Risk Professions

Conference: B-Sides Las Vegas
Title: Cultural Cues from High Risk Professions
Speaker: Gal Shpantzer

In this B-Sides LV talk, Gal Shpantzer employed the Swiss cheese model of catastrophe as a parallel for the information security industry. The model was originally developed by James Reason of the University of Manchester and Dante Orlandella[1], and used to analyze the causes of systematic failures in aviation, engineering and healthcare. The model likens organizational problems to Swiss cheese, where each problem can be viewed as a hole in a slice of Swiss cheese. The layers in the systems and processes are designed to catch mistakes before they become catastrophic. But if the holes in each layer align, serious problems can result, much like a hole going all the way through the piece of cheese.

For example, Korean Air at one point in time had 17 times as many catastrophic incidents per million miles as United Airlines. Investigation revealed that it came down to differences in processes and protocols. At United Airlines, volunteering information, seizing controls under emergency circumstances, etc were incorporated into the official cockpit protocols: the captain was the authority but could be questioned. This was also discussed in depth in the context of cultural influence in Malcolm Gladwell’s book Outliers; at Korean Air there was an atmosphere of over-deference in the cockpit where one does not question the captain. And it wasn’t just Korean Air where this happened. There were other airlines headquartered in countries where respect for authority is similarly ingrained in the culture, like Colombia.

In the info security space, Gal Shpantzer proposed protocols where there is responsibility but people are not afraid of (i.e. penalized for) volunteering information. Pain and hostility shut people down and lead to Swiss cheese. In the medical profession, it was found that the more expert the physician, the more likely that physician was to miss simple things like administering aspirin before/after operations that reduce the probability of cardiac problems.

Summary: I find little to disagree with. This is one of those common sense, obvious-when-you-hear-it talks that is nonetheless worth mentioning, because when you don’t hear it, it tends to not get done. No product ideas, but good general security philosophy.

Security B-Sides Vegas 2011 Review: History of Physical Security

Conference: B-Sides
Title: History of Physical Security
Speaker: Schuyler Towne

This was a great, entertaining talk. This guy enters my pantheon along with Joseph McCray (conspicuous in his absence this year) as a must-attend for entertainment and information.

This talk was about the history of lock technology from year ~1500 onwards. Actually he did mention ancient Egypt, but mostly ~1500 onwards. Up to a point, locks were “security by obscurity”. Once you knew how the lock worked, it was easily defeated.

Then in England some guy invented a lock that is more along the lines of a modern lock, with the tumblers and whatnot that demand a specific key to unlock and where knowing the design doesn’t help you, as you need the specific key to open it. These of course are also defeatable, but the security-by-obscurity approaches were as trivial as: if you knew where to poke a stick into the lock you could open it. There was a long period in which there was no advance in physical security. People got smug or didn’t want to be told that their locks were insecure, and this created a climate which stifled advancement.

Advances then resumed around the end of the 1800s. The summary of this talk and its relevance to our business is: this is another “metaphor” talk. It is about locks (physical locks), but security-by-obscurity and its weaknesses are quite relevant to information security as well.

Any Schuyler Towne talk is highly relevant to any software engineer at a vulnerability assessment company, particularly if they are out of coffee (as they were when I attended the talk), because he wakes you up and entertains you and gives you a bit of cognitive inertia that you can carry forward into the next boring-but-informative talk and thereby get more information out of it.

Security B-Sides Vegas 2011 Review: Boyd’s OODA and General Predator/Prey theory

Conference: B-Sides
Title: Boyd’s OODA and General Predator/Prey Theory
Speaker: Tim Keanini

The NTO team had a great time at Black Hat, B-Sides and Defcon this year. This blog post is the first in a series where we share some of our favorite talks.

The first talk we attended at B-Sides Las Vegas was the presentation by Tim Keanini, CTO at Ncircle Network Security Inc, on how we can use metaphors like John Boyd‘s OODA attack/defense and General Predator/Prey theory to better understand how hackers work.

Keanini used nature as a metaphor for attack/defense. On the internet, the victim of an attack generally cannot attack back, so the natural analogue is prey species that make it as expensive as possible to be attacked. Predators can use foraging, which is expensive for the predator, and therefore the predator must do an economic calculation to hedge the energy spent attacking against the energy gained by eating the prey. In the old days, this described the internet. Attackers foraged for servers to attack. The other approach is ambush, and that is a better description of today. The server has the attack and waits for the victim. The speaker also touched on the idea of “nuke and pave.” This is where it is less expensive to simply toss the computer, format the hard drive, etc than pay a security professional to sort out a hacked box.

This talk was interesting and quite worth attending. It was a general security philosophy talk as opposed to a nuts-and-bolts how-to talk, and it is good to toss one of those in here and there to break up the thickness of the “here is how you hack something” talks. Another metaphor in IT is that of virus-driven evolution. That is, most if not all the species on this planet owe their evolution to viruses providing the impetus for improvement. And of course we implicitly acknowledge this metaphor in the IT space by calling it “a computer virus.” See Schuyler Towne’s B-Sides physical security talk for more of that sort of thinking (though in the physical security space).

-mjp

Not Your Granddad’s Web App

Come see my talk at B-Sides LA Friday the 19th (today) at 10am

Not Your Granddad’s Web App

The next generation of applications have started to rule the web, and they look very different from their ancestors.
In the “good ol’ days” web apps had their problems, but it was easier to understand and great resources (tools/practices/trainings) were quickly made available to help.
The new age of applications sits on top of HTTP and HTML with technologies such as AJAX, Flash, Silverlight etc, and their developers are often as naive as teenage girls wearing midriffs and mini-skirts. Today’s applications dazzle with their rich user interface, ability to push logic to the client and retrieve information asynchronously. But these younger applications inherently have the same security problems, which are now obfuscated by fancy looking interfaces, and the resources (tools/practices/trainings) available to help are even more limited.

If you can't make the talk, my slides will be available soon at http://www.ntobjectives.com/granddad