Archive

Archive for November, 2007

[SecTor Review] Web Application Worms: The Future of Browser Insecurity

November 22nd, 2007 No comments

SecTor Day #1
Speaker: Mike Shema
Presentation (pdf)
Audio (wmv)

Webapp worms and browser insecurity... exactly what I wanted to hear about. It was actually quite a tough call because at the same time as this talk, Joanna Rutkowska was speaking on 'Security Challenges in Virtualized Environments'. In the end, my interest in web security won out over my interest in VM security.

Mike is a rather bright guy in the web space with several books to his credit... his talk, however, left me a little on the disappointed side. That being said, I'm not sure that it's Mike's fault... I think that my expectations were a little high. I'm guessing that the presentation was a great overview for those without a background / interest in webapp security... for those that have always wanted to learn more, but weren't sure where to start. The talk did a great job of getting that across.

Essentially Mike did an overview of web security over the last 2-3 years, where it's been and where it could go. I picked up a few pieces of historic trivia and I'm pretty sure that the majority of the audience was rather pleased by the end.

Mike touched on research from individuals like Jeremiah Grossman, RSnake and pdp. I found the presentation to be like the sports on the 11 o'clock news. If you've come home and missed the games themselves, then it's a great way to inform yourself of what has happened and be prepared for tomorrow, but if you saw the games then you don't really find the update all that interesting. Which is why I think for a lot of people, Mike's talk was quite useful... a lot of people don't follow web app security on a day to day basis.

I had actually wanted to chat with Mike and find out more on his thoughts but unfortunately the jam-packed schedule prevented any post-talk chatting, and I never did track him down during the CheckPoint Reception... so Mike if you're reading this, fire me off an email.

[SecTor Review] Zen and the Art of Cybersecurity

November 22nd, 2007 No comments

SecTor Keynote
Speaker: Ira Winkler
Presentation (ppt)

It's lunch time, the food is great and the first day is on its way to being half over. Although I've never seen him talk before, I've heard the hype about Ira Winkler... a great speaker with an interesting background. I was really looking forward to this keynote... and it didn't disappoint.

Ira was full of stories... with his PowerPoint acting as more of a map. The story of an email saying, "Hello, I've finally gotten a company to agree to let me perform a pentest against their systems... what do I do now?" was good for a laugh but it also demonstrated a point... If you have to ask, you probably shouldn't be doing it... it also demonstrated a previous point about people 'not knowing how much they don't know'.

Another story looked at martial arts... That it's important to master the basics. Ira discussed how a white belt and a black belt both know the same moves, because there are only so many ways that you can punch, kick and block. It's the years of application, practice and theory that make it appear as though black belts know so much more than white belts. The same is true in computers and Ira pointed out that there are only two ways to hack a computer:

  • Take advantage of configuration problems
  • Take advantage of problems built into software

It boils down to being that basic, beyond that you are just honing your skill and your method.

One point that had to be left out because of time limitations, but whose accompanying story I would have liked to hear, was the 'Wizard of Oz' approach. In the story, everyone seeks out the great and almighty wizard, each for their own reason. What they find out when they find the wizard is that they all had everything they needed. Dorothy had the shoes, Lion had courage, Tinman had a heart and Scarecrow had a brain... they didn't know what they were looking for, so how could they know that they already had it?

The talk was captivating and a lot of fun... it was great to hear the stories... I definitely recommend looking through the slide deck... it loses a lot without the talk itself (although I believe the SecTor page will have the talk posted in the future [I'll link to it when it's posted]) but for now you can read through the slide deck from a past conference.

[SecTor Review] TCP/IP Perversion

November 22nd, 2007 1 comment

SecTor Day #1
Speaker: Rares Stefan
Presentation (ppt)
Audio (wmv)

This was the first talk that I attended. Based on what I saw, it was the smallest of the three rooms, however I can't be sure as every talk I attended was in the same room. I rather enjoyed the intimate nature of the setting... a small, yet packed, room made for a great presentation environment (at least it did on the attendee side).

The subject was TCP/IP Perversion and the presenter was Rares Stefan, the Chief Security Architect at Third Brigade. The talk centered around inline drivers that could be placed low enough in the stack that they could modify data being sent without the OS taking notice. The idea was focused around malware, but the demonstration slides made use of what I believe is internal Third Brigade software for testing/development (Note to any Third Brigade employees that read this: I'd love a chance to play with the software).

So here's an example of what was presented. You (192.168.1.100) fire up Wireshark and start sniffing, then you request a web page (Google.ca: 64.233.161.104):

Source: 192.168.1.100
Destination: 64.233.161.104

GET / HTTP/1.1
Host: www.google.ca
Connection: close

In Wireshark you see the request as you should, however the sniffer on the hub you are connected to sees the following request.

Source: 192.168.1.100
Destination: 82.165.158.149

POST / HTTP/1.1
Host: www.computerdefense.org
Connection: close

Data that has been inserted.

Your sniffer, and therefore any HIPS/HIDS that you have, will not have noticed this change. To any device further down the network (IDS/IPS/Proxy) this is a completely valid request. The network device hasn't seen the original message and your computer hasn't seen the modified message.
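As an added illustration (not code from the talk or from Third Brigade), the check a defender would want after this demo: correlate the host's own capture with one taken from a tap or span port further out, pair flows by source address and port, and flag any pair whose destination or request differs. The flow records are constructed to mirror the GET/POST example above.

```python
"""Cross-check a host-side capture against a network-tap capture.
Added example, not from the talk or Third Brigade's tooling: the rewrite
described above only shows up when both vantage points are compared.
Records below are constructed to mirror the post's GET/POST example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float        # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def _first_line(p: bytes) -> str:
    return p.split(b"\r\n", 1)[0].decode("ascii", "replace")

def correlate(host_view, wire_view, window=0.5):
    """Pair each host flow with the wire flow sharing its source address/port
    within `window` seconds; report rewritten pairs and flows missing on the wire."""
    findings = []
    for h in host_view:
        match = next((w for w in wire_view
                      if (w.src, w.sport) == (h.src, h.sport)
                      and abs(w.ts - h.ts) <= window), None)
        if match is None:
            findings.append((h, None, ["missing on wire"]))
            continue
        reasons = []
        if match.dst != h.dst:
            reasons.append(f"destination rewritten {h.dst} -> {match.dst}")
        if match.payload != h.payload:
            reasons.append(f"request rewritten {_first_line(h.payload)!r} -> "
                           f"{_first_line(match.payload)!r}")
        if reasons:
            findings.append((h, match, reasons))
    return findings

# Constructed sample: the host sees a GET to Google, the hub sees a POST elsewhere.
HOST_VIEW = [
    Flow(10.00, "192.168.1.100", 51234, "64.233.161.104", 80,
         b"GET / HTTP/1.1\r\nHost: www.google.ca\r\nConnection: close\r\n\r\n"),
    Flow(11.00, "192.168.1.100", 51235, "64.233.161.104", 80,
         b"GET / HTTP/1.1\r\nHost: www.google.ca\r\nConnection: close\r\n\r\n"),
]
WIRE_VIEW = [
    Flow(10.02, "192.168.1.100", 51234, "82.165.158.149", 80,
         b"POST / HTTP/1.1\r\nHost: www.computerdefense.org\r\nConnection: close\r\n\r\n"
         b"Data that has been inserted."),
    Flow(11.01, "192.168.1.100", 51235, "64.233.161.104", 80,
         b"GET / HTTP/1.1\r\nHost: www.google.ca\r\nConnection: close\r\n\r\n"),
]
```

The second, untouched flow is there to show the comparison stays quiet when nothing was rewritten.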

This was demonstrated/discussed using pre-Vista Windows operating systems, but that doesn't preclude Vista from having the same issues.

As I said in my SecTor Overview post, I had expected presentations that were quite a bit more technical. This presentation was actually great in that category... while the technical details weren't necessarily communicated, you could see what was happening in the debug window of the software used and the actions taking place in those images were quite interesting to watch.

The concept of malware that could do this is frightening. If I remember correctly, it was mentioned that presently there isn't any malware taking this sort of action, but that doesn't mean that we won't see it in the future.

The talk ended up being a great way to start off Day #1, and struck me as a topic that I would love to delve deeper into.

Verizon Cell Phones Alert the World to 911 Calls

November 22nd, 2007 No comments

This was on Slashdot earlier and the original article can be found here (including a video which demonstrates the sound that is made). It seems that in order for cell phones to be handicap accessible, they are required to (in some way) alert the user that a 911 call is being made. The FCC Telecommunications Act requires that some sort of notification occurs; it doesn't, however, require that the notification be audible.

I see many of the same issues that the person who complained about this sees. You are kidnapped, held hostage, or trapped and you attempt to secretly dial 911. As soon as you dial the number, your phone essentially becomes a siren (Don't believe me? Watch the video), alerting your aggressor that you are calling the authorities. I seriously hope that Verizon rethinks this and does something more appropriate such as a message on the display, or even flashing the keypad lights.

I'm against "creating fear" but I think this is an issue that the public needs to be aware of. It could actually mean the difference between life and death in hostile situations.

[SecTor Review] Growing the Security “Profession”

November 22nd, 2007 No comments

SecTor Keynote
Speaker: Dr. Richard Reiner
Presentation (pdf)

It was Day 1 of SecTor and I had gotten up much earlier than I usually do, so I was still half asleep as the SecTor housekeeping was occurring. The housekeeping ended and a round of applause brought me back to reality just as Dr. Reiner was taking the stage. Needless to say, the thought of catching a few z's didn't even occur to me after the keynote started.

The topic was 'Growing the Security "Profession"' with profession in quotes. The keynote pointed out that InfoSec isn't a profession right now... we aren't recognized professionals like doctors, lawyers and engineers. Then the question was posed, should we be professionals?

A number of interesting questions were posed:

  • Do we professionalize IT or IS?
  • Do all aspects of IS qualify as professionals?
    • Would researchers qualify?
    • Would corporate security teams qualify?
    • Would pen testers and auditors qualify?
  • Who would benefit?
    • Would IS professionals benefit?
    • Would the public benefit?

In the end, no answer was given... it wasn't a "this is what we need to do" presentation, it was a "here's a concept to think about" presentation. In the end it left you thinking, which is exactly what I think a keynote should do. At first I thought it was a very cut and dry answer... yes we need to professionalize.

  • We become members of a respected community
  • We gain exclusivity... eliminating those who don't qualify
  • We have a standardized code of ethics
  • We eliminate the "piece of paper" certificates that test what you can memorize, not what you know

At least that's how I saw it at first... the more I thought about it I saw several cons.

  • We cause a greater divide between the "underground" and professional sides of IS.
  • A lot of the great minds in IS wouldn't have necessarily become IS Professionals when they were doing the interesting work that they were doing.
  • A standardized code of ethics has never been agreed upon in the past, and now we're going to put it in the hands of a committee to determine?
  • Formal education, something that definitely isn't a requirement in IS, suddenly becomes a requirement.

So, over the past couple of days, as I've thought about this... I've realized it isn't so cut and dry... and if I had to vote for or against professionalizing IS, I'm still not sure how I'd vote. At least I'm thinking about it... and that was, as far as I understand, the intended outcome of the presentation.

Note: I just took a look at SecTor and I don't see the slides posted yet, as soon as slide decks are out, I'll attach links to them.

[SecTor Review] Overview

November 22nd, 2007 No comments

My Tuesday and Wednesday this week were occupied by the first ever SecTor (Security Education Conference Toronto). Over the next couple of days, I'm going to write up my thoughts about the speakers that I saw, but I thought that I would first give an overview of the conference itself.

The schedule provided for two full days of talks with keynotes in the morning and at lunch. When I saw the speaker list for the first time, I was rather impressed, they had quite a few big names. I was, however, disappointed with the technical level of the talks. Not that the talks were bad, in fact they were great, but I had expected them to occur at a much lower level. I've been informed that they were roughly the same technical level as the talks at Black Hat. I think the issue was that I had expected more due to the wording on the SecTor website. In the end, even with the level of the talks, I enjoyed myself for pretty much the entire time that I was there.

Then there was the food... it was pretty impressive. Breakfast was your traditional continental breakfast: coffee or juice, croissants, muffins and danishes. Lunch on Day 1 was: Buns, Caesar Salad, an Antipasto platter, steamed veggies, cheese cannelloni, salmon quiche and dessert. Lunch on the second day was very similar, however a pasta dish (chicken, black olives, and other ingredients) was substituted for the cannelloni, and we had broccoli quiche instead of the salmon. There was also a Cocktail reception at the end of Day 1 sponsored by CheckPoint and on top of free alcohol (which was very generously poured), there was even more food. Spring rolls, chicken skewers, mini quiche and various hors d'oeuvres.

I don't know yet if I'll be attending next year but if I am, I think that I might like to see a lower price tag. I'm guessing the cost was where it was partially because it was the first year and sponsorship, while it included a number of big names, was limited. As well, I'd like to see the scheduling of the speakers occur slightly differently. There were times when I would have liked to see 2 or 3 of the talks that were taking place at the same time and other times when nothing really stood out to me. In the end though, I enjoyed everything I saw and that made the con worthwhile. I have to say kudos to the organizers, it was a job well done.

Over the next couple of days, I'll be doing write-ups on each of the speakers that I saw... this will include:

  1. Dr. Richard Reiner (Keynote)
  2. Rares Stefan
  3. Ira Winkler (Keynote)
  4. Mike Shema
  5. Rohit Sethi / Nish Bhalla
  6. Steve Riley (Keynote)
  7. Dan Kaminsky
  8. Johnny Long
  9. Jay Graver / Ryan Poppa

View Presentations (Slide Decks and Audio)

NetCat and LF vs CRLF

November 18th, 2007 5 comments

I was attempting to grab a web page via netcat the other day, and my GET / HTTP/1.0<enter><enter> appeared to simply hang. I mentioned this to a colleague who pointed out that netcat only sends line-feed (LF / 0x0A), not carriage-return line-feed (CRLF / 0x0D0A). I did some playing around and it turns out that you can simulate CRLF while using *nix by sending the following: Ctrl+V<enter><enter>. Ctrl+V<enter> is translated into CR and then <enter> alone sends the expected LF.

This unfortunately doesn't work in Windows, so I'll pose a question to my readers. Does anyone know of a way to simulate CRLF using netcat in Windows?
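As an added example, not from the post: a strict header reader modelled on a server that waits for CR LF CR LF shows why the LF-only bytes a *nix terminal sends for <enter><enter> never complete the request, while a tolerant reader (the "tolerant applications" advice in RFC 2616) accepts either form. Function names are mine; the in-memory stream stands in for the socket.

```python
"""HTTP request line endings: why an LF-only request can appear to hang.
Added example, not from the post. End of input on the in-memory stream
stands in for the read timeout you would hit on a real socket."""
import io

CRLF = b"\r\n"

def build_request(method="GET", path="/", host=None, version="1.0", eol=CRLF):
    """Serialize a request head with the given line ending (CRLF by default)."""
    lines = [f"{method} {path} HTTP/{version}".encode()]
    if host:
        lines.append(f"Host: {host}".encode())
    return eol.join(lines) + eol + eol

def read_head_strict(stream, max_bytes=4096):
    """Read byte by byte until CR LF CR LF; None if input ends first."""
    buf = b""
    while len(buf) < max_bytes:
        b = stream.read(1)
        if not b:
            return None          # peer never sent the terminator: the 'hang'
        buf += b
        if buf.endswith(CRLF + CRLF):
            return buf
    return None

def read_head_lenient(stream, max_bytes=4096):
    """Tolerant reader: also accept a bare LF LF as the end of the headers."""
    buf = b""
    while len(buf) < max_bytes:
        b = stream.read(1)
        if not b:
            return None
        buf += b
        if buf.endswith(CRLF + CRLF) or buf.endswith(b"\n\n"):
            return buf
    return None

def parse_bytes(data: bytes, strict: bool = True):
    """Parse an in-memory byte string as if it arrived on a socket."""
    reader = read_head_strict if strict else read_head_lenient
    return reader(io.BytesIO(data))

def hexdump(data: bytes) -> str:
    return " ".join(f"{x:02x}" for x in data)

# What a *nix terminal produces for "GET / HTTP/1.0<enter><enter>"
LF_ONLY = build_request(eol=b"\n")
# What a proper client (or Ctrl+V<enter> then <enter>, CR then LF) produces
PROPER = build_request()
```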

Categories: IT, Tools

Yahoo! Security impressed me.

November 14th, 2007 No comments

I got an early Christmas gift this year. My fiance bought me a subscription to Yahoo! Music Unlimited, 2 million songs that I can stream / download on demand (which is awesome, if anyone's been thinking about buying it). Now in order to use Yahoo! Music Unlimited, I had to install Yahoo! Music Jukebox. The program's search feature was obviously web based, so I became a little curious. I started testing various inputs into the search box. Now basics like <script> were filtered out but I wanted to see where I could take this. In my 30 minutes or so of search, I found two issues.

  1. %00 was accepted into the search box and would cause early termination of the search page when it was loading.
  2. test%3Cimg%09src%3Djavascript%3Aalert(document.cookie)%3EFaith was a valid XSS. The 'Faith' had to be appended to the end because it would still attempt to search for an artist, and would actually find a match with the data provided prior to 'Faith' using some sort of guessing algorithm. 'Faith' caused the guessing algorithm to not match.

I reported these issues to Yahoo! Security on Nov. 9th and received a same day response. It didn't have the same personalized feel that a report to Microsoft has, but it was speedy. Yesterday (Nov. 13th), I received another email from Yahoo! Security telling me that a fix had been implemented and asking me to test it. I tested it and it was indeed fixed; I was rather impressed.
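As an added example (not Yahoo's code), the pattern behind the two findings above: a blocklist that strips only `<script>` passes the `<img>` vector once it is URL-decoded, while rejecting control characters (the `%00` case) and HTML-escaping the echoed query at output time makes the same input harmless. The function names are hypothetical.

```python
"""Blocklist filtering versus output encoding for a search-box echo.
Added example, not Yahoo's code: models the post's two findings (a stripped
'<script>' that still let an <img> vector through, and an accepted '%00')
and contrasts the weak filter with validation plus contextual escaping."""
import html
import re
from urllib.parse import unquote

def blocklist_filter(q: str) -> str:
    """Hypothetical weak filter: only strips literal <script> tags."""
    return re.sub(r"</?script[^>]*>", "", q, flags=re.IGNORECASE)

def render_blocklist(raw_query: str) -> str:
    """Weak pattern: URL-decode, blocklist, echo straight into the page."""
    return f"<p>Results for: {blocklist_filter(unquote(raw_query))}</p>"

def query_is_valid(q: str) -> bool:
    """Reject NUL and other C0 control characters (tab excepted)."""
    return not any(ord(c) < 0x20 and c != "\t" for c in q)

def render_escaped(raw_query: str) -> str:
    """Fixed pattern: validate, then HTML-escape at the point of output."""
    q = unquote(raw_query)
    if not query_is_valid(q):
        raise ValueError("control character in search query")
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"

def echoed_has_tag(rendered: str) -> bool:
    """True if the echoed query turned into markup inside the <p>."""
    start = rendered.index("Results for: ") + len("Results for: ")
    body = rendered[start:rendered.rindex("</p>")]
    return re.search(r"<\s*\w", body) is not None

# The vector reported in the post, URL-encoded as it was submitted.
PAYLOAD = "test%3Cimg%09src%3Djavascript%3Aalert(document.cookie)%3EFaith"
```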

Categories: IT, Security

Windows Update Service required for Windows Update Standalone Installer (.msu)

November 7th, 2007 No comments

I decided to install PowerShell for Vista today, specifically because Michael keeps talking about PowerShell Scripting over at Terminal23.net. Now, I have Vista Home Premium (it came with the PC) and I failed to realize that PowerShell won't install on my version of Vista. However, this post is about what happened before the installer even told me I couldn't install it.

When I double clicked the installer, I was greeted by UAC and after pressing continue, I received the following message:

 Installer encountered an error: 0x80070422

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

It seems that if you have the 'Windows Update' service disabled, you cannot use the Windows Update Standalone Installer. Now those XP users out there that dislike 'Automatic Updates' will be accustomed to the concept of disabling the AU service. However, with Vista, Automatic Updates are controlled via the 'Windows Update' service. So, just as I would on XP, I disabled the service when tweaking a couple of weeks ago, and lo and behold, this also disabled the ability to install standalone updates that you download from the website. After looking at the 'Windows Update' service again it makes sense, as part of the description states, "programs will not be able to use the Windows Update Agent (WUA) API."

Now maybe it's just me, but I don't think that installing software/updates should require a running service; this seems like a waste of resources.

Categories: IT

Firefox Update Mistake

November 6th, 2007 3 comments

Earlier today I still hadn't been prompted to install Firefox 2.0.0.9, so I decided to download it and install it myself. I went to the website, downloaded the installer, installed Firefox 2.0.0.9 and opened Firefox... The new version was installed and things were going well... Then a couple of hours ago I had the Firefox auto-update pop up and tell me I needed to install 2.0.0.9. I'm not sure if manually installing caused this boo-boo or what, but I found it slightly amusing.

Mozilla Firefox Update — WHAT?

Categories: IT