
Posts Tagged ‘toronto’

[SecTor Review] Modern Trends in Network Fingerprinting

November 23rd, 2007

SecTor Day #2
Speakers: Ryan Poppa and Jay Graver
Presentation (pdf)
Download Audio (with Slide Deck) (wmv)

This was the final talk that I attended prior to the wrap up. I already knew what to expect for the most part, since Ryan and Jay are colleagues at nCircle.

The hour long presentation started with 30 minutes of background presented by Jay. The discussion itself focused around network fingerprinting (detecting versions of operating systems and listening services over a network) and, more specifically, HTTP server fingerprinting. The background included a comparison of currently available tools and included nmap, amap and httprint. Jay looked at the results of these tools against modern servers... first while displaying their standard banners and then using obfuscated banners. When faced with obfuscated banners the tools didn't fare so well.

The second half of the presentation, presented by Ryan, included what was really the "meat" of the presentation... the discussion of a new tool, httpfp [link coming as soon as the tool is released], which uses a new approach to fingerprinting. Ryan pointed out numerous aspects of an HTTP server response that can be used to determine the type of software that the server is running, even if banner obfuscation is being used. Some of the identification points included were:

  • Case of the Content-Length header (Content-Length/Content-length/content-length)
  • The existence of Public or Allow headers
  • The order of the options presented in the Public/Allow header
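As an added illustration of that approach (this is my own example code, not httpfp or nCircle's signature data), the script below ignores the Server banner entirely and scores a response against a signature table built from exactly the structural features listed above: the spelling of the Content-Length header name, whether an Allow or Public header exists and the order of the methods in it, and the order in which headers are emitted. The three signatures and the sample responses are constructed for the example and do not describe any real server.

```python
# Added example: structural HTTP server fingerprinting. The signature table
# is made up for illustration; it is not httpfp's data or any real survey.
SIGNATURES = {
    "server-alpha": {
        "content_length_case": "Content-Length",
        "allow_order": ("GET", "HEAD", "POST", "OPTIONS", "TRACE"),
        "header_order": ("Date", "Server", "Allow", "Content-Length"),
    },
    "server-beta": {
        "content_length_case": "Content-length",
        "allow_order": ("OPTIONS", "TRACE", "GET", "HEAD", "POST"),
        "header_order": ("Server", "Date", "Content-length", "Public"),
    },
    "server-gamma": {
        "content_length_case": "content-length",
        "allow_order": (),            # sends neither Allow nor Public
        "header_order": ("content-length", "Date", "Server"),
    },
}

# Header order and method order are harder to fake by accident than the
# spelling of one header name, so they carry more weight (an assumption).
WEIGHTS = {"content_length_case": 1, "allow_order": 2, "header_order": 2}


def parse_response(raw):
    """Split a raw response into (status_line, [(name, value), ...]).
    Header names are kept exactly as sent: their spelling and order are the
    signal, so nothing is normalised here."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def extract_features(headers):
    """The banner-independent features the talk called out."""
    names = tuple(n for n, _ in headers)
    cl_case = next((n for n in names if n.lower() == "content-length"), None)
    methods = next((v for n, v in headers if n.lower() in ("allow", "public")), None)
    allow_order = tuple(m.strip().upper() for m in methods.split(",")) if methods else ()
    return {
        "content_length_case": cl_case,
        "allow_order": allow_order,
        "header_order": names,
    }


def fingerprint(raw):
    """Rank signatures by weighted feature matches; returns [(name, score), ...]
    best first. The value of the Server header is never consulted."""
    _, headers = parse_response(raw)
    feats = extract_features(headers)
    ranked = []
    for name, sig in SIGNATURES.items():
        score = sum(w for f, w in WEIGHTS.items() if feats[f] == sig[f])
        ranked.append((name, score))
    ranked.sort(key=lambda ns: (-ns[1], ns[0]))
    return ranked


# Constructed sample: the banner says nothing useful, the structure still does.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 23 Nov 2007 12:00:00 GMT\r\n"
    b"Server: Obfuscated/0.0\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
```

A real signature table has to be built from observed responses to several request types (GET, HEAD, OPTIONS, a malformed request line), because a single 200 response rarely carries enough distinguishing structure; the scoring above deliberately stays simple so the features themselves are visible.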

The concept is definitely cool and I'm really looking forward to seeing what advancements and improvements will be made in the future. It was also a great way to round off the conference.

[Updated Links]

[SecTor Review] Hacking Hollywood

November 23rd, 2007

SecTor Day #2
Speaker: Johnny Long
Download Audio (wmv)

This was my first time seeing Johnny talk and he definitely lived up to the stories I've heard. This wasn't a technical talk by any means, but it was highly entertaining and hilarious.

Before Johnny started his talk, he took advantage of the platform to fill in the attendees on IHackCharities.org. The basis of the organization is fairly simple... they match hackers/IT professionals who are unemployed with charities that are seeking IT-related help... e.g. a charity that needs a web page built for them. In exchange for the few hours of work that the hacker donates, they get references from leading industry professionals who have verified their work. I actually see this as being quite useful and was excited to hear about it. I still have to contact Johnny, as he mentioned unemployed professionals, but I'm wondering whether the employed can volunteer as well. It's a way that everyone can give back, even if it's just a little bit. This is something that the SecTor organizers should have picked up on and presented to the entire con, as it's definitely a worthwhile cause.

Back to the presentation... Johnny took several popular hacker-related movies and demonstrated why scenes were either 'leet' or 'lame'. The movies included Hackers, The Matrix, Swordfish, and Code Hunters... although there were plenty of others. The presentation was a lot of fun; however, it might have been more fitting as a keynote so that everyone could have enjoyed it.

Valid uses of security in movies were pointed out, as were the completely wacko ideas. There were typos identified and examples of Hollywood using yet to be discovered technologies. :)

The hour flew by and could have most likely been extended, as everyone was drawn into the talk, which included audience participation.

[SecTor Review] Black Ops 2007: DNS Rebinding Attacks

November 23rd, 2007

SecTor Day #2
Speaker: Dan Kaminsky
Presentation (ppt)
Audio (wmv)

This was the first talk I attended on day 2. Dan demonstrated DNS Rebinding attacks and how they can be dangerous to internal networks. The talk was filled with technical data and live demos.

While the demo had been set up in advance, it was nice to see how quickly and efficiently the attack could be pulled off if you were prepared.

One interesting event occurred when another speaker (who had presented on DNSSEC) argued that DNSSEC is the solution to this problem. Kaminsky was able to make short work of the individual and put him in his place... even though he attempted to persist with his argument.

There are solutions to some forms of DNS rebinding; unfortunately they could take years to implement, even if they were adopted.

The first would be to rewrite DNS servers to reject answers containing RFC 1918 (private) addresses when those answers come from external sources.

Another would be to rewrite DNS to operate with its own version of the three-way handshake. The resolver receives an IP after resolving the domain name and, rather than pass it to the host, performs a reverse resolution on the IP, ignoring any mappings that occur in its cache. Sure, this increases the load on servers, but I'm fairly certain they'd be able to handle it... A problem that can occur here is with virtual hosts, and unfortunately they are becoming more and more common. The problem is that you need all virtual hosts to be returned when an IP is reverse-resolved, and that doesn't seem likely.

Right now, the most effective step you can take is to have firewall rules on the border of your network to either drop DNS responses with internal IPs or to rewrite them on the fly. This doesn't, however, stop an attack from rebinding to a different external IP.
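To make the border-filter idea concrete, here is an added example (my own code, not anything presented in the talk or shipped by any vendor) of the check such a rule has to perform: parse the answer section of a DNS response, including RFC 1035 name compression, and drop the response if any A record points into RFC 1918 space. Treating loopback and link-local as "internal" as well is an assumption of the example. The `build_response` helper fabricates test messages so the script runs offline; they are constructed, not captured traffic.

```python
# Added example: resolver/border check for DNS answers that point inside.
import ipaddress
import struct

# RFC 1918 private space plus loopback and link-local (the last two are an
# assumption of this example; adjust to match what "internal" means to you).
BLOCKED_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def _read_name(msg, off):
    """Decode a DNS name at msg[off], following compression pointers.
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels = []
    end = None
    jumps = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumps += 1
            if jumps > 16:                       # pointer loops are a known DoS trick
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg):
    """Return [(name, rtype, ttl, rdata), ...] for the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                     # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                 # QTYPE + QCLASS
    out = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        out.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return out


def rebinding_targets(msg):
    """A records whose address lies in a blocked range: [(name, addr, ttl)]."""
    hits = []
    for name, rtype, ttl, rdata in parse_answers(msg):
        if rtype == 1 and len(rdata) == 4:       # A record
            addr = ipaddress.IPv4Address(rdata)
            if any(addr in net for net in BLOCKED_RANGES):
                hits.append((name, str(addr), ttl))
    return hits


def should_drop(msg):
    """Border policy: drop the whole response if any answer points inside.
    Dropping (rather than stripping one RR) avoids handing the client a
    half-edited answer set."""
    return len(rebinding_targets(msg)) > 0


def build_response(qname, addrs, ttl=1):
    """Construct a minimal DNS response for testing. These are made-up
    messages, not captured traffic; a rebinding attacker typically uses a
    very low TTL, hence the default."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)         # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:
        answers += b"\xC0\x0C"                   # pointer to the question name
        answers += struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(a).packed
    return header + question + answers


if __name__ == "__main__":
    msg = build_response("attacker.example", ["203.0.113.5", "192.168.1.1"])
    print(rebinding_targets(msg), should_drop(msg))
```

The limitation stated above still applies: this catches rebinding to addresses in the blocked ranges only, and an attacker who rebinds to some other external address passes straight through.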

For more information on DNS Rebinding, there's a great paper available from a team at Stanford CS on the subject.

[SecTor Review] Defending Layer 8

November 23rd, 2007

SecTor Keynote
Speaker: Steve Riley
Presentation (ppt)

Full Title: Defending Layer 8: How to Recognize and Combat Social Engineering

This talk was interesting, funny and informative... a great way to start the second day.

Steve took the 7 layer OSI model and turned it into a 9 layer model. He added layer 0 to the bottom, physical... but not physical like layer 1... He differentiated by referring to layer 1 as 'cyberspace' and layer 0 as 'meatspace'. Layer 0 is your physical location, your physical security... the building itself where your systems are located. The other added layer was layer 8, a layer that is traditionally added to the OSI model and referred to as the 'human layer'.

To demonstrate layer 0 problems, Steve told a story involving the movement of a data center. The company had moved their data center down to street level, and put it on display behind a glass window facing the street. This included server names and IP addresses, dial-in numbers for modems, etc... It turned out some thieves noticed the display and they drove a truck through the window, grabbing the first computer they came across. The computer ended up being the company's domain controller. An hour later the company was lucky enough to get the computer back; however, instead of performing forensics... they immediately plugged it back into the network.

Steve's talk was full of stories like that one... little, funny, to-the-point stories that kept you interested and enhanced the overall presentation. I believe that the SecTor organizers are putting video, or at the very least audio, online with the presentations... for all of the keynotes so far, that will make a huge difference for those intending to go through the slide decks (which I will link to as soon as I see them posted).

Steve continued on with his discussion on social engineering and offered 10 tips for anyone interested in trying out social engineering. The list included:

  1. Be Professional.
  2. Be Calm.
  3. Know your mark.
  4. Do not fool a superior scammer.
  5. Plan your escape from your scam.
  6. Be a woman.
  7. Use watermarks.
  8. Make business cards and fake names.
  9. Manipulate the less fortunate, the unaware, and the stupid.
  10. Use a team if you have to.

Each of these steps included details and descriptions... or at very least amusing commentary.

Steve also outlined 8 types of Social Engineering 'exploits', each with an example:

  1. Diffusion of Responsibility - 'The VP says you won't bear any responsibility'
  2. Chance for ingratiation - 'Look at what you might get out of this'
  3. Trust Relationships - 'He's a good guy, I think I can trust him'
  4. Moral Duty - 'You must help me! Aren't you so mad about it?'
  5. Guilt - 'What, you don't want to help me?'
  6. Identification - 'You and I are really two of a kind, huh?'
  7. Desire to be helpful - 'Would you help me here, please?'
  8. Cooperation - 'Let's work together. We can do so much!'

Following this, along with additional stories, were steps for discovering data on your target, ways to pull off an attack, and ways to defend against an attack. It was definitely a great explanation of social engineering. I think that a lot of people walked away with a lot of useful information.

[SecTor Review] Web Application Worms: The Future of Browser Insecurity

November 22nd, 2007

SecTor Day #1
Speaker: Mike Shema
Presentation (pdf)
Audio (wmv)

Webapp worms and browser insecurity... exactly what I wanted to hear about. It was actually quite a tough call because at the same time as this talk, Joanna Rutkowska was speaking on 'Security Challenges in Virtualized Environments'. In the end, my interest in web security won out over my interest in VM security.

Mike is a rather bright guy in the web space with several books to his credit... his talk, however, left me a little on the disappointed side. That being said, I'm not sure that it's Mike's fault... I think that my expectations were a little high. I'm guessing that the presentation was a great overview for those without a background / interest in webapp security... for those that have always wanted to learn more, but weren't sure where to start. The talk did a great job of getting that across.

Essentially Mike did an overview of web security over the last 2-3 years, where it's been and where it could go. I picked up a few pieces of historic trivia and I'm pretty sure that the majority of the audience was rather pleased by the end.

Mike touched on research from individuals like Jeremiah Grossman, RSnake and pdp. I found the presentation to be like the sports on the 11 o'clock news. If you've come home and missed the games themselves, then it's a great way to inform yourself of what has happened and be prepared for tomorrow, but if you saw the games then you don't really find the update all that interesting. Which is why I think for a lot of people, Mike's talk was quite useful... a lot of people don't follow web app security on a day to day basis.

I had actually wanted to chat with Mike and find out more on his thoughts but unfortunately the jam-packed schedule prevented any post-talk chatting, and I never did track him down during the CheckPoint Reception... so Mike if you're reading this, fire me off an email.

[SecTor Review] Zen and the Art of Cybersecurity

November 22nd, 2007

SecTor Keynote
Speaker: Ira Winkler
Presentation (ppt)

It's lunch time, the food is great and the first day is on its way to being half over. Although I've never seen him talk before, I've heard the hype about Ira Winkler... a great speaker with an interesting background. I was really looking forward to this keynote... and it didn't disappoint.

Ira was full of stories... with his PowerPoint acting as more of a map. The story of an email saying, "Hello, I've finally gotten a company to agree to let me perform a pentest against their systems... what do I do now?" was good for a laugh but it also demonstrated a point... If you have to ask, you probably shouldn't be doing it... it also demonstrated a previous point about people 'not knowing how much they don't know'.

Another story looked at martial arts... That it's important to master the basics. Ira discussed how a white belt and a black belt both know the same moves, because there are only so many ways that you can punch, kick and block. It's the years of application, practice and theory that make it appear as though black belts know so much more than white belts. The same is true in computers and Ira pointed out that there are only two ways to hack a computer:

  • Take advantage of configuration problems
  • Take advantage of problems built into software

It boils down to being that basic, beyond that you are just honing your skill and your method.

One point that had to be left out because of time limitations, but whose accompanying story I would like to have heard, was the 'Wizard of Oz' approach. In the story, everyone seeks out the great and almighty wizard, each for their own reason. What they find out when they find the wizard is that they all had everything they needed. Dorothy had the shoes, Lion had courage, Tinman had a heart and Scarecrow had a brain... they didn't know what they were looking for, so how could they know that they already had it.

The talk was captivating and a lot of fun... it was great to hear the stories... I definitely recommend looking through the slide deck... it loses a lot without the talk itself (although I believe the SecTor page will have the talk posted in the future [I'll link to it when it's posted]) but for now you can read through the slide deck from a past conference.

[SecTor Review] TCP/IP Perversion

November 22nd, 2007

SecTor Day #1
Speaker: Rares Stefan
Presentation (ppt)
Audio (wmv)

This was the first talk that I attended. Based on what I saw, it was the smallest of the three rooms, however I can't be sure as every talk I attended was in the same room. I rather enjoyed the intimate nature of the setting... a small, yet packed, room made for a great presentation environment (at least it did on the attendee side).

The subject was TCP/IP Perversion and the presenter was Rares Stefan, the Chief Security Architect at Third Brigade. The talk centered around inline drivers that could be placed low enough in the stack that they could modify data being sent without the OS taking notice. The idea was focused on malware, but the demonstration slides made use of what I believe is internal Third Brigade software for testing/development (Note to any Third Brigade employees that read this: I'd love a chance to play with the software).

So here's an example of what was presented. You (192.168.1.100) fire up Wireshark and start sniffing, then you request a web page (Google.ca: 64.233.161.104):

Source: 192.168.1.100
Destination: 64.233.161.104

GET / HTTP/1.1
Host: www.google.ca
Connection: close

In Wireshark you see the request as you should, however the sniffer on the hub you are connected to sees the following request.

Source: 192.168.1.100
Destination: 82.165.158.149

POST / HTTP/1.1
Host: www.computerdefense.org
Connection: close

Data that has been inserted.

Your sniffer, and therefore any HIPS/HIDS that you have, will not have noticed this change. To any device further down the network (IDS/IPS/Proxy) this is a completely valid request. The network device hasn't seen the original message and your computer hasn't seen the modified message.
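The practical consequence of that last paragraph is that the host cannot be trusted to audit itself, so the check has to come from outside it. As an added example (my own code, not Third Brigade's tooling or anything shown in the talk), the script below does a cross-view comparison: the same flows as recorded by the host's own sniffer and by a tap on the hub are correlated and any flow where the two views disagree is reported. The two captures are constructed tuples mirroring the request in the post, not real pcap data, and correlating on (source IP, source port) assumes the rewriter leaves the source side of the connection alone.

```python
# Added example: cross-view check for an inline packet rewriter. Both
# "captures" are constructed to mirror the request in the post.

# (src, sport, dst, dport, payload) as the host's own sniffer saw them
HOST_VIEW = [
    ("192.168.1.100", 49152, "64.233.161.104", 80,
     b"GET / HTTP/1.1\r\nHost: www.google.ca\r\nConnection: close\r\n\r\n"),
    ("192.168.1.100", 49153, "64.233.161.104", 80,
     b"GET /search?q=sector HTTP/1.1\r\nHost: www.google.ca\r\nConnection: close\r\n\r\n"),
]

# The same two flows as seen by a sniffer on the hub / span port
TAP_VIEW = [
    ("192.168.1.100", 49152, "82.165.158.149", 80,
     b"POST / HTTP/1.1\r\nHost: www.computerdefense.org\r\nConnection: close\r\n\r\n"
     b"Data that has been inserted."),
    ("192.168.1.100", 49153, "64.233.161.104", 80,
     b"GET /search?q=sector HTTP/1.1\r\nHost: www.google.ca\r\nConnection: close\r\n\r\n"),
]


def summarize_http(payload):
    """Reduce an HTTP request to (method, path, host, body_length) so two
    views can be compared without caring about incidental header noise."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else (lines[0], "")
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return method, path, host, len(body)


def index_by_flow(packets):
    """Key packets by (src, sport). Assumption: the rewriter changes the
    destination and payload but leaves the source port alone, so the
    source side is the stable handle for correlating the two views."""
    return {(p[0], p[1]): p for p in packets}


def divergences(host_view, tap_view):
    """Flows where the tap saw something different from the host."""
    host_idx = index_by_flow(host_view)
    tap_idx = index_by_flow(tap_view)
    findings = []
    for key, hp in host_idx.items():
        tp = tap_idx.get(key)
        if tp is None:
            findings.append({"flow": key, "issue": "missing-on-wire"})
            continue
        h_dst, t_dst = (hp[2], hp[3]), (tp[2], tp[3])
        h_req, t_req = summarize_http(hp[4]), summarize_http(tp[4])
        if h_dst != t_dst or h_req != t_req:
            findings.append({
                "flow": key,
                "issue": "rewritten",
                "host_saw": (h_dst, h_req),
                "tap_saw": (t_dst, t_req),
            })
    for key in tap_idx.keys() - host_idx.keys():
        findings.append({"flow": key, "issue": "injected"})   # wire-only traffic
    return findings


if __name__ == "__main__":
    for f in divergences(HOST_VIEW, TAP_VIEW):
        print(f)
```

The tap capture has to be taken on a separate machine; a second sniffer on the same compromised host sits above the same driver and would simply agree with the first one.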

This was demonstrated/discussed using Pre-Vista Windows Operating Systems but that doesn't preclude Vista from the possibility of the same issues.

As I said in my SecTor Overview post, I had expected presentations that were quite a bit more technical. This presentation was actually great in that category... while the technical details weren't necessarily communicated, you could see what was happening in the debug window of the software used, and the actions taking place in those images were quite interesting to watch.

The concept of malware that could do this is frightening. If I remember correctly, it was mentioned that presently there isn't any malware taking these sort of actions, but that doesn't mean that we won't see it in the future.

The talk ended up being a great way to start off Day #1, and struck me as a topic that I would love to delve deeper into.

[SecTor Review] Growing the Security “Profession”

November 22nd, 2007

SecTor Keynote
Speaker: Dr. Richard Reiner
Presentation (pdf)

It was Day 1 of SecTor and I had gotten up much earlier than I usually do, so I was still half asleep as the SecTor housekeeping was occurring. The housekeeping ended and a round of applause brought me back to reality just as Dr. Reiner was taking the stage. Needless to say, the thought of catching a few z's didn't even occur to me after the keynote started.

The topic was 'Growing the Security "Profession"' with profession in quotes. The keynote pointed out that InfoSec isn't a profession right now... we aren't recognized professionals like doctors, lawyers and engineers. Then the question was posed, should we be professionals?

A number of interesting questions were posed:

  • Do we professionalize IT or IS?
  • Do all aspects of IS qualify as professionals?
    • Would researchers qualify?
    • Would corporate security teams qualify?
    • Would pen testers and auditors qualify?
  • Who would benefit?
    • Would IS professionals benefit?
    • Would the public benefit?

In the end, no answer was given... it wasn't a "this is what we need to do" presentation, it was a "here's a concept to think about" presentation. It left you thinking, which is exactly what I think a keynote should do. At first I thought it was a very cut and dried answer... yes, we need to professionalize.

  • We become members of a respected community
  • We gain exclusivity... eliminating those who don't qualify
  • We have a standardized code of ethics
  • We eliminate the "piece of paper" certificates that test what you can memorize, not what you know

At least that's how I saw it at first... the more I thought about it I saw several cons.

  • We cause a greater divide between the "underground" and professional sides of IS.
  • A lot of the great minds in IS wouldn't have necessarily become IS Professionals when they were doing the interesting work that they were doing.
  • A standardized code of ethics has never been agreed upon in the past, and now we're going to put it in the hands of a committee to determine?
  • Formal education, something that definitely isn't a requirement in IS, suddenly becomes a requirement.

So, over the past couple of days, as I've thought about this... I've realized it isn't so cut and dried... and if I had to vote for or against professionalizing IS, I'm still not sure how I'd vote. At least I'm thinking about it... and that was, as far as I understand, the intended outcome of the presentation.

Note: I just took a look at SecTor and I don't see the slides posted yet, as soon as slide decks are out, I'll attach links to them.

[SecTor Review] Overview

November 22nd, 2007

My Tuesday and Wednesday this week were occupied by the first ever SecTor (Security Education Conference Toronto). Over the next couple of days, I'm going to write up my thoughts about the speakers that I saw, but I thought that I would first give an overview of the conference itself.

The schedule provided for two full days of talks with keynotes in the morning and at lunch. When I saw the speaker list for the first time, I was rather impressed; they had quite a few big names. I was, however, disappointed with the technical level of the talks. Not that the talks were bad, in fact they were great, but I had expected them to be pitched at a much lower (more technical) level. I've been informed that they were roughly the same technical level as the talks at Black Hat. I think the issue was that I had expected more due to the wording on the SecTor website. In the end, even with the level of the talks, I enjoyed myself for pretty much the entire time that I was there.

Then there was the food... it was pretty impressive. Breakfast was your traditional continental breakfast: coffee or juice, croissants, muffins and danishes. Lunch on Day 1 was: Buns, Caesar Salad, an Antipasto platter, steamed veggies, cheese cannelloni, salmon quiche and dessert. Lunch on the second day was very similar, however a pasta dish (chicken, black olives, and other ingredients) was substituted for the cannelloni, and we had broccoli quiche instead of the salmon. There was also a Cocktail reception at the end of Day 1 sponsored by CheckPoint and on top of free alcohol (which was very generously poured), there was even more food. Spring rolls, chicken skewers, mini quiche and various hors d'oeuvres.

I don't know yet if I'll be attending next year but if I am, I think that I might like to see a lower price tag. I'm guessing the cost was where it was partially because it was the first year and sponsorship, while it included a number of big names, was limited. As well, I'd like to see the scheduling of the speakers occur slightly differently. There were times when I would have liked to see 2 or 3 of the talks that were taking place at the same time and other times when nothing really stood out to me. In the end though, I enjoyed everything I saw and that made the con worthwhile. I have to say kudos to the organizers, it was a job well done.

Over the next couple of days, I'll be doing write-ups on each of the speakers that I saw... this will include:

  1. Dr. Richard Reiner (Keynote)
  2. Rares Stefan
  3. Ira Winkler (Keynote)
  4. Mike Shema
  5. Rohit Sethi / Nish Bhalla
  6. Steve Riley (Keynote)
  7. Dan Kaminsky
  8. Johnny Long
  9. Jay Graver / Ryan Poppa

View Presentations (Slide Decks and Audio)