Wednesday, August 6, 2008

Spliced feed for Security Bloggers Network

Rage, rage against the dying of the light. [The Falcon's View]

Posted: 06 Aug 2008 08:21 AM CDT

As noted here and here, Rage Against the Machine will be performing in Minneapolis while the Republican National Convention is convened in St Paul. Too funny. :) In honor of that scheduled performance, I bring you the famous poem "Do...

Chris Pirillo update on his PayPal loss [Roer.Com Information Security - Your source of Information Security]

Posted: 06 Aug 2008 03:02 AM CDT

Chris Pirillo made an update regarding his losing US$450,- from his PayPal account.

The post of his includes some tips (known to most of us, but no harm in repeating) on how to stay (more) secure when it comes to PayPal and online shopping:

(cut'n'pasted from Chris' post)

  1. The first thing, it all starts with a clean computer system. A computer system with viruses or keyloggers may be the cause of unauthorized people being inside of your PayPal account. Use security programs on your computer.
  2. Make sure the site you are on is the verified PayPal site, and not a phishing site. You can check this by checking the domain name in the browser's URL bar. You should see PayPal's actual site address, and not something else.
  3. Don't keep large amounts of money in your PayPal account, because people can easily send your money to other accounts in the blink of an eye if they gain access to it. Instead of keeping it on PayPal, keep it inside your bank account.
  4. Check your PayPal history on a daily basis. This way, you can stop money from being transferred if you see it happening when and where it shouldn't be.
  5. This may be common sense, but use a strong password! Use a mixture of lowercase, uppercase, symbols, and numbers. Make it harder for a hacker to guess to begin with! Reading this post by Chris may help.
  6. When you're buying something with PayPal, be sure to check that the site you are on is secure. Do this by checking the URL bar. The site should contain "HTTPS". This will help you determine if the site is fraudulent or not. You can also do research on Google about certain sellers that you may not be sure of.
  7. Shop with well-known companies who have established a good reputation.



He explains the case here:



Do You Have a Problem with PayPal?
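Tips 2 and 6 above both come down to one check: read the host in the address bar rather than looking for a familiar string somewhere in the URL. As an added example (not from Chris Pirillo's post or from Roer.com; the trusted domain list and the sample URLs are constructed for illustration), the Python below puts the naive "I can see paypal.com and https" test beside a strict host check and runs both over a handful of lookalike URLs:

```python
from urllib.parse import urlsplit

# Hostnames the user actually means to reach. Constructed for this example:
# the set is an assumption, not a statement of what PayPal's real hosts are.
TRUSTED_DOMAINS = {"paypal.com"}


def naive_check(url: str) -> bool:
    """The check people do by eye: 'I can see paypal.com and https somewhere'."""
    return "paypal.com" in url and "https" in url


def is_trusted_url(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the URL is HTTPS and its host is a trusted domain or a
    label-boundary subdomain of one (www.paypal.com yes,
    www.paypal.com.evil.example no)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname            # drops userinfo ("user@") and port, lowercases
    if not host:
        return False
    host = host.rstrip(".")          # "www.paypal.com." names the same zone
    if any(label.startswith("xn--") for label in host.split(".")):
        return False                 # IDN label: possible homograph, treat as untrusted
    return any(host == d or host.endswith("." + d) for d in trusted)


# Constructed sample URLs: one legitimate form and five lookalikes.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://www.paypal.com/signin",
    "https://www.paypal.com.secure-login.example/",
    "https://www.paypal.com@evil.example/",
    "https://evil.example/login?next=https://www.paypal.com/",
    "https://paypa1.com/",
]


def classify(urls=SAMPLE_URLS):
    """Return (url, naive_verdict, strict_verdict) for each URL."""
    return [(u, naive_check(u), is_trusted_url(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in classify():
        print(f"{'OK ' if strict else 'BAD'}  naive={str(naive):5}  {url}")
```

The strict check parses the URL, so a host-like string in the userinfo, path or query string does not count, and an "xn--" label is rejected outright rather than trying to decide whether it is a homograph. That is the same rule a browser's address bar applies: the scheme and the registrable host, nothing else.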

Does this mean we can revise our opinion of Friday the 13th? [Emergent Chaos]

Posted: 06 Aug 2008 02:43 AM CDT

Knights Templar Being Burned

According to The Daily Telegraph, the Knights Templar are suing the Vatican for all that money they lost in 1307. (The Telegraph has a companion article here as well.)

This adds up to a nice round €100 billion. The Telegraph didn't say whether that is American billions (thousand million, 10^9) or English billions (million million, 10^12), and given that the Templars were The World Bank of the turn of the previous millennium and there's 700 years of interest involved, it's not obvious how many zeroes need to go at the end.

Last October, the Vatican released copies of the parchments documenting the Templar Trials after having them been "misfiled" for over three hundred years. (My house has nearly as many books as the Vatican, squished into a much smaller space, so I completely understand how that could happen.)

These parchments reveal that in fact the Templars were found to be not guilty of heresy at the time, but Pope Clement V let them be disbanded and burned at the stake anyway because King Philip IV of France was being really cranky about it. (If you follow US foreign policy, you should completely understand how that could happen, as well.)

The major dodgy thing about the suit is that the Spanish group claims that their suit is not to reclaim damages but only to restore the good name of the Templars. Yeah, uh huh, sure. Then why aren't you suing for a single Euro?

Perhaps the Freemasons will weigh in on this. Among the many Fun Templar Facts, there's a surprisingly good theory that they're founded by escaped Templars. Other Fun Templar Facts include that Friday the 13th is considered unlucky because that's when they were all rounded up; that the burned Templar Grand Master, Jacques de Molay, was the 23rd Grand Master; and that Jacques de Molay was the inventor of Molé sauce.

Photo is of Jacques de Molay being sent to burn at the stake, via the GETTY and the Daily Telegraph web site.

Vendor Parties @ Black Hat USA [Infosec Events]

Posted: 06 Aug 2008 02:24 AM CDT

Vendor parties during Black Hat USA are always interesting, because the conference is in Las Vegas. Here is a list of vendors that I know of that are throwing parties this year at Black Hat USA 2008.

Tuesday, August 5th

Wednesday, August 6th

Thursday, August 7th

Saturday, August 9th

Know of any other parties that aren’t on the list? Post a comment or send us an email and we can share the joy.

Black Hat SWAG Bag [Infosec Events]

Posted: 06 Aug 2008 02:01 AM CDT

This year’s SWAG bag for Black Hat USA 2008 is pretty cool. Included in the bag is a Moleskine-like notebook, PayPal OTP token, Black Hat pen/highlighter, Black Hat sticker and of course all the presentations from the conference. The shoulder bag is actually usable, which is somewhat rare for conference bags. Thanks Black Hat!

Twitter Updates for 2008-08-05 [.:Computer Defense:.]

Posted: 05 Aug 2008 10:59 PM CDT

  • Currently Browsing: http://tinyurl.com/6zyt6u <-- Slides from my TASK talk are posted. #
  • 7 Hours til we fly out for Vegas. #
  • @myrcurial Flying WestJet? #
  • @myrcurial ahh ok we're on westjet 918 out of yyz #


Russian Gang Hijacking PCs in Vast Scheme [Vincent Arnold]

Posted: 05 Aug 2008 10:54 PM CDT

By JOHN MARKOFF
Published: August 5, 2008

A criminal gang is using software tools normally reserved for computer network administrators to infect thousands of PCs in corporate and government networks with programs that steal passwords and other information, a security researcher has found.

The new form of attack indicates that little progress has been made in defusing the threat of botnets, networks of infected computers that criminals use to send spam, steal passwords and do other forms of damage, according to computer security investigators.

Source

Cleared Traveler Data Lost [Emergent Chaos]

Posted: 05 Aug 2008 03:44 PM CDT

Finger on print reader

Verified Identity Pass, Inc., who run the Clear service have lost a laptop containing information of 33,000 customers. According to KPIX in "Laptop Discovery May End SFO Security Scare" the "alleged theft of the unencrypted laptop" lost information including

names, addresses, birth dates and some applicants' driver's license numbers and passport information, but does not include applicants' credit card information or Social Security numbers, according to the company.

We are also told:

The information is secured by two levels of password protection, the company reported.

Two levels of passwords. Wow. I guess you don't need to encrypt if you have two levels of passwords.

The TSA suspended enrollment of new customers, but existing customers can still use the service. So if you stole the data and can use it, you're Clear.

Blackhat / Defcon [.:Computer Defense:.]

Posted: 05 Aug 2008 02:08 PM CDT

Well, I'm leaving shortly for Blackhat and Defcon. For half the time at Blackhat I'll be working the nCircle booth, feel free to say 'Hey'. Look me up while you're there, or message / email me and I'll pass along my cell so that we can text. I'll also be updating twitter as much as I can and blogging when I can.

This is my first time heading down to Vegas so I'm looking forward to having quite a bit of fun.

Black Hat USA Goes Social With Twitter [Infosec Events]

Posted: 05 Aug 2008 01:55 PM CDT

Black Hat has embraced the social networking site Twitter for this year’s Black Hat Briefings USA 2008. Follow the official Black Hat USA 2008 account on Twitter and get live updates from the conference. There are also a bunch of "Security Twits" attending this year’s event and the best way to track all the chatter is to monitor #blackhat on twitter.

The greatest rogue antispyware scan warning of all time [Vitalsecurity.org - A Revolution is the Solution]

Posted: 05 Aug 2008 01:49 PM CDT




....probably.

Clear program lost a laptop [An Information Security Place]

Posted: 05 Aug 2008 01:36 PM CDT

I just posted over at my CW blog about the lost laptop from the company running the Clear program.  Whiskey Tango Foxtrot, over?

When you read, take a look at the quotes I found from their website.  Friggin’ classic.

Vet

What does a Botnet look like? [Roer.Com Information Security - Your source of Information Security]

Posted: 05 Aug 2008 12:03 PM CDT

Ever wondered what a Botnet looks like? Now you can see for yourself!

This graphic shows the interconnections between bot-infected computers. The graphic also incorporates controls for you to zoom and move around - quite impressive IMO.

Thanks to Steinar for pointing me to this!


Vegas, baby, Vegas [...And You Will Know me by the Trail of Bits]

Posted: 05 Aug 2008 11:36 AM CDT


It’s that time again. It’s 110 degrees in Las Vegas and if that wasn’t causing the locals enough worry, the yearly invasion of hackers this week certainly will. Expect to see more humongous LCD displays blue screen and guys walking around in the heat wearing black leather trenchcoats (that’s dedication!).

Anyway, it looks like there will be a lot of cool stuff happening at BlackHat, and here are some of the talks and events that I am looking forward to on Day 1:

Anyway, if anyone is trying to hunt me down, DM me on Twitter.

Mylol.net - still the worst site ever [Vitalsecurity.org - A Revolution is the Solution]

Posted: 05 Aug 2008 04:57 AM CDT

I could ramble on about Mylol for pages and pages, but let's face it - there's no need to. We all know it is one gigantic train-wreck of biblical proportions.

I still don't know who could come up with the idea of a "teen dating site" without immediately thinking this might be the worst idea ever, but oh well. I've already drilled down into the site previously, so this time round let's go with some general observations. Checking the email account I used to sign up, I can see I've become pretty popular in my absence:



Can you guess what kind of content is in every single message I opened up? No prizes, but...


Well fancy that, hot chicks from Africa wanting to be my wife. Roll up, roll up kids, it's time to get scammed! If you try and register on the site, it won't let you if you're under 13:



However, you can still go trawling through the profiles and go hunting for 13 year old girls, a good slice of which have pictures and personal info readily available like phone numbers or whatever:



Yeah, 3000+ of them! 3000+ slices of hot teeny action to get all excited about! Woo! Hooray for creepy old guys with stunningly easy access to teenage kids handing out their phone numbers and names left, right and center! I cannot believe the ability to search for 13 year old kids on this digital trainwreck has NOT been switched off.

Then again, their terms of service are completely nonsensical anyway. Here's a random example of "stuff not to do":

(h) provides material that exploits people under the age of 18 in a sexual or violent manner, or solicits personal information from anyone under 18;

Lol wut

How are they supposed to prevent anyone soliciting personal information from anyone under 18 when they offer membership to anyone 13 years of age or older in the first place?

Trawling through the profiles themselves is an exercise in extreme creepiness. Apart from the weird-assed pics of young girls posing in their underwear, you keep seeing exchanges like the following. It starts off (sort of) innocently enough, but see if you can spot where it all goes horribly wrong:


...ick. Anyway, here's a comment left on her page:


....actually, it's probably a really good thing she's not in the UK. Why?



Oh, perhaps because Davy Boy is TWENTY YEARS OLD AND TELLS 13 YEAR OLDS THEY LOOK SEXY. Do I hear the Party Van rolling in to town?

Jeez. If ever there was a time I would pray to God and ask him to bless me with the ability to punch people in the face over a standard TCP/IP Protocol, now would be it. Don't even get me started on this guy, who claims to be a sexy 14 year old boy looking for a 13 to 18(!) year old girl to text and meet. Fourteen? This guy is never, ever fourteen, is he? Incidentally, his Mylol profile (which I'm not linking to) has someone on his friends list who looks like an extremely young girl in some kind of underwear / hotpants setup posing for the camera. It is, as you might have guessed, extremely freaking creepy.

/ Edit - publishing a newer entry appears to have screwed up this post, I think I got most of it back though.

Privacy Enhancing Technologies and Threat Modeling [Emergent Chaos]

Posted: 05 Aug 2008 12:05 AM CDT

Steven Murdoch and Robert Watson have some really interesting results about how to model the Tor network in Metrics for Security and Performance in Low-Latency Anonymity Systems (or slides). This is a really good paper, but what jumped out at me was their result, which is that the right security tradeoff is dependent on how you believe attackers will behave. This is somewhat unusual in two ways: first, it implies the need for a dynamic analysis, and second, that analysis will only function if we have data.

We often apply a very static analysis to attackers: they have these capabilities and motivations, and they will stick with their actions. This paper shows a real world example of a place where as attackers get more resources, they will behave differently, rather than doing more of what they did before. So actually operating a secure Tor system requires an understanding of how certain attackers are behaving, and how they choose to attack the system at any given time.

There's a sense in which this is not surprising, but these dynamic models rarely show up in analysis.

Bonus snark to the Colorado team: why don't you buy a botnet and see what you can break? (The Colorado team is the people Chris blogged about in "Ethics, Information Security Research, and Institutional Review Boards.")
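As an added example, not code from Murdoch and Watson's paper or from Emergent Chaos, the Python below makes the "attacker behaviour depends on the defence" point concrete with a deliberately simplified model: an adversary with a fixed bandwidth budget chooses how many relays to split it across, a circuit is compromised when both its entry and exit relay belong to the adversary, and the relay-selection policy is the defender's knob. The honest network, the budget and the bandwidth cap are constructed assumptions, and real Tor path selection has more rules than this.

```python
import random


def relay_weight(bandwidth, policy, cap=None):
    """Selection weight one relay gets under a given path-selection policy."""
    if policy == "uniform":          # every relay equally likely
        return 1.0
    if policy == "bandwidth":        # weight proportional to advertised bandwidth
        return float(bandwidth)
    if policy == "capped":           # proportional, but no relay counts above cap
        return float(min(bandwidth, cap))
    raise ValueError(f"unknown policy {policy!r}")


def evil_share(honest_bw, evil_bw, policy, cap=None):
    """Fraction of total selection weight held by the adversary's relays."""
    honest_w = sum(relay_weight(b, policy, cap) for b in honest_bw)
    evil_w = sum(relay_weight(b, policy, cap) for b in evil_bw)
    return evil_w / (honest_w + evil_w)


def compromise_probability(honest_bw, evil_bw, policy, cap=None):
    """P(entry and exit both adversary-controlled). Simplification: the two
    hops are drawn independently from the same weights; real Tor never reuses
    a relay within a circuit and has separate guard and exit rules."""
    s = evil_share(honest_bw, evil_bw, policy, cap)
    return s * s


def split_budget(budget, k):
    """Adversary runs k relays and spreads its bandwidth budget evenly."""
    return [budget / k] * k


def best_split(honest_bw, budget, policy, cap=None, max_k=200):
    """The adaptive move: the relay count that maximises compromise
    probability against this policy, returned with that probability."""
    def p(k):
        return compromise_probability(honest_bw, split_budget(budget, k), policy, cap)
    k = max(range(1, max_k + 1), key=p)
    return k, p(k)


def sample_compromise(seed, honest_bw, evil_bw, policy, cap=None, trials=20000):
    """Monte Carlo check of compromise_probability using weighted draws."""
    rng = random.Random(seed)
    relays = list(honest_bw) + list(evil_bw)
    weights = [relay_weight(b, policy, cap) for b in relays]
    first_evil = len(honest_bw)
    hits = 0
    for _ in range(trials):
        entry, exit_ = rng.choices(range(len(relays)), weights=weights, k=2)
        if entry >= first_evil and exit_ >= first_evil:
            hits += 1
    return hits / trials


# Constructed honest network: 100 relays of 10 units each (1000 units total);
# the adversary's budget of 100 units is one tenth of the honest capacity.
HONEST = [10] * 100
BUDGET = 100
CAP = 20

if __name__ == "__main__":
    for policy, cap in (("uniform", None), ("bandwidth", None), ("capped", CAP)):
        k, p = best_split(HONEST, BUDGET, policy, cap)
        print(f"{policy:9s}: adversary runs {k:3d} relays, "
              f"compromise probability {p:.4f}")
```

With these inputs, uniform selection rewards an adversary who runs as many tiny relays as it can, bandwidth-weighted selection makes the split irrelevant, and a bandwidth cap pushes the adversary to run exactly enough relays to sit at the cap. The same budget, three different attacker behaviours, each one the best response to the defender's choice; that is the dynamic the post is describing.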

"Dependence," Not "Addiction" [The Falcon's View]

Posted: 04 Aug 2008 09:56 PM CDT

addiction "the state of being enslaved to a habit or practice or to something that is psychologically or physically habit-forming, as narcotics, to such an extent that its cessation causes severe trauma" dependence "1. the state of relying on or...

Free Topo Maps from USGS [The Falcon's View]

Posted: 04 Aug 2008 09:48 PM CDT

Hey hey hiking/camping/outdoors fanatics! Guess what? You can now download topographical maps for free from the USGS. You can also order print copies from them for a few bucks, if you prefer. Cost of printing at home is your responsibility,...

MIT invents cheap energy storage? [Phillip Hallam-Baker's Web Security Blog]

Posted: 04 Aug 2008 07:05 PM CDT

When I saw the claim that a new, cheap means of energy storage had been found, my first response was 'says who'.

Then I discover that the claim comes from MIT, which makes something of a difference. Claims of this sort tend to fall short of reality. When the claim comes from the MIT press office it is rather more credible than when it comes from Fred Blogs working out of his garden shed.

While I was at Oxford the 'discovery' of cold fusion was the daily topic of conversation in the Nuclear Physics Lab coffee room for months as news came in from the nearby Rutherford lab's attempts to duplicate the result.

The first computer security related angle to the story is: provenance matters, especially on the Internet where anyone can join the conversation.

But the second angle is that energy management is one of the trickiest problems in data center design. In the case of a mission critical data center, energy security is part of the total security consideration. As a well known security expert put it to me, the electricity grid is the ultimate 'just in time' system. There is very little storage in the system and what little there is tends to be far from the places where it is used.

Monday Diversions: The Guild [The Falcon's View]

Posted: 04 Aug 2008 03:18 PM CDT

Ok, so, it's Monday, blah, back to work you slackers! :) I was catching up on my Google Reader this morning and ran across this Lifehacker interview with Felicia Day. In the intro of the article, it mentioned that she...

More thoughts on convention security [Network Security Blog]

Posted: 04 Aug 2008 11:08 AM CDT

Last year Didier Stevens wrote up some of the precautions he took for Black Hat Europe 2007. My work laptop is already using whole disk encryption, so I’m not worried about that and I’ve never put any sensitive information on my MacBook Pro. I’d say updating your OS and making backups before heading out are very high on my to-do list. I have Time Machine working on the MBP right now.


Solove's Understanding Privacy [Emergent Chaos]

Posted: 04 Aug 2008 10:43 AM CDT

Dan Solove sent me a review copy of his new book, "Understanding Privacy." If you work in privacy or data protection either from a technology or policy perspective, you need to read this book and understand Solove's approach. That's not to say it's perfect or complete, but I think it's an important intellectual step forward, and perhaps a practical one as well.

I'm going to walk through the chapters, and then bring up some of my responses and the reasons I'm being guarded.

Chapter 1 is "Privacy: A Concept in Disarray." It lays out how broad and complex a topic privacy is, and some of the struggles that people have in defining and approaching it as a legal or social science concept. Chapter 2, "Theories of Privacy and Their Shortcomings" lays out, as the title implies, prior theories of privacy. Having thus set the stage, chapter 3 "Reconstructing Privacy" is where the book transitions from a review of what's come before to new analysis. Solove uses Wittgenstein's concept of 'family resemblances' as a way of approaching the ways people use the word. Privacy (as I've commented) has many meanings. You can't simplify it into, say, identity theft. Solove uses family resemblances to say that they're all related, even if they have very different personalities. Chapter 4, "The Value of Privacy" points out that one of the reasons we're losing privacy is that it's often portrayed as an individual right, based on hiding something. In policy fights, society tends to trump individualism. (Which is one reason the Bill of Rights in the US protects the individual.) Rather than calling for better protection of the individual, this chapter explores the many social values which privacy supports, bringing it closer to equal footing, and providing a policy basis for the defense and enhancement of privacy because it makes us all better off.

Chapter 5, "A Taxonomy of Privacy" is the core of the book. The taxonomy is rich. Solove devotes seventy pages to expounding on the harms done in not respecting privacy, and discussing a balance between societal interests of privacy and the reason for the invasion. In brief, the taxonomy is currently:

  1. Information collection: Surveillance, Interrogation
  2. Information Processing: Aggregation, Identification, Insecurity, Secondary Use, Exclusion
  3. Information Dissemination: Breach of confidentiality, Disclosure, Exposure, Increased Accessibility, Blackmail, Appropriation, Distortion
  4. Invasion: Intrusion, Decisional Interference.
I've tried to apply this taxonomy to issues. For example, when I wrote "Call Centers Will Get More Annoying," I used the taxonomy, although not the words. There's surveillance, secondary use, increased accessibility and (what feels like a form of) intrusion. What the taxonomy doesn't do is capture or predict my outrage. I think that that's an important weakness, but it may well be asking too much. Solove's goals of a societal balance don't admit my outrage as a key factor. They can't. Outrage is too individual.

I'm also concerned that perhaps this isn't a taxonomy. If you read the old posts in my taxonomies category, you'll see that I spent a bunch of time digging fairly deeply into what taxonomies are, how they come about, how they're used and abused. I don't think that Solove's taxonomy really fits into the core of a taxonomy: a deterministic way to classify things which we find, which various practitioners can reliably use. As in my example of the call centers, the flaws are legion, and some of my classification may be wrong.

At Microsoft, we use STRIDE as a "taxonomy" of security issues (STRIDE is Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege). I think, as a taxonomy, STRIDE is lousy. If you know about an issue, it's hard to classify using STRIDE. The categories overlap. On the other hand, it's very useful as an evocation of issues that you might worry about, and the same may be said of Solove's taxonomy. I also don't have a superior replacement on hand, and so I use it and teach it. Taxonomy-ness is not next to godliness.

My other issue with Solove's taxonomy is that it doesn't recognize the issuance of identifiers, in and of itself, as a privacy issue. I believe that, even before the abuses start, there are foreseeable issues that arise from issuing identification numbers to people, like the Social Security Number. The act of enumeration was clearly seen as an invasion by the Englishmen who named the Domesday Book. The ability of the US government to even take a census is tied directly to the specified purpose of allocating legislative seats. I see it as self-evident, and haven't been able to find the arguments to convince Solove. (Solove and I have discussed this in email now and then; I haven't convinced him.)

Chapter 6 Privacy: A New Understanding closes the book with a summation and a brief discussion of the future.

The book has a strong policy focus. I am very interested in understanding how this new understanding intersects both broad laws and legal principles (such as the Fair Information Practices) and specific law (for example, HIPAA). The FIP, the OECD privacy statements, and Canada's PIPEDA all show up in the discussion of secondary use. I'm also interested in knowing if an organization could practically adopt it as a basis for building products and services with good privacy. I think there's very interesting follow-on work in both of these areas for someone to pick up.

I also worry that privacy as individual right is important. Even though Solove makes a convincing case that that's a weaker policy basis than the one he lays out, that doesn't mean it's not to be cherished as a social value, and I feel that the view of privacy which Solove presents is weaker to the extent that it fails to embrace this.

In closing, there are three major elements to the book: the first is to take us past the definitional games of "what is privacy." The second is a serious attempt to address the "what do you have to hide" approach to privacy. The third is the taxonomy. Two of these would have been a pretty good book. Three are impressive, even as I disagree with parts of it. Again, this is an important book and worth reading if you work in or around privacy.

Another off to Black Hat post [StillSecure, After All These Years]

Posted: 04 Aug 2008 09:55 AM CDT

Let me run with the pack and put up my own "off to Black Hat" post.  I leave Tuesday actually and won't get there until Tuesday evening.  I will be on a red eye home Thursday night/Friday morning.  In this way I don't break my own three day rule on Vegas.  What is my three day rule?  Suffice to say that it prevents me from spiraling down into the bowels of degeneracy.

So what am I looking forward to at Black Hat?  The Dan K / DNS stuff should be fun.  I will be cheering on my boy Hoff and I always sit in on Jeremiah.  But lets face it, I am there for the party and catching up.  I am looking forward to throwing a few back with Rothman.  Seeing Martin, Mogul and the rest of the bunch.  There are always good parties of course and free drinks and food never hurts.

Of course I will also spend some time at the StillSecure booth shaking hands and kissing babies.  If you would like to say hello feel free to stop on by.

Also, a quick thanks to all of the members of the SBN for their support on our Black Hat affiliation.  The last few weeks have seen a bunch of blogs raising the buzz on the conference.


NetSanity - how can we keep our children safe? [Roer.Com Information Security - Your source of Information Security]

Posted: 04 Aug 2008 07:37 AM CDT

A while back, I helped facilitate a group of parents to develop their knowledge and awareness related to their own and their children's use of the Internet.

And like most parents, I am also interested in this topic. How can I both ensure that my children are getting the most out of their use of the great resource called the Internet, while on the other hand keeping their hands clean and safe?

The group came up with a list of things to do - and we produced this small flyer. (Norwegian only). You may download the flyer directly.

What are your experiences with such groups? What rules have you made to help your children being safe online? Please share your thoughts!


New Terminology [GNUCITIZEN]

Posted: 04 Aug 2008 05:32 AM CDT

For my Black Hat talk I had to come up with some made-up terms in order to find sensible enough categories in which my material actually fits. So, I will put them all up here for feedback from the audience.

The Stare

Cross-context Request Forgery

CCRF (Cross-context Request Forgery) is the generalized form of CSRF (Cross-site Request Forgery). Although the general notion is that CSRF only applies to site-to-site types of attacks, the reality is very different. CSRF attacks can also be applied to application-to-application attacks and many other forms. I find that the word context is the most generic way of expressing the essence of the attack so this is what I use in the talk as well.

Cross-context Scripting

In a similar fashion to CCRF, Cross-context Scripting (XCS) is the generalized form of Cross-site Scripting (XSS). Many people are very ignorant when it comes to XSS attacks. They believe that they are only present within Websites. Well, in reality they are everywhere. This category will summarize all XCS attacks including vulnerabilities that affect Websites and other Client-side Web-based technologies.

Command Fixation Attacks

There is a growing trend of using features built into client-side technologies which allow attackers to execute commands on behalf of the user without authorization. I call them Command Fixation Attacks and in some cases even Parameter Fixation Attacks, as they are very similar to the Session Fixation Attacks well known in the Web security world. This section will describe numerous case studies within this category.

Needless to say, the talk will include a wide range of design bugs some of which you might be already familiar with due to the fact that I’ve already blogged about them on GNUCITIZEN. There will be several new exploits and design conditions which haven’t been discussed in the public yet.

Top 5 Must See Sessions at Black Hat [Infosec Events]

Posted: 04 Aug 2008 12:23 AM CDT

Black Hat USA is only a few days away, and I think the conference gets bigger each year. There are eight different tracks during the Black Hat Briefings, and many of the presentations sound interesting. Because there are so many choices, we decided to gather our top five picks for sessions you can’t afford to miss:

1) Black Ops 2008: It's The End Of The Cache As We Know It by Dan Kaminsky

DNS is at the heart of every network — when a web site is browsed to, it says where the site is, and when an email is sent, DNS says where to. The answer is usually correct — but not always. Six months ago, it became clear that there was an ancient design flaw, present in the original 1983 specification for DNS, that would allow any attacker to insert their own addresses for DNS names. An industry wide bug hunt commenced, culminating in a simultaneous release date of patches for virtually all platforms. We will talk about the issue, and about how a partnership between industry competitors and researchers helped protect all our customers.
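For readers who want to see why the coordinated 2008 fix (randomising the resolver's UDP source port in addition to the 16-bit transaction ID) matters, here is an added example; it is not part of the Infosec Events post or of Kaminsky's talk material. It models a cache-poisoning race: the resolver sends a query whose transaction ID (and, after the fix, source port) the attacker must match with a forged reply before the real one arrives. The guess counts, round-trip time and TTL below are assumptions chosen for illustration.

```python
import random

TXID_BITS = 16          # width of the DNS transaction ID field


def guess_space(port_bits):
    """Distinct (txid, port) values a forged reply might need to match.
    port_bits = 0 models a resolver that always queries from one fixed port,
    16 models full source-port randomisation."""
    return 1 << (TXID_BITS + port_bits)


def race_success_probability(guesses_per_race, port_bits):
    """One race: the attacker fires this many distinct forged replies before
    the authoritative answer arrives."""
    return min(1.0, guesses_per_race / guess_space(port_bits))


def expected_races(guesses_per_race, port_bits):
    """Mean number of races until a forgery lands (geometric distribution)."""
    return 1.0 / race_success_probability(guesses_per_race, port_bits)


def expected_seconds_to_poison(guesses_per_race, port_bits, seconds_per_race):
    """seconds_per_race is how long the attacker waits for a fresh race:
    the record's TTL if it keeps asking for the same name, but only about one
    round trip if every race asks for a new random name under the target zone,
    which is the point of the 2008 attack."""
    return expected_races(guesses_per_race, port_bits) * seconds_per_race


def simulate_until_poisoned(seed, guesses_per_race, port_bits, max_races):
    """Monte Carlo: race number at which a forged reply first matched the
    resolver's (txid, port), or None if max_races passed without a hit."""
    rng = random.Random(seed)
    space = guess_space(port_bits)
    for race in range(1, max_races + 1):
        secret = rng.randrange(space)                        # resolver's choice
        forged = rng.sample(range(space), guesses_per_race)  # attacker's distinct guesses
        if secret in forged:
            return race
    return None


if __name__ == "__main__":
    GUESSES = 200      # assumed forged replies the attacker lands per race
    RTT = 0.05         # assumed seconds per race with fresh random names
    TTL = 86400        # assumed seconds per race when waiting for the cache entry to expire
    for label, port_bits in (("fixed port", 0), ("random port", 16)):
        print(f"{label:12s} p(race)={race_success_probability(GUESSES, port_bits):.2e}  "
              f"fresh-name attack ~{expected_seconds_to_poison(GUESSES, port_bits, RTT):.0f}s  "
              f"TTL-bound attack ~{expected_seconds_to_poison(GUESSES, port_bits, TTL):.0f}s")
    print("fixed port, first hit on race", simulate_until_poisoned(1, GUESSES, 0, 20000))
```

Two things fall out of the numbers. The fresh-name trick removes the TTL from the equation, which turns a fixed-port resolver from "months" into "seconds". Port randomisation then multiplies the attacker's work by 2^16 whatever guess rate you assume; it does not make the race unwinnable, it makes it slow enough for rate limiting and monitoring for bursts of mismatched replies to matter. The simulation draws the resolver's value and the attacker's distinct guesses from the same space, so its hit rate agrees with the closed form.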

 

2) Xploiting Google Gadgets: Gmalware and Beyond by Tom Stracener and Robert Hansen

Google Gadgets are symptomatic of the Web 2.0 Way of things: from lame gadgets that rotate through pictures of puppies to calendars, and inline email on your iGoogle homepage. This talk will analyze the security history of Google Gadgets and demonstrate ways to exploit Gadgets for nefarious purposes. We will also show ways to create Gadgets that allow you to port scan internal systems and do various javascript hacks via malicious (or useful) gadgets, depending on your point of view. We’ve already ported various javascript attack utilities to Google Gadgets (like PDP’s javascript port scanner) among other things. We will also disclose a zero day vulnerability in Google Gadgets that makes Gmalware (Gmodules based malware) a significant threat.

3) MetaPost Exploitation by Val Smith

When penetration testing large environments, testers require the ability to maintain persistent access to systems they have exploited, leverage trusts to access other systems, and increase their foothold into the target. Post exploitation activities are some of the most labor intensive aspects of pen testing. These include password management, persistent host access, privilege escalation, trust relationships, acquiring GUI access, etc. Penetration testers acquire hashes, crack them, keep track of which passwords go with which usernames / systems and finally reuse this information to penetrate further systems.

This paper will first cover the technical details of these topics as well as some examples of manual methods currently in use during penetration tests. Next we will present some improvements to these techniques and demonstrate some tools we have developed which can be integrated with other popular applications such as Metasploit. We will also demonstrate automated methods for using collected password intelligence to penetrate massive numbers of systems. Finally we will suggest some future directions for this area.

4) The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation by Nathan McFeters, John Heasman, and Rob Carter

The dangers of client-side threats such as XSS and CSRF are well understood in the context of vulnerable web applications. Furthermore, the dangers of malicious script as a vehicle for exploiting browser flaws and reconnoitering the Intranet have been discussed at length. Now what if XSS and CSRF could be leveraged directly to compromise the host… by design?

Rewind a few years ago and the client-side landscape was somewhat different: research was focused on exploiting the complex interactions between components exposed by the browser. The security of the whole was defined as the sum of the weaknesses of the parts, namely JavaScript, Java, Flash, and anything accessible via a protocol handler. These types of attack gave way to direct browser flaws… after all, why carry out a multi-stage attack when you could trigger straight code execution? Fast forward to 2008: browser flaws are not going away in the foreseeable future but they are on the decline, and in a world of stack cookies, non-executable stacks and ASLR they are becoming increasingly hard to exploit. Which takes us back to the complexity issues. They never went away. In fact the situation has gotten worse spurred by the development of offline solutions such as Google Gears and Adobe AIR, the plethora of protocol handlers and an explosion of browser helper objects.

This double session presentation combines the research of four notable Black Hat presenters who have previously discussed client side exploitation from browser to rootkit. This combined with a rapidly increasing corporate interest in "outsourcing" applications to the browsers, this fast paced, entertaining, and novel presentation answers the question: should we really be building next generation applications on the shaky foundations of the browser?

This is NOT another talk focused on XSS or CSRF, it’s about issues and vulnerability classes that have not been discussed anywhere else. You get all of this from some legit, good looking security researchers, what more could you ask for?

 

5) Pushing the Camel Through the Eye of a Needle by SensePost

In 2007 SensePost demonstrated how DNS and Timing attacks could be used for a variety of attacks. This year we take those attacks further and show how small footholds in a target network can be converted into portals we can (and do) drive trucks through! With some updated SensePost tools, and some brand new ones, we will demonstrate how to convert your simple SQL Injection attacks (against well hardened environments) into point and click (well, type and click) ownage, how the framework management pages you never knew you had can double as our network proxies, and why despite all of the hype around SQL Server 2005, we still enjoy finding it behind vulnerable web applications. The talk is fairly technical and expects that the attendees understand the basics of Web Application and Web Browser based attacks. Attendees will leave with new attack vectors, a couple of new tools and some thoughts on future directions of these attacks.

We will be posting our picks for each time slot soon, and stay tuned for our coverage!
