cat slave diary

Category: Security

  • Defcon is dead, long live Defcon

    Well, that was Day 3 of Defcon out of the road. I didn’t get to see too many actual talks due to the hallway track being far more interesting than the actual three track program. Again, few webappsec talks, and some were repeats of the BH talks I’d already seen.

    I caught up with a few fine folks, including Jeremiah Grossman, TC, RSnake, Arian Evans (possibly the funniest infosec guy I’ve ever met!), Dinis and more! It was a total hoot, and we did a lot of good work^Wdrinking.

    The more esoteric talks were right up there. I wanted to go to Peter Gutmann’s talk on phishing, but unfortunately it was far too early after the night before. Luckily, I have the slides in PDF form, and soon we will have the DVD at work, so that’s no biggie.

    The biggest change is the venue. The new location at the Riveria is excellent – it’s still old and crusty which is a la Defcon at Alexis Park, but it has *air conditioning* and it can handle zillions of geeks in the manner which they are accustomed – ie without bathing.

    However, the smoking problem is worse than ever. I made my most valiant of efforts to kill them all using my onion ring with crab cake special edition flatus, but unfortunately, it backfired late at night thus causing me more grief than any of the smokers. When will conference organizers equate smokers == law suits for obvious and gross negligence when the dangers of said disgusting habit are well known?

    In other news, Tanya picked up a huge stogy for her old man.

  • BlackHat Day 2

    Day 2 had a complete web app sec track. This is a huge change from last year, where there was like … my talk and that was about it. And you know what? It was full! Every session I’ve attended so far today has been near full. Plus, it’s top material.

    Let’s get on with the details.

    Hacking Intranet Websites from the Outside “JavaScript malware just got a lot more dangerous”

    Jeremiah Grossman & TC Niedzialkowski

    The Register missed the boat – they went to the wrong talk. They should have gone to this talk instead.

    Jeremiah and TC showed a bunch of demos which totally 0wned the browser of the victim. This talk was downright scary. They did a basic CSRF attack against a DSL router (incidentally, the model I have at home – luckily I *have* changed the default password), and demo’d the ability to make the victim’s browser the attacker’s complete biatch.

    Essentially, you can do two things:

    a) don’t go to any sites
    b) turn off the Internet

    They didn’t even use the Ajax stuff which is now possible, such as using cross-domain XHR and Flash based arbitrary header re-writes and forgery, which when taken together essentially mean that an attacker has an extremely wide array of vulnerable sites, such as MySpace and others, to send hostile code to your computer to do with as they please. I am certain this is how the malicious mofos behind commercial / organized crime spamming and bot nets will try to infect millions of boxes over the next few years.

    Ajax talks

    These two talks were interesting, but didn’t extend the state of the art much beyond where I was back in February. All of the next three talks had overlapping content, which got a bit monotonous by the end.

    “AJAX (in)security”
    Billy Hoffman

    Billy talked about four areas of Ajax security, but my favorite was how he extended the method of using mash ups to be evil via the mash up proxy and hide where you’re from. That’s cool. Billy did go a little bit further with an idea to use Ajax to create a proper worm, but used the ol’ MySpace worm and the Yahoo mail worm to show previous examples.

    Billy’s talk was energetic and he talked at a thousand miles an hour. He could have done with some demos. I had a chat with him before the talk, and I think there’s some potential there to collaborate on future stuff.

    “Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0”
    Alex Stamos & Zane Lackey

    With Ajax stuff, it is necessary to bootstrap the audience … this year. The guys went through the basics of Ajax … again … and then went on to talk about the problems as they saw them. Again, not much new here, but at least there was a look at different frameworks, particularly Java based frameworks. I’ve mostly looked at PHP frameworks, so this was pretty interesting.

    The guys ran out of time, and so didn’t talk long enough about the methods to prevent attacks. It’s not hard for the main part, but too little detail doesn’t help the BlackHat audience (who are mainly security geeks at larger corporations) who want to know the problem … and the solution. At DefCon, you don’t have to worry about the solution as they’re just interested in the problem.

    “Six Degrees of XSSploitation”
    Dan Moniz & HD Moore

    This talk was interesting as HD Moore and Dan Moniz are relatively (in-) famous. However, it was a fairly lightweight presentation, again introducing XSS and Ajax and the MySpace worm. There was some good material in here, potentially looking at things you can do once you’ve found yourself a nice juicy XSS.

    I would have liked to hear more about the ActiveX null pointer execution thing that is apparently coming out next week, but obviously that one is under NDA. HD took a back seat to Dan most of the time, but that’s okay – they imparted a lot of information in not much time.

    “Analysis of Web Application Worms and Viruses”
    Billy Hoffman

    Placeholder

  • Blackhat Day 1

    “TBA” – David Litchfield

    David did a talk on the problems with Informix. Awesome talk, and shows that all database servers are vulnerable. He totally 0wned his server in a set of well rehearsed demos.

    I don’t use Informix so it wasn’t that useful to me, but a take home message is total props to IBM for solving these problems. Oracle can learn a few things from IBM on how to listen to professional security researchers, and fix stuff in a reasonable time frame.

    “How to Unwrap Oracle PL/SQL”
    Pete Finnigan

    Pete went through the basics of figuring out how to unwrap (decode) PL/SQL. I’ve just finished doing a major PL/SQL code review, and I was hoping it was about how to do good code reviews of this language. It turns out that some folks encode their PL/SQL (which is essentially Ada with some extensions) to obfuscate the source. We don’t do that, so I found this stuff pretty dull. However, I’ll keep it filed away in case we get some third party code which has been “wrapped”.

    Wrapping is an encoded form of DIANA. Pete showed how to decode this representation from the raw bytes stashed by Oracle. He also had some unkind words for the tools which supposedly decode this stuff today.

    Lastly, 10g went backwards. They don’t use this method, instead favoring just base64 encoding. That’s cool, as it makes it easier to decode stuff in 10g.

    Oracle Rootkits 2.0: The Next Generation
    Alexander Kornbrust

    Awesome talk. More when I have time to get my thoughts together. Take home point: take the time to secure your database servers, and isolate them.

    Hallway track

    So awesome to be here and meet the folks who do the research. I met a bunch of really smart folks and did a bit of an interview. If it comes out, I will update this entry.

  • OSCON

    Work: I owe my boss a huge beer (and a document) and an apology when I get back to Australia.

    Personal life: in the dog house. I got very little sleep these last few days, and I bet my other half is feeling far worse than me. Hopefully, she can come to Vegas so we can sort things out.

    OSCON: Awesome.

    My presentations went down well. I’ll upload the new presentations soon, but the Ajax Security demo went off really well. The room was overflowing with folks, so I’m really chuffed that so many of you decided to come.

    I’ll put up the Ajax XSS demo I did later, but please be aware that these demos are INSECURE by design, and only to test them on your internal systems. The trick is to:

    <img src="kitty.jpg" onLoad="... your javascript attack here ...">

    People forget there’s literally hundreds and possibly millions of ways to do XSS. Do NOT look for script or Javascript and think you’re done. That’s stupid. Make the output safe, it’s faster, it’s simpler, and it works.

    People

    I met so many folks who I had spoken to over the net, or e-mailed. Everyone is so nice and friendly, it’s incredible to meet the greats. I really enjoyed catching up with Chris and Laura, met the Schlossnagles for the first time (cool dudes, cute kids :), and of course, Wez.

    Unfortunately, due to the bad things going on in my personal life, I could not bring myself to hang out after hours as I was feeling extremely down, but life goes on. I was hoping to go out to Portland a bit more; maybe next time.

    Talks

    I went to a fair few webappsec related talks, and it’s truly gratifying to me that the developers had an entire stream dedicated to it. I really enjoyed the PHP Security hoe down – we had a wack job in the back row causing a bit of a stir, but after he left, the hour really flew.

    Portland

    I’ve never been here before. It’s a very nice city, great public transport. I’ll post some images soon as it’s very pretty this time of the year. It was a bit hot when I got here (about 40C) but it soon cooled down to mid 20’s and I’ve been happy with that. 🙂

    A friend through newbeetle.org picked me up from the airport last Sunday, and we went to her place and hung out for a while. She invited over a friend of hers, and I got to see her and her hubbie’s New Beetles (a nice Turbo S and a unired NBC), and her friend’s green Gecko TDI New Beetle. Very nice – I wish we could get that color in Australia. We had breakfast on Friday morning even though I was extremely tired (no sleep) and a bit sad, and she picked me up this morning to take me to the airport. I’m so impressed, I wish I could say I was as good a host when I have folks visiting. Thanks, Debbie – you set the standard!

    Next steps

    I’m off to SF next. I’m at the airport now. I have to spend a few hours this weekend getting stuff together to meet the CSO of a major partner of work’s, like running through the ESA presentations and ensuring that we have something constructive to talk about. I might need to go to Kinkos tomorrow and print off a few things unless my hotel has a printer I can use.

  • Press: Q&A on Ajax / SOA Security

    Colleen Frye from SearchAppSecurity.com, interviewed me via e-mail a couple of weeks ago on the OWASP Ajax security research and materials I’ve been pumping out. Although she asked for brief answers, to paraphrase Mark Twain, I didn’t have the time to write shorter answers.

    The results are now available for your reading pleasure.

    Part 1
    Part 2

  • A quickie

    Here’s a single slide from the PHP security architecture slide deck. When I’ve sorted myself out in terms of demos for OSCON, I will release the entire thing when it’s in better shape (and smaller for the web – this Keynote theme seems particularly heavy).

    Slide 9 (1.2 MB, pdf)

  • PHP Security Architecture

    [ EDIT: a comment I wrote in this entry referred to Laura Thomson as one of the reviewers of the OWASP Top 5 article. Although I have discussed other PHP related things with Laura, this article is not one of them. I’ve carefully reviewed my Sent folder during this time, and I’ve updated the reviewers in the article on the OWASP website. I apologize to Laura for bringing her into this sordid affair. ]

    I have a comprehensive PHP security architecture for PHP 6 I’ve been developing, which I wanted to present to Chris for his comment, and if he felt it was good, possibly then ask Rasmus and Andi for a beer or two whilst I am at OSCON.

    However, I’ve just had a very disturbing e-mail conversation with Stefan Esser, PHP security researcher, founder of Hardened PHP, and one of the initiators of security@php.net. He posted from his php.net address, so I imagine he was talking to us (as in OWASP) in his PHP security bod at large capacity, but I’m not sure.

    I’m now basically convinced that there is just no point trying to make PHP safe. The people involved are too poisonous and arrogant to change, therefore PHP will not change and become safe. My architecture would be attacked viciously but nothing would be done to put something like it in place. And without a decent architecture (mine or someone else’s), PHP is no safer than it is today, which is to say – not safe at all unless you know what you’re doing and can control php.ini, something most shared host users do not have the luxury.

    The best bet for PHP is to kill it by letting the current development team make PHP 6.0 into even more of a niche that PHP 5.x is, and ensure that hosters become more and more locked into the insecure PHP 4.x. When the hosters get sick of rebuilding their virtual hosts all the time, it will become uneconomical to allow PHP to be on their hosts. They will take it off, and ask people to move to safer languages / frameworks.

    It’s time for PHP to die.

    Update… I’m not going to re-write history, so I’ve left the above text for you to see.

    However, it’s not fair to the PHP community that we security folks argue amongst ourselves whilst their apps continue to fall victim to the same attacks, time after time. I will spend more time on the architecture and create a BoF at the conference to present it after spreading it around my coterie of PHP friends for advice and comment. I’d love to have everyone who has been so passionate about this article come see us at OSCON and see what I have in mind.

  • OSCON 2006 – See you there!

    Just a quick note as to the quietness of the blog. I’m working on a few things:

    • my slides for OSCON (webappsec 150 tutorial, and updating my Ajax presentation to include the latest research and make it a bit more (ahem) controversial to liven things up)
    • doing demos for the above
    • my slides for OWASP Melbourne, July 2006 meeting (this coming Wednesday! Details)
    • reconstructing my work laptop
    • the OWASP membership packs and other executive director project items
    • administrating Aussieveedubbers
    • writing a fresh Ajaxy UltimaBB installer
    • writing a proposal for a workable security architecture for PHP 6 which I want to present to Chris when I go to OSCON, and maybe earn myself an audience with Rasmus and the other PHP luminaries to discuss it over a beer or two and thus decrease my trolliness to those folks.

    and plus Tanya would like my body sometime as well. I’ve given up TV. Woe is me!

    See you at OSCON 2006.

    I’m also making an appearance at BlackHat and Defcon, and will be in SF in between those two conferences, and possibly in Salt Lake City before OSCON (depends on work). If you want a Thawte Notarization for the Web of Trust (free *real* fully trusted S/MIME certificates!), please bring photocopies of your photo ID and I’ll do it for free.

  • Updated Ajax Security presentation

    I’ve updated the Ajax presentation to the slide deck I gave at OWASP EU. New pictures. More content. More size! (4.3 MB)

    Get it here:

    Ajax Security (4.3 MB PDF)

  • OWASP EU – Day 2

    Excellent day again.

    I’m still waking up far too early, but that’s okay, particularly since I had still to complete my Day 2 keynote slides, much to Dave’s disgust.


    – Leuven University

    The keynote went well, but I finished what I thought was early, when in fact, it was dead on time. This left Ivan Ristic with much less time than he had intended. 🙁

    Ivan’s talk was pretty cool – he went through the stuff you’d expect of the author of the open source web application firewall, mod_security, discussing the four major features of the software. I’ve used it before in a DDoS attack, and it worked well.

    After the morning break, I went to the invited papers track. I think this was a good idea, and the quality of the ideas was good. I think it allowed people who are not conference whores like myself to get up and speak. And considering that only a small percentage of the attendees are native English speakers, I was pleasantly surprised at the quality of the English at the conference. Awesome.

    The session riding talk was cool, but again, they’re using a non-mainstream technology to fix the problems. I think people really need to start using the major technologies which are weak rather than using esoteric languages which take their fancy. PHP needs a lot of help, for example.

    After lunch, I went to Dinis’ tool heavy presentation on the stuff he’s made this last year. Awesome tools. Might see if they work under Mono on the Mac. Except for the report generator, which is basically a waste of time. As a customer I HATE (and I mean I will return your report and not pay you HATE) getting nessus or other tool output auto-gen’d from XML into PDF. I don’t pay the pound for my reports. I prefer short (10-20 page) reports which tell me what is wrong, carefully considered and rated. This is something that can be done in Word more easily than Dinis’ tool. I’m sure Dinis’ report writing tool (he’s a total XML freak 🙂 works for his customer, but I’m not interested. If it gets out in the big bad world, I hope it doesn’t catch on. Our value is our skilled interpretation, not 1000 page automated reports.

    After the last break, there was a panel discussion, which was far more lively than the previous day when everyone agreed with each other. It was hard as Gunnar let people speak who had more than their turn. There was one particular lady who just butted in all the time. I had my hand up for half an hour before I could a word in edge ways, thus not allowing me to state a couple of points about user security education which I vehemently disagreed with, but couldn’t as the flow had moved on. Oh well. I’ll butt in next year – being a good guy does not pay off if you want to be heard. Despite this, it was a good and lively session.

    Dave finished the conference up. After we had finished, Pravir Chandra and I went out to dinner. I wished a few more could hang around, but many needed to get on flights home, and several wanted to go back to Brussels for food. We had a good meal in the center of the old city. Awesome food.

    I think it was extremely valuable as a conference. If I can, I’ll be back next year.