So my trip to DC and Shmoocon was interesting, to say the least. I'm still not used to visiting somewhere I used to live. It's always amusing to actually know your way around (well, as much as I can with my messed-up sense of direction), and since my departure to sunny California I've really missed my old friends from DC, so meeting up with them was great.
I have to admit that I've always enjoyed cons -- the people, the free flow of ideas and concerns. It's great; I usually find something new and interesting to look into. This time I picked up Craig Nevill-Manning's thesis, which is the basis for most of Dan Kaminsky's work on using inferred structure with fuzzing. More in a later post.
Before The Con
My con experience started off by meeting Ben Laurie and helping him set up the Google table at the con. No sooner had we finished setting up than a woman accosted us regarding recruiter spam. Now, I'm not anywhere near the recruiters at work for the most part, so I'm not sure what they are or are not doing. Needless to say, this woman was upset. Ben took her information and said he'd look into it. Around this time I realized that I needed breakfast, so I'd wandered up to get coffee and some food from the Starbucks inside the Wardman Park hotel when I ran into Richard Bejtlich, who was looking for Chris Lee, who was speaking at a NovaSec meeting. So I abandoned my search for food and drink and crashed the meeting.
Chris Lee presented on various network monitoring and Honeynet-related projects. One of the more interesting projects was Flowtag. Basically it's a way of tagging flows that are extracted from a pcap. The idea is that you can improve analysis by subsequently looking at the tags other humans have applied to flows, and sort of have a del.icio.us of network data. Very cool, though I want it to have a rule language so that when I tag something I can then see if my pattern or tag could be applied elsewhere.
I ran into Kathy and, while talking to her, ran into Billy Hoffman. We ended up talking about some conversations we'd been having regarding a barrage of topics from JavaScript to honeyclients.
Day 1 Talks
H1kari -- Hacking the Airwaves with FPGAs
This talk was about using FPGAs (Field Programmable Gate Arrays) to enhance brute-force attacks against various wireless protocols such as WPA, WEP and Bluetooth. I'd seen H1kari talk on this before, so I didn't find myself learning a whole lot, other than that some hashes are computationally expensive to calculate on purpose, to discourage brute-force attacks. I think the real takeaway from the talk was that FPGAs are coming down in price. H1kari mentioned that their new ExpressCard-based FPGAs were about $1950 US. This means that the whole technology is easily within reach for a small company or determined individual. If the price comes down more, I wonder how long it will be before we hear that it's time to increase our key sizes?
Eoin Miller and Adair Collins -- Auditing Cached Credentials with Cachedump
This talk was disappointing. The main focus of the talk was the risks associated with Windows cached credentials. The talk started by introducing you to the need for cached credentials, followed by the implications of cracking a Domain Administrator's credentials on an unsuspecting laptop. The talk closed with a demo of using Cachedump. Questions from the audience centered around how long it takes to crack these hashes and what data constitutes the hash. The speakers seemed to disagree with each other about the contents of the hash.
Adam Shostack -- Security Breaches are Good For You
Adam's a very sharp guy and I highly recommend you read his blog.
The basic premise was that, with new legislation requiring companies to disclose breaches, we (as in the security community) now have new hard data that we can start using. This referenced California's SB 1386 as the law that started it all. Some points were made regarding the lack of standardization in terms of the information required to be disclosed. To quote Adam, "We can do science..." with this data. I especially like the idea of verifying the effectiveness of adding countermeasures. E.g. after a breach has been reported and a company has implemented some sort of countermeasures, do they get breached the same way again, or does the total number of reported breaches decrease? The caveat I see to this is that it's not entirely perfect, as your threats could just ignore you for a long while.
I wanted to see the keynote, but as I had a date (too long of a story for me to explain here), I went back to my hotel to get ready. The short of it is that this made my trip to DC complicated. I had a great time but found myself soul-searching on a few things.
Day 2 Talks
Matt Fisher, Cygnus and PresMike -- Web Application Incident Preparation
In fairness, the presenters made it clear that they didn't expect to give this talk until the last minute, so it came across as unpolished. However, I really found myself disliking this talk. They spent a lot of time trying to discuss how incident response for a web application is different from traditional incident response. I found myself walking out of this talk and then back in. Specifically, they brought up the fact that you have to look at logs and that traditional signs of an incident aren't present. This seemed obvious. To make IDS useful they talked about using canary values in your data, such that you could identify when it has left your webapp. Of course this led into the next topic, which was how SSL hampers your ability to identify attacks. Recommendations such as terminating SSL at an accelerator were passed around.
At about this time I was getting annoyed, so I walked out. Why was I annoyed? Because no one had bothered to discuss detection at the application layer. The SSL question becomes moot if you're willing to do some detection at the application layer; products like ModSecurity allow you to do just this in Apache. The downside of doing this is that it's a fairly large investment, requiring modification of software. However, the benefit of doing this is that you can effectively remove a choke point in your network, which allows you to scale. It also allows you to detect things even when load balancing is in play.
I thought not discussing the effects of load balancing was remiss. Even if I'm terminating SSL on an accelerator, if requests keep going to different datacenters or locations because of load balancing or some form of CDN, what can I actually detect? Another issue that comes into play with a large website is the size of the pipe: how effectively can I monitor a 1GB+ line?
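The canary check the presenters described, done at the application layer rather than on the wire, as an added example (this is my code, not code from the talk, and not ModSecurity, which would be the production home for such a rule): canary tokens are planted in the data store and every outbound response body is scanned for them before it leaves. The token format, the canary dictionary and the response records are constructed for this example. It also looks for the hex and base64 forms of each token, including base64 at all three byte alignments, because data rarely leaves an application unencoded and a scanner that only matches the raw string misses an encoded leak.

```python
import base64

# Constructed canary tokens: label -> value planted in the application's data store.
# The token format is an assumption of this example, chosen to be easy to match
# and unlikely to occur in legitimate content.
CANARIES = {
    "customer-row-4711": "CNRY-customer-row-4711-7f3a19c0b2ee",
    "staff-directory": "CNRY-staff-directory-0c55e1d9a47b",
}


def base64_forms(raw):
    """The three base64 alignments of raw, trimmed to the characters that depend
    only on raw's own bytes, so a canary is matched even when it sits mid-stream
    in a larger base64 blob rather than being encoded on its own."""
    forms = []
    for offset, drop in ((0, 0), (1, 2), (2, 3)):
        enc = base64.b64encode(b"\x00" * offset + raw).decode()
        forms.append(enc[drop:4 * ((offset + len(raw)) // 3)])
    return forms


def leak_signatures(canaries):
    """Every form each canary may take once it has left the application."""
    sigs = []
    for label, token in canaries.items():
        raw = token.encode()
        sigs.append((label, "raw", token.lower()))
        sigs.append((label, "hex", raw.hex()))
        sigs += [(label, "base64", form) for form in base64_forms(raw)]
    return sigs


def scan_response(sigs, body):
    """(label, encoding) for each canary signature present in one response body."""
    lowered = body.lower()
    hits = set()
    for label, enc, needle in sigs:
        haystack = body if enc == "base64" else lowered   # base64 is case-sensitive
        if needle in haystack:
            hits.add((label, enc))
    return sorted(hits)


def scan_responses(canaries, records):
    """Run the canary check over response records; one alert per hit."""
    sigs = leak_signatures(canaries)
    alerts = []
    for rec in records:
        for label, enc in scan_response(sigs, rec["body"]):
            alerts.append({"path": rec["path"], "status": rec["status"],
                           "canary": label, "encoding": enc})
    return alerts


# Constructed sample responses: a normal page, an error page that dumps a database
# row containing the canary, and an export whose base64 payload carries the canary
# at an offset that is not a multiple of three bytes.
TOKEN = CANARIES["customer-row-4711"]
SAMPLE_RESPONSES = [
    {"path": "/account", "status": 200, "body": "<html>Welcome back, alice</html>"},
    {"path": "/search", "status": 500,
     "body": "Unhandled exception in query: row=('alice', '%s')" % TOKEN},
    {"path": "/export", "status": 200,
     "body": base64.b64encode(b"prefix:" + TOKEN.encode() + b":suffix").decode()},
]

if __name__ == "__main__":
    for alert in scan_responses(CANARIES, SAMPLE_RESPONSES):
        print(alert)
```

Run against the sample, the error page is reported as a raw hit and the export as a base64 hit; the clean page produces nothing. Because the check sits inside the application it sees the plaintext regardless of where SSL terminates, and it works per node, so load balancing across datacenters does not blind it.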
Billy Hoffman -- JavaScript Malware for a Grey Goo Tomorrow
This talk was about Jikto, his JavaScript-based attack tool. I got called and paged during this talk, so I don't have the best of notes, as I had to leave the talk. I'll write something up for this after the slides come out.
Backbone Fuzzing by Raven
This talk was pretty good. The main focus was that there doesn't seem to be a lot of fuzzing being done on the backbone protocols, e.g. RIP, OSPF and company. Her research was started by a disclosed Cisco bug in which advertising a previous version of IOS in the packet would crash the infrastructure. The rest of the talk was on her methodology for how she'd go about fuzzing, and how she did just that with the General Purpose Fuzzer (GPF).
One complaint that Raven made was that it isn't easy to write fuzzers for protocols like BGP, RIP, etc. I really wanted to talk to her afterwards and point out Dug Song's dpkt, which makes packet crafting pretty simple. The crowds were big, so I never got a chance. I guess that's why there's email.
The audience got weird during the Q&A session for this talk. One member asked Raven why she was qualified to do backbone security when she couldn't keep her laptop secure at another con. This was a pointless question, and it seemed to show that fuzzing is a topic that many people have trouble following. However, it set the stage for encountering a hostile audience at the next talk I attended, which was Dan Kaminsky's.
Dan Kaminsky -- Weaponizing Noam Chomsky, or Hacking with Pattern Languages
I've seen Dan talk at cons for close to 4 years; he's always entertaining. Plus he usually gives me something fun to try and rewrite so I can understand all of the nuances of what he's saying.
This talk was a continuation of the talk he gave at Defcon. He started by making a quick point: "Why is fuzzing still useful in 2007?" He then proceeded to discuss context-free grammars and their applicability to machine-generated data. He then discussed Craig Nevill-Manning's work on inferring sequential structure from a sequence of data, and his implementation of Nevill-Manning's Sequitur algorithm. All of this led up to how Dan is using his implementation of Sequitur to help his fuzzing. Dan called this the CFG9000: the idea is that you feed it input, it figures out the symbols in the output, and it attacks the parser at the symbolic level. In other words his fuzzer gains a basic syntactical understanding of the data and then uses this to guide its data generation.
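The Sequitur algorithm that Dan's fuzzer builds on, as an added example (my own implementation, not Dan's CFG9000 and not Nevill-Manning's code): the grammar is built incrementally by feeding one symbol at a time and enforcing two constraints, that no digram (adjacent pair of symbols) appears twice anywhere in the grammar, and that every rule other than the start rule is used at least twice. Each rule's right-hand side is a ring of doubly linked symbols closed by a guard node, a dictionary indexes the single occurrence of each digram, and rule ids are never reused so a stale key cannot match. The names `Sequitur`, `infer_grammar` and `expand_grammar` are mine, and terminals are assumed to be single characters so that `expand_grammar` can tell rule names from data.

```python
class Symbol:
    # Node of a rule's doubly linked right-hand side: a terminal (value), a
    # nonterminal (rule) or the rule's guard node, which closes the ring.
    def __init__(self, value=None, rule=None, guard=False):
        self.value, self.rule, self.guard = value, rule, guard
        self.prev = self.next = None
        if rule is not None and not guard:
            rule.refs += 1                  # reference count drives rule utility
    @property
    def nonterminal(self):
        return self.rule is not None and not self.guard
    def key(self):                          # identity used for digram matching
        return ("R", self.rule.id) if self.nonterminal else ("T", self.value)

class Rule:
    counter = 0                             # ids are never reused, so stale keys cannot collide
    def __init__(self):
        Rule.counter += 1
        self.id, self.refs = Rule.counter, 0
        self.guard = Symbol(rule=self, guard=True)
        self.guard.prev = self.guard.next = self.guard

class Sequitur:
    def __init__(self):
        self.start = Rule()
        self.digrams = {}                   # digram key -> first Symbol of its occurrence
    @staticmethod
    def link(a, b):
        a.next, b.prev = b, a
    def insert_after(self, a, s):
        self.link(s, a.next)
        self.link(a, s)
    def dkey(self, s):
        return (s.key(), s.next.key())
    def remove(self, s):                    # unlink s and forget the digrams it was part of
        for d in (s.prev, s):
            if not d.guard and not d.next.guard and self.digrams.get(self.dkey(d)) is d:
                del self.digrams[self.dkey(d)]
        self.link(s.prev, s.next)
        if s.nonterminal:
            s.rule.refs -= 1
    def feed(self, value):                  # append one terminal to the start rule
        self.insert_after(self.start.guard.prev, Symbol(value=value))
        self.check(self.start.guard.prev.prev)
    def check(self, s):                     # digram uniqueness for (s, s.next)
        if s.guard or s.next.guard:
            return False
        m = self.digrams.setdefault(self.dkey(s), s)
        if m is s or m.next is s or s.next is m:    # new digram, or overlapping ("aaa")
            return False
        self.match(s, m)
        return True
    def match(self, s, m):
        if m.prev.guard and m.next.next.guard:      # m is an entire rule: reuse it
            rule = m.prev.rule
            self.substitute(s, rule)
        else:                                       # otherwise both occurrences get a new rule
            rule = Rule()
            for sym in (s, s.next):
                self.insert_after(rule.guard.prev, Symbol(sym.value, sym.rule))
            self.substitute(m, rule)
            self.substitute(s, rule)
            self.digrams[self.dkey(rule.guard.next)] = rule.guard.next
        for sym in (rule.guard.next, rule.guard.prev):   # rule utility
            if sym.nonterminal and sym.rule.refs == 1:
                self.expand(sym)
    def substitute(self, s, rule):          # replace digram (s, s.next) by a rule reference
        p = s.prev
        self.remove(s.next)
        self.remove(s)
        self.insert_after(p, Symbol(rule=rule))
        if not self.check(p):
            self.check(p.next)
    def expand(self, s):                    # splice a once-used rule back in place of s
        rule, left, right = s.rule, s.prev, s.next
        first, last = rule.guard.next, rule.guard.prev
        self.remove(s)
        self.link(left, first)
        self.link(last, right)
        for d in (left, last):
            if not d.guard and not d.next.guard:
                self.digrams.setdefault(self.dkey(d), d)
    def grammar(self):                      # rules reachable from S as {name: [symbols]}
        out, todo = {}, [self.start]
        while todo:
            r = todo.pop()
            name = "S" if r is self.start else "R%d" % r.id
            if name not in out:
                out[name], sym = [], r.guard.next
                while not sym.guard:
                    out[name].append("R%d" % sym.rule.id if sym.nonterminal else sym.value)
                    if sym.nonterminal:
                        todo.append(sym.rule)
                    sym = sym.next
        return out

def infer_grammar(data):
    """Sequitur grammar of an iterable of single-character symbols."""
    seq = Sequitur()
    for value in data:
        seq.feed(value)
    return seq.grammar()

def expand_grammar(g, name="S"):
    """Regenerate the input from a grammar, to verify the inference is lossless."""
    return "".join(expand_grammar(g, x) if x in g else x for x in g[name])
```

Feeding `abcdbcabcd` yields S -> R3 R1 R3, R3 -> a R1 d, R1 -> b c (the rule numbers vary with how many rules were created and discarded along the way). Each rule is a candidate structural unit of the input, which is the "symbolic level" the talk was getting at: a fuzzer that knows the units can vary them instead of flipping bytes.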
Dan also showed how one could use linguistic methods of comparison to find differences between subsequent versions of data. Namely, he used dot plots. (More on this in a future post.)
Like Raven's talk, the audience was somewhat hostile. The Shmooballs flew and Dan tried to get through his talk. Many of the questions and interruptions from the audience were off topic. For example, there was a tangent on whether or not PKI was in fact dead. Personally I found it annoying, but it was illustrative that the audience was not following what Dan was saying.
As to the quality of the presentation, I'm a little mixed in my review. I found it easy to follow Dan because I had talked to him about it the night before. Dan was moving very fast to try and cover the full amount of material he had, and I think the transitions weren't entirely clear. If I had to give advice to Dan I'd say: walk people through a few examples to make sure they follow you.
I'd love to see Dan's Sequitur linked up with some of the semantic web stuff, as I think he could use RDF and OWL for some cool things. (Again, more on this in a later post.)
Chris Paget -- WPAD: Proxy Attack
After Dan's talk this one seemed amazingly straightforward. Essentially the Windows Proxy Auto Detection protocol relies on names in WINS, NetBIOS, DNS and DHCP. By either registering the name WPAD.your.domain or winning the resolution race, an attacker can become the WPAD host and have everyone in a network trying to use them as their proxy.
Chris then showed his proxy, which could be used both to intercept this traffic and to conduct attacks on hosts using him as a proxy. All in all, very scary.
The problem here is that there isn't a way for the client to verify where its proxy information comes from, or even whether it makes sense for the client.
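A defender-side check that follows from Chris's point: if the client cannot verify where its WPAD answer came from, the network's name-resolution logs can. This is an added example, not code from the talk; the log layout, the approved-host set and the policy it applies (a WPAD answer that arrives over broadcast or multicast fallback resolution, NBNS or LLMNR, is always suspect because anyone on the segment can win that race; a DNS answer must point at an approved host; and one WPAD name resolving to two addresses in the window is a conflict) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed name-resolution log. The line layout (timestamp, protocol, queried
# name, requester, answer, responder) is an assumption of this example, not the
# output format of any real resolver or sensor.
SAMPLE_LOG = """\
2007-03-24T10:01:02 DNS   q=wpad.corp.example from=10.0.5.23 answer=10.0.1.10 by=10.0.1.2
2007-03-24T10:01:05 DNS   q=www.corp.example from=10.0.5.23 answer=10.0.1.40 by=10.0.1.2
2007-03-24T10:02:11 NBNS  q=WPAD from=10.0.5.31 answer=10.0.5.77 by=10.0.5.77
2007-03-24T10:02:12 LLMNR q=wpad from=10.0.5.31 answer=10.0.5.77 by=10.0.5.77
2007-03-24T10:03:40 DNS   q=wpad.corp.example from=10.0.5.40 answer=10.0.5.77 by=10.0.1.2
"""

LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\S+)\s+q=(?P<name>\S+)\s+from=(?P<client>\S+)"
    r"\s+answer=(?P<answer>\S+)\s+by=(?P<responder>\S+)$")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()


def is_wpad_name(name):
    """WPAD lookups are the bare name or wpad.<suffix> as the DNS suffix list is walked."""
    name = name.lower().rstrip(".")
    return name == "wpad" or name.startswith("wpad.")


def wpad_findings(log_text, approved_hosts, fallback_protocols=("LLMNR", "NBNS")):
    """Return (timestamp, kind, detail) tuples for WPAD answers that should not be trusted."""
    findings = []
    seen = defaultdict(set)                 # wpad name -> every address it resolved to
    for rec in parse_log(log_text):
        if not is_wpad_name(rec["name"]):
            continue
        seen[rec["name"].lower()].add(rec["answer"])
        if rec["proto"] in fallback_protocols:
            findings.append((rec["ts"], "wpad-over-" + rec["proto"].lower(),
                             "%s answered by %s" % (rec["answer"], rec["responder"])))
        elif rec["answer"] not in approved_hosts:
            findings.append((rec["ts"], "unapproved-wpad-host", rec["answer"]))
    for name, answers in seen.items():
        if len(answers) > 1:
            findings.append(("-", "conflicting-wpad-answers",
                             "%s -> %s" % (name, ",".join(sorted(answers)))))
    return findings


if __name__ == "__main__":
    for finding in wpad_findings(SAMPLE_LOG, approved_hosts={"10.0.1.10"}):
        print(*finding)
```

On the sample log with 10.0.1.10 as the only approved WPAD host, the two fallback answers from 10.0.5.77, the later DNS answer pointing at the same unapproved host, and the resulting conflict for wpad.corp.example are all reported; the lookup for www.corp.example is ignored. The same logic works on whichever resolver or sensor logs are actually available, once the parser is adapted to their format.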
Day 3 Talks
I wasn't feeling so good, so I didn't get to the conference until the last talk, which was about One Laptop Per Child, though I again left the talk to catch up with a few people at the last minute. I regret not seeing Ben Laurie speak.
Conclusion
Shmoocon was fun, though due to some aftermath from Friday night this visit was tainted for me. I look forward to it next year, though hopefully with less drama.