Microsoft's internal security conference BlueHat <http://technet.microsoft.com/en-us/security/cc261637.aspx> finished on Friday. I posted <http://www.mikeandrews.com/2008/10/13/its-bluehat-week/> earlier that I would do a write-up about it, so I'll briefly discuss the presentations I went to, and some of the other comings and goings of the conference. I'm told that some of the presentations will be up on TechNet later, so look out for those; I'll try to come back to this post and edit them in when they are available.
Tuesday

Although the conference didn't truly start until Thursday, there was a speakers' dinner held on Tuesday night. It was a small gathering at a restaurant in Seattle and allowed us to mingle with the other presenters and the people from Microsoft who put the conference together. I got to meet a few people for the very first time that I was really looking forward to talking to. Ashley Allen and Bryan Sullivan <http://blogs.msdn.com/bryansul/> were the first to welcome me, after Jeremiah Grossman and I talked him into letting us do a panel (in reality, Bryan thought it was a great idea) and Ashley organized everything for us (which for once was really easy for me, as I didn't have to travel or get a hotel to go to a con - score!). I spent a lot of the first part of the evening talking to Adam Shostack <http://www.emergentchaos.com/> about the state of the internet, current development practices, and how MSFT is addressing them (and can help other devs/orgs in the future). I also had a great discussion with Dave Weinstein <http://www.sff.net/people/olorin/> about vulnerability vs. exploitation (does it really matter if things aren't getting exploited? If a tree falls in the forest and there's no-one around, does it make a sound? How much are we getting exploited?). Dave has some great stats on the exploitation of World of Warcraft and how criminals are profiting from it quite easily (it's as close as you can get to a victimless and low-risk crime). I talked to the internet security celebrity of the year, Dan Kaminsky <http://www.doxpara.com/>, for some time, and it turned out that not only did we get on really well (he has very much the same personality as I do), but we discovered there are lots of tenuous links between us - people we know, places we've been, etc. I'm starting to see this "six degrees of separation" thing more and more - it's even fewer in a small community like computer security.
I wrapped up the evening hopping between a number of different conversations - please don't feel left out if I don't mention you here - I talked to a *lot* of people over the course of this week, and I'm only going to have space to write about a small subset of even the few I can still remember :)

Wednesday

Despite booking most of the week off from work so I could go to some meetings and meet/network with more people, guess what - I still had work to do for Foundstone. Ah, the joys of billable hours and last-minute scheduling difficulties :) In any case, another party in Seattle. I spent time with Danny Dhillon and the CSS guys - David Lindsay, Gareth Heyes <http://www.businessinfo.co.uk/> and Eduardo Vela Nava <http://www.sirdarckcat.net/> - as well as Alex K <http://kuza55.blogspot.com/>, on what seems to be the theme for me this week: "why the hell does it allow that". From triple-encoding an attack (for filter bypass) and the browser triple-decoding it, then executing the result!, to invisible iframes, to a:link CSS being allowed to contain 'expression(...)' and call out to a remote site, etc., etc. I couldn't think of a single legitimate use for any of these things (these guys couldn't either), and therefore the only usage is a malicious or unnecessary one. We finished off the night in a small loft that some of the guys at the party had invited us back to, listening to Frank Heidt <http://www.leviathansecurity.com/team.html#Frank_Heidt> explain the intricacies of the financial market, reselling non-existent "things", and how it was plainly obvious that this was all going to come crashing down; it was just a matter of when. Smart guy, Frank, and I'm looking forward to hanging out with him more.

Thursday

First day <http://technet.microsoft.com/en-us/security/cc748656.aspx#day1> of the conference proper.
Iftach "Ian" Amit's <http://www.aladdin.com/CsrtBlog/default.aspx> talk on modern crimeware was interesting, but being related to that field (listening to the McAfee guys) there was nothing that I didn't already know. Roelof Temmingh's <http://www.paterva.com> talk was about how much information you can glean from public sources, often starting with just an IP address / network footprinting. Once again I had some idea, but Roelof's tool <http://www.paterva.com/maltego/> really did open my eyes. There's a stunning amount of info out there, and with a good tool and visualization techniques it's possible to pull a lot of things together. This is certainly a demo to watch. Dan's talk (the DNS flaw) I had seen before, but I always find it entertaining to watch him. The CSS guys seemed to have a hard time presenting - not because they weren't good, but because this was the first time that they had ever physically been in the same place! The joys of the internet meant that they were able to research together for quite some time, but they didn't have the opportunity to rehearse or get everything together quite as smoothly as they might have liked (multi-presenter talks are hard). In any case, they had some cool things to show, but I couldn't help thinking "why do browsers support this" - it's clearly a malicious use of the spec, and I can't see why some of these things are in there anyway. It certainly drew awareness to the fact that turning JavaScript off isn't the end of it as a means of protection, and that CSS has to also be restricted in some way. The last two talks - Richard Johnson and Ian Hellen - were about visualization and code characteristics to find defects. I only partially caught these two talks on the remote display in the speakers' green room as I caught up with old-time friends Jeremy Dallman and Dave Ladd.
Throughout the day I was with Alex Smolen <http://keepitlocked.net/>, friend and fellow Foundstone consultant, so we went out for some dinner, talked about various work stuff, and then headed out to the last MSFT BlueHat community dinner/party. At this event I spent quite some time with Frank from Leviathan and some of his team/colleagues/friends, and also got to spend some time with one of my "security heroes", RainForestPuppy <http://www.wiretrip.net/rfp/>. This was a really nice meeting, as RFP was one of the first guys on the webapp security trail and got me thinking differently - he certainly helped me take the first few steps in my security interests. RFP was far nicer (and younger) than I imagined he would be. Ending the night, I managed to get a few words with Andrew Cushman and Jon Pincus <http://www.talesfromthe.net/>, mostly about "normal" life, blogging and the election - a nice (and welcome) change of topic.

Friday

Day 2 <http://technet.microsoft.com/en-us/security/cc748656.aspx#day2> was focused on the "building" rather than the day one "breaking" theme - Mark Curphey would have been proud <http://securitybuddha.com/2008/09/10/are-you-a-builder-or-a-breaker/> :) Danny and Adam started off the talks with quick discussions of how EMC and MSFT do threat modeling. It certainly looked like there were lots of obvious similarities between their two approaches. Adam highlighted the differences, and why EMC or MSFT chose to go down those routes because of different lines of business or process/security/developer maturity. Adam also showed the next version of MSFT's threat modeling tool (which we had been talking about at the first party), which is very cool and should make a big impact on the ease of threat modeling.
I would still like to see a "wizard-based" approach which non-security-aware developers could use, if only to get started, but as Adam suggested it would be a bit "boring" and "heavy-weight" to see that many questions, and that just didn't interest him in going down that path. Instead, users draw out the system and the tool suggests threats and things that haven't been put into the drawing. After seeing this demoed, I think it's a much better approach. The tool is internal for now but should be released free to the public in '09.

Matt Miller's talk focused a lot on how technologies like GS, DEP, ASLR, etc. help mitigate exploitation even if a vulnerability is discovered - layered defenses are certainly a must-have. This was another talk I only caught some of remotely in the speakers' room or in the corridors while catching up with people.

Scott Stender and Alex Vidergar from iSec Partners <http://www.isecpartners.com/> talked about concurrency attacks in web apps <http://www.isecpartners.com/files/iSEC%20Partners%20-%20Concurrency%20Attacks%20in%20Web%20Applications.pdf> [PDF]. At first I wasn't too interested in this - it's really hard to do any kind of deterministic testing on a webapp, so attacking concurrency (where timing is everything) is simply a difficult place to go. These guys showed how most web frameworks are not thread safe, and multiple users hitting a server can cause the traditional "lost update" race hazards. Lots of perf graphs showing the performance hit of locking, transactions, etc. (and thus the potential for DoS if "done correctly, but with a performance hit") got the point across. Takeaway - most web frameworks are not thread safe (and don't warn you about that fact), and it's something not many people think of. Also, because of database settings and transactions, doing this may not actually save you!

A bunch of guys from MSFT talked about fuzzing.
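Going back to the iSEC concurrency talk for a moment, here is the "lost update" hazard in miniature alongside the fix, as an added example that is not code from the post or from the talk. It assumes a constructed SQLite accounts table (one account, balance 100) and uses a barrier to force the interleaving that two simultaneous requests can produce on their own; the racy handler does its arithmetic in application code, the hardened one lets the database do it in a single conditional UPDATE. Wrapping the racy handler's two statements in an ordinary transaction would not rescue it under read-committed isolation, because both transactions still read the same committed balance before either writes.

```python
import os
import sqlite3
import tempfile
import threading


def make_db():
    """Constructed fixture: one account with balance 100 in a temporary SQLite file."""
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER)")
    con.execute("INSERT INTO accounts VALUES (1, 100)")
    con.commit()
    con.close()
    return path


def racy_spend(path, amount, barrier):
    """Vulnerable handler: read the balance, check and subtract in Python, write it back."""
    con = sqlite3.connect(path, isolation_level=None, timeout=10)  # autocommit
    (balance,) = con.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()
    barrier.wait(timeout=10)  # every handler now holds the same stale balance
    if balance >= amount:     # check passes for all of them
        con.execute("UPDATE accounts SET balance = ? WHERE id = 1", (balance - amount,))
    con.close()


def atomic_spend(path, amount, barrier):
    """Hardened handler: one conditional UPDATE, so check and write are serialised by the DB."""
    con = sqlite3.connect(path, isolation_level=None, timeout=10)
    barrier.wait(timeout=10)
    con.execute("UPDATE accounts SET balance = balance - ? WHERE id = 1 AND balance >= ?",
                (amount, amount))
    con.close()


def run_concurrently(handler, amount=10, workers=2):
    """Run `workers` copies of handler as parallel requests; return the final balance."""
    path = make_db()
    barrier = threading.Barrier(workers)
    threads = [threading.Thread(target=handler, args=(path, amount, barrier)) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = sqlite3.connect(path)
    (balance,) = con.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()
    con.close()
    return balance


if __name__ == "__main__":
    print("racy handler, two requests of 10 from 100:", run_concurrently(racy_spend))  # 90
    print("atomic handler, same two requests:", run_concurrently(atomic_spend))        # 80
```

With the racy handler the final balance is 90 no matter how many requests race, because each one overwrites the others with the value it computed from the same stale read; the atomic handler deducts every request.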
I didn't learn a whole lot technically here, but it was interesting to see how MSFT does fuzzing, and some of the stats - there are some "break-even" points or "guidance" on the number of iterations vs. bugs left to find, but it seems that there's no upper limit. Some tools are better than others (no surprise there), but there's no one great tool (although SAGE seemed to be the best and won the "fuzzing olympics" - medals were handed out :)). Random fuzzing is better than "intelligent" fuzzing (where the tool knows the file/protocol structure), which is certainly unintuitive, but something I learnt quite some time ago.

Vinnie Liu <http://www.stachliu.com/> talked about the trade-offs in tools (and humans) during a code review/pen test. Once again, nothing new for me - I've learnt and preached all these lessons - but it was a fun and engaging talk. I've asked Vinnie for a copy of his slides because there were some great classic humor slides in there - I'll post (and comment) on them if he does send them to me.

Finally, and closing the conference, was the WAF vs. SDL Shootout panel: myself, Nate McFetters <http://natemcfeters.blogspot.com/>, Gareth Heyes and Kevin Overcash <http://www.whitehatsec.com/home/abt/team.html> (poor guy - he was to "defend" WAFs, but ended up being just as critical as all of us!) fielding questions from Bryan Sullivan and the audience. The main questions were...

* Earlier this year, over one million sites fell victim to an automated SQL injection attack. The vast majority of affected pages were classic ASP pages. While we don't have statistics, it can be assumed that many if not most of these pages were no longer being actively developed. If you were called in as a consultant by one of these sites to fix the problem, what do you do? Do you recommend a WAF or a change to the code? Or both? Would your answer to this question change if the site in question was still being actively developed?
* Five years ago, black-box scanning was the "magic pill" that would solve security problems. Then source analysis became more popular. Pentesting has always been important. While none of these approaches are perfect, they each have definite benefits, and more to the point: each of these activities is now part of the SDL (at least the Microsoft SDL). Should we end the feud between the SDL camp and the WAF camp by mandating WAF usage in the SDL?

* Imagine that someone invents a perfect WAF. It blocks all known attacks with a 0% false negative and 0% false positive rate. Do we now abandon previously mandated secure coding practices like validating input? If not, how do you justify spending developer time on this activity? How would you justify spending tester and pentester time on security testing?

The discussion went all over the place, and I can't remember all of the answers or points that each of us raised (although I did pull out the "silver bullets and Jack and the Beanstalk <http://www.mikeandrews.com/2008/01/14/silver-bullets-or-magic-beans/>" allegory at one point). I hope there's some audio somewhere, as there were some good, well-reasoned arguments. If I can find some time and anyone is interested (i.e. the audio doesn't go up), I'll see if I can come back and fill this in a bit more.

There was one final party hosted by IOActive <http://ioactive.com/>, but by then I was far too knackered for another night on the town (and I'm told that the IOA parties can get a bit out of hand!), so I headed home and crashed out - nice to (finally) get to bed in the same 24 hrs in which you woke up, but there was still the mountain of emails and RSS items I had to dig out of over the weekend. Thanks to all the people that I met and had great discussions with. Also a big thanks to Bryan for the invitation and Ashley for organizing everything for the speakers.
I had a fantastic time, and it confirmed that one of the reasons I moved up to Seattle - meeting interesting people and being engaged in the community again - really was worth it. I look forward to seeing all these people again, and if anyone is in the area, visiting, or has time to chat, and wants to hook up, by all means get in contact.