A whole pile of terms I have never heard of, all new stuff. Would someone step up and give a rundown?

大风 wrote:
> Microsoft's internal security conference BlueHat
> <http://technet.microsoft.com/en-us/security/cc261637.aspx> finished on
> Friday. I posted <http://www.mikeandrews.com/2008/10/13/its-bluehat-week/>
> earlier that I would do a write up about it, so I'll briefly discuss the
> presentations I went to, and some of the other comings-and-goings of the
> conference. I'm told that some of the presentations will be up on TechNet
> later, so look out for those and I'll try and come back to this post and
> edit them in when they are available.
>
> Tuesday
> Although the conference didn't truly start until Thursday, there was a
> speakers' dinner held on Tuesday night. It was a small gathering at a
> restaurant in Seattle and allowed us to mingle with the other presenters and
> people from Microsoft that put the conference together. I got to meet a few
> people for the very first time that I was really looking forward to talking
> to. Ashley Allen and Bryan Sullivan <http://blogs.msdn.com/bryansul/> were
> the first to welcome me after Jeremiah Grossman and I talked him into
> letting us do a panel (in reality, Bryan thought it was a great idea) and
> Ashley organized everything for us (which for once was really easy for me as
> I didn't have to travel or get a hotel to go to a con – score!). Spent a
> lot of the first part of the evening talking to Adam Shostack
> <http://www.emergentchaos.com/> about the state of the internet, current
> development practices, and how MSFT is addressing them (and can help other
> devs/orgs in the future). Also had a great discussion with Dave Weinstein
> <http://www.sff.net/people/olorin/> about vulnerability vs exploitation
> (does it really matter if things aren't getting exploited? If a tree falls
> in the forest and there's no-one around, does it make a sound? How much
> are we getting exploited?) Dave has some great stats on the exploitation of
> World of Warcraft and how criminals are profiting from it quite easily (it's
> as close as you can get to a victimless and low-risk crime). Talked to the
> internet security celebrity of the year, Dan Kaminsky
> <http://www.doxpara.com/>, for some time and it turned out that not only did
> we get on really well (he has very much the same personality as I do), but
> discovered there's lots of tenuous links between us of people we know, places
> we've been, etc. Starting to see this "6 degrees of separation" thing more
> and more – it's even less in a small community like computer security.
>
> Wrapped up the evening hopping between a number of different conversations
> – please don't feel left out if I don't mention you here – I talked to a
> *lot* of people over the course of this week, and I'm only going to have
> space to write about a small subset of even the few I can still remember :)
>
> Wednesday
> Despite booking most of the week off from work so I could go to some
> meetings and meet/network with more people, guess what – still had work to
> do for Foundstone. Ah the joys of billable hours and last-minute scheduling
> difficulties :) In any case, another party in Seattle. Spent time with
> Danny Dhillon and the CSS guys - David Lindsay, Gareth Heyes
> <http://www.businessinfo.co.uk/> and Eduardo Vela Nava
> <http://www.sirdarckcat.net/> as well as Alex K
> <http://kuza55.blogspot.com/> - on what seems to be the theme for me this
> week - "why the hell does it allow that". From triple encoding an attack
> (for filter bypass) and the browser triple decoding, then executing the
> result!, invisible iframes, a:link CSS being allowed to have
> 'expression(…)' and calling out to a remote site, etc, etc. All of these
> things I couldn't think of a single legitimate use of (these guys couldn't
> either), and therefore the only usage is a malicious or unnecessary one.
> Finished off the night in a small loft where some of the guys at the party
> had invited us back to, listening to Frank Heidt
> <http://www.leviathansecurity.com/team.html#Frank_Heidt> explain the
> intricacies of the financial market, reselling non-existent "things", and
> how it was plainly obvious that this was all going to come crashing down, it
> was just a matter of when. Smart guy Frank, and looking forward to hanging
> out with him more.
>
> Thursday
> First day <http://technet.microsoft.com/en-us/security/cc748656.aspx#day1>
> of the conference proper. Iftach
> <http://www.aladdin.com/CsrtBlog/default.aspx> "Ian" Amit's talk on modern
> crimeware was interesting, but being related to that field (listening to the
> McAfee guys) nothing that I didn't already know.
>
> Roelof Temmingh's <http://www.paterva.com> talk was about how much
> information you could glean from public sources, often just starting with an
> IP address / network footprinting. Once again, I had some idea, but
> Roelof's <http://www.paterva.com/maltego/> tool really did open my eyes.
> There's a stunning amount of info out there, and with a good tool and
> visualization techniques, it's possible to pull a lot of things together.
> This is certainly a demo to watch.
>
> Dan's talk (the DNS flaw) I had seen before, but I always find it
> entertaining to watch him.
>
> The CSS guys seemed to have a hard time of presenting – not because they
> weren't good, but this was the first time that they had ever physically
> been in the same place! The joys of the internet meant that they were able
> to research together for quite some time, but didn't have the opportunity
> to be able to rehearse or get everything together quite as smoothly as they
> might have liked (multi-presenter talks are hard). In any case, they had
> some cool things to show, but I couldn't help keep thinking "why do
> browsers support this" – it's clearly a malicious use of the spec, and I
> can't see why some of the things are in there anyway. Certainly drew
> awareness of the fact that turning Javascript off isn't the end of it and a
> means of protection, and that CSS has to also be restricted in some way.
>
> The last two talks – Richard Johnson and Ian Hellen – talked about
> visualization and code characteristics to find defects. I only partially
> caught these two talks from the remote display in the speakers' green-room as
> I caught up with old-time friends Jeremy Dallman and Dave Ladd.
>
> Throughout the day I was with Alex Smolen <http://keepitlocked.net/>,
> friend and fellow Foundstone consultant, so we went out for some dinner,
> talked about various work stuff, and then headed out to the last MSFT
> BlueHat community dinner/party. At this event I spent quite some time with
> Frank from Leviathan and some of his team/colleagues/friends, and also got
> to spend some time with one of my "security heroes", RainForestPuppy
> <http://www.wiretrip.net/rfp/>. This was a really nice meeting as RFP was
> one of the first guys on the webapp security trail and got me thinking
> differently – certainly helped me take the first few steps in my security
> interests. RFP was far nicer (and younger) than I imagined he would be.
> Ending the night I managed to get a few words with Andrew Cushman and Jon
> Pincus <http://www.talesfromthe.net/>, mostly about "normal" life, blogging
> and the election – a nice (and welcome) change of topic.
>
> Friday
> Day 2 <http://technet.microsoft.com/en-us/security/cc748656.aspx#day2> was
> focused towards the "building" rather than the day one "breaking" theme –
> Mark Curphey would have been proud
> <http://securitybuddha.com/2008/09/10/are-you-a-builder-or-a-breaker/> :)
>
> Danny and Adam started off the talks with quick discussions of how EMC and
> MSFT do threat modeling. It certainly looked like there were lots of
> obvious similarities between their two approaches. Adam highlighted the
> differences, and why EMC or MSFT chose to go down those routes because of
> different lines of business or process/security/developer maturity. Adam
> also showed the next version of MSFT's threat modeling tool (which we were
> talking about at the first party), which is very cool and should make a big
> impact in the ease of threat modeling. I would still like to see a "wizard
> based" approach which non-security aware developers could use if only to get
> started, but as Adam suggested it would be a bit "boring" and "heavy-weight"
> to see that many questions, and it just didn't interest him to go down that
> path. Instead, users draw out the system and the tool suggests threats and
> things that haven't been put into the drawing. After seeing this demoed, I
> think it's a much better approach. The tool is internal for now but should
> be released free to the public in '09.
>
> Matt Miller's talk focused a lot on how technologies like GS, DEP, ASLR,
> etc helped mitigate against exploitation, even if a vulnerability was
> discovered – layered defenses are certainly a must-have. This was another
> talk I only caught some of remotely in the speakers' room or in the corridors
> while catching up with people.
>
> Scott Stender and Alex Vidergar from iSEC Partners
> <http://www.isecpartners.com/> talked about concurrency attacks in web apps
> <http://www.isecpartners.com/files/iSEC%20Partners%20-%20Concurrency%20Attacks%20in%20Web%20Applications.pdf>
> [PDF]. At first I wasn't too interested
> in this – it's really hard to do any kind of deterministic testing on a
> webapp, so attacking concurrency (where timing is everything) is simply a
> difficult place to go. These guys showed how most web frameworks are not
> thread safe, and multiple users hitting a server can cause the traditional
> "lost update" race hazards. Lots of perf graphs showing the performance hit
> of locking, transactions, etc (and thus the potential of DoS if "done
> correctly, but with a performance hit") got the point across. Takeaway –
> most web frameworks are not thread safe (and don't warn you about that
> fact) and it's something not many people think of. Also, because of
> database settings and transactions, doing this may not actually save you!
>
> A bunch of guys from MSFT talked about fuzzing. I didn't learn a whole
> lot technically here, but it was interesting to see how MSFT does fuzzing,
> and some of the stats – there's some "break even" points or "guidance" on
> the number of iterations vs bugs left to find, but it seems that there's no
> top limit. Some tools are better than others (no surprise there), but
> there's no one great tool (although SAGE seemed to be the best and won the
> "fuzzing olympics" - medals were handed out :)). Random fuzzing is better
> than "intelligent" fuzzing (where the tool knows the file/protocol
> structure), which is certainly unintuitive, but something I learnt quite
> some time ago.
>
> Vinnie Liu <http://www.stachliu.com/> talked about the trade-offs in tools
> (and humans) during a code review/pen test. Once again, nothing new for me
> – I've learnt and preached all these lessons, but it was a fun and engaging
> talk. I've asked Vinnie for a copy of his slides because there were some
> great classic humor slides in there – I'll post (and comment) on them if
> he does send them to me.
>
> Finally, and closing the conference, was the WAF vs. SDL Shootout panel.
> Myself, Nate McFeters <http://natemcfeters.blogspot.com/>, Gareth Heyes
> and Kevin Overcash <http://www.whitehatsec.com/home/abt/team.html> (poor
> guy – he was to "defend" WAFs, but ended up being just as critical as all
> of us!) fielding questions from Bryan Sullivan and the audience. The main
> questions were…
>
> *     Earlier this year, over one million sites fell victim to an
> automated SQL injection attack. The vast majority of affected pages were
> classic ASP pages. While we don't have statistics, it can be assumed that
> many if not most of these pages were no longer being actively developed. If
> you were called in as a consultant by one of these sites to fix the problem,
> what do you do? Do you recommend a WAF or a change to the code? Or both?
> Would your answer to this question change if the site in question was still
> being actively developed?
> *     Five years ago, black-box scanning was the 'magic pill' that would
> solve security problems. Then source analysis became more popular.
> Pentesting has always been important. While none of these approaches are
> perfect, they each have definite benefits, and more to the point: each of
> these activities is now part of the SDL (at least the Microsoft SDL). Should
> we end the feud between the SDL camp and the WAF camp by mandating WAF usage
> in the SDL?
> *     Imagine that someone invents a perfect WAF. It blocks all known
> attacks with a 0% false negative and 0% false positive rate. Do we now
> abandon previously mandated secure coding practices like validating input?
> If not, how do you justify spending developer time on this activity? How
> would you justify spending tester and pentester time on security testing?
>
> The discussion went all over the place, and I can't remember all of the
> answers or points that each of us raised (although I did pull out the
> "silver bullet and Jack and the Beanstalk
> <http://www.mikeandrews.com/2008/01/14/silver-bullets-or-magic-beans/>"
> allegory at one point). I hope there's some audio somewhere as there were
> some good well-reasoned arguments. If I can find some time and anyone is
> interested (i.e. the audio doesn't go up), I'll see if I can come back and
> fill this in a bit more.
>
> There was one final party hosted by IOActive <http://ioactive.com/>, but by
> then I was far too knackered for another night on the town (and I'm told
> that the IOA parties can get a bit out of hand!) so headed home and crashed
> out – nice to (finally) get to bed in the same 24hrs in which you woke up,
> but there's still the mountain of emails and RSS items I had to dig out of
> over the weekend.
>
> Thanks to all the people that I met and had great discussions with. Also a
> big thanks to Bryan for the invitation and Ashley for organizing everything
> for the speakers. I had a fantastic time, and confirmed one of the reasons
> that I moved up to Seattle – meeting interesting people and being engaged
> in the community again – really was worth it. I look forward to seeing all
> these people again, and if anyone is in the area, visiting, or has time to
> chat, and wants to hook up, by all means get in contact.
>
> [Ph4nt0m] <http://www.ph4nt0m.org/>
>
> [Ph4nt0m Security Team]
>
>                    <http://blog.ph4nt0m.org/>
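The "triple encoding an attack (for filter bypass) and the browser triple decoding" item from the Wednesday conversation, and the Thursday remark that turning JavaScript off is not the end of it, shown as an added example. This is not code from the original post, from Mike Andrews, or from the researchers he names; the filter functions, the blocklist term, the three-pass "consumer" and the sample input are assumptions for illustration. The point it makes: a blocklist that inspects the value as received passes a triple-encoded payload, while a downstream layer that keeps decoding ends up with the literal payload; the fix is to canonicalize (decode to a fixed point) before validating, and to treat encoding depth itself as a signal.

```python
from urllib.parse import unquote

# Constructed sample input: "<script>" percent-encoded three times over.
# One decode pass gives "%253Cscript>", two give "%3Cscript>", three give "<script>".
TRIPLE_ENCODED = "%25253Cscript%3E"

# Hypothetical blocklist term; a real filter would do far more than this.
BLOCKED_FRAGMENT = "<script"


def naive_filter(value: str) -> bool:
    """Weak pattern: check the still-encoded value exactly as received.

    Returns True if the value is allowed. A payload encoded more times than
    the filter decodes slips through, because the blocked substring is not
    literally present yet.
    """
    return BLOCKED_FRAGMENT not in value.lower()


def decode_to_fixed_point(value: str, max_rounds: int = 8) -> str:
    """Canonicalize by percent-decoding until the value stops changing.

    Each round either shortens the string or leaves it unchanged, so the loop
    terminates; the round cap only guards against pathological inputs.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("value still changing after %d decode rounds" % max_rounds)


def encoding_depth(value: str, max_rounds: int = 8) -> int:
    """Number of decode passes the value needs before it is stable.

    Ordinary form input needs 0 or 1; anything deeper is worth logging even
    when the decoded content looks harmless.
    """
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return rounds
        value = decoded
        rounds += 1
    return rounds


def hardened_filter(value: str) -> bool:
    """Validate the canonical form, so extra encoding layers buy the attacker nothing."""
    return naive_filter(decode_to_fixed_point(value))


def consumer_triple_decodes(value: str) -> str:
    """Stand-in for a downstream chain that decodes three times (for example a
    proxy, then the framework, then page script), the behaviour the post describes."""
    for _ in range(3):
        value = unquote(value)
    return value


if __name__ == "__main__":
    print("naive filter allows   :", naive_filter(TRIPLE_ENCODED))
    print("consumer ends up with :", consumer_triple_decodes(TRIPLE_ENCODED))
    print("hardened filter allows:", hardened_filter(TRIPLE_ENCODED))
    print("encoding depth        :", encoding_depth(TRIPLE_ENCODED))
```

The same canonicalize-then-check shape applies to the other decoders in the chain (HTML entities, Unicode escapes, CSS escapes such as the `expression(…)` case mentioned above); whatever the consumer will decode, the validator has to decode first, and a value that needs more than one pass is rarely legitimate outside of a URL deliberately nested in a query parameter.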

--~--~---------~--~----~------------~-------~--~----~
 To post to this mailing list, send mail to [email protected]
 To unsubscribe, send mail to [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
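The "lost update" race from the iSEC concurrency talk described in the quoted post, shown as an added example. This is not code from the original post, from Mike Andrews, or from iSEC Partners; the Account class, the barrier used to make every request finish its read before any of them writes, and the amounts are assumptions for illustration. Two requests withdraw from the same balance at once: a handler that reads, checks and writes without synchronization approves both (120 dispensed from a balance of 100), while the same logic inside one critical section approves only one.

```python
import threading


class Account:
    """Toy in-memory account standing in for a row in the web app's database."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount: int, rendezvous: threading.Barrier) -> bool:
        """Read-check-write with no synchronization (the lost update).

        The barrier only makes the race reproducible: every request finishes
        its read before any of them writes, which is the interleaving a busy
        server will eventually produce on its own.
        """
        current = self.balance                   # stale from here on
        rendezvous.wait(timeout=5)
        if current < amount:
            return False
        self.balance = current - amount          # overwrites the other writer's result
        return True

    def withdraw_locked(self, amount: int, rendezvous: threading.Barrier) -> bool:
        """Same read-check-write, but as one critical section.

        Requests still arrive together (the barrier sits outside the lock),
        then serialize: the second one sees the already reduced balance.
        """
        rendezvous.wait(timeout=5)
        with self._lock:
            current = self.balance
            if current < amount:
                return False
            self.balance = current - amount
            return True


def run_concurrent_withdrawals(method_name: str, balance: int = 100,
                               amount: int = 60, requests: int = 2) -> tuple:
    """Fire `requests` simultaneous withdrawals; return (approved, final_balance)."""
    account = Account(balance)
    barrier = threading.Barrier(requests)
    outcomes = []

    def handler() -> None:                       # one thread per HTTP request
        method = getattr(account, method_name)
        outcomes.append(method(amount, barrier))

    threads = [threading.Thread(target=handler) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(outcomes), account.balance


if __name__ == "__main__":
    approved, left = run_concurrent_withdrawals("withdraw_racy")
    print("racy  : approved=%d dispensed=%d balance=%d" % (approved, approved * 60, left))
    approved, left = run_concurrent_withdrawals("withdraw_locked")
    print("locked: approved=%d dispensed=%d balance=%d" % (approved, approved * 60, left))
```

An in-process lock only protects one worker process; across several workers the equivalent is an atomic conditional update in the database (an `UPDATE ... SET balance = balance - :amt WHERE id = :id AND balance >= :amt`, treating zero affected rows as a rejection) or a transaction at an isolation level that actually detects the conflict. The post's closing caveat that database settings and transactions "may not actually save you" is this point: under common defaults such as READ COMMITTED, two transactions that each SELECT the balance and then UPDATE it both commit, and the update is still lost.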
