CSI-SX is the new branding for the CSI NetSec conference, which is co-located with Interop Las Vegas, and is essentially the security-focused portion of the overall conference. As with the annual CSI conference, this conference targets a different demographic than I’m used to speaking for as the attendance is usually comprised of very large enterprise and government employees and I usually speak for conferences targeted at the research and hacker communities.

The night before the first day of conference sessions a speaker reception was held which I attended. I met a number of people from the conference staff whom I had not met before as well as a few of the other speakers. Surprisingly I was well-received by this crowd, even with my spiked green hair, which I’m sure they don’t see a lot of at this type of conference.

Below are my thoughts on the couple of talks I was able to attend.

The Rise of X-Morphic Exploitation

Gunter Ollmann, Director Security Strategy, IBM

Gunter’s talk was an excellent setup to mine because he really illustrated where a lot of the ‘drive by’ exploitation techniques are going and how it’s becoming an increasingly difficult problem to detect and block them with signature-based filter systems. He covered the definitions of various types of morphing that exploitation engines are using, how they are deployed to sites or linked into sites, and various methods that they use to obfuscate and encode the exploit code and payload, including multiple levels of encoding. Overall it was a very informative session.

Testing and Validation of Network Security Devices

Dustin D. Trammell, Security Researcher, BreakingPoint Systems, Inc.

This was my presentation, and I spoke about how content-aware firewalls and Intrusion Prevention Systems approach filtering network traffic for attacks against vulnerabilities, where they commonly fail or have deficiencies, and how to approach designing dynamic test cases for IPS filters to verify that they are blocking as many permutations of the attack as possible.

Bot and Botnet Taxonomy

Dr. Jose Nazario

This was a very interesting presentation of the various types of bots, what they do, how they behave, and how they communicate and are controlled. Jose presented a general taxonomy describing all these traits, then went through a number of specific bots describing them and their traits and how they related to the taxonomy.

The ToorCon organization puts on some of the best conferences in my opinion, and this last weekend was version 1.0 of their Seattle conference (beta was last year, which I also attended). Friday night was entirely 5-minute lightning talks and then Saturday was entirely 20-minute turbo talks. Sunday was workshops, which unfortunately I could not attend since I had to fly back to Austin mid-day. Last year was invite only and if you were there last year you received a coupon code for a discounted rate this year ($300), otherwise it was a little expensive to attend ($1000). Overall there were a number of excellent speakers with excellent content.

Due to the sheer number of talks (and I did see all of them), I’ll only cover the ones I found most interesting below:

My Handle

I)ruid

I was the very first talk of the lightning talk track. I spoke about my handle, it’s origin, why it’s spelled funny with that close parenthesis, and the benefits of that particular character over the past 18 years or so that I’ve been known by that handle. I also covered a few case studies of the systems it’s broken entirely on it’s own such as the BlackHat USA 2006 registration system and a ShmooCon Arcade game called “Slash’Em!”

Creating the Phreaking Challenge

nous

This was interesting because I’m a phone person and didn’t have time to actually do the challenge last year at DEFCON. I didn’t realize just how much effort they put into putting the challenge together, and if they do it again at this year’s DEFCON I’ll most likely participate. It was an interesting mix of hardware and software from lineman’s butt-sets to Asterisk for the core of the system.

Attend My Talk And Win A Xbox 360… In Some Other Contest!

jrandom

This was a quick overview of lottery scratch-off cards and how to determine before playing if you have a winning ticket or not. The talk covered techniques such as back-lighting, re-applying the scratch medium, and various printing properties that can give away status such as vibrancy of the inks throughout the print run, sharpness of the paper cut, and printing errors.

Managing Brilliant People

Shyama Rose

Shyama spoke about her new role as a project manager and some interesting observations about geek and hacker-type people. She then went on to describe her approach to managing those types of people because of the traits observed.

Inside a Traffic Light Controller’s Firmware

Travis Goodspeed

Travis quickly covered some of the interesting things he had found while reverse engineering a hardware traffic light controller for compatibility purposes. Some of the things covered were the firmware, predictable static locations in memory where certain values resided, access to the device, etc.

seeds of contempt

Dean Pierce

This was an interesting overview of a project which I can best describe as a distributed application framework. The applications in question are referred to as “seeds” and each seed type has different capabilities and purpose. The one demonstrated called “Blue Seed” was like a network monitor which could track network hosts by MAC address. These seeds communicated back with the central monitoring and control component, “contempt”, where you could instruct and configure the seeds. The first thing that came to mind when listening was it’s Metasploit analog, the Meterpreter.

Capture the Flag …… er …… Cards

Justin Searle

Justin spoke about a collectible card game he’s working on which deals with the subject matter of hacking and security. As a gamer for life, and as an amateur game designer myself, I totally intend to get involved with this project. … As soon as I figure out how to contact Justin.

Yoga for Hackers

Ken Caruso

While not technical, I found this very interesting as I have a lot of friends who practice Yoga and I’ve been meaning to study it a bit myself. Ken covered three Yoga poses which can deal directly with issues that hacker types face such as carpal tunnel syndrome and ADD.

Asterisk IAX2 DoS and Exploit Framework

Joel Voss

Joel described an amplification DoS vulnerability he accidentally found in IAX while trying to write a soft-phone last year. I remember the advisory on the vulnerability when it came out and it was one of the biggest amplification ratio’s I had seen in quite a long time, something like 1,000 to 1 amplification in the response.

h0h0h0h0

Dan Kaminsky

Dan presented a new technique for using DNS NXDOMAIN responses to sub-domain requests to respond with an illegitimate web server hosting content that could then script back into the parent domain’s web content (completely within the javascript same-origin policy restrictions) and essentially trojan any website’s HTML content. How he manages to continue to come up with ways to talk about DNS and actually make it high-impact like this I’ll never know (:

An Introduction to Decompilation and Keygenning

Nathan Rittenhouse

This was an interesting walk-through of reversing a crackme application that dealt with finding the code paths, identifying anti-reversing/anti-debugging code in the crackme app, and reversing out the function that verified the serial numbers that the app took as input. Once identified, valid serial numbers could be generated that would satisfy the crackme’s input requirements. I found this very interesting as it’s something I’m actively learning how to do better and improve my skills at.

Splitting Gemini

Adam Cecchetti

This was probably my favorite talk of the entire conference. Adam described the process of hijacking a core from a multi-core system and using that core entirely outside of the context of the original running operating system. This type of technique could be extremely useful for rootkitting systems and staying out of view of anti-virus and other system protections.

Reverse Engineering Cookbook

Aaron Portnoy & Cameron Hotchkies

Aaron and Cameron discussed some problems with using IDA while reverse engineering and presented some scripts that they have developed for solving some of those problems. I was very interested in this as well as I’m actively attempting to improve my skills with IDA and I regularly experience some of the annoyances they were talking about.

Phreaks, Confs, and Jail

TProphet

TProphet took us on a trip down memory lane about phone phreaks, free conferences, and noteworthy busts of those involved, then compared to the current state of the Phreak now with VoIP in the mix and how some things never really change all that much.

Adam was my grandfather: Changing your Self, changing your society

Quinn Norton

I always really enjoy Quinn’s talks, she’s an excellent speaker, really gets the audience’s attention and involvement, and actually makes you think. I can’t say I saw anything new in this presentation though, it was essentially a condensed version of her usual talk on body modification, self improvement, and body augmentation, although this time the focus seemed to be on mental programming and pharmaceuticals, likely due to the time constraint.

State of the Exploit

Matt Miller

This was probably my second favorite talk of the conference. While fairly high-level and a bit on the side of methodology/process rather than technical, it was still extremely relevant and easily applied to many aspects of vulnerability and exploit development. Essentially, Matt described the current state of software protection systems like the GS flag, ASLR, non-executable stacks, etc. and how they are impacting the usefulness of generic exploitation techniques. He then went on to propose a methodology for ranking or categorizing information systems and software based on how exploitable they would be if a vulnerability were present, using the presence or absence of various aforementioned protection systems and other factors as part of the weighting system. This allows a vulnerability researcher to focus on parts of software where, if a vulnerability is found, it is more likely to be exploitable.

Fast n Furious Transforms

Richard Johnson

On a completely different subject than what he usually talks about, Richard relayed his recent journey through learning all about audio formats and streams, weaveforms, etc. while developing a Guitar Hero or Rock Band type interface for learning a real instrument rather than playing with a game peripheral. Further, he covered a bit of applying the data modeling and parsing techniques he learned to general information stream processing like packet data or data files.

Packet Death Touch: Finding Vulnerable Areas in Backbone Protocol Parsing

Raven

Raven has been doing network backbone security research for quite a while now. Her talk was essentially discussing some of the various protocols found within the backbone, how they broke down to their data fields, and which fields were ripe for targeting with fault injection and fuzzing techniques. I always find it interesting when people are discussing lower-layer networking protocols like these.

Privacy and Identity Hacking

divide

divide showcased some web resources for the Washington State area where you could do things like make the association between a automobile license plate and a vehicle’s VIN, the owner’s name and address, birthdate, etc., and generally build a profile of a person from some easily observable data about them. I can’t say this was anything new to me, since we’ve been doing this in Texas (and other states) for years using sites like PublicData, although his point was well received that as more and more of this information and the systems managing it goes online and becomes available to the public this type of information gathering is only going to become more and more prevalent and continually easier.

Exploiting Proprietary Crypto

Karsten Nohl

This was probably my third favorite talk of the conference. Karsten made crypto analysis easily understandable to the crypto-layperson unfamiliar with deep mathematics (like me!) and described the process of breaking apart cryptosystems into their components and attacking the weaker components individually and brute forcing the stronger ones when possible. He also outlined a class of tools that help you do this and specifically talked about his favorite one, MiniSAT.

I have long been fascinated with self-given names, and the effect they have on the entity being named. Having grown up with my roots firmly planted in the computer underground, I regularly met and dealt with people identified only by their self-given handles (pseudonyms). I soon began to notice that many of these people seemed to embody traits and mannerisms that coincidentally aligned with the character assumptions and mental imagery that their handle’s subject-matter embodied. After a while I began to wonder, did these personal traits cause the person to name themselves in a certain way, or did naming oneself a certain name begin to manifest such  corresponding traits in the individual? I’ve done some preliminary research into this subject, however I’m not quite ready to release my results… that’s a discussion for another time. Instead, today I want to comment on an observation regarding an entity of another type; a corporation.

The original Atari Inc. was founded in 1972. It was a pioneer in arcade games, home video game consoles, and home computers. The company’s products, such as Pong and the Atari 2600, helped define the computer entertainment industry from the 1970s to the mid 1980s. In 1984, the original Atari Inc. was split, and the arcade division was turned into Atari Games Inc. Atari Games received the rights to use the logo and brand name with appended text “Games” on arcade games, as well as rights to the original 1972 - 1984 arcade hardware properties. The Atari Consumer properties were in turn sold from Warner Communications to Tramel Technology Ltd., which then renamed itself to Atari Corporation. In 1996, Atari Corporation reverse merged with disk drive manufacturer JT Storage (JTS), becoming a division within the company. Atari Interactive started as a subsidiary of Hasbro Interactive, after Hasbro Interactive acquired all Atari Corporation related properties from JTS in 1998. IESA in turn acquired Hasbro Interactive in 2001, and proceeded to rename it to Infogrames Interactive. In 2003, IESA then changed the company name entirely to Atari Interactive. The company that currently bears the Atari Inc. name was founded in 1993 under the name GT Interactive. IESA acquired a 62% controlling interest in GT Interactive in 1999, and proceeded to rename it Infogrames, Inc. In 2003, Infogrames Inc. licensed the Atari name and logo from Atari Interactive and changed its name to Atari Inc., bringing the name full-circle to the original.

What was the point of that long-winded history of Atari? Simply to make you aware of the constant cycle of business or financial failure, acquirement or sell-off of the assets and intellectual properties, and subsequent rebirth of the company repeatedly over it’s entire history. I was personally familiar with the company during the ’80s when the consumer division was producing the Atari ST line of personal computers, and was a member (and eventually president) of the North Texas Atari Computer Team (NTACT), the local Atari user group. It was a common observation and concern at the time that Atari was constantly missing opportunities, being mis-managed by the company’s executives, making outright blunders, and so forth.  As the video game industry has matured since those days, many of those concerns have persisted through the company’s many reincarnations. These observations and concerns seem to be confirmed simply by the number of times that the company was in trouble, financial or otherwise, and then was either sold or acquired in order to breathe fresh life into the brand. This has happened so many times that many say the Atari name is cursed. Even with all of it’s many successes, in all of the areas of arcade games and machines, computer and video game hardware, and in game software, Atari seems to constantly be in it’s death throes, struggling to stay alive.

So, what’s in a name? The name of the company appears to be an unfortunate choice, when viewed through the lenses of it’s sordid history. The term atari is a Chinese word meaning “a hit”, and is primarily used in the game of Go:

“Atari” (Chinese: dǎchī (打吃); Korean: dansu (단수)) is a term used for a situation where a stone or chain of stones has only one liberty, and may be captured on the next move if not given one or more additional liberties. It can be a verb to describe the act of placing a chain under atari, as well as an adjective to describe the status of a unit, as being “in (the state of) atari”. Calling out atari during a game is sometimes done by beginners much like calling out check in chess, but it is considered rude by many players who have advanced beyond the absolute beginner level.

Sound eerily similar to the constant state of the company itself? A group of stones, or a unit, being in atari in the game of Go is essentially a sign of their failing health, or dwindling liberties, and their eventual demise or capture. Unless there is plenty of room around the unit on the game board for it to expand, or some extremely strategic or bold steps are taken to save it, a unit in atari is many times accepted to be a lost cause. Luckily for Atari, it has managed to escape atari many times over it’s long history and is still around today. The big question is, will the nature of the company’s name continue to haunt it, and if so, will the essence of Atari continue to find ways to survive against the apparently daunting odds?

Today, my research paper entitled “Context-keyed Payload Encoding” was published in Uninformed Journal vol. 9. If you’re into cutting-edge exploitation technology, you should check it out. This is the research I presented at ToorCon 9 last October.

Having recently played most of the way through Metroid Prime 3: Corruption, I came across an interesting security mechanism in the game that I haven’t really seen paralleled in the real world. During the latter part of the game where the player travels to the Space Pirate home-world, the player receives a suit upgrade which allows the HUD of their visor to go into an X-Ray mode and see through most obstacles. An interesting property of this visor is that it allows the values on the buttons of a combination lock’s access panel to be obscured from normal view. When viewed via the X-Ray visor, the values of the buttons can be read:

That’s not the bit that struck me as novel, however. The interesting bit to me was that once the player uses the X-Ray visor to see the values of the buttons on the panel, whenever a button was pressed to enter it’s value, the remaining buttons’ values were randomized:

Now, the obvious flaw in the game’s locking mechanism is that the combination is displayed alongside the buttons; the “key” to the lock is essentially possession of the X-Ray visor. In the real world, the combination is generally secret and must be stolen, guessed, or brute-forced. A lot of mechanical brute-force attacks against combination locks using button pads, letter or number dials, disks, etc. depend on the values of those components to be a mechanical constant of the system. If this is true, the brute forcing device can ensure that once it has tried a particular combination of values that it does not try them again and can therefore progressively eliminate the failed combinations that it has already tried. The locking system used in the game denies an attacker that mechanical constant by randomizing the button values after every button press, so unless the attacking mechanism can dynamically determine the values of the buttons prior to each button press, it will likely never succeed in brute-forcing the combination to the lock.

In addition to the brute-force attacks, many intelligent guessing methods other than directly observing which values a user presses rely on observing the approximate locations of a user’s fingers and motion of the hand as they press the buttons. A more forensic approach involves identifying button wear or dusting the keypad for fingerprints to identify which buttons are commonly pressed or were used in a recent authentication. Randomizing the button values either after every button press or after each authentication attempt also defeats both of these types of attacks. In the first case, the button values are not predictable for the period of time in which they were observed being pressed. In the second case, button wear should be uniform across all buttons due to the randomization of values, and fingerprints left on the keypad will no longer be associated with the correct button values at the time of dusting.

I personally haven’t seen any key-pad combination lock manufacturers create anything like this in real life, and after some fairly extensive searching of the web I didn’t come across any products that do this. It would appear that Space Pirates have a thing or two to teach us about physical security.

[EDIT: Apparently, IBM holds a patent on exactly this idea. I wonder if they'll sue Nintendo for virtual patent infringement...]

My second Microsoft Patch Tuesday at the new employer was fairly uneventful. This Tuesday there was only one patch rated critical, MS07-061, and as it turns out it was the bug that I had already worked on last week. Essentially all I had to do was update my strikes from last week with the new reference and rename them, and our team was essentially done. You can read the details about the patched vulnerability over at the BreakingPoint StrikeCenter blog.

CSI 2007 was the first time I’ve ever attended a CSI conference. I was actually a CSI member way back in the day when I was running my own consulting firm and needed as many business development avenues to explore as possible, but after closing my consultancy and going back to work for The Man(tm) I didn’t keep up my membership as I really wasn’t getting much out of the organization at that point. For some reason I had never attended any of their conferences. The CSI Annual Conference is billed as “The leading management, strategy and policy event for today’s security professionals”, so it’s a very different conference from what I’m used to. While I generally attend the more technical events, this one was targeted at an entirely different demographic. There was a lot of large enterprise and government presence, and I got plenty of scowls as people noticed my green hair, but in the end I believe I won most of them over…

The evening of my talk there was also a Capture the Flag game. Unfortunately I wasn’t aware of this until I ran into Dave Aitel that evening and he told me about it, or I would have had my laptop with me and been prepared to compete. This game was essentially a race through various goals with clues and hints along the way. The guy that won achieved the final goal at just under 2 hours. One potential vulnerability that I pointed out to the event organizers was that most of the information was given away to the audience in the observation room near the start of the competition, and had the competition not been 3 floors underground where there was no cellular signal, I could have easily relayed the information to Dave’s mobile via SMS or AIM or something. Had we had some other form of local wireless communication, cheating would have been trivial. Perhaps next time they’ll not give away so much information at the beginning to the audience…

Below are my thoughts on the couple of talks I was able to attend. Unfortunately I was only there for the one day that I was speaking and I was busy preparing to speak and recording a shorter version of my talk to actually attend many of them.

How to Prevent Classified Data from Leaving Your Networks

Alok Mittal, Sr. Mgr. Technology and Business Development, Cisco Systems

I checked out this talk because it’s very much inline with a research topic that I’ve been considering working on for a while now; Extrusion Prevention. I’ve done a lot of work in the past in the areas of Steganography and covert channels, so I’ve been considering delving into prevention of such things. There wasn’t a whole lot of technical information in the presentation, rather it was more aligned to managing risk of data theft and accidental loss, proper classification of data so that you can accurately determine that risk, and education of users on how to identify and accurately classify data as being sensitive. Not exactly what I was looking for but it was good to find out what people in the Enterprise are currently doing about extrusion and their general approach. Somewhat in-line with some preliminary research I’ve done into the subject,t here’s not a whole lot of technical solutions to the problem because it’s a rather hard problem to solve.

Techniques and Topics on How to Generate and Remember Passwords

Joseph W. Popinski III, CISSP, CISM, IE-Dynetics

I attended this talk for two reasons; to see if my recent research regarding Mnemonic Password Formulas was mentioned (it wasn’t), and because it was a Turbo-talk and I needed to attend something short since I was speaking the next hour. Some interesting methods for creation of passwords were presented that I hadn’t heard of myself, but the overwhelming theme of many of the methods seemed to focus more on length rather than complexity, although some of them obviously did include various types of complexity. While performing my research a couple years ago for my work in passwords, and supported by my own personal experience in the area of attacking passwords, the more common attack methods are shifting to intelligent guessing of passwords rather than brute force cracking, so while length still helps, it’s no longer the primary characteristic of your password that you should be concerned with. It was good that many of the technique examples that were presented used non-personal data, but the techniques themselves didn’t specifically exclude personal data. It’s my experience that when users have that choice, they’ll almost always use personal data which lends itself to attack by intelligent password guessing techniques.

VoIP Attacks!

Dustin D. Trammell, Security Researcher

Obviously, this was my talk. My presentation, VoIP Attacks!, is intended to be a “state of the industry” type talk, updated and presented around once a year or so. Considering the audience I tried to cut out a lot of the technical details, examples, and demos (my usual target audience likes proofs), and talk a lot more about each attack’s effect, impact, and threat metrics. A couple of times I saw some blank stares from the audience, but for the most part I think the majority of them followed the presentation fairly well. I haven’t yet seen the result of the feedback forms, but from what I heard initially I had one of the more widely attended talks and it was very well received. You can find the slide deck I used over at my personal site in HTML, PDF, or Flash.

ToorCon is always one of my favorite conferences of the year, and this year was no different. Actually, I take that back, it WAS different, it was even better than usual. I got something out of almost every talk that I attended, and the conference ran very smoothly. The conference is small and intimate and the speaker badges are green… I really can’t ask for much more. This year the conference was split between the two days; the first day being traditional hour-long presentations whereas the second day took the cue from ToorCon Seattle (beta) and was entirely 20-minute turbo talks. I thought the conference format worked out really really well and provided a much larger breadth of subject-matter than would normally have been possible with entirely traditional-length talks.

Below are my thoughts on the various talks I attended.

Wolverine, Yo’Mama, Spooks, and Osama

Beetle

This was one of the most entertaining talks I’ve seen in a while. Beetle started his talk off about the current state of the Marvel comic universe and how it is eerily paralleling the real world and many of it’s issues; overreaching government control, national security, fear of terrorism, etc. Being a comic geek myself, and the Marvel universe being within which the vast majority of the comics I read are set, I understood exactly what he was talking about and where he was going. This part of his talk may have been lost on some of the non-comic minded in the crowd. Next he told some funny stories about his parents and their interactions with technology and security, making the point that old people will likely be the death of the Internet. The end of his talk focused on “cyber-terrorism” and how he felt that the hype far outweighed the real threat.

Black Ops 2007: Design Reviewing the Web

Dan Kaminsky

Usually when I attend Dan’s Black Ops talks, I have to sit through some of his content which I’d seen before to get to the new stuff toward the end. I don’t know if Dan is getting better at including a larger majority of fresh content in his talks, or if my avoiding his last couple of talks so as to wait a bit longer between seeing them is responsible, but this time I saw entirely new content. I heard someone mention that they had seen part of it before, perhaps at BlueHat? But I hadn’t, so it was all new to me.

Dan started off talking about DNS resolution pinning and tricks you can use to cause browsers running both javascript and flash to execute arbitrary code within the security context of a different site. This basically involved responding to DNS requests differently depending on what content the browser was after; load the normal site resources by resolving the hostname to the site’s real IP but then also load some malicious code from a different IP as well, still by responding to the site’s normal hostname. He leveraged this to load malicious software within a browser that allows a client application to set up TCP and UDP sockets with the malicious code running within the browser, essentially allowing network tunneling into a restricted network area such as behind a firewall by tunneling through a compromised browser.

At the end of his talk he also talked about net neutrality, or rather, hostile ISPs, and demonstrated a way to definitively tell whether or not your ISP is being hostile to various types of your network traffic by leveraging some of the tricks from the earlier part of his talk.

Fuzzing with Code Coverage by Example

Charles Miller

In my opinion, there is not much research being done (or at least being talked about) which truly advances the state of the art in fuzzing. Pedram and Aaron’s talk at BlackHat was one of them. I believe that this talk may be another, and both this talk and the BlackHat talk were about completely different things. Most of the prominent fuzzing tools and methodologies these days involve thoroughly researching the type and format of the input data which will be used for fuzzing, and then manipulating that data set to achieve the result. This talk was more about observation of behavior and trial and error rather than understanding the data or what it’s used for.

Charles started off with some basics of fuzzing, which I’m not sure this audience really needed, but at least that part was short and to the point. He then went on to discuss some code coverage techniques and tools that you can use to help identify what code (or instructions, if you’re dealing with binary executables) are being exercised by various types of input. By watching the data flow from input vectors through the code, you can note things like conditional branching which can be more effectively covered by massaging your input. The process he described takes much less initial research as it’s designed to be used without much knowledge of the underlying data such as protocol semantics and packet structure. He ended the presentation with a case study of a vulnerability he found and worked out an exploit for entirely by code coverage fuzzing and with no prior knowledge of the protocol or data structure being used.

Cthulhu: A Software Analysis Framework Built on Phoenix

Matt Miller

Matt (skape) always brings something extremely interesting (and usually pretty obscure) to the table. This talk was no different. Matt started off by stating that software analysis was something that he’s been very interested in for a while but just recently had the opportunity to begin to explore. He also described what Phoenix is, which is the next generation of compiler for Microsoft systems. The talk is rather hard to summarize but essentially Cthulhu is designed to make use of the information provided by Phoenix to perform data flow and control flow analysis of various aspects of an application or larger complex system. By abstracting out and generalizing components, analysis can link data flow between two components which may not be directly connected. The example Matt used was connecting data flow from an output function of one part of a network client application to an input function of another part of a network server application. I highly recommend you read the slides or watch the video to really grasp the concepts and what he is trying to accomplish. I personally saw an immediate benefit to some research that I’ve been using and plan to follow up with Matt and see if his analysis framework could be used for my purpose.

Speeding Up the Exploits’ Development Process

Jerome Athias

I really enjoyed this talk as I use Metasploit myself and am becoming more and more involved in exploit and attack development. Jerome presented an overview of MSF-XB, or, the Metasploit eXploit Builder. MSF-XB is essentially a GUI front-end to Metasploit and other tools which provides the user with a single interface for exploit development. This interface assists the developer in various tasks such as determining return addresses, generating shellcode, etc. by leveraging the underlying systems such as Metasploit. Unfortunately, it’s a windows application and I primarily use Metasploit on Linux, but given it’s utility it may be worth booting a windows VM (:

The Last Stand: 100% Automatic 0day, Achieved, Explained, and Demonstrated

Jason Medeiros

Jason described some of the common ways that bugs are analyzed and exploits written and noted that a lot of this process can be easily automated. He then questioned why no one had automated it before. Next he went on to explain how parts of the process could be automated and then demoed his automation tool in action, which produced a C exploit for the vulnerability he was using as an example. It was really cool stuff, and extremely useful for cranking out exploits to simple vulns like straight-forward stack and heap overflows, but I wonder if it can target more complicated and esoteric vulnerabilities like integer overflows, some of the more crazy heap overflows, format string bugs, etc. Overall it’s a very very cool tool and I look forward to trying it out.

CDMA Unlocking and Modification

Alexander Lash

The technical depth of this talk was a little shallow, but the speaker noted that that was intentional as he wanted to leave the majority of his time for answering specific questions from the audience. Alexander is one of the best speakers I’ve seen in a while; he was concise and to the point, and he spoke with obvious knowledge and authority about his subject, even in the face of some fairly obscure questions from the audience. The subject of his talk covered CDMA cellular phones, various ways to unlock them, and various types of modification.

VoIP Penetration Testing: Lessons Learned, Tools and Techniques

Jason Ostrom, John Kindervag

This presentation was mostly about a new tool called voiphopper. John started off with some quick information about what they do and the types of assessments they’ve been working on for customers. Jason then presented some case studies which outlined the abilities of the voiphopper tool, which centered around hopping VLANs so as to traverse the logical separation of VoIP and data networks, essentially making the case that VLANs are not a security technology. I always try to convince people that using VLANs as a security control just isn’t a good idea but many times they don’t believe me without concrete proof or examples. While there have always been ways to demonstrate the failings of VLANs when used as a control, within the context of VoIP this tool makes an extremely good case.

Byakugan: Automating Exploitation

Nathan Rittenhouse

Nathan essentially gave an update on the Byakugan WinDBG plug-in project and the types of things they are accomplishing with it. Pusscat gave a previous overview back at ToorCon Seattle (beta) and this was essentially an extension of that. Nathan outlined some of the features of Byakugan and also introduced NOXdbg, intended to be the Ruby equivalent of PyDbg for python. Toward the end of the talk, JohnnyCache demoed a real-time 3D visualization of a process’s heap, which was really cool.

Live Memory Forensics

datagram

This talk was basically an overview of live memory forensics, how it differs from “dead” forensics (targeting a powered-off system), and described many of the tools an techniques for performing this type of forensics. datagram also discussed some of the limitations of both live and dead forensics and made the point that both should be used to augment each other rather than one as a replacement for the other. Forensics is definitely not my research field so I don’t have the background to state whether or not there was anything new here, but it seemed like a good overview to the field and the speaker at least provided tools references.

Attacking VoIP to Gain Control of a Laptop

Nick Kezhaya, Sachin Joglekar

This presentation is what I assume is a condensed version of what was supposed to have been presented at BlackHat. This time however the original speakers made it to give the talk and since I saw both versions I can say this one was much improved. Sachin, who essentially replaced me when I left Sipera to move to Austin, presented the case that the majority of VoIP phones, both soft-phones and hardware devices, are essentially crap. Nick then went on to demonstrate the LAVA attack framework launching a buffer overflow exploit against a particular soft-phone in order to execute a remote shell and gain control of the target laptop. Compared to the BlackHat version, these two speakers were much more versed in security concepts and the common vernacular and were able to explain the details of the vulnerability and how the attack worked in the face of some questions from the audience. I believe that the 20-minute turbo-talk format was much more appropriate for this talk than the hour slot it was given at BlackHat, although for the particular audience at ToorCon I would have liked to have seen some more details on the vulnerability being exploited itself, such as perhaps a disassembly of the vulnerable code, references to offsets, the exploit payload, etc. Perhaps they should use an old vulnerability which already has a patch so that they can disclose more detail. Given a less technical audience however, what was presented would have probably been adequate. Overall, while I felt the presentation lacked the technical detail I mentioned it was much improved over the version from BlackHat.

Context-keyed Payload Encoding

I)ruid

This was my talk. Overall I felt it went really well, I hit my time constraint with a few minutes left for Q&A, and I stayed focused and on point. As always I forgot to repeat the question for the benefit of the microphone a couple of times but it can’t always go perfectly (: You can view the slides and video from my talk at my website.

The Talk Talk: How to Give Better Tech Presentations

Strom Carlson

Since there seems to be no end in sight regarding myself giving tech presentations, nor would I want there to be, I went to this talk with interest. Strom outlined some fundamental things that you can do to better format your message and reach a wider audience, as well as some good pointers on how to connect with the audience and keep them engaged. Overall I felt it was fairly informative and I should be able to use some of the information when preparing for future speaking engagements.

Post-Scarcity

Christopher Abad

Not Abad’s normal style of rant but interesting nonetheless. Chris talked about supply and demand and how it relates to scarce or abundant resources. He then tied that to intellectual property, or “ideas”, and their property of not having a significant material or tangible barrier to reproduction thus making an enforcement of their scarcity (such as per-seat licensing) essentially an artificial attribute. His opinion seems to be that such practices are simply wrong and software developers should be paid for their effort in a different manner. He believes that things which are by their very nature abundant should be freely available to the masses.

vnak (VoIP Network Attack Kit)

Zane Lackey

Zane outlined some attacks against VoIP signaling protocols like H.323, SIP, and IAX such as authentication downgrade attacks, authentication token cracking attacks, etc., essentially the same types of attacks he detailed in his BlackHat talk. The difference here was that he provide an all-encompassing tool called vnak which implemented many of these attacks. vnak is intended to be a swiss-army-knife type tool for VoIP signaling hackers.

Last week was Microsoft Patch Tuesday, and for once it actually affected me directly. The team I am part of at my new employer is responsible for reversing out patches such as these, determining the vulnerability that was patched, and developing ways to exploit or otherwise attack the software. From the advisories that were released, I ended up with ms07-055 which detailed a stack overflow in the Kodak Image Viewer which was used as the default image handling application on Windows 2000 systems. After spending most of Tuesday setting up VMWare and installing some tools like IDA Pro and BinDiff, I was able to get started.

With a little help from a friend online, I was able to determine how to trigger the bug and started working on an exploit for it. In a nutshell, when the application parses a TIFF image file, you can create some malicious internal data structures that cause it to start parsing arbitrary data at a location that you specify when it’s expecting particular formatted values, which will then overflow a buffer and wipe out the call stack. With a little bit of stack repair in your overflow payload you can get the function that was executing to return to your shellcode via a supplied return address placed in the repaired stack and thus gain code execution. There’s a slightly more technical write-up with pretty pictures at our group’s blog, the BreakingPoint Strike Center, which also details the three different ways I found to evade some of the network monitoring devices that claim to detect or block network traffic exploiting this vulnerability.

Anyhow, this was probably my first overflow based exploit that I’ve written in easily 5 or 6 years, and although it was a fairly straight forward and simple one, it was good to get back into the exploitation game. The exploit I developed and IPS/IDS evasions I identified culminated into 8 different “strikes” for the company’s product, so I’d say it was a productive couple days of effort.

Today I stepped into a new role as a Security Researcher for BreakingPoint Systems. I will be working with the team that handles the security component of the flagship product, the BPS-1000, which is a load and security testing appliance used to test network devices such as switches, firewalls, and the types of products my previous employer produces, Intrusion Prevention (or Detection) Systems. For the most part I’ll be developing “strikes”, which are essentially attacks and exploits packaged in such a way that the product can launch them and verify whether or not the device under test has properly blocked or otherwise handled the offensive traffic. It’s a welcome change to move over to the offensive side of the game again, which is really where I’m most comfortable.