DefCon weekend
I spent this weekend in Las Vegas attending DefCon 15. This year there weren’t as many announcements of 0-day exploits as last year, but the three days were nevertheless information-packed, with 5 tracks on Friday and Saturday running from 10 am to 10 pm. On Sunday they did a half day that ended at 4 pm, with 3 tracks of presentations. There were, of course, some pretty cool events, like Dateline NBC undercover reporter Michelle Madigan being outed. Below are some of the memorable talks.
Q&A with Bruce Schneier. The secret to leading an effective life (Schneier is the top US cryptography expert, a frequent blogger, quote generator, and restaurant reviewer) is not to watch television. He was also able to travel to Vegas without an ID. Apparently if you just tell the airline agent that you’ve lost your ID (which could happen, and you don’t need to be stuck somewhere waiting for your state to send you a replacement), they will give you a ticket with a NO ID stamp on it, which gives you access to the boarding area. Also, Schneier doesn’t think encryption algorithms will need to change a great deal in the future, because what we have right now seems to be more or less sufficient. When the Feds need to get information off somebody’s computer, they don’t ask the NSA to break the 1024-bit encryption on his PC; they just install a keylogger and capture the passphrase.
Steve Dunker enlightened the public on facts and myths about police arrests. If a hypothetical arrest happens, the police don’t necessarily need to read you your Miranda rights, contrary to what you might have seen in the latest action movie. They only need to do so if they intend to use what you said in court, which is unnecessary in the case of an obvious crime or when there are witnesses.
Shmoo Group founder Bruce Potter spoke about the “dirty secrets” of the security industry in a packed room. Bruce is a pretty popular guy and generally draws crowds to his talks. He had some good points about the security industry lacking fundamentals. We spend billions on firewalls, intrusion detection systems, authentication systems, etc., without realizing that the underlying problem behind all these security concerns is crappy code. The reason you need that expensive firewall or IDS is that you cannot trust the application running within your organization to correctly deal with weird data inputs, network connections, injections, etc. If your app were golden, none of this additional spending would be needed. Instead, the responsibility for handling data securely is offloaded to a third party.
DefCon founder Dark Tangent told the story of CiscoGate, speaking at his own conference for the first time (he normally avoids speaking at DefCon, considering it an unfair advantage). It was a pretty intense talk, complete with lawyers from both ISS and Cisco calling Jeff Moss about Mike Lynn’s talk at the Black Hat conference, and Cisco hiring a brigade of temp workers to rip the pages of Mike Lynn’s presentation out of the book of papers provided to conference attendees.
Johnny Long’s talks are usually a highlight of any day he presents, and this time he didn’t disappoint. His low-tech hacking presentation was all about obtaining important information without doing anything high-tech: dumpster diving, reading information off people’s parking badges, photographing badged employees and then reproducing the badges, or even posing as an AT&T employee who is there to check the integrity of the phone network, laminated AT&T badge and all. Apparently, the mere act of lamination convinces any representative of the human race that you are now an official employee of whatever organization’s logo you display on your badge.
Broward Horne presented an interesting technique for analyzing click fraud through unorthodox means. IAmFacingForeclosure.com managed to generate tons of negative press for itself, being, as the Web site claimed, the blog of someone who had invested too much money in subprime real estate, could no longer make his payments, and was waiting for the government to kick in and bail him out. As one can imagine, this strategy generated quite a few resentful readers, and traffic to the blog rose. Broward Horne was doing two things at the same time: measuring the blog’s traffic through Alexa, and linking to it with the right terms so that his own site would show up in Google’s results next to IAmFacingForeclosure and he would get some portion of the traffic, a bone off the master’s table. Strangely, none of this happened. The Alexa graph, unreliable as it is, stayed flat, and even though IAmFacingForeclosure’s traffic was supposedly skyrocketing, the site placed next to it in the search engines received no traffic whatsoever. When both Google and Yahoo! kicked IAmFacingForeclosure out of their AdSense and Publisher Network programs, it was obvious that the author had been engaged in click fraud: generating high-priced real-estate and mortgage-related content, placing Google and Yahoo! text ads, and then relying on an army of bots to click through the ads, generating substantial revenue for the site. Of course, once the idea is out there, it’s relatively easy to train the bots to ping Alexa or Compete whenever they visit a site, but the analysis via third-party means was quite interesting nonetheless.
Dan Kaminsky’s talk is usually oversubscribed, and the same happened this time: the gigantic conference room was packed, with people sitting on the floor and goons shooing them away because of the notorious Fire Marshal concerns. Kaminsky was talking about a current IT security myth that claims outside attackers cannot get to your internal network because of firewalls and whatnot. They can, however, present a Web site to the user, offer a Java applet or Flash application on that site, have those applications granted sufficient permissions by a user on your network, and then access pretty much anything the user has access to. The highlight of the presentation was rebinding the DNS for some popular domains. You don’t need to divert the DNS completely; you need only insert one additional A record specifying that, for example, paypal.com lives not only on the IP addresses listed in its whois, but also on your own server. With multiple IP addresses present in the DNS record, a browser will pick one at random from the selection available, every once in a while taking the user to your compromised server. Create an invisible iframe with your code and a visible frame with PayPal’s official Web site, and JavaScript’s same-origin policy effectively lets you read and write DOM data to and from any Web site out there.
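The internal-network variant of this attack is what a rebinding-aware resolver filter is meant to stop. The following Python example is added here and is not code from the talk or the post: it examines the A/AAAA answers for a hostname (sample answers are constructed for the demo) and refuses any answer set that points an external name at private, loopback or link-local space, or that mixes public and internal addresses in one response.

```python
import ipaddress


class RebindGuard:
    """Filter DNS answers the way a rebinding-aware resolver would.

    Constructed example: names under internal_zones are allowed to resolve to
    internal addresses; every other name must resolve to public addresses only.
    """

    def __init__(self, internal_zones=()):
        self.internal_zones = tuple(z.lower().strip(".") for z in internal_zones)

    @staticmethod
    def is_internal(ip_text):
        ip = ipaddress.ip_address(ip_text)
        # Unwrap IPv4-mapped IPv6 so ::ffff:192.168.1.1 is judged as 192.168.1.1.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        return (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_unspecified or ip.is_multicast or ip.is_reserved)

    def in_internal_zone(self, hostname):
        h = hostname.lower().strip(".")
        return any(h == z or h.endswith("." + z) for z in self.internal_zones)

    def filter(self, hostname, answers):
        """Return (allowed_addresses, findings) for one DNS response."""
        if not answers:
            return [], ["empty answer"]
        internal = [a for a in answers if self.is_internal(a)]
        public = [a for a in answers if a not in internal]
        # A response that mixes public and internal targets is the rebinding
        # pattern: the browser may pick either one on the next connection.
        if internal and public:
            return [], [f"{hostname}: answer mixes public {public} and internal {internal}"]
        # An external name has no business pointing into the internal network.
        if internal and not self.in_internal_zone(hostname):
            return [], [f"{hostname}: external name resolved to internal {internal}"]
        return list(answers), []


if __name__ == "__main__":
    guard = RebindGuard(internal_zones=["corp.example"])
    # Constructed sample responses: one clean, one rebinding attempt.
    print(guard.filter("www.example.com", ["93.184.216.34"]))
    print(guard.filter("www.example.com", ["93.184.216.34", "10.0.0.5"]))
```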
Gadi Evron spoke about botnets. A Google search for C99Shell returns 5,700 results, and while some of those discuss C99Shell, others are sites that have been compromised, frequently through their upload tools, to host a shell that has access to pretty much anything the Web server can access. Even when it doesn’t harm the host directly, it can be used to generate spam, host files, etc. The Register also reported on the session dedicated to the malware marketplace. Gadi Evron also spoke the same evening on the “cyber-war” between Russia and Estonia, which, according to him, looked more like vigilante activity than an organized government-vs.-government attack. Estonia essentially leads the world in e-government initiatives, with many of its government and financial transactions happening exclusively online. A political scandal over the removal of a Russian monument riled up Russians, who passed messages through the blogosphere (mostly LiveJournal and forums) instructing everyone who felt insulted by Estonians to run a ping against major Estonian servers. Gadi did not go into the details of the attack, as he was interested mostly in defending. It’s also very alarming that the country was not prepared for such a level of attack, and there was essentially no emergency plan. There’s a little more information on Gadi’s blog.
Steve Topletz from the Hacktivismo Project announced the release of XB Machine, a completely anonymous virtual machine that can live on a Mini-CD or USB drive and operates via the Tor network. Perry also discussed the current architecture of XeroBank (formerly known as TorPark) and the reasons behind the commercial services it offers: XeroBank runs its own network in countries with the right privacy legislation and completely encrypts all browsing transactions, making it impossible even for them to identify you properly. There were other forward-looking announcements, but since each one was preceded by “I am not supposed to talk about this”, I won’t go into much detail; XeroBank will release the news when they’re ready.
Daniel Peck & Ben Feinstein introduced CaffeineMonkey, a tool to identify and explore potentially malicious JavaScript. From the tool’s Web site: “One of the key components of this tool is that it is behavior based, not signature based. It identifies specific behaviors that are indicative of malicious code. Building on the work of several existing client honeypot implementations, their goal is to largely automate the painstaking work of malicious software collection. The focus is on attacks using JavaScript for obfuscation or exploitation.”
Rick Deacon this morning talked about flaws discovered in the MySpace.com site; specifically, the MYUSERINFO cookie can be stolen and then used to authenticate against MySpace. There are tons of reports on Rick Deacon’s presentation on the news wires today, even though disclosure to MySpace has apparently been made and the trick only works in older versions of Firefox. Even though at the beginning of the presentation he claimed that it might impact quite a few people, you have to respect Firefox’s upgrade model: you basically have no choice but to upgrade when they tell you to. The new version is downloaded and installed, and then just waits for you to restart the browser, bugging you in the meantime.
Aviv Raff & Iftach Ian Amit this morning were able to inject a malicious JavaScript widget into the iGoogle homepage; if that widget is located on the same page as the Gmail widget, the malicious widget can read the data on the page, which is currently limited to Gmail senders and subject lines. They also discussed a vulnerability in the Live.com RSS reader, which Microsoft fixed upon disclosure, and a Yahoo! widget vulnerability, which Yahoo! fixed as well. As a side note, most of the fixes amounted to changing one or two lines of code. I asked Raff and Amit about the exploitability of Facebook profile code; they were generally unfamiliar with the site, but said that external JavaScript was the underlying platform for all of these exploits, so FBML code pushed by an app developer to a profile is safe. ComputerWorld also attended a session on AJAX exploits.
Brendan O’Connor spends his time studying the underlying security of the banking industry, specifically online banking and bill payment services. One security error in that field and a customer’s information is completely exposed, which, combined with the e-statements, tax forms, and electronic copies of checks that current online banking services keep, could have a rather dire impact on the customer’s finances. Discoveries from the talk? All those images the banks display to you to prevent phishing are sourced from a single database, with the primary key into that database displayed in the ALT field. Get an account with an online bank, go to the online banking sign-up, start choosing your images by moving through their gallery, and within a few minutes or hours, depending on your skills, you should have a complete database of the images that supposedly verify the site is not a phishing site. Also, the challenges drawn from public sources are not consistent, so if somebody tries to sign up as you at a banking site, the first time they will be asked to verify the car purchased in 1995: was it a Toyota, Honda, Ford or none of the above. Decline the challenge, come back a few days later, and the challenge question will remain the same, with the answers now being Mitsubishi, Ford, General Motors or none of the above. Notice anything interesting? Ford is present in both, giving a potential attacker the right answer about your personal information.
I missed the lockpicking presentation this year, since it was time for me to head for the airport. There was also an interesting WiFi presentation on compromising Gmail addresses (though from the description, it looks like some other Webmail providers could be vulnerable as well), which I also missed.
Defcon 15: Wrap-up | Tech & Gadget News, August 5th, 2007 at 8:56 pm
[...] late getting to our t-shirt free-for-all today, but I just found out why: He was writing a great wrap-up of the many Defcon talks he attended. It’s well worth your duration and will give you a concept of the broad slice of info [...]
Myles Long, August 6th, 2007 at 5:38 pm
Roger Dingledine is from the Tor Project, not from cDc. xB Machine was introduced by Arrakis/Steve Topletz of Hacktivismo.
Alex, August 6th, 2007 at 8:56 pm
Thanks, Myles, oops, sorry for the mismatch.
LostboY (LosT), August 6th, 2007 at 11:57 pm
Thanks for the free t-shirts - too bad you missed my contest.
LosT
rrutia, August 7th, 2007 at 6:36 am
Nice review. Good info for those who were not there.
deadlore, August 8th, 2007 at 11:50 am
Nice writeup! It almost makes up for me not being able to go.