TippingPoint Digital Vaccine Laboratories

BlackHat Federal 09: Day Two

The second day of talks and last day of the BlackHat Federal 2009 conference just wrapped up and before I head out for an evening on the town, let me share some notes on the talks I caught today:

Dissecting Web Attacks
Val Smith (founder of Offensive Computing) and Colin Ames kicked the day off for me with a guided tour through a common web attack that most of us, at some point or another, come across on a daily basis. They started by scanning a series of blog spam and mapping out the network of links to a limited set of attack sites. Analysis of the attack sites revealed attempts to exploit multiple browser platform and version vulnerabilities. In the event that none of those work, an enticing file download is offered to the user. What was most interesting about the talk was the ridiculous number of countries, fake sites, compromised legitimate sites and even home IP addresses that were used in these attacks, which I assume makes it very difficult for any individual or law enforcement agent to trace any of these attacks back to a single person.

Blinded by Flash
Prajakta Jagdale from HP gave an interesting and engaging talk on Flash security, security analysis and anti-analysis. She started with a depressing revelation that many web sites are hard coding username / password combinations directly within SWF files. A simple Google query exposed dozens of these vulnerable sites, which could be compromised with trivial static analysis. She next spoke about the usage of crossdomain.xml, which controls which domains can access local SWF files. Sites configured to use a wildcard are open to Cross-Site Request Forgery (CSRF) attacks. She quoted a statistic from Jeremiah Grossman stating that of Fortune 500 companies 8% use crossdomain policies and of those 2% were configured to utilize a wildcard. There has to be some kind of typo in that stat; if you do the math, that's less than a single site. She showed some static SWF decompilers and demonstrated a technique for breaking them. Finally, she demoed a very flashy looking (punny punny) internal HP tool named SWFScan capable of decompiling all versions of Flash and ActionScript and additionally included some impressive looking source level analysis. Most unfortunately, it does not look like that tool will ever see the light of day.
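As an added illustration (not part of the original post, and not HP's SWFScan), here is a small checker for the crossdomain.xml wildcard setting the talk warned about. The two sample policies are constructed; the element and attribute names are the ones the Flash policy file format defines.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies, not taken from any real site.
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="*.example.com" />
</cross-domain-policy>"""


def audit_crossdomain(policy_xml):
    """Return a list of findings for one crossdomain.xml document.

    Flags any allow-access-from entry that grants every domain ("*"),
    and any entry with secure="false", which lets plain-HTTP callers
    read responses from an HTTPS site. A hostile SWF served from an
    allowed origin can read authenticated responses with the victim's
    cookies, which is the exposure the talk described.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["not a cross-domain-policy document"]
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        # An absent secure attribute is treated as "true" by the policy format.
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append("wildcard domain grants every origin access")
        if secure == "false":
            findings.append(f"secure=\"false\" on {domain!r} allows plain-HTTP callers")
    return findings


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(policy) or ["no findings"])
```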

Your Face is NOT Your Password
This talk was greatly disappointing. I wasn't going to catch it originally but saw some hype around the talk on Slashdot and decided to give it a shot. The researcher set out to test the security of the consumer webcam based facial recognition technologies that are being shipped with some laptops from Asus, Lenovo and Toshiba. The talk would have been fine in a lightning slot, as the information relayed could very comfortably fit in less than 20 minutes. Unfortunately it was painfully dragged across a 75 minute session and left many questions unanswered. Let's begin with what was covered. As one might guess, all three systems can be tricked by simply holding a picture of the user in front of the camera. Lenovo sported the worst security, accepting even greyscale images. Toshiba was the best, requiring some motion to trick. All were terrible. The images used in the demos looked to be printouts of the exact same image used to train the software (as opposed to a different picture being used). There was so much more that could have been done to make the talk more interesting and fill the track time with interesting and non-redundant information. Two ideas immediately came to mind, one of which I almost finished implementing during the talk:

  1. Face fuzzing with real photos: Collect a bunch of profile pictures (I started spidering criminal mug shots) and write a simple program to cycle through them, displaying each full screen. Place the fuzz laptop in front of the target laptop and see if you can bypass the check. Record how long it takes.
  2. Face fuzzing with shapes: The facial recognition algorithms must analyze specific features of the face. Read up on the algorithm and write a small Flash script that will generate various shapes in those areas of a "face" and again place it in front of the target laptop to see if you can bypass the check. Record how long it takes. This is loosely similar (very loosely) to this.

One Cell is Enough to Break Tor's Anonymity
Though the actual technical portion of this presentation had merit, this talk was also disappointing for me. Once again we had 20 minutes' worth of information stretched across a full-length 75 minute talk. On to the technical portions. Tor utilizes 3 hops in its secure path by default. It has been believed that to compromise the anonymity of a Tor path an attacker would need to control all 3 hops, and that increasing the length of the Tor path would therefore increase security. The talk showed that if an attacker can control the entry and exit nodes, regardless of path length, then anonymity can be compromised. This is done by creating a decryption error via any of replay, insertion, modification or deletion attacks. Here is an interesting statistic: if you contribute 9% of the global Tor nodes, then you can compromise the anonymity of 60% of all connections.

Snort My Memory
The final talk I caught was given by a good friend of mine, Peter Silberman from Mandiant. I first met Peter almost 6 years ago when he applied for an internship on my team. We've since worked on many projects together and it's a good feeling to watch someone grow so rapidly in the industry. On to the talk. Peter gave a presentation on some interesting research he has been doing, built upon another recent project he took part in, Memoryze. Peter put together a tool suite allowing one to apply Snort IDS signatures to memory, essentially providing the ability to isolate infected systems before they begin to communicate over the network. He very candidly pointed out a number of shortcomings to the approach but also demonstrated some strong benefits, mainly that malware authors focus on hiding their contents on disk and keeping themselves out of the registry. Hiding from memory is a whole different ball game. Furthermore, small variations to avoid network signature detection do not affect in-memory analysis, as significant changes would be required to alter the memory footprint. Peter gave some live demonstrations, showing an example of detecting malware in memory and another of detecting a compromise by searching for Metasploit shellcode. All in all an interesting research project that he hopes to move along with the help of interested parties now that the code is all public.
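An added example, not Peter's Memoryze/Snort tooling: a minimal reader for a Snort content option (text with |hex| sections) applied to a constructed memory image, to show how a network signature can be reused against memory. The rule names and sample image are made up; Snort escape sequences inside content strings are not handled.

```python
import re

# One Snort content segment: either a |hex bytes| section or a run of literal text.
SEGMENT_RE = re.compile(r'\|([0-9A-Fa-f\s]+)\||([^|]+)')


def parse_content(option):
    """Turn a Snort content option value, e.g. '|90 90 90 90|/bin/sh', into raw bytes."""
    out = bytearray()
    for hexpart, textpart in SEGMENT_RE.findall(option):
        if hexpart:
            out += bytes.fromhex(hexpart.replace(" ", ""))
        else:
            out += textpart.encode("latin-1")
    return bytes(out)


def scan_memory(image, rules):
    """Apply each (name, content) rule to a memory image.

    Returns every (rule name, byte offset) hit, including overlapping ones,
    so an analyst can see exactly where in the image a signature fired.
    """
    hits = []
    for name, option in rules:
        pattern = parse_content(option)
        start = 0
        while True:
            idx = image.find(pattern, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1
    return hits


# Constructed memory image: zero padding, a run of x86 NOPs, a shell path, then filler.
SAMPLE_IMAGE = b"\x00" * 16 + b"\x90" * 8 + b"/bin/sh\x00" + b"A" * 8

# Constructed rules in the shape of Snort content options.
RULES = [
    ("x86 NOP run followed by shell path", "|90 90 90 90|/bin/sh"),
    ("benign marker", "AAAAAAAA"),
]

if __name__ == "__main__":
    for name, offset in scan_memory(SAMPLE_IMAGE, RULES):
        print(f"{name}: hit at offset {offset}")
```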

Again, if you want to take a peek at the slides / whitepapers from this event, browse over to:

http://blackhat.com/html/bh-dc-09/bh-dc-09-archives.html
Published On: 2009-02-19 17:14:27

Comments

  1. Anonymous commented on 2009-02-21 @ 11:33

    Hi, I'm Vietnamese. Do you know that the talk "Your face is not your password" from bkis was a big event on many Vietnamese news websites? It's really funny + ridiculous when many news websites called it "shocked in America" :)). Just Google Translate it to check ;)

    http://f.tin247.com/21385084/Vi%E1%BB%87t+Nam+%E2%80%9Cghi+%C4%91i%E1%BB%83m%E2%80%9D+t%E1%BA%A1i+h%E1%BB%99i+th%E1%BA%A3o+an+ninh+Black+Hat.html
    http://www.google.com/url?sa=t&source=web&ct=res&cd=30&url=http%3A%2F%2Fvnexpress.net%2FGL%2FVi-tinh%2FHacker-Virus%2F2009%2F02%2F3BA0B851%2F&ei=cTmgSYfWF8a-kAWfpNzGCw&usg=AFQjCNG_ItHDN0hsO01EYelz4-qvZWmNww&sig2=tgabbUd3K2Ufit1ulAkOVA
    And many other sites. Just being objective about the facts. That's the reason why almost all Vietnamese developers + hackers hate the way they market to Vietnamese consumers :))

  2. Anonymous commented on 2009-02-22 @ 20:00

    "Your face is not your password" - was a great shock.
