DEFCON 16 - Las Vegas 2008

hack-fu by Matt Hillman

Last week I attended DEFCON 16 in Las Vegas. I went last year as well, so I knew to expect the huge throngs of people, the strange mix of young, old, and crazy-haired, and all the usual antics that happen when you gather around 7 thousand hackers in one place.

There’s a lot to do at DEFCON besides attending presentations, but this year I was there for business not just pleasure, so I went on a presentation-attending marathon. I must admit that this year there were fewer “wow” moments as far as the talks were concerned, but there were still some decent talks and of course lots of opportunities to catch up with friends and acquaintances from around the world.

Here’s a list of the talks I attended, with some comments on each:

Day 1

Time-Based Blind SQL Injection Using Heavy Queries
By: Chema Alonso and Jose Parada

Nice little technique to perform blind SQL injection without the use of delay functions, instead crafting queries which tax the database enough for a noticeable delay to be seen. Nothing groundbreaking, but nifty.
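To make the defender's side of this concrete, here is an added example (my own code, not from the talk or from the blog's author) using Python's built-in sqlite3. It contrasts a string-built query with a parameterized one, and then shows a per-statement work budget, the sqlite3 equivalent of a statement timeout, aborting a deliberately expensive query. The expensive query is a constructed recursive CTE that simply counts upwards; it stands in for any statement whose cost, rather than an explicit sleep, produces the delay the talk relies on. Parameterization is the real fix; the budget only limits the damage and the timing signal when the fix is missing.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a tiny users table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 0)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Builds SQL by string formatting: the input becomes part of the query
    grammar, so a quote in it changes the WHERE clause instead of being data."""
    sql = f"SELECT id FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the value is passed separately from the statement text
    and can never alter the query structure. This is the actual fix."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


# Constructed expensive statement: a recursive CTE counting to a million. It
# stands in for any query whose cost, rather than a delay function, produces a
# measurable delay, which is the talk's point.
HEAVY_QUERY = ("WITH RECURSIVE c(x) AS "
               "(SELECT 1 UNION ALL SELECT x + 1 FROM c WHERE x < 1000000) "
               "SELECT count(*) FROM c")


def run_with_budget(conn, sql, max_ticks, tick_every=10000):
    """Runs a statement under a work budget. sqlite calls the progress handler
    every `tick_every` virtual-machine steps; a truthy return value makes it
    abort the statement with OperationalError. Server databases expose the
    same idea as statement timeouts."""
    ticks = 0

    def handler():
        nonlocal ticks
        ticks += 1
        return ticks > max_ticks

    conn.set_progress_handler(handler, tick_every)
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:  # raised as "interrupted"
        return ("aborted", str(exc))
    finally:
        conn.set_progress_handler(None, tick_every)


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "bob' OR '1'='1"))     # both rows: structure changed
    print(lookup_parameterized(db, "bob' OR '1'='1"))  # []: treated as a literal name
    print(run_with_budget(db, "SELECT count(*) FROM users", max_ticks=20))
    print(run_with_budget(db, HEAVY_QUERY, max_ticks=20))
```

The budget of 20 ticks at 10,000 steps each (200,000 VM steps) is an arbitrary value chosen for the demo; in practice you would size it from the slowest legitimate query the application is expected to run.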

Links:

Digital Security: A Risky Business
By: Ian Angell (aka the “Angell of Doom”)

A fantastic speaker, and an unusual presentation for DEFCON, dealing with some of the myths and fallacies of the high tech world.

Security and anonymity vulnerabilities in Tor: past, present and future
By: Roger Dingledine

There always seems to be a talk like this at DEFCON now, and it’s usually pretty interesting. This talk looked back at past Tor vulnerabilities, through to today, and suggested where further problems may lie. Tor’s unusual architecture always makes this a fascinating listen.

New Tool for SQL Injection with DNS Exfiltration
By: Robert Ricks

This talk demonstrated a technique and a tool to extract data through an SQL injection vulnerability by tunnelling the data through DNS. This makes for fast extraction, as more data can be extracted with each query than in traditional blind SQL injection techniques. The DNS exfiltration method is not new, but Ricks’s tool targets Oracle which, as far as I know, no practical tool did before.
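The flip side of DNS exfiltration is that it leaves a distinctive trail in resolver logs: long, encoded leftmost labels and many distinct names under one parent domain from a single client. The following is an added detection example, my own code rather than anything from the talk or the tool; the passive-DNS style log lines, the hex labels and the domains collector.example and cdn.example are constructed sample data. It flags individual queries on label length, hex encoding and entropy, counts per-client fan-out under each parent domain, and takes an allowlist because CDN and telemetry services legitimately use hashed labels.

```python
import math
import re
from collections import defaultdict

# Constructed passive-DNS style log: timestamp, client, query type, query name.
# The hex labels and the domains collector.example / cdn.example are made up.
SAMPLE_LOG = """\
2008-08-10T10:00:01 10.0.0.5 A www.example.com
2008-08-10T10:00:02 10.0.0.5 A mail.example.com
2008-08-10T10:00:03 10.0.0.7 A 4a6f686e20446f65203132332d34352d36373839.collector.example
2008-08-10T10:00:04 10.0.0.7 A 616c696365406578616d706c652e636f6d.collector.example
2008-08-10T10:00:05 10.0.0.7 A 626f62406578616d706c652e636f6d.collector.example
2008-08-10T10:00:06 10.0.0.9 A a1b2c3d4e5f6a7b8c9d0.cdn.example
2008-08-10T10:00:07 10.0.0.9 A cdn-static-assets.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def shannon_entropy(s):
    """Bits per character: encoded or random data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def registered_domain(qname):
    """Simplification: the last two labels stand in for the registrable domain
    (a real deployment would consult the public suffix list)."""
    return ".".join(qname.split(".")[-2:])


def label_reasons(label, max_len=24, min_hex_len=16, max_entropy=3.5):
    """Per-label indicators that the name is carrying data rather than a hostname."""
    reasons = []
    if len(label) >= max_len:
        reasons.append("long label")
    if len(label) >= min_hex_len and HEX_RE.match(label):
        reasons.append("hex-encoded label")
    if shannon_entropy(label) > max_entropy:
        reasons.append("high entropy")
    return reasons


def analyze(log_text, allowlist=frozenset(), fanout_threshold=3):
    """Returns per-query flags plus (client, domain) pairs with many distinct
    subdomains, the fan-out pattern that chunked exfiltration produces."""
    flagged = []
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, src, _qtype, qname = rec
        parent = registered_domain(qname)
        if parent in allowlist:  # known services whose labels are hashes by design
            continue
        seen[(src, parent)].add(qname)
        reasons = set()
        for label in qname.split(".")[:-2]:
            reasons.update(label_reasons(label))
        if reasons:
            flagged.append((src, qname, sorted(reasons)))
    fanout = [(src, parent, len(names)) for (src, parent), names in seen.items()
              if len(names) >= fanout_threshold]
    return {"flagged": flagged, "fanout": fanout}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, allowlist={"cdn.example"})
    for src, qname, reasons in result["flagged"]:
        print(f"{src} -> {qname}: {', '.join(reasons)}")
    for src, parent, n in result["fanout"]:
        print(f"{src} queried {n} distinct names under {parent}")
```

Without the allowlist the cdn.example query is flagged too, which is the main source of false positives for this kind of rule; tuning is mostly a matter of building that list from your own resolver's baseline.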

Anti-RE Techniques in DRM Code
By: Jan Newger

Fascinating look at some of the devious techniques DRM code uses to make it harder to reverse. Slides featured a pixelated section of a diagram to avoid revealing the full DRM algorithm.

NMAP-Scanning the Internet
By: Fyodor

Really enjoyed this one. I hadn’t seen Fyodor present before and he is a very engaging speaker. His talk contained some interesting metrics based on his mammoth scans of large parts of the internet, allowing him to give advice on the most efficient scan options. He also added a variety of very nice features to nmap to be released soon.

Keeping Secret Secrets Secret and Sharing Secret Secrets Secretly
By: Vic Vandal

The talk focused mainly on issues surrounding steganography.

Virtually Hacking
By: John Fitzpatrick

John is a colleague of mine, so naturally I went to heckle this presentation ;) In all seriousness though it’s an interesting talk about VMware security. He released some scripts to manipulate VMware in some very interesting ways.

Day 2

RE:Trace: The Reverse Engineer’s Unexpected Swiss Army Knife
By: David Weston and Tiler Beauchamp

This was a great talk, and one I will probably use in some future research of mine. RE:Trace is a Ruby framework written around DTrace which allows you to do some kung-fu to help in reverse engineering and exploit writing. It includes some very nice integration with IDA Pro.

Hacking Desire
By: Ian Clarke

Not what I expected, but interesting nonetheless, the talk focussed on how systems can build a predictive picture of what users like.

Feed my SAT Monkey
By: Major Malfunction (aka Adam Laurie)

Hacking satellites. Do I need to say any more? Well ok, no sending data to satellites here, but an interesting insight into the world of hunting for interesting signals, including TCP/IP data that you “wouldn’t believe”.

Is that a unique credential in your pocket or are you just pleased to see me?
By: Zac Franken

If you’ve never seen someone take a silicone cast of their hand to fool a hand scanner, you haven’t lived.

VulnCatcher: Fun with Vtrace and Programmatic Debugging
By: atlas

This talk showed techniques for programmatically finding when an exploitable bug “likely” occurred during fuzzing, so you can home in on the truly interesting crashes quickly. It included an amusing interruption in which atlas was attacked by a fully automatic nerf gun.

Introducing Momentary Faults Within Secure Smartcards/Microcontrollers
By: Christopher Tarnovsky

Some of this talk was a bit over my head (I’m a software monkey at heart), but it was quite amazing to see how you could physically mess with circuits on a chip to bypass certain restrictions. Included live, participatory demonstration!

Day 3

Malware Detection Through Network Flow Analysis
By: Bruce Potter

It’s not as if you can not go to a Bruce Potter talk. He started off with some insightful comments about the security industry generally, and moved on to the main topic of discussion, showing how best to analyse network flow from a security analyst’s point of view, as opposed to that of a purely operationally concerned person. Before the talk, Bruce took part in a small TF2 LAN game that was put up on the big screen as we filed in.
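One of the things flow data shows an analyst that an operations view does not is periodicity: a compromised host checking in with a controller tends to produce connections at near-constant intervals with near-constant sizes, which look like nothing at all on a bandwidth graph. Here is an added example of that kind of beaconing detection. It is my own code, not from the talk; the flow records (epoch seconds, source, destination, port, bytes) are constructed, and 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges. It groups flows per (source, destination, port), then scores each group by the coefficient of variation of its inter-arrival times and byte counts.

```python
import statistics
from collections import defaultdict

# Constructed flow records: epoch seconds, src, dst, dst port, bytes.
# 10.0.0.7 connects out every ~60 s with ~512 bytes; 10.0.0.5 browses irregularly.
SAMPLE_FLOWS = """\
1218362400 10.0.0.7 203.0.113.10 443 512
1218362460 10.0.0.7 203.0.113.10 443 518
1218362521 10.0.0.7 203.0.113.10 443 512
1218362580 10.0.0.7 203.0.113.10 443 509
1218362640 10.0.0.7 203.0.113.10 443 512
1218362699 10.0.0.7 203.0.113.10 443 515
1218362760 10.0.0.7 203.0.113.10 443 512
1218362820 10.0.0.7 203.0.113.10 443 511
1218362400 10.0.0.5 198.51.100.20 80 14820
1218362405 10.0.0.5 198.51.100.20 80 2201
1218362447 10.0.0.5 198.51.100.20 80 90331
1218362448 10.0.0.5 198.51.100.20 80 431
1218362600 10.0.0.5 198.51.100.20 80 7710
1218363300 10.0.0.5 198.51.100.20 80 1290
"""


def parse_flows(text):
    """Parses the whitespace-separated records above into typed tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def coefficient_of_variation(values):
    """Population std-dev divided by mean; near 0 means clockwork regularity."""
    if len(values) < 2:
        return None
    mean = statistics.mean(values)
    if mean == 0:
        return None
    return statistics.pstdev(values) / mean


def find_beacons(flows, min_flows=6, max_gap_cv=0.1, max_size_cv=0.2):
    """Returns (key, gap_cv, period_seconds) for connection groups whose timing
    and size are both regular enough to look like a scheduled check-in."""
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        groups[(src, dst, dport)].append((ts, nbytes))
    hits = []
    for key, recs in groups.items():
        if len(recs) < min_flows:
            continue
        times = sorted(t for t, _ in recs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        gap_cv = coefficient_of_variation(gaps)
        size_cv = coefficient_of_variation([b for _, b in recs])
        if gap_cv is None or size_cv is None:
            continue
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            hits.append((key, round(gap_cv, 3), round(statistics.mean(gaps), 1)))
    return hits


if __name__ == "__main__":
    for key, gap_cv, period in find_beacons(parse_flows(SAMPLE_FLOWS)):
        src, dst, dport = key
        print(f"{src} -> {dst}:{dport} every ~{period}s (gap CV {gap_cv})")
```

Real check-in traffic often adds deliberate jitter, so the thresholds above are a starting point, and a long observation window (hours rather than minutes) matters more than the exact cut-off; the point is that the signal lives in the timing, which only flow-level data preserves.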

Advanced Software Armouring and Polymorphic Kung-Fu
By: Nick Harbour

Nick Harbour had developed a pretty cool packer which used some amazing techniques to screw with analysis of the disassembly. My favourite was instructions that jump half way into their own bytecode, at which point new meaningful instructions emerge.
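That trick works because x86 instructions are variable length and can overlap, so a disassembler that decodes bytes in order (a linear sweep) sees a different instruction stream from one that follows control flow (recursive descent). The following added example, my own toy decoder rather than anything from the talk or the packer, makes the difference visible on a constructed six-byte sequence: a two-byte short jump whose target is its own second byte. The decoder knows only the handful of opcodes needed for the demo (nop, ret, inc/dec, short jmp, the FF and C0 groups) and is not a general x86 disassembler.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed bytes: "EB FF" is a short jump to offset 1, i.e. into its own
# second byte. From there the CPU executes "FF C0" (inc eax), "48" (dec eax)
# and "C3" (ret); a linear sweep instead decodes "C0 48 C3 90" as one shift.
SAMPLE = bytes.fromhex("EB FF C0 48 C3 90")

SHIFT_GROUP = ["rol", "ror", "rcl", "rcr", "shl", "shr", "sal", "sar"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class Insn:
    offset: int
    length: int
    mnemonic: str
    text: str
    jump_target: Optional[int] = None  # set for unconditional jumps
    stops: bool = False                # ret: no fall-through successor


def signed8(b):
    return b - 256 if b >= 128 else b


def modrm_extra(modrm):
    """Bytes following a ModRM byte (SIB/displacement), 32-bit addressing, toy rules."""
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3:
        return 0
    extra = 1 if rm == 4 else 0            # SIB byte present
    if mod == 0:
        return extra + (4 if rm == 5 else 0)
    if mod == 1:
        return extra + 1
    return extra + 4


def decode(code, off):
    """Decodes one instruction at `off`; None if bytes run out or opcode is unknown."""
    if off >= len(code):
        return None
    op = code[off]
    if op == 0x90:
        return Insn(off, 1, "nop", "nop")
    if op == 0xC3:
        return Insn(off, 1, "ret", "ret", stops=True)
    if 0x40 <= op <= 0x47:
        return Insn(off, 1, "inc", f"inc {REGS32[op - 0x40]}")
    if 0x48 <= op <= 0x4F:
        return Insn(off, 1, "dec", f"dec {REGS32[op - 0x48]}")
    if op == 0xEB and off + 1 < len(code):                     # jmp rel8
        target = off + 2 + signed8(code[off + 1])
        return Insn(off, 2, "jmp", f"jmp short 0x{target:02x}", jump_target=target)
    if op in (0xFF, 0xC0) and off + 1 < len(code):
        modrm = code[off + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if op == 0xFF and mod == 3 and reg in (0, 1):           # FF /0 inc, FF /1 dec
            mn = "inc" if reg == 0 else "dec"
            return Insn(off, 2, mn, f"{mn} {REGS32[rm]}")
        if op == 0xC0:                                          # C0 /r ib: shift r/m8, imm8
            length = 2 + modrm_extra(modrm) + 1
            if off + length <= len(code):
                if mod == 1 and rm != 4:
                    operand = f"byte [{REGS32[rm]}{signed8(code[off + 2]):+#x}]"
                else:
                    operand = "byte r/m8"
                mn = SHIFT_GROUP[reg]
                return Insn(off, length, mn, f"{mn} {operand}, 0x{code[off + length - 1]:02x}")
    return None


def linear_sweep(code):
    """Decodes bytes in address order, ignoring control flow."""
    out, off = [], 0
    while (insn := decode(code, off)) is not None:
        out.append(insn)
        off += insn.length
    return out


def recursive_descent(code, entry=0):
    """Decodes only what is reachable, following jumps and stopping at ret."""
    found, work = {}, [entry]
    while work:
        off = work.pop()
        if off in found or (insn := decode(code, off)) is None:
            continue
        found[off] = insn
        if insn.jump_target is not None:
            work.append(insn.jump_target)
        elif not insn.stops:
            work.append(off + insn.length)
    return [found[o] for o in sorted(found)]


def overlapping_offsets(insns):
    """Offsets of instructions that start inside another decoded instruction."""
    return [i.offset for i in insns
            if any(o.offset < i.offset < o.offset + o.length for o in insns)]


if __name__ == "__main__":
    for name, listing in (("linear sweep", linear_sweep(SAMPLE)),
                          ("recursive descent", recursive_descent(SAMPLE))):
        print(name)
        for i in listing:
            print(f"  {i.offset:02x}: {SAMPLE[i.offset:i.offset + i.length].hex():<10} {i.text}")
    print("overlapping:", overlapping_offsets(recursive_descent(SAMPLE)))
```

For an analyst the takeaway is that an instruction starting inside another one is itself a strong indicator of this kind of armouring, which is why the overlap check is worth running over whatever your disassembler recovers.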

DNS
By: Dan Kaminsky

If I have to explain this one, you must have been living under a rock. I actually only caught the second half, as the line to get in to his talk was insanely long. But he spoke for almost 2 hours and I managed to hear some of his comments on the implications of easy DNS poisoning. Afterwards, he gave out cookies!

Race-2-Zero Unpacked
By: Simon Howard

A dissection of the controversial Race-2-Zero contest in which participants had to get various malware past virus scanning engines.

Toaster, a Modular NetBSD Rootkit
By: Anthony Martinez and Thomas Bowen

The guys seemed quite nervous in this presentation, but the material behind it was an interesting look at how they implemented this BSD rootkit.

Malware RCE: Debuggers and Decryptor Development
By: Michael Ligh and Greg Sinclair

This demo driven presentation looked at techniques and tips for effectively analysing malware samples.

Pen-Testing is Dead, Long Live the Pen Test
By: Taylor Banks and Carric

An insightful look at the history and development of pentesting, its roots in hacker culture, what went wrong, and how to progress into the future.

Summary

I really enjoyed “The Pen-Test is Dead, Long Live the Pentest” as it tied in quite closely with what I am seeing myself and the changes we are making at MWR InfoSecurity. On a technical level my favourite talks were probably RE:Trace, Anti-RE Techniques in DRM Code and Polymorphic Kung-Fu. I wish I had got to see Jason Scott’s talk; he has to be one of my favourite speakers, but his talk wasn’t technical, and as I was there on company time I decided to take in the technical talks on at the same time instead.


3 Responses to “DEFCON 16 - Las Vegas 2008”

  1. Squidly1 Says:

    Awesome write-up, Cyber!! Now I REALLY am sad that I didn’t make it out there this year : ((… One slight note about the keeping secrets secret talk - was it about steganography and not about note taking? Keke. ; P Sad that I missed you and the others… Maybe I’ll see you at ShmooCon in 2009.

  2. Jason Scott Says:

    I appreciate the compliment! This particular talk was more a case of talking about the upcoming documentary so it was something of interest but probably not as funny/entertaining as people might like.

    Also, I missed Squidly1.

  3. Squidly1 Says:

    Awww… You always make it entertaining, J. OOO… I also downloaded the available videos (about 37 of them) from Last HOPE. I’m mirroring a few of them here for those who don’t torrent. http://hax0r.schleppingsquid.net/?p=77. Sadly, “One Last Time: The Hack/Phreak History Primer” is not available (to me) on video yet :((.
