06 August 2009
~4 min
By marco
[part 1 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]
Goal
We wanted to demonstrate how access to cloud resources can bring certain attack classes within reach of regular users. Instead of focusing on brute-forcing regular user credentials such as usernames and passwords, we decided to look at less noisy options, since failed logins would typically be a closely watched metric.
To this end, different types of session identifiers were examined. The thinking was that by brute-forcing session IDs instead of credentials, the monitoring systems might be less likely to pick up the attack, and the cloud gives the attacker vast amounts of bandwidth and processing power that were not previously available. However, even with access to cloud resources, most “strong” session IDs would still be large enough to resist this attack (think 128-bit sessions such as those stored in ASP.NET cookies).
06 August 2009
~1 min
By marco
Our BH09/DC17 presentation relied heavily on videos for the demos, and they’ve been blogged separately. Links below (will be made active once the upload is complete):
[slides]
[SugarSync]
[SalesForce Clickjack]
[SalesForce Sifto]
[Amazon Web Services]
[MobileME]
05 August 2009
~1 min
By marco
[updated: videos will be made available on this page]
140 slides in 75 minutes. They said it couldn’t be done… and they were right! (mostly)
Regardless, our Vegas trip was as much fun as previous years and our presentations at BlackHat and DEFCON went down well from the looks of things. While we plan on writing up the interesting parts, a number of people have requested access to the slide deck in the meantime, and we’ve posted them here:
08 July 2009
~4 min
By marco
We were invited to speak at the recent ISSA2009 conference in Joburg, a local, mostly academic security conference, and I decided to carry a message in addition to the regular demo-style talk with which we try to entertain. By coincidence, Haroon also had his peer-reviewed talk on Apple Exploitation Defences accepted, so there were two SensePosters talking to the tweed jackets. I figured the most important bit of the presentation should be mentioned first, so before we carry on I’d like to present our attacker:
24 July 2008
~1 min
By marco
Kaminsky’s thunder has all but evaporated into a fine mist, and Ptacek has gone all silent. In the meantime, the MetaSploit crowd put their heads down and produced:
http://www.caughq.org/exploits/CAU-EX-2008-0003.txt
DNS poisoning for the masses.
(If anything ever deserved the tag ‘infosec-soapies’, this would be it!!!)
07 July 2008
~1 min
By marco
found this online last night. try in FF or IE7:
javascript:document.body.contentEditable='true'; document.designMode='on'; void 0
then edit the page in-place, screenshot, and make your scam millions…
at least, it beats editing HTML?
13 June 2008
~2 min
By marco
since forever, i’ve been told (and told others) that the greatest threat is from the inside. turns out, not so much. verizon business (usa) apparently conducted a four year study on incidents inside their organisation and found that the vast majority, 73%, originated from outside. however, the majority of breaches occurred as a result of errors in internal behaviour such as misconfigs, missing patches etc. (62% of cases).
So attackers are generally outsiders taking advantage of bad internal behaviours, rather than local users finding 0-day. From the exec summary:
19 October 2007
~2 min
By marco
while waiting around for the PSW guys last night, it seemed like a good time to test our mettle on the foosball table. we’ve witnessed rapid development of general foos skills in the office since the introduction of the table a few weeks ago, and the improvement in shot speed has been noticeable. of course, questions always remain as to the difference between actual and perceived velocity of shots, and the only way to answer the questions is by a clean, scientific test.
26 September 2007
~1 min
By marco
saw this in my RSS reader, the null poison byte makes a comeback!
Until it gets fixed, you can view here.
24 July 2007
~1 min
By marco
A little while back we published our first public QoW for your abuse and enjoyment, and the time to close it is ………. now. The new QoW is available here.
Thanks for the efforts; we received a fair number of answers and are still figuring out how to go about recording your submissions. For now, we’ll publish the first correct answer, and discuss the answer in brief. Over to Haroon:
Jeremiah Grossman was the first correct answer, with valiant attempts from many others. Acceptable solutions involved either the use of JavaScript / HTML comments to allow our injection to span multiple lines (or really really small urls :>)