Blog
About:SnowLeopard
Sure it only cost $29, but when you consider the number of people bowing down and thanking our Cupertino overlords you have to consider the following:
If the Emperor was given his new clothes today, #emperors_clothes would be trending on twitter (with ppl thanking the tailors for reduced closet space requirements)
/mh
MonSoen.py
I was recently playing with a Wingate Proxy server, came across some arbitrary interestingness.
So, WinGate proxy includes a remote management agent which is accessed via a client utility called GateKeeper. This allows one to configure the WinGate server across the network. However, its not enabled to listen on the network by default, and only listens on 127.0.0.1:808. From my perusal of the documentation, the remote administrative facility should only be available to enterprise and professional license holders, and those firms using standard edition licenses will have to configure their proxy software locally.
John Viega’s “the myths of security”.. Really??
i go through a ton of books. Over the past 10 years, this has been dominated by books on computer security, computer science, programming (and some sprinklings of management classics).
I generally stay away from writing reviews, but was genuinely suprised at the number of 5 star reviews Viega’s new book had received and felt i had to chime in.
I picked up “the myths of security” (what the computer industry doesn’t want you to know) with hope, because O’Reilly books in general are well done and i really liked some of Johns previous books. Alas! I tried hard to think of a good thing to say about the book, and the best i can come up with right now is that “at least, it wont take up space on my bookshelf”.
The book is tiny (48 chapters, where each chapter is between a paragraph to 2-3 pages) which isn’t a bad thing, but it reads mostly as a collection of blog posts or hurriedly written notes-to-self.
BlackHat presentation demo vids: MobileMe
[part 5 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]
Goal The final installment of our BlackHat video series showcases weaknesses in the password reset feature for Apple’s MobileMe service as well as publicizing an XSS vulnerability in the application. At first glance the choice of MobileMe may seem arbitrary, but it was useful for a number of reasons. MobileMe is one of the more popular consumer-focused cloud services and it’s a good example of the feature-creep that’s a hallmark of cloud systems. By compromising a user’s MobileMe account an attacker has access to much more than just the user’s mail. With each new feature addition the user is sucked into the service a little more until most of their data is stored within MobileMe, and a compromise of the account becomes serious for the user.
BlackHat presentation demo vids: Amazon
[part 4 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]
Goal In the fourth installment of our BlackHat video series, we turned our attention to Amazon’s cloud platform and focused on their Elastic Compute Cloud (EC2) service specifically.
Theft of resources is the red-headed step-child of attack classes and doesn’t get much attention, but on cloud platforms where resources are shared amongst many users these attacks can have a very real impact. With this in mind, we wanted to show how EC2 was vulnerable to a number of resource theft attacks and the videos below demonstrate three separate attacks against EC2 that permit an attacker to boot up massive numbers of machines, steal computing time/bandwidth from other users and steal paid-for AMIs.
BlackHat presentation demo vids: SalesForce Sifto
[part 3 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]
Goal Our third video write-up covers abuse of cloud services. By signing up for free accounts, it is possible to gain access to small amounts of free resources, specifically processing time and bandwidth. However these resources are tightly controlled to maintain fairness across the many thousands of users who share the same platform.
We aim to circumvent some of these controls in order to access more resources than should be allowed, and we demonstrate this on the Force.com platform which supports the ability for a developer to upload and execute custom code. Our proof-of-concept was to port Nikto into a Force.com application, and we named it Sifto.
BlackHat presentation demo vids: SalesForce ClickJacking
[part 2 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]
Goal The premise behind this video was that while we are migrating more and more services into the cloud, the front-end through which the services are accessed as well as managed is (in many cases) a web application and we still have not figured out how to write secure web applications reliably. The implication is that business-critical services and infrastructure maybe at risk due to a web developer’s mistake.
BlackHat presentation demo vids: SugarSync
[part 1 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]
Goal We wanted to demonstrate how access to cloud resources can bring certain attack classes within reach of regular users. Instead of focusing on brute-forcing regular user credentials such as usernames and passwords, we decided to look at less noisy options since failed logins would typically be a closely watched metric.
To this end, different types of session identifiers were examined. The thinking was that by bruting session IDs instead of credentials the monitoring systems might be less likely to pickup the attack, and the cloud gives the attacker vast amounts of bandwidth and processing power that was not previously available. However even with access to cloud resources, most “strong” session IDs would still be large enough to avoid this attack (think 128-bit sessions such as those stored in ASP.NET cookies).
BlackHat presentation demo vids: Summary
Our BH09/DC17 presentation relied heavily on videos for the demos, and they’ve been blogged separately. Links below (will be made active once the upload is complete):
[slides]
[SugarSync]
[SalesForce Clickjack]
[SalesForce Sifto]
[Amazon Web Services]
[MobileME]
Clobbering the cloud slides
[updated: videos will be made available on this page]
140 slides in 75 minutes. They said it couldn’t be done… and they were right! (mostly)
Regardless, our Vegas trip was as much fun as previous years and our presentations at BlackHat and DEFCON went down well from the looks of things. While we plan on writing up the interesting parts, a number of people have requested access to the slidedeck in the mean time, and we’ve posted them here: