Conferences
BlackHat presentation demo vids: Summary
Our BH09/DC17 presentation relied heavily on videos for the demos, and they’ve been blogged separately. Links below (will be made active once the upload is complete):
[slides]
[SugarSync]
[SalesForce Clickjack]
[SalesForce Sifto]
[Amazon Web Services]
[MobileME]
Clobbering the cloud slides
[updated: videos will be made available on this page]
140 slides in 75 minutes. They said it couldn’t be done… and they were right! (mostly)
Regardless, our Vegas trip was as much fun as previous years and our presentations at BlackHat and DEFCON went down well from the looks of things. While we plan on writing up the interesting parts, a number of people have requested access to the slidedeck in the mean time, and we’ve posted them here:
Wishlist for graduates
We were invited to speak at the recent ISSA2009 conference in Joburg, a local mostly academic security conference and I decided to carry a message in addition to the regular demo-style talk with which we try to entertain. By co-incidence, Haroon also had his peer-reviewed talk on Apple Exploitation Defences accepted so there were two SensePosters talking to the tweed jackets. I figured the most important bit of the presentation should be mentioned first, so before we carry on I’d like to present our attacker:
Apple vs Microsoft as a malware target.. stop saying market share..
I really enjoy listening to Mac Break Weekly.. Leo Laporte is an excellent host and i would tune in just to hear [Andy Ihnatko’s] take on the industry and the (possible) motivations behind certain players moves. (he is sometimes wrong, but always worth listening to). The only time the things ever get a little cringe-worthy is when talk switches to malware and security (although both Andy and Leo for the most part have pretty reasonable balanced views on it).
Excellent paper from MSFT Research on inline proxies vs. SSL
Ron Auger sent an email to the [WASC Mail list] on some fine work presented recently by Microsoft Research. The paper (and accompanying PPT), titled [Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments] is pretty cool and shows several techniques for a malicious inline proxy to sniff SSL sessions passing through the proxy. Its genuinely a bunch of cool findings and has been handled neatly (with the exception of some shocking clipart!).
Ranum Reloaded..
A little while back i commented on Marcus Ranums HiTB talk “Cyberwar is Bullshit!“. I ended the post with the words “Ranum is indeed much better than this..“. Ranum spoke recently at Source Boston, and his talk [The Anatomy of Security Disasters] indeed shows this is true..
If you are in the industry to make a quick buck, or because it beats flipping burgers at McD’s, you probably dont need to, but if you are involved with security decisions at any level, then you really should take a few minutes to digest his talk.
!exploitable [Vuln finding freebie from MSFT]
Microsoft released !exploitable at CanSecWest this year. The debugger extension, and the accompanying slide deck can be found [here].
I have not looked at it, but a glance at the slides implies that they aim to solve the problem of too many dumps – not enough time..
Its pretty cool.. and that Microsoft is releasing this is even cooler..
Like deja-vu (all over again)
Those of you who were around in 2001 will recall http://anti.security.is (anti-sec f.a.q)..
The sentiment pops up periodically (in different forms) and it seems like CansecWest this year has seen a resurgence of it.. From Charlie Millers comments on the Safari bug:
“Did you consider reporting the vulnerability to Apple?
I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.”
CodeGate – 2009
[beistlabs] [CodeGate] has come and gone.. A nice writeup of the event can be found [here] with a pdf of challenges and solutions [here]
Defcon 16 Videos Available..
Ok.. So The Dark Tangent announced this [a few days ago], but i felt it deserved mention because i was genuinely wow’ed at the video quality.. I have only gone through a couple of the presentations, but its the first time ive found demos video’d well enough to follow ferpectly on screen..
Readers can pull the videos from [here]
SensePost’ers can pull from [here]
/mh
PS. When we did our talk (pictured above) i had almost no voice and a flu from hell