Dailydave
mailing list archives
HITB trip report
From: Dave Aitel <dave () immunitysec com>
Date: Mon, 03 Oct 2005 14:21:28 -0400
As always, this is a trip report where I go through my fuzzy
recollections of the conference and share that with the DD list at large.
________________________________________________________________
First of all, the keynote from Microsoft's IE 7 team was oddly
informational. I had a chance to chat with them later at lunch, and
asked them about some more technical specifics. I think the ground
breaker is this:
1. Vista implements setuid() (via SACL in the filesystem) !!!!!! <---!!!!!! \o/ !
o This is both good and bad. It heavily complicates the security
model, which was already complicated enough. I'm sure it'll result in at
least one neat local root.
2. IE uses this to mark any executable you download as a very low priv
user so even if you do execute it, it can't do anything harmful.
3. IE has a new mode that sections off the IE process (and all ActiveX,
extensions, etc.) as a low priv user and has them doing all file
operations via another process (like OpenSSH privsep).
o I wonder how it authenticates the process as being from IE and not
from somewhere else.
o They mess with the import table to implement this, I believe, and
so a smart ActiveX control could get around it, but they'd be writing to
the disk as a low priv user (unless there was some sort of other token
in the process they could steal).
o The really hard part here is dealing with the tokens. If I auth to
a site as admin (which, I believe, you do automatically, but most people
will do manually if necessary) then I have a token sitting around, maybe.
I dunno. If there are non-restricted tokens sitting in the process, then
the whole priv-sep thing is broken. Knowing MS, they didn't study
OpenSSH to see the issues they solved. (I love that about them, it's
cute! :>)
4. IE has "phishing protection" which is a big list of bad sites and
some heuristics backing it. They don't plan on easily letting you extend
this to third-party protection systems yet. I can see how that makes
business sense for them - and a closed system is easier to defend as well.
5. We all have to wait for the next Vista beta to see a real IE 7 anyways.
I guess everyone's question is "At what point will Vista implement
chroot() as well as setuid()!" Then maybe we could get fork()!
I asked a question during the talk: "Have you used the fuzzers you built
to test IE against Firefox?"
answer: "no"
Those fuzzers are on the VS Beta CD they were handing out, so someone
should definitely give it a shot...
No entirely CLR IE for a while....which is sad.
Final Conclusion: Spyware will have to start using local kernel
exploits. (assuming they aren't already) (This would probably bypass
honeymonkey as well ...)
______________________________________
VIA has apparently implemented a copy of BestCrypt backed up by some
extra hardware in their newest line of chips. They decided to publicize
this by having a snake-oil competition to "crack" their encryption at
the conference. They need to fire their publicity team. No one is
falling for a competition worth "5000 USD" (actually "5000 USD worth of
software" !) where you are not allowed to install anything on the
machine you are testing. Are you supposed to crack RSA in your head?
Having RSA and AES hardware accelerated in your chip is perfectly
interesting already. We're willing to listen to you explain what you
have, without having the world's most inane competition over it.
_________________________________________
I tried to visit all the technical track talks, but in some cases my
memory has already faded (I had very little sleep and arrived at the
conference the day it started...)
Speakers kept forgetting to repeat the questions that were asked of
them. This is mildly annoying.
_________________________________________
The Grugq did a great talk on VoIP which ran down the buggy protocols
they use and talked about a lot of the problems in each of them.
Probably the biggest problem is that they mostly assume security is
handled via a lower layer (like IPsec) and hence don't have any of
their own. Another huge problem is places that do their authentication
via caller ID, which can easily be spoofed. Plenty of places do this,
including Florida's gas company. So, in other words, people can charge
their gas bill to anyone living in Florida. This is very bad.
_________________________________________
STIF-ware Evolution - Meder Kydyraliev and Fyodor Yarochkin
This was a good talk in many ways, but the technology isn't advanced
enough to really give the demo the wow-effect that some people want to
see. The basic idea is they've wrapped all the security tools you'd want
(nmap, Nessus, etc.) with XML wrappers, and each of them can then use a
framework to trigger off the others. So for example, you can give it a
list of hosts, and it calls "add ip BLAH" and then you have, say, a
scanner module waiting for new IP notifications, and it reports "VULN
blah" and then a module waiting for that runs and gets you root.
Of course, the devil is in the details. This sort of system is going to
be hard to make efficient.
_________________________________________
Joanna Rutkowska's talk on Windows kernel rootkit finding was good - her
basic hypothesis (which I agree with) is that if you enumerate all the
places in the kernel people can hook, you can write a reliable rootkit
detector. My stance is that there's just not enough entropy in the
kernel to truly hide in.
_________________________________________
HITB also had auctions for random things - I think this would have
worked better if all the things were really unique things you couldn't
get anywhere else.
_________________________________________
At udrw.com you can get a USB key that pretends it's a CD-ROM. This is
great for autorun, apparently.
_________________________________________
CTF
Capture the flag was awesome. People loved it - they made it a truly
spectator sport. One of the ways they did this was having a sane policy
on teams (3 people max), scoring (hacking got you a high score...). The
winning team (GO TEAM PANDA! :>) not coincidentally was the team that
got the exploit for a custom overflow done first. Neat, huh?
_________________________________________
Nematodes:
http://www.immunityinc.com/downloads/nematodes.pdf has a PDF'd slidepack
from my talk. Let me know what you think. :>
Overall - professionally organized, well put-together conference. Hotel
was 5 star...and it showed. Conference is largely under-priced, even
including plane ticket price.
-dave
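The notification-driven tool framework described under STIF-ware Evolution (a host is added, a scanner module waiting on IP notifications fires, its "VULN" report triggers the next module) is easy to sketch in code. The block below is an added example written for this archive page; it is not STIF-ware's code and not part of Dave's post. The `Framework`, `Notification` and module names are hypothetical, the scan and vulnerability tables are constructed sample data (nothing is scanned), and the last module opens a remediation ticket rather than running anything. It also shows the efficiency detail the post hints at: events are queued, not recursed, and deduplicated so two modules cannot re-trigger each other on the same host forever.

```python
"""
Added example (not from the STIF-ware project or the original post): a toy
version of a notification-driven tool framework. Each "module" stands in
for an XML-wrapped tool, waits for one kind of notification, and emits
new notifications for other modules. All tool output is constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Notification:
    kind: str            # e.g. "ip", "port", "vuln"
    target: str          # host the notification is about
    detail: str = ""     # free-form payload, e.g. an open port or finding id


class Framework:
    """Dispatches notifications to the modules subscribed to their kind.

    Work is queued rather than recursed so a chatty module cannot blow the
    stack, and each distinct (kind, target, detail) triple is processed at
    most once, which stops two modules from ping-ponging the same host.
    """

    def __init__(self):
        self.subscribers = {}            # kind -> [module callables]
        self.queue = deque()
        self.seen = set()
        self.log = []                    # ordered record of processed events

    def subscribe(self, kind, module):
        self.subscribers.setdefault(kind, []).append(module)

    def emit(self, note):
        if note not in self.seen:        # dedup: drop repeats of the same event
            self.seen.add(note)
            self.queue.append(note)

    def run(self):
        while self.queue:
            note = self.queue.popleft()
            self.log.append(note)
            for module in self.subscribers.get(note.kind, []):
                for produced in module(note):
                    self.emit(produced)
        return self.log


# --- Modules: stand-ins for wrapped tools, with constructed output ---------

FAKE_SCAN = {                            # constructed "port scanner" results
    "10.0.0.5": ["22/tcp open ssh", "80/tcp open http"],
    "10.0.0.6": ["443/tcp open https"],
}

FAKE_VULNS = {                           # constructed "vuln scanner" results
    "10.0.0.5": ["outdated-http-server"],
}

TICKETS = []                             # remediation tickets opened this run


def portscan_module(note):
    """Waits for 'ip' notifications; emits one 'port' notification per open port."""
    for line in FAKE_SCAN.get(note.target, []):
        yield Notification("port", note.target, line)


def vulnscan_module(note):
    """Waits for 'port' notifications; emits a 'vuln' notification per finding.
    It fires once per port, so the same finding can be produced twice for a
    host; the framework's dedup collapses those into one event."""
    for finding in FAKE_VULNS.get(note.target, []):
        yield Notification("vuln", note.target, finding)


def ticket_module(note):
    """Waits for 'vuln' notifications and records a remediation ticket."""
    TICKETS.append(f"{note.target}: {note.detail}")
    return []


def run_pipeline(hosts):
    """Wire the modules up, feed the host list, return (event log, tickets)."""
    TICKETS.clear()
    fw = Framework()
    fw.subscribe("ip", portscan_module)
    fw.subscribe("port", vulnscan_module)
    fw.subscribe("vuln", ticket_module)
    for host in hosts:
        fw.emit(Notification("ip", host))      # the "add ip BLAH" entry point
    return fw.run(), list(TICKETS)


if __name__ == "__main__":
    events, tickets = run_pipeline(["10.0.0.5", "10.0.0.6", "10.0.0.5"])
    for e in events:
        print(e.kind, e.target, e.detail)
    print("tickets:", tickets)
```

Feeding the duplicate host and the two open ports on 10.0.0.5 exercises the dedup path: six events are processed in total and exactly one ticket is opened, even though the host was submitted twice and the vuln module fired twice for it.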