Monday, March 30th, 2009
Catching Up!
Whew! It’s been a busy couple of months for me. I’m always curious as to how I get so much on my plate. A quick recap of some of the stuff I’ve been working on / or have coming in the near future:
1) HITB Dubai is almost here! I’ve been selected to give two talks at HITB in Dubai. Although I’ve spent a significant amount of time in various parts of the Middle East, I’ve never actually been to Dubai. Dhillon is always an EXCELLENT host and I’m looking forward to seeing the sights. As for the talks I’ll be giving in Dubai, the first (Biting the Hand that Feeds You – Reloaded) is an extension of a talk Nate McFeters and I gave at Defcon 15. It involves a lot of interesting application design scenarios that introduce security weaknesses in modern day web applications. It’s a very interesting collection of Content Ownership issues, some funky ways to abuse web application sessions, and a demo of some attacks against modern day web applications including Twitter and Facebook (the respective security teams have already been notified). For the second talk (Cross Domain Leakiness), I’ll be co-presenting with Chris Evans from Google. Chris is a super sharp guy and we’ll be talking about some interesting browser bugs we’ve discovered, as well as some techniques to bypass SSL protection mechanisms. I’m also looking forward to seeing Nitesh Dhanjani’s talk (Psychotronica). I’ve seen a sneak preview of the talk and it’s a very powerful illustration of how we can piece together people’s lives like jigsaw puzzles, learning more about them than they probably know about themselves!
2) Jeff Carr put out the second paper in the Grey Goose Series (first paper here, second paper here). Contact Jeff directly if you are interested in getting a GOVT only version of the papers. Jeff has assembled a crack team of intelligence specialists (many of whom wish to remain anonymous), pulling together an impressive cyber intelligence capability that probably rivals some state sponsored intelligence agencies. The team is small enough to allow for lightning fast action without bureaucracy, but just large enough to bring an impressive intelligence eye to modern day problems. Jeff focuses on analysis related to politically motivated events around the world. I’m proud to be a part of the Grey Goose team; it is exciting work and perfectly in line with my background. Jeff and I will be traveling to Estonia in June to speak at the Conference on Cyber Warfare hosted by the NATO Cooperative Cyber Defence Centre of Excellence. We’ll be presenting a talk entitled “Sun Tzu was a Hacker” where we’ll break down the various tactics and operations associated with a real world attack against State servers. We’ll tie the various pieces back to traditional tactics/warfare via concepts of Maneuver Warfare and Marine Corps Doctrinal Publication – 1 (Warfighting).
3) My studies as an MBA student continue. Once I finish this semester, I’ll have two classes left. I’m currently taking a Finance class which is planting all sorts of great ideas on how to value risk associated with information systems. I think it’s great that Security Researchers are seeing the value of bugs in both monetary instruments and non-monetary instruments (press, notoriety, etc.). I see things like the No More Free Bugs (NMFB) campaign as financial declarations that a Security Researcher’s time/efforts/intelligence/creativity/determination is worth > $0.00. It will be interesting to see how the next generation of security researchers/hackers will view the disclosure/NMFB paradigm and whether places like iDefense and TippingPoint will rise to “power” (if they haven’t already) as vulnerability brokers. Maybe one day, we’ll track vulnerability worth via stock ticker, trying to game when to sell. I’m also interested to see whether web application bugs will ever have financial value that can be easily monetized. How much is a Gmail XSS or CSRF worth? Are there ways to monetize?
4) I’m co-authoring a book… more on this later
5) I’ve started a really cool project at work that will consume lots of time…
6) Oh yeah…. I have a ~3 month old baby girl that demands all my free time :)
Where does the time go?!?!
Wednesday, November 19th, 2008
Pwnichiwa from PacSec!
WOW, it’s been a busy couple of weeks! I was in Tokyo last week for PacSec. PacSec was a great time, there were some GREAT talks, and Dragos knows how to party! I co-presented a talk entitled “Cross-Domain Leakiness: Divulging Sensitive Information and Attacking SSL Sessions” with Chris Evans from Google. I’m curious if this was the first time in history a Google Guy and a Microsoft Guy got on stage together and talked about security… Anyway, you can find the slides here:
Chris is a super smart guy and demo’d a ton of browser bugs, most of which he will eventually discuss on his blog (which you should check out). I had a chance to demo a few bugs and went over some techniques to steal Secure Cookies over SSL connections for popular sites. Now, before I get into the details of the Safari File Stealing bug that was recently patched (provided in the next post), I did want to talk a bit about WebKit.
<WARNING Non-Technical Content Follows!>
You were warned! Some friends and I have been playing around with Safari (we’ve got a couple of bugs in the pipeline). As everyone knows, Safari is based on the WebKit browser engine. I think WebKit is a great browser engine and apparently so does Google because they use it for Google Chrome. So, once I discover and report a vulnerability in Safari for Windows, Apple must also check Safari for Mac, and Safari Mobile for iPhone. Additionally, “someone” should probably let Google know as their Chrome browser also takes a dependency on WebKit. Now, who is this “someone”? Is it the researcher? Is it Apple? Does the researcher have a responsibility to check to ensure this vulnerability doesn’t affect Chrome? Does Apple have a responsibility to give Google the details of a vulnerability reported to them? Our situation works today because we’ve got great people working for Apple and Google (like Aaron and Chris) who have the means to cooperate and work for the greater good. However, as security moves higher and higher on the marketing scorecards and becomes more and more of a “competitive advantage”, at what point will goodwill stop and business sense take over?
Let’s contemplate a scenario that isn’t so black and white… Let’s say two vendors both take a dependency on WebKit. An issue is discovered, but the differences in the two browsers make it so that the implementation for the fix is different. Vendor A has a patch ready to go, Vendor B on the other hand has a more extensive problem and needs a few more days/weeks/months. Should Vendor A wait for Vendor B to complete their patch process before protecting their own customers and pushing patches for their own products?
Let’s flip the scenario… Let’s say Vendor A has a vulnerability reported to them. Vendor A determines that the issue is actually in WebKit. Vendor A contacts Vendor B and discovers that Vendor B isn’t affected… does this mean Vendor B knew about the issue, fixed the issue, and didn’t tell Vendor A? Do they have a responsibility to?
Wednesday, October 22nd, 2008
House Keeping
It’s been a crazy couple weeks! Some quick housekeeping:
ChicagoCon – I’ll be in Chi-Town next week giving one of the Keynotes at ChicagoCon. If you’re going to be in the area, hit me up and we’ll grab a few drinks.
Bluehat – I’m glad to see all the young blood in the scene. It’s going to be scary to see what Kuza55 and Sirdarckcat are up to in 10/15 years (they’re already tearing stuff up as it is…). As for us old guys, we can’t drink like we used to… but we still try.
As usual, the Bluehat parties ROCKED and it was great meeting everyone. We topped off all the Bluehat debauchery with a night at the shooting range, shooting AR-15s and various handguns…
MBA – I actually took a Midterm during the WAF discussion panel at Bluehat (no wonder I was soooo quiet). Once this class is over, I’ll have 3 more classes to go and I’ll have completed my MBA! The coursework isn’t too bad, but the time commitment is pretty high. It definitely cuts into my “pwnage time” and I can’t wait till it’s all over. Don’t ask me why I need another Masters degree and don’t ask me how many times I’ve XSS’d my online class discussion forums. I promise to practice responsible disclosure after my classes are over… but for now, it’s the only thing that keeps class bearable.
Grey Goose – This was an AWESOME project and I’m glad Jeff Carr asked me to participate. Jeff basically assembled enough Intel brain power to rival an Intel agency of a small country. Jeff put out a couple reports and if you need more info on the project, you can find it here. I studied warfare as an Officer in the Marine Corps (Maneuver and Expeditionary) and I’m interested in anything related to cyber warfare. We’re living in a time when the tactical, operational, and strategic thinking surrounding cyber warfare is being defined. We can already see striking similarities between cyber capabilities and air power. Just as air power added a new dimension to modern warfare, so do cyber capabilities. Many typically view Computer Network Attack (CNA) and Computer Network Exploitation (CNE) as solitary events, but they can also be used in “combined arms” scenarios (much like targeted air strikes vs close air support). One day doctrine related to cyber warfare will be required reading for young military officers, just like Sun-tzu, Clausewitz, and Jomini.
Apple Pwnage – Nitesh and I reported a vulnerability to Apple (CVE-ID: CVE-2008-3638). I’ll go over the details on the blog as soon as some loose ends get tied up.
Win7 – I finally took the advice of Rob Hensing and Dave Weston and switched to Win7 as my primary OS…. So far, it absolutely ROCKS.
Great talk by a respected haxor…. – http://video.google.com/videoplay?docid=-1012125050474412771&hl=en