OWASP / WASC AppSec 2007

It’s that time of the year again! Time to register for the OWASP / WASC AppSec 2007 Conference.

This is the conference track I dream about when I cry to myself re: lack of web application security in other security conferences. Awesome speakers, the Breach cocktail party (register now! Breach’s OWASP / WASC party at Blackhat’s was awesome).

I believe we are still looking for sponsors, so if you have a lead there, mail conferences ‘at’ owasp.org.

I really appreciate the WASC folks for taking a chance on collaborating with us at OWASP. With their help on the ground and on the papers committee, I think this will be one of the best appsec conferences ever! I hope to be there, but as my wife is nearly due, I may not get a leave pass from the Minister of War and Finance.

Notes from Black Hat

Well, I had fun. You have to be basically a kill joy to not have fun in Vegas.

Black Hat is getting busier and busier every year, and this year is no exception. There would have been easily three thousand folks at the event, and it was approximately 1.5-2.5 thousand too many, especially during breaks when it was basically impossible to change locations.

They made Black Hat smoke free! FINALLY! I wrote a strongly worded e-mail to Jeff Moss a couple of years ago after being smoked out by an extreme minority*. As I suspected, the 17 dying puffers who were displaced from killing us all upstairs were down the bottom of the escalators, and they seemed pretty lonely compared to the insane numbers upstairs.

The talks I attended were as light on solutions as I’d expected, with one surprise – Billy Hoffman had a couple of slides on how to prevent the Ajax nastiness. He must have left that bit out of his outline.

The hallway track was excellent, met up with Jason Wood, my ex-boss at the NAB for breakfast, Justin Derry, an ex-colleague from b-sec, and a bunch of folks who I talk to over e-mail and hadn’t met until this year, and of course all the usuals like Jeremiah and RSnake.

The WASC / OWASP meet up was awesome – nearly 350 people turned up and got a bit plastered. It was very cool to meet up with everyone there. Huge kudos to Breach Security for organizing and sponsoring the event!

So will I go again? Most likely – the networking and hallway track are awesome and worth the effort. Will I submit a paper or talk there again? No. They simply don’t deserve it. I will give those talks to conferences who are into cutting edge research and solutions, not just yesteryear’s issues and non-problems.

* Folks in IT are generally too smart to smoke. I usually equate smoking to being reckless and / or stupid when doing interviews. Both attributes are a bad sign if you’re a contractor.

Final score: OSCON 4/234, Black Hat 5/92, DefCon 1/118. AppSecurity: 10/444 == ~Statistically insignificant

A little while ago, I wrote a dejected post saying that OSCON, Black Hat, and Defcon all missed the greatest opportunity to speak to the right folks about securing their apps. Well, with the final schedules of Black Hat and Defcon up, we have:

  • Fear – Pretty much every talk
  • Uncertainty – you betchya
  • Doubt – doesn’t the security industry work on creating doubt? Yep.
  • Solutions – 10 out of 444 talks == 2% of all talks

We have to move past this. I am not asking for solutions to be even 50% of the talks, but dammit, it should be over 10%, and really it should be over 25%.

The CIOs and CTOs and mid-level junketeers in our industry (who go to these events to pick up chicks of negotiable affection*) and go: “WHOA! I’m so screwed! What do I need to do to protect my assets from all this badness?” And the snake oil sales puke from the large security ISV will go: “let me show you this bridge I have for sale over here…”

At Black Hat 3 of 5 potential security solution talks are the 20 minute turbo talks. How much can you learn in 20 minutes? Enough to be scared, or enough to learn a URL? In Defcon, there’s just one talk on using a tool as a shield around your crap. Of course that’ll work. Like anti-virus or IDS “works”. Not.

The CIOs and CTOs and high level business folks don’t want horror stories. They get enough of that from the snake oil sales pukes. They want solutions that work. They want to know what to do right. These solutions should not cost the earth and should be effective. None of which they’ll learn about at these conferences. Will this stop them going to conferences? Of course not! It’s Vegas, baby!

The conferences will have to start being relevant or they’ll end up like CES. CES started out small, grew immensely, changed to be vendor friendly, and no one came. They cancelled it. Now everyone goes to E3. They’ve changed the rules to be more industry friendly… and it’s only a matter of time before it, too, dies. “Our” industry conferences on the outside seem more popular than ever, but they are dead. I will not be submitting any more talks to them as they are irrelevant. They do not support solutions, only fear.

* And occasionally, chicks with dicks of negotiable affection. But what happens in Vegas, stays in Vegas, eh baby!

W Chicago – Do not stay

I am at the SANS GSSP second face to face in Chicago (photos soon). SANS have chosen a nice hotel, the W Lakeshore right on Lake Michigan.

Until 10 pm tonight, it was awesome. But then at 10 pm… It was spoiled by the Richter level 4.0-4.9 bass drivers (seriously! – we’re feeling it in our waters – constantly – my diet Pepsi has ripples in it). It’s 1.30 am. I have to get up at 7.30 am – on a Sunday, a miracle not often seen – even with a good night’s sleep.

This hotel has forgotten its core duty: a good night’s sleep for ALL of its guests. We are the ones paying nearly US $400 per night, not the young things paying $10 for a drink at the nightclub.

Never come here – spread the word.

Why I will have a job in 2035, or how to write a successful talk submission

In 2035, I will be 65. Unless I were to take up photography or cat breeding, I will most likely still be in this industry doing pretty much what I’m doing today.

Why?

I submitted a bunch of “how to fix” talks to OSCON (the unconverted) and Black Hat (the converted). I’ve spoken at both before, and I know I don’t suck too badly at speaking. Knowing that you suck more than other folks is the first step to being a good speaker, and I learnt that many years ago and have been learning ever since. Nowadays, I get good reviews from my customers, and got good reviews and write ups for my last talk at OSCON. Black Hat provided me with feedback which indicates that most of the folks who returned the forms liked what I had to say and how I said it, although there is room for improvement. When I train professionally, I am probably my harshest critic. That said, everyone – including me – can always learn how to present better, and make presentations that don’t suck. But let’s put that aside for a moment, and look at our industry’s premier developer and security conferences.

Why you will not learn solutions at any major event this year

I know this might come across as sour grapes, but seriously, when the biggest “security” conference rejects my talk (which will show how to scale code reviews in large enterprises, a huge problem for the Fortune 500, government and defense types, who just happen to send a bunch of folks to said conferences) in favor of the same theoretical root kit talk as we saw last year and a meta-theoretical anti-root kit talk targeting that specific theoretical root kit talk, they’ve lost the plot. When the largest *developer* conference rejects three of my talk suggestions, two of which are teaching developers how to code more securely (including an advanced level 300 class – I’m sick of teaching “hey, this is htmlentities(). He’s your friend”), they’ve lost the plot, too*.

OSCON’s security track is a paltry seven talks, basically most of one day out of five. And only one, by my friend Chris Shiflett, will teach you how to avoid the most common problems in web apps, and another reports on the use of a source scanning tool by the open source community. Each of those talks is less than an hour. The chance you’ll learn something you don’t already know about PHP security is pretty small. At Black Hat, so far, there are plenty of announced talks, but it will take you until day two before you learn how to do something useful. There are no other how to fix talks at Black Hat. That’s very, very sad.

There are some fine speakers at each event, for sure. But some have been seen before. And before that, too. But when you’ve seen ten theoretical root kit talks, or the fiftieth hundred buffer overflow talk (the same attack since 1988? kill me now), or yet another XSS talk or eight, we get it. Software sucks.

How do we fix it? Show me the money!

Do I want to be fixing SQL injections, buffer overflows or cross-site scripting issues when I’m 65? Hell no. These are solved problems. We know the solution. They MUST be burnt into the APIs so that programmers (no matter what skill) CAN’T do it the wrong way. There are some fine researchers working in the field, and you’re not going to hear them talk about fixes at Black Hat or OSCON. It’s Fear Uncertainty and Doubt. Scare the punters so you’ll buy their products or services. That security sales method is so 1995 when we thought firewalls were kinda neat.

That sucks.

It’s the reason the security industry is little more than snake oil modulo a few gems here and there. Why don’t A/V vendors go white-list? Spend 10 minutes telling your computer about the programs you use and white list the behavior of those probably very common apps? No more virus infections as everything else is untrusted and doesn’t run. That’d kill their shakedown revenue stream.

To be a smart security vendor today, you provide value to the customer by showing them how to architect a secure solution, how to build secure software (by training their devs – we can’t write all the software), how to test and review software (or indeed provide these services as an external audit function), so they don’t have to worry about spending *more* money on useless controls or, worst case, notifying the regulators and their customers that they’ve screwed up and “gee, we’re sorry! we tried our best. Here’s $100 bucks”. Value folks, value. We’re here to provide secure business, not scare money out of folks. Once the horse has bolted, it’s far, far too late. That’s why I think forensics and a lot of compliance is a total WAFTAM. Dead money.

Providing solutions is exactly what we’ve been doing at OWASP. We provide value. Some of the solutions are actually getting towards voting age. We just need to get it out there so you don’t make the same mistakes, time after time. I’ve dedicated the last four – five years to researching, describing and educating how to fix things at OWASP. And yet, we don’t get no love at major conferences. And here’s why – they don’t want to tell you how to fix it. They want headlines in the meeja. The meeja only know about attacks, “hackers”, and people losing money to organized crime gangs, or their daughters to the nasty pedos across state lines. So the conferences provide that. We all lose with this approach. Luckily, with OWASP, we run the conferences, so this year, I will speak, and hopefully it will be useful to those who attend.

But realistically, the folks we want to talk to are at BlackHat and OSCON, not at OWASP (yet). So let’s learn …

How to write a successful talk submission

First off, and foremost, be honest about why you’re going. You’re a conference whore, and so am I. The hallway track is their raison d’être, and best experienced with booze and lots of it. But how to get there… write a submission!

0. The title must be snappy. “Attacking OMG PONIES!111 2.0” All good talks have 2.0 in them somewhere.
1. Subject matter must ONLY be about attacks, exploits, or bragging. The more esoteric the subject of your attacks, the better. I’m talking to you, side channel attacks.
2. Reading poetry to the attendees is only acceptable if it’s accompanied by images of death and you’re dressed in a funny hat, so try to come up with a reasonable approximation of how much your new tool (P0NIE PWNER) haxxors the badness (OMG PONIES!!111) you claim to attack. You don’t need to provide the tool, just claim it exists. No tool / exploit == no attendance.
3. Don’t include anything – ever – about how to fix the problem. That’d ruin the “hacker” image of the conference.
4. Profit!

Conclusion

So screw them. See you at Black Hat. I’m the one who looks like a trans-gender lady of negotiable affections and I’m lovin’ it.

* OSCON has a talk on PHP security, by Zeev Suraski, one of PHP’s founders. The talk (PHP Security: Fact and Fiction) sounds pretty defensive. Hopefully, it will say something like “gee, sorry about that!” to all the attendees. I’m very hopeful about the claimed agenda – it talks about what is changing in PHP to fix their previous stupid insane security decisions and lack of a security architecture. PHP *must* move in that direction, and fessing up to current and past indiscretions is the first of at least 12 steps to resolving the issue. Look at ASP -> ASP.NET. Same thing.

Defcon is dead, long live Defcon

Well, that was Day 3 of Defcon out of the road. I didn’t get to see too many actual talks due to the hallway track being far more interesting than the actual three track program. Again, few webappsec talks, and some were repeats of the BH talks I’d already seen.

I caught up with a few fine folks, including Jeremiah Grossman, TC, RSnake, Arian Evans (possibly the funniest infosec guy I’ve ever met!), Dinis and more! It was a total hoot, and we did a lot of good work^Wdrinking.

The more esoteric talks were right up there. I wanted to go to Peter Gutmann’s talk on phishing, but unfortunately it was far too early after the night before. Luckily, I have the slides in PDF form, and soon we will have the DVD at work, so that’s no biggie.

The biggest change is the venue. The new location at the Riviera is excellent – it’s still old and crusty, which is a la Defcon at Alexis Park, but it has *air conditioning* and it can handle zillions of geeks in the manner to which they are accustomed – i.e. without bathing.

However, the smoking problem is worse than ever. I made my most valiant of efforts to kill them all using my onion ring with crab cake special edition flatus, but unfortunately, it backfired late at night thus causing me more grief than any of the smokers. When will conference organizers equate smokers == law suits for obvious and gross negligence when the dangers of said disgusting habit are well known?

In other news, Tanya picked up a huge stogy for her old man.

BlackHat Day 2

Day 2 had a complete web app sec track. This is a huge change from last year, where there was like … my talk and that was about it. And you know what? It was full! Every session I’ve attended so far today has been near full. Plus, it’s top material.

Let’s get on with the details.

Hacking Intranet Websites from the Outside “JavaScript malware just got a lot more dangerous”

Jeremiah Grossman & TC Niedzialkowski

The Register missed the boat – they went to the wrong talk. They should have gone to this talk instead.

Jeremiah and TC showed a bunch of demos which totally 0wned the browser of the victim. This talk was downright scary. They did a basic CSRF attack against a DSL router (incidentally, the model I have at home – luckily I *have* changed the default password), and demo’d the ability to make the victim’s browser the attacker’s complete biatch.

Essentially, you can do two things:

a) don’t go to any sites
b) turn off the Internet

They didn’t even use the Ajax stuff which is now possible, such as using cross-domain XHR and Flash based arbitrary header re-writes and forgery, which when taken together essentially mean that an attacker has an extremely wide array of vulnerable sites, such as MySpace and others, to send hostile code to your computer to do with as they please. I am certain this is how the malicious mofos behind commercial / organized crime spamming and bot nets will try to infect millions of boxes over the next few years.

Ajax talks

These two talks were interesting, but didn’t extend the state of the art much beyond where I was back in February. All of the next three talks had overlapping content, which got a bit monotonous by the end.

“AJAX (in)security”
Billy Hoffman

Billy talked about four areas of Ajax security, but my favorite was how he extended the method of using mash ups to be evil via the mash up proxy and hide where you’re from. That’s cool. Billy did go a little bit further with an idea to use Ajax to create a proper worm, but used the ol’ MySpace worm and the Yahoo mail worm to show previous examples.

Billy’s talk was energetic and he talked at a thousand miles an hour. He could have done with some demos. I had a chat with him before the talk, and I think there’s some potential there to collaborate on future stuff.

“Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0”
Alex Stamos & Zane Lackey

With Ajax stuff, it is necessary to bootstrap the audience … this year. The guys went through the basics of Ajax … again … and then went on to talk about the problems as they saw them. Again, not much new here, but at least there was a look at different frameworks, particularly Java based frameworks. I’ve mostly looked at PHP frameworks, so this was pretty interesting.

The guys ran out of time, and so didn’t talk long enough about the methods to prevent attacks. It’s not hard for the main part, but too little detail doesn’t help the BlackHat audience (who are mainly security geeks at larger corporations) who want to know the problem … and the solution. At DefCon, you don’t have to worry about the solution as they’re just interested in the problem.

“Six Degrees of XSSploitation”
Dan Moniz & HD Moore

This talk was interesting as HD Moore and Dan Moniz are relatively (in-) famous. However, it was a fairly lightweight presentation, again introducing XSS and Ajax and the MySpace worm. There was some good material in here, potentially looking at things you can do once you’ve found yourself a nice juicy XSS.

I would have liked to hear more about the ActiveX null pointer execution thing that is apparently coming out next week, but obviously that one is under NDA. HD took a back seat to Dan most of the time, but that’s okay – they imparted a lot of information in not much time.

“Analysis of Web Application Worms and Viruses”
Billy Hoffman

Placeholder

Blackhat Day 1

“TBA” – David Litchfield

David did a talk on the problems with Informix. Awesome talk, and shows that all database servers are vulnerable. He totally 0wned his server in a set of well rehearsed demos.

I don’t use Informix so it wasn’t that useful to me, but a take home message is total props to IBM for solving these problems. Oracle can learn a few things from IBM on how to listen to professional security researchers, and fix stuff in a reasonable time frame.

“How to Unwrap Oracle PL/SQL”
Pete Finnigan

Pete went through the basics of figuring out how to unwrap (decode) PL/SQL. I’ve just finished doing a major PL/SQL code review, and I was hoping it was about how to do good code reviews of this language. It turns out that some folks encode their PL/SQL (which is essentially Ada with some extensions) to obfuscate the source. We don’t do that, so I found this stuff pretty dull. However, I’ll keep it filed away in case we get some third party code which has been “wrapped”.

Wrapping is an encoded form of DIANA. Pete showed how to decode this representation from the raw bytes stashed by Oracle. He also had some unkind words for the tools which supposedly decode this stuff today.

Lastly, 10g went backwards. They don’t use this method, instead favoring just base64 encoding. That’s cool, as it makes it easier to decode stuff in 10g.

Oracle Rootkits 2.0: The Next Generation
Alexander Kornbrust

Awesome talk. More when I have time to get my thoughts together. Take home point: take the time to secure your database servers, and isolate them.

Hallway track

So awesome to be here and meet the folks who do the research. I met a bunch of really smart folks and did a bit of an interview. If it comes out, I will update this entry.

OSCON

Work: I owe my boss a huge beer (and a document) and an apology when I get back to Australia.

Personal life: in the dog house. I got very little sleep these last few days, and I bet my other half is feeling far worse than me. Hopefully, she can come to Vegas so we can sort things out.

OSCON: Awesome.

My presentations went down well. I’ll upload the new presentations soon, but the Ajax Security demo went off really well. The room was overflowing with folks, so I’m really chuffed that so many of you decided to come.

I’ll put up the Ajax XSS demo I did later, but please be aware that these demos are INSECURE by design, and you should only test them on your internal systems. The trick is to:

<img src="kitty.jpg" onLoad="... your javascript attack here ...">

People forget there are literally hundreds and possibly millions of ways to do XSS. Do NOT look for “script” or “javascript” and think you’re done. That’s stupid. Make the output safe: it’s faster, it’s simpler, and it works.
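As an added example (not code from the original post, and not the demo it refers to), here is the point above made concrete: a keyword filter that looks for “script” lets an image tag with an event handler straight through, while HTML output encoding turns the same input into harmless text. The encoder is then wrapped in a tagged template so encoding is the default path, which is the “burn it into the API so programmers can’t do it the wrong way” approach argued for earlier in the post. It assumes Node.js; the function names, the constructed payload and the placeholder handler body are all invented for this illustration.

```javascript
// Added example, not code from the original post. Contrasts a keyword
// blacklist (the "look for script" approach the post warns against) with
// HTML output encoding, and wraps the encoder in a template tag so that
// encoding happens by default. All inputs below are constructed for the demo.

// Naive filter: strip anything that mentions "script" or "javascript".
// This is the approach the post calls stupid; it is here only to be shown failing.
function blacklistFilter(input) {
  return String(input).replace(/script|javascript/gi, '');
}

// Output encoding: replace the five characters that change meaning in an
// HTML text or quoted-attribute context, so the browser can only render
// the input as text, never as markup.
function htmlEncode(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Tagged template: every interpolated value is encoded, so a developer
// cannot forget to call the encoder. Raw markup can only come from the
// literal template text the developer typed.
function html(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? htmlEncode(values[i]) : ''),
    '',
  );
}

// Detection helper: does the rendered markup still contain a live element
// with an on* event-handler attribute? True means the payload survived.
function containsEventHandler(markup) {
  return /<[^>]*\son\w+\s*=/i.test(markup);
}

// Constructed payload in the spirit of the post's demo: no "script" keyword
// anywhere, just an image with an onload handler (body is a placeholder).
const PAYLOAD = '<img src="kitty.jpg" onload="/* handler placeholder */">';

// The vulnerable pattern: filter, then concatenate into the page.
function renderWithBlacklist(comment) {
  return '<p>' + blacklistFilter(comment) + '</p>';
}

// The safe pattern: the template tag encodes on the way out.
function renderWithEncoding(comment) {
  return html`<p>${comment}</p>`;
}

// Runs both renderings over the constructed payload and reports whether
// the handler survived in each.
function demo() {
  const filtered = renderWithBlacklist(PAYLOAD);
  const encoded = renderWithEncoding(PAYLOAD);
  return {
    filtered,
    encoded,
    blacklistLetItThrough: containsEventHandler(filtered), // true
    encodingLetItThrough: containsEventHandler(encoded),   // false
  };
}

console.log(demo());
```

The filter never even sees anything to strip, because the payload does not contain the word it is looking for, which is the whole problem with pattern blacklists. The encoded rendering contains no `<` at all outside the author’s own `<p>`, so there is nothing for a browser to execute. Making `html` the only way to build markup in a code base is what turns this from advice into an API guarantee.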

People

I met so many folks who I had spoken to over the net, or e-mailed. Everyone is so nice and friendly, it’s incredible to meet the greats. I really enjoyed catching up with Chris and Laura, met the Schlossnagles for the first time (cool dudes, cute kids :) , and of course, Wez.

Unfortunately, due to the bad things going on in my personal life, I could not bring myself to hang out after hours as I was feeling extremely down, but life goes on. I was hoping to go out to Portland a bit more; maybe next time.

Talks

I went to a fair few webappsec related talks, and it’s truly gratifying to me that the developers had an entire stream dedicated to it. I really enjoyed the PHP Security hoe down – we had a wack job in the back row causing a bit of a stir, but after he left, the hour really flew.

Portland

I’ve never been here before. It’s a very nice city, great public transport. I’ll post some images soon as it’s very pretty this time of the year. It was a bit hot when I got here (about 40C) but it soon cooled down to the mid 20s and I’ve been happy with that. :)

A friend through newbeetle.org picked me up from the airport last Sunday, and we went to her place and hung out for a while. She invited over a friend of hers, and I got to see her and her hubby’s New Beetles (a nice Turbo S and a unired NBC), and her friend’s green Gecko TDI New Beetle. Very nice – I wish we could get that color in Australia. We had breakfast on Friday morning even though I was extremely tired (no sleep) and a bit sad, and she picked me up this morning to take me to the airport. I’m so impressed, I wish I could say I was as good a host when I have folks visiting. Thanks, Debbie – you set the standard!

Next steps

I’m off to SF next. I’m at the airport now. I have to spend a few hours this weekend getting stuff together to meet the CSO of a major partner of work’s, like running through the ESA presentations and ensuring that we have something constructive to talk about. I might need to go to Kinkos tomorrow and print off a few things unless my hotel has a printer I can use.