BreakingPoint Labs

CanSecWest 2009 Overview

The CanSecWest security conference just occurred in Vancouver last week. This three-day conference, preceded by two days of dojo training sessions, features a single track of mostly high-quality talks. Another feature of the conference is the third consecutive Pwn2Own contest, which gives researchers the chance to win hardware and cash awards for compromising various laptops and mobile phones. Three members of the BreakingPoint Labs team attended this year, HD Moore, Todd Manning and Sean Bradly, and we wanted to give our review of the talks presented.

Mobile technologies were the main focus of talks on the first day with iPhone, Android, Windows Mobile, Palm and Symbian mentioned in several talks. Sergio Alvarez started the mobile device theme with a presentation covering mobile platforms and finding and exploiting bugs in them. This talk ended with a demonstration of an iPhone exploit that didn't go completely smoothly, but the information presented was a great reference for attacking smartphones. This talk was the first mention of the meme of "No More Free Bugs," which was later expanded upon by Charlie Miller during Thursday's lightning talks.

The second day of the conference broke from mobile platforms, and was the most diverse of the conference. Anibal Sacco and Alfredo Ortega from Core presented a very interesting talk entitled Persistent BIOS Infection (link to slides). The presentation was full of great information, and the demo, which showed their infected BIOS patching binaries on both Windows and OpenBSD, was really cool. They focused on the Phoenix BIOS, but their techniques should be fairly applicable to other BIOSes. Next up was Loïc Duflot presenting on abusing Intel System Management Mode when writing rootkits. We found this talk to be fascinating, but will definitely have to read the slides again and dig into our Intel manuals before fully understanding the techniques he presented.

Thursday's third talk was quite possibly the most entertaining talk of the conference. Andrea Barisani and Daniele Bianco presented two very different methods of remotely sniffing keystrokes. The first used a very simple and cheap circuit to analyze keystrokes leaked onto the building's power wires. The second was a more intriguing approach involving yet another simple, cheap and homemade device, a laser microphone. This could let the attacker sit hundreds of meters away and listen in on the clicking sounds of a keyboard. Their signal analysis technique for the recorded keystrokes used some voice recognition algorithms and some letter pattern matching ("Wheel of Fortune" style) to determine which clicking sound corresponded to a specific key. And that's not to mention their hilariously well-done video.

On the last day of CanSecWest, four Microsoft researchers presented on two exploit-related topics.

The first talk, by Matt Miller and Tim Burrell, provided an excellent rundown of the changes Microsoft has made to prevent exploitation of programming flaws. This talk covered /GS, /SafeSEH, and the upcoming SEHOP chain validation system. Their presentation covered not only the successes that Microsoft has had, but also the failures where existing methods were bypassed (MS08-068, MS07-017). More information from the presenters can be found on the Security Research and Defense blog.

The second talk that day, by Jason Shirk and Dave Weinstein, covered a WinDBG extension that handles the grunt work of determining whether a given crash is exploitable. This extension is valuable for anyone using fuzzers, since it provides an easy way to determine what bugs are worth investigating. Couple this extension with Byakugan and WinDBG becomes an end-to-end platform for vulnerability research and exploit development.

One of the bigger stories of the conference for the past three years has been the Pwn2Own competition, in which competitors stand to win a laptop or mobile phone along with cash. Charlie Miller made a prediction that Safari would be the first browser to fall, and thanks to the random name draw, he had the first opportunity to attack one of the four browsers (Chrome, Firefox, IE8, and Safari). He'd obviously done his homework, and walked away with a MacBook and $5,000. As impressive as that is, the big story of Pwn2Own this year was Nils' "trifecta," in which he exploited IE8, Safari, and Firefox. Nils won a Sony Vaio and $15,000 in prize money.

Did you attend CanSecWest? What did you think?
