Toorcon X Mini Wrap-Up

On the whole, I was very happy to have attended the 10th Toorcon in San Diego, CA. Toorcon is probably my favorite small con. The attendance isn't massive but the people are generally more interested and knowledgeable in hacking and security. Not to mention that downtown San Diego is a blast and the weather is absolutely perfect. These were my highlights:

The Future of Lockpicking, datagram
I was glad to see a talk on lock picking that went beyond the realm of a simple how-to or a single type of attack. Datagram didn't spend too long explaining the lockpicking techniques, even though he did have some good animated visual aids. Instead, he focused a lot on how a lock vendor would react to new attacks getting media publicity. Just like in the software security world, some vendors wouldn't ever go beyond a PR response. Some vendors would add a metal plate in a certain place, much like a software patch, and others still redesigned the locks entirely. Some very interesting industry parallels.

Owning Telephone Entry Systems, Joshua Brashers
So many apartment complexes, condos, and gated communities have computerized panels that visitors can use to ask permission to gain entry. The talk outlined many different types of attacks against these types of systems. Most of these appear to be serviced by third parties and allow you to remotely dial in. And of course, default passwords are rarely changed. He showed how he was able to “back door the front gate” by adding a new entry that played a “Rick Roll” instead of calling a resident and later opened the gate. Another, scarier attack he outlined was the ability to proxy normal entry calls to his apartment using a VoIP server to perform the MiTM. This looked like it was a lot of fun.

How To Impress Girls With Browser Memory Protection Bypasses, Alexander Sotirov
This was a great talk. Although Dowd and Sotirov gave this talk at Blackhat almost two months ago, it was still a fun and entertaining talk to sit through. Alex outlined the implementations of the newer Microsoft memory protection schemes like SafeSEH, DEP, and ASLR. He then showed how and why none of them were effective in defending Internet Explorer from attacks, and how much that impressed the ladies. The paper is here.

Posted by Sean Bradly (2008/10/01 13:27:21.035 GMT-5)

Botnet Simulation

The other day I asked Dennis about botnet simulation and he started to demonstrate it, so we figured we would film a screencast. We ended up reviewing how to simulate a botnet attack using our testing tools. The screencast shows you how to combine application traffic and strike attacks to realistically simulate a botnet attack, including the use of strikes such as denial of service and backdoor attacks using IRC. Enjoy:

Posted by Kyle Flaherty (2008/08/15 08:45:00 GMT+0)

BreakingPoint LiveLook: Security Strikes & Patch Tuesday

Our BreakingPoint LiveLook on Monday garnered some interesting thoughts; one, left in the comments section, asked for a video of the security research team on Patch Tuesday. Instead of waiting till next Tuesday we grabbed the camera, and Dennis asked Todd Manning to tell us what it is like on Patch Tuesday and dive into what he does to create the security strikes used in our network equipment testing solution. Enjoy...


Now be sure to vote on Todd's inquiry at the end of the video. Either comment directly on the video (press +) or in the comments section.

Posted by Kyle Flaherty (2008/08/08 10:00:00 GMT+0)

RFC-4475: SIP Torture Tests

As of the next StrikePack, the BPS product will have test cases from RFC-4475, the SIP Torture Tests, in the form of strikes. The sections of the RFC that are covered by this StrikeSet are Section 3.1.2: Invalid Messages, Section 3.2: Transaction Layer Semantics, and Section 3.3: Application Layer Semantics. The remaining two sections containing test cases, Section 3.1.1: Valid Messages and Section 3.4: Backward Compatibility, are not covered, as they consist of test cases which are valid SIP messages.

The strikes contained in this StrikeSet are intended to be used as part of a broader RFC-4475 test plan, and should not be used without full understanding of RFC-4475, the sections contained therein, and the individual test cases defined for each section. The strikes for Section 3.1.2: Invalid Messages are likely the only strikes from this test suite for which a pass/fail result in the UI will be valuable, as these are the only test cases from RFC-4475 which should be definitively blocked, rejected, dropped, or otherwise ignored by a SIP-aware Device Under Test (DUT) or a SIP endpoint. The remaining sections' individual test cases each define for themselves how a SIP-aware DUT or SIP endpoint should behave in response to that specific test case, and therefore will likely require external monitoring of either the network traffic or the device itself in order to determine a pass/fail verdict.
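To make concrete what "definitively blocked, rejected, dropped, or otherwise ignored" means for Section 3.1.2, here is an added Python checker (not BreakingPoint's code and not part of the StrikeSet) that flags a few of the malformations that section exercises: negative or oversized Content-Length, a CSeq method that disagrees with the Request-Line, an unknown SIP-Version, an out-of-range Max-Forwards, and misplaced whitespace in the Request-Line. The sample requests are constructed here and are not the RFC's own test messages; header folding and the remaining 3.1.2 cases are out of scope.

```python
import re

REQUEST_LINE = re.compile(rb"^([A-Za-z]+) (\S+) (SIP/\d+\.\d+)$")  # exactly one SP between elements
CSEQ = re.compile(rb"^(\d+) ([A-Za-z]+)$")

def check_sip_request(raw: bytes) -> list:
    """Return violations found; [] means none of *these* checks fired, not that the message is valid SIP."""
    problems = []
    if b"\r\n\r\n" not in raw:
        return ["missing CRLFCRLF between headers and body"]
    head, body = raw.split(b"\r\n\r\n", 1)
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed Request-Line (misplaced whitespace or bad version token)"]
    method, _uri, version = m.groups()
    if version != b"SIP/2.0":
        problems.append("unknown SIP-Version " + version.decode())
    headers = {}  # first occurrence of each header name wins; folded headers are not handled here
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    cl = headers.get(b"content-length")
    if cl is not None and re.fullmatch(rb"-?\d+", cl):  # non-numeric values are left to other checks
        if int(cl) < 0:
            problems.append("negative Content-Length")
        elif int(cl) > len(body):
            problems.append("Content-Length larger than body")
    cseq = headers.get(b"cseq")
    c = CSEQ.match(cseq) if cseq is not None else None
    if c is None:
        problems.append("missing or malformed CSeq")
    elif c.group(2) != method:
        problems.append("CSeq method does not match Request-Line method")
    mf = headers.get(b"max-forwards")
    if mf is not None and (not mf.isdigit() or int(mf) > 255):  # RFC 3261 allows 0-255
        problems.append("Max-Forwards outside 0-255")
    return problems

# Constructed sample request (not an RFC 4475 message); build() swaps in one bad field at a time.
BASE_HEADERS = [("Via", "SIP/2.0/UDP 192.0.2.1;branch=z9hG4bKx1"), ("Max-Forwards", "70"),
                ("To", "<sip:bob@example.com>"), ("From", "<sip:alice@example.com>;tag=1"),
                ("Call-ID", "x1@192.0.2.1"), ("CSeq", "1 INVITE"), ("Content-Length", "4")]

def build(method="INVITE", version="SIP/2.0", body="abcd", **overrides):
    ov = {k.replace("_", "-").lower(): v for k, v in overrides.items()}  # content_length -> content-length
    hdrs = ["%s: %s" % (n, ov.get(n.lower(), v)) for n, v in BASE_HEADERS]
    return ("\r\n".join(["%s sip:bob@example.com %s" % (method, version)] + hdrs) + "\r\n\r\n" + body).encode()
```

A DUT that forwards a request for which this checker returns a non-empty list, rather than rejecting or dropping it, is the failure the Section 3.1.2 strikes are meant to surface.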

The strikes for the BPS RFC-4475 test suite will be available by searching for the keyword "torture" in the BPS Attack Manager after applying the next StrikePack.

Posted by Dustin D. Trammell (2008-02-27 14:04:38)