Have I mentioned yet how much CanSecWest rocks? Dragos seems to have thought of everything. Since many people stay out late at night networking and socializing and sometimes find it challenging to get up at 7:30am to make the 8-9am breakfast - Dragos offers 'second breakfast' from 10-10:30am . . . and the food was GOOD! We're not just talking continental breakfast with light pastries and things like that - we're talking eggs, bacon, sausage, french toast etc. Pleasantly surprising.
Anyways - after grilling Oded on the finer points of VMSafe I had second breakfast and got back into the sessions. Marty from Sourcefire was there to talk about changes made to Snort 3.0. Most notably it's move to a new programming language that is shared by other apps like WireShark and the newest nmap - LUA. There are other changes as well - like Snort 3.0 will now support hardware based acceleration and other things.
After the Snort 3.0 talk - some french dudes were up and they were talking about visualizing and enhancing the alerts you get from your IDS systems and they showed off some software. They work here: http://www.inl.fr/-English-.html I wasn't super impressed and the talk was sort of light and fluffy.
Next we had lunch at the revolving 'Vistas' restaraunt where I had quite possibly the worst Mexican food I've ever had. It was really really bad. During lunch I admit I whoreishly self-promoted my talk on Friday to the folks at the table to try and get some attendance. Most people I know are NOT going to be around for the 4pm stuff on Friday. 🙂
After lunch Mark Dowd and John McDonald from ISS talked about how ISS fuzzes the media stack on Windows. This was a strange presentation for me . . . it seemed very much like training material - like this may be what ISS uses to ramp up new employees who are told to go find bugs in our DirectX / codecs / media stacks. They (IMHO) spent waaaayyyy too much time going over the basics of how filters work, and showing filter graphs and showing input pins and output pins and stuff and not enough time at all spent on what should have been the actual meat of the presentation - the fuzzing and the results! Unfortunately this is probably partially our fault - they have found some bugs that we are in the process of fixing and so they couldn't talk publicly about those yet. Mark did get into some pretty good detail at the end about what parts of the various file formats you want to intelligently fuzz (BITMAPINFOHEADER structures, other similar structs in other audio / video formats etc.) and he seems to posses a great deal of knowledge in this area. After his presentation I became convinced that this could quite possibly be the future of client-side pwnage in targeted attacks. We may see a shift someday from using Office documents and productivity apps - to the use of malformed media files designed to pwn Media Player or QuickTime etc.
After Mark's session - Dan Hubbard from Websense (who I always enjoy watching - very good speaker!) presented a session on Web Wreck-utation. He was here to talk about reputation based systems and how they are not a solution to the webs problems. This talk was pretty amusing and he gave numerous examples of how bad actors have abused legitimate sites with good reputation in order to pwn victims. One of the more interesting things he mentioned was the IFRAME injection attacks that have been happening lately where big, reputable sites like say USA Today end up hosting malicious IFRAMES. Are they hacked to do so? No - as it turns out many of these sites will crawl other sites and host content crawled from those sites directly on theirs. Web 2.0 uh-oh indeed. He also mentioned how spammers are increasingly focusing on using reputation to bypass SenderID and Domain keys enabled mail servers. For example it's no secret that Hotmail and Gmail CAPTCHAs are being bypassed by spammers. Dan actually thinks that they are being solved by humans and not by software. WebSense found evidence that spammers are paying 'laborers' for every CAPTCHA they successfully solve. More interestingly - the humans attempting to solve them only have about a 20% success rate? They also demonstrated that eBay and other sites allow users to inject custom HTML into parts of their web site (for example in an auction listing - you can switch to raw HTML mode and insert your own HTML which can use IFRAMEs to point to like vulnerabilities). eBay took about 1.5 hours to find their malicious HTML and shut it down but that still seems like way too long.
After this session I was introduced to "the Apple security guy" that's at the conference! I figured he'd probably be on a conference call / emergency response type thing but nope - he was chillin' having a beer and hanging out in the pwn2own room where I met him. His name is Aaron Sigel and he was surprisingly cool and un-smug . . . the anti-Steve Jobs. 🙂 We talked about wide and varied things - but surprisingly he didn't seem to know of the hype and controversy surrounding Apple's decision to push Safari 3.1 for Windows down to iTunes for Windows users! In fact, amusingly the first words out of his mouth were "free attack surface" or something to that affect. It was then that I added him to my "this guy's alright" list. He's the Apple equivalent of MSRC + SWI . . . they do not seem to quite have the separation of duties that we do yet. Anyways - he's a very cool guy - I applaud Apple for sending him to the conference and I hope to maybe meet him again today and hang out with him some more!
Talking to the Apple dude made me miss the Malicious Crypto talk but I did manage to catch all the lightening talks. These were 5 minute(ish) talks and were for the most part good. Dragos opened the ceremony by presenting a sword to Juniper who sponsored the event later that night at the Aquarium (which was totally awesome). He told a tale of how French soldiers used to use a sword to chop open a bottle of Champagne before heading into battle and if it shattered - that meant they were all going to die excruciating deaths and if the end of the bottle sliced off cleanly it meant they would be victorious. Dragos held the bottle in one hand, and the sword in another and successfully lopped off the top of the champagne bottle. I've never seen that done before and it was hella impressive. Champagne was poured, beer was drunk and the lightening talks commenced! The ones that stood out to me the most were a video of Sandman in action against XPSP3. Basically Matthieu has reversed the hiberfile.sys binary format and has figured out how to locate things like EPROCESS blocks from saved kernel memory and once he has located them - he can do things like adjust their token's privilege level to elevate processes to SYSTEM privs once the hiberfile is used in a resume operation. So the attack is basically - hibernate an XP box (he demo'd XPSP3 RC1), edit the hiberfile.sys directly and then resume using that hacked hiberfile to see some process elevated after the resume (he demo'd elevating CMD). Good times - yet another reason to use Bitlocker. 🙂 One of the other more memorable lightening talks was Fyodor's . . . he talked about 10 years of nmap, told some funny stories about complaints he's received over the years from users about the language used in some of the errors and introduced us to some of the new features in the latest version and showed off the new GUI. Fyodor was a good speaker and pretty funny. 🙂
After the lightening talks we headed to the Vancouver aquarium where Dragos had setup DJs playing pretty cool music throughout the inside and had arranged for bite sized food to be served . . . the great thing was that the music was present but not so loud that you had to shout to be heard - which was a nice change from most of the cons I usually attend. 🙂 I still have a voice today - which is awesome since today is D-Day and I'm presenting to the 10 or so people who might attend my session. 🙂