I’ve just recently returned from REcon 2012 and while I heard a couple people express that they had “heard” that some people were more disappointed with this year’s conference compared to prior ones, I personally really enjoyed it and felt it was the best one yet. I saw and enjoyed more of the lectures this year than I have in the past and seemed to have better interactions with the other conference attendees, better conversations, and generally enjoyed myself more than years past. Perhaps it was because this year Montreal wasn’t in the middle of a heat wave with no air conditioning in the hotel and the conference hotel didn’t catch fire (:
Archive for the ‘security’ Category
REcon 2012
June 19, 2012ExploitHub
February 29, 2012
A few years ago, following the failure of WabiSabiLabi’s 0day auction site, I gave some thought to how to create a public marketplace for exploits that actually works. Obviously given the example of WabiSabiLabi and a little common sense that any vulnerability researcher worth their salt would know, you can’t have a public market for 0day vulnerabilities. As WabiSabiLabi quickly found out, by disclosing enough information about the vulnerability so that a potential customer can make a determination about whether or not to buy it, you’re likely giving up enough information about the vulnerability for them to find it themselves, given varying levels of time and effort. Thus, you can really only market 0day to trusted customers and when your marketplace is open to the public, your customers are most definitely not trusted and consists of various demographics who have lots of disposable time on their hands to go hunt down your vulnerabilities. So, what if we remove 0day from the equation entirely I thought? Could an open market for exploits of public vulnerabilities work? Would anyone actually buy such exploits? ExploitHub was born, and it turns out the answer is yes.
TSA Lectures, Lies, and Rude, Dismissive Behavior
February 21, 2012On a recent trip to Orlando, I opted out of the full-body scan at AUS, as I always do at every airport security checkpoint. While waiting for my pat-down, I was lectured by the TSA gate agent about how safe they are, was subsequently questioned about my cellphone use as a radiation exposure comparison, and was subjected to repeated attempts to get me to change my mind and just go through the scanner.
CanSecWest 2011
March 24, 2011Yes, that’s right… After many, many years of wanting to attend this conference, I finally made it. CanSecWest has been heralded as one of the best, top-quality security conferences that you can attend, and while I actually made it across the pond a few years ago to speak at EUSecWest, the logistics for getting up to CanSecWest just never worked out for me… until this year.
ToorCon 12
October 27, 2010After a two year absence due to unavoidable other obligations like good friends’ weddings, I finally made it back to one of my favorite hacker conferences, Toorcon. San Diego is always beautiful when I happen to be there with nice weather and a cool mix of people, both locals and visitors who are there for the conference, and this year was no exception.
REcon 2010
July 16, 2010This last weekend I took a trip up to Montreal for REcon. If you’re unfamiliar with REcon, it’s a small security conference focused on topics most interesting to reverse engineers. As such, the talks are more technical than you will find at other more mainstream conferences like BlackHat or DEFCON, and generally require a certain level of expertise as a baseline. If you don’t understand assembly language, you’ll probably not get much out of at least half of the lectures.
Advanced Persistent Threat
April 12, 2010Ok, enough with the APT marketing and journalism diarrhea… It’s really quite simple:
ad·vanced – /ædˈvænst, -ˈvɑnst/ -adjective
1. ahead or far or further along in progress, complexity, knowledge, skill, etc.: an advanced class in Spanish; to take a course in advanced mathematics; Our plans are too advanced to make the change now.
per·sist·ent – /pərˈsɪstənt, -ˈzɪs-/ –adjective
1. persisting, esp. in spite of opposition, obstacles, discouragement, etc.; persevering: a most annoyingly persistent young man.
2. lasting or enduring tenaciously: the persistent aroma of verbena; a persistent cough.
3. constantly repeated; continued: persistent noise.
threat – /θrɛt/ –noun
1. a declaration of an intention or determination to inflict punishment, injury, etc., in retaliation for, or conditionally upon, some action or course; menace: He confessed under the threat of imprisonment.
2. an indication or warning of probable trouble: The threat of a storm was in the air.
3. a person or thing that threatens.
This term has been around for ages, and means exactly what the acronym’s words mean. It’s not any single attack, it’s not any trivial or obvious piece of malware, and it’s not the bogeyman that the hot new security product will save you from. It’s a particular class of threat. The term gained critical mass being used as early as a few decades ago in the intelligence community where it is used to describe advanced and generally covert modus operandi for ensuring the ongoing gathering of intelligence about an individual or other entity. The term has been more recently applied, although still at least a decade ago, to Information Security where it is used to describe an ongoing campaign of targeted, sophisticated attacks, or the actors facilitating or conducting said campaign. In other words, a threat that is both advanced and persistent.
Please, for the love of all that’s holy, stop using “APT” interchangeably with “malware”. A particular piece of malware may be an APT, or a component used by an APT, but not every APT is malware. In fact, most of the time malware can’t be considered an APT as the majority of malware is neither relatively advanced nor persistent, and to be APT it would have to be both.
Fame, Trinkets and Cash
March 29, 2010Taking place over the last week was the CanSecWest 2010 security conference, with their now annual Pwn2Own contest. For those that are unfamiliar, the Pwn2Own contest presents a number of devices usually consisting of mobile or cellular devices and laptops as targets and allows contestants to attempt to compromise them in some way. These targets are patched up through the most recent vendor patches, and if a contestant is able to Pwn (compromise) the device, they get to Own (keep) it. This is always a nice publicity stunt as the contest is widely publicized by it’s sponsor, providing researchers with some fame and a prize as a bit of a return on their invested effort researching vulnerabilities and developing exploits. The Zero Day Initiative (ZDI) who sponsors the contest also offers to buy the vulnerabilities used by the winners and “responsibly disclose” them to the affected vendors, providing a bit of a cash incentive as well.
Over the past few years however, some things have drastically changed in the value and marketability of such vulnerabilities.
SmartPhone Unlock Screens: Moving in the Wrong Direction
November 10, 2009I recently purchased the Motorola Droid from Verizon, and am so far very happy with it. Other than finding the physical keyboard a bit lacking from being extremely spoiled by the Sidekick’s physical keyboard to which no other physical keyboard could ever hope to live up to, I’ve really had no complaints with the device or the Android 2.0 operating system that runs on it. I have however, noticed that touch-screen smart-phone unlock screens (not just the Droid’s) are getting progressively less secure.
Microsoft Exploitability Index
November 5, 2009Earlier today, this article from ComputerWorld came across my desk. The headline grabbed my attention, having indicated controversy and disagreement, which of course I’m going to look into. The article, which cites Microsoft’s semi-annual security intelligence report, claims that Microsoft has only been right in it’s vulnerability exploitability predictions about 27% of the time. Others quoted in the article purport that since their accuracy is so low, what’s the point?
They’re obviously missing the point, and I suggest that the premise of even trying to calculate such a metric as its accuracy is fundamentally flawed.
