
Archive for the ‘security’ Category

Microsoft Exploitability Index

November 5, 2009

Earlier today, this article from ComputerWorld came across my desk. The headline grabbed my attention, having indicated controversy and disagreement, which of course I’m going to look into. The article, which cites Microsoft’s semi-annual security intelligence report, claims that Microsoft has only been right in its vulnerability exploitability predictions about 27% of the time. Others quoted in the article purport that since their accuracy is so low, what’s the point?

They’re obviously missing the point, and I suggest that the premise of even trying to calculate such a metric as its accuracy is fundamentally flawed.

(more…)


DEFCON 17

August 11, 2009

After staying with some of my local Vegas friends during BlackHat, I went over and checked into the Riviera for DEFCON 17 on Thursday afternoon.  After dropping my bags in my room and getting my temporary paper badge because they were already out of the electronic badges, I ran back up to my room for a bit and then headed over to the Microsoft party which I already wrote about in my BlackHat USA 2009 post.  After an extremely long night I crashed in the early morning and slept through most of the first day of DEFCON talks.  I did however catch Richard Thieme’s talk about UFOlogy, which was one of the talks I really wanted to see.

Shortly after Richard’s talk and some discussion with friends about what to do for dinner, I started not feeling well so I went back up to my room.  After an hour or two I knew I really was sick because I started getting the fever sweats, cold chills, and headache, so I ordered some room service since I probably needed to eat, called it a night and went to sleep.  I stayed in bed pretty much all day Saturday and only came downstairs once in the afternoon during the conference to speak during the Metasploit track, and then went right back upstairs to my room.  By then I had a horrible cough and chest congestion, but was feeling much better regardless, so I decided to take a walk for a couple hours and let the dry desert air into my lungs for a bit.

I hadn’t yet walked the length of the Strip this visit, and also hadn’t eaten a FatBurger, both of which are personal Vegas traditions.  Since I was running out of days in Vegas during which to accomplish these, I decided to walk from the Riviera up on the North end of the Strip all the way down to FatBurger which is near the South end of the strip, get a burger, and then walk back, which took around 2.5 hours and immensely helped my lungs and cough.

By the time I got back to the Riviera, I was feeling well enough to attend some parties, so I went up to the Penthouse for a while to check out the IOActive Freak Show party for a bit.  It was similar to last year’s party, but had some new attractions so that wasn’t too bad.  I tried to dance for a bit but my chest cold was severely holding me back since I could only dance for a few minutes before not being able to breathe.  I left that party shortly after Keith went on since I couldn’t really dance and he started off with tracks that were a little too glitchy for my taste anyhow.  Unfortunately I missed the fire dancer at the IOActive party who had a fire hoop like my friend Angi’s, but living in Austin surrounded by burners I think I’m a bit spoiled regarding fire spinning/dancing/performance anyhow.  After leaving the Penthouse I took the Ninja Shuttle over to the Ninja Party and hung out there for a few hours talking to friends and waiting in line at the bar until I decided not to push my recent health luck and went back to my room at the Riviera and went to sleep.

On Sunday I slept a little late still trying to fully recover until I needed to check out of my room.  Unfortunately this meant that I missed Richard Thieme’s other talk on BioHacking, but I did manage to catch a few more of the talks before I had to head to the airport to catch my plane back to Austin.  You can read my thoughts on the talks that I saw below:

(more…)

BlackHat USA 2009

August 7, 2009

Last week and through the weekend I was in Las Vegas for this year’s annual block of hacker conferences, BlackHat USA and DEFCON.  This year was a bit different for me as my employer no longer covers conference expenses (even if you’re speaking!), so since I was there not representing a company and entirely on my own dime, I stayed with some local friends for the first half of my stay and did a lot less gambling… none actually.  My gracious hosts did a lot of ferrying me around for the first half of my stay as well to help me avoid cab fares.

One of the highlights of BlackHat was obviously the Pwnie Awards.  This industry awards ceremony, highlighting the successes and failures of the security industry of the past year, has quickly become one of my favorite parts of BlackHat.  If you’re interested, you can find this year’s nominees and winners listed over at the Pwnie Awards website.  The impromptu dinner afterward was very enjoyable as well, where I shared a meal with the likes of the lovely Shyama Rose, that beef-hunk (nsfw) Alex Sotirov, Pusscat, who needs no introduction, the code machine I call a boss, HD Moore, some d00d from Rhode Island, slow, and a slew of other interesting and intelligent people.

I didn’t make it to many parties this year, but one of the few BlackHat parties that I did make it to was the Microsoft party over at Treasure Island. An awesome mix of people made for some good conversations, but the music indoors was horrible… The DJ was playing all kinds of early-90’s tunes like Bell Biv DeVoe, Boyz II Men, etc. Outside the music was much better (house!) except that the DJ kept having to stop the music for any number of reasons, the longest of which being the Pirate show going off just outside the balcony on the waterfront between the club and the street.

Overall BlackHat was a fairly enjoyable experience.  I would have liked to have seen more of the presentations but due to an extremely late night Wednesday night culminating in my friend locking himself out of his hotel suite, soaking wet, in his boxers, I ended up sleeping late on Thursday and then attempted to get over to DEFCON early to get registered and get one of the electronic badges to play with.  You can however read my thoughts on the various presentations I did see below:

(more…)

MD5? Really?

January 7, 2009

First let me say that this article is not meant to diminish the work that Alexander Sotirov et al. have been doing for the past 6 months. It’s good work, has brought about some awesome results, and has demonstrated what was once a theoretical attack on PKI certificates based on MD5 hash collisions. What I’m amazed at is that it had the impact that it actually did.

(more…)

The Folly of a Scheduled Patch Release Cycle

December 11, 2008

A number of years ago, Microsoft led the charge by moving away from a dynamic patch release schedule to a monthly patch release schedule, essentially creating an imposed monthly patch cycle for their customers.  Since then, many other vendors have followed suit.  There are opinions and arguments supporting both a release schedule philosophy as well as a release upon completion philosophy, and today I’m going to outline where I stand on the issue.

(more…)

Penetration Test != Audit != Assessment

August 19, 2008

If someone is selling you a network penetration test, and then running a vulnerability scanner and handing you a report, you’re not getting what you paid for, period.

(more…)

DEFCON 16

August 14, 2008

DEFCON is always entertaining as it’s the largest hacker conference in North America. Back to back with its corporate counterpart, Black Hat, it generally draws thousands of hacker-type people to Las Vegas every summer. The related parties, shenanigans, and drama surrounding it are legendary, and this year was no different.

Below are my thoughts on the talks I was able to attend.

(more…)

Configuring DNSSEC in BIND

August 1, 2008

DNSSEC, which I mentioned in my previous post about mitigation for Kaminsky’s recent DNS cache poisoning flaw, are the SECurity extensions for the Domain Name System (DNS). It essentially adds cryptography to DNS, allowing authoritative nameservers to cryptographically sign their zones and resource records, which in turn allows caching/recursive nameservers to verify them. This prevents attacks against the recent cache poisoning flaw by allowing the nameserver under attack to verify that a record it receives is valid by checking the cryptographic signature against the zone’s public key. Theoretically, an attacker would not be able to forge this signature unless the zone’s keys have been compromised.

I’ve spent a bit of time over the past few days researching DNSSEC, as it’s been standardized for nearly a decade now but there hasn’t been much adoption. It’s most likely The Best™ solution for the recent vulnerability, but I’ve heard time and again that it’s too complicated and has too many controversial issues surrounding it which is why many admins haven’t adopted it into their infrastructure and still don’t plan to.

During this research, I’ve configured all of my nameservers to use DNSSEC, both authoritative and caching/recursive. While it is a bit of a pain on the authoritative side having to deal with signature expiration, key rotation, proving your identity and ownership of the zone to a domain lookaside verification (DLV) registry and providing your DLV records, etc., configuration for caching/recursive nameservers was relatively straightforward and simple. While this will obviously only protect you from accepting spoofed, poisoned cache entries for records within zones using DNSSEC, why would you not want to at least verify signatures for those zones that do provide them?

(more…)