Archive for the ‘security research’ Category

Real-time Steganography with RTP Whitepaper

September 18, 2007

My paper detailing the research I presented last month at DEFCON 15 was published today in Uninformed Journal Vol. 8. The paper is entitled “Real-time Steganography with RTP” and details using steganographic techniques to establish a covert channel within the protocol commonly used for the media channel in VoIP calls as well as a reference implementation.



August 9, 2007

DEFCON 15, in their second year at the Riviera, seemed a little more settled than the turbulent vibe from last year. Unfortunately DEFCON already seems to be outgrowing this space as a couple of the talks I wanted to see were standing room only and attendees were spilling out into the halls.

The badge this year was a large rectangular PCB with the DEFCON logo parts down the left side and the letters “DEFCON” down the right side. In the center, oriented vertically, was a mini LED pixel display which was controlled by an on-board chip. In its default state, the display scrolled the text “I <heart> DEFCON”, however you could program the display through various sequences of pressing your fingers to the DEFCON logo parts down the left side. The badge this year was interesting, but it definitely had some quality issues. The controls to program the scrolling LED display were too easily triggered accidentally, causing most badges to be usually scrolling one of the menu texts instead of the custom message. Also, toward the end of the conference I was seeing a lot of the badges with stuck displays, only having a couple of random LED pixels lit up on them. The badges may have also been a little over-engineered, as the instructional poem in the DEFCON book alluded to being able to solder on more components like an RF transceiver, an accelerometer, and potentially some other stuff. I identified at least three different places where you could add components to the badge. There was also WAY too much information about the badge in the DEFCON book, such as what types of components you could add, where to get complete source code, how to debug it, etc. This seemed way more like being led down a path than actually being able to “hack” the badge.

Due to speaking this year and having a bunch of friends from DFW in town partying and gambling I didn’t really do the DEFCON social/party thing. I didn’t even have time to attempt Caezar’s Challenge, which from what I could tell merged this year with the Ninja Networks party since the challenge was on the back of the Ninja party pass. Oh well, the couple hundred bucks I made playing BlackJack and hanging out with my DFW friends was worth it.

Out of the presentations and events I attended, here are my thoughts:


BlackHat 2007

August 9, 2007

BlackHat Briefings 2007 was a bit disappointing this year. This year, the first day of briefings had an entire track devoted to Voice Services. Being the sole VoIP researcher for TippingPoint’s DVLabs, I of course attended this entire track. In short, three words: waste of time. Out of 5 talks on VoIP security, I learned one single new piece of information. At best, the content was the same old attacks against new or attention-starved targets. At worst, it was the same old attacks against the same old targets. In all honesty, if the BlackHat CFP review board had accepted the updated version of my VoIP Attacks! talk that I had submitted, 80% of the attacks shown in the VoIP Services track would have been covered by about 50% of my slides. Maybe not in as much detail, or against the same targets, but that’s kinda the point of my VoIP Attacks! talk; almost all the attacks I speak about work against most protocols or multiple targets, just with slightly different implementations. But then I guess that would have removed the need for an entire VoIP track, which I’m guessing they wanted to have since it’s a hot topic. Also, my RTP Steganography talk that was accepted to DEFCON rather than BlackHat would have been much more appropriate for this track than some of the talks they accepted. I’m not bitter though (:

The second day I saw the talks by the other DVLabs researchers which of course were excellent.

One thing that struck me this year was the names of the people speaking. For a conference that’s actually named BlackHat, there was only a single person speaking under their handle or nym. To me that speaks volumes about the type of content being presented versus the image that the conference is purporting. Also, identifying the number of speakers associated with the conference sponsors versus those that aren’t is an interesting exercise for anyone that cares to look into it. I think this conference is becoming way too corporate and is beginning to do its attendees a disservice. This probably stems from the fact that the conference was sold recently and is now managed by a corporate entity.

Here are my summaries of the presentations that I attended:


Speaking at DEFCON 15

May 19, 2007

I’ve been invited to speak at DEFCON 15 this August which is being held at the Riviera Hotel & Casino in Las Vegas. I’ll be presenting on some new research I’ve been working on involving VoIP and steganography. The presentation will be entitled “Real-time Steganography with RTP.”

Mnemonic Password Formulas

May 17, 2007

A research paper that I recently authored entitled Mnemonic Password Formulas was published on Monday in Uninformed Journal Vol. 7. It’s essentially some research that I’ve done on the deficiencies in existing methods for memorability and manageability of passwords as well as documentation of a new method for the same that I’ve termed “Mnemonic Password Formulas”, or “MPFs”, that I have been developing for my own personal use over the past 6 years or so. If you’re a computer user and use passwords, I invite you to read this paper.

ToorCon Seattle (Beta)

May 16, 2007

ToorCon Seattle (Beta) in Seattle was a new experiment by the ToorCon folks. It was essentially an informal and free invite-only conference, total attendance numbering around 150, with a single track of speakers each having 20 minutes to speak on their current (and potentially in-progress) research. The format was very similar to the format that the AHA! meetings take, so I was right at home speaking there. The conference talks were held on a single day, during the day, in a night club called the Last Supper Club.

The badges for this conference were really unique and interesting in that they looked like chocolate bars. The badges themselves were wrapped in a paper candy-bar wrapping themed after a Wonka bar, and the conference being invite-only, some of the bars had golden tickets in them which ensured your invite to next year’s conference. I don’t know what the ratio of bars with golden tickets to bars without was, but I was lucky enough to have gotten a bar with a golden ticket.

Finally, here are my comments for the various talks that I attended:


TippingPoint DVLabs Website

May 3, 2007

Apparently, my employer launched the new TippingPoint DVLabs website when I wasn’t looking. Click through and check it out, it’s pretty slick. Not only do they have bios of all the team members, but each member page pulls data from all the other areas of the site like upcoming and published advisories, appearances, blog posts, etc. in an aggregated list specific to that team member. And of course, the site has yet another blog for me to write for…

Anatomy of an 0-day

April 19, 2007

Cody Pierce, a colleague of mine at TippingPoint’s DVLabs, was recently profiled in an article by Dennis Fisher. The article basically describes how Pierce went about discovering and disclosing an 0-day vulnerability in the Internet Help Control ActiveX component last April, which resulted in a patch from Microsoft last August.

To do this, he built a custom fuzzer to test large numbers of ActiveX controls and separate the wheat from the chaff. He wrote the fuzzer using the Python and Ruby programming languages and began looking for remotely exploitable vulnerabilities that posed a serious threat to Internet users.

“There are 4,000 ActiveX controls on a typical XP machine and I looked for the ones that could be loaded in Internet Explorer,” Pierce said. “Then I looked for the ones with problems and then the ones that were critical. I wanted to see what was exploitable and what was just a denial of service.”

The article then goes on to hint at a paradigm shift in vulnerability research that targets web and hosted software, noting that as more and more software packages are provided solely on the web or by ASPs, it’s increasingly difficult for third-party researchers to target those pieces of software. Because such software generally isn’t available outside of the ASP or company hosting the web application for testing in a controlled environment, targeting such applications for vulnerability research can be construed as an active and malicious attack.

Kudos to Pierce and TippingPoint for the excellent press coverage!

Upcoming Conferences

April 19, 2007

In a couple of weeks I’ll be heading to Seattle for Microsoft’s internal security conference, BlueHat, and ToorCon’s invite-only conference, ToorCon Seattle (Beta).

I’ve never been to BlueHat before, but that’s not really surprising since most of my research targets, both now and in the past, have had absolutely nothing to do with Microsoft products. The primary reason I’m attending is that BlueHat takes place the two days before ToorCon Seattle and I’ll already be in town those days due to attending ToorCon Seattle and returning through Seattle from a trip to Vancouver which will get me there a few days early.

ToorCon Seattle (Beta) is the first of ToorCon’s invite-only conferences and is adopting an extremely familiar approach to structure: basically, all speakers will have up to 20 minutes to present on research currently in progress rather than finished work, followed by a handful of 5 minute turbo talks toward the end of the day. It seems like I’ve seen this format somewhere before…

I’ve submitted something to speak about at ToorCon Seattle but haven’t heard back yet on whether or not I’ll get a slot, so I’ll refrain from talking about that just yet.

Black and White Ball

April 16, 2007

I’ve been invited to speak during the Black Track at the Black and White Ball this September which is being held at the Ministry of Sound in London. I’ll be presenting on some new research I’ve been working on involving VoIP and steganography. The presentation will be entitled “Real-time Steganography with RTP.”