Last week I spoke at Immunity’s Infiltrate 2012 at the Gansevoort Hotel in Miami Beach. The single-track conference was small-medium sized, having around 200(?) people in attendance.
Infiltrate’s coordinators made being a speaker feel like being a celebrity. Flights and hotel rooms were paid for, a car picked me up at the airport, the location was fun, and for all attendees - breakfast, lunch, and dinner were provided. The open bar opened at 1pm everyday. It was awesome.
The CFP and conference preparation process made me feel like the organizers really cared about having quality presentations. It was nice to receive a phone call from a technical team asking questions to feel out exactly how put-together and complex the work I was doing was. The pre-conference dry-run was a nice touch too, and although there weren’t many questions or suggestions for my talk, it was nice to have some outside opinions. Another nice touch was that Dave Aitel was involved in much of the CFP and preparation process, which further demonstrated how much he really cared about putting together a good conference.
Even though there was a good amount of involvement in vetting speakers and a lot of planning clearly went into the conference, I was a little surprised that some talks were already presented at other conferences. I shouldn’t really be criticizing this (since I’m giving the same talk at Shmoocon in two weeks) but I think Infiltrate has worked hard to raise the bar when it comes to talks – a goal that I greatly admire. I think that the more times a presentation is given, the less exotic the content becomes. So even if the research produces amazing insight, everyone already knows about it, so the content is no longer “the best of the best”. At other conferences I think its ok to see a presentation if it has been given a few times already, but I think if Infiltrate wants to maintain the perception that only the best of the best talks will be presented, then they need to vet out the duplicates.
Also, there were just a couple of the talks were not as “offensive” as I had hoped. With the bar raised so high, my expectations are even higher, so if I don’t see stuff getting completely ripped apart and owned, I feel like it’s something better presented at a conference with less emphasis on total pwnage.
Reservations aside, the majority of content at Infiltrate was engaging and though-provoking - exactly what I’d expect from a security conference.
- Badges – I’m still not sure how I feel about this, but at infiltrate, your conference badge was a wristband. Badges are traditionally a fun little knick-knack at every conference, usually containing some sort of encoded message, challenge, etc... but at Infiltrate, that didn’t exist. Does it matter? Would I sacrifice an open bar for a cool badge? Probably not.
- Event support staff – Everyone I encountered was extremely nice and quick to offer a helping hand whenever I had a question or needed anything.
- Presentation Lengths – Talks were 45 minutes. I think they should have been 60. Some talks were cut short for the sake of time, while others went over, affecting the flow of the conference.
- Lunch and Dinner – Food was really good and tasty, deserts (my specialty) were outstanding!
Overall ImpressionI have to say that it’s refreshing to attend and be involved in a conference like Infiltrate. Our industry is getting over saturated with conferences that are filled with stale and sometimes un-inspiring content. If we cannot collectively raise the bar, we’re not motivating ourselves to produce creative and innovative research – and if we’re not doing that, we might as well surrender our intellect, curiosity, and integrity to the vendors who would prefer to ignore the security of their customers, to increase their profits.
Here’s a quick run-down on the talks that I was able to take notes on. Keep in mind that I’m not an expert in really any of these topics, so I’ll try my best to summarize accurately but if you really want to know the specifics, look around online or contact the presenter.
Day 1 Keynote – Thomas LimThomas’ blunt and extremely entertaining presentation style kicked off the conference spectacularly. His talk resonated with me throughout the conference. The keynote started by discussed the challenges of running a good conference. Most conferences don’t make more than $10k, which means, given the amount of time invested, the organizers end up losing money or barely breaking even. Another major challenge is with finding good speakers. In his experience there is a little bit of a talent problem:
- It’s hard to find people who are doing amazing things
- It’s common to get a CFP response from someone who writes really well, but whose actual content is lacking or who presents horribly. This can really negatively impact a conference
- There are a lot of people who keep reusing content - he said that a good rule of thumb is to avoid presenting the same talk more than 3 times.
Voight-Kampff'ing the Blackberry Play Book - Zach Lanier/Ben NellThe title is a reference to Blade Runner. Zach and Ben’s information-packed presentation covered a number of different vulnerabilities they’ve discovered in the Blackberry Playbook. Although many of the vulnerabilities have been already addressed by RIM and spoken about, it was very interesting to see the types of issues they uncovered. An interesting discovery was around a legacy QNX “feature”, which is applicable to any services that leverage Persistent Publish/Subscribe(PPS). Configuration and other files are stored within the PPS directory structure, and are protected by POSIX file permissions. Although the permissions appropriately restrict unauthorized applications from accessing their contents, a mirror of the file contents are provided within a “.all” file, which has much more relaxed permissions. This means that sensitive information - session tokens, and PINs, for example is accessible to anything that has local access.
Next, any native code application can essentially bypass application permissions and do pretty much anything. Lanier and Nell apparently wrote an application that, from the user’s perspective, required no permissions, but once run, served a shell to a remote host.
Applications within the app store are assigned an identifier. Every version of the application is assigned a unique identifier and those versions are always available on the app store. The problem is that the identifier is sequentially assigned, and the URL providing the application does not require authentication. This means that anyone can download any application and application version for free.
Finally, the two spoke about Sapphire proxy, which is an internal service that is used as part of "bridge" - a service involved in Bluetooth communication. Since the Playbook uses Bluetooth to pair with a central messaging device, you can leverage Sapphire proxy to intercept and view email, as well as other messaging data.
Unearthing the World's Best WebKit Bugs - Michel Aubizzierre
Michel’s quirky slides were right up my alley and had me chuckling. His presentation was around reviewing public development braches for open-source projects (this talk was around WebKit) and tracking code developers who are known to patch bugs or write code that contain bugs. Using that information and tags that are included within bug reports, he wrote a proof-of-concept tool to uncover vulnerabilities that have yet to reach the stable branch. He mentioned that his tool identified somewhere around 76,000 potential bugs, but it is difficult to tell which are actually exploitable. Additionally, since many of the bugs that fit this criteria are restricted from public viewing, its difficult to truly measure the severity and accuracy of the bugs identified.
Effective Denial of Service Attacks Against Web Application Platforms -Alexander Klink/Julian Waelde
This presentation was already presented at CCC on December 27th, although I missed the live feed for it, I did read a little bit about the attack online. That being said, Klink and Waelde did update the slides to include vendor responses, which I found to be interesting. Additionally, it was nice to be able to ask them questions when I just so happened to sit next to them during the conference.
Here’s a summary of vendor responses, and resolution status:
- PHP has a workaround in PHP 5.3.9
- ASP.NET is patched as of Dec 29th (MS-11-100), exploit code exists.
- Java is more susceptible, and since it used by many different application servers, has a wider reach to things like Apache, Glassfish, Jetty, etc..
- Apache Tomcat - Workaround Patch 7.0.23, 6.0.35
- Oracle GlassFish - Will be fixed (S0104869)
- Oracle does not plan to fix the issue in Java, but rather have the Application server handle it
- Python - No Response, under "active discussion" on mailing lists
- Ruby - Fixed in 2008 version 1.9, other deriviates
- CRuby/JRuby/Rack fixed Dec 28th.
A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator - Dan RosenbergDan's talk covered one of the Linux kernel's heap allocators, called the SLOB (Simple List of Blocks). He mentioned there are three allocators, SLUB, SLAB and SLOB -- with SLOB having just about no sanity validation or exploit mitigation compared to other allocators. This allocator is commonly used in embedded Linux distributions such as OpenWRT. He mentioned that he plans on releasing a whitepaper, and right after the conference, he tweeted about libplayground, a framework for delivering Linux kernel heap exploitation techniques.
Day 2 Keynote - Andrew CushmanAndrew Cushman leads the Trustworthy Computing Group at Microsoft. His keynote covered a handful of interesting ideas, looking at the need for adaptive change within the industry as a whole. He's seeing shifts in attacks from networking and infrastructure equipment to intellectual property, foundations, and business models. In turn, this moves security controls from security engineering and operations to government regulations, cyber security policies, and similar agendas. There are even groups exist that would like to see Internet governance shift to a multi-country regulatory body. (yikes)
He also discussed Microsoft's approach to handling security mechanisms within its software. Microsoft has evaluated exploit economics and devised a way to reduce the appeal of attacking their software. In short, Microsoft works to decrease an attack’s ROI by increasing the attacker's investment (more time spent learning, developing attacks) and decreasing attacker opportunity to recover investment (quicker patch turn around via windows update).
Finally, Cushman wrapped up his talk by saying that exploit mitigations raise the bar for attackers, and he suggests that if you don't want to spend the time to learn the advanced techniques, social engineering is the next best thing, since it requires less technical skill but can have a devastating effect.
Attacking Proximity Card Access Systems - Brad AntoniewiczIf you ask me, I thought it was a good talk :)
Secrets in Your Pocket: Analysis of [Your] Wireless Data - Mark WuerglerMark's extremely well designed presentation (his twin brother is a graphic artist) was the result of many months of data collection and analysis. He discussed the potential of tracking people via the wireless data originating from their cell phones or other always-on devices. Although I've seen a couple of different research studies around this, Mark's presentation was unique in the sense that he created a tool, called Stalker, that takes an input PCAP and analyzes the data within it to create a profile of a user. It also fetches information from outside sources to complete the overall picture. There are some caveats- the data shouldn't be encrypted to get the most out of the tool, and some of the techniques the tool uses require a few specific environmental factors to be present. Mark also noticed that on certain mobile devices, if they're connected to a wireless network that doesn't provide DHCP, the device will attempt to blindly ARP out to the default gateway of previously-used wireless networks. If on an open wireless network, these ARPs can be observed and used to identify where a person has been. Perhaps even more interesting than the actual tool were some of the active attacks Wuergler showed against users on open wireless networks (implemented by the tool). An access token is sent when using Facebook-enabled applications (such as Pandora); if an attacker can obtain this access token, there is a possibility that the attacker can create a forged request to increase the privileges of the application (which are set client-side). The attacker could then access any of the user’s Facebook data (inbox, status, pictures, etc.).
Undermining Security Barriers - further adventures with USB - Andy DavisAndy's talk was previously presented but updated to account for the release of a new tool, FrisBee Lite. Although there are some tools for USB testing, most are expensive and somewhat limited. The $1200 Packet Master USB 500+ AG is described as Wireshark for USB with injection capabilities. The issue is that the supporting software thats packaged with the device has a non-existent API and a limited scripting language, making it difficult to leverage it for more comprehensive fuzzing. Even then, the presenter wrote a script to create basic fuzzing test cases, but it was very slow and restricted. The next approach was an Arduino-based tool called FuzzBox, which was greatly limited since it could only emulate USB HID devices. FuzzBox is also pretty slow due to speed constraints on the Arduino.
FrisBee Lite is a wxPython application that makes fuzzing relatively simple, via a point and click Windows GUI. The tool has been leveraged to find flaws in Solaris, the Xbox, iOS, and Mac OS X. An interesting side effect of the fuzzing was that when the author was testing certain operating systems with endpoint protection software installed, he actually found cases that crashed the software responsible for monitoring the insertion of USB devices.