Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: Conference

Defense by Numbers: Making problems for script kiddies and scanner monkies

4 Comments Posted by on April 24, 2013

Since early 2012 I’ve been working on a simple theory…

The Theory:

By varying [response|status] codes, it should be possible to slow down attackers and automated scanners.

If you’ve met me at a conference any time in the last year I’ve probably talked about it at length and bored the hell out of you (sorry about that BTW).

After researching a number of aspects of this theory I put forward a presentation for BSidesLondon to talk about my findings and how it might be applied to application defense.

The topic can be a little complex due to the various ways browsers handle [response|status] codes. Even within a specific browser the handling of different content types varies. JavaScript is a prime example of that. Where as a browser will happily show you a webpage received with a 404 “Not Found” code, the same browser may not accept active script content with the same code.

During testing I also discovered a couple of interesting issues with Proxy servers that could be used by attackers to expose credentials… as well as some very interesting browser quirks that are probably only interesting to a handful of people. Still, I like edge-case stuff, it’s weird and that suits me just right ;)

BSidesLondon Abstract

On the surface most common browsers (user agents) all look the same, function the same, and deliver web content to the user in a relatively uniformed fashion. Under the surface however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows for intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see.
This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will be given that show specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide scale scanning of websites

If the topic is something that interests you (and I’m sure there’s a lot more research to be done here) feel free to take a snoop at the slides… The talk was recorded also, so keep an eye on the BSidesLondon website and twitter feed for information on the video/audio release.

 

 

Links:

  • Some thoughts on HTTP response codes –> HERE
  • Privoxy Proxy Aauthentication Credential Exposure [cve-2013-2503] –> HERE
  • mitm-proxy scripts used in testing –> HERE
Conference, Security , , , , , ,

BSidesLondon 2013

Leave a Comment Posted by on April 19, 2013

It’s been a while since I’ve had the chance to update the blog, and that makes me a sad panda… still, sometimes life gets in the way of the really important stuff. Plus, nobody really reads this crap anyway right!

Still, pleasantries aside, next week is BSidesLondon (and a couple of events that run alongside it, such as 44cafe, and that small $vendor thing called InfoSec Europe). I was lucky enough to get selected as one of the speakers for this years event, and despite not dressing up like a gay biker, I hope the talk will be interesting. So, if you like number, weird edge cases, or innovative ways to protect web applications, come along to my talk and let me know what you think!

  • Defense by numbers: Making problems for script kiddies and scanner monkeys

Chris John Riley
Track One 12:45 – 13:30

On the surface most common browsers (user agents) all look the same, function the same, and deliver web content to the user in a relatively uniformed fashion. Under the surface however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows for intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see.
This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will be given that show specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide scale scanning of websites

Just to warn those brave souls to plan to attend… I have LOTS of slides… it could get messy ;) I’ll try to put my slides up on Slideshare prior to the talk so people can follow along if they want.

Anyway, as part of the build-up to the conference I wanted to list a few of the talks I’m really looking forward to seeing (time permitting).

  • Pentesting like a Grandmaster

Abraham Aranguren
Track One 10:15 – 11:15

Chess is a complex game: The number of permutations is just too great to compute the best possible move during a game. This is similar to pen testing in that we also have too many vulnerabilities to find and choose from not only on a 1 by 1 basis but also how we would chain them together like a real attacker. Chess players must analyse efficiently to beat time constraints like pentesters but unlike pentesters they have been doing this for a long time.

Abraham’s talks are always interesting, and I expect nothing less from his latest talk. He seems to have a unique way of looking at things and from a sneak peek at his slides, I think this one is going to be another interesting talk point.

  • Going Stealth: Staying off the Anti-Virus RADAR

Alex Polychronopoulos
Track One 17:00 – 18:00

Anti-Virus software is often the first line of defence in host based intrusion prevention. For years both black-hats and ethical hackers have researched how to avoid detection – some to compromise hosts reliably and others to improve detection. Executable packers are a popular technique used by virus and malware writers. They “pack” their malicious payload by compressing and/or encrypting it and they distribute it with enough clear-text instructions to “unpack” it. In particular, we’ll look at basic AV detection concepts and the basic design principles for packers. We’ll also touch on advanced techniques like polymorphism and metamorphism. You’ll leave marvelling that your AV ever catches anything at all.

Sometimes AV is the only standing between a good penetration tester and total domination… Anything we can do to test the limits of AV and maybe get that elusive shell is certainly worth the time to learn. Hoping for a few hints and tips here that might help in those situations.

  • How to build a personal security brand that will stop the hackers, save the world and get you the girl

Javvad Malik
Track Two 11:30 – 12:30

You’re a security professional, but even your boss doesn’t remember your name. Your brilliant ideas aren’t listened to, you’re never invited to speak at conferences and not even your mother visits your blog. In this talk I will take you down a journey of self-discovery that took me 3 years and went from another faceless security dude, to someone in control of my personal security brand. What worked, what didn’t work and all the behind-the-curtain magic exposed. If you’re into building your personal brand, making your voice heard amongst the 100′s of security ‘rockstars’ and dinosaurs who get all the attention – this is the talk for you to attend.

Fuck rockstars… no really, in this industry we need solutions, not primadonas with a god complex. Still, that said, having a brand and a platform to shout from is something we need. Plus Javvad is wicked funny and I’m sure he’ll CISSP mofo everybody in the crowd at LEAST once!

  • Dissecting Targeted Attacks – Separating Myths from Facts

Candid Wuest
Track Two 14:30 – 15:30

A lot of media do report on targeted attacks or so-called APTs, but how sophisticated or those attacks really? Flamer & co. are only the tip of the iceberg and even they had flaws. Most of the attacks are not so smart at all, but nevertheless successful. I will elaborate on the common methods of targeted infection & exfiltration, happening every day around the globe. Explaining the methods and tools used by the attackers with real life examples. I will show why they successfully bypass most security tools and analyse where these attacks differ from the common malware flood.

Learn your APT from your elbow… not everything is OMGtargetedStateSponsoredBBQ Malware from China with love!

—————————————————-

Well, those are my picks… so much cool stuff, so little time! Before I sign-off however, I wanted to remind all attendees that it’s your JOB (yep, attendees also have a job to do) to give feedback to speakers. Even if it’s a single point, an idea, or a pat on the back and “that was cool” comment… be part of making the conference better… give feedback or the kitten gets it!

Read my thoughts on “Giving feedback” –> HERE

Hope to see you all in London. Please come up and say hi if you’re about… I only bite when provoked!

Conference, Security , ,

ITWeb Security Summit

Comments Off Posted by on May 10, 2012

It’s been a while since I last posted… between a trip to the UK (for BSides London) and a few days in bed with con-flu, it’s been a busy few weeks.

I’m flying out to South Africa this weekend to take part in the ITWeb Security Summit in Johannesburg. There are a lot of great speakers talking, and I was honoured to be asked to present some of my SAP research as part of the “Enterprise Resource Planning” track.

This will be the last time I’ll be presenting this material, so hopefully it will go down well. This research has been ongoing for the last year or so, and it was time to move my focus off onto some other projects I’ve got running. Plus, nobody likes to see research that’s old and busted. The information I’ll be presenting is “out there” for the community, so I’m happy to cover it one last time before I put it to bed. So much hacking, so little time ;)

If you’re attending the conference please come up and say hi… I only bite on request!

Conference, Security , ,

DEEPSEC 2011: Quick Roundup

1 Comment Posted by on November 22, 2011

Well it’s been a few days since Deepsec 2011 finished, and I thought it was about time I wrote something about the actual conference.

Day 1

The first day started off with the usual 6am start to get to Vienna in time for registration. I arrived a few minutes late for the keynote, but quickly got into the swing of things. The keynote (How Terrorists Encrypt) was a discussion of how terrorist organisations (mostly Al Qaeda and connected cells) use encryption to communicate. Although you’d expect terrorists to have the basics of OPSEC down to a fine art by now, the presentation read more like a catalogue of failures and basic lack of skills/information. Instances such as the BA IT Expert, Rajib Karim and his refusal to use the Mujahideen Secrets tool (front-end for PGP/GPG?) in favour of a simple alphabetic replacement cipher.

The talk was definitely eye-opening on how badly the terrorists seem to be using encryption in general. However it does raise the question, are we only catching the stupid ones? Perhaps the better prepared are using encryption and simply staying below the radar!

I wrote a number of blog posts on the other talks from Day 1 :

Day 1 ended with a discussion by Morgan on the changing face of the infocalypse. Definitely worth catching on video once it’s released.

Day 2

The second day of the conference started off with a presentation on Identity X.0, OAuth, OpenID and general security issues surrounding user-centric Identity technologies. An interesting overview of implementation issues.

As with day 1 I wrote a number of blog posts for talks on day 2 :

After lunch I took some time to watch Kizz MyAnthia’s presentation on Bond Tech and had a long chat with him about Mobile Phone hacking and some issues he had getting his “toys” through UK Border Security.

Unfortunately the second SAP talk of the conference (Rootkits and Trojans on your SAP landscape) met with a slight issue as the presenters laptop fell on the floor as the talk began. Although he managed to complete the talk the demos weren’t possible due to data corruption. This was a pity as the content of the presentation itself was almost 100% the same as a presentation he gave in 2010. The demos would have been the saving grace here I think. Still, that’s life!

The final presentation of the conference was by Tom Mackenzie discussing some of the issues surround vulnerability research and coordination with vendors. The presentation touched on some interesting points and posed some open-ended questions, as well as showing some interesting examples of when things work and when they don’t!

Day 2 finished off with a late night party at Metalab… good music, club mate and good company. Oh and I once again lost to Kyrah at table football! One day I will prevail, oh yes, I will :D

Conclusion

Overall I’d give Deepsec a 7/10 for a solid conference, with friendly people and good presentations. It will definitely be on my recommended list once I get around to writing one ;)

The Good

Nice mix of presentations

Great location / organisation

The Bad

No way to leave feedback for individual speakers

No lightning talks

The Ugly

At least 1 talk based on 12 month old research / vulnerabilities

Conference, Security , ,

Older posts

Follow

Get every new post delivered to your Inbox.

Join 59 other followers