Daniel is a business and technical systems analyst with a background in IT security and software development. He has six years experience in the IT security field, including published academic research. His main areas of expertise include software assurance, network security, and authentication. In addition to security, Daniel has a software development background in languages such as Java, Perl, SQL, and PHP. He also has 14 years experience working with and administering various versions of Linux and related open-source software.
Secure Development - ShmooCon Edition
Feb 12 2010
This week I'm taking a break from my current series of top 10 web application vulnerabilities. Instead, I'll be talking about my experiences at ShmooCon (http://www.shmoocon.org/), an annual IT security conference in DC that has a very similar feel to the (in)famous DefCon. As usual, ShmooCon was a whole-weekend experience, with lots of things going on besides the official talks: many different contests, vendor booths, lock-picking tutorials, you name it... Throw in about two feet of snow that fell in DC on the Saturday of the con, and things start becoming even more interesting! In fact, I was very lucky to get out of town on Monday thanks to a fellow CapTecher who was headed back to Richmond by car.
For all of the sideshows at ShmooCon, the speakers and presentations are always top-notch and cover a wide variety of cutting-edge IT security issues. To keep things relevant, I'm going to talk about three of the most interesting talks I saw related to secure development.
- The Friendly Traitor: Our Software Wants to Kill Us by Kevin Johnson and Mike Poor of InGuardians. This was a very well-presented, high-energy session that explored the dangers of (well-intended) client-side software features that can be easily abused by attackers. Such "features" include JavaScript, Flash, Firefox add-ons, and of course HTML5 (which the presenters likened to having a hacker's toolkit pre-installed in the victim's browser...). The message here is of course not that these features are inherently bad, just that they give unprecedented power for launching attacks directly to/from inside a browser, especially since the majority of web traffic traverses most firewalls without a problem. There must be appropriate safeguards in place to prevent these features from being abused, and one of the examples they presented (Flash's crossdomain.xml file) shows just how far we have to go in this area: out of roughly 40,000 of the most popular Internet domains, over 2,000 had their sites mis-configured to allow Flash from any domain to pull data from their website.
- Windows File Pseudonyms by Dan Crowley. This talk was a poster child for proper input validation. It showed how the same file on a Windows system can be referenced in many different ways: legacy 8.3 filenames, UNC paths, and bogus characters that are silently dropped when the filename is resolved. Some of these alternate naming schemes are so obscure and complicated that I came away convinced that even the best set of regular expressions would not do this task justice. Instead, the best way to deal with this challenge is to pass the user input through a Windows canonicalization function first (such as the Windows API call GetFullPathName) to obtain a standardized filename, and validate that. There are still tricky cases: remote files can be referred to by either a full UNC path or a mapped drive letter, and local files can be addressed as remote files by using a UNC path. In other words, filename verification on Windows is much harder than it looks on the surface.
- Learning by Breaking: A New Project for Insecure Web Applications by Doug Wilson. This presentation introduced a very useful new tool for the web application tester's toolkit: the OWASP Broken Web Applications (BWA) Project. This is a pre-built VM that pulls together a variety of intentionally vulnerable applications and (unintentionally bad) real-world web applications with known vulnerabilities. It currently includes 11 separate applications, covering the three major technologies: Java, PHP, and ASP. Three of these are old versions of real-world web applications: WordPress, phpBB, and Yazd. The main audience for BWA is probably aspiring web application penetration testers, but I also think that developers and testers would benefit immensely from looking at the underlying vulnerable code. This way, they can learn from other people's poor coding habits rather than waiting for their own mistakes to catch up with them.
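The crossdomain.xml misconfiguration from the InGuardians talk, as an added example that is not from the talk or the original post: a small Python audit of a Flash policy file, run against two constructed policies (the wide-open one the talk warns about and a restricted one that names the domains it trusts). The element and attribute names are those of Adobe's crossdomain.xml format; the secure="false" check is an extra I added beyond what the talk covered.

```python
import xml.etree.ElementTree as ET

# Two constructed policy files (not real sites): the open policy the talk
# warns about, and a restricted one that names the domains it trusts.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="*.example.com" secure="true"/>
</cross-domain-policy>"""

# Elements that grant cross-domain access in the crossdomain.xml format.
GRANT_TAGS = ("allow-access-from", "allow-http-request-headers-from")

def audit_crossdomain(xml_text: str) -> list:
    """Return a list of findings for one crossdomain.xml document.
    An empty list means no grant hands the site's data to arbitrary origins."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]
    for el in root.iter():
        if el.tag not in GRANT_TAGS:
            continue
        domain = el.get("domain", "")
        if domain == "*":
            # The misconfiguration the talk found on >2,000 of ~40,000 sites:
            # Flash content served from any domain may read this site's
            # responses, with the visitor's cookies sent along.
            findings.append(f'<{el.tag} domain="*"> grants every domain')
        elif el.get("secure", "true").lower() == "false":
            # Extra check: secure="false" lets http-served content read an
            # https site's data, weakening TLS for the named domain.
            findings.append(f'<{el.tag} domain="{domain}"> has secure="false"')
    return findings

def allowed_domains(xml_text: str) -> list:
    """List the domain values a policy grants, for review next to findings."""
    root = ET.fromstring(xml_text)
    return [el.get("domain", "") for el in root.iter() if el.tag in GRANT_TAGS]

if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, allowed_domains(policy), audit_crossdomain(policy) or "OK")
```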
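The canonicalize-then-check approach from the Windows File Pseudonyms talk, as an added Python example (mine, not Dan Crowley's or the post's): user input goes through the GetFullPathName call the post names first, and only the canonical result is compared against an allowed local directory. The helper names and the C:\uploads base directory are my assumptions; the policy check is plain string logic that runs anywhere, while the API call itself needs Windows.

```python
import ctypes
import ntpath
import sys

def win_full_path(path: str) -> str:
    """Canonicalize 'path' with the Win32 GetFullPathNameW call.
    It resolves relative paths, '.', '..', forward slashes and trailing
    dots/spaces. Windows only; the policy check below is OS-independent."""
    if sys.platform != "win32":
        raise OSError("GetFullPathNameW is only available on Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    buf = ctypes.create_unicode_buffer(32768)
    needed = kernel32.GetFullPathNameW(path, len(buf), buf, None)
    if needed == 0 or needed >= len(buf):
        raise ctypes.WinError(ctypes.get_last_error())
    return buf.value

def is_within_base(canonical: str, base: str) -> bool:
    """Policy check on an already-canonical Windows path: it must sit on a
    local drive and strictly inside 'base'. Case-insensitive like NTFS."""
    c = ntpath.normcase(canonical)
    b = ntpath.normcase(base).rstrip("\\") + "\\"
    drive, _ = ntpath.splitdrive(c)
    # Reject UNC (\\server\share) and device-namespace (\\?\ and \\.\) forms:
    # the talk's point that even a local file can be addressed as "remote".
    if not drive or drive.startswith("\\\\"):
        return False
    # '..' should not survive canonicalization; fail closed if it does.
    if ".." in c.split("\\"):
        return False
    # Trailing separator on b stops C:\uploads_old from matching C:\uploads.
    return c.startswith(b) and c != b

def safe_upload_path(user_path: str, base: str = r"C:\uploads") -> str:
    """Canonicalize user input, then apply the policy; never inspect raw input."""
    canonical = win_full_path(user_path)
    if not is_within_base(canonical, base):
        raise ValueError(f"rejected: {user_path!r} resolves to {canonical!r}")
    return canonical

if __name__ == "__main__":
    # Constructed inputs; the API call only succeeds on Windows.
    for p in (r"report.txt", r"..\web.config", r"\\server\share\x"):
        try:
            print(p, "->", safe_upload_path(p))
        except (OSError, ValueError) as e:
            print(p, "->", e)
```

GetFullPathName does not expand 8.3 short names such as PROGRA~1; if those matter, the canonical path of an existing file can be normalized further with GetLongPathNameW before the check.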
Not surprisingly, secure development was a theme across many talks at ShmooCon. However, some of the really cool stuff goes on in the "hardware hacking" area, which had fascinating talks on WiFi attacks, the complete lack of security in the basic GSM standard, and the ease of sniffing Bluetooth keyboards. Other noteworthy talks were about the BlackBerry security model, hard drive internals (it turns out each hard drive is a mini-computer), and building your own Predator UAV (i.e. strapping a camera to a model plane and shooting some really cool aerial footage). See the full lineup of talks on the ShmooCon website (all have a short summary linked, and some already have slides posted).
Like last year, this year's ShmooCon was again the perfect mix of high-quality presentations, really smart people exchanging ideas, and a laid-back, fun atmosphere. I'm already looking forward to next year's con.
Next week, I'll resume my top 10 series and we'll talk about Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).
© 2011 CapTech Ventures, Inc. All Rights Reserved.