Black Hat
By Rich
No, we didn't hack any networks or laptops, but we absolutely dominated when it comes to podcast coverage. This was our second series of microcasts since RSA, and we really like the format. Short, to the point interviews, posted nearly as fast as we can record them.
We have 9 (yes 9) microcasts up so far, with about 2-3 more to go. A few people also promised us phone interviews which we plan on finishing as soon as possible. Here's the list:
- Our pre-show special, where we talk about our plans for coverage and what we'd like to see.
- The first morning; our initial impressions before the main start of the show.
- Mike Rothman of Security Incite, hot after Chris Hoff's virtualization presentation.
- Tyler Reguly of nCircle on web development and the learning curve of researchers.
- Jeremiah Grossman from WhiteHat Security on what he's seen and what he talked about in his session.
- Martin turns the tables on Jon Swartz of USA Today and the book, Zero Day Threat.
- Martin and I close out Black Hat (don't worry, there's still DefCon).
- Nate McFeters and Rob Carter talk with us about GIFARs and other client side fun.
- Raffael Marty discusses security visualization, which he coincidentally wrote a book on.
- I never saw Johnny Long, but Martin managed to snag an interview with him on his new hacker charity work.
Don't worry, there's more coming. Stay tuned to netsecpodcast.com for an interview with the slightly-not-sober panel I was on (Hoff, David Mortman, Rsnake, Dave Maynor, and Larry Pesce) and some other surprises.
–Rich
Posted at Monday 11th August 2008 6:52 am
By Rich
I'm sitting in the Extreme Client-side exploitation talk here at Black Hat and it's highlighting a major website design risk that takes on even more significance in mashups and other web 2.0-style content.
Nate McFeters (of ZDNet fame), Rob Carter, and John Heasman are slicing through the same origin policy and other browser protections in some interesting ways. At the top of the list is the GIFAR: a single file that is both an image and a Java applet. Image formats put their header (the part that tells a renderer what it is looking at) at the start of the file, while JAR files, which are just ZIP archives, keep their directory at the end and are read from the end backwards. Concatenate the two and you get one file that an image decoder reads from the top and accepts as a picture, and that the Java runtime reads from the bottom and accepts as an applet. So you think you're looking at a pretty picture, and you are, but you're also running an application.
So how does this work as an attack? If I build a GIFAR and upload it to a site that hosts photos, like Picasa, the photo site now serves my applet from its own domain. When that GIFAR is loaded as an applet and the application part starts running, it runs in the context of Picasa, because the Java runtime treats the host the JAR was served from as the applet's origin. The applet then gains access to your credentials and anything else that runs on that site. Heck, forget photo sites; how about anything that lets you upload a picture as part of your profile? Then you can post in a forum and anyone reading it will run that applet (I made that one up, it wasn't part of the presentation, but I think it should work). This doesn't just affect GIF files; all sorts of images and other content can be manipulated in this way.
This highlights a cardinal risk of accepting user content: it's like a box of chocolates; you never know what you're gonna get. You are now serving content to your users that can be turned against them, which not only makes you responsible but can directly break your security model. Things execute in the context of your site, enabling cross-site request forgery and other trust boundary violations.
How do you manage this? According to Nate, you can always build in your own domain boundaries: serve user-uploaded content from one domain, and keep the sensitive user account information on another. Objects can still be embedded, but they won't run in a context that allows them to access the other site's credentials. Definitely a tough design issue. I also think that, in the long term, some of the browser session virtualization and ADMP concepts we've previously discussed here are a good mitigation.
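As an added example (not from the talk or from this post), here is the polyglot trick above in Python: a constructed 1x1 GIF is prepended to a ZIP archive built with the standard zipfile module, and the result is then checked the way each consumer would check it. The JAR entries are placeholder bytes, not applet bytecode (the point is the container, not a payload), and the hypothetical `is_image_zip_polyglot` function is the kind of upload-side check a photo host could run. Python's zipfile locates the end-of-central-directory record by scanning back from the tail of the file, as the JVM's ZIP reader does, which is why the leading image bytes don't get in the way.

```python
import io
import zipfile

# Constructed 1x1-pixel GIF89a (one black pixel). Image decoders read this from offset 0.
MINIMAL_GIF = (
    b"GIF89a"                                     # signature + version
    b"\x01\x00\x01\x00\x80\x00\x00"               # logical screen descriptor: 1x1, 2-entry palette
    b"\x00\x00\x00\xff\xff\xff"                   # global color table: black, white
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor: 1x1 image at (0,0)
    b"\x02\x02\x44\x01\x00"                       # LZW min code size 2, one data sub-block, terminator
    b"\x3b"                                       # GIF trailer
)

# Placeholder JAR contents (assumption: not real class-file bytecode, just bytes in the right place).
PLACEHOLDER_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
    "Applet.class": b"<placeholder, not a real class file>",
}


def build_jar(entries):
    """Write a ZIP (which is what a JAR is) to memory. ZIP_STORED keeps it dependency-free."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_gifar(gif, jar):
    """A GIFAR is literally the image bytes followed by the archive bytes."""
    return gif + jar


def looks_like_gif(data):
    """What an image decoder checks first: the magic bytes at the start of the file."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def jar_entries(data):
    """What a ZIP/JAR reader sees: it finds the end-of-central-directory record by
    scanning back from the end of the file, so the GIF prefix is simply skipped."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def jar_read(data, name):
    """Read one entry out of the archive part of the polyglot."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def is_image_zip_polyglot(data):
    """Hypothetical upload-side check: a file that claims to be an image must not
    also parse as a ZIP archive. A plain GIF has no end-of-central-directory record."""
    return looks_like_gif(data) and zipfile.is_zipfile(io.BytesIO(data))


if __name__ == "__main__":
    gifar = build_gifar(MINIMAL_GIF, build_jar(PLACEHOLDER_ENTRIES))
    print("starts like a GIF:", looks_like_gif(gifar))
    print("JAR entries seen by a ZIP reader:", jar_entries(gifar))
    print("flagged by upload check:", is_image_zip_polyglot(gifar))
    print("plain GIF flagged:", is_image_zip_polyglot(MINIMAL_GIF))
```

The upload check above is only a first line of defense: it catches ZIP-based polyglots (JAR, and anything else that rides on the ZIP format), not every way of hiding active content in an image, which is why the domain separation Nate describes matters more than any content filter.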
–Rich
Posted at Thursday 7th August 2008 9:03 am
By Rich
It won't come as a surprise to anyone, but Adrian and I will be out in Vegas for Black Hat and DefCon. I arrive Tuesday morning and Adrian arrives Tuesday night. He's there through Saturday morning, and I'm around to the bitter end.
I'm working the events on the speaker management team for Black Hat, and the speaker goon team for DefCon. Adrian gets to just hang out and drink. I'm also speaking at DefCon where I'll debut the new version of my Ultimate Evil Twin (which, thanks to being distracted by the recent DNS circus, isn't quite as ultimate as I originally planned).
Evenings are mostly full, but we have a couple lunch and break slots open still. Otherwise, we'll see you at the parties...
–Rich
Posted at Friday 1st August 2008 3:59 am
By Rich
I've talked to some of the local crew, and we've decided to hold a special pre-BH/DefCon SunSec on July 31st (location TBD).
We're going to take a bit of a different approach on this one. A while back, Vinnie, Andre, myself, and a couple of others sat around a table trying to think of how to jazz up SunSec a bit. As much as we enjoy hanging out and having beers, we recognize the Valley of the Sun is pretty darn big, and some of you need a little more than just alcohol to get you out of the house on a Wednesday or Thursday night.
We came up with the idea of the Phoenix Security Slam (PiSS for short). We'll move to a venue where we can get a little private space, bring a projector, and have a little presentation free for all. Anyone who presents is limited to 10 minutes, followed by Q&A. Fast, to the point, and anything goes.
For this first run we'll be a little less formal. I'll bring my DefCon content, and Vinnie has some other materials to preview. I may also have some other good info about what's going down in Vegas the next week, and I'll share what I can. We'll limit any formal presentation time to an hour, and make sure the bar is open before I blather.
If you're in Phoenix, let me know what you think. If you're also presenting at BH/DC and want to preview your content, let me know.
Also, we could use ideas for a location. Some restaurant where we can take over a back room is ideal.
–Rich
Posted at Wednesday 2nd July 2008 6:11 am