This presentation was by Robert "RSnake" Hansen and was designed to be a fun conversation to have over drinks with security people. I feel privileged to have been one of those security people who he talked about this with beforehand. A very interesting topic about the non-obvious threats that may or may not exist. My notes are below:
- Because I use the Internet
- Because I'm a target
- Because most people don't know
- Because it's a fun conversation to have over drinks with security guys
- Maybe/hopefully you'll continue this conversation instead of just arguing!
- Must be non-obvious and must be directly related to the Internet. Not:
  - ...the President or any other government official
  - ...or someone involved with SCADA systems/brick and mortar
- Must be in control of some infrastructure or software, etc
- Must have the largest or widest negative impact possible for the least amount of work and least likelihood of being stopped
- No magic - must be real and dangerous
- They can't be "bad" people
- You can't take this list too seriously
How I Got Started
- Started thinking about core technologies that everything relies on
- Made a big list
- Shopped it around to dozens of security experts
- Assigned an arbitrary, unscientific, hand-wavy, risk-rating system of my own design
- Ranked them in order of how scared I am of them personally
- John Doe at C|Net
  - Job: Network Engineer
  - Why: Controls com.com
  - Impact: Largest collection point of typo traffic for both web and email.
  - Doesn't require anything overt or even indefensible
- Giorgio Maone of NoScript
  - Job: Consultant
  - Why: Controls NoScript
  - Impact: Nearly every security researcher on the planet - complete compromise. In general, the most paranoid people on earth would be compromised.
  - Builds arbitrary whitelists (ebay.com)
  - Has changed functionality to subvert Adblock Plus
This was my third consecutive year attending the TRISC Conference and it gets better and better every year. This year, the location was outstanding, the presenters were top-notch, and the Keynotes were pretty good. This was my first time actually presenting at the TRISC Conference and I thought they did an excellent job from the presenter point-of-view as well. They kept the presentations on time, they had my notes all printed up and ready for attendees, and A/V equipment worked well. No complaints from me there.
My favorite Keynote speaker was far and away Johnny Long. His talk was on "No Tech Hacking" and he is as entertaining as he is talented. If you ever get a chance to see him speak, definitely do so. Also, be sure to check out his website at IHackCharities.org.
My least favorite Keynote speaker was Ken Watson. He spoke all monotone and the presentation on these centers around the country that the government is using to team up with industry to prevent attacks on critical infrastructure was pretty lame. I guess I just expected more and from talking with others it seems like I'm not alone.
My favorite presentation was Robert Hansen and Rob MacDougal's talk on "Assessing Your Web App Manually Without Hacking It". It was a simple concept that everyone from managers to developers to IT guys can follow to get an idea as to how many vulnerabilities their application might contain. RSnake!
My least favorite presentation was "The Importance of Log Management in Today's Insecure World" by Ricky Allen and Randy Holloway from ArcSite. Too vendory, not technical enough, and kinda lame in general. Maybe I'm just bitter because I heard that the other presentations that took place while I was in this session were really good.
This was the first year that TRISC had a Casino Night and it was awesome. I played Texas Hold 'Em most of the night and took Nathan Sportsman's money and a bunch of Rob MacDougal's as well. They had Roulette, Blackjack, and Craps tables there as well and the goal was to start with $10,000 in chips and for every $5,000 you had at the end of the night you got a raffle ticket. I ended up with over $40,000 and 9 raffle tickets and won three different items. Score.
Overall, TRISC 2009 was not the best conference that I've ever attended, but was certainly the best TRISC to date. I was very impressed and am looking forward to next year. FYI, all presentations from the conference are online and available for viewing here.
This talk was rumored to have been cancelled at a vulnerable vendor's (Adobe) request, but Jeremiah Grossman and Robert Hansen decided to do parts of the talk anyway. Here are my notes from the semi-restricted presentation.
My Analysis: It sounds like the exploit basically creates a frame that is hidden underneath the main content frame that a user is seeing. The main content could be a flash game or any sort of incentive to keep a user clicking. All of the clicks that the user is making are used to click on content in the hidden frame. Again, just my speculation based on the information provided by RSnake and Jeremiah above.
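The defensive side of the hidden-frame trick described above is to tell the browser that a page may not be placed in a frame at all. The following is an added example, not from the talk or from these notes: it audits a set of HTTP response headers (the sample responses are constructed) and reports which pages carry no anti-framing protection, treating the obsolete `ALLOW-FROM` form as unprotected because current browsers ignore it.

```python
"""Audit HTTP responses for anti-framing (clickjacking) protection.

Added example; the sample responses below are constructed, not captured.
"""
from typing import Dict, List, Mapping, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent.

    Keyword sources keep their quotes ('none', 'self') so they can be compared
    exactly; host sources are lower-cased.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers: Mapping[str, str]) -> str:
    """Classify a response as 'blocked', 'same-origin', 'restricted' or 'none'.

    A CSP frame-ancestors directive takes precedence over X-Frame-Options when
    both are present, which is how CSP-aware browsers behave.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is not None:
        sources = parse_frame_ancestors(csp)
        if sources is not None:
            if not sources or sources == ["'none'"]:  # empty list means 'none'
                return "blocked"
            if sources == ["'self'"]:
                return "same-origin"
            return "restricted"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is not honoured by current browsers, so it offers no protection.
    return "none"


def unprotected_pages(responses: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Return the URLs whose responses allow framing by any site."""
    return sorted(url for url, h in responses.items() if framing_protection(h) == "none")


# Constructed sample: one URL per protection pattern seen in practice.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "https://bank.example/transfer": {"X-Frame-Options": "DENY"},
    "https://shop.example/checkout": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
        "X-Frame-Options": "DENY",
    },
    "https://legacy.example/admin": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "https://game.example/play": {"Content-Type": "text/html"},
}
```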