Web Admin Blog Real Web Admins. Real World Experience.

13 Nov 2009

The 10 Least-Likely and Most Dangerous People on the Internet

This presentation was by Robert "RSnake" Hansen and was designed to be a fun conversation to have over drinks with security people.  I feel privileged to have been one of those security people who he talked about this with beforehand.  A very interesting topic about the non-obvious threats that may or may not exist.   My notes are below:

Why?

  • Because I use the Internet
  • Because I'm a target
  • Because most people don't know
  • Because it's a fun conversation to have over drinks with security guys
  • Maybe/hopefully you'll continue this conversation instead of just arguing!

Ground Rules

  • Must be non-obvious and must be directly related to the Internet.  Not:
    • ...the President or any other government official
    • ...or someone involved with SCADA Systems/Brick and mortar
  • Must be in control of some infrastructure or software, etc
  • Must have the largest or widest negative impact possible for the least amount of work and least likelihood of being stopped
  • No magic - must be real and dangerous
  • They can't be "bad" people
  • You can't take this list too seriously

How I Got Started

  • Started thinking about core technologies that everything relies on
  • Made a big list
  • Shopped it around to dozens of security experts
  • Assigned an arbitrary, unscientific, hand-wavy, risk-rating system of my own design
  • Ranked them in order of how scared I am of them personally

#10

  • John Doe at C|Net
  • Job: Network Engineer
  • Why: Controls com.com
  • Impact: Largest collection point of typo traffic both for web and email.
    • Doesn't require anything overt or even indefensible

#9

  • Giorgio Maone of NoScript
  • Job: Consultant
  • Why: Controls NoScript
  • Impact: Nearly every security researcher on the planet - complete compromise.  In general the most paranoid people on earth would be compromised.
    • Builds arbitrary whitelists (ebay.com)
    • Has changed functionality to subvert Adblock Plus

9 Apr 2009

Thoughts on the TRISC 2009 Conference

This was my third consecutive year attending the TRISC Conference and it gets better and better every year.  This year, the location was outstanding, the presenters were top-notch, and the Keynotes were pretty good.  This was my first time actually presenting at the TRISC Conference and I thought they did an excellent job from the presenter point-of-view as well.  They kept the presentations on time, they had my notes all printed up and ready for attendees, and A/V equipment worked well.  No complaints from me there.

My favorite Keynote speaker was far and away Johnny Long.  His talk was on "No Tech Hacking" and he is as entertaining as he is talented.  If you ever get a chance to see him speak, definitely do so.  Also, be sure to check out his website at IHackCharities.org.

My least favorite Keynote speaker was Ken Watson.  He spoke all monotone and the presentation on these centers around the country that the government is using to team up with industry to prevent attacks on critical infrastructure was pretty lame.  I guess I just expected more and from talking with others it seems like I'm not alone.

My favorite presentation was Robert Hansen and Rob MacDougal's talk on "Assessing Your Web App Manually Without Hacking It".  It was a simple concept that everyone from managers to developers to IT guys can follow to get an idea as to how many vulnerabilities their application might contain.  RSnake!

My least favorite presentation was "The Importance of Log Management in Today's Insecure World" by Ricky Allen and Randy Holloway from ArcSight.  Too vendory, not technical enough, and kinda a lame presentation in general.  Maybe I'm just bitter because I heard that the other presentations that took place while I was in this session were really good.

This was the first year that TRISC had a Casino Night and it was awesome.  I played Texas Hold 'Em most of the night and took Nathan Sportsman's money and a bunch of Rob MacDougal's as well.  They had Roulette, Blackjack, and Craps tables there as well and the goal was to start with $10,000 in chips and for every $5,000 you had at the end of the night you got a raffle ticket.  I ended up with over $40,000 and 9 raffle tickets and won three different items.  Score.

Overall, TRISC 2009 was not the best conference that I've ever attended, but was certainly the best TRISC to date.  I was very impressed and am looking forward to next year.  FYI, all presentations from the conference are online and available for viewing here.

24 Sep 2008

New 0Day Browser Exploit: Clickjacking – OWASP AppSec NYC 2008

This talk was rumored to have been cancelled at a vulnerable vendor's (Adobe) request, but Jeremiah Grossman and Robert Hansen decided to do parts of the talk anyway.  Here are my notes from the semi-restricted presentation.

Jeremiah started off with a brief introduction on what clickjacking is.  In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits.  The problem affects all of the different browsers except something like lynx.  The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.  It's a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.  With this exploit, once you're on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.  "A normal user wouldn't have any idea of what is going on.  People in this audience may see something a little different from what they would expect and you would definitely see the results in the page's source code."  eBay, for example, would be vulnerable to this since you could embed JavaScript into the web page, although JavaScript is not required to exploit this.  "It makes it easier in many ways, but you do not need it."  Use lynx to protect yourself and don't do dynamic anything.  You can "sort of" fill out forms and things like that.  The exploit requires DHTML.  Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page.  Each click by the user equals a clickjacking click so something like a Flash game is perfect bait.  The issue and fix will probably be originally released on http://ihackcharities.org.

My Analysis: It sounds like the exploit basically creates a frame that is hidden underneath the main content frame that a user is seeing.  The main content could be a Flash game or any sort of incentive to keep a user clicking.  All of the clicks that the user is making are used to click on content in the hidden frame.  Again, just my speculation based on the information provided by RSnake and Jeremiah above.
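
A defender-side check for the "not letting yourself be framed" defence mentioned in the notes above, as an added example that is not from the original post or the talk: it reports whether a response forbids being framed. It goes beyond the post by also checking the X-Frame-Options header and the CSP frame-ancestors directive, which browsers adopted after this talk; the function names and the finding labels are assumptions made for illustration.

```javascript
// Added example: audit one HTTP response for anti-framing defences.
// Inputs are plain objects/strings supplied by the caller, not live traffic.

// Heuristic for script framebusting such as `if (top != self) ...`.
const FRAMEBUSTER =
  /\b(top|parent|self)(\.location)?\s*[!=]==?\s*(window\.)?(top|parent|self)\b/;

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

function auditFraming(headers, body) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const findings = [];
  const fa = frameAncestors(h["content-security-policy"]);
  if (fa !== null) {
    const none = fa.length === 0 || (fa.length === 1 && fa[0] === "'none'");
    if (none) findings.push("csp:none");
    else if (fa.includes("*")) findings.push("csp:wildcard"); // any site may frame
    else findings.push("csp:allowlist");
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") findings.push("xfo:" + xfo.toLowerCase());
  else if (xfo) findings.push("xfo:invalid"); // e.g. obsolete ALLOW-FROM

  if (FRAMEBUSTER.test(body || "")) findings.push("js:framebuster");

  // Header defences are enforced by the browser; a framebuster only helps
  // when its script actually runs inside the framed page.
  const enforced = findings.some((f) =>
    ["csp:none", "csp:allowlist", "xfo:deny", "xfo:sameorigin"].includes(f));
  const verdict = enforced ? "protected"
    : findings.includes("js:framebuster") ? "script-only" : "frameable";
  return { verdict, findings };
}
```

A "script-only" verdict marks pages that rely on framebusting code alone, which is the case worth reviewing first when adding header-based protection.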