CanSecWest13 CFP Open Until December 14 2012, Conf March 7-9 2013, Vancouver

2012-12-07 Thread Dragos Ruiu
  The CFP is open and a new conference rushes forward. The
   shorter version: Package up your PII/contact info that we
   need so we can book flights and figure out visas, put
   together a summary of who you are and what you want to
   talk about that is cool new security research, and email
   them to our jaded, grumpy reviewers (some of whom still
   use mutt so make sure you include a little ascii at least :-)
   at secwest13 [at] cansecwest.com before Friday, 
   December 14th, 2012. Full details can be found on the
   Speakers tab on http://cansecwest.com.

   Oh, and make sure to leave room in your schedule for the
   weekend after, when a lot of folks go up to Whistler. We
   are now trying to put together a plan for Tronapalooza 3
   (Insert Witty Sub-Title Here) - sponsors, it's a good time
   to chat.

   If you aren't submitting a talk, now is a great time to
   make lower-cost bookings. Happy Holidays.

   cheers,
   --dr
-- 
World Emerging Security Technology
Vancouver, March 7-9 2013 (Dojo Mar. 2-5) 
http://cansecwest.com


EUSecWest 2012 - Amsterdam, Sept 19/20 featuring Mobile PWN2OWN - CFP Deadline June 15

2012-06-05 Thread Dragos Ruiu
EUSecWest 2012, Amsterdam, September 19/20, Featuring Mobile PWN2OWN
CALL FOR PAPERS - Deadline June 15 2012

   AMSTERDAM, Nederland -- The seventh annual EUSecWest
   applied technical security conference - where the eminent
   figures in the international security industry get
   together to share best practices and technology - will be
   held in downtown Amsterdam near Leidseplein Square on
   September 19/20, 2012. The most significant new
   discoveries about computer network hack attacks and
   defenses, commercial security solutions, and pragmatic
   real world security experience will be presented in a
   series of informative tutorials.

   This year the EUSecWest conference will also host
   dedicated security coverage of mobile devices, and host
   the first mobile device only focused PWN2OWN competition,
   where researchers get to demonstrate live vulnerability
   attack code against designated targets and, if
   successful, get to keep the target hardware and cash
   prizes.

   The EUSecWest meeting provides international researchers
   a relaxed, comfortable environment to learn from
   informative tutorials on key developments in security
   technology, and collaborate and socialize with their
   peers in one of the world's most scenic cities - a short
   walk away from several large hotels and the Leidseplein
   entertainment and shopping district, conveniently close
   to many famous museums, convenient transport, Vondel
   Park, and a plentitude of restaurants and bars.

   The EUSecWest conference will also feature the
   availability of the Security Masters Dojo expert network
   security sensei instructors, and their advanced, and
   intermediate, hands-on training courses - featuring small
   class sizes and practical application exercises to
   maximize information transfer.

   We would like to announce the opportunity to submit
   papers, courses, and/or lightning talk proposals for
   selection by the EUSecWest technical review committee.
   This year we will be doing one hour talks, and some
   shorter talk sessions.

   Please make your proposal submissions before June 15th,
   2012.

   Some invited papers have been confirmed, but a limited
   number of speaking slots are still available. The
   conference is responsible for travel and accommodations
   for the speakers. If you have a proposal for a tutorial
   session then please make your submission by mailing a
   plain text version of the information along with any
   other supporting material or formats - a synopsis of the
   material and your biography, papers and speaking
   background - to "secwest12 [at] eusecwest.com". Only slides
   will be needed for the September paper deadline; full
   text does not have to be submitted, but will be accepted
   if available. This year we will be opening up the
   presentation guidelines to include talks not in English
   (particularly Dutch, Chinese, French, Russian, and
   Spanish), which we will offer to translate for the speaker
   if they are not a native English speaker.

   The EUSecWest 2012 conference consists of tutorials on
   technical details about current issues, innovative
   techniques and best practices in the information security
   realm. The audiences are a multi-national mix of
   professionals involved on a daily basis with security
   work: security product vendors, programmers, security
   officers, and network administrators. We give preference
   to technical details and new education for a technical
   audience.

   The conference itself is a single track series of
   presentations in a lecture theater environment. The
   presentations offer speakers the opportunity to showcase
   on-going research and collaborate with peers while
   educating and highlighting advancements in security
   products and techniques. The focus is on innovation,
   tutorials, and education instead of product pitches. Some
   commercial content is tolerated, but it needs to be
   backed up by a technical presenter - either giving a
   valuable tutorial and best practices instruction or
   detailing significant new technology in the products.

   Paper proposals should consist of the following
   information:
1. Presenter, and geographical location (country of
   origin/passport) and contact info (e-mail, postal
   address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
   experience/background.
5. Topic synopsis, Proposed paper title, and a one
   paragraph description.
6. Reason why this material is innovative or significant
   or an important tutorial.
7. Optionally, any samples of prepared material or
   outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
   10. Please list any other publications or conferences
   where this material has been or will be

CanSecWest 2012 Mar 7-9; 2nd call for papers, closes next week, Monday, Dec 5 2011

2011-11-30 Thread Dragos Ruiu
So after a dozen years or so organizing conferences, you 
get the urge to pull levers and try experimenting with 
things. So this year I sent out the CanSecWest CFP 
only over Twitter, and G+ publicly. Just curious as to the 
adoption and information dispersion rate, and some 
estimate of the attention these newer channels are getting.

So after this experiment I hear about people having 
submissions and missing the CFP. So for my control set, 
here is the normal announce message to different e-mail 
lists. We'll do a Second CanSecWest CFP, but a brief one. 
Send us your proposal by the end of Monday next week, 
December 5, 2011.

The questions and information needed is the same as 
usual (see website), also for my curiosity could you 
include:

12. Where did you hear about the CFP from?

cheers,
--dr

-- 
World Emerging Security Technology
Vancouver, March 7-9  http://cansecwest.com
pgpkey http://cansecwest.com/ kyxpgp


PacSec CFP note, deadline Aug 3; conf Nov 9/10 Tokyo

2011-07-29 Thread Dragos Ruiu
PacSec CALL FOR PAPERS
 
TOKYO, Japan -- To address the increasing importance of information security 
in Japan, the best known figures in the international security industry will 
get together with leading Japanese researchers to share best practices and 
technology. The most significant new discoveries about computer network 
attacks will be presented and discussed at the ninth annual PacSec 
conference. 
 
The PacSec meeting provides an opportunity for foreign specialists to be 
exposed to Japanese innovation and markets and collaborate on practical 
solutions to computer security issues. In an informal setting with a mixture 
of material bilingually translated in both English and Japanese the eminent 
technologists can socialize and attend training sessions. 
 
Announcing the opportunity to submit papers for the PacSec 2011 network 
security training conference. The conference will be held November 9/10th in 
Tokyo. The conference focuses on emerging information security tutorials - it 
is a bridge between the international and Japanese information security 
technology communities. 
 
Please make your paper proposal submissions before August 3rd, 2011. Slides 
for the papers must be submitted for translation by October 1, 2011 (Which, 
oh so rarely, happens so we are going to start asking for them 
earlier :-P --dr). 

Some invited papers have been confirmed, but a limited number of speaking 
slots are still available. The conference is responsible for travel and 
accommodations for the speakers. If you have a proposal for a tutorial session 
then please email a synopsis of the material and your biography, papers and 
speaking background to "secwest11 [at] pacsec.jp". Tutorials are one hour in 
length, but with simultaneous translation should be approximately 45 minutes 
in English or Japanese. Only slides will be needed for the October paper 
deadline; full text does not have to be submitted. 
 
The PacSec conference consists of tutorials on technical details about current 
issues, innovative techniques and best practices in the information security 
realm. The audiences are a multi-national mix of professionals involved on a 
daily basis with security work: security product vendors, programmers, 
security officers, and network administrators. We give preference to 
technical details and education for a technical audience. 
 
The conference itself is a single track series of presentations in a lecture 
theater environment. The presentations offer speakers the opportunity to 
showcase on-going research and collaborate with peers while educating and 
highlighting advancements in security products and techniques. The focus is 
on innovation, tutorials, and education instead of product pitches. Some 
commercial content is tolerated, but it needs to be backed up by a technical 
presenter - either giving a valuable tutorial and best practices instruction 
or detailing significant new technology in the products. 
 
Paper proposals should consist of the following information: 
 
1) Presenter, and geographical location (country of origin/passport) and 
contact info (e-mail, postal address, phone, fax). 
 
2) Employer and/or affiliations. 
 
3) Brief biography, list of publications and papers. 
 
4) Any significant presentation and educational experience/background. 
 
5) Topic synopsis, Proposed paper title, and a one paragraph description. 
 
6) Reason why this material is innovative or significant or an important 
tutorial. 
 
7) Optionally, any samples of prepared material or outlines ready. 
 
8) Will you have full text available or only slides? 
 
9) Language of preference for submission. 
 
10) Please list any other publications or conferences where this material has 
been or will be published/submitted. 
 
 
Please include the plain text version of this information in your email as 
well as any file attachments, html, or other data variant. Yes, some of our 
reviewers are so curmudgeonly they still read email in text readers.
 
Please forward the above information to "secwest11 [at] pacsec.jp" to be 
considered for placement on the speaker roster.

thanks,
--dr
-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, November 9/10 2011  http://pacsec.jp
pgpkey http://cansecwest.com/ kyxpgp


Final Penultimate last Call for Papers for CanSecWest 2011 (deadline Jan. 17th, conf March 9-11)

2011-01-13 Thread Dragos Ruiu
"First they ignore you, then they ridicule you, 
then they fight you, then you win." -- Mahatma Gandhi.

Well if Fox's new comedy show "Breaking In" is any
indication, infosec has now entered Gandhi's second 
stage. http://goo.gl/ZpLDp [youtube] (hat tip to Adam 
O'Donnell for this humorous find, and Sam Bowne for 
the quote/quip)

But on a slightly more serious note.

CanSecWest is nearing in the second week of March, and 
this year I've waited on sending out the CFP note/reminder. 
It's been up on the site for a while with a Dec 29 deadline, 
but this is the real last call for submissions. If you don't get 
them in by this weekend they won't make the selections 
review process next week. We'll try to announce the 
selections the week following. After 11 years, most 
of you should know the drill, but for those who haven't 
submitted or attended before, the fine print and usual 
further information is attached below.

Other info:

We are doing more dojo training courses than ever this 
year (17!) and they will be up for registration next week. 
I've also confirmed with Aaron/TippingPoint/HP that we 
will again be holding PWN2OWN with both browser and 
mobile targets, so stand by for some announcements 
there. There will also be some other new experiments 
and conference goings on, some fascinating keynotes 
that have been invited, as well as some interesting new 
sponsors exhibiting new security wares that you'll see 
announced on the conference site in the coming weeks, 
but for now, get your talk proposals in so that our grumpy, 
cynical, and battle-scarred reviewers can complain about 
them, err, I mean provide informative feedback.;-)

cheers,
--dr (@dragosr)

The usual CFP boilerplate info:

Call For Papers

   The CanSecWest 2011 CFP is now open.

   Deadline is January 17th, 2011.

CanSecWest CALL FOR PAPERS

   VANCOUVER, Canada -- The twelfth annual CanSecWest applied technical
   security conference - where the eminent figures in the international
   security industry will get together to share best practices and
   technology - will be held in downtown Vancouver at the Sheraton
   Wall Centre on March 9-11, 2011. The most significant new discoveries
   about computer network hack attacks and defenses, commercial security
   solutions, and pragmatic real world security experience will be
   presented in a series of informative tutorials.

   The CanSecWest meeting provides international researchers a relaxed,
   comfortable environment to learn from informative tutorials on key
   developments in security technology, and to collaborate and socialize
   with their peers in one of the world's most scenic cities - a short
   drive away from one of North America's top skiing areas.

   The CanSecWest conference will also feature the availability of the
   Security Masters Dojo expert network security sensei instructors, and
   their advanced, and intermediate, hands-on training courses -
   featuring small class sizes and practical application exercises to
   maximize information transfer.

   We would like to announce the opportunity to submit papers, and/or
   lightning talk proposals for selection by the CanSecWest technical
   review committee. This year we will be doing one hour talks, and some
   shorter talk sessions.

   Please make your paper proposal submissions before January 17th,
   2011.

   Some invited papers have been confirmed, but a limited number of
   speaking slots are still available. The conference is responsible for
   travel and accommodations for the speakers. If you have a proposal for
   a tutorial session then please make your submission by emailing a 
   synopsis of the material and your biography, papers and speaking
   background to secwes...@cansecwest.com . Only slides will be needed 
   for the March paper deadline; full text does not have to be submitted, but
   will be accepted if available. This year we will be opening CanSecWest 
   presentation guidelines to include talks not in English (particularly
   Chinese and Korean), which we will offer to translate for the speaker 
   if you are not a native English speaker. 
 
   The CanSecWest 2011 conference consists of tutorials on technical
   details about current issues, innovative techniques and best practices
   in the information security realm. The audiences are a multi-national
   mix of professionals involved on a daily basis with security work:
   security product vendors, programmers, security officers, and network
   administrators. We give preference to technical details and new
   education for a technical audience.

   The conference itself is a single track series of presentations in a
   lecture theater environment. The presentations offer speakers the
   opportunity to showcase on-going research and collaborate with peers
   while educating and highlighting advancements in security products and
   techniques. The focus is on innovation, tutorials, and education
   instead of product pitches. 

EUSecWest 2010 MiniCFP (conf Jun 16/17) and PacSec 2010 CFP (conf Nov 10/11, deadline July 30)

2010-05-27 Thread Dragos Ruiu
EUSecWest 2010 MiniCFP (PacSec CFP Follows)

One of our presenters was unable to get corporate approval for his 
travel and cancelled out. As such we are opening up one or two 
available slots for last minute submissions. We are also offering
a referral bounty of a free conference registration for high quality
replacement papers on short notice. (The Conference is on June 16/17
at the Melkweg in Amsterdam.) Please forward submissions to
secwest10 [at] eusecwest.com, and please include the name of
the referrer for the bounty award.

The current confirmed speakers for EUSecWest are:

Special party (16th) musical guests: Plump DJs (others TBA)

   Legic Prime: Obscurity in Depth
   Karsten Nohl & Hendryk Plötz, Security Research Labs

   Having fun with Apple's IOKit
   Ilja Van Sprundel, IOActive

   Escaping the Sandbox
   Stephen Ridley, Matasano

   Milking a horse or executing remote code in modern Java web frameworks
   Meder Kydryraliev, Google

   Hacking Printers for fun and profit
   Andrei Constin

   DarunGrim - A Tool for Binary Diffing and Automatic Vulnerabilities
   Pattern Matching
   Jeongwook (Matt) Oh

   Immature Femtocells
   Ravishankar Borgaonkar & Kevin Redon, Technical University of Berlin

   Defending the Poor - Flash Defense
   Journ Bratzkei, Recurity Labs

   BlackBerry Proof-of-Concept malicious applications
   Mayank Aggarwal, SMobile Systems

   Fighting PDF Malware with ExeFilter
   Philipe Lagadec, NATO/NC3A

   Rainbow Tables Reimplemented
   Sebastian "naxxatoe" Graf

   Hacking Oracle from Web Apps
   Sumit Siddharth, 7Safe

-
PacSec 2010 Conference

   The 8th annual PacSec conference will be held Nov 10/11 2010, at
   Aoyama Diamond Hall in Tokyo, Japan.

PacSec CALL FOR PAPERS

   TOKYO, Japan -- To address the increasing importance of information
   security in Japan, the best known figures in the international
   security industry will get together with leading Japanese researchers
   to share best practices and technology. The most significant new
   discoveries about computer network hack attacks will be presented and
   discussed at the eighth annual PacSec conference.

   The PacSec meeting provides an opportunity for foreign specialists to
   be exposed to Japanese innovation and markets and collaborate on
   practical solutions to computer security issues. In an informal
   setting with a mixture of material bilingually translated in both
   English and Japanese the eminent technologists can socialize and
   attend training sessions.

   Announcing the opportunity to submit papers for the PacSec 2010
   network security training conference. The conference will be held
   November 10/11th in Tokyo. The conference focuses on emerging
   information security tutorials - it is a bridge between the
   international and Japanese information security technology
   communities.

   Please make your paper proposal submissions before July 30th, 2010.
   Slides for the papers must be submitted for translation by October 1,
   2010 (Which, oh so rarely, happens so we are going to start asking for
   them earlier :-P --dr).

   Some invited papers have been confirmed, but a limited number of
   speaking slots are still available. The conference is responsible for
   travel and accommodations for the speakers. If you have a proposal for
   a tutorial session then please email a synopsis of the material and
   your biography, papers and speaking background to secwest10 [at]
   pacsec.jp . Tutorials are one hour in length, but with simultaneous
   translation should be approximately 45 minutes in English or
   Japanese. Only slides will be needed for the October paper deadline;
   full text does not have to be submitted.

   The PacSec conference consists of tutorials on technical details about
   current issues, innovative techniques and best practices in the
   information security realm. The audiences are a multi-national mix of
   professionals involved on a daily basis with security work: security
   product vendors, programmers, security officers, and network
   administrators. We give preference to technical details and education
   for a technical audience.

   The conference itself is a single track series of presentations in a
   lecture theater environment. The presentations offer speakers the
   opportunity to showcase on-going research and collaborate with peers
   while educating and highlighting advancements in security products and
   techniques. The focus is on innovation, tutorials, and education
   instead of product pitches. Some commercial content is tolerated, but
   it needs to be backed up by a technical presenter - either giving a
   valuable tutorial and best practices instruction or detailing
   significant new technology in the products.

   Paper proposals should consist of the following information:

   1) Presenter, and geographical location (country of origin/passport)
   and 

EUSecWest Amsterdam 2010 Call For Papers (short deadline May 5 - conf June 16/17)

2010-04-30 Thread Dragos Ruiu
EUSecWest CALL FOR PAPERS

   AMSTERDAM, Nederland -- The sixth annual EUSecWest applied technical
   security conference - where the eminent figures in the international
   security industry will get together to share best practices and
   technology - will be held in downtown Amsterdam at the Melkweg
   Multimedia Center near Leidseplein on June 16/17, 2010. The most
   significant new discoveries about computer network hack attacks and
   defenses, commercial security solutions, and pragmatic real world
   security experience will be presented in a series of informative
   tutorials.

   The EUSecWest meeting provides international researchers a relaxed,
   comfortable environment to learn from informative tutorials on key
   developments in security technology, and collaborate and socialize with
   their peers in one of the world's most scenic cities - a short walk
   away from several large hotels and the Leidseplein entertainment and
   shopping district, conveniently close to many famous museums,
   convenient transport, Vondel Park, and a plentitude of restaurants and
   bars.

   This year the first evening party will feature a special musical guest
   star. We will announce the performer(s) shortly.

   The EUSecWest conference will also feature the availability of the
   Security Masters Dojo expert network security sensei instructors, and
   their advanced, and intermediate, hands-on training courses - featuring
   small class sizes and practical application exercises to maximize
   information transfer.

   We would like to announce the opportunity to submit papers, and/or
   lightning talk proposals for selection by the CanSecWest technical
   review committee. This year we will be doing one hour talks, and some
   shorter talk sessions.

   Please make your paper proposal submissions before May 5th, 2010.

   Some invited papers have been confirmed, but a limited number of
   speaking slots are still available. The conference is responsible for
   travel and accommodations for the speakers. If you have a proposal for a
   tutorial session then please make your submission by mailing a plain
   text version of the information along with any other supporting
   material or formats - a synopsis of the material and your biography,
   papers and speaking background - to "secwest10 [at] eusecwest.com". Only
   slides will be needed for the June paper deadline; full text does not
   have to be submitted, but will be accepted if available. This year we
   will be opening up the presentation guidelines to include talks not in
   English (particularly Chinese), which we will offer to translate for the
   speaker if they are not a native English speaker.

   The EUSecWest 2010 conference consists of tutorials on technical
   details about current issues, innovative techniques and best practices
   in the information security realm. The audiences are a multi-national
   mix of professionals involved on a daily basis with security work:
   security product vendors, programmers, security officers, and network
   administrators. We give preference to technical details and new
   education for a technical audience.

   The conference itself is a single track series of presentations in a
   lecture theater environment. The presentations offer speakers the
   opportunity to showcase on-going research and collaborate with peers
   while educating and highlighting advancements in security products and
   techniques. The focus is on innovation, tutorials, and education
   instead of product pitches. Some commercial content is tolerated, but
   it needs to be backed up by a technical presenter - either giving a
   valuable tutorial and best practices instruction or detailing
   significant new technology in the products.

   Paper proposals should consist of the following information:
1. Presenter, and geographical location (country of origin/passport)
   and contact info (e-mail, postal address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational experience/background.
5. Topic synopsis, Proposed paper title, and a one paragraph
   description.
6. Reason why this material is innovative or significant or an
   important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
   10. Please list any other publications or conferences where this
   material has been or will be published/submitted.

   IMPORTANT:Please include the plain text version of this information in
   your email as well as any file, pdf, sxw, ppt, or html attachments.

   Please forward the above information to "secwest10 [at] eusecwest.com"
   to be considered for placement on the speaker roster, or have your
   lightning talk scheduled. If you contact anyone else at our
   organization p

CanSecWest 2010 CALL FOR PAPERS (deadline Nov 30, conf. Mar22-26) and PacSec (Nov 4/5) Selections

2009-10-17 Thread Dragos Ruiu
We extend our apologies if you are inconvenienced by multiple copies of this 
message.

We would like to announce the PacSec 2009 Paper Selections, and
the opening of the 2010 CanSecWest Call For Papers. Given
the proximity of the Winter Olympics in Vancouver one month
before the conference, we would advise all planning to attend
to make travel preparations well in advance for next year... 

PacSec 2009 Presentations

Keynote Presentation November 4: Mitsugu Okatani, National Information Security 
Center / Ministry of Defense / Japan Air Self-Defense Force
Keynote Presentation November 5: Hideaki Kobayashi, Information Technology 
Promotion Agency
Virtualisation security and the Intel privilege model - Tavis Ormandy & Julien 
Tinnes, Google
Silicon Chips: No More Secrets - Karsten Nohl
Filter Resistant Code Injection on ARM - Yves Younan, University of Leuven
iPhone SMS Fuzzing and Exploitation - Charlie Miller, Independent Security 
Evaluators
The Microsoft View of the 2008 Threat Landscape - Tony Lee, Microsoft
Cloud Defense in the Post-BotWar Era - Ikuo Takahashi
The Android Security Story: Challenges and Solutions for Secure Open Systems - 
Rich Cannings & Alex Stamos, Google, iSec Partners
Stealthy Rootkit : How malware fools live memory forensics - Tsukasa Ooi, 
Livegrid
Defending a Social Network - Alex Rice, Facebook
Museum of API Obfuscation on Win32 - Masaki Suenaga, Symantec
!exploitable and Effective Fuzzing Strategies as a Regular Part of Test - Jason 
Shirk, Microsoft
Analyzing Word and Excel Document Encryption - Eric Filiol, ESIEA - Operational 
cryptology and Virology Lab
English Dojo: Auditing Java Security, Marc Schoenefeld
Japanese Dojo: Assembler Programming and Reverse Engineering Malware, Yuji 
Ukai, fourteenforty

Pacsec will be held on November 4 and 5th, in Aoyama, Tokyo.

CanSecWest 2010 CALL FOR PAPERS

   VANCOUVER, Canada -- The eleventh annual CanSecWest applied
   technical security conference - where the eminent figures in
   the international security industry will get together to share
   best practices and technology - will be held in downtown
   Vancouver at the Sheraton Wall Centre on March 22-26,
   2010. The most significant new discoveries about computer
   network hack attacks and defenses, commercial security
   solutions, and pragmatic real world security experience will
   be presented in a series of informative tutorials.
  
   The CanSecWest meeting provides international researchers a
   relaxed, comfortable environment to learn from informative 
   tutorials on key developments in security technology, and  
   collaborate and socialize with their peers in one of the   
   world's most scenic cities - a short drive away from one of
   North America's top skiing areas.  
  
   The CanSecWest conference will also feature the availability   
   of the Security Masters Dojo expert network security sensei
   instructors, and their advanced, and intermediate, hands-on
   training courses - featuring small class sizes and practical   
   application exercises to maximize information transfer.
  
   We would like to announce the opportunity to submit papers,
   and/or lightning talk proposals for selection by the   
   CanSecWest technical review committee. This year we will be
   doing one hour talks, and some shorter talk sessions.  
  
   Please make your paper proposal submissions before November
   30th, 2009.
  
   Some invited papers have been confirmed, but a limited number
   of speaking slots are still available. The conference is
   responsible for travel and accommodations for the speakers. If
   you have a proposal for a tutorial session then please make
   your submission using our new online form, available at
   https://cansecwest.com/submissions/. If the on-line form is
   not available you can alternatively email a synopsis of the
   material and your biography, papers and speaking background
   to secwest09 [at] cansecwest.com . Only slides will be needed
   for the March paper deadline; full text does not have to be
   submitted, but will be accepted if available. This year we
   will be opening up the presentation guidelines to include
   talks not in English which we will offer to translate for
   the speaker if the

Re: Five days left to find the oldest data loss incident

2009-05-11 Thread Dragos Ruiu


On 11-May-09, at 7:29 AM, Juha-Matti Laurio wrote:

The oldest documented vulnerability in computer security world is  
password file disclosure vulnerability from 1965, found by Mr. Ryan  
Russell.


Open Security Foundation launched a competition in April to find the  
oldest documented data loss incident.


They have announced that the last day to make a submission is next  
Friday - 15th May.


The contest page is located at
http://datalossdb.org/oldest_incidents_contest

Juha-Matti



Mechanical computers are computers. The loss and the algorithmic crack  
of the Enigma machine circa 1939 should count - the story and break
of the more difficult 4 rotor Naval Machine at Bletchley Park
recovered from the U-boat and cracked in 1941 is the most famous.


http://users.telenet.be/d.rijmenants/en/enigmauboats.htm

But I would nominate the break of the 3 Rotor Enigma circa 1939, by  
the Polish, as the first documented computer security vulnerability.


http://www.avoca.ndirect.co.uk/enigma/index.html

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 27/28 2009  http://eusecwest.com
Tokyo, Japan November 4/5 2009  http://pacsec.jp
Vancouver, Canada March 22-26  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp



EUSecWest 2009 (May27/28) London Agenda and PacSec 2009 (Nov 4/5) Tokyo CFP deadline: June 1 2009

2009-05-06 Thread Dragos Ruiu
EUSecWest 2009 Speakers

Efficient UAK Recovery attacks against DECT 
- Ralf-Philipp Weinmann,  University of Luxembourg
A year in the life of an Adobe Flash security researcher 
- Peleus  Uhley, Adobe
Pwning your grandmother's iPhone 
- Charlie Miller, Independent Security Evaluators
Post exploitation techniques on OSX and iPhone and other TBA matters.
- Vincenzo Iozzo, Zynamics
STOP!! Objective-C Run-TIME.
- nemo
Exploiting Delphi/Pascal 
- Ilja Van Sprundel, IOActive
PCI bus based operating system attack and protections 
- Christophe  Devine & Guillaume Vissian, Thales
Thoughts about Trusted Computing 
- Joanna Rutkowska, Invisible Things Lab
Nice NIC you got there... does it come with an SSH daemon? 
- Arrigo Triulzi
Evolving Microsoft Exploit Mitigations 
- Tim Burrell & Peter Beck,  Microsoft
Malware Case Study: the ZeuS evolution 
- Vicente Diaz, S21Sec
Writing better XSS payloads 
- Alex Kouzemtchenko, SIFT
Exploiting Firefox Extensions 
- Roberto Suggi Liverani & Nick Freeman, Security-Assessment.com
Stored Value Gift Cards, Magstripes Revisited 
- Adrian Pastor,  Gnucitizen, Corsaire
Advanced SQL Injection to operating system control 
- Bernardo Damele Assumpcao Guimaraes, Portcullis
Cloning Mifare Classic 
- Nicolas Courtois, University of London
Rootkits on Windows Mobile/Embedded 
- Petr Matousek, Coseinc


PacSec 2009  CALL FOR PAPERS

World Security Pros To Converge on Japan

TOKYO, Japan -- To address the increasing importance of information  
security in Japan, the best known figures in the international  
security industry will get together with leading Japanese researchers  
to share best practices and technology. The most significant new
discoveries about computer network hack attacks will be presented and
discussed at the seventh annual PacSec conference.

The PacSec meeting provides an opportunity for foreign specialists to  
be exposed to Japanese innovation and markets and collaborate on  
practical solutions to computer security issues. In an informal  
setting with a mixture of material bilingually translated in both  
English and Japanese the eminent technologists can socialize and  
attend training sessions.

Announcing the opportunity to submit papers for the PacSec 2009  
network security training conference. The conference will be held  
November 4/5th in Tokyo. The conference focuses on emerging  
information security tutorials - it is a bridge between the  
international and Japanese information security technology communities.

Please make your paper proposal submissions before June 1st, 2009.  
Slides for the papers must be submitted for translation by October 1,  
2009 (Which, oh so rarely, happens we are going to start asking for  
them earlier :-P --dr).

Some invited papers have been confirmed, but a limited number of
speaking slots are still available. The conference is responsible for  
travel and accommodations for the speakers. If you have a proposal for
a tutorial session then please email a synopsis of the material and
your biography, papers, and speaking background to  . Tutorials are
one hour in length, but with simultaneous translation should be  
approximately 45 minutes in English, or Japanese. Only slides will be  
needed for the October paper deadline, full text does not have to be  
submitted.

The PacSec conference consists of tutorials on technical details about  
current issues, innovative techniques and best practices in the  
information security realm. The audiences are a multi-national mix of  
professionals involved on a daily basis with security work: security  
product vendors, programmers, security officers, and network  
administrators. We give preference to technical details and education  
for a technical audience.

The conference itself is a single track series of presentations in a  
lecture theater environment. The presentations offer speakers the  
opportunity to showcase on-going research and collaborate with peers  
while educating and highlighting advancements in security products and  
techniques. The focus is on innovation, tutorials, and education  
instead of product pitches. Some commercial content is tolerated, but  
it needs to be backed up by a technical presenter - either giving a  
valuable tutorial and best practices instruction or detailing  
significant new technology in the products.

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport)  
and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, Proposed paper title, and a one paragraph  
description.
6) Reason why this material is innovative or significant or an  
important tu

EUSecWest 2009 CFP (May 27/28, Deadline April 7 2009)

2009-04-02 Thread Dragos Ruiu
Call For Papers

The EUSecWest 2009 CFP is now open.

Deadline is April 7th, 2009.

EUSecWest CALL FOR PAPERS

LONDON, U.K. -- The third annual EUSecWest applied
technical security conference - where the eminent figures
in the international security industry will get together
share best practices and technology - will be held in
downtown London at the Sound Club in Leicester Square
on May 27/28, 2009. The most significant new discoveries
about computer network hack attacks and defenses,
commercial security solutions, and pragmatic real world
security experience will be presented in a series of
informative tutorials.

The EUSecWest meeting provides international researchers
a relaxed, comfortable environment to learn from
informative tutorials on key developments in security
technology, and collaborate and socialize with their peers
in one of the world's most important technology
hubs and scenic cities. The timing of the conference
allows international travelers to travel to Berlin for
FX's Ph-Neutral on the weekend, and Rennes the 
following week for SSTIC.

We would like to announce the opportunity to submit
papers, and/or lightning talk proposals for selection by
the EUSecWest technical review committee. This year we
will be doing one hour talks, and some shorter talk
sessions.

Please make your paper proposal submissions before
April 7th, 2009.

Some invited papers have been confirmed, but a limited
number of speaking slots are still available. The
conference is responsible for travel and accommodations for
the speaker (one speaker airfare and one room). If you 
have a proposal for a tutorial session then please email 
a synopsis of the material and your biography, papers
and speaking background to secwest09 [at] eusecwest.com .
Only slides will be needed for the paper deadline, full text 
does not have to be submitted - but will be accepted if 
available. 

The EUSecWest 2009 conference consists of tutorials on
technical details about current issues, innovative
techniques and best practices in the information security
realm. The audiences are a multi-national mix of
professionals involved on a daily basis with security
work: security product vendors, programmers, security
officers, and network administrators. We give preference
to technical details and new education for a technical
audience.

The conference itself is a single track series of
presentations in a lecture theater environment. The
presentations offer speakers the opportunity to showcase
on-going research and collaborate with peers while
educating and highlighting advancements in security
products and techniques. The focus is on innovation,
tutorials, and education instead of product pitches. Some
commercial content is tolerated, but it needs to be backed
up by a technical presenter - either giving a valuable
tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following
information:
 1. Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal
address, phone, fax).
 2. Employer and/or affiliations.
 3. Brief biography, list of publications and papers.
 4. Any significant presentation and educational
experience/background.
 5. Topic synopsis, Proposed paper title, and a one
paragraph description.
 6. Reason why this material is innovative or significant
or an important tutorial.
 7. Optionally, any samples of prepared material or
outlines ready.
 8. Will you have full text available or only slides?
 9. Language of preference for submission.
10. Please list any other publications or conferences
where this material has been or will be
published/submitted.

Please include the plain text version of this information
in your email as well as any file, pdf, sxw, ppt, or html
attachments.

Please forward the above information to secwest09 [at]
eusecwest.com to be considered for placement on the
speaker roster, or have your lightning talk scheduled. If
you contact anyone else at our organization please ensure
you also cc the submission address with your proposal or
it may be omitted from the review process.


cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 27/28 2009  http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp


CanSecWest 2009 CFP (March 18-20 2009, Deadline December 8 2008)

2008-11-25 Thread Dragos Ruiu
Call For Papers

    The CanSecWest 2009 CFP is now open.

    Deadline is December 8th, 2008.

CanSecWest CALL FOR PAPERS

    VANCOUVER, Canada -- The tenth annual CanSecWest applied
    technical security conference - where the eminent figures
    in the international security industry will get together
    share best practices and technology - will be held in
    downtown Vancouver at the Sheraton Wall Centre on
    March 18-20, 2009. The most significant new discoveries
    about computer network hack attacks and defenses,
    commercial security solutions, and pragmatic real world
    security experience will be presented in a series of
    informative tutorials.

    The CanSecWest meeting provides international researchers
    a relaxed, comfortable environment to learn from
    informative tutorials on key developments in security
    technology, and collaborate and socialize with their peers
    in one of the world's most scenic cities - a short drive
    away from one of North America's top skiing areas.

    The CanSecWest conference will also feature the
    availability of the Security Masters Dojo expert network
    security sensei instructors, and their advanced, and
    intermediate, hands-on training courses - featuring small
    class sizes and practical application exercises to
    maximize information transfer.

    We would like to announce the opportunity to submit
    papers, and/or lightning talk proposals for selection by
    the CanSecWest technical review committee. This year we
    will be doing one hour talks, and some shorter talk
    sessions.

    Please make your paper proposal submissions before
    December 8th, 2008.

    Some invited papers have been confirmed, but a limited
    number of speaking slots are still available. The
    conference is responsible for travel and accommodations for
    the speakers. If you have a proposal for a tutorial
    session then please email a synopsis of the material and
    your biography, papers, and speaking background to
    secwest09 [at] cansecwest.com . Only slides will be needed
    for the March paper deadline, full text does not have to
    be submitted - but will be accepted if available. This
    year we will be opening up the presentation guidelines to
    include talks not in English (particularly Chinese) which
    we will offer to translate for the speaker if they are not
    a native English speaker.

    The CanSecWest 2009 conference consists of tutorials on
    technical details about current issues, innovative
    techniques and best practices in the information security
    realm. The audiences are a multi-national mix of
    professionals involved on a daily basis with security
    work: security product vendors, programmers, security
    officers, and network administrators. We give preference
    to technical details and new education for a technical
    audience.

    The conference itself is a single track series of
    presentations in a lecture theater environment. The
    presentations offer speakers the opportunity to showcase
    on-going research and collaborate with peers while
    educating and highlighting advancements in security
    products and techniques. The focus is on innovation,
    tutorials, and education instead of product pitches. Some
    commercial content is tolerated, but it needs to be backed
    up by a technical presenter - either giving a valuable
    tutorial and best practices instruction or detailing
    significant new technology in the products.

    Paper proposals should consist of the following
    information:
     1. Presenter, and geographical location (country of
        origin/passport) and contact info (e-mail, postal
        address, phone, fax).
     2. Employer and/or affiliations.
     3. Brief biography, list of publications and papers.
     4. Any significant presentation and educational
        experience/background.
     5. Topic synopsis, Proposed paper title, and a one
        paragraph description.
     6. Reason why this material is innovative or significant
        or an important tutorial.
     7. Optionally, any samples of prepared material or
        outlines ready.
     8. Will you have full text available or only slides?
     9. Language of preference for submission.
    10. Please list any other publications or conferences
        where this material has been or will be
        published/submitted.

    Please include the plain text version of this information
    in your email as well as any file, pdf, sxw, ppt, or html
    attachments.

    Please forward the above information to secwest09 [at]
    cansecwest.com to be considered for placement on the
    speaker roster, or have your lightning talk scheduled. If
    you contact anyone else at our organization please ensure
    you also cc the submission address with your proposal or
    it may be omitted from the review process.


cheers,
--dr

--
World Security Pros. Cutting Edge Training, Too

PacSec 2008 CFP (Deadline Sept. 1, Conference Nov. 12/13) and BA-Con 2008 Speakers (Sept .30/ Oct. 1)

2008-08-26 Thread Dragos Ruiu
Spanish url: http://ba-con.com.ar/speakers.html?language=es

Speaker list and Dojos for BA-Con, September 30, October 1st.
(all presentations in both Spanish and English)

  Presentations:

  WPA/WPA2: how long is it gonna make it - Cédric Blancher & Simon Maréchal, EADS & SGDN
  Security Concerns of Firmware Updates (SPI System BIOS and Embedded Controller) - Sun Bing
  A Practical Approach to Mitigate and Remove Malware - Ching Tim Meng
  Advances in Attacking Interpreted Languages: Javascript - Justin Ferguson
  Understanding eVoting in post Everest, TTBR world - Harri Hursti
  SecViz 007 - Raffael Marty, Splunk
  Pass-the-hash Toolkit for Windows - Hernan Ochoa, Core
  Linux 2.6 kernel rootkits - Daniel Palacio, Immunity
  Reverse Engineering Dynamic Languages, a Focus on Python - Aaron Portnoy & Ali Rizvi-Santiago, TippingPoint
  All the Crap Aircrafts Receive and Send - Hendrik Scholz
  Teflon: anti-stick for the browsers attack surface - Saumil Shah, Net-Square
  Hacking PXE without reboot (using the BIOS network stack for other purposes) - Julien Vanegue, CESAR
  LeakedOut: the Social Networks You Get Caught In - Jose Orlicki, Core

Dojos (September 28/29):
  Reverse Code Engineering - Edgar Barbosa, COSEINC
  Practical 802.11 Wi-Fi (In)Security - Cédric Blancher, EADS
  Effective Fuzzing using the Peach Fuzzing Platform (2 days) - Michael Eddington, Leviathan
  Assembler for Exploits - Gerardo Richarte, Core
  The Exploit Lab - Saumil Shah, Net-Square

We would like to especially thank the gracious sponsorship of Core, 
Microsoft, and Symantec/SecurityFocus, without whom this event 
would not be possible and/or would be a lot more expensive for attendees.
We also suggest that conference attendees stay a couple of days
longer and go to ekoparty right after this event.

cheers,
--dr

--8<--kyx--8<--

English url: http://pacsec.jp/speakers.html?language=en
Japanese url: http://pacsec.jp/speakers.html?language=ja
(the following should be up soon...)
Spanish url: http://pacsec.jp/speakers.html?language=es
Chinese url: http://pacsec.jp/speakers.html?language=cn

PacSec 2008 CALL FOR PAPERS

World Security Pros To Converge on Japan

TOKYO, Japan -- To address the increasing importance of information
security in Japan, the best known figures in the international
security industry will get together with leading Japanese
researchers to share best practices and technology. The most 
significant new discoveries about computer network hack attacks 
and defenses will be presented at the sixth annual PacSec conference.

The PacSec meeting provides an opportunity for foreign specialists  
to be exposed to Japanese innovation and markets and collaborate 
on practical solutions to computer security issues. In an informal
setting with a mixture of material bilingually translated in both
English and Japanese the eminent technologists can socialize and
attend training sessions.

Announcing the opportunity to submit papers for the PacSec 2008
network security training conference. The conference will be held
November 12/13th in Tokyo at the Aoyama Diamond Hall above
Omotesando station. The conference focuses on emerging
information security tutorials - it is a bridge between the
international and Japanese information security technology
communities.

Please make your paper proposal submissions before September 1st,
2008. Slides for the papers must be submitted for translation by
October 1, 2008.

Some invited papers have been confirmed, but a limited number of
speaking slots are still available. The conference is responsible
for travel and accommodations for the speakers. If you have a
proposal for a tutorial session then please email a synopsis of 
the material and your biography, papers, and speaking background
to secwest08 [at] pacsec.jp . Tutorials are one hour in length, but 
with simultaneous translation should be approximately 45 minutes 
in English, or Japanese. Only slides will be needed for the October 
paper deadline, full text does not have to be submitted.

The PacSec conference consists of tutorials on technical details
about current issues, innovative techniques and best practices in the
information security realm. The audiences are a multi-national mix
of professionals involved on a daily basis with security work: security
product vendors, programmers, security officers, and network
administrators. We give preference to technical details and
education for a technical audience.

The conference itself is a single track series of presentations in a
lecture theater environment. The presentations offer speakers the
opportunity to showcase on-going research and collaborate with peers
while educating and highlighting advancements in security products
and techniques. The focus is on innovation, tutorials, and education
inst

Re: Fedora confirms: Our servers were breached

2008-08-22 Thread Dragos Ruiu


On 22-Aug-08, at 7:41 AM, Juha-Matti Laurio wrote:
New information about the "important infrastructure issue" affecting
the Fedora Project has been released today.
Mr. Paul W. Frields, Fedora Project Leader has posted an  
announcement about the facts, including:
"One of the compromised Fedora servers was a system used for signing  
Fedora packages."

More information available at
https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html
and
http://blogs.securiteam.com/index.php/archives/1130


It's ok, only a small number of architectures were affected:

http://rhn.redhat.com/errata/RHSA-2008-0855.html

You only have something to worry about if you have some x86 boxes. :-)

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Buenos Aires, Argentina   Sept. 30 / Oct. 1 - 2008   http://ba-con.com.ar
Tokyo, Japan  November 12/13 2008  http://pacsec.jp
Vancouver, Canada  March 16-20 2009  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp



BA-Con 2008 CFP - Buenos Aires, Sept. 30 / Oct. 1 (closes July 11 2008)

2008-06-27 Thread Dragos Ruiu
BA-Con 2008 CALL FOR PAPERS

BUENOS AIRES, Argentina -- The first annual BA-Con applied
technical security conference - where the eminent figures in the
international and South American security industry will get together
and share best practices and technology - will be held in Buenos
Aires on September 30 and October 1st. 2008. The most
significant new discoveries about computer network hack attacks
and defenses, commercial security solutions, and pragmatic real
world security experience will be presented in a series of
informative tutorials.

The BA-Con meeting provides local and international researchers
a relaxed, comfortable environment to learn from informative
tutorials on key developments in security technology, and
collaborate and socialize with their peers in one of South
America's largest metropolises. All material will be translated
into both Spanish and English.  Evening social activities will be 
planned to provide personal networking opportunities.

The BA-Con conference will also feature the availability of
the Security Masters Dojo expert network security sensei
instructors, and their advanced, and intermediate, hands-on
training courses - featuring small class sizes and practical
application exercises to maximize information transfer.

We would like to announce the opportunity to submit papers,
lightning talk proposals for selection by the international BA-Con
technical review committee.

Please make your paper proposal submissions before July 11th,
2008.

Some invited papers have been confirmed, but a limited number
of speaking slots are still available. The conference is
responsible for travel and accommodations for the speakers. If
you have a proposal for a tutorial session then please email a
synopsis of the material and your biography, papers, and
speaking background to secwest08 [at] ba-con.com.ar . Only
slides will be needed for the September paper deadline, full text
does not have to be submitted - but will be accepted and
translated on a best effort basis if available.

The BA-Con 2008 conference consists of tutorials on
technical details about current issues, innovative techniques
and best practices in the information security realm. The
audiences are a multi-national mix of professionals involved on
a daily basis with security work: security product vendors,
programmers, security officers, and network administrators. We
give preference to technical details and new education for a
technical audience.

The conference itself is a single track series of presentations
in a lecture theater environment. The presentations offer
speakers the opportunity to showcase on-going research and
collaborate with peers while educating and highlighting
advancements in security products and techniques. The focus is
on innovation, tutorials, and education instead of product
pitches. Some commercial content is tolerated, but it needs to
be backed up by a technical presenter - either giving a
valuable tutorial and best practices instruction or detailing
significant new technology in the products.
Paper proposals should consist of the following information:
 1. Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal address,
phone, fax).
 2. Employer and/or affiliations.
 3. Brief biography, list of publications and papers.
 4. Any significant presentation and educational
experience/background.
 5. Topic synopsis, Proposed paper title, and a one paragraph
description.
 6. Reason why this material is innovative or significant or an
important tutorial.
 7. Optionally, any samples of prepared material or outlines
ready.
 8. Will you have full text available or only slides?
 9. Please list any other publications or conferences where
this material has been or will be published/submitted.
 10. Do you have any special demo or network requirements
for your presentation?

Please include the plain text version of this information in
your email as well as any file, pdf, sxw, ppt, or html
attachments.

Please forward the above information to secwest08 [at]
ba-con.com.ar to be considered for placement on the speaker
roster, have your lightning talk scheduled.

We would like to extend a special thanks to our local partners
at Core Security Technologies, and the gracious sponsorship
of Microsoft, and Symantec for making this event possible and
letting us keep the registration fee lower in local currency
while letting us cover the costs of international speakers.

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Buenos Aires, Argentina   Sept. 30 / Oct. 1 - 2008   http://ba-con.com

Final EUSecWest 2008 Speakers

2008-05-09 Thread Dragos Ruiu
The selected papers for EUSecWest 2008 are:

*   PhlashDance, discovering permanent denial of service attacks against embedded systems - Rich Smith, HP Labs

*   Attacking Near Field Communications (NFC) Mobile Phones - Collin Mulliner, trifinite

*   Abusing X.509 certificate features - Alexander Klink, Cynops GmbH

*   Phoenix, an automated vulnerability finding - Tim Burrell, Microsoft

*   Cisco IOS Rootkits - Sebastian Muñiz, Core

*   Advances in attacking interpreted languages - Justin Ferguson, IOActive

*   One Token to Rule Them All: Post-Exploitation Fun in Windows Environments - Luke Jennings, MWR InfoSecurity

*   Building the bridge between the Web Application and the OS: GUI access through SQL Injection - Alberto Revelli, Portcullis

*   Satellite Systems - Adam Laurie, RFIDIOt.org

*   Browser Exploits - Attacks and Defense - Saumil Shah, Net Square

*   WebSphere MQ Security - Martyn Ruks, MWR InfoSecurity

Paper synopses are now up on the website.

This year there will be three Security Masters Dojo courses
on May 19/20, including a new course from Foundstone:

*   Ultimate Web Hacking - Nick Murison, Foundstone, a division of McAfee

*   Advanced Honeypot Tactics - Thorsten Holz, Aachen University

*   The Exploit Laboratory - Advanced Edition - Saumil Shah and Christopher Owen, Net-Square and Consault

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K.   May 21/22 - 2008   http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp


EUSecWest CFP Closes April 14th (conf May 21/22 2008)

2008-04-10 Thread Dragos Ruiu
(We've moved the conference this year to a club
in Leicester Square in the heart of London and SoHo.
We'll be putting speakers up across the square at the 
Radisson Edwardian Hampshire, but there are lots of 
hotels in the region there in the center of London
for those who want to attend (the venue is physically
on top of a tube station on Circle line so easy to get to). 
Registration is now open and we hope to have the 
Dojo registrations on-line by this weekend. The conference
is on Wednesday/Thursday, which leaves Friday to fly 
to Berlin for those going to ph-n. cheers, --dr)

EUSecWest CALL FOR PAPERS 

   LONDON, U.K. -- The second annual EUSecWest applied technical
   security conference - where the eminent figures in the
   international security industry will get together share best
   practices and technology - will be held in downtown London at
   the Sound club in Leicester Square on May 21/22 2008. The most
   significant new discoveries about computer network hack attacks
   and defenses, commercial security solutions, and pragmatic real
   world security experience will be presented in a series of
   informative tutorials.

   The EUSecWest meeting provides international researchers a
   relaxed, comfortable environment to learn from informative
   tutorials on key developments in security technology, and
   collaborate and socialize with their peers in one of the
   world's most central cities.

   The EUSecWest conference will also feature the availability of
   the Security Masters Dojo expert network security sensei
   instructors, and their advanced, and intermediate, hands-on
   training courses - featuring small class sizes and practical
   application exercises to maximize information transfer.

   We would like to announce the opportunity to submit papers,
   lightning talk proposals for selection by the EUSecWest
   technical review committee.

   Please make your paper proposal submissions before April 14th,
   2008.

   Some invited papers have been confirmed, but a limited number
   of speaking slots are still available. The conference is
   responsible for travel and accommodations for the speakers. If
   you have a proposal for a tutorial session then please email a
   synopsis of the material and your biography, papers, and
   speaking background to secwest08 [at] eusecwest.com . Only
   slides will be needed for the May paper deadline, full text
   does not have to be submitted - but will be accepted if
   available.

   The EUSecWest 2008 conference consists of tutorials on
   technical details about current issues, innovative techniques
   and best practices in the information security realm. The
   audiences are a multi-national mix of professionals involved on
   a daily basis with security work: security product vendors,
   programmers, security officers, and network administrators. We
   give preference to technical details and new education for a
   technical audience.

   The conference itself is a single track series of presentations
   in a lecture theater environment. The presentations offer
   speakers the opportunity to showcase on-going research and
   collaborate with peers while educating and highlighting
   advancements in security products and techniques. The focus is
   on innovation, tutorials, and education instead of product
   pitches. Some commercial content is tolerated, but it needs to
   be backed up by a technical presenter - either giving a
   valuable tutorial and best practices instruction or detailing
   significant new technology in the products.

   Paper proposals should consist of the following information:
1. Presenter, and geographical location (country of
   origin/passport) and contact info (e-mail, postal address,
   phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
   experience/background.
5. Topic synopsis, Proposed paper title, and a one paragraph
   description.
6. Reason why this material is innovative or significant or an
   important tutorial.
7. Optionally, any samples of prepared material or outlines
   ready.
8. Will you have full text available or only slides?
9. Please list any other publications or conferences where
   this material has been or will be published/submitted.

   Please include the plain text version of this information in
   your email as well as any file, pdf, sxw, ppt, or html
   attachments.

   Please forward the above information to secwest08 [at]
   eusecwest.com to be considered for placement on the speaker
   roster, have your lightning talk scheduled.

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K.   May 21/22 - 2008   http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp


CanSecWest 2008 PWN2OWN - Mar 26-28

2008-03-21 Thread Dragos Ruiu
Calendar Notes:
===

PacSec 2008 will be on November 12/13 in Tokyo at Aoyama Diamond Hall.

EUSecWest 2008 will be on May 21/22 at a fun new venue in central London.
(We cooked this schedule up so it will enable people to fly to Berlin on 
the 23rd and make FX's ph-neutral on Saturday the 24th - which also 
has a fun new venue. Island???!?)

The EUSecWest 2008 CFP opens tomorrow and closes _before_ April 1 :-).
EUSecWest registration is now open.


Announcing CanSecWest PWN2OWN 2008.
===

Three targets, all patched.  All in typical client configurations with
typical user configurations.  You hack it, you get to keep it.

Each has a file on them and it contains the instructions and how to 
claim the prize.

Targets (typical road-warrior clients):

VAIO VGN-TZ37CN running Ubuntu 7.10
Fujitsu U810 running Vista Ultimate SP1
MacBook Air running OSX 10.5.2

This year's contest will begin on March 26th, and go during the 
presentation hours and breaks of the conference until March 28th. 
The main purpose of this contest is to present new vulnerabilities in 
these systems so that the affected vendor(s) can address them.
Participation is open to any registered attendee of CanSecWest 2008.

Once you extract your claim ticket file from a laptop (note that doing 
so will involve executing code on the box, simple directory traversal 
style bugs are inadequate), you get to keep it. You also get to 
participate in 3com / Tipping Point's Zero Day Initiative, with the top 
award for remote, pre-auth, vulnerabilities being increased this year.
Fine print and details on the cash prizes are available from 
TippingPoint's DVLabs blog (http://dvlabs.tippingpoint.com/). 
More fine print and rules for the contest will be found at 
the http://cansecwest.com/ site.

Quick Overview:

-Limit one laptop per contestant.
-You can't use the same vulnerability to claim more than one box, if it 
 is a cross-platform issue.
-Thirty minute attack slots given to contestants at each box.
-Attack slots will be scheduled at the contest start by the methods 
 selected by the judges.
-Attacks are done via crossover cable. (attacker controls default route)
-RF attacks are done offsite by special arrangement...
-No physical access to the machines.
-Major web browsers (IE, Safari, Konqueror, Firefox), widely used and 
 deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium, 
 Skype, Pidgin, AOL, Yahoo), Mail readers (Outlook, Mail.app, Thunderbird, 
 kmail) are all in scope.

Fine Print:

These computers are REAL and FULLY patched. All third party software is 
widely used. There are no imitation vulnerabilities. Any exploit 
successfully used in this contest would also compromise a significant 
percentage of Internet connected hosts.  Instead, players choose to use 
their exploits here, at CanSecWest PWN2OWN 2008.  All successful exploits 
will be turned over to the appropriate vendor and patched before details 
are made public.


Rules

1. Attacks remain confidential until prize is claimed

Players will connect to the targets with a crossover cable and we will
not record the network traffic or log anything other than what is done
by default.

Successful exploits can be delivered directly to Tipping Point after 
we verify that you control the target.

In the event that internet connectivity is required (eg. IM clients)
we will put the target online behind a firewall. We won't sniff at the
firewall, but we can make no guarantees for upstream networks. (so be
careful what you send over the Internet!)

2. No wireless attacks in the conference area

Players with intent to use wireless attacks must inform us in advance.
We will relocate to a secluded, undisclosed location where there won't
be dozens of people watching the traffic.

3. One attacker per target at a time

As is obvious from rule #1 and rule #2, one player gets exclusive access 
to any target at one time.

4. Players take turns, no hogging the targets

Players are limited to 30 minutes per attempt. We will mercilessly 
disconnect your cable at the end of each attack slot. Be fast!
We will reboot the targets before each session begins.

5. First come, first served access to targets.

Players get in line for their turns and may take an unlimited number
of turns. If a player runs out of time and no one else is waiting for
access to the target he may continue for another turn. Players may not
have more than 1 turn in any 30 minute period. (That means we won't
reboot a target any time you feel like it)

6. Remote, pre-authentication attacks are required to win

Players may not physically touch the targets or look at the target's 
display. Players are required to demonstrate to our satisfaction that 
arbitrary code runs on the target.

7. Attackers control the default route for the target.

Players may become the target's default gateway in order to perform man 
in the middle attacks. 

8. Contest officials visi

CanSecWest 2008 Mar 26-28

2008-02-22 Thread Dragos Ruiu
CanSecWest 2008 Presentations

Snort 3.0 - Marty Roesch, Sourcefire

Cross-Site Scripting Vulnerabilities in Flash Authoring Tools - Rich  
Cannings, Google

Proprietary RFID Systems - Jan "starbug" Krissler and Karsten Nohl, CCC

Media Frenzy: Finding Bugs in Windows Media Software - Mark Dowd and  
John McDonald, IBM ISS

Targeted Attacks and Microsoft Office Malware - Rob Hensing, Microsoft

Virtually Secure - Oded Horovitz, VMWare

Malicious Cryptography - Frédéric Raynal and Eric Filiol, Sogeti/Cap-Gemini 
and ESAT

The Death of AV Defense in Depth: Revisiting Anti-Virus Software -  
Thierry Zoller and Sergio Alvarez, nRuns

VMWare Issues - Sun Bing, McAfee

Intrusion Detection Systems Correlation: a Weapon of Mass  
Investigation - Sebastien Tricaud and Pierre Chifflier, INL

Web Wreck-utation - Dan Hubbard and Stephan Chenette, WebSense

Secure programming with gcc and glibc - Marcel Holtmann, Intel

Mobitex network security - olleB, toolcrypt.org

Peach Fuzzing - Michael Eddington, Leviathan

Fuzz by Number - Charlie Miller, Independent Security Evaluators

Fuzzing WTF? What Fuzzing Was, Is And Never Will Be. - Frank Marcus  
and Mikko Varpiola, Wurldtech / Codenomicon

Vulnerabilities Die Hard - Kowsik Guruswamy, Mu

Hacking Windows Vista - Dan Griffin, JW Secure

ExeFilter: a new open-source framework for active content filtering -  
Philippe Lagadec, NATO/NC3A

VetNetSec: Security testing for Extremists - Eric Hacker, BT INS

w3af: A framework to own the web - Andres Riancho, Cybsec

A Unique Behavioral Science Approach to Threats, Extortion and  
Internal Computer Investigations - Scott K. Larson, Stroz Friedberg

--
2008 Dojos

Vulnerability Discovery Demystified - Mark Dowd and Justin Schuh
The Exploit Laboratory - Advanced Edition - Saumil Shah
Advanced Honeypot Tactics - Thorsten Holz
Mastering the network with Scapy - Philippe Biondi
Voice over IP (VoIP) Security - Nico Fischbach
Practical 802.11 WiFi (In)Security - Cédric Blancher
Advanced Linux Hardening - Andrea Barisani
Defend The Flag - Microsoft

--
2008 PWN 2 OWN

There will be three targets:
A MacBook Air, running the latest OSX, patched, typical configuration.
A Sony VAIO VGN-TZ37CNB, running Ubuntu, latest release.
A Fujitsu U810, Running Vista, latest update.

The contest will be adjudicated by our impartial celebrity judge:

Ronald C. Dodge JR., Ph.D.
Lieutenant Colonel, Academy Professor
Associate Dean, Information and Education Technology,
United States Military Academy

The victory conditions will be the contents of specific 
specially  planted files on each system, to be extracted 
by winners. Hack them and you get to keep them, and 
any associated prizes for the exploits used, oh and the
fame and glory. :-)

Browsers (I.E., Mozilla, Safari), Mail Clients (Outlook, 
Mail.app, Thunderbird), and IM clients (MSN, Adium, 
Pidgin, Skype all platforms) are all in scope.
More details and official rules soon.

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada   March 25-28 - 2008   http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp


CanSecWest 2008 CFP (deadline Nov 30, conf Mar 26-28) and PacSec Dojo's

2007-11-09 Thread Dragos Ruiu
I'd like to congratulate Adam Laurie for winning the second Powerbook
from the Pwn_to_Own contest as the prize for the best speaker rated
by the audience for his presentation on RFID at CanSecWest 2007.
We will have a similar prize for the best speaker at CanSecWest 2008,
prize TBD (but we promise it will be cool - depending on what we find
trawling through the electronics shops in Akihabara this year :).

**

The Security Masters Dojo courses available at PacSec in Tokyo
on November 27/28 2007 have been updated. The final list is:

   Ultimate Web Hacking  - Yeng-Min Chen (Japanese)
   Reverse Engineering  - Yuji Ukai (Japanese)
   The Exploit Laboratory - Saumil Shah (English)
   Advanced Honeypot Tactics - Thorsten Holz (English)
   Advanced Linux Hardening - Andrea Barisani (English)
   Bugfinding with the Immunity Debugger - Nicolas Waisman & Kostya 
Kortchinski (English)
   Practical 802.11 Wi-Fi (In)Security - Cedric Blancher (English)

**

CanSecWest 2008 CALL FOR PAPERS

   VANCOUVER, Canada -- The ninth annual CanSecWest applied technical
   security conference - where the eminent figures in the
   international security industry will get together to share best
   practices and technology - will be held in downtown Vancouver at
   the Marriott Renaissance Harbourside on March 26-28, 2008.  The
   most significant new discoveries about computer network hack
   attacks and defenses, commercial security solutions, and pragmatic
   real world security experience will be presented in a series of
   informative tutorials.

   The CanSecWest meeting provides international researchers a
   relaxed, comfortable environment to learn from informative
   tutorials on key developments in security technology, and
   collaborate and socialize with their peers in one of the world's
   most scenic cities - a short drive away from one of North
   America's top skiing areas.

   The CanSecWest conference will also feature the availability of
   the Security Masters Dojo expert network security sensei
   instructors, and their advanced, and intermediate, hands-on
   training courses - featuring small class sizes and practical
   application exercises to maximize information transfer.

   We would like to announce the opportunity to submit papers, and/or
   lightning talk proposals for selection by the CanSecWest technical
   review committee. This year we will be doing one hour talks, and
   some shorter 20/30 minute talk sessions.

   Please make your paper proposal submissions before November 30th,
   2007.

   Some invited papers have been confirmed, but a limited number of
   speaking slots are still available. The conference is responsible
   for travel and accommodations for the speakers. If you have a
   proposal for a tutorial session then please email a synopsis of
   the material and your biography, papers and, speaking background
   to [EMAIL PROTECTED] (please remove _'s). Only 
   slides will be needed for the March paper deadline, full text does 
   not have to be submitted - but will be accepted if available.

   The CanSecWest 2008 conference consists of tutorials on technical
   details about current issues, innovative techniques and best
   practices in the information security realm. The audiences are a
   multi-national mix of professionals involved on a daily basis with
   security work: security product vendors, programmers, security
   officers, and network administrators. We give preference to
   technical details and new education for a technical audience.

   The conference itself is a single track series of presentations in
   a lecture theater environment. The presentations offer speakers
   the opportunity to showcase on-going research and collaborate with
   peers while educating and highlighting advancements in security
   products and techniques. The focus is on innovation, tutorials,
   and education instead of product pitches. Some commercial content
   is tolerated, but it needs to be backed up by a technical
   presenter - either giving a valuable tutorial and best practices
   instruction or detailing significant new technology in the
   products.

   Paper proposals should consist of the following information:
1. Presenter, and geographical location (country of
   origin/passport) and contact info (e-mail, postal address,
   phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
   experience/background.
5. Topic synopsis, Proposed paper title, and a one paragraph
   description.
6. Reason why this material is innovative or significant or an
   important tutorial.
7. Optionally, any samples of prepared material or outlines
   ready.
8. Will you have full text available or only slides?
9. Please list any other publications or conferences where this
   material has been or will be published/submitted.

   Please include the plai

Re: IM upgrade automated social engineering attack

2007-11-06 Thread Dragos Ruiu
On Tuesday 06 November 2007 02:37, Roman Shirokov wrote:
> Hey all
>
> I confirm that, I received several messages as well. The text of
> message is:
>
> WINDOWS REQUIRES IMMEDIATE ATTENTION
> =
>
> ATTENTION ! Security Center has detected
> malware on your computer !
>
> Affected Software:
>
> Microsoft Windows NT Workstation
> Microsoft Windows NT Server 4.0
> Microsoft Windows 2000
> Microsoft Windows XP
> Microsoft Windows Win98
> Microsoft Windows Server 2003
>
> Impact of Vulnerability: Remote Code Execution / Virus Infection /
> Unexpected shutdowns
>
> Recommendation: Users running vulnerable version should install a repair
> utility immediately
>
> Your system IS affected, download the patch from the address below !
> Failure to do so may result in severe computer
> malfunction.http://www.alertmonitor.org/?q=updatescan
>
> > With all the proliferation of phone home for update systems in
> > even trivial software packages these days, neophyte users
> > can easily get confused about legitimate upgrades and imposters.
> > So someone is trying to take advantage of this with an
> > automated version of an old school social engineering
> > attack via Skype spam.
> >
> > Someone/something/.someone's-botnet on skype last night
> > contacted users who reported it to me. The messages were
> > formatted to resemble Microsoft update messages or an AV scan
> > with a link to click to update and/or repair malware in a number
> > of Microsoft products. None of the users who reported it to me
> > clicked on the link so it's not clear what the installed malware
> > was after.
> >
> > A series of users with the name "Scan Alert" followed by the registered
> > trade mark sign originating from a numeric range of skype userids
> > following the form:
> > scan.alert.o
> >
> > ...have been sending these unsolicited messages. These id's seem
> > to be registered in the US. Please warn your users to ignore and be
> > wary of social engineering attacks purporting to be upgrades via
> > IM, because without doubt the persons behind this will try other
> > variants.
> >
> > A little bit of googling indicates these folks have been active for
> > at least two weeks.
> >
> > cheers,
> > --dr

That text came from a worm that Symantec and FSecure alerted about 
and put out an advisory about (and there was a story on PC World
too as I recall). (One of the web vuln scanner folks also put
an advisory but I forget whom now, sorry).

What was interesting to me about the reports I got was that
it sounded like someone was using the worm ids as noise to
send other messages, to look like _update_ messages not AV. 
Maybe experimenting with a new version? Using the worm
as cover for a targeted attack? Unfortunately this is all
verbal descriptions, and not very accurate ones, so I 
can't verify this.

Also a quick search for IDs on skype also shows that
there is another sequence of IDs in the form:

system.scan.c

But this also begs the question, why haven't the security
folks at Skype shut these down already, as they've been
active for weeks, and people are submitting abuse reports
about them?

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan   November 29/30 - 2007   http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


IM upgrade automated social engineering attack

2007-11-02 Thread Dragos Ruiu
With all the proliferation of phone home for update systems in
even trivial software packages these days, neophyte users 
can easily get confused about legitimate upgrades and imposters. 
So someone is trying to take advantage of this with an 
automated version of an old school social engineering 
attack via Skype spam.

Someone/something/.someone's-botnet on skype last night 
contacted users who reported it to me. The messages were
formatted to resemble Microsoft update messages or an AV scan
with a link to click to update and/or repair malware in a number 
of Microsoft products. None of the users who reported it to me 
clicked on the link so it's not clear what the installed malware 
was after.

A series of users with the name "Scan Alert" followed by the registered
trade mark sign originating from a numeric range of skype userids 
following the form:
scan.alert.o

...have been sending these unsolicited messages. These id's seem
to be registered in the US. Please warn your users to ignore and be 
wary of social engineering attacks purporting to be upgrades via 
IM, because without doubt the persons behind this will try other 
variants.

A little bit of googling indicates these folks have been active for
at least two weeks.

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan   November 29/30 - 2007   http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


In Memoriam: Jun-ichiro Hagino

2007-10-30 Thread Dragos Ruiu
With great sadness, I regret to inform you that Itojun
will not be presenting his great knowledge of IPv6 at
PacSec.  I have been informed by several sources
that he passed away yesterday. 

Funeral services will be held on Nov 7th at Rinkai-Saijo
in Tokyo. There aren't many details of his passing,
so please let his family and relatives mourn in peace 
for now.  My heartfelt condolences go out to them,
and all of his many friends.

I knew Itojun as one of the smartest and kindest people
I have ever met. He helped everyone around him. He
graciously hosted and assisted many foreigners new
to Japan at the PacSec conferences, and was a good
friend to all. He would go to extraordinary lengths to
help anyone around him. We will all miss him - and 
his work on IPv6 will continue to help us for a long 
time.

He once said to me, "When a professional race car
driver races, his pulse gets lower and he relaxes.
When I code it is the same thing." I'll miss him
driving around in his prized Fiat 500... and I hope
we can all proceed to help fix our V6 networks 
without his gentle and insistent coaching.

We will announce a replacement talk shortly.

If you knew or respected him, he would have
wanted any energy you put towards grief to 
be spent on speeding the adoption and the
robustness of the version 6 internet which
he devoted so much of his extraordinary 
life to.

Some more information in Japanese
at http://www.hoge.org/~koyama/itojun.txt

May he rest in peace,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan   November 29/30 - 2007   http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


PacSec 2007 Agenda (Tokyo 11-29/30)

2007-10-22 Thread Dragos Ruiu
Talk selections for PacSec 2007 - November 29 and 30 - Aoyama Diamond Hall

---
- Programmed I/O accesses: a threat to virtual machine monitors? - Loic 
Duflot,

- Developing Fuzzers with Peach - Michael Eddington, Leviathan Security

- Cyber Attacks Against Japan - Hiroshi Kawaguchi, LAC

- Windows Localization: Owning Asian Windows Versions - Kostya Kortchinsky, 
Immunity

- TOMOYO Linux - Toshiharu Harada, NTT Data

- IPV6 Demystified - Jun-ichiro itojun Hagino, IPv6Samurais

- Automated JavaScript Deobfuscation - Alex Rice, Websense Security Labs

- Enter Sandman (why you should never go to sleep) - Nicolas Ruff & Matthieu 
Suiche, EADS

- Agent-oriented SQL Abuse - Fernando Russ & Diego Tiscornia, Core

- Bad Ideas: Using a JVM/CLR for Intellectual Property Protection - Marc 
Schoenefeld, University of Bamberg

- Heap exploits are dead. Heap exploits remain dead. And we have killed them. 
- Nicolas Waisman, Immunity

- Deploying and operating a Global Distributed Honeynet - David Watson, 
Honeynet Project

- Office 0days and the people who love them - TBA, Microsoft
(I would also like to thank Colin Delaney and Stephen Ridley as standby 
presenters)

--

Final Dojo schedule will be announced shortly but will include
both English and Japanese language dojos. In English Dojos will
include: Saumil Shah's Exploit Lab, Andrea Barisani's Linux Hardening,
and the folks from Immunity doing a course on bugfinding
with the Immunity debugger. In Japanese: Yuji Ukai will be
doing a reverse engineering course, and the McAfee/Foundstone
folks will be translating their Ultimate Web Hacking course into
Japanese for the first time.  Dojos will be on Nov 27/28.

Talk descriptions will be up shortly. :-)

cheers,
--dr

P.s. other dates: CanSecWest March 26-28, EUSecWest May21/22
-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan   November 29/30 - 2007   http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


Really, really, penultimate, PacSec CFP deadline, Aug 10.

2007-07-31 Thread Dragos Ruiu
Some folks have been trying to convince us to extend deadlines,
so being the sticklers we are, we said: no way... But they convinced
us. So to be fair - this is a heads up for others who didn't have time
to submit. :-) We'll try to turn around the selection reviews ASAP,
before the end of August for those who submitted.

cheers, 
--dr 

P.s. The gentleman from McAfee who phoned me about his
submission whose name I've forgotten, we didn't get your
mail, please get back in touch.
-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan   November 29/30 - 2007   http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


Re: Internet Explorer 0day exploit

2007-07-14 Thread Dragos Ruiu
On Tuesday 10 July 2007 08:53, Gadi Evron wrote:
> To paraphrase Guninski, this is still not a 0day. It is a vulnerability
> being disclosed.

You're being pedantic Gadi. :-)

We have to accept the term "0day" has passed into 
the realm of meaningless nebulousness along with 
"hacker" and other misused terms.

If we are to be pedantic, the original meaning of
0day is new warez release :-).

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan   November 29/30 - 2007   http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


PacSec 2007 Call For Papers (Nov. 29/30, deadline July 27)

2007-07-04 Thread Dragos Ruiu

PacSec CALL FOR PAPERS

World Security Pros To Converge on Japan

   TOKYO, Japan -- To address the increasing importance of
   information security in Japan, the best known figures in the
   international security industry will get together with leading
   Japanese researchers to share best practices and technology.
   The most significant new discoveries about computer network
   hack attacks will be presented at the fifth annual PacSec
   conference to be discussed.

   The PacSec meeting provides an opportunity for foreign
   specialists to be exposed to Japanese innovation and markets
   and collaborate on practical solutions to computer security
   issues. In a relaxed setting with a mixture of material
   bilingually translated in both English and Japanese the eminent
   technologists can socialize and attend training sessions.

   Announcing the opportunity to submit papers for the PacSec 2007
   network security training conference. The conference will be
   held November 29-30th in Tokyo. The conference focuses on
   emerging information security tutorials - it will be a bridge
   between the international and Japanese information security
   technology communities.

   Please make your paper proposal submissions before July 27th,
   2007. Slides for the papers must be submitted by October 1st
   2007. The conference is November 29th and 30th 2007, presenters
   need to be available in the days before to meet with
   interpreters.

   Some invited papers have been confirmed, but a limited number
   of speaking slots are still available. The conference is
   responsible for travel and accommodations for the speakers. If
   you have a proposal for a tutorial session then please email a
   synopsis of the material and your biography, papers and,
   speaking background to secwest07 [at] pacsec.jp . Tutorials are
   one hour in length, but with simultaneous translation should be
   approximately 45 minutes in English, or Japanese. Only slides
   will be needed for the October paper deadline, full text does
   not have to be submitted.

   The PacSec conference consists of tutorials on technical
   details about current issues, innovative techniques and best
   practices in the information security realm. The audiences are
   a multi-national mix of professionals involved on a daily basis
   with security work: security product vendors, programmers,
   security officers, and network administrators. We give
   preference to technical details and education for a technical
   audience.

   The conference itself is a single track series of presentations
   in a lecture theater environment. The presentations offer
   speakers the opportunity to showcase on-going research and
   collaborate with peers while educating and highlighting
   advancements in security products and techniques. The focus is
   on innovation, tutorials, and education instead of product
   pitches. Some commercial content is tolerated, but it needs to
   be backed up by a technical presenter - either giving a
   valuable tutorial and best practices instruction or detailing
   significant new technology in the products.

   Paper proposals should consist of the following information:

   1) Presenter, and geographical location (country of
   origin/passport) and contact info (e-mail, postal address,
   phone, fax).

   2) Employer and/or affiliations.

   3) Brief biography, list of publications and papers.

   4) Any significant presentation and educational
   experience/background.

   5) Topic synopsis, Proposed paper title, and a one paragraph
   description.

   6) Reason why this material is innovative or significant or an
   important tutorial.

   7) Where else has this material been presented or submitted?

   8) Optionally, any samples of prepared material or outlines
   ready.

   Please forward the above information to secwest07 [at]
   pacsec.jp to be considered for placement on the speaker roster.

cheers,
--dr

P.s. Some other dates of interest are announced:

CanSecWest 2008 March 19-21 see http://cansecwest.com
EUSecWest 2008 May 21/22 see http://eusecwest

P.P.S.

Also as a friendly reminder, CCC Camp is Aug 8 -12 2008, see 
http://events.ccc.de/camp/2007/Intro (Hi Julia et al...) 

Happy Independence Day and  Canada Day,

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan   November 29/30 - 2007   http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


EUSecWest 2007 Papers

2007-01-19 Thread Dragos Ruiu
Hi,

For those who asked, we are still processing the submissions for CanSecWest
and the call closed, please stand by. The paper selections are back from the
reviewers for EUSecWest, in London on March 1-2.

In absolutely random order:

Threats against and protection of Microsoft's internal network - Greg Galford, 
Microsoft
Linux Kernel == Security Nightmare - Marcel Holtmann, Red Hat
/GS and ASLR in Windows Vista - Ollie Whitehouse, Symantec
Fuzzing: history, perspectives and limits - Christian Wieser, Oulu university
The new OWASP Web Application Penetration Testing Methodology - Matteo Meucci 
& Alberto Revelli, OWASP-Italy
Reverse Engineering Malicious Javascript - Jose Nazario, Ph.D., Arbor
Bypassing NAC Systems - Ofir Arkin, Insightix
RFID - Adam Laurie, trifinite
Protecting Next-Gen Networks @ Nx10G link sizes - Jim Deleskie, Teleglobe
Video Conferencing Security - Navid Jam, Sandia National Laboratories
Software Virtualization Based Rootkits - Sun Bing
VoIP Attacks! - Dustin D. Trammell, TippingPoint
Windows Vista Exploitation Countermeasures - Richard Johnston, Microsoft
OSX Security - Daniel Cuthbert, Corsaire
Distributed drone-based malware propagation and deployment automation - 
Emmanuel H

We have added a new RFID dojo in London with Adam, and Nico 
has a new VoIP Security dojo amongst the new dojos to be announced
for CanSecWest along with the paper selections. Dojos for London 
have final schedules now.

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K.   Mar 1-2 - 2007   http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp


Re: Flaw in OpenOffice.org 2.1: OpenOffice 2.1 is vulnerable to MS Word 0 day vulnerability!!!

2006-12-18 Thread Dragos Ruiu
On Friday 15 December 2006 10:07, Bruno Lustosa wrote:
> On 15 Dec 2006 09:49:54 -, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > try yourself with OpenOffice.org 2.1:
> > http://www.milw0rm.com/sploits/12122006-djtest.doc
>
> Crashed OpenOffice.org 2.1 on my Linux system (Gentoo using
> openoffice-bin 2.1.0).
> Anyone tried it under Windows?

Philippe Lagadec's presentation about OpenOffice security from PacSec
is now up in English and Japanese. It may prove cogent to this line
of analysis. :-) It's on the http://pacsec.jp/psj06archive.html section.

cheers,
--dr 

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K.   Feb 28 / Mar 1 - 2007   http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp


CanSecWest 2007 (April 18-20) Call For Papers (Deadline January 7th)

2006-12-14 Thread Dragos Ruiu
CanSecWest 2007 CALL FOR PAPERS

VANCOUVER, Canada -- The eighth annual CanSecWest applied technical security 
conference - where the eminent figures in the international security industry 
will get together to share best practices and technology - will be held in 
downtown Vancouver at the Marriott Renaissance Harbourside on April 18-20, 
2007. The most significant new discoveries about computer network hack 
attacks and defenses, commercial security solutions, and pragmatic real world 
security experience will be presented in a series of informative tutorials. 

The CanSecWest 2007 meeting provides international researchers a relaxed, 
comfortable environment to learn from informative tutorials on key 
developments in security technology, and collaborate and socialize with their 
peers in one of the world's most scenic cities - a short drive away from one 
of North America's top skiing areas. 

The CanSecWest 2007 conference will also feature the availability of the 
Security Masters Dojo expert network security sensei instructors, and their 
advanced, and intermediate, hands-on training courses - featuring small class 
sizes and practical application exercises to maximize information transfer. 

We would like to announce the opportunity to submit papers, and/or lightning 
talk proposals, for selection by the CanSecWest technical review committee. 
Please make your paper proposal submissions before January 7th, 2007. Slides 
for the papers must be submitted by March 15th, 2007. 

Some invited papers have been confirmed, but a limited number of speaking 
slots are still available. The conference is responsible for travel and 
accommodations for the speakers. If you have a proposal for a tutorial session 
then please email a synopsis of the material and your biography, papers and, 
speaking background to [EMAIL PROTECTED] Only slides will be needed 
for the March paper deadline, full text does not have to be submitted - but 
will be accepted if available. 

The CanSecWest 2007 conference consists of tutorials on technical details 
about current issues, innovative techniques and best practices in the 
information security realm. The audiences are a multi-national mix of 
professionals involved on a daily basis with security work: security product 
vendors, programmers, security officers, and network administrators. We give 
preference to technical details and new education for a technical audience. 

The conference itself is a single track series of presentations in a lecture 
theater environment. The presentations offer speakers the opportunity to 
showcase on-going research and collaborate with peers while educating and 
highlighting advancements in security products and techniques. The focus is 
on innovation, tutorials, and education instead of product pitches. Some 
commercial content is tolerated, but it needs to be backed up by a technical 
presenter - either giving a valuable tutorial and best practices instruction 
or detailing significant new technology in the products. 

Paper proposals should consist of the following information: 

1) Presenter, and geographical location (country of origin/passport) and 
contact info (e-mail, postal address, phone, fax). 
2) Employer and/or affiliations. 
3) Brief biography, list of publications and papers. 
4) Any significant presentation and educational experience/background. 
5) Topic synopsis, Proposed paper title, and a one paragraph description. 
6) Reason why this material is innovative or significant or an important 
tutorial. 
7) Optionally, any samples of prepared material or outlines ready. 
8) Will you have full text available or only slides? 
9) Please list any other publications or conferences where this material has 
been or will be published/submitted. 

Please include the plain text version of this information in your email as 
well as any file, pdf, sxw, ppt, or html attachments. (Some reviewers only
look at .txt info.) Multiple submissions are acceptable.

Please forward the above information to be considered for placement on the 
speaker roster, or have your short lightning talk scheduled. Send all 
conference related correspondence to [EMAIL PROTECTED]

thanks,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K.  Feb 28 / Mar 1 - 2007  http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp


EUSecWest/London CFP extended to Nov. 7

2006-11-03 Thread Dragos Ruiu
Hi folks, some brief news:

Some people have asked for late submissions to the EUSecWest
paper selections. In the interest of fairness, we are extending the 
deadline for all until next Tuesday (November 7), at which time
the submissions will be reviewed. Details of submissions can
be found on the http://eusecwest.com site under the speakers 
sections.

PacSec/Tokyo paper descriptions have been published, and 
CanSecWest/Vancouver early discount registration is now available.

thanks,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan  November 27-30 2006  http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


PacSec Hype Security Team: CGI.pm param injection

2006-10-13 Thread Dragos Ruiu
== 

 PacSec Hype Security Team

  param injection in CGI.pm and inheritors 
allows SQL injection and manipulation of data
  bypassing many perl web form validators

== 
Table of Contents

1) Affected Software
2) Severity
3) Description of Software
4) Description of Vulnerability
5) Solution
6) Time Table
7) Credits
8) References
9) About PacSec
10) Verification

== 
1) Affected Software

CGI.pm and perl modules which inherit from it or behave compatibly.
Data::FormValidator is an example.

== 
2) Severity 

Rating: Extra Crispy
Impact: Blatant shilling
Overstated claims of insecurity
Manipulation of data
SQL Injection
Where:  A series of tubes

== 
3) Description of Software 

CGI.pm is the defacto standard for handling forms in perl.  It is
included in core perl.

Data::FormValidator is the most common way of validating form data
in perl.  It is available as a plug in to Catalyst, CGI::Application,
and almost every other framework for building web apps in perl.

DBIx::Class is a pretty decent ORM for perl, Catalyst uses it by
default.



== 
4) Description of Vulnerability

The CGI.pm documentation states (http://xrl.us/r6ev) that the 'param'
method will return an array if a named parameter is multivalued.
This can have unintended consequences if used as a hash value with the
assumption that 'param' will always return a scalar.

For example:

http://example.com/somecgi?name=value

The programmer may expect the following to work:

use CGI;
use Data::Dumper;
my $q = CGI->new;
my $importanthash = {name => $q->param('name')};

print Dumper $importanthash;

will show something like this as expected:

$VAR1 = {
  'name' => 'value',
};


However in cases where the parameter is multivalued something
different will happen.

http://example.com/somecgi?name=1&name=2&name=evilkey&name=evilvalue

This is probably not expected:

$VAR1 = {
  'evilkey' => 'evilvalue',
  'name' => '2'
};

This becomes more interesting because almost everything that deals
with the web in perl either inherits from CGI.pm or mimics its
behaviour.  This makes an interesting problem for data validation.

Data::FormValidator is quite commonly used to validate cgi
parameters (both GET and POST).  A typical validation profile
might look something like this:

use Data::FormValidator;
my $profile = {
required => [qw( fullname 
 phone 
 email 
 address )],

constraint_methods => {
email => qr/\w+/  
#yes I know this is retarded, it's an example
}
};

The expected behaviour is that the 'email' parameter must match the
supplied regular expression otherwise it will not be returned by the
'valid' method (see docs at http://xrl.us/r6e7).  A naive programmer
would assume that since the 'email' parameter has been validated, it
is hereafter safe to use.  The documentation even lulls the programmer
along, suggesting this construct:

my $results = Data::FormValidator->check($q->Vars, $profile);
foreach my $f ( $results->valid() ) {
print $f, " =  ", $results->valid( $f ), "\n";
}

Obviously the above will not do what is expected when supplied with
multivalued parameters, but it is not yet actually dangerous.

When a multivalued parameter is supplied, say for example:

http://example.com/[EMAIL PROTECTED]&email=userid&email=0

the above example should print out

'email =  [EMAIL PROTECTED]'

Here's an example that is dangerous.  Rather than printing out the
name value pairs, the (supposedly) valid data is being used in
an update method for an ORM (in this case DBIx::Class).  This
can be used to do a SQL injection attack, despite the use of bind
variables by the ORM, and validation by Data::FormValidator.

#don't do this
foreach my $f ( $results->valid() ) {
$db->update({$f, $results->valid($f) });
}

Our previous multivalue parameter query now causes the following:

$db->update({'email', '[EMAIL PROT
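
The list-context flattening described above, as an added example that is not part of the advisory or of CGI.pm itself. It constructs a request with a repeated parameter, shows the anonymous-hash case from section 4 in its vulnerable and fixed forms, and adds a reject-if-repeated check. The request string, the field name `email`, and the function names are assumptions for the example; CGI.pm must be installed (it ships separately on CPAN for perl 5.22 and later).

```perl
#!/usr/bin/env perl
# Added example, not code from the PacSec advisory: CGI.pm param() in
# list context, the hash-flattening consequence, and two ways to fix it.
use strict;
use warnings;
use CGI;
use Data::Dumper;
$Data::Dumper::Sortkeys = 1;
$Data::Dumper::Indent   = 1;

# Constructed request (assumption for the example): the same parameter is
# repeated, exactly as the advisory's attacker does. CGI->new accepts a raw
# query string, so this runs offline without a web server.
my $q = CGI->new('email=user@example.com&email=is_admin&email=1');

# Vulnerable: an anonymous hash constructor is list context, so param()
# returns every value and the surplus values pair up into a new key/value.
sub update_hash_vulnerable {
    my ($q) = @_;
    return { email => $q->param('email') };
}

# Fixed: force scalar context; CGI.pm then returns only the first value.
sub update_hash_fixed {
    my ($q) = @_;
    return { email => scalar $q->param('email') };
}

# Fixed another way: refuse the request if a parameter the handler expects
# exactly once was supplied more than once. Returns the offending names.
sub repeated_params {
    my ($q, @expected) = @_;
    my @repeated;
    for my $name (@expected) {
        my @values = $q->param($name);   # list context on purpose here
        push @repeated, $name if @values > 1;
    }
    return @repeated;
}

print "vulnerable: ", Dumper(update_hash_vulnerable($q));
print "fixed:      ", Dumper(update_hash_fixed($q));

my @bad = repeated_params($q, 'email');
print "would reject request, repeated parameter(s): @bad\n" if @bad;
```

The vulnerable hash comes back with `email => 'user@example.com'` plus a second key `is_admin => '1'` that the handler never asked for, which is exactly what gets handed to an ORM `update` in the advisory's loop; the fixed hash has only `email`. Data::FormValidator's `valid($f)` also returns every value in list context, so the same `scalar` belongs in front of `$results->valid($f)`. CGI.pm 4.08 and later print a "called in list context" warning at both list-context calls here; the intentional one can use `multi_param` on those versions.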

pacsec hype security team: 7 words of warning about Macromedia Flash Player 9+

2006-10-10 Thread Dragos Ruiu
Advisory:

"The new Flash player adds network functions!"

Details:

With a minor amount of fanfare "binary socket" support has been
added to Flash Player 9 / ActionScript 3.0. The Flash sandbox model
is primarily focused on preventing modifications to the local system,
and thus there are many ways to bypass the only-connect-back-upstream
and port<1024 limitations on the SWF applet Socket() class. A 
(potentially malicious) server can override the limit with a 
cross domain policy file on the server, or it can be overridden 
locally at the player with a global setting/policy change, or 
by configuring the applet as trusted. 

Adobe has a paper on flash security configuration at:
http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf

The potential for network misuse possible in Flash just went up 
several orders of magnitude, and as the Adobe site triumphantly 
proclaims, it's apparently in use at 97.3% of networked computers. 
I'll avoid some of the more exotic scenarios, lest they give 
anyone some bad ideas - and leave this caveat at this warning.

Audited the trusted Flash applets on your system lately?

Forewarned is Forearmed.

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan  November 27-30 2006  http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


PacSec 2006 Papers announcement and EUSecWest Call For Papers

2006-10-03 Thread Dragos Ruiu
The PacSec 2006 paper selections have been announced:

   Smashing Heap by Free Simulation - Sandip Chaudhari

   Methods of increasing source code security automatically - Ben Chelf, 
Coverity

   IPTV: Triple Play Triple Threats - YM Chen, McAfee

   Windows Vista Security Model - Matt Conover, Symantec

   Mobile IPV6, Les Problemes - Arnaud Ebalard & Guillaume Valadom, EADS, 
University of Tokyo

   Threats against and protection of Microsoft's internal network - Greg 
Galford, Microsoft 

   Native IPV6 in Windows Vista - Abolade Gbadegesin, Microsoft 

   Linux Kernel == Security Nightmare - Marcel Holtmann, Red Hat

   On XSRF(Cross Site Session Riding) and why you should care - Martin Johns, 
University of Hamburg

   hacking fingerprint recognition systems - Jan Krissler, Fraunhofer 
Institute

   OpenOffice/OpenDocument and MS OpenXML security - Philippe Lagadec, French 
Ministry of Defence

   Windows Defender - Adam Overton, Microsoft 

   VM Based Intrusion Detection System - Nguyen Anh Quynh, Keio University

   Strong cryptographic payload obfuscation and encryption - Ariel Waissbein, 
Core Security Technologies

   Undermining Security in Vista WCF - Marc Schoenefeld

   IPV6 Mapping - Yuji Ukai & Ryan Permeh, eeye

   MSKK Security Fundamentals - TBA, Microsoft

More details and registration at http://pacsec.jp

--
EUSecWest CALL FOR PAPERS
--
   LONDON, U.K. -- The second annual EUSecWest applied technical
   security conference - where the eminent figures in the international
   security industry will get together share best practices and
   technology - will be held in downtown London at the Victoria Park
   Plaza hotel on March 1-2 2007. The most significant new discoveries
   about computer network hack attacks and defenses, commercial security
   solutions, and pragmatic real world security experience will be
   presented in a series of informative tutorials.

   The EUSecWest meeting provides international researchers a relaxed,
   comfortable environment to learn from informative tutorials on key
   developments in security technology, and collaborate and socialize
   with their peers in one of the world's most central cities.

   In addition to the usual one hour tutorials, panel sessions and highly
   entertaining 5 minute "lightning" talks, this conference will also
   feature a new session called "Elevator Focus Groups". Featuring
   several short sessions, these commercial presentations will showcase
   new, significantly used, or dramatically innovative new products in
   the information security realm. Each selected vendor will have a short
   10 minute presentation ("elevator pitch"), after which 10 minutes of
   audience Q&A and interactive discussion amongst the expert security
   practitioners attending will follow. In this session both the audience
   and the vendors can get valuable feedback from world leading experts
   and the attendees can get user evaluations and learn from sharing
   experiences and real world security applications about practical uses
   of the products - the "focus group." Hence the name: Elevator Focus
   Groups.

   The EUSecWest conference will also feature the availability of the
   Security Masters Dojo expert network security sensei instructors, and
   their advanced, and intermediate, hands-on training courses -
   featuring small class sizes and practical application exercises to
   maximize information transfer.

   We would like to announce the opportunity to submit papers, lightning
   talk proposals, and elevator focus candidate products for selection by
   the EUSecWest technical review committee.

   Please make your paper proposal submissions before October 20th,
   2006. Slides for the papers must be submitted by January 15th, 2007.

   Some invited papers have been confirmed, but a limited number of
   speaking slots are still available. The conference is responsible for
   travel and accommodations for the speakers. If you have a proposal for
   a tutorial session then please email a synopsis of the material and
   your biography, papers and, speaking background to 
   [EMAIL PROTECTED] Only slides will be needed for 
   the March paper deadline, full text does not have to be 
   submitted - but will be accepted if available.

   The EUSecWest 2007 conference consists of tutorials on technical
   details about current issues, innovative techniques and best practices
   in the information security realm. The audiences are a multi-national
   mix of professionals involved on a daily basis with security work:
   security product vendors, programmers, security officers, and network
   administrators. We give preference to technical details and new
   education for a technical audience.

   The conference itself is a single track series of presentations in a
   lecture theater environment. The presentations offer speakers the
   opportunity to showca

PacSec 2006 CALL FOR PAPERS (Deadline Aug. 4; Event Nov. 27-30)

2006-07-17 Thread Dragos Ruiu
url: http://pacsec.jp

PacSec 2006 CALL FOR PAPERS

World Security Pros To Converge on Japan

   TOKYO, Japan -- To address the increasing importance of information
   security in Japan, the best known figures in the international security
   industry will get together with leading Japanese researchers to share
   best practices and technology. The most significant new discoveries
   about computer network hack attacks will be presented at the third
   annual PacSec conference to be discussed.
   
   The PacSec meeting provides an opportunity for foreign specialists to
   be exposed to Japanese innovation and markets and collaborate on
   practical solutions to computer security issues. In a relaxed setting
   with a mixture of material bilingually translated in both English and
   Japanese the eminent technologists can socialize and attend training
   sessions.
   
   Announcing the opportunity to submit papers for the PacSec 2006 applied
   security training conference. The conference will be held November
   27-30th in Tokyo. The conference focuses on emerging information
   security tutorials - it will be a bridge between the international and
   Japanese information security technology communities.
   
   Please make your paper proposal submissions before August 4 2006. Slides
   for the papers must be submitted by October 1st 2006. The conference is
   November 29th and 30th 2006, presenters need to be available in the
   days before to meet with interpreters. The Security Masters Dojo, Tokyo,
   is November 27 -28, 2006. Both events will be held at Aoyama Diamond 
   Hall.
   
   Some invited papers have been confirmed, but a limited number of
   speaking slots are still available. The conference is responsible for
   travel and accommodations for the speakers. If you have a proposal for a
   tutorial session then please email a synopsis of the material and your
   biography, papers and, speaking background to secwest06 [at] pacsec.jp.
   Tutorials are one hour in length, but with simultaneous translation
   should be approximately 45 minutes in English, or Japanese. Only slides
   will be needed for the October paper deadline, full text does not have
   to be submitted.
   
   The PacSec conference consists of tutorials on technical details about
   current issues, innovative techniques and best practices in the
   information security realm. The audiences are a multi-national mix of
   professionals involved on a daily basis with security work: security
   product vendors, programmers, security officers, and network
   administrators. We give preference to technical details and education
   for a technical audience.
   
   The conference itself is a single track series of presentations in a
   lecture theater environment. The presentations offer speakers the
   opportunity to showcase on-going research and collaborate with peers
   while educating and highlighting advancements in security products and
   techniques. The focus is on innovation, tutorials, and education
   instead of product pitches. Some commercial content is tolerated, but
   it needs to be backed up by a technical presenter - either giving a
   valuable tutorial and best practices instruction or detailing
   significant new technology in the products.
   
   Paper proposals should consist of the following information:
   
   1) Presenter, and geographical location (country of origin/passport)
   and contact info (e-mail, postal address, phone, fax).
   2) Employer and/or affiliations.
   3) Brief biography, list of publications and papers.
   4) Any significant presentation and educational experience/background.
   5) Topic synopsis, Proposed paper title, and a one paragraph
   description.
   6) Reason why this material is innovative or significant or an
   important tutorial.
   7) Optionally, any samples of prepared material or outlines ready.
   
   Please forward the above information to secwest06 [at] pacsec.jp to be
   considered for placement on the speaker roster. Please include a plain 
   text version of all the above information along with any other submission
   data/information.

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan  November 26-30 2006  http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp


Re: [Full-disclosure] SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

2006-03-23 Thread Dragos Ruiu
On March 23, 2006 01:41 am, Gadi Evron wrote:
> Here's what ISS releasing the Race Condition vulnerability has to say:
> http://xforce.iss.net/xforce/alerts/id/216
> They say it's a remote code execution. They say it's a race condition. No
> real data available to speak of. I can't see how it's remotely
> exploitable, but well, no details, remember? From what we can see it seems
> like a DoS.

ISS's Mark Dowd is a very clever guy. And if duke says it's exploitable
I would believe him :-).  It's an interesting new vector anyway.

But like all timing related attacks, the question is reliability.
Though gossip has it, this one is repeatable with sub-100 attempts
and you get infinite shots at it because even if the process 
does die it's a child of the parent listener. (So it is not really
a DoS per se in any case.)

>
> Bottom line
> ---
> What they did behind the smoke-screen is replace a lot of setjmp() and
> longjmp() functions (not very secure ones at that) with goto's
> (interesting choice).

Smoke screen seems like unfairly loaded terminology to use.

OpenBSD fixed (removed) many setjmp/longjmp functions in their
tree a long time ago as a class of bugs. (Though this sendmail 
exploitable collecttimeout() longjmp one is new and they patched
it yesterday with everyone else, because as you noted, replacing
it was kinda hairy...)

I don't think it's fair to bitch about people fixing bugs and then not
having the time to send out advisories for every little tweak.
The important thing is to fix the bug. And often times the 
developer won't understand the real impact of fixing a bug 
until someone clever like Mark comes up with some innovative
way to exploit an "unexploitable" bug like this one.

What will be interesting to see when the PoC exploits are 
finally released, is if any of the memory/stack protection schemes
mitigate it.


Besides, there is only one true mailer to mail them all,
and its name is Postfix.


Now if we could only convince Mr. Venema to switch 
to a BSD license _everyone_ would switch to Postfix
and everything would be much better. If it weren't for
that "poison pill" clause in its license, I'm sure most
OSes and commercial systems would have swapped 
out Sendmail for Postfix long ago.

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada  April 3-7 2006  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp


CanSecWest/core06 Vancouver April 3-7

2006-03-08 Thread Dragos Ruiu
The call for papers is now closed and the proposals have been reviewed
for the CanSecWest/core06 Applied Technical Security Conference held
on April 5-7 2006 at the Marriott Renaissance Harbourside in Vancouver,
B.C. Canada.

The selected submissions are :

   An hour of Rap and Comedy about SAP - Steve Lord
   Next Generation Sebek - Edward Balas - Indiana University
   RF Bugsweeping - Tim Johnson - Technical Security Consultants Inc.
   Magstripe Madness - Major Malfunction
   Metasploitation (and a dash of IPS) - HD Moore - BreakingPoint
   Carrier VoIP Security - Nico Fischbach - COLT
   Attacking VoIP Networks - Hendrik Scholz - Freenet Cityline GmbH
   Security Issues Related to Pentium System Management Mode - Loïc Duflot
   Advancements in Anonymous eAnnoyance - Christopher Abad - Cloudmark
   Real Time Threat Mitigation Techniques - Josh Ryder - University of Alberta
   Stunt Profiling: Securing a System While You Wait - Crispin Cowan - Novell
   Visualizing Source Code for Auditing - Lisa Thalheim
   Attacking Web Services - Alex Stamos, Scott Stender - iSEC Partners
   Reverse Engineering Microsoft Binaries - Alexander Sotirov - Determina
   Zen and the art of collecting and analyzing Malware - Fred Arbogast and 
Sascha Rommelfangen - S.E.S. Astra
   How to test an IPS - Renaud Bidou - RADWare
   Insiders View: Network Security Devices - Dennis Cox - BreakingPoint
   More on Uninitialized Variables - Halvar Flake
   Eric Byres - SCADA - BCIT
   Panel Discussion - Vulnerability Commercialization
   Terri Forslof, 3Com, Manager of Security Response
   Michael Sutton iDefense Labs, Director of iDEFENSE Labs
   Others TBA
   Vendor Elevator Focus Groups
David Meltzer, Cambia
Ofir Arkin, Insightix
Others TBA
   Lightning Talks

Some talks from the PacSec/core05 conference in Tokyo in November and
the EUSecWest/core06 conference in London during February were highly
rated and have been invited for encore presentations at CanSecWest:

   Attacking the IPv6 protocol suite - van Hauser - THC / n.runs GmbH
   Protecting the Infrastructure - Jim DeLeskie & Danny McPherson - Teleglobe, 
Arbor Networks

Security Masters Dojo Courses 
April 3-5 Vancouver

   Network Reconnaissance with Nmap 4 - Fyodor & Doug Hoyte
   Network Vulnerability Scanning: Turning Nessus into Metasploit - Renaud 
Deraison & Nicolas Pouvesle
   Reverse Engineering: Rapid Bug Discovery and Input Crafting - Halvar
   Assembly for Exploit Writing - Gerardo Richarte
   Advanced IDS Deployment and Optimization - Marty Roesch
   Advanced Honeypot Tactics - Thorsten Holz
   Mastering the network with Scapy - Philippe Biondi
   Securing your critical Cisco network infrastructure - Nico Fischbach
   Practical 802.11 WiFi (In)Security - Cédric Blancher
   Bluetooth Auditing and Technology - Martin Herfurt, Adam Laurie, Marcel 
Holtmann

Conference registration on line can be found at: 
http://cansecwest.com/register.html

Security Masters Dojo Vancouver registration can be found at
http://cansecwest.com/dojo.html

thanks,
--dr
-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada  April 3-7 2006  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp


EUSecWest papers and CanSecWest CFP

2006-01-12 Thread Dragos Ruiu
url: http://eusecwest.com
url: http://cansecwest.com
(CanSecWest Call For Papers attached below)

EUSecWest/core06 Conference 
---

Announcing the final selection of papers for the 
EUSecWest conference in London, U.K. on Feb. 20/21
at the Victoria Park Plaza Hotel. The following
topics will be covered:

   Javier Burroni & Carlos Sarraute - Core Security Technologies
   Analyzing OS fingerprints using Neural Networks and Statistical Machinery

   van Hauser - thc
   Attacking the IPv6 protocol suite

   Yuji Ukai - eeye 
   Exploiting Real-Time OS Based Embedded Systems Using the JTAG Emulator

   Nguyen Anh Quynh - Keio University
   XEBEK: A Next Generation Honeypot Monitoring System

   Fred Raynal - EADS
   Malicious Crypto

   Cesar Cerrudo - Argeniss
   Windows Local Shellcode Injection

   Andrew Cushman - Microsoft
   Windows Security Fundamentals

   Sheeraj Shahi - Net Square
   Advanced Web Hacking - Attacks & Defense

   Andy Davis - IRM PLC
   ColdFusion Security

   Tim Hurman - Pentest Ltd.
   ARMed combat: the fight for personal security

   Raffael Marty - ArcSight
   A Visual Approach to Security Event Management

   Michael Boman - KPMG Singapore
   Network Security Monitoring: Theory and Practice

   Jim DeLeskie & Danny McPherson - Teleglobe, Arbor Networks
   Protecting the Infrastructure

   Andrea Barisani - Inverse Path
   Lessons in Open Source Security: The Tale of a 0-Day Incident

We would also like to announce the final list of Security
Masters Dojo courses that will be offered on February 16th
and 17th at the Victoria Park Plaza Hotel. Seats are
available for all courses, but course registration is
limited to only ten students each. We are considering
adding additional course sessions on Feb 23/24 if
demand warrants it. The hands-on courses offered
will be:

Gerardo Richarte - Core Security Technologies
Assembly for Exploit Writing

Marty Roesch - Sourcefire
Advanced IDS Deployment and Optimization

Maximillian Dornseif  & Thorsten Holtz - Aachen University
Advanced Honeypot Tactics

Philippe Biondi - EADS
Mastering the Network with SCAPY

Renaud Deraison & Nicolas Pouvesle - Tenable Network Security
Vulnerability Scanning: Advanced Nessus Usage

Laurent Oudot & Nico Fischbach - rstack, COLT telecom
Applied network security and advanced anomaly detection using
   state-of-the art honeypots and netflow/NIDS

Cédric Blancher - EADS
Practical 802.11 WiFi (In)Security 

Adam Laurie & Martin Herfurt &  Marcel Holtmann - trifinite
Bluetooth Technology Security


Vendors Presentations for the Elevator Focus Groups will
be announced shortly.

Registration:
---

Seats are available but limited for EUSecWest, and registration 
is open at: https://eusecwest.com/register.html

Security Masters Dojo/London registration is now open
at: https://eusecwest.com/courses.html

Contact [EMAIL PROTECTED] for registration support or
corporate sponsorship inquiries.

*

CanSecWest/core06 CALL FOR PAPERS 


VANCOUVER, Canada -- The seventh annual CanSecWest
applied technical security conference - where the
eminent figures in the international security
industry will get together share best practices
and technology - will be held in downtown Vancouver
at the Marriott Renaissance Harbourside on
April 3-7, 2006.  The most significant new discoveries
about computer network hack attacks and defenses,
commercial security solutions, and pragmatic real
world security experience will be presented in 
a series of informative tutorials.

The CanSecWest meeting provides international researchers
a relaxed, comfortable environment to learn from informative
tutorials on key developments in security technology, and
collaborate and socialize with their peers in one of the 
world's most scenic cities - a short drive away
from one of North America's top skiing areas.

In addition to the usual one hour tutorials, panel sessions
and highly entertaining 5 minute "lightning" talks, this 
conference will also feature a new session called 
"Elevator Focus Groups". Featuring several short 
sessions, these commercial presentations will showcase 
new, significantly used, or dramatically innovative 
new products in the information security realm.
Each selected vendor will have a short 10 minute 
presentation ("elevator pitch"), after which 10 minutes 
of audience Q&A and interactive discussion amongst 
the expert security practitioners attending will follow. 
In this session both the audience and the vendors can
get valuable feedback from world leading experts and
the attendees can get user evaluations and learn 
from sharing experiences and real world security 
applications about practical uses of the products - the 
"focus group." Hence the name: Elevator Focus Groups.

The CanSecWest conference will also feature the availability
of the Security Masters Dojo expert network security sensei

EUSecWest/London Call for Papers and PacSec/Tokyo announcements

2005-11-07 Thread Dragos Ruiu

url: http://eusecwest.com
url: http://pacsec.jp

(PacSec/Tokyo Announcement below...)

EUSecWest/core06 CALL FOR PAPERS 


London Security Summit February 20/21 2006

LONDON, United Kingdom -- Applied technical security
will be the focus of a new annual conference from the 
organizers of CanSecWest, and PacSec, which is sponsored 
by the U.K. government CESG - where the eminent
figures in the international security industry will
get together with leading European researchers to
share best practices and technology.  The most
significant new discoveries about computer network
hack attacks and defenses, commercial security
solutions, and pragmatic real world security experience
will be presented in central London at the Victoria
Park Plaza hotel on February 20 and 21. 

The EUSecWest meeting provides international researchers
a relaxed, comfortable environment to learn from informative
tutorials on key developments in security technology, and
to collaborate and socialize with their peers in one of the 
world's hubs of IT activity - downtown London.

In addition to the usual one hour tutorials, panel sessions
and highly entertaining 5 minute "lightning" talks, this 
conference will also feature a new session called 
"Elevator Focus Groups". Featuring several short 
sessions, these commercial presentations will showcase 
new, significantly used, or dramatically innovative 
products in the information security realm. Each 
selected vendor will have a short 10 minute 
presentation ("elevator pitch"), after which 10 minutes 
of audience Q&A and interactive discussion amongst 
the expert security practitioners attending will follow. 
In this session both the audience and the vendors can
get valuable feedback from world leading experts.
The attendees can get user evaluations and learn 
from sharing experiences about real world security 
applications and the practical uses of the products - the 
"focus group." Hence the name: Elevator Focus Groups.

The EUSecWest conference will also feature the availability
of the Security Masters Dojo expert network security sensei
instructors, and their advanced, and intermediate, hands-on
training courses - featuring small class sizes and practical
application exercises to maximize information transfer.

We would like to announce the opportunity to submit papers, 
lightning talk proposals, and elevator focus candidate products 
for selection by the EUSecWest technical review committee.

Please make your proposal submissions before December 1st 2006.
Slides for the papers must be submitted by February 1st 2006. 

Some invited papers have been confirmed, but a limited 
number of speaking slots are still available. The conference is 
responsible for travel and accommodations for the speakers. If you
have a proposal for a tutorial session then please email a 
synopsis of the material and your biography, papers and
speaking background to [EMAIL PROTECTED]. Only slides
will be needed for the February paper deadline, full text
does not have to be submitted.

The EUSecWest/core06 conference consists of tutorials on technical
details about current issues, innovative techniques and best 
practices in the information security realm. The audiences are a 
multi-national mix of professionals involved on a daily basis 
with security work: security product vendors, programmers, 
security officers, and network administrators. We give 
preference to technical details and new education for a 
technical audience.

The conference itself is a single track series of presentations
in a lecture theater environment.  The presentations offer
speakers the opportunity to showcase on-going research
and collaborate with peers while educating and highlighting
advancements in security products and techniques. 
The focus is on innovation, tutorials, and education
instead of product pitches. Some commercial content 
is tolerated, but it needs to be backed up by a technical 
presenter - either giving a valuable tutorial and best 
practices instruction or detailing significant new 
technology in the products. 

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport)
   and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, Proposed paper title, and a one paragraph description.
6) Reason why this material is innovative or significant or an 
important tutorial.
7) Optionally, any samples of prepared material or outlines ready. 

Please include the plain text version of this information in your email
as well as any file, pdf, or html attachments.

Please forward the above information to [EMAIL PROTECTED] to
be considered for placement on the speaker roster, have your lightning
talk scheduled, or submit your product for inclusion in th

Re: passlogd sniffer remote buffer overflow root exploit.

2003-04-04 Thread Dragos Ruiu
On April 3, 2003 08:24 am, dong-h0un U wrote:
> Hello.
>
> Exploit confirmed possible truth in OpenBSD.
> But, I did not exploit.
> Also, did not test in RedHat 8.0.
...
> /*
> **
> ** [*] Title: Remote Multiple Buffer Overflow vulnerability in passlogd sniffer.
> ** [+] Exploit code: 0x82-Remote.passlogd_sniff.xpl.c
...

I'm a little unclear on the meaning of "truth" here, but
ProPolice will stop this exploit from working on OpenBSD 3.3 or
-current/cvs.

etoh++ :-)

cheers,
--dr

-- 
pgpkey http://dragos.com/ kyxpgp   -- http://cansecwest.com


CanSecWest/core03

2002-09-20 Thread Dragos Ruiu


CALL FOR PAPERS: CanSecWest/core03

The fourth annual CanSecWest computer security training
conference is scheduled to be held April 16-18 2003 in 
Vancouver, British Columbia, Canada.

Submissions and presentation proposals for tutorials 
for this conference will be accepted during the months 
of September and October 2002, with preference given 
to submissions made in September.

The CanSecWest conferences consist of tutorials on 
advanced technical details about current issues, innovative 
techniques and best practices in the information security 
realm. The audiences are a multi-national mix of professionals
involved on a daily basis with security work: security product 
vendors, programmers, security officers, and network 
administrators. We give preference to technical details 
and education for a technical audience.

The conference itself is a single track series of presentations
in a lecture theater environment.  The presentations offer
speakers the opportunity to showcase on-going research
and collaborate with peers while educating and highlighting
advancements in security products and techniques. 
The focus is on innovation, tutorials, and education
instead of overt product pitches. Some commercial content 
is tolerated, but it needs to be backed up by a technical 
presenter - either giving a valuable tutorial and best 
practices instruction or detailing significant new 
technology in the products. 

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport)
   and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, Proposed paper title, and a one paragraph description.
6) Reason why this material is innovative or significant.
7) Optionally, any samples of prepared material or outlines ready. 
8) Optionally, list any software, source code or new information
   scheduled to be released and available for publication on the
   conference CD.

Please forward the above information to [EMAIL PROTECTED] to
be considered for placement on the speaker roster.

Details of presentation logistics:

Presenters do not have to submit full text of their materials,
but do have to submit slides and any accompanying software/demo 
information at the deadline one month before the conference. 
Presentations are nominally one hour in length, and exceptions
must be justified. (And this year this will be a very strict 
limit, and we will try to have few or no exceptions.) Internet
access (wireless or other) and av projection is provided for
live demonstrations.

Vendor display or corporate sponsorship inquiries and 
requests for attendee or exhibitor information should be 
directed to [EMAIL PROTECTED]. The conference
site and registration system is at: http://cansecwest.com

--dr  pgpkey: http://dragos.com/dr-dursec.asc
0 = 1 , for large values of zero and small values of one.




fragroute vs. snort: the tempest in a teacup

2002-04-18 Thread Dragos Ruiu


Just a quick follow-up to the fragroute alarmism (which I see has
prompted Mr. James Middleton at vnunet to write a news story 
"Evasion tool put's Snort's nose out of joint" :-). First, this
is not a snort-only issue, as I would wager other idses have as
many if not more evasion modes as well as sharing these with Snort...

But upon further analysis, this issue is a bit of a tempest in 
a teacup, as a vast majority of these attack obfuscations, particularly
the IP fragmentation ones are not a real threat in practice, because
they are not actually useable in real networks except on vulnerable
bastion hosts.  Most firewalls these days (especially Linux and OpenBSD 
ones) actually do reassembly inbound. This was an interesting point 
discovered recently when it was realized that the snort defragger was 
actually never getting touched at all in some installations.  So in 
reality these fragroute obfuscations are actually obfuscating things 
from the firewall rather than from internal snort sensors. Which is 
just fine, as snort will see the same traffic as a system being 
attacked... and therefore operate properly.

Theo DeRaadt coined the best answer for fragrouter in this procedure, a 
single word: scrub.

So in practice, the fragment level obfuscations are usually hidden/scrubbed 
from internal snort sensors by the firewalls... but that's ok because they are 
also hidden from most of the target systems too... ;) and therefore the 
attack is of not much value or cause for alarm as it will either be 
stripped of obfuscation or broken and not be a concern or significant 
threat.

cheers,
--dr

-- 
--dr  pgpkey: http://dragos.com/dr-dursec.asc
  CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com




Re: Snort exploits

2002-04-17 Thread Dragos Ruiu

Heh, well... first... don't panic. :-)

First of all I would like to commend Dug on his responsible disclosure stance.
He has given the IDS vendors several months heads up that this stuff is in the 
pipe...  I think everyone who needed to know knew this was coming down the pipe,
so this is in _no_ way critical of him.

I was actually expecting him to release fragroute on the CanSecWest conference CD,
for his talk on it there and am preparing some appropriate counter measures for the 
variant of snort I was going to put on there.  Been kinda swamped with conference 
preparations so please do not ask me for any of this in advance of the conference.
Odds are now that this info has gone out snort cvs will have fixes for this
in a matter of hours or days...

The TCP evasions are fairly easily detectable as overlaps should not normally occur.
I'm sure Marty or Andrew will be releasing some tweaks to stream4 shortly to 
address this. It is just a matter of slightly more rigorous alerting and
an occasional little bit of extra noise.

Similarly the IP fragmentation detection just needs slightly more rigorous
overlap detection and alerting, as these overlaps will not be occurring in 
normal situations.  For now as a workaround you can just alert on small fragments
(resurrect minfrag... heh) which should be indicative of games being played.
Note that some of these overlaps were successful in snort 1.8.x because the
teardrop detection had a bug in it which was recently found and was only fixed 
again in snort 1.8.4.  The moral of the story is that it pays to keep your copy
of snort current. :-)

Basically all the chaffing at the IP and TCP level is detectable as those 
should not be normal conditions. Look to snort cvs over the next few days
for solutions to these issues...

To Dug:

As far as playing timing games in the future, well the solution for this and some
other problems will be target based reassembly which varies reassembly timing
and overlap behaviour based on destination to mimic host specifics.  And though
the current frag2 snort defragger features deterministic timeout behaviour
the earlier defrag reassembler had non-deterministic timeout behaviours on purpose
to specifically avoid timeout games and this kind of behaviour will likely be 
resurrected on future defraggers. I have had a defragger in the works for, oh, 
a long time... :)  that fixes this and some other issues. Guess Marty, I, and 
the other snort developers have to get off our lazy asses (since snort development 
proceeds so slowly :-) and fix that now.  Heh... I'm being sarcastic for those 
that didn't note.

The same logic and procedures can be applied at the TCP level as well as
at the IP fragmentation layer BTW.

To everyone else:

The game of evasion and countermeasures is the snake eating its tail and you 
shouldn't be naive and assume that there aren't other evasions out there because 
there are _always_ other obfuscations and countermeasures, and then detectors for 
those. That's why you pay us snort developers the big bucks, and you should keep
your ids builds current fairly often... to keep you safe from that. :-)

But using fairly loaded terms like "blindside" is just excessively alarmist imho.

cheers,
--dr


On Tue, 16 Apr 2002 20:07:12 -0700
[EMAIL PROTECTED] wrote:

> 
> I didn't see it posted to these lists, but yesterday Dug Song quietly released a
> tool on the focus-ids list which totally blindsides Snort -
> http://www.monkey.org/~dugsong/fragroute/index.html. His README.snort file contains
> several fragroute scripts which blindside even the current Snort version in CVS,
> tested on RedHat 7.2. For example, the latest wu-ftpd exploits run through the one
> line "tcp_seg 1 new" don't trigger any Snort alerts at all.
> :( :(
> 
> Fragroute is a very powerful new tool. Has anyone found other attacks against Snort
> with it, or tried it against any other IDS for that matter?
> 
> 
> -=+ 0xCafeBabe +=-
> 
> 
> 
> 
> 
> 


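Added example (not code from the original thread, from Snort, or from fragroute) showing the kind of check the reply describes: a small IP-fragment chaffing detector that flags overlapping fragment ranges and tiny non-final fragments in the spirit of "minfrag". The 64-byte threshold, the header builder and the three-fragment sample stream are constructed assumptions.

```c
/* Added example, not from the original thread or from Snort: flags the two
 * IP-level chaffing patterns the reply says should never occur in a normal
 * stream, overlapping fragments and tiny non-final fragments ("minfrag").
 * MIN_FRAG_BYTES and all sample packets below are constructed assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAGS      32
#define MIN_FRAG_BYTES 64   /* assumed threshold for a suspiciously small fragment */

enum { FRAG_OK = 0, FRAG_SMALL = 1, FRAG_OVERLAP = 2 };

/* A fragment as a sensor sees it; offset and length are in bytes. */
struct frag {
    uint16_t id;      /* IP identification field shared by all fragments */
    uint16_t offset;  /* payload offset in bytes (header field * 8) */
    uint16_t len;     /* payload bytes carried by this fragment */
    int      more;    /* MF flag: more fragments follow */
};

/* Reassembly state the detector keeps for one datagram id. */
struct frag_state {
    int n;
    struct frag seen[MAX_FRAGS];
};

/* Decode id, offset, MF and payload length from a raw IPv4 packet.
 * Returns 0 (and decodes nothing) for runt or inconsistent input. */
int frag_from_ipv4(const uint8_t *pkt, size_t len, struct frag *out)
{
    if (len < 20) return 0;
    unsigned ihl   = (pkt[0] & 0x0f) * 4u;
    unsigned total = ((unsigned)pkt[2] << 8) | pkt[3];
    unsigned fo    = ((unsigned)pkt[6] << 8) | pkt[7];
    if ((pkt[0] >> 4) != 4 || ihl < 20 || total < ihl || total > len) return 0;
    out->id     = (uint16_t)(((unsigned)pkt[4] << 8) | pkt[5]);
    out->offset = (uint16_t)((fo & 0x1fffu) * 8u);
    out->len    = (uint16_t)(total - ihl);
    out->more   = (fo & 0x2000u) != 0;
    return 1;
}

static int ranges_overlap(const struct frag *a, const struct frag *b)
{
    uint32_t a_end = (uint32_t)a->offset + a->len;
    uint32_t b_end = (uint32_t)b->offset + b->len;
    return a->offset < b_end && b->offset < a_end;
}

/* Check one fragment against what was already seen for its datagram, then
 * record it. Returns a bitmask of FRAG_SMALL / FRAG_OVERLAP; 0 means clean. */
int frag_check(struct frag_state *st, const struct frag *f)
{
    int flags = FRAG_OK;
    /* Real stacks emit non-final fragments close to the MTU; a tiny one is
       the classic way to split a signature across fragment boundaries. */
    if (f->more && f->len < MIN_FRAG_BYTES) flags |= FRAG_SMALL;
    /* A byte range already covered is never re-sent in a normal stream;
       overlapping retransmissions are the evasion being discussed. */
    for (int i = 0; i < st->n; i++)
        if (ranges_overlap(&st->seen[i], f)) { flags |= FRAG_OVERLAP; break; }
    if (st->n < MAX_FRAGS) st->seen[st->n++] = *f;
    return flags;
}

/* Build a constructed 20-byte IPv4 header (no options) in front of a payload. */
static void mk_ipv4(uint8_t *buf, uint16_t id, unsigned off8, int mf, unsigned payload)
{
    unsigned total = 20 + payload;
    unsigned fo    = (mf ? 0x2000u : 0u) | (off8 & 0x1fffu);
    memset(buf, 0, 20);
    buf[0] = 0x45;
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)(total & 0xff);
    buf[4] = (uint8_t)(id >> 8);    buf[5] = (uint8_t)(id & 0xff);
    buf[6] = (uint8_t)(fo >> 8);    buf[7] = (uint8_t)(fo & 0xff);
    buf[9] = 6; /* protocol byte (TCP); not used by the fragment check */
}

/* Feed a constructed three-fragment stream through the detector and return
 * how many fragments raised at least one flag. */
int run_sample(void)
{
    uint8_t pkt[20 + 64] = {0};
    struct frag f;
    struct frag_state st = {0};
    /* (offset in 8-byte units, MF, payload bytes): two tiny leading fragments,
       then a final fragment rewriting bytes 16..47 that were already seen. */
    const unsigned sample[3][3] = { {0, 1, 24}, {3, 1, 24}, {2, 0, 32} };
    int alerts = 0;
    for (int i = 0; i < 3; i++) {
        mk_ipv4(pkt, 0x1234, sample[i][0], sample[i][1], sample[i][2]);
        if (!frag_from_ipv4(pkt, 20 + sample[i][2], &f)) continue;
        int r = frag_check(&st, &f);
        printf("id=%04x off=%u len=%u mf=%d -> %s%s\n", (unsigned)f.id,
               (unsigned)f.offset, (unsigned)f.len, f.more,
               (r & FRAG_SMALL) ? "SMALL " : "", (r & FRAG_OVERLAP) ? "OVERLAP" : "");
        if (r) alerts++;
    }
    return alerts;  /* 3 for the constructed stream */
}

int main(void) { return run_sample() == 3 ? 0 : 1; }
```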




802.11 wep broken

2001-02-05 Thread Dragos Ruiu

url: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

Be careful with your wireless networks.

cheers,
--dr

--
Dragos Ruiu <[EMAIL PROTECTED]>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
CanSecWest/core01: March 28-30, Vancouver B.C.
Speakers: a whole bunch of cool guys and the massive sig was a pain see 
http://dursec.com



Re: kyxspam: isc loses mind

2001-02-03 Thread Dragos Ruiu

On Fri, 02 Feb 2001, Jim Reid wrote:
> >>>>> "Dragos" == Dragos Ruiu <[EMAIL PROTECTED]> writes:
>
> Dragos> Not only is it NOT solid according to past record
>
> So I suppose the 10-12,000 DNS queries that get answered every second
> by a.root-servers.net or the ~5,000/second that f.root-servers.net
> answers are handled by something that isn't solid. Or the overwhelming
> number of DNS lookups on the internet go to something that isn't
> solid. I see. You have a rather strange perception of solid.
>

I am not referring to its operational ability to handle query load,
but to its track record of being able to maintain security integrity.

> Dragos> As a response to Mr. Vixie: Yes, bind9.1, the proprietary,
> Dragos> commercial, closed source software version of named by the
> Dragos> ISC
>
> This nonsense is so ridiculous that it must be corrected immediately.
> BIND9.1 is not any of these things. Go to ftp.isc.org and pick up the
> source code (blatant hint #1) and read the copyright (blatant hint #2).
> After you've done that, kindly retract the above remarks publicly.
>

Yes, I will admit to sarcasm here, in case it wasn't evident or you did not
pick up on it (considering I talked about browsing the code in the part of the
sentence you edited out).  But I do believe you understand the point I was
trying to make even though you are being a semantic stickler. I guess I
must have hit some nerve if you have to resort to the petty tactic of quibbling
on semantics about statements out of context.

You have the luxury of being able to ignore or dismiss as irrelevant any
proclamations I may make about bind, but the majority of the internet users,
locked into using bind do not have the luxury of being able to ignore the
edicts of the ISC when it comes to releasing security information about it
(especially with all the developers and knowledgeable parties muzzled by
potentially restrictive NDAs)  or distributing security patches for the code
in a timely fashion.

cheers,
--dr

--
Dragos Ruiu <[EMAIL PROTECTED]>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

http://cansecwest.com
CanSecWest/core01: March 28-30, Vancouver B.C.  ^
Speakers: Renaud Deraison/Nessus Attack Scanner, Martin Roesch/Snort/Advanced IDS,
  Ron Gula/Enterasys/Strategic IDS, Dug Song/Arbor Networks/Monkey in the Middle,
  RFP/Whisker2.0 and other fun, Mixter/2XS/Distributed Apps, Theo DeRaadt/OpenBSD,
  K2/w00w00/ADMutate, HD Moore/Digital Defense/Making NT Bleed, Frank Heidt/@Stake,
  Matthew Franz/Cisco/Trinux/Security Models, Fyodor/insecure.org/Packet Reconnaissance,
  Lance Spitzner/Sun/Honeynet Fun, Robert Graham/NetworkICE/IDS Technology Demo,
  Kurt Seifried/SecurityPortal/Crypto: 2-Edged Sword, Dave Dittrich/UW/Forensics,
  Sebastien Lacoste-Seris & Nicolas Fischbach/COLT Telecom/Securite.Org/Kerberized
  SSH Deployment, Jay Beale/MandrakeSoft/Bastille-Linux/Securing Linux



Re: kyxspam: isc loses mind

2001-02-02 Thread Dragos Ruiu

On Thu, 01 Feb 2001, Darren Coleman wrote:
> We've all managed to survive using BIND for the past x years - I don't see
> what has radically changed overnight.  It's taken as given nowadays that
> large, complex systems/software contain bugs, exploits, overflows.. etc etc.
> The fact that "the majority" (I would hazard 90%+) of the DNS servers on the
> Internet are using BIND, and there has been few *serious* incidents
> (considering how much exposure the software gets, the considerable variances
> in load it is placed under (ie. ISC's own rootserver serving over 272
> million queries per day (by ISC's own estimations)), etc) goes to show that
> as software goes, BIND is pretty solid.
>

I guess you've never been rooted through bind then.

I've lost count of the number of incidents I've dealt with on my own and my
customer's boxes that involved named exploits as the initial entry vector.
Chrooted, etc... doesn't matter, still massively insecure... they've all had
serious holes, and widely distributed and used exploits. I put named right up
with httpd, ftpd, and rpc as one of the most exploited services, hardly
something to call solid.

As far as the ISC's long-term security track record... I've also dealt with
some security incidents involving their DHCP software too. :-)

2-3 years ago, I had one box in my own office right next to my desk that was
rooted three times over the space of 6 months through bind - with different
exploits each time. Maybe I have a different definition of serious than you
do. Wasn't named how one 17 year old kid from one of the nordic
European countries took over 17,000+ (!) computers a while back? That sounds
serious enough to me.

Not only is it NOT solid according to past record, configuring it is arcane
and the majority of installs I encounter are broken in one fashion or another.
bind = malware by design apparently.

I differ with your opinion on bind security, and the fact that 90% of the
internet runs the same named software sounds like a problem to me. As I said...
monoculture. A single point of failure waiting to happen. What happens to 90%
of the net when the next bind9.x worm carries "rm -rf /" set up to execute at a
certain time as its payload?

As a response to Mr. Vixie:  Yes, bind9.1, the proprietary, commercial, closed
source software version of named by the ISC, with its planned, for-pay,
inner-circle, CVS servers is a cleaner bit of software (or at least it looks
like it from a quick browse through the code). And as a ground up rewrite, we'll
see the security track record of this fresh code soon enough... :-P   But I
still think there should be a widely used alternative, and that the ISC is
making a grave error by closing the sources/CVS and limiting the distribution
of security information via non-disclosure agreements for something that many
don't have any choice but to use.

For the record, I use djb-dns on production systems because I've spent too much
time reinstalling systems rooted because of bind.  I make no warranties
that it is more secure than bind, but it does have the advantage of
simply being different. And there is no cabal hoarding security info for
it. Djb-dns is mostly good stuff (other than some magic numbers and sparsely
commented code), however the license that prevents the distribution of patches,
modifications, or derivatives by anyone except DJB is a problem with its
inclusion in a distribution.  I'm told that several people have tried to get
Mr. Bernstein to soften his stance on this but he remains adamant.

I'm also told the OpenBIND domain was registered yesterday... :-) They can count
on me as a developer and future user, whomever the members of that group turn
out to be, if Mr. Vixie presses on with his "bind-members" idea in light of
all the negative sentiments it has stirred up.

From all the sympathetic mail comments I have received as a result of this
discussion I know I'm not alone in holding these opinions.  The ratio of
people I've heard from that seem to be in agreement vs. dissenting seems
to be roughly 10:1 to me. Hardly a scientific poll, but to me that says that the
ISC is going against the wishes of its user base on the internet with these
plans, driven by their commercial desires to increase their development dollar
coffers. Maybe in the end it will all be for the better, as they alienate
enough of their user base to drive them to develop another alternative, and in a
fashion, the problem will be fixed.

cheers,
--dr

--
Dragos Ruiu <[EMAIL PROTECTED]>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

http://cansecwest.com
CanSecWest/core01: March 28-30, Vancouver B.C.  -

kyxspam: isc loses mind

2001-02-01 Thread Dragos Ruiu
gs of security or other important flaws
>3. Periodic in-person meetings, probably at IETF's conference sites
>4. Participation on the bind-members mailing list
>
> If you are a BIND vendor, root or TLD server operator, or other interested
> party, I urge you to seek management approval for entry into this forum, and
> then either contact, or have a responsible party contact, [EMAIL PROTECTED]
>
> Paul Vixie
> Chairman
> ISC

--
Dragos Ruiu <[EMAIL PROTECTED]>   dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

http://cansecwest.com
CanSecWest/core01: March 28-30, Vancouver B.C.  ^



Re: Packet Tracing (linux klog patch)

2000-02-17 Thread Dragos Ruiu

In a word.. no I'm not sure because I haven't seen
it here. That is not an indication that it isn't necessarily there.
Of course I'm testing using an smp machine that isn't
doing anything else but that sooo it may not be a valid test.
I'll ask you about more symptoms of that off line and get
back to the list with a summary.

I just peeked at NeTraMet again - still looks neat. I looked
at it last summer or fall and had decided that I really didn't
want an SNMP mib hollering my traffic statistics to the world
so that stealth attacks can come in more easily. But I'll look
at it again... Does anyone have any benchmark data for it?
Then I'll look at my isp's netflow settings on their router. :-)
I've never looked hard at the security of cisco netflow. :-(
Has anyone else?

In similar veins, for more lightly loaded networks, you should
check out ntop, and for heavier loads snort's logging. One
other option is good old tcpdump or maybe logging in iptraf.
I wanted to put this in the kernel to provide an almost binary
bare sensor system to add just one more layer of fun and
hassle for intrusion.

Removable drive carriers allow export of the data to analysis
stations because the sensors are so stripped as to make them virtually
useless for any other function and hopefully devoid of most
vulnerabilities. Kernel, sh, syslogd and a trivial filesystem should
suffice. Maybe only kill, cp/mv and cron for log files.
As a matter of fact you should even be able to disable
the IP stack and have it work. Call it the data motel
security model and approach... :-)

cheers,
--dr

On Tue, 15 Feb 2000, Andrzej Bialecki wrote:
> On Sat, 12 Feb 2000, Dragos Ruiu wrote:
>
> > How to use it:
> > -This patch makes the kernel log all ethernet packets to syslog.
> > -The logging happens at the default level.  I.e. normally on.
> > -You can turn logging on and off at the console by using the Magic SysRq key
> >  and a number to change the logging level.
> > -Put the interface into promiscuous mode: ifconfig eth0 promisc
> >
> > Notes:
> > -It makes a neat hotkey sniffer when using the text console too.
> > -It seems to run pretty fast. Any benchmark data welcome(-->[EMAIL PROTECTED]).
> > -try a tail -f /var/log/messages for real time display
>
> I was wondering... Are you sure it doesn't overrun the kernel message
> buffer? I noticed that sometimes, when you produce tons of messages from
> within the kernel, some of them are lost.
>
> I would rather use package as NeTraMet for doing this - it also does very
> nice traffic compression in the form of flows - very fast, extremely
> flexible, uses standard libpcap, doesn't require kernel patching etc...
>
> Andrzej Bialecki
>
> //  <[EMAIL PROTECTED]> WebGiro AB, Sweden (http://www.webgiro.com)
> // ---
> // -- FreeBSD: The Power to Serve. http://www.freebsd.org 
> // --- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ 
--
dursec.com / kyx.net - we're from the future  http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - April 19-21 Vancouver

Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
  RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com



Re: A DDOS proposal.

2000-02-15 Thread Dragos Ruiu

Thank you all for your kind comments, offers of help and input about my
attack signalling system proposal. Here are some comments to the comments:

Re: In-band vs. Out of band signalling

In our tests so far, though we've found some pretty devastating attacks, none
of the host targeted attacks has succeeded in producing 100% saturation/failure
to the point where an outbound connection with some determined re-try and
process priority could be completely defeated.  My hypothesis at this point is
that an in band notification or signalling that would survive DoS could be
built. If not with TCP certainly with an aggressive UDP re-transmitter. You
will likely be able to squeak out that alarm packet eventually (even with TCP I
think). If anyone has some evidence to contradict this I would love to hear
about it. I estimate that out-of-band signalling is -very- expensive
(perhaps prohibitively). Let's save that for the big e-commerce sites.

Having avoided the temptation (:-) to take out a whole bunch of systems and
try a test with a massive number of nodes our tests have been limited to the
small number (<10) of links we could cobble up with our employees' home
cablemodem/adsl links and other scrounged systems and T1's from friends, but
there seemed to be little effect difference as we increased the number of
nodes.  DDOS seems to be a bandwidth game, and he/she with the most bandwidth
wins.  If some people would like to volunteer to set up a massive number of
systems in a testbed, we're game. We can even play target, but I may have to
talk to my ISPs and warn them. :-) C'mon, this is way more fun than Seti@Home.

Re: DoS the victim and the relay Defenders simultaneously

One of the theoretical side effects of this "Defender" system is that there
will be a big bull's eye painted on the Defender node - they will likely
become a target of choice so that you can get past them and do some mischief.
This is both good and bad, good because the obvious target can be fortified and
watched appropriately, bad because it's, well a target.  However DoSing the
Defender will hardly qualify as a stealth maneuver... when you see all that
traffic to it you will pretty much know that -something- is going down. (And
you -should- be watching.) I would be worried much more about the stealthy
clean up the complaints penetration.

Re: AI-driven attack sensing

There are a huge number of ways to wire this into advanced IDSes and the like.
I think there will be a lot of vendors who may wish to differentiate themselves
or improve their features in this way.  I was only proposing a rudimentary human
operated triggering - you'd think that only server operators would care enough
about ddos and uptime to go to the trouble of getting themselves wired into
such a system at first. I'm sure there will be lots of other clever ideas here.

Re: Coding trivial

I didn't mean to downplay the difficulty of really securing an app. But the
effort here still seems dwarfed to the policy and political issues to be
overcome to make this work. A prototype is not a long reach, I maintain.

Re: InterNIC whois as a contact instead.

First of all, for small companies they might work, but I've -tried- on many
occasions with more mundane portscans and attacks to contact operators of
servers attacking us to warn them about potential compromises.  My success rate
is less than 10%.  And you would be surprised at the number of sites that are
seemingly unreachable by telephone (even some big ones). Then let's consider the
language and geography issues of attacks from different countries.

Another issue if you get attacked by forlorn.subgroup.megacorp.com and you
contact the whois for megacorp.com in likely a different city is that it may
take you a long time to reach the operator of the attack system - if you can
at all (sysadmins for large companies seem to have developed the best telephone
call avoidance technologies around :-).

The other point here is that the ISPs Defender daemon would be able to contact
many sites en-masse (this is for -distributed- attacks) if the other ISPs have a
server listening for such requests. When was the last time you tried to contact
100 server operators, never mind 1000? (Guys from Yahoo need not answer. :-)
The idea is to distribute the contact work to the ISPs responsible rather than
saddling the victim with the burden as we do now.

When I used to chase down attacks on our servers to warn sysops (I don't
anymore, declaring it futile), it would take me on the average of a day per
system if it worked, and I used to time out on it after more than a day - which
led to the abysmal success rate. Normally it would take at least four phone
calls before you got to someone who understood what you were talking about.
Maybe things are better now with all this DDOS visibility, but I doubt it.

Re: RTBL and blocking

Yes, some extension may be feasible but the issue here is not some
voluntary opt in filtering, but squelching and securin

Packet Tracing (linux klog patch)

2000-02-14 Thread Dragos Ruiu

One of the problems that people have is logging the origin of the attack
streams and tracing packet paths through the networks. Here is a small bit of
code that may help you inexpensively deploy some packet loggers at key
network ingress/egress points. The real solution is to get Dragon or NFR or some
other really kick ass IDS sensor stuff. But for those ISPs on a budget, that
just want to build a quick and dirty forensic logger to track down or follow the
path to the origin of attacks, here is a Linux kernel patch that turns any Linux
system into an ethernet logger that records mac address, ip address, ports and
protocols with a timestamp in the system log.

It can be activated and deactivated at the system console with
two keystrokes, see build instructions below. It's from a tool set of an
article I was working on, but it seemed relevant so I'll release it in
advance.  It started life as a project to build a sniffer small enough to
type from memory. It's simple enough that you should be able to tweak
the output format to suit your own tastes. It is intended to be small
and light so as to lose as few packets as possible.

One nice application is to build a very stripped down Linux system
and turn it on to log packets using a simple low cost pc or rack server.
Depending on your traffic rate and your disk size you may be able to store a
pretty good time window of traffic. If it's not enough... time for a commercial
product with fancy data structures and compression. :-)  We'll be covering
stuff like this during our training at CanSecWest (plug, plug :-).

P.S. I have a message for all the silly bad ass ddos bozos:
   If this is for fun... you'll probably have less fun in the
   long run by being detrimental to others.

comments, feedback, enhancements welcome...
--dr
kyx.net

Learn Kanga-Foo - www.dursec.com

This is a patch for /usr/src/linux/net/ethernet/eth.c:
--kyxkyxkyxkyxkyxkyxkyxkyxkyxkyx--

***
*** 182,196 
--- 184,295 
unsigned char *rawp;

skb->mac.raw=skb->data;
+
+   /*Linux Kernel Forensic Logger [EMAIL PROTECTED]*/
+   eth = skb->mac.ethernet;
+   if( *((u16*)((u8*)skb->data+12)) == 0x0608 )
+   {
+   printk(">>ARP<< ");
+   if(*((u16*)((u8*)skb->data+20)) == 0x0100)
+   printk("req ");
+   else if(*((u16*)((u8*)skb->data+20)) == 0x0200)
+   printk("REP");
+   printk("T:%03d.%03d.%03d.%03d:%02x%02x%02x%02x%02x%02x 
+S:%03d.%03d.%03d.%03d:%02x%02x%02x%02x%02x%02x\n",
+   *((u8*)skb->data+38), *((u8*)skb->data+39), 
+*((u8*)skb->data+40),
+   *((u8*)skb->data+41), *((u8*)skb->data+32), 
+*((u8*)skb->data+33),
+   *((u8*)skb->data+34), *((u8*)skb->data+35), 
+*((u8*)skb->data+36),
+   *((u8*)skb->data+37), *((u8*)skb->data+28), 
+*((u8*)skb->data+29),
+   *((u8*)skb->data+30), *((u8*)skb->data+31), 
+*((u8*)skb->data+22),
+   *((u8*)skb->data+23), *((u8*)skb->data+24), 
+*((u8*)skb->data+25),
+   *((u8*)skb->data+26), *((u8*)skb->data+27));
+   }
+   else if( *((u16*)((u8*)skb->data+12)) == 0x0008 )
+   {
+   printk(">>IP<< ");
+   switch(*((u8*)skb->data+23))
+   {
+   case 1: printk("ICMP%d ", ((u8*)skb->data+34));
+   break;
+   case 2: printk("IGMP ");
+   break;
+   case 0x11: printk("UDP ");
+   }
+   if (*((u16*)((u8*)skb->data+34)) == 0x4300 ||
+   *((u16*)((u8*)skb->data+36)) == 0x4400)
+   {
+   printk("DHCP ");
+   if(*((u8*)skb->data+42) == 1)
+   printk("req ");
+   else  if(*((u8*)skb->data+42) == 2)
+ printk("REP ");
+   else printk("invalid ");
+   }
+   else if(*((u16*)((u8*)skb->data+34)) == 0x3500 ||
+   *((u16*)((u8*)skb->data+36)) == 0x3500)
+   printk("DNS ");
+   printk("s:%03d.%03d.%03d.%03d:%d d:%03d.%03d.%03d.%03d:%d  %d bytes  
+hl:%02x iplen:%04x ttl:%u\n",
+   *((u8*)skb->data+30), *((u8*)skb->data+31), 
+*((u8*)skb->data+32),
+   *((u8*)skb->data+33), *((u8*)skb->data+37) + 
+(*((u8*)skb->data+36) << 8),
+   *((u8*)skb->data+26), *((u8*)skb->data+27), 
+*((u8*)skb->data+28),
+  
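
Review bot: the compare constants in this hunk are little-endian byte-swapped values (`0x0608` for ARP, `0x0008` for IP, `0x4300`/`0x4400`/`0x3500` for the DHCP and DNS ports), so the classification only works on little-endian hosts; compare against `htons(ETH_P_ARP)`, `htons(ETH_P_IP)`, `htons(67)` and friends instead, which also documents what the magic numbers mean. Three more points in the IP branch: `case 1: printk("ICMP%d ", ((u8*)skb->data+34));` passes the address of the ICMP type byte to `%d` rather than the byte itself (it needs the leading `*`); the `switch` has no `case 6`, so TCP frames are logged with no protocol label at all; and every port and address offset assumes a 20-byte IP header and reads up to byte 41 without checking `skb->len`, so frames carrying IP options mis-decode the ports and runt frames are read past their end. Lastly, `printk("REP")` in the ARP branch lacks the trailing space its `"req "` counterpart has, so the reply line runs straight into the `T:` field.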

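The decoding the patch performs, redone in user space as an added example (this is not the patch's or the author's code): it reads the same fields the patch logs (Ethernet addresses, ARP opcode and addresses, IP protocol, addresses, header length, total length, TTL, UDP/TCP ports, and the DHCP/DNS port tags) from a raw frame, but with explicit network byte order, the IP header length honoured, every read bounds-checked, a TCP label added, and a timestamp on each line as the system log would give. The three sample frames, the `decode_frame`/`format_log` names and the log-line layout are constructed here and are not from the page.

```python
"""Decoding equivalent to the kernel patch above, in user space.

Added example, not the patch's own code. Parses a raw Ethernet frame
and returns the fields the patch logs, using network byte order,
honouring the IP header length and bounds-checking every read.
"""
import struct
import time
from datetime import datetime, timezone

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
IPPROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
ARP_OPS = {1: "request", 2: "reply"}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip4(b):
    return ".".join(str(x) for x in b)


def decode_frame(frame, ts=None):
    """Return a dict describing one frame; proto is 'short' if it is truncated."""
    rec = {"ts": time.time() if ts is None else ts, "proto": "short"}
    if len(frame) < 14:
        return rec
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    rec.update(src_mac=mac(src_mac), dst_mac=mac(dst_mac))
    payload = frame[14:]
    if ethertype == ETH_P_ARP:
        if len(payload) < 28:
            return rec
        # hw type, proto type, hw len, proto len, opcode, sender mac/ip, target mac/ip
        _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
        rec.update(proto="ARP", op=ARP_OPS.get(op, f"op{op}"), src_ip=ip4(spa),
                   dst_ip=ip4(tpa), target_mac=mac(tha))
        return rec
    if ethertype == ETH_P_IP:
        if len(payload) < 20:
            return rec
        vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
            "!BBHHHBBH4s4s", payload[:20])
        ihl = (vihl & 0x0F) * 4          # header length in bytes, options included
        if vihl >> 4 != 4 or ihl < 20 or len(payload) < ihl:
            rec["proto"] = "bad-ip"
            return rec
        rec.update(proto=IPPROTO_NAMES.get(proto, f"proto{proto}"), src_ip=ip4(src),
                   dst_ip=ip4(dst), ttl=ttl, ihl=ihl, iplen=total_len)
        l4 = payload[ihl:]               # transport header starts after any options
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            rec.update(sport=sport, dport=dport)
            if 53 in (sport, dport):
                rec["app"] = "DNS"
            elif {sport, dport} & {67, 68}:
                rec["app"] = "DHCP"
        elif proto == 1 and len(l4) >= 1:
            rec["icmp_type"] = l4[0]     # the type byte itself, not its address
        return rec
    rec["proto"] = f"ethertype 0x{ethertype:04x}"
    return rec


def format_log(rec):
    """Render a decoded frame as one timestamped log line."""
    stamp = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    line = f"{stamp} >>{rec['proto']}<<"
    if rec["proto"] == "ARP":
        return (f"{line} {rec['op']} S:{rec['src_ip']}:{rec['src_mac']} "
                f"T:{rec['dst_ip']}:{rec['target_mac']}")
    if "src_ip" in rec:
        app = f" {rec['app']}" if "app" in rec else ""
        sp = f":{rec['sport']}" if "sport" in rec else ""
        dp = f":{rec['dport']}" if "dport" in rec else ""
        return (f"{line}{app} s:{rec['src_ip']}{sp} d:{rec['dst_ip']}{dp} "
                f"hl:{rec['ihl']} iplen:{rec['iplen']} ttl:{rec['ttl']}")
    return f"{line} {rec.get('src_mac', '?')} -> {rec.get('dst_mac', '?')}"


# Constructed sample frames (not captured traffic).
ARP_REQ = bytes.fromhex("ffffffffffff001122334455" "0806" "0001080006040001"
                        "001122334455" "c0a8010a" "000000000000" "c0a80101")
DNS_QUERY = bytes.fromhex("aabbccddeeff001122334455" "0800"
                          "4500003012340000" "4011" "0000" "c0a8010a" "c0000235"
                          "c001" "0035" "001c" "0000") + bytes(20)
# 24-byte IP header (four NOP options) followed by TCP: the patch's fixed
# offsets 34..37 would read the option bytes 0x0101 as the ports.
TCP_WITH_OPTS = bytes.fromhex("aabbccddeeff001122334455" "0800"
                              "4600002c00010000" "8006" "0000" "0a000001" "0a000002"
                              "01010101" "c002" "0016") + bytes(16)

if __name__ == "__main__":
    for f in (ARP_REQ, DNS_QUERY, TCP_WITH_OPTS, bytes(10)):
        print(format_log(decode_frame(f)))
```

Feed it the bytes of each frame from a raw socket or a pcap reader and write the returned line to syslog; the third sample frame is the case the fixed offsets in the patch get wrong, and the short-frame case returns `short` instead of reading past the buffer.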
A DDOS proposal.

2000-02-11 Thread Dragos Ruiu

Panic Button, open trouble notification channel: Attack Defender

The appropriate place to suggest this solution was at the NANOG meeting
on DDOS, but I didn't think of it before then, so I thought that a posting
to bugtraq might float this proposal for public discussion. The term ISP
is used below to refer to any network service provider responsible for
connecting end user systems or servers to the net.

The problem with DDOS:

- It is infeasible to secure the entire net.

- Scanners for DDOS daemons are being built but still require efforts from
uninterested parties to run the scans. Frequency of scanning will be an issue
too.

- The attackers are often systems that are unattended or neglected as far as
security goes.  This makes it even harder to reach someone at the site to stop
the attack.

- The ones who are motivated to do something about DDOS are the
victims not the attack relays.

- The ISPs are also greatly motivated to ensure that their services are not
disrupted.

- The problem with disabling the attack is that the victim has to contact
many, many systems to notify them that they have been breached and
convince the administrators to take measures against the attacker
software now embedded in their system.

As this is an industry-wide issue, it is doubtful a single-source commercial
antidote to all the potential DDOS problems can be found with a single
countermeasure. So I propose a collaboration between service providers -
an Anti-ddos ISP Coalition to remedy the problem.

The key issue as I see it is one of notification: how do you notify all the
attackers that their systems are being detrimental to the net?  I suggest
that we move the onus of solution to their service providers.  It has already
been suggested that the ISPs that connect the attacker-relays to the
net may be culpable or liable for damages... so they should be willing to
expend some effort to resolve the issue. There is already a push to educate
about putting proper address filtering into provider routers, but this is not
the full solution because it will only hinder DDOS attacks based on spoofed
traffic. At dursec we have been testing DDOS effects for the last 8 months, and
we've researched many DDOS techniques that do not require spoofing,
so address filters will not be a panacea solution.

One of the solutions we've been bandying about is some sort of Emergency
Broadcast Network-like solution that would facilitate communication during
attacks or outages amongst service providers.  We would like to propose that an
open-source, peer-reviewed attack notification system like this be developed.
It would work like this:

- Each ISP (AS) that has an IP address block allocated to it would maintain a
publicly listed attack/outage notification point; call it the Attack Defender
daemon. By my estimate and materials published by Boardwatch there are less than
15,000 ISPs in the world, so keeping/distributing a central contact table listing
address blocks and contacts would be feasible (similar to whois).

- Free client software would be distributed to the participating (hopefully
all) ISPs' customers.  This client software would essentially be a red panic
button for victims of a DDOS attack.  When activated it would use some sort of
strong crypto authentication and notify your local service provider's Attack
Defender that an attack is in progress. The notice would contain a small
description of the attack and a list of attack sources gathered by promiscuous
sniffing by the Defender client as well as a contact e-mail for the attack
victim. The client could also log traffic stats for future forensic
verification/tracing of the attack. Various levels of automation
are possible.

- When an ISP customer triggers the Attack Defender panic button and notifies
his service provider's Defender daemon, it will in turn contact/notify the other
well-known and publicly listed Defender contact addresses of the
ISPs/ASs/Owners of the address blocks that a victim ISP's customer has filed a
complaint about attacks coming from their nets. That notification will contain
the offending source address(es) and contact info for the victim and their ISP's
technical support for subsequent verification.

- When the incoming complaints from other Defenders reach some
configurable (and likely site-dependent) threshold level, the AS's Defender will
notify/alarm the attack-origin ISP's technical support crew, who would supposedly
have contact information for the client nodes that are doing the attacking.
They could then notify, with whatever strength of wording (:-) they feel is
appropriate, their customers that they must take additional security
precautions and hopefully provide assistance.  There are numerous inherent DoS
opportunities in such a system, so great care needs to be taken between
Defenders to use strong authentication.  In addition, guidelines should be
drafted so no draconian penalties are imposed on clients that have potentially
spurious complaints filed again
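
The notification chain the proposal describes (panic-button client, local Defender, contact-table lookup, fan-out to the Defenders of the address-block owners, threshold alarm to their support crews), as an added simulation that is not part of the proposal or of any Defender software: the message layout, the use of HMAC-SHA256 with pre-shared keys to stand in for the "strong crypto authentication", the longest-prefix contact table and the per-source threshold of distinct complaining victims are all assumptions made here so the flow can be run end to end. Address blocks, keys, contacts and the `Defender` class are constructed sample data and names, not from the page.

```python
"""Simulation of the Attack Defender notification flow proposed above.

Added example, not code from the proposal. The message formats, the
HMAC-based authentication and the complaint threshold are assumptions
chosen to make the flow concrete; keys are embedded only so the script
runs offline.
"""
import hashlib
import hmac
import ipaddress
import json
from collections import defaultdict

# Publicly listed contact table: address block -> Defender (AS) name.
# Constructed sample data (documentation ranges), not real allocations.
CONTACT_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "AS-VICTIM"),
    (ipaddress.ip_network("203.0.113.0/24"), "AS-RELAY-A"),
    (ipaddress.ip_network("192.0.2.0/24"), "AS-RELAY-B"),
    (ipaddress.ip_network("192.0.2.128/25"), "AS-RELAY-C"),  # more specific block
]


def lookup_as(addr):
    """Longest-prefix match in the contact table, like a whois lookup."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, name in CONTACT_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def sign(key, msg):
    """Authenticate a message dict with an HMAC over its canonical JSON."""
    body = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key, msg, tag):
    return hmac.compare_digest(sign(key, msg), tag)


class Defender:
    """One ISP's Attack Defender daemon (assumed design)."""

    def __init__(self, name, client_keys, peer_key, threshold=2):
        self.name = name
        self.client_keys = client_keys      # customer id -> panic-button client key
        self.peer_key = peer_key            # key shared with other Defenders
        self.threshold = threshold          # distinct victims before support is alarmed
        self.complaints = defaultdict(set)  # source addr -> set of victim contacts
        self.alarms = []

    # Step 1: the victim's panic-button client reports to its own ISP.
    def receive_panic(self, customer, report, tag):
        if customer not in self.client_keys or not verify(self.client_keys[customer], report, tag):
            return {}                       # unauthenticated: drop, never fan out
        # Step 2: group the sniffed sources by the AS that owns each address.
        per_as = defaultdict(list)
        for src in report["sources"]:
            owner = lookup_as(src)
            if owner and owner != self.name:
                per_as[owner].append(src)
        notices = {}
        for owner, srcs in per_as.items():
            notice = {"from": self.name, "victim_contact": report["contact"],
                      "description": report["description"], "sources": sorted(srcs)}
            notices[owner] = (notice, sign(self.peer_key, notice))
        return notices

    # Step 3: a remote Defender receives a notice about its own address space.
    def receive_notice(self, notice, tag):
        if not verify(self.peer_key, notice, tag):
            return []
        new_alarms = []
        for src in notice["sources"]:
            self.complaints[src].add(notice["victim_contact"])
            # Step 4: alarm tech support once enough distinct victims complain.
            if len(self.complaints[src]) >= self.threshold and src not in self.alarms:
                self.alarms.append(src)
                new_alarms.append(src)
        return new_alarms


def run_demo():
    """Two victims at one ISP report the same relay; the second report trips the alarm."""
    peer = b"inter-defender-key"
    victim_isp = Defender("AS-VICTIM", {"cust-1": b"k1", "cust-2": b"k2"}, peer)
    relay_b = Defender("AS-RELAY-B", {}, peer, threshold=2)
    report1 = {"description": "UDP flood", "contact": "noc@victim.example",
               "sources": ["192.0.2.10", "192.0.2.200", "203.0.113.5"]}
    notices = victim_isp.receive_panic("cust-1", report1, sign(b"k1", report1))
    first = relay_b.receive_notice(*notices["AS-RELAY-B"])     # one victim: below threshold
    report2 = {"description": "UDP flood", "contact": "abuse@other.example",
               "sources": ["192.0.2.10"]}
    notices2 = victim_isp.receive_panic("cust-2", report2, sign(b"k2", report2))
    second = relay_b.receive_notice(*notices2["AS-RELAY-B"])   # second victim: alarm raised
    forged = victim_isp.receive_panic("cust-1", report2, "00" * 32)  # bad tag: dropped
    return {"notices": sorted(notices), "first": first, "second": second, "forged": forged}


if __name__ == "__main__":
    print(run_demo())
```

The threshold is what keeps a single spurious or malicious complaint from paging a support crew, and rejecting unauthenticated reports before fan-out is what stops the notification network itself being used to flood other Defenders, which are the two risks the proposal flags.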