The Recurity Lablog


Mon, 03 Mar 2008

Infosecurity.it

Dirk Breiden and FX of Recurity Labs went to an IT security trade show in Milano, Italy, following an invitation of fellow hackers Stefano Zanero, Igor Falcomata, Raoul Chiesa and other members of Sikurezza.org. We gave a talk on the current state of independent research into the security of RIM's BlackBerry solution.

Our Italian friends were exceptionally nice and forthcoming, making sure we had everything and were well entertained all the time. Many thanks go to the organizers of our daily and evening events.

One thing that struck me as strange was the security trade show itself. The exhibitors came almost exclusively from the usual suspect section of security software and appliance vendors and distributors. Many displayed embedded boxes of various sizes with little or no LCD displays that somehow made something secure. As far as we could tell, none of them sent any technical personnel to the event, and the attendees didn't seem to mind at all.

We talked to one particular vendor's booth personnel, since we happen to use one of their products and happened to stumble across some 0day vulnerabilities in it. The person did not know what a vulnerability is and, once we started to explain that their embedded product runs on Linux, insisted that we must be wrong, since it only supports Windows and Apple. Oh well. While I'm totally aware of the fact that a trade show booth is not the recommended vulnerability reporting channel, I did actually expect the company representative to know a certain minimum about their product.

Afterwards, it crossed my mind that at every trade show, be it cars, construction equipment, tools, boats or even food, the exhibitors go out of their way to show the inner workings of their product, like engines, safety mechanisms and any other aspect that highlights its quality and uniqueness. At the security product show, nobody seemed to consider opening their magic appliances to even show the PCB and the hardware within, let alone explain the inner workings in any considerable detail. And even then, people seemed to like the stuff, as far as we could tell. Very interesting.

posted at: 17:58 by FX | path: /events

Mon, 14 Jan 2008

Teaching at the Brandenburg University of Applied Science

As part of our research commitment, I went to teach a few classes to students of the Master of Security Management course at the Brandenburg University of Applied Science, following an invitation from Professor Friedrich Holl.

The first lecture focused on security engineering and the different ways professional security verification services are performed. We also went into discussions on how software audits are done, including source code review as well as binary code audits.

It is interesting to talk to people with a solid education on the subject but less practical experience in the field. What I found most astonishing was that they had little to no preference for a specific programming language. This caused some discussions about which programming languages are better suited for security verification. I had to argue my point that more modern languages should be used for quite a while. What I think finally drove the point home was the effort needed for testing, especially unit testing and code verification. If your language and especially your runtime environment (for example .NET) does not allow you to play fancy tricks with pointers or address indices outside of the array bounds, neither testing nor automated code verification needs to cover those topics and deal with the problems inherent to such actions. If nothing else convinces you to stop writing your programs in C, it should be the fact that the less flexibility you have on the lower levels of machine interpretation, the fewer things can go wrong and be turned against you with an exploit.

Of course higher level languages have plenty of their own issues. But given the fact that the fault density actually directly relates to the number of lines of source code, a language in which you write less code allows for a smaller chance to introduce faults. This is why I cringe every time I hear or read someone stating that the prototype is written in Python and works well but the release version is going to be rewritten in C. Please, don't.

posted at: 10:42 by FX | path: /events

Sun, 06 Jan 2008

24C3

Every year between Christmas and New Year's Eve, the Chaos Computer Club invites hackers and security enthusiasts to the Chaos Communication Congress in Berlin. Of course, this is a must-go event for everyone at Recurity Labs.

The event ran more smoothly than any other CCC Congress we have been to. Herding such a large number of hackers, coordinating and staying within the schedule of three tracks isn't easy. But this year, everything went perfectly well from our point of view. The community responded well to most talks we attended, and a number of follow-up activities arose, like the newly deployed barcode hackers wiki, hosted at cyphertext.de.

This year was also the first time that we could contribute the results of our research activities to the conference. We presented and released PortBunny, a specialized TCP port scanner for professional use. The motivation behind developing a new port scanner was the requirement in the professional security services world to be predictable.

Port scanning a large network can take a significant amount of time. When using the commonly available tools of the trade, the time to scan a network varies a lot, depending on how well the network is protected. But from a professional services point of view, you want to minimize the time tools work on a subject and thereby maximize the time you can work on it yourself. Additionally, being able to predict the time a TCP port scan takes is a huge improvement for estimating the overall time required for the engagement.

PortBunny is designed to run in Linux kernel space on dedicated machines. It uses different algorithms than most other scanners to separate bandwidth saturation detection from the detection of filtered (aka firewalled) ports. The slides of the presentation can be found on our publications page.
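To make the design point above concrete, here is an added illustration (not PortBunny's own code, and not taken from the slides) of one way to keep congestion detection apart from filtered-port detection: every round of probes carries a "trigger", a probe to a port that is known to answer. A missing trigger reply means the round hit saturation and is retried at a lower rate; only when the trigger came back is a silent port recorded as filtered. The target network is a constructed in-memory model, so the example runs offline.

```python
SYNACK, RST = "synack", "rst"


class FakeNetwork:
    """Constructed target model: open ports answer SYN/ACK, closed ports answer
    RST, filtered ports stay silent, and any packets beyond `capacity` per
    round are dropped from the tail of the round (a crude congestion model)."""

    def __init__(self, open_ports, closed_ports, capacity):
        self.open_ports, self.closed_ports, self.capacity = open_ports, closed_ports, capacity

    def send(self, probes):
        replies = {}
        for port in probes[: self.capacity]:
            if port in self.open_ports:
                replies[port] = SYNACK
            elif port in self.closed_ports:
                replies[port] = RST
        return replies


def classify(kind):
    return "open" if kind == SYNACK else "closed" if kind == RST else "filtered"


def scan(net, ports, trigger, batch=8):
    """Trigger-based scan; returns (classification, rounds used, final batch size).
    `trigger` is a port already known to respond (assumed here: 22 is open)."""
    result, pending, rounds = {}, list(ports), 0
    while pending:
        rounds += 1
        chunk = pending[:batch]
        replies = net.send(chunk + [trigger])  # the trigger closes every round
        if trigger not in replies:
            # No trigger reply: the link is saturated, so nothing in this round
            # says anything about filtering. Halve the rate and resend the chunk.
            batch = max(1, batch // 2)
            continue
        for port in chunk:
            result[port] = classify(replies.get(port))
        pending = pending[len(chunk):]
    return result, rounds, batch


def naive_scan(net, ports, batch=8):
    """Contrast: no trigger, so every silent port is taken to be filtered."""
    result = {}
    for i in range(0, len(ports), batch):
        chunk = ports[i:i + batch]
        replies = net.send(chunk)
        for port in chunk:
            result[port] = classify(replies.get(port))
    return result
```

With a link that carries five packets per round, the naive scanner reports the open port 443 as filtered because its probe was dropped by congestion, while the trigger-based scan notices the lost trigger, halves its batch and classifies it correctly; the number of rounds it needs is also a simple function of the batch size, which is what makes the scan time predictable.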

PortBunny is released under the GPLv2 and can be downloaded from recurity-labs.com. Any feedback is much appreciated and should be sent to portbunny@recurity-labs.com.

posted at: 18:58 by FX | path: /events

Sat, 03 Nov 2007

Recurity Labs at SIS'07

Joern Bratzke of Recurity Labs held a presentation on "Academia vs. Hackers" on behalf of FX at the 2nd International Workshop on Secure Information Systems (SIS'07), October 15-17 2007 in Wisla, Poland. Although it is a purely academic conference, we were invited to speak on the different approaches of hackers compared to academic researchers when tackling real world security problems. According to Joern, the talk was well received, although our bottom line might have been a bit hard for the honourable audience. Don't get us wrong; we opened with our appreciation and respect for the academics that work with us. But the bottom line of our experience is: sometimes, the imperfect but pragmatic solutions of hackers are much more efficient than academia's "solve the root cause" approach.

posted at: 13:42 by FX | path: /events

Mon, 29 Oct 2007

YSTS v1.0

Last week, I had the pleasure to attend "YOU sh0t the sheriff", Version 1.0 in Sao Paulo. Although getting there wasn't exactly driving two blocks down the street from my house, it was definitely worth the trip. Luiz Eduardo invited me to this exclusive little conference, held in an English pub. There was a nice mix of around 50 people (I guess) and half the talks were in English. Luiz challenged me to talk about mobile phone security (since I made fun of his iPwn during HITB Malaysia), so I ended up giving a presentation comparing the major platforms and the new pocket malware host sold by Apple. Bottom line: currently, only BlackBerry (of all things!) provides the infrastructure for an enterprise to manage its mobile phone assets and the data on them. Microsoft will follow soon, AFAIK.

It was a great time, hanging out with people like Luis Miras (RE guru, inventor of my favorite non-black t-shirt), Mike Reavey (MSRC), Nick Farr (Hacker Foundation) and Emmanuel Goldstein, who even joined in on the 2-hour traffic jam session back to the airport. Thanks very much to the organizers, especially Luiz, who is a great host.

posted at: 21:39 by FX | path: /events