CanSecWest 2010 Day 1


As a Vancouverite it always seemed to be a bit of a shame that I have never attended a CanSecWest conference. This year I am here, the 11th annual CanSecWest conference, and I would like to thank Dragos Ruiu for putting on such a great event.

Here is my summary of today’s presentations:

“Internet Nails – Marcus Ranum”

Beginning the conference was Marcus Ranum, from Tenable Network Security. If you would like to watch this presentation, it is available through YouTube, as Marcus presented it late last year at TED. The premise of his talk is that we have made some very poor decisions because of temporary technical challenges, rather than good design. Many of these decisions should have long ago been resolved by a much better-designed replacement, yet we continue to use old broken methods simply to be backward-compatible.

At one point Marcus says (warning, I didn’t record this, it’s a paraphrase) “FTP is almost 40 years old. We need to take it out behind the barn and put a bullet in its head. Don’t worry, software doesn’t have feelings, and we don’t know who the original author is.”

“Under the Kimono of Office Security Engineering – Tom Gallagher and David Conger”

Tom and David from the Microsoft Office team presented the large and coordinated effort Microsoft is making to improve the security of Microsoft Office 2010. I blogged last month about the addition of DEP to Office 2010, and that is only the start.

As was proven by Peter Vreugdenhil, DEP is not fool-proof, and this is why the work that Tom and David do is so important. They discussed a distributed, programmable fuzzer they wrote to discover bugs in Office. Office must process more than 300 different file types, and during their investigations they found and fixed more than 1800 bugs in Office 2010 alone.

Their work has resulted in the development of the new Gatekeeper and FileBlock technologies to protect Office users from potentially malicious files. To recruit machines for their “fuzzer botnet” they made sure to enlist managers at Microsoft, who often have the coolest, fastest gear and use it the least.

“Automated SQL 0wnage techniques – Fernando Federico Russ”

Federico had some passport issues, so his talk was presented by a colleague. The presentation covered the details of creating a successful automated SQL injection tester. It’s more difficult than it looks, and Core Security was able to demonstrate the knowledge behind their tools. Note: It was in fact Fernando Russ who presented; he was substituting for his colleague Sebastian Cufre. My apologies to Fernando and thanks to @Ariel_Cornel for the correction.

“Can you still trust your network card? – Yves-Alexis Perez and Loic Duflot”

The final presentation today was presented by a French security research organization. They showed how the capabilities of modern NICs with co-processors can be harnessed to compromise machines with no ability for detection by the host operating system. By exploiting flaws in the firmware for established protocols, they are able to completely control all network communications in and out of a system by simply controlling the computer on board the network card. Although the technology used in the demonstration is not in widespread use, it shows the danger of embedding processors in everyday devices which have not had proper security testing completed.

I had a great time today, and will post another update tomorrow after I have a chance to provide you my insights.