CanSecWest 2010 day 3 summary

The conference has now drawn to a close and Michael Argast and I have made CanSecWest this week’s podcast topic. Our weekly podcasts have been going well so far and I would like to thank our editor/producer Maria Varmazis for her help and for committing to a weekly schedule with us.

Download and listen to the Sophos podcast “CanSecWest 2010 Wrap-up”

If you enjoy this podcast you can download many more via iTunes or directly from our website.

“Stuff we don’t want on our Phones: On mobile spyware and PUPs – Jimmy Shah”

Jimmy works for McAfee and the heart of his presentation this year was the increasing threats against mobile platforms, and especially the creation of grey-ware. McAfee refers to these as Potentially Unwanted Programs (PUPs) and they often exhibit both positive and negative behaviors.

“Practical Exploitation of Modern Wireless Devices – Thorsten Schroeder and Max Moser”

Thorsten presented their research on wireless keyboards and how to both spy on them and remotely inject keystrokes. He explained the different radio technologies used and demonstrated a small PCB with antennas he developed that can sniff Microsoft wireless keyboards and insert key sequences from 70 meters away! They plan to start selling these devices later this year as the “Keykeriki 2” and hope to add Logitech support as well.

“RFID Hacking at Home – Dr. Melanie Rieback”

Dr. Rieback does research on RFID technologies at Vrije Universiteit in Amsterdam, Holland. She demonstrated the 4th generation of the “RFID Guardian”, a device whose development she coordinated. The purpose of her talk and device is to raise awareness of the ubiquity and insecurity of RFID technology. She hopes to make production versions of RFID Guardian and work with industry to secure many of the important uses of RFID technology.

“Advanced Mac OS X Physical Memory Analysis – Matthieu Suiche”

Matthieu recently founded his own company, Moonsols, focusing on incident response and forensics. He is well-known for creating the Win32dd and Win64dd tools, which allow direct block-by-block copying of memory and disks. The presentation at CanSecWest focused on the new tools he is creating for advanced memory analysis of OS X and the functionality they provide for analyzing OS X memory dumps. He used some real memory dumps to show how to navigate OS X memory structures and discussed the direction he is heading in his development of Mac forensics.

“Full Process Analysis and Reconstitution of a Virtual Machine from the Native Host – James Butler”

In the incident response and forensics business, James is a household name. He works for Mandiant and is an expert in rootkits and malware. He demonstrated the Memoryze and Audit Viewer tools, available for download from Mandiant. His demonstration of gaining access to VMware guest memory from the host and analyzing that memory using Audit Viewer was impressive. With full access to the memory of a guest without the guest operating system’s awareness, it is much easier to observe malicious or suspicious processes, not to mention code and its behavior after being unpacked/decrypted.

“Through the Looking Glass: An Investigation of Malware Trends and Response Activity – Jeff Williams”

Jeff is the Director of the Microsoft Malware Protection Center. If you are familiar with the Microsoft Security Intelligence Report, you are familiar with Jeff’s work. The first half of his talk focused on the patterns Microsoft has discovered in how different pieces of malware show up in different regions of the world, and how this relates to language, socioeconomic status, and technical sophistication. In the second half, he outlined Microsoft’s recent project B49, in which they worked with the courts, government and private sector to perform a takedown of the Waledac botnet. Most of the questions after his session were related to what they learned from project B49.

“The Jedi Packet Trick takes over the Deathstar: taking NIC backdoors to the next level – Arrigo Triulzi”

Arrigo presented his methods for taking over a theoretical firewall running two Broadcom NICs and an Nvidia GPU card. He was able to compromise the external NIC using its remote firmware update capability. He hypothesized that this capability was a vestige of factory testing, but it was still enabled and he was able to use it to take control of the NIC. Once in the NIC, he could traverse the PCI bus and install SSH on the video card. He continued by leapfrogging to the inside NIC and was able to capture, redirect, and alter traffic through means currently undetectable by the operating system.