CanSecWest Day 1 – Pen testing, social authentication, APR and Duqu

First of all I would like to congratulate @dragosr and the whole CanSecWest team for putting on one of my favorite security conferences in the world. You do a tremendous job and those of us lucky enough to attend are grateful.

Nick D. from Rapid 7 presented his talk “Mapping the Pen Tester’s Mind: 0 to Root” to a full room at CanSecWest 2012. While the talk was a little commercial and focused on Rapid 7’s Metasploit toolkit, Nick provided some great advice.

It was almost a crash course for budding penetration testers. Nick pointed out many of the pitfalls of pen testing, common rookie assumptions that are wrong and how to approach a professional test engagement. It was clear a lot of thought went into the talk and I thoroughly enjoyed his methodology.

Alex Rice was up next with his talk “Social Authentication”, a look at Facebook’s effort to combat mass-phishing against its users. Rice outlined the problems with challenging users who appear to have been compromised.

First off he noted that Facebook has a 95% false-positive (FP) rate when prompting for secondary authentication. Apparently this is by design and may be one of the only cases where a 95% FP rate is acceptable.

Social authentication is a secondary authentication step where you are asked to identify photos of your friends after logging in with your usual username and password. Rice described it as a cross between a CAPTCHA and traditional authentication.

[Image: Facebook social authentication prompt]

Rice explained that they understand it can be defeated easily by someone targeting a specific account, using Google Image Search, racial profiling and other techniques, but targeted attacks are not what Facebook is trying to stop with this feature.

He believes Facebook has largely eliminated mass-scale phishing attacks by implementing this technique and forced the spammers and scammers to use other methods to spread their scum.
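To make the mechanism concrete, here is a small model of a social-authentication challenge as an added example; it is not Facebook's code and not from the talk. The page only says that a suspicious session is asked to identify photos of the account's friends after the normal password login, so the round count, the number of name choices per round, the pass threshold and the rule that decoy names come from the same account's friend list are all assumptions chosen for illustration.

```python
"""Toy model of a social-authentication challenge (added example, not Facebook's code).

Assumed flow: after a password login that looks suspicious, the server builds a
challenge of several rounds. Each round shows a few photos of one friend and asks
which of several friend names they belong to. The answer key stays server-side.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Challenge:
    """rounds: list of (photo_ids, candidate_names) sent to the client.
    answer_key: the correct friend per round, kept server-side only."""
    rounds: list
    answer_key: list = field(repr=False)


def build_challenge(friend_photos, rounds=7, choices=6, photos_per_round=3, rng=None):
    """Build a challenge from a mapping {friend_name: [photo_id, ...]}.

    Assumed rules (not from the page): only friends with enough tagged photos
    are used as round subjects, and the decoy names in each round are other
    friends of the same account, so the option list reveals nothing the
    account owner does not already know.
    """
    rng = rng or random.SystemRandom()
    eligible = [f for f, photos in friend_photos.items() if len(photos) >= photos_per_round]
    if len(eligible) < rounds or len(friend_photos) < choices:
        raise ValueError("not enough tagged friends to build a challenge")
    subjects = rng.sample(eligible, rounds)
    rounds_out, key = [], []
    for friend in subjects:
        photos = rng.sample(friend_photos[friend], photos_per_round)
        decoys = rng.sample([f for f in friend_photos if f != friend], choices - 1)
        options = decoys + [friend]
        rng.shuffle(options)
        rounds_out.append((photos, options))
        key.append(friend)
    return Challenge(rounds_out, key)


def verify_answers(challenge, answers, required_correct=5):
    """Return (passed, correct_count). Missing or wrong answers both count as wrong,
    so a partially answered challenge cannot pass by omission."""
    correct = sum(1 for got, want in zip(answers, challenge.answer_key) if got == want)
    return correct >= required_correct, correct


# Constructed sample data: eight friends, four tagged photos each.
SAMPLE_FRIENDS = {
    name: [f"{name}_photo{i}" for i in range(1, 5)]
    for name in ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
}


def demo(seed=42):
    """Build one challenge with a fixed seed and show the owner passing it and
    a guesser who answers with the first option of every round failing it."""
    ch = build_challenge(SAMPLE_FRIENDS, rng=random.Random(seed))
    owner_result = verify_answers(ch, ch.answer_key)
    guesser_result = verify_answers(ch, [options[0] for _, options in ch.rounds])
    return ch, owner_result, guesser_result


if __name__ == "__main__":
    ch, owner, guesser = demo()
    for i, (photos, options) in enumerate(ch.rounds, 1):
        print(f"round {i}: photos={photos} choices={options}")
    print("account owner:", owner)
    print("first-option guesser:", guesser)
```

The design point worth noticing is why a 95% false-positive rate is tolerable here: the challenge is built entirely from the account's own social graph, so a legitimate owner answers it in seconds, while a mass phisher holding only a stolen password has no cheap way to answer at scale.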

Peleus Uhley of Adobe presented “Advanced Persistent Responses”, a talk explaining the evolution of Adobe’s security program and what it learned through the process.

Most zero-day attacks against Adobe products are only utilized in targeted attacks, not mass-market malware.

He explained that simply finding and fixing security flaws isn’t enough: by creating new barriers and increasing the difficulty of exploitation, Adobe has deterred attackers from attacking Flash Player.

Uhley also announced a new open-source tool for researchers and developers called Adobe SWF Investigator.

Wrapping up the day was Roel Schouwenberg of Kaspersky Labs presenting “Inside the Duqu Command & Control Servers”. Through its research, Kaspersky was able to get access to half of the known command & control servers involved in Duqu infections.

Schouwenberg presented some interesting findings, although none of it was particularly telling of what Duqu is designed to steal or where it may have come from.

They showed some bash_history content of the attackers fumbling around on the CentOS systems they had compromised, demonstrating (amusingly) how unfamiliar with the platform they appeared to be.

The other fascinating tidbit was that the code in the Windows executable appears to be generated from an unknown compiler/language. Kaspersky is reaching out to the community to see if anyone might be able to identify the origin of this code.