Dailydave mailing list archives

HITB trip report


From: Dave Aitel <dave () immunitysec com>
Date: Mon, 03 Oct 2005 14:21:28 -0400

As always, this is a trip report where I go through my fuzzy recollections of the conference and share that with the DD list at large.

________________________________________________________________
First of all, the keynote from Microsoft's IE 7 team was oddly informational. I had a chance to chat with them later at lunch, and asked them about some more technical specifics. I think the ground breaker is this:

1. Vista implements setuid() (via SACL in the filesystem) !!!!!! <---!!!!!! \o/ !
   o This is both good and bad. It heavily complicates the security model, which was already complicated enough. I'm sure it'll result in at least one neat local root.

2. IE uses this to mark any executable you download as a very low priv user so even if you do execute it, it can't do anything harmful.

3. IE has a new mode that sections off the IE process (and all ActiveX, extensions, etc.) as a low priv user and has them doing all file operations via another process (like OpenSSH privsep).
   o I wonder how it authenticates the process as being from IE and not from somewhere else.
   o They mess with the import table to implement this, I believe, and so a smart ActiveX control could get around it, but they'd be writing to the disk as a low priv user (unless there was some sort of other token in the process they could steal).
   o The really hard part here is dealing with the tokens. If I auth to a site as admin (which, I believe, you do automatically, but most people will do manually if necessary) then I have a token sitting around maybe. I dunno. If there are non-restricted tokens sitting in the process, then the whole priv-sep thing is broken. Knowing MS, they didn't study OpenSSH to see the issues they solved. (I love that about them, it's cute! :>)

4. IE has "phishing protection" which is a big list of bad sites and some heuristics backing it. They don't plan on easily letting you extend this to third party protection systems yet. I can see how that makes business sense for them - and a closed system is easier to defend as well.

5. We all have to wait for the next Vista beta to see a real IE 7 anyways.

I guess everyone's question is "At what point will Vista implement chroot() as well as setuid()?" Then maybe we could get fork()! I asked a question during the talk: "Have you used the fuzzers you built to test IE against Firefox?"
answer: "no"

Those fuzzers are on the VS Beta CD they were handing out, so someone should definitely give it a shot...

No entirely CLR IE for a while....which is sad.

Final Conclusion: Spyware will have to start using local kernel exploits. (assuming they aren't already) (This would probably bypass honeymonkey as well ...)

______________________________________

VIA has apparently implemented a copy of bestcrypt backed up by some extra hardware in their newest line of chips. They decided to publicize this by having a snake-oil competition to "crack" their encryption at the conference. They need to fire their publicity team. No one is falling for a competition worth "5000 USD" (actually "5000 USD worth of software" !) where you are not allowed to install anything on the machine you are testing. Are you supposed to crack RSA in your head?

Having RSA and AES hardware accelerated in your chip is perfectly interesting already. We're willing to listen to you explain what you have, without having the world's most inane competition over it.

_________________________________________

I tried to visit all the technical track talks, but in some cases my memory has already faded (I had very little sleep and arrived at the conference the day it started...)

Speakers kept forgetting to repeat the questions that were asked of them. This is mildly annoying.

_________________________________________

The Grugq did a great talk on VoIP which ran down the buggy protocols they use and talked about a lot of the problems in each of them. Probably the biggest problem is that they mostly assume security is handled via a lower layer (like IPsec) and hence don't have any of their own. Another huge problem is places that do their authentication via caller-ID, which can easily be spoofed. Plenty of places do this, including Florida's gas company. So, in other words, people can charge their gas bill to anyone living in Florida. This is very bad.
_________________________________________
STIF-ware Evolution - Meder Kydyraliev and Fyodor Yarochkin

This was a good talk in many ways, but the technology isn't advanced enough to really give the demo the wow-effect that some people want to see. The basic idea is they've wrapped all the security tools you'd want (nmap, nessus, etc) with xml wrappers, and each of them can then use a framework to trigger off the others. So for example, you can give it a list of hosts, and it calls "add ip BLAH" and then you have say, a scanner module waiting for new IP notifications, and it reports "VULN blah" and then a module waiting for that runs and gets you root.

Of course, the devil is in the details. This sort of system is going to be hard to make efficient.
_________________________________________

Joanna Rutkowska's talk on Windows kernel rootkit finding was good - her basic hypothesis (which I agree with) is that if you enumerate all the places in the kernel people can hook, you can write a reliable rootkit detector. My stance is that there's just not enough entropy in the kernel to truly hide in.

_________________________________________

HITB also had auctions for random things - I think this would have worked better if all the things were really unique things you couldn't get anywhere else.

_________________________________________

At udrw.com you can get a USB key that pretends it's a CD-ROM. This is great for autorun, apparently.
_________________________________________

CTF

Capture the flag was awesome. People loved it - they made it a truly spectator-friendly sport. One of the ways they did this was having a sane policy on teams (3 people max) and scoring (hacking got you a high score...). The winning team (GO TEAM PANDA! :>) not coincidentally was the team that got the exploit for a custom overflow done first. Neat, huh?

_________________________________________
Nematodes:

http://www.immunityinc.com/downloads/nematodes.pdf has a PDF'd slidepack from my talk. Let me know what you think. :>


Overall - professionally organized, well put-together conference. Hotel was 5 star...and it showed. Conference is largely under-priced, even including plane ticket price.

-dave
