Dailydave mailing list archives

CANSECWEST May 2005 Trip Report


From: Dave Aitel <dave () immunitysec com>
Date: Mon, 09 May 2005 12:19:55 -0400

Overview

http://www.cansecwest.com/speakers.html has a general outline. I don't think the talks are up yet. There were also "Lightning talks" which were 3-5 minutes long, enforced by a gong. These were a great idea. Gera demonstrated that his Canon camera was an x86 DOS-running computer, which was funny.


Talks of Note
/*Alex Wheeler & Neel Mehta*/ - Anti-Virus Issues

In my opinion, this talk was "Best of Show" with the perfect outline:
o Overview of problem (virus scanners are bad)
o Fun disassembly spot the bug game
o Specific past examples (McAfee, etc)
o Trend Micro Demo (ring0 bugs are cool)
o Computer Associates 0day

/*Maximillian Dornseif*/ - 0wn3d by an iPod: Firewire/1394 Issues

It's neat to watch someone plug their iPod into a box and see its screen change. More practically, you can pop off a screensaver with it. Or just hand out thousands of iPods to everyone to let them own themselves.

/*Cesar Cerrudo*/ - Windows Internals

LPC and shared segments and other good fun.

/*Gaël Delalleau*/ - Large Memory Usage

Impossible to read slides marred an otherwise great talk. Maybe my lasik (tm) is fading, but for some reason, it was like someone was holding a video camera up to the slides on his laptop. Made for some really tough reading. Apparently Linux 2.6 took out the guard page between the stack and heap? There was some comment about PaX as well, but I didn't quite catch it.

/*Barnaby Jack*/ - Step into Ring 0

Shellcode tricks in Win32 Kernel...this is more neat when you think about the fun IP layer bugs and other stuff that has been coming out for windows recently.

/*Window Snyder*/ - XPSP2 Internals

Window's talk was more on the political internals than any technical internals of the megapatch. She did mention that "a vendor" had explained integer overflows to them, and their system was riddled with them. She also mentioned they found 2 "classes" of bugs that weren't known to the outside world.

I find it interesting that one of the Windows Security Initiative's own didn't mention that a major change was happening two days after her talk: http://news.com.com/Microsoft+to+sound+early+alert+for+flaws/2100-1002_3-5697945.html

/*Philippe Biondi*/ - Packet generation with scapy

Scapy is great - not just because it's in Python, but because it has so much power to do neat things. For example, a quick VisualRoute would be easy to build with it (plus GeoIP), and he has some neat scripts built up already which do cool things, like graph the backside of a firewall using traceroute-like techniques + more. By graph, I mean "put up pretty pictures" which was a pretty awesome thing.

Also if you've never seen Halvar or Shane+Dino's talks, those were great too. Dino even demo'd Hydrogen getting loaded via an IE client-side attack. Marty demonstrated that the new snort will
1. Fix a bunch of problems in snort
2. allow snort to differentiate based on OS or other identifiers ("Is running IE on Windows SP2", etc)

At the very end, I demonstrated that Snort doesn't detect large amounts of CANVAS exploits, if you use a Covertness of 10. (I'm making it go to 11 in the next release. :>)

Conclusion

Probably the best information security convention I've been to recently...this conference was smaller than BlackHat, but had a very high signal to noise ratio, in both the talks and the attendees.