/var/log/messages (2009)
This section contains the latest news, announcements and thoughts from the MWR InfoSecurity team.
DeepSec 2009
Dec 03, 2009
The DeepSec security conference was held between November 17th and November 20th at the Renaissance Hotel next to the Imperial Riding School in Vienna. MWR InfoSecurity were invited to speak at the event for the second year in a row with Luke Jennings presenting a talk about attacking deployment solutions. The event was well managed and both attendees and speakers were well looked after by the organisers. The conference had a nice intimate feel to it and is focused across a range of topics that would be of interest to security consultants, security researchers and security managers in equal measure. The quality of the talks was of a good standard and some of those that stood out are outlined here.
Presentation: DeepSec 2009 - Weapons of Mass Pwnage: Attacking Deployment Solutions
Dec 03, 2009
Luke Jennings presented at DeepSec ‘09 in Vienna, Austria regarding the security of deployment solutions and some of the recent vulnerabilities he discovered in Symantec’s Altiris Deployment Solution. The slides for this presentation are available from:
mwri_deepsec09_weapons-of-mass-pwnage_2009-11-20
Singing the Mainframe Security Blues?
Nov 17, 2009
As an Information Security Officer what is the one question that the non-technical executives ask you the most? Usually it’s as simple as “Are we secure?” – and the answer had better be “Yes”. Anyone who’s had to back that answer up will have done their background research, been to conferences, read books and talked to their counterparts in other companies. Invariably this will have equipped you with knowledge of IT security from port scans and exploits through to Trojans and viruses. Armed with this knowledge you can understand the need for firewalls, IDS, anti-virus and how their effectiveness should be confirmed through penetration testing.
But what if your most critical data is held on a mainframe? Did they teach you about this at hacker boot-camp or in those hacking text books? But does that matter? After all, you know about IP and the ways that hackers try to attack your systems using it. You have firewalls on your network and have regular pen tests completed against your systems. Given this knowledge, the answer to the question is “Yes, we are secure”.
But still there’s that worry at the back of your mind – that there is something you haven’t thought about. If you are in the information security industry you know about that voice, call it paranoia, call your natural distrust. What is it about the mainframe that makes you nervous? Is it the fact that – in essence – that big metal box downstairs is your business? Just what is it our subconscious trying to tell us.
Attacking Altiris at DeepSec '09
Sep 07, 2009
Luke Jennings will be talking at DeepSec ‘09 in Vienna, Austria on 20th November 2009 regarding the security of deployment solutions and some of the recent vulnerabilities he discovered in Symantec’s Altiris Deployment Solution.
https://deepsec.net/docs/speaker.html#PSLOT39
If you are interested in this, be sure to come along!
USB Research to be Presented at t2'09
Sep 01, 2009
Following the talk presented at Defcon 17 this year, Rafa continued his research in USB attacks and will provide an update of his research at T2 in Finland on Thursday 29th October 2009. The presentation will cover a wide range of security considerations for the use of USB devices. However, it will specifically focus on the evolution of an attack that can be delivered through a malicious USB device. The talk will also include discussion about the methods that can be used to identify and exploit vulnerabilities in USB drivers and their advantages and disadvantages.
Defcon 17
Aug 07, 2009
Vegas, The Riviera, Hardware Hacking Village, Lock-picking Village, a whole host of talks, iPhone users filling the wall of sheep, fake ATM in the foyer, yep its DefCon17. Here is a quick overview of some of the talks I attended in no particular order.
EuSecWest 2009 Run Down
Jun 04, 2009
I recently had the good fortune to attend EuSecWest 2009. EuSecWest is one of those great conferences where it’s full of very knowledgeable, like-minded individuals but is small enough that by the end everybody kind of knows everybody, if they didn’t already! The talks were all very technical and of good quality I had the pleasure of engaging in many interesting discussions. Here are a few highlights from talks that interested me in particular.
Have you got bad timing?
Mar 13, 2009
Timing attacks have a long and successful history when used against a wide variety of systems and technologies. This is because these attacks can take so many forms, from vulnerabilities related to race conditions, or blind SQL injection vectors which use delays in execution through to the timing of a UNIX login.
One of the classic timing attacks is based on measuring the difference in the time an application takes to complete two different but related tasks. If the code path followed by different inputs varies in its length or in its complexity the execution time for the two different inputs can vary slightly – but measurably. The most common example of this is the time taken by a login mechanism to process authentication attempts. When the username which is supplied is valid, the code path can often be longer than that taken for an invalid user and therefore could allow a timing attack to occur. This type of attack has been widely publicised and there are many examples which are known to work.