Hack In The Box first time in Europe

I have but come back from Amsterdam where I was a speaker at the Hack In The Box conference. HITB held its annual briefing here in Europe for the first time. The event was hosted in the cute ‘Venice of the North’, Amsterdam (Netherlands), the home of canals, windmills, tulips, and probably the best cheese in the world. One of the most beautiful hotels in the heart of Amsterdam, the Krasnapolsky, offered a welcoming environs for this occasion.

My subject was FireShark, which is an open source tool written by Stephan Chenette, our Chief Security Researcher at Websense. Stephan originally created an ultimate de-obfuscation tool by hooking Internet Explorer’s DLLs and dumping eval and document.write calls. This tool was presented at Toorcon last year and the code was released. Afterwards on he moved to a Firefox plugin where he could use proper APIs provided by Firefox, as opposed to hooking office calls in DLLs. He also added new ideas to the projection which gave the tool new functionalities. Currently FireShark covers two main issues: ultimate de-obfuscation, and creating a graphical map of compromised Spider web sites. Both of these features are based on monitoring Firefox’s internals to discover redirections, iframes and newly created DOM objects. Because the Web page is loaded into a real browser instead of an emulator, it does not matter how the obfuscation works: the browser sees all the results of the JavaScript code running while visiting the page, which is so logged past FireShark. No emulation is involved, therefore this is an ‘ultimate de-obfuscation’. Later on this log can be analyzed to see the existent intention of the code. Also in the meantime it logs all redirections and iframes made by the page, and that information tin can be mail-processed to generate a nice graphical map nigh connections made to other Web pages. For example, if in that location is a mass-injection campaign nosotros could run into that all the compromised Web sites are making connections to one suspicious landing site. Will nosotros detect something new by seeing all of these? Hopefully that question will be answered soon.

This yr at the HITB briefing, nosotros had the choice to hear many very interesting talks from diverse security experts from all over the world, including deep analysis of shellcode, hardware hacking, and traveling to the Russian cyber clandestine.

I attended the following talks:

• Keynote 1: Security Chasm – Dr Anton Chuvakin
  Anton is a well-known security expert and the author of many books about this discipline. In his talk he emphasized the importance of focusing on real security problems rather than conceptual theories. He was wondering why people are more agape of getting a fine by non wearing a seatbelt rather than worrying virtually the risk to their life. He also took a nice overview of the history of data security and a prediction on how it volition be changed in the post-obit 5 or x years.
• Breaking Virtualization by Switching to Virtual 8086 Mode – Jonathan Brossard
  Jonathan had a nice talk about the security issues of virtual machines, especially escaping code from virtualized servers. Server virtualization is very of import nowadays, by and large used in Web hosting environments. As he pointed out, an attacker might take over the host estimator breaking out of the virtualized hardware using an almost forgotten CPU mode, the virtual 8086 mode.
• From Russian federation With Love two.0 – Fyodor Yarochkin
  Fyodor is an independent network security researcher who digs deep down into the world of the Russian cyber underground, revealing many of their secrets and myths. He explained how they are organized and why they exercise what they practise – unsurprisingly it is all about the money. Fyodor likewise pointed out that many people do not even realize they are involved in a cyber criminal offence. They get a temporary job offer over the Internet and once they finish their consignment they receive the money online. Sounds like a legitimate business concern; however, in the stop the work is related to illegal activeness.
• Keynote 2: 10 Crazy Ideas That Might Really Change the State of Data Security – Mark Curphey
  Mark is the director of the MSDN Subscription Engineering team at Microsoft. He had some very interesting ideas most the cardinal problems of information security, and laid downward 10 ideas that could alter the security industry. He compared this work to how WHO stopped one of the deadliest diseases in the history of human kind, smallpox. Marking also highlighted that perchance security experts should work in the same way as a Chinese doctor: paid only if healthy, not when sick.
• Maltego 3: Beginning Your Engines – Reolf Temmingh
  Reolf is the founder of Paterva Ltd, the creator of Maltego. Maltego is an open source intelligence and forensics application. It tin be used to connect information and their sources together revealing many interesting details most a subject or even about people. Fyodor was actually using Maltego for his findings near the Russian cyber surreptitious. Reolf presented the capability of the new version 3 to the audience.
• Abusing Microsoft’s PostMark Validation Protocol – Dimitru Codreanu
  Dimitru is a Senior Researcher at BitDefender. He did research on a GPU and FPGA-assisted application that can suspension Microsoft’s PostMark Validation Protocol. This protocol helps with fighting confronting spam, and it was claimed that to break this system, the spammer needs to invest hundreds of thousands of dollars in hardware. Dimitru showed the weakness of the protocol and that using a GPU (graphical bill of fare like nVidia GeForce) or an FPGA card inserted into an ordinary PC could lead to signing 3-8 million mails per day with PostMark Validation, with an investment of only around a few hundred dollars.
• Subverting Windows 7 x64 Kernel with DMA Attacks – Cristophe Devine & Damien Aumaitre
  Cristophe and Damien are Security Researchers at Sogeti/ESEC and they fabricated a very interesting showcase of how vulnerable our computing systems are to hardware-based attacks. They have inserted a PCMCIA carte into a laptop running Windows 7 for a couple of seconds, which so accepted any random string entered to the Windows Logon screen as a valid password. They have pointed out that hardware that can use DMA (such as FireWire / IEEE1394, PCMCIA, ExpressCard and PCI bill of fare) is bypassing any security protocol in the operating system, leaving our computers open to attacks.
• Top 10 Web 2.0 Attacks and Exploits – Sheeraj Shah
  Sheeraj is the founder of Blueinfy and the author of many books on Web 2.0 Security. In his talk we got an overview of the acme 10 Web 2.0 attacks, exploits, and hacking techniques. He also explained new tools and methodologies to prevent attacks like these.
• The Traveling Hackersmith 2009-2010 – Saumi Shah
  Saumi is the founder of Net-Square and the writer of many books and tools. He was talking off the tape this fourth dimension about discovering security issues in online flying bookings and hotel room reservations during many of his travels. Equally it was off the record it would not be upstanding to write downward his bailiwick in detail. He emphasized that he does not want to testify a point; however, overall my conclusion was that he was worrying most Spider web shops in general, how highly insecure they are, simply because either the programmer does not know much about information security or because they just exercise not retrieve a cyber criminal would target their site at any time.

The briefing material can be downloaded from the HITB Web site.