Just what we need: A TCP Stack Vulnerability

I wish I could go to this. Not just to visit Helsinki, which would be awesome, but to see first-hand a proof-of-concept of a new TCP SYN-flood-like attack that uses "a very low bandwidth attack stream" to fill the TCP state table and effectively cause a denial of service. I imagine if it were Metasploited, any kiddie could take down entire domains. [Wow, that's useful, cursory speculation. Sorry.] The issue seems to affect all popular systems, including Windows, Linux, BSD, and embedded systems.

If you don't get it, TCP owns the Internet. Not everything on the Internet, but it's big. And this vulnerability means that almost everything on the Internet can be taken down: IM, web, email, your home computer, your cable modem; the list goes on for services and almost any networked system. This could literally destroy the Net... and there's no easy fix according to the discoverers.

On that note, I've noticed that bleeding-edge hackers tend to be hugely pessimistic doomsayers about the state of the 'net, and rightly so if they are in the thick of fixing it and dealing with vendor lag. This is especially apparent in any group demo of an exploit, and it easily becomes tiresome: the security guy always claiming the sky is falling. But I've also noticed that security "managers", on the other hand, focus a great deal on analysis and quantification rather than pessimism. If it's not on paper with all risks identified and documented, it does not yet qualify for consideration. Maybe these characteristics are different facets of dealing with the same challenges, but combined they can be very problematic and even impeding. Just some thoughts about the industry.


Posted on October 01, 2008 by Dennis Mojado

Filed under News | 1 Comment

Clickjacking Presentation Pulled at OWASP NYC 2008

The recent drama behind a grave browser vulnerability called clickjacking has caused its discoverers to pull their presentation from the agenda today, the first day of the OWASP NYC AppSec 2008 Conference. Clickjacking refers to code that forces a user visiting a web page to click on anything the code-writer desires. Put another way: you visit a page and click on something, but something else is substituted for it, and you won't even know. The implications are far-reaching: initiating XSS, forging ad click-throughs, linking bad exploits, and a whole lot of other potentially bad things beyond my understanding.
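Clickjacking depends on loading the target page inside a frame on a page the attacker controls, so the standard defence is for the target to refuse framing by untrusted origins. As an added example that is not part of the original post, the following checks whether a page's response headers permit it to be framed; it assumes the X-Frame-Options header and the CSP frame-ancestors directive (both shipped in browsers after this post was written), and the header values and origins are constructed samples.

```javascript
// Added example, not from the original post: decide from response headers
// whether a page may be framed by a given origin. Header semantics follow
// X-Frame-Options and CSP frame-ancestors; all sample values are constructed.

function parseFrameAncestors(csp) {
  // Return the source expressions of a frame-ancestors directive,
  // or null when the directive is absent from the policy.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      // Strip the quotes around keywords such as 'self' and 'none'.
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function mayBeFramedBy(headers, pageOrigin, framerOrigin) {
  // headers: object keyed by lower-cased header name.
  // A frame-ancestors directive takes precedence over X-Frame-Options.
  // Host sources are matched as exact origins here; CSP wildcard and
  // scheme-only sources are not modelled (simplification).
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  const framer = framerOrigin.toLowerCase();
  const page = pageOrigin.toLowerCase();
  if (ancestors !== null) {
    if (ancestors.includes('none')) return false;
    if (ancestors.includes('*')) return true;
    if (ancestors.includes('self') && framer === page) return true;
    return ancestors.includes(framer);
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framer === page;
  // No framing restriction at all: the page is exposed to clickjacking.
  return true;
}

function exposedToClickjacking(headers, pageOrigin) {
  // True when an arbitrary third-party origin (constructed) may frame the page.
  return mayBeFramedBy(headers, pageOrigin, 'https://third-party.example');
}
```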

Speakers RSnake and Jeremiah Grossman said they had been working for a few months on a proof-of-concept to be demo'd today at the conference. But at Adobe's request they decided to do "responsible disclosure" and wait until Adobe had a chance to respond to the problem. While not specifically Adobe's problem, the exploit was instead described as inherently a browser problem with far-reaching effects on non-browser vendors. The vibe throughout their explanation was: it's that bad. They said they also notified other vendors, including Cisco and the "two main browser vendors", Mozilla and Microsoft. (When one attendee asked, "What about Google Chrome?" RSnake replied, "I have no interest in going after the little guys...")

The duo spoke in generalized and NDA terms to the conference attendees during a Q&A session.

Here is an audio recording I made of that conference Q&A session:

Update 10/7/08: RSnake and Grossman released a summary of the exploits, including how Flash Player can be used to surreptitiously activate the microphone and webcam.


Posted on September 24, 2008 by Dennis Mojado

Filed under News | 0 Comments

Open Web Application Security Project Conference NYC 2008

[Photo: OWASP NYC, originally uploaded by dailylifeofmojo]

One thing immediately apparent at the Open Web App Security Project (OWASP) introductory presentation is true adherence to the description of "openness". I am very impressed by the freedom of information presented so far. Books, white papers, even event recordings and video, are made freely available to the public. There is no hindrance of copyright, of licensing, of disclosure agreements.

I spoke earlier, at another conference, of author/speaker Paul Glen and my brief conversation with him after his keynote speech. What I didn't share was that I recorded his speech. I told him this and he explicitly asked me not to distribute it. I found this a minor bummer, because his speech was so enjoyable and interesting. Instead he asked me to refer people to his site so they could obtain CDs there. No problem with making money, and I still hold his work in high regard, but limiting disclosure at the cost of the larger public benefit?

I use this as an example only because it was so recent in my experience. There are many others whose work and help is stifled by the concept of "ownership". Nevertheless, I am very excited about the topics to be discussed at OWASP NYC, and I will be sharing select (read: interesting) recorded audio from this conference shortly.

I feel like I have finally found a security professional association that cares less about identity or profit and more about strengthening the overall security of our industry. I was pleased to see that the majority of attendees were on MacBooks (can you really call yourself "security conscious" running Windows and freely connecting to public wifi?). And every time I go to these things, the message is always dismal: security is broken, we are in trouble, we need to act. At least they're realists.


Posted on September 24, 2008 by Dennis Mojado

Filed under News | 0 Comments

IT Security World 2008 at the SF Marriott

MIS Training Institute's IT Security World 2008 started last Friday, but for us folks with the free Expo passes it's only today and tomorrow. I get to experience such coolness as:

• "This year's 'Rock Star' Panel promises progressive opinions on the hottest information security topics from those on the bleeding-edge. Special consideration will be given to the growing worries around online fraud and the hyper-evolution of the script-kiddie to organized fraudster."
• Busting Archiving Myths.
• Keynote Address: Leading Geeks: How to Manage and Lead People Who Deliver Technology.

Hehe, that last one sounds cool. But I am wondering how an organization can hold an industry "Expo and Conference" inside a hotel like the Marriott. Last time I was in there, it was no Moscone...


Posted on September 15, 2008 by Dennis Mojado

Filed under News | 0 Comments