From dave at immunityinc.com Thu Nov 6 09:09:41 2008 From: dave at immunityinc.com (Dave Aitel) Date: Thu, 06 Nov 2008 09:09:41 -0500 Subject: [Dailydave] TechTarget Information Security Decisions Conference Message-ID: <4912FAA5.6030006@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm here in Chicago at the TechTarget Information Security Decisions conference [1]. It seems like every second person in Chicago worked for the Obama campaign, although my cabbie on the way to the airport was convinced Obama was a Muslim and "The Antichrist". One interesting thing they did was have 5 ten minute sessions for new technology companies in information security. Probably my favorite was NetWitness. Like every new company, NetWitness focuses on data correlation almost as much as they focus on data collection, if not more. One of the more striking things about it was the speaker they sent up - very non-marketing. He sounded like he'd written some of the code behind it. His talk was simple: Here's what you do today, and it just doesn't work against 0day. Here's some graphs we have that help you analyze 0day attacks on your network, which we generate by collecting every packet you send. That way you can do your own anomaly detection instead of relying on some sort of algorithm to give you fuzzy results. *I* don't believe any sort of sniffer is the answer, but he was still the best-in-show in my opinion. In any case, I'll be talking on the panel today at 1:55pm if you want to come by and grade MY performance. 
:> [1] http://infosecurityconference.techtarget.com/conference/index.html - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJEvqktehAhL0gheoRAjwbAJ0fs91Cjur09yiBRaeTJNZuaWD9NACfVyhv Jmn6+itZHUVEgzIlAIutSNE= =eCZU -----END PGP SIGNATURE----- From dr at kyx.net Fri Nov 7 01:54:50 2008 From: dr at kyx.net (Dragos Ruiu) Date: Thu, 6 Nov 2008 22:54:50 -0800 Subject: [Dailydave] All Ur WiFi(WPA) R Belong 2 PacSec Message-ID: <200811062254.51433.dr@kyx.net> Just as a heads up, one of the author(s) of the first practical crypto attack against WPA secured wireless networks, besides launching a dictionary attack when weak pre-shared keys (PSK) are used, Erik Tews, will be speaking at PacSec in Tokyo, on Thursday next week. More specifically, his attack uses a combination of protocol weaknesses and cryptographic weaknesses to compromise TKIP encryption. The attack lets the attacker inject seven packets into the network, per decrypt window. It's an interesting attack, because it also hints at other attack forms, so it is rather open ended research. You should discontinue use of TKIP; that is my recommendation. The problem with this is that most AP implementations that I have seen will automatically drop back to TKIP from CCMP(AES) to support older clients. You should disable this if you are given the option on your AP or WiFi router configuration. Unfortunately how to do this varies on each router's configuration system, and some routers do not provide facilities to do this. If you aren't given the option to disable this, you might want to think about getting a different Access Point or WiFi Router. :-) You should seriously consider using some higher level encryption facilities such as a VPN, IPsec, or SSH to secure your communications over wireless. 
Look at ssh -D (or equivalent putty options) to a wired host and the socks proxy options on your browser to use that port on localhost, when surfing over wireless. On some equipment CCMP is called WPA2 and TKIP is WPA. The WPA spec leaves support of CCMP(AES) optional while the WPA2 spec mandates both TKIP and AES capability. Important WPA/WPA2 Recommendations: -Use only CCMP(AES). -Disable Negotiations to TKIP from CCMP(AES). -If you must use TKIP, rekey every 120 seconds. Quote: To prevent this attack, we suggest using a very short rekeying time, for example 120 seconds or less. ... The best solution would be disabling TKIP and using a CCMP only network. Oh, P.S. AFAIK some of the code to do this attack is out :). If you want to find out more, you have to come to PacSec. :-) The details are fairly intricate but the bottom line is above. Consider yourselves duly warned. cheers, --dr -- World Security Pros. Cutting Edge Training, Tools, and Techniques Buenos Aires, Argentina - Sept. 30 / Oct. 1 - 2008 - http://ba-con.com.ar Tokyo, Japan - November 12/13 2008 - http://pacsec.jp Vancouver, Canada - March 16-20 2009 - http://cansecwest.com pgpkey http://dragos.com/ kyxpgp From sigmaapex at gmail.com Thu Nov 6 10:06:25 2008 From: sigmaapex at gmail.com (J Wilder) Date: Thu, 6 Nov 2008 10:06:25 -0500 Subject: [Dailydave] TechTarget Information Security Decisions Conference In-Reply-To: <4912FAA5.6030006@immunityinc.com> References: <4912FAA5.6030006@immunityinc.com> Message-ID: <002b01c94021$3dc15a70$b9440f50$@com> Yet not entirely new... 
http://findarticles.com/p/articles/mi_m0EIN/is_/ai_n6089017 2004: ManTech International Corporation (Nasdaq:MANT), a leading provider of innovative technologies and solutions focused on mission-critical national security programs for the Department of Defense, Intelligence Community, the Department of State, the Department of Justice, Department of Homeland Security and other federal government customers announced today the introduction of NetWitness version 5.0, an enhanced version of the popular network wiretap tool that offers improved analytics features and increased capabilities to monitor Voice over Internet Protocol (VoIP) traffic. ... -----Original Message----- From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Dave Aitel Sent: Thursday, November 06, 2008 09:10 To: dailydave at lists.immunityinc.com Subject: [Dailydave] TechTarget Information Security Decisions Conference -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm here in Chicago at the TechTarget Information Security Decisions conference [1]. It seems like every second person in Chicago worked for the Obama campaign, although my cabbie on the way to the airport was convinced Obama was a Muslim and "The Antichrist". One interesting thing they did was have 5 ten minute sessions for new technology companies in information security. Probably my favorite was NetWitness. Like every new company, NetWitness focuses on data correlation almost as much as they focus on data collection, if not more. One of the more striking things about it was the speaker they sent up - very non-marketing. He sounded like he'd written some of the code behind it. His talk was simple: Here's what you do today, and it just doesn't work against 0day. Here's some graphs we have that help you analyze 0day attacks on your network, which we generate by collecting every packet you send. 
That way you can do your own anomaly detection instead of relying on some sort of algorithm to give you fuzzy results. *I* don't believe any sort of sniffer is the answer, but he was still the best-in-show in my opinion. In any case, I'll be talking on the panel today at 1:55pm if you want to come by and grade MY performance. :> [1] http://infosecurityconference.techtarget.com/conference/index.html - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJEvqktehAhL0gheoRAjwbAJ0fs91Cjur09yiBRaeTJNZuaWD9NACfVyhv Jmn6+itZHUVEgzIlAIutSNE= =eCZU -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave at lists.immunitysec.com http://lists.immunitysec.com/mailman/listinfo/dailydave From dave at immunityinc.com Fri Nov 7 10:27:21 2008 From: dave at immunityinc.com (Dave Aitel) Date: Fri, 07 Nov 2008 10:27:21 -0500 Subject: [Dailydave] All Ur WiFi(WPA) R Belong 2 PacSec In-Reply-To: <200811062254.51433.dr@kyx.net> References: <200811062254.51433.dr@kyx.net> Message-ID: <49145E59.3050809@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This article has a good summary of the technique, for those not going to Japan. While good work, it's not going to worry me if I have a WPA network set up at home or as part of my business. At least, not yet (and maybe not ever - we'll see :> ). 
The other mitigating factors according to the article are: o It works like chopchop on small packets only o Busy networks might make it impractical o You can only send packets from the AP to the endpoints http://arstechnica.com/articles/paedia/wpa-cracked.ars - -dave Dragos Ruiu wrote: > Just as a heads up, one of the author(s) of the first practical > crypto attack against WPA secured wireless networks, besides > launching a dictionary attack when weak pre-shared keys (PSK) are > used, Erik Tews, will be speaking at PacSec in Tokyo, on Thursday > next week. More specifically, his attack uses a combination of > protocol weaknesses and cryptographic weaknesses to compromise TKIP > encryption. The attack lets the attacker inject seven packets into > the network, per decrypt window. It's an interesting attack, > because it also hints at other attack forms, so it is rather open > ended research. > > You should discontinue use of TKIP; that is my recommendation. > > The problem with this is that most AP implementations that I have > seen will automatically drop back to TKIP from CCMP(AES) to support > older clients. You should disable this if you are given the option > on your AP or WiFi router configuration. Unfortunately how to do > this varies on each router's configuration system, and some > routers do not provide facilities to do this. > > If you aren't given the option to disable this, you might want to > think about getting a different Access Point or WiFi Router. :-) > > You should seriously consider using some higher level encryption > facilities such as a VPN, IPsec, or SSH to secure your > communications over wireless. Look at ssh -D (or equivalent > putty options) to a wired host and the socks proxy options on your > browser to use that port on localhost, when surfing over wireless. > > On some equipment CCMP is called WPA2 and TKIP is WPA. The WPA spec > leaves support of CCMP(AES) optional while the WPA2 spec mandates > both TKIP and AES capability. 
> > Important WPA/WPA2 Recommendations: > > -Use only CCMP(AES). -Disable Negotiations to TKIP from CCMP(AES). > -If you must use TKIP, rekey every 120 seconds. > > Quote: To prevent this attack, we suggest using a very short > rekeying time, for example 120 seconds or less. ... The best > solution would be disabling TKIP and using a CCMP only network. > > Oh, P.S. AFAIK some of the code to do this attack is out :). > > If you want to find out more, you have to come to PacSec. :-) The > details are fairly intricate but the bottom line is above. Consider > yourselves duly warned. > > cheers, --dr > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJFF5ZtehAhL0gheoRAreXAJ0XEpxnbWIAkCb2uYMNEdVMeB2KHwCeM6Fk qva3gj7/uznxX9pmHha3sEY= =fvvr -----END PGP SIGNATURE----- From dave at immunityinc.com Fri Nov 7 16:37:24 2008 From: dave at immunityinc.com (Dave Aitel) Date: Fri, 07 Nov 2008 16:37:24 -0500 Subject: [Dailydave] Hackers to Hackers (Brazil) Message-ID: <4914B514.5020104@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Nicolas Waisman and Pablo Sole are at the Hackers to Hackers conference this weekend in Brazil! You will want to catch Nico's awesome keynote (it features an ant AND a fuzzy bee!) which is right before Steven Adegbite (of MS)'s keynote on the new Microsoft security push. It's good to have a two-for-one keynote! Pablo is talking about DEPLib, which is something Immunity has not publicly discussed previously. Even talking this much about it annoys our VP of Competitive Advantage, so you'll definitely want to check it out. Visit http://www.h2hc.com.br/agenda.html for more information. And of course, Immunity is doing the NOP Certification there - so go annoy them about that if you have what it takes. Please do not get all upset if you don't pass! :> Dave Aitel Immunity, Inc. PATROCINADORES PLATINUM of H2HC! (Which I assume means something good.) 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJFLUTtehAhL0gheoRAiTfAJ9R5UZKBob94HJR5Ar1FlyGR9RVmQCePwPI OZj2iL5SNRsGN4gsKVGn4bA= =/n3K -----END PGP SIGNATURE----- From dr at kyx.net Fri Nov 7 14:33:08 2008 From: dr at kyx.net (Dragos Ruiu) Date: Fri, 7 Nov 2008 11:33:08 -0800 Subject: [Dailydave] [Full-disclosure] Once thought safe, WPA Wi-Fi encryption is cracked In-Reply-To: <1014051114.20081107183745@Zoller.lu> References: <6450e99d0811061503k7bc99f24oe83955e87cd50960@mail.gmail.com> <1014051114.20081107183745@Zoller.lu> Message-ID: <266831CA-BEB3-4566-919D-499F1910B449@kyx.net> On 7-Nov-08, at 9:37 AM, Thierry Zoller wrote: > WPA is not cracked, a way was found to brute TKIP. Not quite exactly... The actual impact is unclear due to the complicated exploitation mode. And there are suggestions that it can be expanded upon... The attack lets AP -> Client communications be decrypted, and a hostile attacker can inject traffic. Client -> AP communications are not threatened yet, AFAIK. What can be done with this capability is still to be evaluated. The complicated part comes in the fact that part of this attack is cryptographic weakness, and part of it is a protocol weakness. It will take some more study before it is fully understood and the full scope of impact is known IMHO. cheers, --dr -- World Security Pros. 
Cutting Edge Training, Tools, and Techniques Tokyo, Japan November 12/13 2008 http://pacsec.jp Vancouver, Canada March 16-20 2009 http://cansecwest.com pgpkey http://dragos.com/ kyxpgp From smooge at gmail.com Fri Nov 7 11:41:52 2008 From: smooge at gmail.com (Stephen John Smoogen) Date: Fri, 7 Nov 2008 09:41:52 -0700 Subject: [Dailydave] All Ur WiFi(WPA) R Belong 2 PacSec In-Reply-To: <49145E59.3050809@immunityinc.com> References: <200811062254.51433.dr@kyx.net> <49145E59.3050809@immunityinc.com> Message-ID: <80d7e4090811070841p58548946h199a82cbd54491ce@mail.gmail.com> On Fri, Nov 7, 2008 at 8:27 AM, Dave Aitel wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > This article has a good summary of the technique, for those not going > to Japan. While good work, it's not going to worry me if I have a WPA > network set up at home or as part of my business. At least, not yet > (and maybe not ever - we'll see :> ). > > The other mitigating factors according to the article are: > o It works like chopchop on small packets only > o Busy networks might make it impractical > o You can only send packets from the AP to the endpoints > > http://arstechnica.com/articles/paedia/wpa-cracked.ars Hmmm it would be interesting to see what kind of devices have a higher-level renegotiate .. as in I am told by the 'AP' that old WPA key is no longer accepted but can you send in the clear or switch to this new WPA key (or go to WEP or ROT13). Then you just set up your directional antennae with a bigger generator and get everyone to start talking to you outside the building versus inside. -- Stephen J Smoogen. -- BSD/GNU/Linux How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. 
"The Merchant of Venice" From raul.siles at gmail.com Sat Nov 8 18:52:02 2008 From: raul.siles at gmail.com (Raul Siles) Date: Sun, 9 Nov 2008 00:52:02 +0100 Subject: [Dailydave] All Ur WiFi(WPA) R Belong 2 PacSec In-Reply-To: <80d7e4090811070841p58548946h199a82cbd54491ce@mail.gmail.com> References: <200811062254.51433.dr@kyx.net> <49145E59.3050809@immunityinc.com> <80d7e4090811070841p58548946h199a82cbd54491ce@mail.gmail.com> Message-ID: The associated whitepaper from the authors has been released on the aircrack-ng links page: http://dl.aircrack-ng.org/breakingwepandwpa.pdf -- Raul Siles www.raulsiles.com Early details: http://radajo.blogspot.com/2008/11/wpatkip-chopchop-attack.html On Fri, Nov 7, 2008 at 5:41 PM, Stephen John Smoogen wrote: > On Fri, Nov 7, 2008 at 8:27 AM, Dave Aitel wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> This article has a good summary of the technique, for those not going >> to Japan. While good work, it's not going to worry me if I have a WPA >> network set up at home or as part of my business. At least, not yet >> (and maybe not ever - we'll see :> ). >> >> The other mitigating factors according to the article are: >> o It works like chopchop on small packets only >> o Busy networks might make it impractical >> o You can only send packets from the AP to the endpoints >> >> http://arstechnica.com/articles/paedia/wpa-cracked.ars > > Hmmm it would be interesting to see what kind of devices have a > higherlevel renegotiate .. as in I am told by the 'AP' that old WPA > key is no longer accepted but can you send in the clear or switch to > this new WPA key (or go to WEP or ROT13). Then you just set up your > directional attenae with a bigger generator and get everyone to start > talking to you outside the building versus inside. > > > > -- > Stephen J Smoogen. -- BSD/GNU/Linux > How far that little candle throws his beams! So shines a good deed > in a naughty world. = Shakespeare. 
"The Merchant of Venice" > _______________________________________________ > Dailydave mailing list > Dailydave at lists.immunitysec.com > http://lists.immunitysec.com/mailman/listinfo/dailydave > From blancher at cartel-securite.fr Sun Nov 9 17:14:08 2008 From: blancher at cartel-securite.fr (Cedric Blancher) Date: Sun, 09 Nov 2008 23:14:08 +0100 Subject: [Dailydave] All Ur WiFi(WPA) R Belong 2 PacSec In-Reply-To: References: <200811062254.51433.dr@kyx.net> <49145E59.3050809@immunityinc.com> <80d7e4090811070841p58548946h199a82cbd54491ce@mail.gmail.com> Message-ID: <1226268848.11730.23.camel@anduril.intranet.cartel-securite.net> Le dimanche 09 novembre 2008 ? 00:52 +0100, Raul Siles a ?crit : > The associated whitepaper from the authors has been released on the > aircrack-ng links page: > http://dl.aircrack-ng.org/breakingwepandwpa.pdf You can find a summary I posted earlier today about it: http://sid.rstack.org/blog/index.php/305-des-fameuses-faiblesse-de-tkip It is written in French, but English speaking readers can click on the UK flag just beneath title and get a Google translated version :) -- http://sid.rstack.org/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE >> Hi! I'm your friendly neighbourhood signature virus. >> Copy me to your signature file and help me spread! From brouce at gmx.net Tue Nov 11 13:07:30 2008 From: brouce at gmx.net (wishi) Date: Tue, 11 Nov 2008 19:07:30 +0100 Subject: [Dailydave] All Ur WiFi(WPA) R Belong 2 PacSec In-Reply-To: <1226268848.11730.23.camel@anduril.intranet.cartel-securite.net> References: <200811062254.51433.dr@kyx.net> <49145E59.3050809@immunityinc.com> <80d7e4090811070841p58548946h199a82cbd54491ce@mail.gmail.com> <1226268848.11730.23.camel@anduril.intranet.cartel-securite.net> Message-ID: <4919C9E2.7070801@gmx.net> Cedric Blancher schrieb: > Le dimanche 09 novembre 2008 ? 
00:52 +0100, Raul Siles a écrit : >> The associated whitepaper from the authors has been released on the >> aircrack-ng links page: >> http://dl.aircrack-ng.org/breakingwepandwpa.pdf > > You can find a summary I posted earlier today about it: > > http://sid.rstack.org/blog/index.php/305-des-fameuses-faiblesse-de-tkip > > It is written in French, but English speaking readers can click on the > UK flag just beneath title and get a Google translated version :) > > I think this is a perfect example of two technologies which aren't vulnerable by themselves: on the one hand this attack only works on QoS enabled Access Points, on the other hand these Access Points have to use TKIP, too. Regardless of WPA I or II, as long as no AES-CCMP is used. Thing is: TKIP without QoS won't allow any successful attacks, either. But today there's a need for VoIP and other technologies which need a good latency. Which leads me to another thought: UCsniff has been released this week. It's a very advanced VoIP sniffer. (http://ucsniff.sourceforge.net/) Especially the combinations again are problematic. Now it's not just application data, but even VoIP, which can leak. It's like a little piece of dynamite added to the problem to make it explode. - Because it'll take years for the mass of people to patch their routers. Even great companies have to find a new common denominator to apply more security without TKIP, because QoS most times is harder to deactivate. It seems things came together... and made a really nice explosion! 
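The thread's advice for access point operators (CCMP only, no negotiation down to WPA/TKIP, a rekey of 120 seconds or less if TKIP cannot be removed, and the observation just above that the attack additionally needs QoS enabled) can be checked mechanically against a hostapd configuration. The script below is an added example and is not code from this thread or from any of its participants. The option names (wpa, wpa_pairwise, rsn_pairwise, wpa_group_rekey, wmm_enabled) are real hostapd keys; the three sample configurations, the 600-second default rekey value and the wording of the findings are constructed assumptions for illustration.

```python
"""Audit a hostapd.conf against the WPA/TKIP advice given in this thread.

Added example. Option names are real hostapd keys; the sample configs,
the default rekey value and the finding texts are constructed assumptions.
"""

# Assumption: hostapd rekeys the group key every 600 seconds when
# wpa_group_rekey is not set (the value in the stock example hostapd.conf);
# a value of 0 is taken to mean "never rekey".
DEFAULT_GROUP_REKEY = 600
# Rekey interval the thread quotes for networks that cannot drop TKIP.
MAX_TKIP_REKEY_SECONDS = 120

# Constructed sample: WPA/WPA2 mixed mode with TKIP allowed, WMM (802.11e
# QoS) on for a voice SSID, and the common one-hour group rekey.
WEAK_CONF = """
ssid=voice-wlan
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=PLACEHOLDER-CHANGE-ME
wmm_enabled=1
wpa_group_rekey=3600
"""

# Constructed sample: WPA2 only, CCMP only. WMM stays on, because the
# thread's point is that QoS is only a problem in combination with TKIP.
HARDENED_CONF = """
ssid=voice-wlan
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-CHANGE-ME
wmm_enabled=1
"""

# Constructed sample: legacy clients force TKIP to stay, so the fallback
# advice applies: short group rekey and no WMM.
LEGACY_TKIP_CONF = """
ssid=legacy-wlan
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
wpa_passphrase=PLACEHOLDER-CHANGE-ME
wmm_enabled=0
wpa_group_rekey=120
"""


def parse_hostapd(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def accepted_ciphers(conf):
    """Return (wpa bit field, set of pairwise ciphers the AP will negotiate).

    In hostapd 'wpa' is a bit field: 1 = WPA (v1), 2 = WPA2/RSN, 3 = both.
    wpa_pairwise applies to WPA; rsn_pairwise applies to WPA2 and falls
    back to wpa_pairwise when it is not set.
    """
    wpa = int(conf.get("wpa", "0"))
    wpa_pairwise = set(conf.get("wpa_pairwise", "").split())
    rsn_pairwise = set(conf.get("rsn_pairwise", "").split()) or wpa_pairwise
    ciphers = set()
    if wpa & 1:
        ciphers |= wpa_pairwise
    if wpa & 2:
        ciphers |= rsn_pairwise
    return wpa, ciphers


def audit(text):
    """Return a list of findings; an empty list means the config follows the advice."""
    conf = parse_hostapd(text)
    wpa, ciphers = accepted_ciphers(conf)
    if wpa == 0:
        return ["wpa=0: no WPA at all on this interface"]
    findings = []
    if wpa & 1:
        findings.append("wpa=%d permits WPA (v1) association; set wpa=2 so "
                        "clients cannot negotiate down" % wpa)
    if "TKIP" in ciphers:
        # hostapd uses the weakest accepted pairwise cipher as the group
        # cipher, so allowing TKIP anywhere makes the broadcast key TKIP too.
        findings.append("TKIP is an accepted pairwise cipher (group cipher will be TKIP)")
        rekey = int(conf.get("wpa_group_rekey", DEFAULT_GROUP_REKEY))
        if rekey == 0 or rekey > MAX_TKIP_REKEY_SECONDS:
            findings.append("wpa_group_rekey=%d with TKIP; rekey every %d seconds or less"
                            % (rekey, MAX_TKIP_REKEY_SECONDS))
        # Assumption: wmm_enabled defaults to 0 in hostapd builds of this era.
        if conf.get("wmm_enabled", "0") == "1":
            findings.append("wmm_enabled=1 with TKIP: the QoS queues the attack needs are exposed")
    unknown = ciphers - {"TKIP", "CCMP"}
    if unknown:
        findings.append("unrecognised pairwise cipher(s): %s" % ", ".join(sorted(unknown)))
    return findings
```

Running `audit(WEAK_CONF)` reports the mixed-mode negotiation, the TKIP cipher, the one-hour rekey and the WMM exposure; `audit(HARDENED_CONF)` returns an empty list even though WMM is still on, and `audit(LEGACY_TKIP_CONF)` leaves only the single unavoidable TKIP finding. The same parsing approach transfers to vendor AP exports, which is where the fallback-to-TKIP setting Dragos warns about usually hides.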
From neal.wise+dailydave at assurance.com.au Tue Nov 11 22:14:29 2008 From: neal.wise+dailydave at assurance.com.au (neal wise) Date: Wed, 12 Nov 2008 14:14:29 +1100 Subject: [Dailydave] All Ur WiFi(WPA) R Belong 2 PacSec In-Reply-To: <4919C9E2.7070801@gmx.net> References: <200811062254.51433.dr@kyx.net> <49145E59.3050809@immunityinc.com> <80d7e4090811070841p58548946h199a82cbd54491ce@mail.gmail.com> <1226268848.11730.23.camel@anduril.intranet.cartel-securite.net> <4919C9E2.7070801@gmx.net> Message-ID: <5C1D1F27-DB02-4590-BE66-8843F8131940@assurance.com.au> On 12/11/2008, at 5:07 AM, wishi wrote: > I think this is a perfect example of two technologies which aren't > vulnerable by themselves: on the one hand this attack only works on > QoS > enabled Access Points, on the other hand these Access Points have to > use TKIP, too. In playing with tkiptun-ng I found I had to enable 802.11e/WMM (off by default) on an out-of-the-box Linksys WRT54G. Sure you'd have it if you were doing QoS-based ranking. I can't think of any enterprise APs that have QoS on by default. The tkiptun-ng tool released to implement the attack attempts to determine RFC1918 addresses in use by the wireless network. So, interestingly, it seems that wireless networks numbered with public, assigned TCP/IP addresses rather than private ones would make determining unknown plaintext bytes harder. This applies to a couple of my lucky clients who have large, historical registered address ranges in use for their internal networks. So you'd need to know non-RFC1918 TCP/IP addresses in use to, um, know the TCP/IP addresses in use. Phone call to helpdesk+social engineering, mail headers, etc. :-) and then add that network to tkiptun-ng src to narrow it down. And for the attack you need to support a group rekeying time long enough to recover the unknown plaintext that ALSO doesn't change on events. 
Like how Cisco Aironet APs can rotate group keys based on member capability changes and when group members leave the group (roam to another AP or, well, leave). If enabled (not a default) this group key change would seem to require restarting the "walk through" part of the attack (the part based on recovering the unknown parts of the plaintext from the encrypted ARP request/replies it identifies). So as long as your victim network has long enough group key time *and* never, ever changes on events while you're looking... > Regardless of WPA I or II, as long as no AES-CCMP is > used. > Thing is: TKIP without QoS won't allow any successful attacks, either. > But today there's a need for VoIP and other technologies which need a > good latency. Which leads me to another thought: > > UCsniff has been released this week. It's a very advanced VoIP > sniffer. > (http://ucsniff.sourceforge.net/) Yeah you'd certainly be more likely to have QoS in a multi-SSID AP supporting data/voice. And you do see networks around that mention voice/phone in the SSID name harhar That makes me think about lining up the required issues - WPA/TKIP on, WMM/802.11e on for EDCA, long-ish group rekeying time (3600 *is* a common default), private network addresses in use (common certainly) - I can think of a whole generation of VoIP-over-wireless devices released starting around 2005 that supported WEP out of the box but were firmware upgradeable to WPA/TKIP (no WPA/AES or WPA2/AES). Spectralink E340's spring to mind - these were OEM'd quite a bit by bigger telephony vendors. 
regards, Neal ___________ Neal Wise CISSP CISA - assurance.com.au!neal.wise PGP: 1DAA 1F81 EE57 F975 BA41 5BBA 7C38 F9F0 522D F20E From dave at immunityinc.com Wed Nov 12 15:03:44 2008 From: dave at immunityinc.com (Dave Aitel) Date: Wed, 12 Nov 2008 15:03:44 -0500 Subject: [Dailydave] H2HC papers online Message-ID: <491B36A0.5080803@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I know everyone's just waiting for AI War to come out, but in the meantime we've put the presentations that Nicolas Waisman and Pablo Solé did at H2HC in Brazil here: http://www.immunityinc.com/resources-papers.shtml. I think DEPLIB in particular is quite interesting. At first it seems like something that would be quite obvious to create. "Oh yes, that seems doable" but then you think for a long time about it and realize it is not as simple as you were hoping. In any case, if you're at all interested in exploitation they are worth a read. - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJGzagtehAhL0gheoRAgU8AJ9+nLnYsEwueSqTx29KVIA+K+FWEACfcS2m HyPpcgjLdpEYmSDycDT3Zw0= =lzXt -----END PGP SIGNATURE----- From dave at immunityinc.com Thu Nov 13 18:19:27 2008 From: dave at immunityinc.com (Dave Aitel) Date: Thu, 13 Nov 2008 18:19:27 -0500 Subject: [Dailydave] Flashy. Message-ID: <491CB5FF.3050506@immunityinc.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Some web sites are secure. It's annoying, but it's the way it is with modern libraries and web application packs. However, even on web sites that are fundamentally strong, sometimes the random third party things they use interact with a web browser in a way they can't hope to inspect. Flash is a key example. Although it's not mentioned anywhere clearly that I can see, IE and Firefox treat SWF files somewhat differently. If you browse to http://www.example.com/bob.swf?a=b in IE, it will render it. 
If you do the same in Firefox, it will download the swf file. People make oblique comments about IFrames being able to force Firefox to behave like IE, but I don't think it works. IE behaving like this makes some poorly coded Flash (ActionScript 2) movies vulnerable to cross site scripting. Lots of web sites provide Flash movies as "Demos" of their product. To the web developer, these are just images they serve up. To the hacker, they're full blown applications to decompile (thanks flare!) and attack. SWFIntruder, while very good work, is not a magic button to get your XSS found and fixed, fortunately for those of us in the assessment business this week. :> So even when your website itself is completely secure, the interaction between your website and the browser is often not, which is a funny thing. This is one of the things that was discussed during the panel (we tried to make it fun!) in Chicago last week but it's good to see it in practice. - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJHLX+tehAhL0gheoRAp+fAJ9OFbOKpJsTAzPX13vTP520D5jMzQCfbVaS 2v85tvVz44HFgJE3PTIV3H8= =H1Ly -----END PGP SIGNATURE----- From Adam_Meyers at sra.com Mon Nov 17 08:45:11 2008 From: Adam_Meyers at sra.com (Meyers, Adam) Date: Mon, 17 Nov 2008 08:45:11 -0500 Subject: [Dailydave] Fw: NetWitness Investigator is now free! Message-ID: FYI: Adam Meyers Principal Information Assurance Division SRA International cell: 703.229.7857 lab: 703.284.5066 fax: 703.284.1386 http://www.sra.com PGP Fingerprint: 6476 C089 9EB6 C076 ADCF 1102 5097 97C9 EE21 49E5 -----Original Message----- From: NetWitness To: Meyers, Adam Sent: Mon Nov 17 08:01:36 2008 Subject: NetWitness Investigator is now free! We have an early holiday present for everyone. Today, we at NetWitness announced the immediate availability of a freeware version of our core product, NetWitness Investigator. 
With today's announcement, we are working to begin a philosophical change in the security industry - providing users at all levels in security, I/T audit, anti-fraud and law enforcement with comprehensive analytical insight into technical, complex threats faced by the smallest to the very largest organizations. Effective immediately you may obtain this fully functional and licensed free version of NetWitness Investigator at: http://download.netwitness.com . The free version of NetWitness Investigator contains all major features of the Enterprise edition and the NextGen infrastructure. Version 8.6 of NetWitness Investigator provides users with significantly enhanced protection to analyze network sessions and deliver increased insight into all traffic and context. New features include SSL decryption and analysis of encrypted network traffic; interactive charts for instantaneous analysis; and enhanced content views for numerous protocols and applications. We all know that there are gaps in addressing today's advanced threats because current security solutions are highly dependent upon signatures, operate at the network layer, or are based upon incomplete statistical information. NetWitness Investigator is deployed at some of the largest government and financial institutions in the world to detect and help stop nation-sponsored and organized criminal techniques. It is also used to monitor insider threats such as rogue users and to verify operational regulatory compliance. This free version of Investigator, now available to all organizations, will permit users of all levels (novice to expert) to easily analyze and mine large amounts of information - the actual full content of captured traffic. This approach allows users to rapidly identify and resolve many of their most complex security problems -- achieving faster and better informed security responses. 
Once you download Investigator, you can visit our YouTube channel where you will find information on getting started with the software. You also can join the NetWitness Community, where you can share use cases and applications of the software with your peers in the industry. We are sure that once you install the software and capture some of your organization's data, you will see your network in ways you never imagined - and begin to understand why so many people are excited about this free release of Investigator. From jmoss at blackhat.com Tue Nov 18 15:32:17 2008 From: jmoss at blackhat.com (jmoss) Date: Tue, 18 Nov 2008 12:32:17 -0800 Subject: [Dailydave] Black Hat November News: CFPS Now Open, Webinar 5 and Japan on-line. Message-ID: <02db01c949bc$bffa6ff0$3fef4fd0$@com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Daily Dave, we opened up the CFPs for Washington D.C. and Amsterdam, as well as some new ways to get involved in Black Hat. The audio from Tokyo is being uploaded today, should be linked in this week. BLACK HAT FREE WEBINAR Nov 20th https://www.blackhat.com/html/webinars/clickjacking.html Black Hat Webcast #5 is scheduled for Thursday, November 20 at 1pm PST. The topic this time is Clickjacking, and our featured guest is Jeremiah Grossman, the co-discoverer of the widely publicized vulnerability. 
For the uninitiated, it's a set of techniques discovered by Jeremiah Grossman and Robert Hansen that allows an attacker to transparently capture a user's clicks, forcing the user to do all manner of unpleasant things ranging from adjusting security settings to unwittingly visiting websites with malicious code. The vectors for this attack include all the major browsers and Flash. In co-operation with Adobe, the discoverers delayed public discussion to allow a patch to be created. In the intervening time, other researchers have made partial disclosures, but this is your chance to join co-discoverer Jeremiah Grossman for a Black Hat webcast that deals with the attack from all sides. Bring your questions - we'll have a Q&A session after the presentation. Black Hat Japan is in the books and we're already looking forward to the Washington DC and Europe events. If you missed Black Hat Tokyo, we have put all the material on-line for download, and are in the process of getting the audio files tagged and on-line as well: https://www.blackhat.com/html/bh-japan-08/brief-bh-jp-08-onsite-archive.html BLACK HAT WASHINGTON DC CFP NOW OPEN Held February 16-19, 2009 at the Hyatt Regency Crystal City. Black Hat DC is the leading security conference focused on the needs of government and infrastructure security professionals, with tracks focused on Hardware and Embedded Devices, Reverse Engineering and Malware, Client Wars and Application Security, and Forensics and Network Protection. We hope to see you there for another highly technical and refreshingly vendor-neutral event. Submitters will have until January 1 to get their papers into the Black Hat CFP system at : https://www.blackhat.com/html/bh-dc-09/bh-dc-09-cfp.html. We expect to have the final selections for speakers and trainers made by January 15, 2009. 
For those who wish to attend, you can get the best rates by registering early and online registration is open at: https://www.blackhat.com/html/bh-registration/bh-registration-dc-09.html Information about this year's venue can be located on the BH DC 09 venue page at: https://www.blackhat.com/html/bh-dc-09/bh-dc-09-venue.html. BLACK HAT EUROPE CFP NOW OPEN Black Hat Europe returns to Amsterdam from April 14 to April 17 with the best lineup of security trainers and speakers anywhere on the European continent. Tracks include Hardware and Embedded Devices, Reversing and Malware, Client Wars and Application Security, as well as a focus on the Enterprise for issues typically found in large enterprises, from databases, access control, data management, centralized logging and policy management all the way to routing and switching infrastructure. The CFP closes February 1 with final selection expected by February 15, 2009. Papers can be submitted to: https://www.blackhat.com/html/bh-europe-09/bh-eu-09-cfp.html. Online registration for BH EU is also open at: https://www.blackhat.com/html/bh-registration/bh-registration-eu-09.html so be sure to register early for the best prices. Black Hat Europe will be located again this year at the Moevenpick Amsterdam City Center. To learn more about the venue, you can check the EU 09 venue page on the Black Hat website here: https://www.blackhat.com/html/bh-europe-09/bh-eu-09-venue.html. Please keep in mind that paid delegates will have the opportunity to read and evaluate CFP abstracts as the process unfolds. Early registrants will have the most opportunity to help shape the upcoming events by helping review CFPs through our crowd-sourcing CFP system. Learn more here: https://www.blackhat.com/html/blackpages/blackpages.html GET INVOLVED WITH BLACK HAT! 
- Help review CFP submissions if you are a paid attendee: https://www.blackhat.com/html/blackpages/blackpages.html
- Join the Black Hat LinkedIn group and participate in discussions and comment on news http://www.linkedin.com/groups?gid=37658&trk=hb_side_g
- Share your pictures of past events, or just check out ours: http://www.flickr.com/photos/30017677 at N05/

BLACK HAT NEWS AND UPDATES

If you want to get instant access to Black Hat news, you can get our RSS feed: https://www.blackhat.com/BlackHatRSS.xml
Follow us on Twitter: https://www.twitter.com/BlackHatUSA2008

Jeff Moss

From dave.aitel at gmail.com Sat Nov 22 08:03:28 2008
From: dave.aitel at gmail.com (Dave Aitel)
Date: Sat, 22 Nov 2008 08:03:28 -0500
Subject: [Dailydave] CSI 2008 Redux
Message-ID:

For TQBF and similar food people who twitter about cooking but should be twittering about chemistry like this:
:> "Why Fries Taste So Good" http://www.rense.com/general7/whyy.htm

CSI is a big conference - aimed not towards hackers but to IT managers. Nevertheless it's interesting to gauge the speakers on their personalities sometimes more than their tech. Steve Hanna [1], while ostensibly talking about trusted computing seemed upset at the current US administration's choices for the use of technology, which was an undercurrent in the conference (held in DC). But not having a global PKI system (a.k.a.
Palladium, NGTGB, or Trusted Computing, the group Steve works on) is a good way to make sure governments or large corporations don't abuse it, you know? After that he went on to say that even with Trusted Computing, NAC still has an important place for access control, which seemed to veer into confusing all the OSI layers. If you can literally cryptographically attest to the code running on a workstation, why do you need network access control? And I don't understand why you need a trusted computing chip if you decide to trust your hypervisor in the first place. Trusting the hypervisor instead of a public key on a chip from Dell makes a lot more sense. It's more configurable in a user-friendly way, and less configurable in a RIAA/Big Brother friendly way. -dave [1] http://www.networkworld.com/power/2006/122506-most-powerful-people-hanna.html -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20081122/adfaa2e0/attachment.htm From aoz.syn at gmail.com Sat Nov 22 17:22:22 2008 From: aoz.syn at gmail.com (RB) Date: Sat, 22 Nov 2008 15:22:22 -0700 Subject: [Dailydave] CSI 2008 Redux In-Reply-To: References: Message-ID: <4255c2570811221422r4910260cq3e00f9f6bd9d0271@mail.gmail.com> On Sat, Nov 22, 2008 at 06:03, Dave Aitel wrote: > And I don't understand why you need a trusted computing chip if you decide > to trust your hypervisor in the first place. Trusting the hypervisor instead > of a public key on a chip from Dell makes a lot more sense. It's more > configurable in a user-friendly way, and less configurable in a RIAA/Big > Brother friendly way. To quickly address the public key bit: yes, the chip from Infineon/Atmel/etc. that Dell soldered to their motherboard has an RSA key (EK) burned into it, but that is only used if you follow the full TCG specifications. 
The second RSA key (SRK), which is what everyone actually deals with, is changed every time you "take ownership" of the chip. You can't specify or modify the private portion, but you often can't with smartcards. Leaving the trust issue alone, I find it entirely regrettable that so many seem to have blindly swallowed the "Right to Read" hype and simply assume TPM chips are evil insilicate. I detest DRM & Big Brother as much as your garden-variety Libertarian, but while trying to solve the very difficult physical presence security problem a couple of years ago, I decided to try to examine them for what they are. Needless to say, I was surprised: although TPM chips certainly could provide the building blocks to do what we all fear, they're generally quite benign, more analogous to an integrated smartcard than an evil overlord's rootkit. Here's an extremely simplistic overview: For the most part, a TPM chip sits idle - after "measuring" (generating a checksum) of a few boot-time bits, it largely serves as a secure cryptography facility. The only checksums it actively makes are of itself and of the BIOS; after that, each component in the boot process _tells_ the TPM a 20-byte value (usually the SHA1) of the next component and which register to store it in. Encryption comes in two flavors: bound and sealed. Bound encryption uses the SRK to encrypt/decrypt arbitrary data that is generally another encryption key. Sealed encryption takes it a step further and integrates the checksums from specified boot processes, generally tying the resulting key to very particular hardware & software configurations. The problem at this point is that people inextricably conflate TPMs with the remainder of the TCG specifications: mostly remote attestation and the associated big-brother issues. It's a simple piece of technology that supports a much larger and agreeably more intrusive suite, but its utility goes far beyond the unfortunate association. 
It is _just_ a [presumed] secure cryptography facility that supports a wide variety of functionality. Hardware trumps software, and I, for one, would rather trust a smartcard to securely store my keys than a piece of software. RB From alex at sotirov.net Sat Nov 22 18:06:00 2008 From: alex at sotirov.net (Alexander Sotirov) Date: Sat, 22 Nov 2008 15:06:00 -0800 Subject: [Dailydave] CSI 2008 Redux In-Reply-To: References: Message-ID: <20081122230600.GA1048@dsl093-068-004.sfo1.dsl.speakeasy.net> On Sat, Nov 22, 2008 at 08:03:28AM -0500, Dave Aitel wrote: > And I don't understand why you need a trusted computing chip if you decide > to trust your hypervisor in the first place. Trusting the hypervisor instead > of a public key on a chip from Dell makes a lot more sense. It's more > configurable in a user-friendly way, and less configurable in a RIAA/Big > Brother friendly way. Because with a TPM chip you can verify (remotely) that the hypervisor that booted on the machine is really the one you trust, and not a malicious or backdoored one. Alex -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 194 bytes Desc: not available Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20081122/6643e03c/attachment.pgp From joanna at invisiblethingslab.com Sun Nov 23 10:06:40 2008 From: joanna at invisiblethingslab.com (Joanna Rutkowska) Date: Sun, 23 Nov 2008 16:06:40 +0100 Subject: [Dailydave] CSI 2008 Redux In-Reply-To: <20081122230600.GA1048@dsl093-068-004.sfo1.dsl.speakeasy.net> References: <20081122230600.GA1048@dsl093-068-004.sfo1.dsl.speakeasy.net> Message-ID: <49297180.3000602@invisiblethingslab.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alexander Sotirov wrote: > On Sat, Nov 22, 2008 at 08:03:28AM -0500, Dave Aitel wrote: >> And I don't understand why you need a trusted computing chip if you decide >> to trust your hypervisor in the first place. 
Trusting the hypervisor instead
>> of a public key on a chip from Dell makes a lot more sense. It's more
>> configurable in a user-friendly way, and less configurable in a RIAA/Big
>> Brother friendly way.
>
> Because with a TPM chip you can verify (remotely) that the hypervisor that
> booted on the machine is really the one you trust, and not a malicious or
> backdoored one.
>

... which, of course, doesn't prevent the hypervisor from being exploited 5 secs after it got securely loaded, e.g. via some buffer overflow bug... But, nevertheless, yes, this indeed is a very important feature of the TPM (and the whole trusted boot concept, like e.g. Intel TXT), and people should eventually stop talking that TPM is bad. It is not, and it indeed can provide great value for users concerned about security (and not only physical security!). I wish people who complain so much about TPM read the spec first and then make their complaints. Of course, there could be some undocumented functionality there (=backdoor), but this applies equally well to your network card, graphics card, the chipset and even the processor ;)

BTW, I'm also glad to see a VMWare researcher acknowledging it :) So far, only the Xen hypervisor can use the trusted boot mechanism via the Intel-provided tboot component AFAIK. So, looking forward to see the ESX implementing trusted boot at some point in time.

joanna.
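RB's overview of PCR measurement and bound versus sealed encryption, together with Alex's and Joanna's exchange about verifying which hypervisor booted, as an added worked example; this is not code from any poster, from the TCG specification or from any TPM vendor. It assumes a toy model: SHA-1 PCR extension as in TPM 1.2, a Storage Root Key modelled as a symmetric secret, a keystream-XOR and HMAC standing in for the TPM's real key wrapping, and constructed component images in place of a real BIOS, bootloader and hypervisor.

```python
import hashlib
import hmac
import os
from typing import Optional

PCR_COUNT = 24   # TPM 1.2 exposes 24 Platform Configuration Registers
PCR_SIZE = 20    # each holds one SHA-1 digest
GOOD_HV = b"constructed Xen-style hypervisor image"   # constructed sample


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) blocks XORed over data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class ToyTPM:
    """PCRs, extend, bind and seal, modelled after RB's description."""

    def __init__(self, srk: Optional[bytes] = None):
        self.pcrs = [bytes(PCR_SIZE)] * PCR_COUNT   # all zero after reset
        # Storage Root Key: an RSA key created at take-ownership in a real
        # TPM; modelled here as a symmetric secret (assumption).
        self.srk = srk if srk is not None else os.urandom(32)

    def extend(self, index: int, measurement: bytes) -> bytes:
        """PCR[i] <- SHA1(PCR[i] || measurement). A PCR can only be
        extended, never set, so it commits to the whole measurement chain."""
        if len(measurement) != PCR_SIZE:
            raise ValueError("measurement must be a 20-byte SHA-1 digest")
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()
        return self.pcrs[index]

    def _key_for(self, pcr_indices) -> bytes:
        """Key derived from the SRK plus the selected PCR values."""
        composite = b"".join(self.pcrs[i] for i in sorted(pcr_indices))
        return hmac.new(self.srk, composite, hashlib.sha256).digest()

    def bind(self, data: bytes) -> bytes:
        """Bound encryption: depends on the SRK only, so it survives any
        change to the boot chain. Applying it twice recovers the plaintext."""
        return _keystream_xor(self._key_for(()), data)

    def seal(self, data: bytes, pcr_indices) -> tuple:
        """Sealed encryption: additionally tied to the chosen PCR values."""
        key = self._key_for(pcr_indices)
        blob = _keystream_xor(key, data)
        tag = hmac.new(key, blob, hashlib.sha256).digest()
        return (tuple(sorted(pcr_indices)), blob, tag)

    def unseal(self, sealed: tuple) -> Optional[bytes]:
        """Returns the data only if the PCRs now equal those at seal time."""
        pcr_indices, blob, tag = sealed
        key = self._key_for(pcr_indices)
        if not hmac.compare_digest(tag, hmac.new(key, blob, hashlib.sha256).digest()):
            return None
        return _keystream_xor(key, blob)


def measured_boot(tpm: ToyTPM, chain) -> None:
    """Each stage hashes the next image and tells the TPM which PCR to
    extend; the TPM never inspects the image itself."""
    for pcr_index, image in chain:
        tpm.extend(pcr_index, hashlib.sha1(image).digest())


def demo(hypervisor_image: bytes) -> dict:
    """Seal a key on a known-good boot, then boot the same platform (same
    SRK) with the given hypervisor image and see what still opens."""
    srk = b"constructed-srk-for-demo"            # constructed, not a real key
    good_chain = [(0, b"constructed BIOS image"),
                  (4, b"constructed bootloader image"),
                  (17, GOOD_HV)]
    reference = ToyTPM(srk)
    measured_boot(reference, good_chain)
    secret = b"disk-encryption-key"
    sealed = reference.seal(secret, pcr_indices=(0, 4, 17))
    bound = reference.bind(secret)

    rebooted = ToyTPM(srk)
    measured_boot(rebooted, good_chain[:2] + [(17, hypervisor_image)])
    # The limit Joanna raises applies: PCR 17 records what was loaded; a
    # hypervisor exploited after loading leaves every PCR unchanged.
    return {
        "pcr17_matches": rebooted.pcrs[17] == reference.pcrs[17],
        "unsealed": rebooted.unseal(sealed),
        "bound_decrypts": rebooted.bind(bound) == secret,
    }


if __name__ == "__main__":
    print(demo(GOOD_HV))                      # everything opens
    print(demo(GOOD_HV + b" + backdoor"))     # sealed key withheld
```

With the genuine image the sealed key unseals and PCR 17 matches; with a modified image PCR 17 differs and the sealed key is withheld, while the merely bound key still decrypts because it never depended on the boot chain.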
From jerome.athias at ja-psi.fr Sun Nov 23 15:32:12 2008
From: jerome.athias at ja-psi.fr (Jerome Athias)
Date: Sun, 23 Nov 2008 21:32:12 +0100
Subject: [Dailydave] [CFP] FRHACK 01 PRE-Call For Papers
Message-ID: <4929BDCC.5040705@ja-psi.fr>

[CFP] FRHACK 01 Pre-Call For Papers

##########################################################################################
> FRHACK: By Hackers, For Hackers! http://www.frhack.org
##########################################################################################

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ FRHACK 01
+ PRE Call For Papers
+ Besançon, France (Kursaal Hall)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Do you like good wine, french bread & food, strikes and the french kiss? If so, you will love FRHACK!

[ - Introduction - ]

FRHACK is the First International IT Security Conference, by hackers - for hackers, in France! FRHACK is not commercial - but - highly technical.

Target Audience: Security Officers, Security Professionals and Product Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and Firewall Administrators, Teachers, Academic Researchers and Software Developers.

The FRHACK Team (TFT) encourages speakers to present new and interesting projects for FRHACK 01 and will give preferential treatment to submissions that have not been presented at other conferences. Further, TFT invites any individual who has not spoken at a conference before to submit a talk and attempt to make FRHACK their inaugural event! TFT encourages girls passionate about IT Security to submit papers, as TFT will offer a prize to the "Best IT Security girl of the year" to reward innovation.
Papers can be submitted in English and/or French. The conference language is either English or French.

Conference will be held in Besançon - EU, East of France, closer to Switzerland, and aims to get together industry, government, academia and underground hackers to share knowledge and leading-edge ideas about information security and everything related to it. FRHACK will feature national and international speakers and attendees with a wide range of skills. The atmosphere is favorable to present all facets of computer security subject and will be a great opportunity to network with like-minded people and enthusiasts.

[ - The venue - ]

FRHACK 01 (1st edition) will take place at the Great Kursaal Hall of Besançon in two auditoriums with capacity for up to 1400 people.

[*] About Besançon (stolen from http://en.wikipedia.org/wiki/Besan%C3%A7on)

Besançon is the capital and principal city of the Franche-Comté region in eastern France. Located close to the border with Switzerland, it is the capital of the Doubs department. As well as being famed as one of France's finest "villes d'art" (art cities), Besançon is the seat of one of France's older universities, of France's National School of Mechanics and Micromechanics, and one of the best known French language schools in France, the CLA. It is also reputed to be France's most environmentally-friendly city, with a public transport network that has often been cited as a model. On account of the topography, the historic city centre lies at the edge of the modern city, and hiking tracks lead straight from the centre and up into the surrounding hills. The Citadel of Besançon dates back to the Celtic era. In his De Bello Gallico, Julius Caesar already said about the fortress of Vesontio (celtic name of Besançon) that it was one of the best defensive sites he had ever seen.
Besançon is situated at the crossing of two major lines of communication, the NE-SW route, following the valley of the river Doubs, and linking Germany and North Europe with Lyon and southwest Europe, and the N-S route linking northern France and the Netherlands with Switzerland. A key staging post on the Strasbourg-Lyon (Germany-Spain) route, it also has direct high-speed train (TGV) links with Paris, Charles de Gaulle International Airport, and Lille. Unusually for a town of its size, it does not have a commercial airport, though two international airports, EuroAirport Basel-Mulhouse-Freiburg and Lyon Saint-Exupéry International Airport, can be reached in about 2 hours.

[ - Topics - ]

TFT gives preference to lectures with practical demonstration. The conference staff will try to provide all equipment needed for the presentation in the case the author cannot provide it. The following topics include, but are not limited to:
- Rootkits
- Cryptography
- Reverse engineering
- Penetration testing
- Web application security
- Exploit development techniques
- Internet, privacy and Big Brother
- Telecom security and phone phreaking
- Fuzzing and application security test
- Security in Wi-Fi and VoIP environments
- Information warfare and industrial espionage
- Denial of service attacks and/or countermeasures
- Analysis of virus, worms and all sorts of malwares
- Technical approach to alternative operating systems
- Techniques for development of secure software & systems
- Information about smartcard and RFID security and similars
- Lockpicking, trashing, physical security and urban exploration
- Hardware hacking, embedded systems and other electronic devices
- Mobile devices exploitation, Symbian, P2K and bluetooth technologies
- Security aspects in SCADA, industrial environments and "obscure" networks

[ - Important dates - ]

Conference and trainings
2009????: FRHACK trainings
2009????: FRHACK 1st edition
FRHACK's dates are not announced yet, please register to our
RSS to stay tuned: http://www.frhack.org/frhack.xml

Deadline and submissions
- Deadline for proposal submissions: Not available yet, but please start to work right now! ;-)
- Deadline for slides submissions: Will be available in a near future :p
- Notification of acceptance or rejection: Some beers after last deadline

* E-mail for proposal submissions: frhack-cfp at ja-psi.com
* Make sure to provide along with your submission the following details:
- Speaker name and/or nickname, address, e-mail, phone number and general contact information
- A brief but informative description about your talk
- Short biography of the presenter, including organization, company and affiliations
- Estimated time-length of presentation
- General topic of the speech (eg.: network security, secure programming, computer forensics, etc.)
- Any other technical requirements for your lecture
- Whether you need a visa to enter France or not

Speakers will be allocated 50 minutes of presentation time, although, if needed, we can extend the presentation length if requested in advance. Preferable file formats for papers and slides are PDF, and also ODT/PPT for slides. Speakers are asked to hand in slides used in their lectures.

PLEASE NOTE: Bear in mind no sales pitches will be allowed. If your presentation involves advertisement of products or services please do not submit. Furthermore, if your talk is just "I found an awesome new technique but if you want it, just go to hell!" => You're not welcome at FRHACK.

[ - Information for speakers - ]

Please note that it's our first edition, and so we are looking for sponsors to cover the conference's expenses.
Speakers' privileges are:
- FRHACK staff can guarantee and we will provide accommodation for 3 nights:
- For each non-resident speaker we hope to be able to cover travel expenses up to EURO 1500
- For each resident speaker we might be able to cover travel expenses
- Free pass to the conference for you and a friend
- Speaker activities during, before, and after the conference
- Speaker After-Party with tons of fun, drinks and pretty girls

[ - Information for instructors - ]
- 50% of the net profit of the class
- 2 nights of accommodation during the trainings
- Free pass to the conference
- Speaker activities during, before, and after the conference
- Speaker After-Party with tons of fun, drinks and much more pretty girls

[ - Information for sponsors - ]
- If you can provide or offer materials, devices, goodies and money, please contact us at: frhack-sponsor at ja-psi.com

[ - Other information - ]
- For further information please check out our web site http://www.frhack.org (and nowhere else). It will be updated with everything regarding the conference.
- If you have questions, want to send us additional material, or have problems, feel free to contact us at: frhack at ja-psi.com

Thanks and see you soon at FRHACK!

Jerome Athias, Founder, Chairman, Program Coordinator /JA

From alex at sotirov.net Mon Nov 24 07:52:14 2008
From: alex at sotirov.net (Alexander Sotirov)
Date: Mon, 24 Nov 2008 04:52:14 -0800
Subject: [Dailydave] CSI 2008 Redux
In-Reply-To: <49297180.3000602@invisiblethingslab.com>
References: <20081122230600.GA1048@dsl093-068-004.sfo1.dsl.speakeasy.net> <49297180.3000602@invisiblethingslab.com>
Message-ID: <20081124125214.GA4945@dsl093-068-004.sfo1.dsl.speakeasy.net>

On Sun, Nov 23, 2008 at 04:06:40PM +0100, Joanna Rutkowska wrote:
> ... which, of course, doesn't prevent the hypervisor from being exploited 5 secs
> after it got securely loaded, e.g. via some buffer overflow bug...
Of course :-) > But, nevertheless, yes, this indeed is a very important feature of the TPM (and > the whole trusted boot concept, like e.g. Intel TXT), and people should > eventually stop talking that TPM is bad. It is not, and it indeed can provide > great value for users concerned about security (and not only physical security!). > > BTW, I'm also glad to see a VMWare researcher acknowledging it :) So far, only > the Xen hypervisor can use the trusted boot mechanism via the Intel-provided > tboot component AFAIK. So, looking forward to see the ESX implementing trusted > boot at some point in time. Actually I just quit VMware, so my opinions are my own. I can't speak for the company or comment on ESX. I do agree that TPM has a lot more interesting uses than just DRM. It really looks like we're building something similar to the Secure Hardware Environment from Rainbow's End. I'm not sure if that's a good thing or not, but I doubt it can be stopped, so we might as well try to take advantage of it. Take care, Alex -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 194 bytes Desc: not available Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20081124/527633a5/attachment.pgp From matthijs at koot.biz Wed Nov 26 07:52:24 2008 From: matthijs at koot.biz (Matthijs Koot) Date: Wed, 26 Nov 2008 13:52:24 +0100 Subject: [Dailydave] CSI 2008 Redux In-Reply-To: <4255c2570811221422r4910260cq3e00f9f6bd9d0271@mail.gmail.com> References: <4255c2570811221422r4910260cq3e00f9f6bd9d0271@mail.gmail.com> Message-ID: <492D4688.6030007@koot.biz> Hi RB, RB wrote: > Leaving the trust issue alone, I find it entirely regrettable that so > many seem to have blindly swallowed the "Right to Read" hype and > simply assume TPM chips are evil insilicate. 
I detest DRM & Big
> Brother as much as your garden-variety Libertarian, but while trying
> to solve the very difficult physical presence security problem a
> couple of years ago, I decided to try to examine them for what they
> are. Needless to say, I was surprised: although TPM chips certainly
> could provide the building blocks to do what we all fear, they're
> generally quite benign, more analogous to an integrated smartcard than
> an evil overlord's rootkit.

You mention that you were looking at TPM "while trying to solve the (...) physical presence security problem". Although you didn't claim that TPMs provide any solution there, I'd like to emphasize (for other readers) that according to the TCG-specs, TPM is not designed to protect itself against non-"simple" hardware attacks:

"The commands that the trusted process sends to the TPM are the normal TPM commands with a modifier that indicates that the trusted process initiated the command. The TPM accepts the command as coming from the trusted process merely due to the fact that the modifier is set. The TPM itself is not responsible how the signal is asserted; only that it honors the assertions. The TPM cannot verify the validity of the modifier. (...) The assumption is that to spoof the modifier to the TPM requires more than just a simple hardware attack but would require expertise and possibly special hardware." (source: page 86 of the "Design Principles", TCG TPM Specification Version 1.2 Revision 103)

So 1) being able to manipulate the (locality) modifier is bad, and 2) TPM only provides modest protection against attackers with physical access. The TCG-people confirm this: TPM is intended to protect against software-based threats (which it may not do very effectively, as Joanna's post suggested, as long as integrity checks can only be done at boot/load-time).

>
> association. It is _just_ a [presumed] secure cryptography facility
> that supports a wide variety of functionality.
>

Although you didn't claim the opposite, it may be useful to mention that the TPM does not directly expose an interface to its encryption capabilities: TPM does not (yet?) give us general-purpose hardware-accelerated encryption. I'm not sure about hashing and signing.

Btw, it is interesting to see TPM being discussed so gently and reasonably on this list. Perhaps everyone's anticipating TPM to become a new fun target for pentesting :) The book "A Practical Guide to Trusted Computing" (David Challener et al., 2008) makes a nice read.

Regards,
Matthijs

From dr at kyx.net Mon Nov 24 22:32:14 2008
From: dr at kyx.net (Dragos Ruiu)
Date: Mon, 24 Nov 2008 19:32:14 -0800
Subject: [Dailydave] CanSecWest 2009 CFP (March 18-20 2009, Deadline December 8 2008)
Message-ID: <200811241932.14648.dr@kyx.net>

Call For Papers

The CanSecWest 2009 CFP is now open. Deadline is December 8th, 2008.

CanSecWest CALL FOR PAPERS

VANCOUVER, Canada -- The tenth annual CanSecWest applied technical security conference - where the eminent figures in the international security industry will get together to share best practices and technology - will be held in downtown Vancouver at the Sheraton Wall Centre on March 18-20, 2009. The most significant new discoveries about computer network hack attacks and defenses, commercial security solutions, and pragmatic real world security experience will be presented in a series of informative tutorials.

The CanSecWest meeting provides international researchers a relaxed, comfortable environment to learn from informative tutorials on key developments in security technology, and collaborate and socialize with their peers in one of the world's most scenic cities - a short drive away from one of North America's top skiing areas.

The CanSecWest conference will also feature the availability of the Security Masters Dojo expert network
security sensei instructors, and their advanced, and intermediate, hands-on training courses - featuring small class sizes and practical application exercises to maximize information transfer.

We would like to announce the opportunity to submit papers, and/or lightning talk proposals for selection by the CanSecWest technical review committee. This year we will be doing one hour talks, and some shorter talk sessions.

Please make your paper proposal submissions before December 8th, 2008.

Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and speaking background to secwest09 [at] cansecwest.com . Only slides will be needed for the March paper deadline, full text does not have to be submitted - but will be accepted if available. This year we will be opening up the presentation guidelines to include talks not in English (particularly Chinese) which we will offer to translate for the speaker if they are not a native English speaker.

The CanSecWest 2009 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and new education for a technical audience.

The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while
educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:
1. Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational experience/background.
5. Topic synopsis, Proposed paper title, and a one paragraph description.
6. Reason why this material is innovative or significant or an important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences where this material has been or will be published/submitted.

Please include the plain text version of this information in your email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to secwest09 [at] cansecwest.com to be considered for placement on the speaker roster, or have your lightning talk scheduled. If you contact anyone else at our organization please ensure you also cc the submission address with your proposal or it may be omitted from the review process.

cheers,
--dr

--
World Security Pros.
Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 16-20 2009 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

From jlloret at dcom.upv.es Tue Nov 25 04:58:48 2008
From: jlloret at dcom.upv.es (LMPCNA Advisory Committee)
Date: Tue, 25 Nov 2008 10:58:48 +0100
Subject: [Dailydave] Last 3 days: 1st Workshop LMPCNA in ICNS 2009 | April 21-25, 2009 - Valencia, Spain
Message-ID: <200811250958.mAP9wlpc018949@smtp.upv.es>

INVITATION

Please consider contributing to and/or forwarding to the appropriate groups the following opportunity to submit and publish original scientific or educational results.

============== LMPCNAP 2009 | Call for Papers ===============

CALL FOR PAPERS, TUTORIALS, PANELS

The first International Workshop on Learning Methodologies and Platforms used in the Cisco Networking Academy (CNA), LMPCNA 2009 will be held during ICNS 2009 in April 21-25, 2009 - Valencia, Spain

General page: http://www.iaria.org/conferences2009/LMPCNAP.html
Submission deadline: November 28, 2008

Submissions will be peer-reviewed, published by IEEE CPS, posted in IEEE Digital Library, and indexed with the major indexes. Extended versions of selected papers will be published in IARIA Journals: http://www.iariajournals.org

Workshop Special Areas, but not limited to, are (details in the CfP on site):
New learning methodologies
Blended learning
Online laboratories
Virtual laboratories
Remote laboratories
Learning strategies to enhance online courses
Learning content adaptation for blended learning
Learning platforms and their compatibility with cisco.netacad.net

=================

LMPCNA Advisory Committee
Emma Bluck, Cisco Systems, Inc./Cisco Networking Academy, Europe
Giuseppe Cinque, Consorzio Elis, Italy
Marco Cobb, Cisco Systems, Inc., Switzerland
Petre Dini, Cisco Systems, Inc., USA / Concordia University, Canada
Dennis C. Frezzo, Network Academy Learning Systems Development / Cisco Systems, Inc., USA
Elaine Lawrence, University of Technology - Sydney, Australia
Bernardo Leal, Universidad Simón Bolívar, Venezuela
Jaime Lloret Mauri, Polytechnic University of Valencia, Spain
Kerry-Lynn Thomson, Cisco Academy Training Centre/Nelson Mandela Metropolitan University, South Africa
Donna Wright, Cisco Systems, Inc./Cisco Networking Academy, USA

LMPCNA 2009 General Chair
Rafael Tomas, Cisco Academy Training Center (CATC), Spain

LMPCNA 2009 Technical Program Committee
Chair: Tomeu Serra, Universitat de les Illes Balears, Spain
Carlos Alves, Instituto Politecnico de Castelo Branco, Portugal
Joan Arnedo, Universitat Oberta de Catalunya, Spain
Emma Bluck, Cisco Systems, Inc./Cisco Networking Academy, Europe
Doina Bucur, University of Aarhus, Denmark
Giuseppe Cinque, Consorzio Elis, Italy
Marco Cobb, Cisco Systems, Inc., Switzerland
Kristen Dicerbo, Cisco Learning Institute, USA
Dennis C. Frezzo, Network Academy Learning Systems Development / Cisco Systems, Inc., USA
Michael Furminger, Cisco Networking Academy, Cisco Systems, Inc., UK
Gabriel Fuster, Cisco Networking Academy Program, Spain
Feher Gyula, Budapest Polytechnic, Hungary
Kevin Johnston, Cisco Networking Academy Program, USA
Elaine Lawrence, University of Technology - Sydney, Australia
Bernardo Leal, Universidad Simón Bolívar, Venezuela
Thomas Meuser, IT-Bildungsnetz e.V., Germany
Josep Prieto, Universitat Oberta de Catalunya, Spain
Osama Saleh, National Telecommunication Institute, Egypt
Mihai Stanciu, Cisco Networking Academy Program / UPB, Romania
Edward Swenson, Cisco Systems, Inc., USA
Kerry-Lynn Thomson, Cisco Academy Training Centre/Nelson Mandela Metropolitan University, South Africa
Donna Wright, Cisco Systems, Inc./Cisco Networking Academy, USA

==================

From philippelanglois at free.fr Tue Nov 25 05:48:50 2008
From: philippelanglois at free.fr (Philippe Langlois)
Date: Tue, 25 Nov 2008 11:48:50 +0100
Subject:
[Dailydave] [CFP] FRHACK 01 PRE-Call For Papers In-Reply-To: <4929BDCC.5040705@ja-psi.fr> References: <4929BDCC.5040705@ja-psi.fr> Message-ID: <974A8AFD-10C9-48E9-9622-C14A668C931D@free.fr> Hey Jerome & dd, Nice to see some new conferences going in France! (To give context to our fellow dailydaver's, the only conference before these new ones (kudos for J?rome!) were mostly dominated by spooks & defense (the conference even taking place _inside_ military sites), preventing quite a few to actually take part into these. ) I could not find any information about the price of such event. Usually, the price clearly draws the line between community-like event (like WTH/CCC/HAL/HIP/Defcon) and professionnal-only conference (think Blackhat/...)? Anyway, looking forward for both. Best, Phil. -- Philippe Langlois Email: Philippe.Langlois at Gmail.com PGP Key: 8DAEE244 Phone: +33 6 11521671 PS: we should make sure the dates don't overlap with Hacker Space Fest 2009!!! On 23 Nov 2008, at 21:32, Jerome Athias wrote: > [CFP] FRHACK 01 Pre-Call For Papers > > ###################################################################### > #################### > >> FRHACK: By Hackers, For Hackers! http://www.frhack.org > ###################################################################### > #################### > > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > ++++++++++++++++++++++ > + FRHACK 01 > + PRE Call For Papers > + Besan?on, France (Kursaal Hall) > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > ++++++++++++++++++++++ > > Do you like good wine, french bread & food, strikes and the french > kiss? > If so, you will love FRHACK! > > [ - Introduction - ] > > FRHACK is the First International IT Security Conference, by hackers - > for hackers, in France! > FRHACK is not commercial - but - highly technical. 
>
> Target Audience: Security Officers, Security Professionals and Product
> Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and
> Firewall Administrators, Teachers, Academic Researchers and Software
> Developers.
>
> The FRHACK Team (TFT) encourages speakers to present new and interesting
> projects for FRHACK 01 and will give preferential treatment to
> submissions that have not been presented at other conferences.
> Further, TFT invites any individual who has not spoken at a conference
> before to submit a talk and attempt to make FRHACK their inaugural event!
> TFT encourages girls passionate about IT Security to submit papers, as TFT
> will offer a prize to the "Best IT Security girl of the year" to reward
> innovation.
> Papers can be submitted in English and/or French.
> The conference language is either English or French.
>
> The conference will be held in Besançon - EU, East of France, close to
> Switzerland, and aims to bring together industry, government, academia and
> underground hackers to share knowledge and leading-edge ideas about
> information security and everything related to it.
> FRHACK will feature national and international speakers and attendees
> with a wide range of skills.
> The atmosphere is favorable to presenting all facets of the computer security
> subject and will be a great opportunity to network with like-minded
> people and enthusiasts.
>
> [ - The venue - ]
>
> FRHACK 01 (1st edition) will take place at the Great Kursaal Hall of
> Besançon in two auditoriums with capacity for up to 1400 people.
>
> [*] About Besançon (stolen from http://en.wikipedia.org/wiki/Besan%C3%A7on)
>
> Besançon is the capital and principal city of the Franche-Comté region
> in eastern France. Located close to the border with Switzerland, it is
> the capital of the Doubs department.
> As well as being famed as one of France's finest "villes d'art" (art
> cities), Besançon is the seat of one of France's older universities, of
> France's National School of Mechanics and Micromechanics, and one of the
> best known French language schools in France, the CLA. It is also
> reputed to be France's most environmentally-friendly city, with a public
> transport network that has often been cited as a model. On account of
> the topography, the historic city centre lies at the edge of the modern
> city, and hiking tracks lead straight from the centre and up into the
> surrounding hills.
> The Citadel of Besançon dates back to the Celtic era. In his De Bello
> Gallicum, Julius Caesar already said about the fortress of Vesontio
> (celtic name of Besançon) that it was one of the best defensive sites he
> had ever seen.
> Besançon is situated at the crossing of two major lines of
> communication, the NE-SW route, following the valley of the river Doubs,
> and linking Germany and North Europe with Lyon and southwest Europe, and
> the N-S route linking northern France and the Netherlands with
> Switzerland. A key staging post on the Strasbourg-Lyon (Germany-Spain)
> route, it also has direct high-speed train (TGV) links with Paris,
> Charles de Gaulle International Airport, and Lille. Unusually for a town
> of its size, it does not have a commercial airport, though two
> international airports, EuroAirport Basel-Mulhouse-Freiburg and Lyon
> Saint-Exupéry International Airport, can be reached in about 2 hours.
>
> [ - Topics - ]
>
> TFT gives preference to lectures with practical demonstration. The
> conference staff will try to provide all equipment needed for the
> presentation in case the author cannot provide it.
>
> The following topics include, but are not limited to:
>
> - Rootkits
> - Cryptography
> - Reverse engineering
> - Penetration testing
> - Web application security
> - Exploit development techniques
> - Internet, privacy and Big Brother
> - Telecom security and phone phreaking
> - Fuzzing and application security testing
> - Security in Wi-Fi and VoIP environments
> - Information warfare and industrial espionage
> - Denial of service attacks and/or countermeasures
> - Analysis of viruses, worms and all sorts of malware
> - Technical approach to alternative operating systems
> - Techniques for development of secure software & systems
> - Information about smartcard and RFID security and similar
> - Lockpicking, trashing, physical security and urban exploration
> - Hardware hacking, embedded systems and other electronic devices
> - Mobile devices exploitation, Symbian, P2K and bluetooth technologies
> - Security aspects in SCADA, industrial environments and "obscure" networks
>
> [ - Important dates - ]
>
> Conference and trainings
>
> 2009????: FRHACK trainings
> 2009????: FRHACK 1st edition
>
> FRHACK's dates are not announced yet, please register to our RSS to stay
> tuned: http://www.frhack.org/frhack.xml
>
> Deadline and submissions
>
> - Deadline for proposal submissions: Not available yet, but please
>   start to work right now! ;-)
> - Deadline for slides submissions: Will be available in the near future :p
> - Notification of acceptance or rejection: Some beers after last deadline
>
> * E-mail for proposal submissions: frhack-cfp at ja-psi.com *
>
> Make sure to provide along with your submission the following details:
>
> - Speaker name and/or nickname, address, e-mail, phone number and
>   general contact information
> - A brief but informative description of your talk
> - Short biography of the presenter, including organization, company
>   and affiliations
> - Estimated time-length of presentation
> - General topic of the speech (e.g.: network security, secure
>   programming, computer forensics, etc.)
> - Any other technical requirements for your lecture
> - Whether you need a visa to enter France or not
>
> Speakers will be allocated 50 minutes of presentation time, although, if
> needed, we can extend the presentation length if requested in advance.
>
> The preferable file format for papers and slides is PDF, and also
> ODT/PPT for slides.
>
> Speakers are asked to hand in the slides used in their lectures.
>
> PLEASE NOTE: Bear in mind no sales pitches will be allowed. If your
> presentation involves advertisement of products or services please do
> not submit.
> Furthermore, if your talk is just "I found an awesome new technique but if
> you want it, just go in hell!" => You're not welcome at FRHACK.
>
> [ - Information for speakers - ]
>
> Please note that it's our first edition, and so we are looking for
> sponsors to cover the conference's expenses.
>
> Speakers' privileges are:
>
> - FRHACK staff can guarantee and we will provide accommodation for
>   3 nights:
> - For each non-resident speaker we hope to be able to cover travel
>   expenses up to EURO 1500
> - For each resident speaker we might be able to cover travel expenses
> - Free pass to the conference for you and a friend
> - Speaker activities during, before, and after the conference
> - Speaker After-Party with tons of fun, drinks and pretty girls
>
> [ - Information for instructors - ]
>
> - 50% of the net profit of the class
> - 2 nights of accommodation during the trainings
> - Free pass to the conference
> - Speaker activities during, before, and after the conference
> - Speaker After-Party with tons of fun, drinks and many more pretty girls
>
> [ - Information for sponsors - ]
>
> - If you can provide or offer materials, devices, goodies and money,
>   please contact us at: frhack-sponsor at ja-psi.com
>
> [ - Other information - ]
>
> - For further information please check out our web site
>   http://www.frhack.org (and nowhere else)
>   It will be updated with everything regarding the conference.
> - If you have questions, want to send us additional material, or have
>   problems, feel free to contact us at: frhack at ja-psi.com
>
> Thanks and see you soon at FRHACK!
>
> Jerome Athias, Founder, Chairman, Program Coordinator
> /JA

From jerome.athias at ja-psi.fr Tue Nov 25 17:12:49 2008
From: jerome.athias at ja-psi.fr (Jerome Athias)
Date: Tue, 25 Nov 2008 23:12:49 +0100
Subject: [Dailydave] [CFP] FRHACK 01 Call For Papers (save the dates!)
Message-ID: <492C7861.9040401@ja-psi.fr>

[CFP] FRHACK 01 Call For Papers

##########################################################################################
> FRHACK: By Hackers, For Hackers! http://www.frhack.org
##########################################################################################

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ FRHACK 01
+ Call For Papers
+ September 7-8, 2009, at the Great Kursaal Hall of Besançon, France.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Do you like good wine, french bread & food, strikes and the french kiss? If so, you will love FRHACK!

[ - Introduction - ]

FRHACK is the First International IT Security Conference, by hackers - for hackers, in France!
FRHACK is not commercial - but - highly technical.

Target Audience: Security Officers, Security Professionals and Product Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and Firewall Administrators, Teachers, Academic Researchers and Software Developers.

The FRHACK Team (TFT) encourages speakers to present new and interesting projects for FRHACK 01 and will give preferential treatment to submissions that have not been presented at other conferences. Further, TFT invites any individual who has not spoken at a conference before to submit a talk and attempt to make FRHACK their inaugural event! TFT encourages girls passionate about IT Security to submit papers, as TFT will offer a prize to the "Best IT Security girl of the year" to reward innovation.
Papers can be submitted in English and/or French.
The conference language is either English or French.

The conference will be held in Besançon - EU, East of France, close to Switzerland, and aims to bring together industry, government, academia and underground hackers to share knowledge and leading-edge ideas about information security and everything related to it. FRHACK will feature national and international speakers and attendees with a wide range of skills. The atmosphere is favorable to presenting all facets of the computer security subject and will be a great opportunity to network with like-minded people and enthusiasts.

[ - The venue - ]

FRHACK 01 (1st edition) will take place at the Great Kursaal Hall of Besançon with capacity for up to 1400 people.

[*] About Besançon (stolen from http://en.wikipedia.org/wiki/Besan%C3%A7on)

Besançon is the capital and principal city of the Franche-Comté region in eastern France. Located close to the border with Switzerland, it is the capital of the Doubs department. As well as being famed as one of France's finest "villes d'art" (art cities), Besançon is the seat of one of France's older universities, of France's National School of Mechanics and Micromechanics, and one of the best known French language schools in France, the CLA. It is also reputed to be France's most environmentally-friendly city, with a public transport network that has often been cited as a model. On account of the topography, the historic city centre lies at the edge of the modern city, and hiking tracks lead straight from the centre and up into the surrounding hills.

The Citadel of Besançon dates back to the Celtic era. In his De Bello Gallicum, Julius Caesar already said about the fortress of Vesontio (celtic name of Besançon) that it was one of the best defensive sites he had ever seen.

Besançon is situated at the crossing of two major lines of communication, the NE-SW route, following the valley of the river Doubs, and linking Germany and North Europe with Lyon and southwest Europe, and the N-S route linking northern France and the Netherlands with Switzerland. A key staging post on the Strasbourg-Lyon (Germany-Spain) route, it also has direct high-speed train (TGV) links with Paris, Charles de Gaulle International Airport, and Lille. Unusually for a town of its size, it does not have a commercial airport, though two international airports, EuroAirport Basel-Mulhouse-Freiburg and Lyon Saint-Exupéry International Airport, can be reached in about 2 hours.

[ - Topics - ]

TFT gives preference to lectures with practical demonstration. The conference staff will try to provide all equipment needed for the presentation in case the author cannot provide it.

The following topics include, but are not limited to:

- Rootkits
- Cryptography
- Reverse engineering
- Penetration testing
- Web application security
- Exploit development techniques
- Internet, privacy and Big Brother
- Telecom security and phone phreaking
- Fuzzing and application security testing
- Security in Wi-Fi and VoIP environments
- Information warfare and industrial espionage
- Denial of service attacks and/or countermeasures
- Analysis of viruses, worms and all sorts of malware
- Technical approach to alternative operating systems
- Techniques for development of secure software & systems
- Information about smartcard and RFID security and similar
- Lockpicking, trashing, physical security and urban exploration
- Hardware hacking, embedded systems and other electronic devices
- Mobile devices exploitation, Symbian, P2K and bluetooth technologies
- Security aspects in SCADA, industrial environments and "obscure" networks

[ - Important dates - ]

Conference and trainings

20090909-10: FRHACK trainings
20090907-08: FRHACK 1st edition

Please register to our RSS to stay tuned: http://www.frhack.org/frhack.xml

Deadline and submissions

- Deadline for proposal submissions: 20090601
- Deadline for slides submissions: 20090701
- Notification of acceptance or rejection: 20090714

* E-mail for proposal submissions: frhack-cfp at ja-psi.com *

Make sure to provide along with your submission the following details:

- Speaker name and/or nickname, address, e-mail, phone number and general contact information
- A brief but informative description of your talk
- Short biography of the presenter, including organization, company and affiliations
- Estimated time-length of presentation
- General topic of the speech (e.g.: network security, secure programming, computer forensics, etc.)
- Any other technical requirements for your lecture
- Whether you need a visa to enter France or not

Speakers will be allocated 50 minutes of presentation time, although, if needed, we can extend the presentation length if requested in advance.

The preferable file format for papers and slides is PDF, and also ODT/PPT for slides.

Speakers are asked to hand in the slides used in their lectures.

PLEASE NOTE: Bear in mind no sales pitches will be allowed. If your presentation involves advertisement of products or services please do not submit. Furthermore, if your talk is just "I found an awesome new technique but if you want it, just go in hell!" => You're not welcome at FRHACK.

[ - Information for speakers - ]

Please note that it's our first edition, and so we are looking for sponsors to cover the conference's expenses.

Speakers' privileges are:

- FRHACK staff can guarantee and we will provide accommodation for 3 nights:
- For each non-resident speaker we hope to be able to cover travel expenses up to EURO 1500
- For each resident speaker we might be able to cover travel expenses
- Free pass to the conference for you and a friend
- Speaker activities during, before, and after the conference
- Speaker After-Party with tons of fun, drinks and pretty girls

[ - Information for instructors - ]

- 50% of the net profit of the class
- 2 nights of accommodation during the trainings
- Free pass to the conference
- Speaker activities during, before, and after the conference
- Speaker After-Party with tons of fun, drinks and many more pretty girls

[ - Information for sponsors - ]

- If you can provide or offer materials, devices, goodies and money, please contact us at: frhack-sponsor at ja-psi.com

[ - Other information - ]

- For further information please check out our web site http://www.frhack.org (and nowhere else)
  It will be updated with everything regarding the conference.
- If you have questions, want to send us additional material, or have problems, feel free to contact us at: frhack at ja-psi.com

Thanks and see you soon at FRHACK!

Jerome Athias, Founder, Chairman, Program Coordinator
/JA
From aoz.syn at gmail.com Thu Nov 27 01:18:47 2008
From: aoz.syn at gmail.com (RB)
Date: Wed, 26 Nov 2008 23:18:47 -0700
Subject: [Dailydave] CSI 2008 Redux
In-Reply-To: <492D4688.6030007@koot.biz>
References: <4255c2570811221422r4910260cq3e00f9f6bd9d0271@mail.gmail.com> <492D4688.6030007@koot.biz>
Message-ID: <4255c2570811262218l19f10e4ep41a698798af794bb@mail.gmail.com>

On Wed, Nov 26, 2008 at 05:52, Matthijs Koot wrote:
> You mention that you were looking at TPM "while trying to solve the
> (...) physical presence security problem". Although you didn't claim
> that TPMs provide any solution there, I'd like to emphasize (for other
> readers) that according to the TCG specs, TPM is not designed to protect
> itself against non-"simple" hardware attacks:

:-) I try not to go off half-cocked, and it would have been foolish to claim a TPM guards strongly against physical compromise. It is my understanding that, if used properly, they can improve defense against physical compromise to a level slightly less than that of a smartcard, the advantage going to the smartcard since they may be readily removed and separately secured.

> So 1) being able to manipulate the (locality) modifier is bad, and
> 2) TPM only provides modest protection against attackers with physical
> access. The TCG people confirm this: TPM is intended to protect against
> software-based threats (which it may not do very effectively, as
> Joanna's post suggested, as long as integrity checks can only be done at
> boot/load-time).

The key is maintaining the chain of trust, and the TPM is only a facility used to aid the process. Mild physical protection aside, it doesn't know or really care whether a link in the chain is compromised, only what each link reports to it. Therefore, the software itself must be "vigilant", as the TPM only provides a safer storage location for a less subvertible canary.

>> association. It is _just_ a [presumed] secure cryptography facility
>> that supports a wide variety of functionality.
>
> Although you didn't claim the opposite, it may be useful to mention that
> the TPM does not directly expose an interface to its encryption
> capabilities: TPM does not (yet?) give us general-purpose
> hardware-accelerated encryption. I'm not sure about hashing and signing.

The state of TPM support is slightly more complex than that. While some cryptography facilities are available (since the EK and SRK private material would otherwise have to be exposed), the hardware is sufficiently slow as to discourage use beyond priming other, much faster routines. I don't think it's ever going to be an accelerant over even the slowest software implementations.

> Btw, it is interesting to see TPM being discussed so gently and
> reasonably on this list. Perhaps everyone's anticipating TPM to become a
> new fun target for pentesting :)

Software is software, and many of us have our jobs based on humanity's record on software security. Unless the TC model changes vastly, programmers are still going to have to exercise due diligence in secure programming and monitoring integrity. That isn't happening on a large scale today, so I don't much expect the immediate future to change. I, for one, am glad to see at least some people share my opinion: yes, TPMs could be used for evil, but right now they're just interesting hooks upon which to hang greater security.

RB

From eballen1 at qwest.net Thu Nov 27 12:50:33 2008
From: eballen1 at qwest.net (Bruce Ediger)
Date: Thu, 27 Nov 2008 10:50:33 -0700 (MST)
Subject: [Dailydave] CSI 2008 Redux
In-Reply-To: <4255c2570811262218l19f10e4ep41a698798af794bb@mail.gmail.com>
References: <4255c2570811221422r4910260cq3e00f9f6bd9d0271@mail.gmail.com> <492D4688.6030007@koot.biz> <4255c2570811262218l19f10e4ep41a698798af794bb@mail.gmail.com>
Message-ID:

On Wed, 26 Nov 2008, RB wrote:
> opinion: yes, TPMs could be used for evil, but right now they're just
> interesting hooks upon which to hang greater security.

But they so obviously could be used for evil. The MSFT one even looks like it's designed to make DRM easier, and to lock out the use of any non-MSFT operating system.

In the context of present standards/hardware/etc, isn't your "interesting hook" actually a virtual plastic worm that conceals and makes interesting a fearsome hook that would catch you and kill you?

From aoz.syn at gmail.com Thu Nov 27 23:36:20 2008
From: aoz.syn at gmail.com (RB)
Date: Thu, 27 Nov 2008 21:36:20 -0700
Subject: [Dailydave] CSI 2008 Redux
In-Reply-To:
References: <4255c2570811221422r4910260cq3e00f9f6bd9d0271@mail.gmail.com> <492D4688.6030007@koot.biz> <4255c2570811262218l19f10e4ep41a698798af794bb@mail.gmail.com>
Message-ID: <4255c2570811272036v403f6604v5db5fcfe71d730ae@mail.gmail.com>

On Thu, Nov 27, 2008 at 10:50, Bruce Ediger wrote:
> But they so obviously could be used for evil. The MSFT one even looks like
> it's designed to make DRM easier, and to lock out the use of any non-MSFT
> operating system.

At the risk of being redundant, it seems you are conflating TPMs with the full TCG stack. Other than the EK, can you point to any specific functionality of the 1.1 or 1.2 TPM itself that actually supports your claim? Would you mind pointing us at the "MSFT" one of which you speak? My experience with the MS realm of TC stacks is admittedly slimmer than I would like, but those I have seen seem to have come from the TPM vendor rather than MSFT.

> In the context of present standards/hardware/etc, isn't your "interesting
> hook" actually a virtual plastic worm that conceals and makes interesting
> a fearsome hook that would catch you and kill you?

I find your metaphor inflammatory and designed to elicit an emotional response rather than technical dialogue. Would you mind eliminating these elements and trying to make a technical argument, or are you just trolling the conversation? If not, you're fulfilling the precise stereotype we're talking about: hand-waving fearmongering based on 3rd-party information.

RB

From dave.aitel at gmail.com Fri Nov 28 13:48:12 2008
From: dave.aitel at gmail.com (Dave Aitel)
Date: Fri, 28 Nov 2008 13:48:12 -0500
Subject: [Dailydave] oh noes the russians are coming!
Message-ID:

http://www.latimes.com/news/nationworld/iraq/complete/la-na-cyberattack28-2008nov28,0,230046.story

"""
Reporting from Washington -- Senior military leaders took the exceptional step of briefing President Bush this week on a severe and widespread electronic attack on Defense Department computers that may have originated in Russia -- an incursion that posed unusual concern among commanders and raised potential implications for national security.

Defense officials would not describe the extent of damage inflicted on military networks. But they said that the attack struck hard at networks within U.S. Central Command, the headquarters that oversees U.S. involvement in Iraq and Afghanistan, and affected computers in combat zones. The attack also penetrated at least one highly protected classified network.
"""
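Returning to the CSI 2008 Redux thread above: RB's point that the TPM "doesn't know or really care whether a link in the chain is compromised, only what each link reports to it" can be made concrete with a small model of PCR extension. This is an added example, not code from the list thread or from any TPM stack; the three boot stages, the golden value, and the run-time-subverted bootloader scenario are all constructed for illustration.

```python
"""Toy model of a TPM 1.2 measured-boot chain (PCR extend).

Constructed illustration, not code from the list thread or from any real
TPM stack: boot stages are labelled byte strings, and "loading" a stage
simply means hashing its bytes.
"""
import hashlib
from typing import Dict, List, Optional

# A TPM 1.2 PCR resets to 20 zero bytes (SHA-1 digest width).
PCR_INIT = bytes(20)


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: new PCR = SHA1(old PCR || measurement).

    The TPM never sees the code being measured, only the 20-byte value the
    calling software hands it; that is the whole point of the example."""
    return sha1(pcr + measurement)


# Constructed three-stage chain.  Each stage measures the next one into the
# PCR before passing control.  The CRTM that measures stage 0 is assumed to
# be trustworthy: it is the root of the chain of trust.
GOOD_STAGES: List[bytes] = [b"bios-v1", b"bootloader-v1", b"kernel-v1"]


def boot(loaded: List[bytes], lies: Optional[Dict[int, bytes]] = None) -> bytes:
    """Run the chain and return the final PCR value.

    loaded[i] is the code actually executed at stage i.
    lies maps a stage index i to the measurement stage i *reports* for
    stage i+1 instead of what it really loaded.  An honest stage reports
    sha1(loaded[i+1]); a stage subverted at run time, after it was itself
    measured clean (e.g. through unmeasured input it parses), reports
    whatever it wants, and the TPM has no way to tell the difference.
    """
    lies = lies or {}
    pcr = pcr_extend(PCR_INIT, sha1(loaded[0]))  # CRTM measures stage 0
    for i in range(len(loaded) - 1):
        reported = lies.get(i, sha1(loaded[i + 1]))
        pcr = pcr_extend(pcr, reported)
    return pcr


def golden_pcr() -> bytes:
    """Reference value a sealed blob or attestation policy is bound to."""
    return boot(GOOD_STAGES)


def sealed_secret_available(pcr: bytes) -> bool:
    """Models TPM_Unseal (or a remote verifier): release only on a PCR match."""
    return pcr == golden_pcr()


# Scenario A: modified kernel, honest bootloader.  The bootloader measures
# what it loads, the PCR diverges and the sealed secret stays locked.
TAMPERED_STAGES = [b"bios-v1", b"bootloader-v1", b"kernel-evil"]

# Scenario B: same modified kernel, but the (unmodified, hence correctly
# measured) bootloader has been subverted after its own measurement and
# reports the expected hash of kernel-v1.  The PCR matches and the secret is
# released: the TPM only ever knew what each link reported to it, which is
# why load-time measurement alone does not make the software "vigilant".
LYING_BOOTLOADER = {1: sha1(b"kernel-v1")}


if __name__ == "__main__":
    print("golden   :", golden_pcr().hex())
    print("honest A :", boot(TAMPERED_STAGES).hex(),
          sealed_secret_available(boot(TAMPERED_STAGES)))
    print("lying  B :", boot(TAMPERED_STAGES, LYING_BOOTLOADER).hex(),
          sealed_secret_available(boot(TAMPERED_STAGES, LYING_BOOTLOADER)))
```

Scenario A is what PCR-bound sealing is designed to catch; scenario B is the gap Matthijs and RB describe, which only run-time integrity monitoring in the software itself can close.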