Toorcon 2003 Information Security Conference
By Danx-Oracle on Sep 29, 2003
San Diego, CA, http://www.toorcon.org/
Dan Anderson, September 2003
These notes are on a conference I attended last weekend (on my dime, or actually 500 dimes and tax-deductible). This is an annual conference for people interested in computer security. This includes the whole range of hackers, computer hobbyists, professionals, security consultants, press, law enforcement, prosecutors, FBI, etc. I'm told by someone who also goes to Defcon in Las Vegas that it's like Defcon but without the rowdiness. Toorcon had an open bar party until 3 am, which is way past my bedtime. I've only summarized what I felt were the best of the talks I attended.
The "con" was held at the Hyatt downtown. Nice place on the bay and the largest coastal hotel in Southern California. Next to us, a local Iranian group was having a banquet. Since I can't read Arabic, I couldn't tell what it was about, but I wish they had a few extra meals :-).
SAIC set up a "root wars" contest where they had various systems, including Solaris, set up with vulnerabilities open. It took the contestants several hours to own the systems, but I think all were had. They gave points for owning systems and took points away for excessive bandwidth used.
The following are not necessarily my views nor those of my employer.
I have not verified anything below.
I could have easily misquoted or misparaphrased also.
These are my notes, so they have typos and aren't highly polished.
I may have misinterpreted other people's words or ideas.
- Keynote: Past, Present, & Future of Security, by Robert X. Cringely
- Keynote: Security Has Little to do With Security, by Bruce Schneier
- Top 75 Hacker Tools, by Justin Lundy
- Vulnerability Reporting and Legal Liability, by Jennifer Granick
- 802.11 TGi Proposal, by Laurent Butti & Franck Vieysset, France Telecom
- Electronic Freedom Foundation, by Cory Doctorow
- /dev/erandom -- Provably Secure PRNG, by Seth Hardy
Keynote: Past, Present, & Future of Security, Robert X. Cringely
I've read many of his columns, but I've never heard him. He's a funny speaker with a long perspective in the computer industry.
Robert invented the Trashcan for the Lisa. This was motivated by accidentally deleting his book manuscript, after it was two-thirds complete, on an IBM word processing system that had broken backups.
The main point of his talk was that people worry too much about logical security but forget about physical security. For example, one software company had a good firewall but hadn't even considered "screening"---capturing screen content from a van that may be parked outside. Social engineering is more common and a lot easier than breaking in through a network. At another company, more leaks occurred at the bar across the street than through the network. At the Monterey Naval Postgraduate School, Robert was looking for an Internet connection for his email. There were no phone jacks, so he looked for a wireless connection and found 4. The next day he asked the network people there about them; they knew about 1, which was a honeypot, but had no idea there were another 3 WAPs running.
An idealistic attitude among some people was that "information is power": information will liberate people from oppressive governments and corporations. However, that's not true. Information is not power; power is power. Lawsuits and court orders to reveal ISP customers are a reality. Another example is China. Robert asked ChinaNet how they could possibly firewall 1 billion Chinese. They said it will probably never work completely, but they will keep trying until it does work. Perfection is not a requirement.
Keynote: Security Has Little to do With Security, Bruce Schneier
The next keynote speaker (how can you have more than one keynote?) was Bruce Schneier, of Counterpane, on why security has so little to do with (technical) security. His main point was that there are too many immediate, emotional, reactive solutions to security, and too much focus on logical security at the expense of good planning and of physical security. There are also tradeoffs--is the solution worth it? Also, security is not always in your control or your decision. For planning, some good questions to ask are: 1) What assets do you need to protect? 2) What are the risks to the assets? 3) How will these risks be mitigated? 4) What is the impact of the proposed solutions? 5) What are the costs and tradeoffs? In any case, risks can never be reduced to zero--there's always some inherent threat.
Bruce was asked about cyber warfare. He said there's much more concern about physical warfare. That's because cyber warfare (or actually cyber inconvenience) brings unpredictable results. You never know the impact of the disruption in advance, and it's really an inconvenience--and not anything like real terrorism.
Encryption and the DMCA law are being used to lock people into proprietary software. For example, MS is encoding Word documents for its next version, making attempts by third-party software such as StarOffice to read Word documents illegal, just like playing DVD movies with open software is illegal now.
He was also asked about his colleague Daniel Geer, who was fired from @stake for saying what everyone knows--a monoculture of MS software is a security risk, because security breaches impact almost everyone. He was fired, even though everyone should know that what he said is his personal opinion and not that of any company he works for. MS is a major client of the company he worked for. But, Bruce said, Geer will have no problem getting a job, and the firing gave more attention to the report, especially in the mainstream media, than if the company had just ignored it.
Top 75 Hacker Tools by Justin Lundy, www.tegatai.com.
Caveat: some tools sometimes give warnings which require analysis--not blind acceptance.
- Nessus - LEADING vulnerability scanner with remediation suggestions, customizable
- Ethereal - sniffer/analyzer
- Snort - lightweight intrusion detection with downloadable rule set. GUI frontend
- Netcat - "swiss army knife" tool that does everything: read/write TCP/UDP data. Low level. Often used in exploits
- Cryptcat - netcat + encryption protocols
- Tcpdump - classic sniffer, widely ported
- Hping2 - ping "on steroids". Can bypass firewalls, some sniffers can't detect it
- Firewalk - reconstructs firewall rules by probing a firewall
- Dsniff - set of network audit tools for logins / passwords, including SQL and other stuff. Can capture NFS files.
- Arpspoof/Dnsspoof - spoof IP address lookups via name or MAC.
- Webspy - monitors web surfing by a 3rd party
- Nikto - web server security scanner
- Ettercap - automated man-in-the-middle SSH attacker
- John The Ripper - leading password cracker
- Nbtscan - gather Windows Netbios information
- L0phtCrack 4 - Windows password cracker/sniffer (commercial)
- Tripwire - (old school) file integrity monitor. Limited functionality. Not useful if data set writable
- Kismet - POWERFUL 802.11 sniffer
- AirSnort - captures 802.11 passwords
- Netfilter/Ipfilter/Pf - packet filter/firewall software
- Ngrep - monitor for network data patterns
- Ntop - network traffic display
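The Tripwire entry above carries the one caveat in the list worth a worked illustration: a file integrity monitor whose baseline the intruder can rewrite detects nothing. The following is an added example, my own toy monitor and not Tripwire's code or anything shown in the talk. It hashes a directory tree, diffs it against a saved baseline, and authenticates the baseline with an HMAC; the key (a constructed value here) is assumed to be kept off the monitored host, which is the whole point. The demo tree, file contents, and file names are all constructed.

```python
"""Toy file-integrity monitor in the spirit of Tripwire (added example; not
Tripwire's or the speaker's code). It also shows the caveat from the notes:
a baseline the intruder can rewrite detects nothing, so the baseline here is
authenticated with an HMAC whose key is assumed to live off the monitored host."""
import hashlib
import hmac
import json
import os
import tempfile


def hash_tree(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def make_baseline(root, key):
    """Snapshot the tree and tag the snapshot with HMAC-SHA256 under key."""
    digests = hash_tree(root)
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def baseline_is_authentic(baseline, key):
    """True only if the digest table still matches its HMAC tag."""
    body = json.dumps(baseline["digests"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["tag"])


def diff_tree(baseline, root):
    """Compare the tree on disk against the baseline: (added, removed, changed)."""
    old, new = baseline["digests"], hash_tree(root)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    return added, removed, changed


def demo():
    """Constructed walk-through on a temporary tree; returns the observations."""
    key = b"constructed-demo-key"  # assumption: the real key is stored off-host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        baseline = make_baseline(root, key)
        clean = diff_tree(baseline, root)  # nothing has changed yet

        # Constructed unauthorized change: one file edited, one new file dropped in.
        with open(os.path.join(root, "etc", "passwd"), "a") as fh:
            fh.write("extra:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:
            fh.write(b"\x00")
        detected = diff_tree(baseline, root)

        # If the baseline itself were writable, the same actor could re-hash the
        # tree and overwrite the digest table; without the key the tag no longer matches.
        rewritten = {"digests": hash_tree(root), "tag": baseline["tag"]}
        return {
            "clean": clean,
            "detected": detected,
            "original_authentic": baseline_is_authentic(baseline, key),
            "rewritten_authentic": baseline_is_authentic(rewritten, key),
        }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the diff before and after the constructed change and the two authenticity checks; the rewritten baseline fails because its digest table no longer matches the tag, which is what a writable, unauthenticated baseline cannot tell you.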
Vulnerability Reporting and Legal Liability
By Jennifer Granick, director of Stanford's Center for Internet & Society. http://cyberlaw.stanford.edu/security/ Remember, IANAL and I may be mis-paraphrasing. Jennifer reviewed various legal issues, such as full disclosure and DMCA. It was a unique experience to hear a lawyer who's technically competent :-).
Full vulnerability disclosure. There's a dual nature to full disclosure--it can be used to exploit systems and to protect systems. Disclosure can be protected by free speech rights, because disclosure tools are software, which is considered a form of speech. However, it's also a tool that can be used for harm. One important question is whether the vulnerability (and software) is disclosed with an agreement or intention for it to be used for illegal acts. If so, it's considered conspiracy and therefore an illegal act.
DMCA goes beyond copyright in that it controls how you use copyrighted works, not just restricting you against making copies.
Security testing is OK and not a violation if it is done in good faith and with authorization, and the results are not distributed to cause harm.
Spyware is illegal unless all parties consent (otherwise a Federal warrant is needed). This includes keyboard monitors, for example.
Reverse engineering is OK for enabling software interoperability.
Jennifer made a general point that rights in the "real" world have been eroded in the "electronic" world. For example, you can take your car apart and add or modify parts. Doing that to an Xbox, for example, may land you in jail.
802.11 TGi Proposal by Laurent Butti & Franck Vieysset, France Telecom, sysinfo.com
802.11 has an infamously weak security protocol. Proposed workarounds break Wi-Fi interoperability.
The 802.11 TGi proposal authenticates with IETF EAP. WPA is a subset of IEEE 802.11 TGi, which is intended for ratification in Q2 2004. The goal is a new framework with highly flexible authentication methods, independent of the underlying protocol. EAP has multiple methods (e.g., a TLS tunnel) and was originally designed for PPP. A handshake protocol is used to avoid man-in-the-middle attacks. WPA is an existing standard now: it avoids hardware upgrades, is backward compatible, and may be "good enough." They gave a live demo.
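The handshake the talk refers to is the WPA/802.11i four-way handshake, in which both sides derive a pairwise key from the shared PMK plus fresh nonces and prove they hold it with a MIC on each message. The following is an added example of my own, not code from the talk or from the standard: it models the exchange with one HMAC-SHA256 call in place of the standard's PRF-384 over HMAC-SHA1 (a simplification), with constructed MAC addresses and PMKs, and shows that a party without the PMK cannot produce a MIC the other side accepts, whether it is a client with the wrong key or an impostor access point that ignores the failed check and presses on.

```python
"""Simplified model of the WPA / 802.11i four-way handshake (added example,
not code from the talk or from any standards body). The key derivation uses
one HMAC-SHA256 call where the standard uses PRF-384 over HMAC-SHA1; the MAC
addresses and PMKs are constructed. It demonstrates the sentence in the notes:
both sides prove knowledge of the PMK with a MIC over fresh nonces, so a party
that does not hold the PMK cannot complete the exchange."""
import hashlib
import hmac
import os

LABEL = b"Pairwise key expansion"  # the standard's derivation label


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK from the PMK, both MAC addresses and both nonces (ordering as in 802.11i).
    Simplification (assumption of this example): one HMAC-SHA256 instead of PRF-384."""
    data = LABEL + min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, data, hashlib.sha256).digest()


def mic(ptk, frame):
    """MIC over an EAPOL-Key frame, keyed with the KCK (first 128 bits of the PTK)."""
    return hmac.new(ptk[:16], frame, hashlib.sha256).digest()[:16]


def four_way_handshake(ap_pmk, sta_pmk, ap_is_rogue=False):
    """Run the exchange with each side holding its own copy of the PMK.
    ap_is_rogue models an impostor AP that ignores a failed MIC check on message 2
    and replies anyway; the supplicant still catches it on message 3."""
    aa = bytes.fromhex("001122334455")   # constructed authenticator (AP) MAC
    spa = bytes.fromhex("66778899aabb")  # constructed supplicant (client) MAC

    anonce = os.urandom(32)              # message 1, AP -> STA: ANonce, no MIC
    snonce = os.urandom(32)
    sta_ptk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    m2 = b"M2" + snonce                  # message 2, STA -> AP: SNonce + MIC
    m2_mic = mic(sta_ptk, m2)

    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(mic(ap_ptk, m2), m2_mic) and not ap_is_rogue:
        return "authenticator rejected supplicant"    # STA does not hold the PMK
    m3 = b"M3" + anonce                  # message 3, AP -> STA: ANonce + MIC
    m3_mic = mic(ap_ptk, m3)

    if not hmac.compare_digest(mic(sta_ptk, m3), m3_mic):
        return "supplicant rejected authenticator"    # AP does not hold the PMK
    m4 = b"M4"                           # message 4, STA -> AP: confirmation + MIC
    m4_mic = mic(sta_ptk, m4)
    if not hmac.compare_digest(mic(ap_ptk, m4), m4_mic):
        return "authenticator rejected confirmation"
    # Both sides now install the same PTK; check that they really agree.
    return "complete" if hmac.compare_digest(ap_ptk, sta_ptk) else "key mismatch"


if __name__ == "__main__":
    shared = bytes(32)  # constructed PMK; a real one comes from EAP or the passphrase
    print(four_way_handshake(shared, shared))
    print(four_way_handshake(shared, b"\x01" * 32))
    print(four_way_handshake(b"\x02" * 32, shared, ap_is_rogue=True))
```

The nonces are what make the MICs fresh: replaying an old message 2 or 3 against a new ANonce/SNonce pair fails the check, and because the key never crosses the air, an observer who records the exchange gains nothing toward the PTK without the PMK.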
Electronic Freedom Foundation, http://eff.org/share/
Cory Doctorow talked about civil liberties, Internet, and copyright. He's a science fiction and technology writer.
EFF won a ruling that email is like phone conversations--it can't be tapped without a warrant. That was lost with the recent Homeland Security Act, under which any government employee with an excuse can look at your email.
EFF lost copyright ruling, where the Supreme Court said copyright is renewable forever, as long as it's for incrementally limited times.
Previous fears that new technology would reduce income to artists proved unfounded. Piano music rolls, radio, VCRs, and cable TV all brought new micro-payment models that resulted in more income to artists than before.
RIAA lawsuits will only result in tools with better anonymity and encryption and higher use of these technologies. Russian State Dept. is telling scientists not to come to America because they put people in jail for talking about the wrong thing.
/dev/erandom -- Provably Secure PRNG
Seth Hardy, tsumega.com
Improves on Linux /dev/random and /dev/urandom, including removing unneeded operations.
Discussed random, pseudorandom, quasirandom, uniform distribution, entropy measurement, and extractors. Entropy gathering is currently lacking in Linux--it is keyboard/mouse oriented and not good for servers--but that's another area. /dev/random blocks; urandom doesn't.
Extractor takes "bad" distribution and "smooths" distribution to a "good" one. This is hard, and part of Seth's academic work. Warning: "Provable" does not mean the implementation is unbreakable or bug free.
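To make the extractor idea concrete, here is an added example of my own, not Seth's code and not the /dev/erandom design: the classic von Neumann extractor, which turns independent but biased bits into unbiased ones by reading pairs and keeping only the mismatched ones, alongside an empirical Shannon entropy measurement of the source before and after. The biased source is constructed with a seeded PRNG so the numbers are reproducible; the bias (90% ones) is an arbitrary choice for the demo.

```python
"""Von Neumann extractor plus an entropy measurement (added example; not the
speaker's code). A "bad" source of independent bits with a fixed bias is
"smoothed" into an unbiased one, at the cost of throwing most bits away."""
import math
import random
from collections import Counter


def shannon_entropy_per_bit(bits):
    """Empirical Shannon entropy, in bits per symbol, of a 0/1 sequence."""
    n = len(bits)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(bits).values())


def von_neumann_extract(bits):
    """Read non-overlapping pairs: 01 -> 0, 10 -> 1, 00 and 11 are discarded.
    For independent bits with any fixed bias p, P(01) == P(10) == p(1-p),
    so the kept bits are exactly balanced. Correlated input breaks this."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def biased_source(n, p_one, seed=2003):
    """Constructed 'bad' source: n independent bits with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def demo(n=100_000, p_one=0.9):
    """Measure entropy before and after extraction; return the observations."""
    raw = biased_source(n, p_one)
    smoothed = von_neumann_extract(raw)
    return {
        "raw_entropy": shannon_entropy_per_bit(raw),          # about 0.47 for p = 0.9
        "smoothed_entropy": shannon_entropy_per_bit(smoothed),  # close to 1.0
        "yield": len(smoothed) / n,                           # about 0.09 here
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>17}: {v:.4f}")
```

The yield line is the practical cost the talk alludes to: an extractor that is easy to reason about discards most of its input (here roughly 91%), which is why entropy gathering on servers, where the raw source is already thin, is a separate problem from the extractor. The warning at the end of the notes applies to this block too: the argument above assumes independent bits with a constant bias, and the code proves nothing about a source that violates that.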