Tuesday, August 19, 2008

Strydehax the Olympics!

My buddy strydehax put a couple of hours into investigating the controversy surrounding the age of Chinese gymnasts. Check it out here.

NYSEC, OWASP Chicago

I'm off to NYC for NYSEC tonight, and tomorrow I'm off to Chicago for some work and some play. I was originally going to Chicago to hang out with my buddy, but coincidentally, there is a local OWASP chapter meeting on Thursday. Even cooler is that Rohyt had been scheduled to speak there, so I also get to go show some support for Intrepidus.

In other news, I'm finally starting to get caught up with work and back in the swing of things after Vegas. I'm continuing with more SSL VPN research, as well as some generic SSL research to follow my live.login.com stunt. Unfortunately, I have more ideas than I have time to research them.

Thursday, August 7, 2008

SSL VPN Slides - BlackHat 2008

Yesterday I delivered my presentation on web based SSL VPN security at BlackHat in Las Vegas. The slides can be viewed here.

Thanks to all who attended my presentation. I'll be writing a paper soon to highlight the major points, so stay tuned for that.

Wednesday, July 2, 2008

Thoughts on IE8

I read quite a bit of stuff on the IE8Blog today. Most interesting to me are the improvements surrounding ActiveX controls. Among the big changes here are Per-User (non-Admin) controls and Per-Site Controls.

Per-User Controls are installed by standard users without the need to elevate privileges. Administrative rights will no longer be required because the control will only exist within the profile of the user who installs it, preventing exploitation of other users of the system.

More importantly, Per-Site Controls allow users to whitelist certain sites to use certain controls. This is a great breakthrough in the fight against ActiveX re-purposing attacks, where malicious web sites abuse functionality in legitimate controls. Where security conscious developers once had to maintain their own whitelisting code within the control, IE8 will do this for them by default.

This is great for complex web applications (like SSL VPNs) that use ActiveX controls to perform sensitive/dangerous actions on the client. Unfortunately, there are still many organizations out there that haven't even embraced IE7 yet, so these defenses may not help the users who really need them for quite some time.

On the XSS front, IE8 will also have a few new tricks. One of them is a client side black-list XSS filter (like a wimpy NoScript) that will block attacks and notify users. Unfortunately, to avoid "breaking the web", it appears from this post that the filter will only block the most obvious SCRIPT tag injections.

Another new feature is the toStaticHTML() JavaScript method. This looks like another blacklist, but is intended to allow a web site to render third-party Web2.0 content safely in the browser. Hopefully it uses a robust black list!
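To make the blacklist-versus-allowlist point concrete, here is an added example (my own illustration, not IE8's toStaticHTML() and not code from the IE8 team): a blacklist sanitizer that only removes SCRIPT elements, next to an allowlist sanitizer that rebuilds the fragment from a fixed set of known tags and attributes. The tag and attribute lists, the constructed input, and the minimal tokenizer (which assumes attribute values never contain a literal '>') are all assumptions of the example.

```javascript
// Added example, not IE8's toStaticHTML(): an allowlist sanitizer for
// untrusted HTML fragments, next to the blacklist approach the post worries
// about. The tokenizer is deliberately minimal and assumes attribute values
// never contain a literal '>'.

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
const SAFE_HREF = /^(https?:)?\/\//i;   // http(s) and protocol-relative links only

// Escape the characters that would let text be read as markup or close an attribute.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Blacklist approach: remove <script> elements and pass everything else through.
function blacklistSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Allowlist approach: rebuild the fragment from scratch, emitting only known
// tags and known attributes; anything not recognised is dropped or escaped.
function allowlistSanitize(html) {
  const tokens = html.split(/(<[^>]*>)/);       // tag-like tokens alternate with text
  const attrRe = /([a-zA-Z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '';
  let discarding = null;   // name of a dropped element whose text we also discard

  for (const tok of tokens) {
    if (tok === '') continue;
    const m = /^<\s*(\/?)\s*([a-zA-Z][\w-]*)([^>]*)>$/.exec(tok);
    if (!m) {                                    // plain text, or a malformed tag
      if (!discarding) out += escapeText(tok);
      continue;
    }
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (discarding) {
      if (closing && name === discarding) discarding = null;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) {
      // Unknown element: drop the tag. For script/style, drop the content too,
      // since it is code rather than user-visible text.
      if (!closing && (name === 'script' || name === 'style')) discarding = name;
      continue;
    }
    if (closing) { out += `</${name}>`; continue; }

    let kept = '';
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[3])) !== null) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!(ALLOWED_ATTRS[name] && ALLOWED_ATTRS[name].has(attr))) continue;
      if (attr === 'href' && !SAFE_HREF.test(value)) continue;
      kept += ` ${attr}="${escapeText(value)}"`;
    }
    out += `<${name}${kept}>`;
  }
  return out;
}

// Constructed third-party content with an inline event handler and a script element.
const UNTRUSTED = '<p onclick="doSomething()">Hi <b>there</b><script>doSomething()</script> <a href="https://example.org/">link</a></p>';

console.log('blacklist:', blacklistSanitize(UNTRUSTED));
console.log('allowlist:', allowlistSanitize(UNTRUSTED));
```

The blacklist version removes the SCRIPT element and nothing else, so the inline event handler survives; the allowlist version never has to know what is dangerous, only what is permitted, which is why it holds up as new markup features appear.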

Another new feature that I'm really excited about is domain highlighting. In order to prevent phishing and other social engineering attacks, IE8 will highlight what it determines to be the owning domain name in the address bar. Anything site controlled, like sub-domains and URL text, will be grayed out, so that the user can more easily key in on the important parts: the protocol and domain name. Simple, but effective.
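Here is an added example of the idea behind domain highlighting (my own model, not Microsoft's implementation): split a URL into the owning domain and the site-controlled parts around it. The suffix table is a tiny constructed stand-in for the real Public Suffix List, the function names are mine, and the URLs are constructed samples under the reserved .example TLD.

```javascript
// Added example: a simplified model of the domain highlighting IE8 does in its
// address bar. PUBLIC_SUFFIXES is a tiny constructed stand-in for the real
// Public Suffix List and is nowhere near complete.

const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'example', 'uk', 'co.uk', 'org.uk']);

// Registrable ("owning") domain of a host name: the longest known public suffix
// plus one label. Returns null for IP literals and for bare public suffixes.
function owningDomain(hostname) {
  if (hostname.startsWith('[') || /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname)) return null;
  const labels = hostname.toLowerCase().split('.');
  let suffixLen = 0;
  for (let i = labels.length - 1; i >= 0; i--) {
    if (!PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) break;
    suffixLen = labels.length - i;
  }
  if (suffixLen === 0) suffixLen = 1;            // unknown TLD: treat the last label as the suffix
  if (suffixLen >= labels.length) return null;   // the host *is* a public suffix
  return labels.slice(labels.length - suffixLen - 1).join('.');
}

// Split a URL into the parts the browser would gray out and the part it would highlight.
// Userinfo, sub-domains, port, path, query and fragment are all chosen by the site.
function highlightUrl(urlString) {
  const u = new URL(urlString);
  const host = u.hostname;
  const domain = owningDomain(host) || host;     // no owning domain: highlight the whole host
  const userinfo = u.username ? `${u.username}${u.password ? ':' + u.password : ''}@` : '';
  const subdomains = host.slice(0, host.length - domain.length);
  return {
    scheme: u.protocol,
    grayBefore: `${userinfo}${subdomains}`,
    highlighted: domain,
    grayAfter: `${u.port ? ':' + u.port : ''}${u.pathname}${u.search}${u.hash}`,
  };
}

// Constructed sample URLs: a look-alike host name and a userinfo trick.
const SAMPLES = [
  'https://login.bank.example.com.attacker.example/account?id=7',
  'https://bank.example@attacker.example/',
  'http://www.example.co.uk/news',
  'http://10.0.0.1:8080/login',
];
for (const s of SAMPLES) {
  const h = highlightUrl(s);
  console.log(`${h.scheme}//[${h.grayBefore}] ${h.highlighted} [${h.grayAfter}]`);
}
```

The first two samples show why this matters: a long, familiar-looking prefix and an "@" trick both end up grayed out, and the eye lands on the label pair that actually identifies who controls the page.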

Thursday, June 19, 2008

Recent OWASP Events

Last week I presented at FROC.us and my demos worked fine. Last night at the OWASP NY/NJ chapter meeting my demos failed hard! Fortunately for me, everyone was very nice and understanding, and the presentation was able to hold its own without the demos. Thanks to everyone who came out to both of these events!

You can view my slides here:
FROC.us - SSL VPN Security (different from what I'll be presenting at BlackHat)

June 18 2007 OWASP NY/NJ - Reverse Proxy Abuse

Here are videos of the demos I tried to show last night:
Abusing XMLHTTP for local resource access
Exploiting 5 WebApps with 1 HTTP Request

I had some resolution issues that prevented me from getting them up on YouTube, but I'll try again later when I have more time.

Thursday, June 5, 2008

CAPTCHAs anyone?

Man Allegedly Bilks E-trade, Schwab of $50,000 by Collecting Lots of Free 'Micro-Deposits'

Talk about abuse of functionality! Doesn't look like this guy did much to fly under the radar either. He was opening THOUSANDS of accounts per day with these brokers. In some cases, he even linked fraudulent accounts and accounts opened with his real personal details to the same bank account.

The best part, in my opinion, is that he did the same thing to the Google Checkout service, seemingly within their terms of service:

"When the bank asked Largent about the thousands of small transfers, he told them that he'd read Google's terms of service, and that it didn't prohibit multiple e-mail addresses and accounts. 'He stated he needed the money to pay off debts and stated that this was one way to earn money, by setting up multiple accounts having Google submit the two small deposits.'

The Google caper is not charged in the indictment. (.pdf)"

Monday, June 2, 2008

[insert interesting title here]

I guess you could tell by my lack of posts that I've been pretty busy recently. Fortunately, it's been mostly with fun and interesting things.

One of the projects I've been working on is reversing a patched SSL VPN ActiveX component in preparation for my BlackHat talk. I've been staring at Olly and IDA until my eyes feel like they're going to bleed. But, I've been making progress, learning a lot, and I've come up with some additional material to talk about. One such topic is that of hard-coded passwords in binaries. Jeez. If you work for a security product vendor, you should know better!

I've also been getting ready for my first SSL VPN talk next week at Froc.us. I have some cool stuff to share with those folks, and it should be a good time. Plus, I've never partied in Denver before. Looking forward to seeing a new city.