Historical Document - Last Updated Mon Dec 27 17:35:07 2004

CanSecWest 2001

The computer security conference CanSecWest was held in Vancouver over 3 days at the end of April 2001.

We were all stuffed into the Pacific Palisades on Robson. Too small, really - the rooms and especially corridors were on the small side with a single-linked topology that meant discussions in the hallway became traffic bottlenecks. However, it wasn't too hot or too cold and the alarms didn't go off (not like BlackHat 99 - actually someone told me that that was done by a hacker attending DEFCON who couldn't afford BlackHat).

We got ID cards with a little message in hex written along the top. It read, as I recall, "ALLYOURCARDZAREBELONGTOUS". An in-joke, I think; I found allyourbase.swf (Flash) linked on one of the speaker's websites.

Overheard during a presentation (answering a cellphone) - "Hang on, I'm in a room full of security guys ...".

The conference had a wireless LAN set up and many attendees brought laptops. One guy sitting next to me actually bought some concert tickets online while chatting to a friend on IRC, during one of the presentations.
Packet sniffing on the wireless LAN was rampant (mentioned in the c|net story below) so that one speaker placed his email password on a slide figuring everyone knew it already. He'd just logged on to a webmail site (Yahoo?), realized what he'd done, said "Oh sh*t", and dashed out the door to an Internet cafe to go change it (not trusting the hotel LAN, and I presume there is no SSL access to Yahoo! mail).
Someone mentioned that they'd been at the IETF where a wireless LAN was set up and said that passwords were going past in clear too fast to read. The wireless LAN, I think, operates with a shared key so that all users with access can see each other's traffic. Encryption isn't normally enabled at public venues like this anyway.

We got copies of the conference presentations, plus a lot of other neat stuff, on business-card recordable CD-ROMs. If you haven't seen these, they are an 8cm CD cropped to 6cm high that hold about 60Mb and fit in the inner ring of your CD-ROM drive.

CanSecWest in the News

Papers and toolkit

Papers presented at the conference, plus a variety of reference material, tools, etc. are available here from TRIUMF.
The list of speakers and topics is here (well, here really). Note that many speakers have not yet placed their presentations on the Web where they said they would. Some are in PowerPoint and will require PPT (or maybe StarOffice) to view.

SSH with Kerberos

Nico (?) from securite.org talked about implementing SSH with Kerberos (at Cisco, I think). The idea is to give single sign-on to a large variety of servers, routers, hosts etc. Propagating SSH keys got too unwieldy.

Kerberos (version V was used) doesn't do encryption or authorization, just authentication. It uses a DES shared key to grant tickets. Initially one gets a TGT (ticket-granting ticket) valid for a certain length of time (7 hours here), which is then used to get a ticket for access to each of the servers. There is a single TGT server (which might be mirrored or otherwise given some redundancy) and one or more ticket servers. Kerberos V currently works with SSH1 and SSH2 (not OpenSSH at present). He suggested not using PAM or NIS. He suggested using DNS (Hesiod) to share usernames (not passwords, obviously) and Kerberos for authentication.

(presentation)

Nessus

Renaud Deraison talked about the security scanner Nessus and the scripting language NASL. He said that Nessus is designed to be used by everyone - which I hadn't really grasped - so that it can be set up running on a server with access control for users to test their own areas. Version 1.2 is coming soon he says.

(presentation)

Trinux

Matthew Franz of Cisco, author of Trinux: A Linux Security Toolkit, talked about various scanning and attacking tools. I scribbled notes for later entry in a search engine - Naptha, hping, p0f, nmap, sing, Ofir Arkin, ISAKMP, H323, ethereal, iplayer, ISN, IKE, AH/ESP, udpsic, isic, tcpkill.

He showed some plots of IP sequence number for different operating systems - how easy it is to fake a packet and break into someone's session. Microsoft are pretty predictable (as I suspect are some older O/S like Ultrix) while recent Linux and OpenBSD are nearly perfectly random.
Flooding attacks on stateful protocols: if the initial state (waiting for connect) is flood-resistant, later ones (connected and waiting for data, perhaps) may not be.

Forensic Readiness

John Tan of @Stake talked about forensic readiness, i.e. having your system ready to make it easier to do forensic analysis when it gets broken into. He also gave out a neat bootable business-card CDROM (which I have available). The Coroner's Toolkit (TCT) was recommended - it basically automates doing all the ps -auwwx, netstat, w, arp -a stuff plus some rudimentary disk analysis and undeletes. TCT has a MAC (modify/access/change) time analysis script to figure out which files have been modified or executed recently.
General things: run disks 50% full or less; for forensics *do not do a normal backup* (it modifies the MAC times) - instead use dd to make a disk image. You can do this over NFS or use netcat. Run the TCT process grab first to a floppy (or NFS, maybe), then take the disk image, then use the TCT MAC analysis on the disk image mounted read-only.
Chain of custody rules say you should make checksums of everything and sign off from person to person etc. Use FedEx to ship - their normal logging procedures are OK, it seems. Photograph hardware, screen contents etc. and maybe run security video on storage. The idea is to show that the evidence cannot have been tampered with - antistatic bags with signed, dated paper seals, etc.
The uncertainty principle says you can't win - if you pull the plug you preserve 100% of the disk contents but lose everything in RAM such as running processes, network connections, user list etc. If you run things to preserve state you change the state and may write to the disk. If you do nothing and wait for the cops you probably lose state such as the arp cache and net connections, processes may write to disk, and the cops probably pull the plug anyway. Forensic acquisition should be done in-house.
TCT is good for other systems too because Linux can mount other filesystems (MSDOS, VFAT, NTFS ...)
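
A sketch of the two checks described above, as an added example (it is not TCT and not code from the talk): a chunked digest of the dd image for the chain-of-custody record, and a MAC-time timeline built from lstat() alone. The function names and the command-line arguments are assumptions made for this illustration.

```python
import hashlib
import os


def sha256_file(path, chunk=1 << 20):
    """Digest of an image file, read in chunks so a whole-disk image fits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def mac_timeline(root):
    """Return sorted (unix_time, flags, path) rows for everything under root.
    flags shows which timestamps fall on that second: m, a and/or c."""
    events = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: describe symlinks, never follow them
            stamps = (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime))
            for flag, ts in stamps:
                events.setdefault((int(ts), path), set()).add(flag)
    return sorted(
        (ts, "".join(f if f in flags else "." for f in "mac"), path)
        for (ts, path), flags in events.items()
    )


def touched_since(root, since):
    """Timeline rows at or after `since` (seconds since the epoch)."""
    return [row for row in mac_timeline(root) if row[0] >= since]


if __name__ == "__main__":
    import sys
    import time
    # Assumed usage: argv[1] is the dd image file, argv[2] is the directory
    # where that image has been mounted read-only.
    print("sha256", sha256_file(sys.argv[1]))
    for ts, flags, path in mac_timeline(sys.argv[2]):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts)), flags, path)
```

Walking a tree that is mounted read-write updates directory access times as it goes, which is why the timeline is taken from the read-only image rather than from the live disk.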

(presentation)

Dave Dittrich talked about this too. Have a SCSI card. Use twisted 10Bt to a laptop (to copy disks).

Peer to Peer

Mixter talked about peer-to-peer networking (Napster, Gnutella, Intel Edge etc.). OpenCOLA search engine.

NIDS evasion

K2 talked about NIDS evasion techniques. RFP talked later about the rfproxy and whisker tools. Basically, if a scanner is looking for "/cgi-bin/phf", then a script can avoid it by requesting the hex equivalent, e.g. "%2f%63%67%69%2d%62%69%6e%2f%70%68%66". More esoteric versions convert to UTF, or introduce null bytes into TCP packets.
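
The detection-side answer to the hex trick, as an added example that is not from either talk or from any tool named here: percent-decode the request path before matching, and treat escapes of characters that never need escaping as a signal in themselves. The function names and the sample request lines are constructed for this illustration.

```python
import re
from urllib.parse import unquote_to_bytes

SIGNATURES = [b"/cgi-bin/phf"]  # the signature used in the text
PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
# Characters that never need escaping in a URI (RFC 3986 "unreserved").
UNRESERVED = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def normalize(path: bytes) -> bytes:
    """Percent-decode once, as the web server does before mapping the path."""
    return unquote_to_bytes(path)


def needless_escapes(path: bytes) -> int:
    """Count %XX escapes of unreserved characters; ordinary clients have
    no reason to send these, so a run of them is worth an alert."""
    return sum(1 for h in PCT.findall(path) if int(h, 16) in UNRESERVED)


def inspect(request_line: bytes) -> dict:
    """Match signatures against both the raw and the decoded path."""
    _method, uri, _version = request_line.split(b" ", 2)
    path = uri.split(b"?", 1)[0]
    raw_hit = any(sig in path for sig in SIGNATURES)
    norm_hit = any(sig in normalize(path) for sig in SIGNATURES)
    return {
        "raw_hit": raw_hit,
        "normalized_hit": norm_hit,
        "evasion_suspected": norm_hit and not raw_hit,
        "needless_escapes": needless_escapes(path),
    }


# Constructed request lines, not captured traffic.
SAMPLES = [
    b"GET /index.html HTTP/1.0",
    b"GET /cgi-bin/phf HTTP/1.0",
    b"GET %2f%63%67%69%2d%62%69%6e%2f%70%68%66 HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line.decode(), inspect(line))
```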

HoneyNet

Lance Spitzner talked about the honeynet project. Basically, this was a couple of out-of-box systems on an ISDN line with a sniffer watching them. Average time for a stock RedHat 6.2 system to be broken into - 3 days. He tells an anecdote of a professor at a University installing a system and going off to teach a 1-hour class. When he got back to his office the system was already compromised.

PKI crypto

Dug Song talked about SSH and PKI crypto. He has written some tools to attack SSH. I think these rely either on people ignoring the "host key has changed" warnings (some Windows clients don't even display them apparently), or getting hold of private keys e.g. from NFS exported home directories. I asked him about using a secure trusted machine to do passwordless logins using RSA/DSA key pairs, and he said this was OK. Another issue was PGP keys visible with NFS, and I presume the same thing applies to backups (NFS is a sniffable protocol, so backups done with NFS could potentially expose private keys and passwords, even if the backup media is physically secured).

NT rootkit

Gary Golomb (I think) talked about the NT 2000 rootkit. This acts like the Unix ones to hide hackers' processes and files from examination. It works a bit like the Linux LKM rootkits - anything running at the application level such as personal firewalls, virus checkers etc. will not see hidden stuff since it will be filtered out at system level.

Bastille

Jay Beale talked about the Bastille Linux project. Version 1.2 is on the way. Will feature a GUI and easier post-install operation (originally Bastille was intended to be run right after a system install before you have changed anything). He's working for Mandrake now and got them to ship Bastille with it, but it won't run by default (it asks 35 tricky questions, while the install scripts are trying to get simpler to use).

Jay also talked about boot security, e.g. protection from "LILO: linux init=/bin/sh" or someone with a screwdriver.

NMAP

Fyodor talked about the nmap scanner and gave some examples, scanning the wireless LAN and finding laptops in the audience. He also demonstrated a neat attack on the BlackIce Defender personal firewall; essentially by spoofing the Windows name service (easy) he could subvert the lookup process in BlackIce, so that an attack was reported as coming from "your mother" instead of 128.35.1.4 or whatever.

OpenBSD

Theo talked about the OpenBSD project - arguably the most secure OS out there. They have proactively audited the entire source tree (300Mb) looking for security holes and bugs, doing things like eliminating all gets(), sprintf() and strncpy(). They provide some secure alternatives, e.g. strlcpy(). They say it has been 3 years since a remote hole in the stock install.

He was feeling a bit depressed he said since they'd not discovered a problem in the glob() function in libc. Then he said, hey, at least we're better than everyone else, and they can steal our code to see how to do things right.

crypto a 2-edged sword

Kurt Seifried talked about various crypto things, such as crypto or the lack of it in email. He mentioned a scenario where someone could attack a DNS server, plant bogus MX records, then intercept email, read or alter it, then retransmit it, without actually touching the mail server itself at all.

I think he was also complaining that use of crypto would interfere with a lot of products that "we take for granted". By which he means various monitoring tools that commercial companies might run to make sure their employees don't blab company secrets over email, and don't spend their time on the Web visiting porn and gambling sites. I had a bit of an argument with him about how an encrypted email virus could possibly propagate. I think with PGP it couldn't, since the user has to enter a password for each encrypted message, but I guess if the key is held in memory all the time you're logged in and the virus has access to both your address book and to everyone's public keys it could happen. It wouldn't work to mailing lists, though.

Snort

Martin Roesch talked about Snort (which we run here). Version 2.0 (or maybe 1.8) is on the way. He says on a modern machine it can handle about 150Mbit/s with a 1% data loss, or 300Mbit/s with a 50% loss. Talked about tagging sessions - if someone does something suspicious, you watch everything he does, instead of watching everything all the time. I mentioned the problems with hacker tools spoofing addresses and he said an arp plugin might appear.


A.Daviel