Day 2 of the EUSecWest/core06 security conference in London...

by Justin Clarke

Related link: http://eusecwest.com



The second and last day of EUSecWest has been and gone. It turned out to be a fun experience, with a lot of valuable and interesting information shared by the speakers, and a lot of interesting folks met at the conference. Here are my notes from the main speakers today (I haven't included the lightning talks or vendors because I was busy drinking beer by that stage...):



Shreeraj Shah from net-square talked about web application attacks and defences. He introduced and demonstrated a number of tools he has written for the enumeration of information from the MSN Search engine, as well as some cool tools for web services testing and penetration, including:


  • MSNPawn - discovery and enumeration of information about
    HTTP
    hosts (including discovering running hosts by the server IP address)
    from querying using the MSN Search web service

  • MSNKnight - for building a profile about the site, by
    acting as a local proxy

  • wsPawn - for footprinting web services

  • wsKnight - for interacting with the web service using a
    WSDL file

  • wsAudit - for performing attack fuzzing on web services




Justin Clarke (me) from Ernst & Young talked about automating web application assessment and exploitation. The talk seemed to go down fairly well. I demonstrated some of the tools that were written for Network Security Tools (http://www.oreilly.com/catalog/networkst), as well as one tool (SQLBrute) that is available from my site. I also completely forgot to demonstrate one small tool (IEnterceptor)... whoops.



Andy Davis from Information Risk Management talked about ColdFusion security. They have been doing a lot of research on versions 7, 6.1 and 6.0 of CF, and talked about some of the issues (especially in the admin interface) that can be leveraged for nefarious purposes. Some of the issues they found haven't been fixed yet (in the services etc. that ship with CF), so we can look forward to more once Adobe release the fixes.



Tim Hurman from Pentest Limited talked about the security of personal ARM devices, such as common PDAs. This covered some similar ground to Barnaby Jack's talk yesterday, with the differences that Tim was using JTAG to debug iPAQs and the like, and went on to demo an "always on" vulnerability in (I think) the vCal parsing via Bluetooth OBEX file transfer on a (I think) HP 5xxx iPAQ running Windows Mobile 2003. The exploit was a nice window showing "0wn3d". Tim mentioned how this type of issue could be used to formulate an "airborne virus" that you could pick up from an infected device, which would attack your desktop PC when in the sync cradle, and attack other mobile devices via Bluetooth when not attached. Nice :-)



Raffael Marty from ArcSight talked about visual security event analysis using the Afterglow toolset (http://afterglow.sourceforge.net/). Raff went through a number of visualisation examples, and these did look very useful for this type of application. I will definitely be having a look into these sometime soon.



Michael Boman from KPMG Singapore talked about network security monitoring theory and practice, and also the SGUIL network monitoring console. This looked pretty useful, and a possible alternative to some of the (expensive) commercial consoles that are becoming more available.



Jim DeLeskie from Teleglobe (http://www.vsnlinternational.com/) and Danny McPherson from Arbor Networks (http://www.arbornetworks.com) talked about securing the infrastructure from the point of view of the service provider. This was pretty interesting to me as well, especially when talking about the provider techniques and limitations when responding (or not) to DDoS attacks.



Andrea Barisani from Inverse Path (and the Gentoo team) talked about the Gentoo rsync server compromise that happened in December 2003 (of a core portage rsync server), the detection of the compromise, analysis of what happened (including identification of the flaw in rsync), and the coordination of working with the rsync developers in fixing the flaw. Very informative.