Domain: cansecwest.com
Stories and comments across the archive that link to cansecwest.com.
Comments · 30
-
Re:Is this good news or bad?
> Filtering user input properly would have stopped this though
Yeah but I think a lot of people underestimate the difficulty of "properly".
Even when it comes to simple stuff like escaping angle brackets:
http://cansecwest.com/csw09/csw09-weber.pdf
http://www.securityfocus.com/archive/1/437948/30/0/threaded
More here:
http://nedbatchelder.com/blog/200704/xss_with_utf7.html
http://www.securityfocus.com/bid/31183/discuss
http://ha.ckers.org/blog/20060817/variable-width-encoding/
Worse if you need to allow _some_ fancy stuff but not all.
To use a car analogy, browsers nowadays are like cars with 1000+ gas pedals, many placed in strange and unexpected places. But not a single brake pedal.
To stop, you must ensure that NONE of the 1000+ gas pedals are pressed.
If a hacker rides past and manages to press one of those pedals, you crash and burn.
I've been proposing a brake pedal for browsers for years: http://slashdot.org/comments.pl?sid=1384497&cid=29565569
I really don't care what it ends up looking like as long as it works and is easy to use.
What if one day your filters disagree with some of your users' browsers in their parsing? All the different browsers and filters might be correct according to different interpretations of the standard(s) - just some ambiguity makes them all right and yet somehow different.
With my proposal as long as they interpret the brake pedal correctly, they could still be safe (there's no 100%, but hey at least things will be safer).
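An added example (my code, not from the comment above or from the linked slides) that makes the "properly" problem concrete: a filter that escapes only angle brackets passes a UTF-7 payload through unchanged, and a browser that decides the page is UTF-7 turns it back into markup. Python's built-in utf-7 codec plays the part of the browser's decoder; the payload and both escaping functions are constructed for this illustration.

```python
# Added example: angle-bracket escaping versus a charset the filter did not expect.
# Python's utf-7 codec stands in for a browser that has decided the page is UTF-7.

# Constructed attacker input: it contains no '<' or '>' at all.
PAYLOAD = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-"


def escape_angles(s: str) -> str:
    """The naive filter: only the two angle brackets are treated as dangerous."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def escape_strict(s: str) -> str:
    """Defence in depth: everything outside [A-Za-z0-9] becomes a numeric
    character reference. A '+' then never reaches the charset decoder as a
    raw byte, so it cannot open a UTF-7 shift sequence."""
    return "".join(
        c if c.isascii() and c.isalnum() else f"&#x{ord(c):x};" for c in s
    )


def browser_view(page: str, charset: str) -> str:
    """What a browser sees after decoding the page bytes as `charset`.
    The filter output is pure ASCII, so the bytes on the wire are identical;
    only the browser's charset decision differs."""
    return page.encode("ascii").decode(charset)


def compare() -> dict:
    naive = escape_angles(PAYLOAD)
    strict = escape_strict(PAYLOAD)
    return {
        # The naive filter finds nothing to escape.
        "naive_unchanged": naive == PAYLOAD,
        # Decoded as the author intended: harmless text.
        "naive_as_utf8": browser_view(naive, "utf-8"),
        # Decoded as UTF-7: the brackets come back and it is a script tag.
        "naive_as_utf7": browser_view(naive, "utf-7"),
        # With '+' encoded there is no shift sequence left for the decoder.
        "strict_as_utf7": browser_view(strict, "utf-7"),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value!r}")
```

The primary fix is to declare the charset explicitly (Content-Type header and/or meta tag) so the browser never has to guess; `escape_strict` is the belt to that brace. Current browsers no longer sniff UTF-7, but the underlying failure, the filter and the decoder disagreeing about what the bytes mean, is the same class as the variable-width encoding issues linked above.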
-
Re:html tag to disable active content
Agh, the line: browser treated some unicode characters as ""
Should read:
browser treated some unicode characters as "<".
See this: http://cansecwest.com/csw09/csw09-weber.pdf
Forgot that Plain Old Text is not Plain Old Text in Slashdot.
Oh yeah there's also: http://www.securityfocus.com/archive/1/437948/30/0/threaded
-
Worse than a duplicate: A degrade-licate.
I've read both Slashdot articles. They look similar to me. The older one is far superior.
Basically, if you have a keyboard of poor quality that has poor shielding and no noise reduction components, it is possible to read signals. The question is, which keyboards and computers are poorly designed and poorly shielded?
Read the complete story: This PDF, not referenced by Slashdot, tells the whole story: CanSecWest/core09 March 16-20, 2009 (PDF). Quote from page 41: "This doesn't work against USB keyboards because of differential signaling". Also, on page 12: "The [PS/2 keyboard] wires are very close to each other and poorly shielded".
Slashdot articles of especially poor quality: Are they paid advertisements? I've read Slashdot articles for years, and there is now a new phenomenon. A publication runs an article of very poor quality and Slashdot links to it, possibly to lead Slashdot readers to the publication so that they will read the ads. This article was submitted to Slashdot by a professional writer, Hugh Pickens, who is possibly acting as a public relations agent. He has written at least 413 Slashdot articles. Does someone at Slashdot accept money to publish his articles?
Quote from the OLDER article referenced by the OLDER Slashdot story:
'March 12, 2009, 02:46 PM - IDG News Service -
'Inverse Path researchers Andrea Barisani and Daniele Bianco say they get accurate results, picking out keyboard signals from keyboard ground cables.
'Their work only applies to older, PS/2 keyboards [PS/2 connector, not PlayStation], but the data they get is "pretty good," they say. On these keyboards, "the data cable is so close to the ground cable, the emanations from the data cable leak onto the ground cable, which acts as an antenna," Barisani said.
'That ground wire passes through the PC and into the building's power wires, where the researchers can pick up the signals using a computer, an oscilloscope and about $500 worth of other equipment. They believe they could pick up signals from a distance of up to 50 meters by simply plugging a keystroke-sniffing device into the power grid somewhere close to the PC they want to snoop on.
'Because PS/2 keyboards emanate radiation at a standard, very specific frequency, the researchers can pick up a keyboard's signal even on a crowded power grid. They tried out their experiment at a local university's physics department, and even with particle detectors, oscilloscopes and other computers on the network were still able to get good data.'
-
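The slides quoted in the keyboard-emanation comment above are about recovering the PS/2 data line from what leaks onto the ground wire; what you then hold is a bit stream, and this added example (my code, not from the slides or the IDG article) shows the framing needed to turn it into keystrokes: start bit, eight data bits LSB first, odd parity, stop bit, plus the 0xF0 break prefix a keyboard sends before the make code on release. The scan-code subset, the "captured" stream and the injected noise are constructed for the illustration; in a real capture frame alignment comes from the clock line, which this code assumes has already been done.

```python
# Added example: decoding device-to-host PS/2 frames into keystrokes.
# Scan code set 2 make codes for a handful of keys (the standard table, subset).
SET2 = {0x1C: "a", 0x32: "b", 0x21: "c", 0x23: "d", 0x24: "e", 0x2B: "f",
        0x34: "g", 0x33: "h", 0x43: "i", 0x3B: "j", 0x42: "k", 0x4B: "l",
        0x3A: "m", 0x31: "n", 0x44: "o", 0x4D: "p", 0x15: "q", 0x2D: "r",
        0x1B: "s", 0x2C: "t", 0x3C: "u", 0x2A: "v", 0x1D: "w", 0x22: "x",
        0x35: "y", 0x1A: "z", 0x29: " ", 0x5A: "\n"}
BREAK = 0xF0  # prefix byte sent before the make code when a key is released


def encode_frame(byte: int) -> list:
    """Device-to-host frame: start(0), 8 data bits LSB first, odd parity, stop(1)."""
    data = [(byte >> i) & 1 for i in range(8)]
    parity = 1 - (sum(data) % 2)  # chosen so that ones(data) + parity is odd
    return [0] + data + [parity, 1]


def decode_frame(bits: list) -> int:
    """Validate framing and parity, return the data byte. A single flipped bit
    (the kind of noise a ground-line capture produces) fails the parity check."""
    if len(bits) != 11 or bits[0] != 0 or bits[10] != 1:
        raise ValueError("framing error")
    data, parity = bits[1:9], bits[9]
    if (sum(data) + parity) % 2 != 1:
        raise ValueError("parity error")
    return sum(b << i for i, b in enumerate(data))


def keystrokes(bits: list) -> tuple:
    """Walk consecutive 11-bit frames. Returns (typed_text, dropped_frames).
    Release sequences (0xF0 followed by the key) are skipped; unknown codes map to '?'."""
    out, dropped, release = [], 0, False
    for i in range(0, len(bits) - len(bits) % 11, 11):
        try:
            code = decode_frame(bits[i:i + 11])
        except ValueError:
            dropped += 1      # frame alignment comes from the clock, so just skip it
            continue
        if code == BREAK:
            release = True
        elif release:
            release = False   # this byte is the released key: ignore it
        else:
            out.append(SET2.get(code, "?"))
    return "".join(out), dropped


def typed_stream(text: str) -> list:
    """Constructed capture: make code, then break prefix + code, for each character."""
    inv = {v: k for k, v in SET2.items()}
    bits = []
    for ch in text:
        code = inv[ch]
        bits += encode_frame(code) + encode_frame(BREAK) + encode_frame(code)
    return bits


if __name__ == "__main__":
    clean = typed_stream("hi")
    noisy = list(clean)
    noisy[1] ^= 1  # flip one data bit in the first frame, as line noise would
    print(keystrokes(clean), keystrokes(noisy))
```

The parity bit is what lets you tell a genuine frame from noise when the signal is marginal, which is why a sniffer like the one described can still produce usable text from a dirty capture. The quoted line about USB is the flip side: differential signalling on the USB pair cancels most of the common-mode leak that the single-ended PS/2 data line radiates onto its ground.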
Re:Different hardware, different incentive?
You are forgetting that the winners were both from computer security firms. I would imagine that they would already own so many computers that the prize would be just a drop in the ocean. It would certainly be insignificant compared to the value of the PR that their security firm would receive by winning the competition.
According to the rules of the competition, the judges randomly allocate the timeslots for each of the computers to the competitors. This means that all of the computers were being attacked simultaneously and there wasn't a great rush for just one of the machines.
The rules also state that "You can't use the same vulnerability to claim more than one box, if it is a cross-platform issue". It would be interesting to see whether the Ubuntu system was really immune to this exploit after all. However, it is reassuring that it took 7 hours for the system to be hacked. I thought that it would fall a lot faster than that!
-
maybe its not important at all...
...but the conference name is CanSecWest. Seeing as this is the 8th year of the event, perhaps a spelling correction could be suggested. http://cansecwest.com/
-
Get the Facts is a better tag.
What, did you expect anything else from something sponsored by Microsoft? It was easy to tell that the loser was going to be Apple or Ubuntu.
getthefacts baby!
-
Re:Market share?
http://cansecwest.com/post/2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Allow
Most of these malware people lack the sophistication needed to equal the same amount of havoc they now bring to the Windows market. You are so naive.
Repeat after me: There is nothing special about UNIX.
-
Regular User
It appears on the Cansec website that the contest was for shell access on a regular users account.
2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Allow
Just to review the rules, the first box required a flaw that allows the attacker to get a shell with user level privileges. The second box, still up for grabs, requires the same, plus the attacker needs to get root.
http://cansecwest.com/
-
Hacking Embedded Network Systems
FX of Phenoelit gave an amazing talk on this at CanSecWest/core03 back in 2003 that outlined how to turn a JetDirect printer into a webserver, fileserver or even a port scanner! We all had a huge chuckle at the thought of someone tracking down a port scanner on the network only to find it was coming from an HP printer.
The entire presentation is still available online in both PDF and PPT format.
The tools used to hack the printers are available here.
-
Re:Not ultimately a solution
[shillery notice: I am CEO at MailChannels]
spamd gave us our initial inspiration. I talked with Bob Beck at the Cansecwest security conference after he presented on spamd and was -- to put it mildly -- blown away.
It's important to understand that spamd does not actually deliver mail. It just responds r e a l l y s l o w l y and then returns a 400-series code to force the sender to try again. After the first time, a packet filter rule is added that redirects that sender to a real MTA, which receives the message.
So in essence spamd is (primarily) used as a grey-listing system.
Traffic Control actually delivers the mail in addition to efficiently slowing down connections from _certain_ senders.
In that way it's a lot more sophisticated and less prone to deliverability problems. Deliverability is a major concern for corporate customers -- even though spam is also a big deal.
-
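The spamd behaviour described in the MailChannels comment above (refuse on first contact with a 4xx, remember who called, let the retry through once enough time has passed, then whitelist the host so the packet filter hands it to the real MTA) as an added example. This is my illustration of the greylisting decision, not spamd's code; the passtime/greyexp/whiteexp timers are the values I recall as the spamd(8) defaults (25 minutes, 4 hours, 36 days) and should be treated as assumptions.

```python
# Added example: greylisting decisions in the style the comment describes for spamd.
# Illustration only, not spamd's code. Timer values are assumed spamd(8) defaults.
from dataclasses import dataclass, field
from typing import Optional, Tuple

PASSTIME = 25 * 60            # a retry must come at least this long after first sight
GREYEXP = 4 * 60 * 60         # forget a grey tuple that never came back
WHITEEXP = 36 * 24 * 60 * 60  # how long a host stays whitelisted

TEMPFAIL = "451 Temporary failure, please try again later."


@dataclass
class Greylist:
    grey: dict = field(default_factory=dict)   # (ip, mail_from, rcpt_to) -> first seen
    white: dict = field(default_factory=dict)  # ip -> expiry time

    def decide(self, ip: str, mail_from: str, rcpt_to: str,
               now: float) -> Tuple[str, Optional[str]]:
        """'accept': add the pf rule and hand this host to the real MTA.
        'tempfail': stall, answer with the 4xx and let a real MTA retry."""
        self._expire(now)
        if ip in self.white:
            return ("accept", None)
        key = (ip, mail_from, rcpt_to)
        first = self.grey.get(key)
        if first is None:
            self.grey[key] = now               # first contact: remember it, refuse
        elif now - first >= PASSTIME:
            del self.grey[key]                 # it came back: whitelist the whole host
            self.white[ip] = now + WHITEEXP
            return ("accept", None)
        return ("tempfail", TEMPFAIL)          # first time, or retried too soon

    def _expire(self, now: float) -> None:
        self.grey = {k: t for k, t in self.grey.items() if now - t < GREYEXP}
        self.white = {ip: e for ip, e in self.white.items() if e > now}


def scenario() -> dict:
    """Constructed traffic: a fire-and-forget spam source and a real MTA that retries."""
    g = Greylist()
    d = g.decide
    return {
        "spam_cannon": d("203.0.113.9", "x@spam.example", "me@example.org", 0)[0],
        "mta_first": d("198.51.100.7", "a@example.net", "me@example.org", 0)[0],
        "mta_too_soon": d("198.51.100.7", "a@example.net", "me@example.org", 5 * 60)[0],
        "mta_retry": d("198.51.100.7", "a@example.net", "me@example.org", 30 * 60)[0],
        # The whitelist is per host, so a different envelope from it passes straight through.
        "host_now_white": d("198.51.100.7", "b@example.net", "you@example.org", 31 * 60)[0],
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The deliverability concern the comment raises falls out of the code: a sender that does not retry, or retries from a different IP each time (large outbound farms do), never satisfies the `PASSTIME` check and its mail is lost, which is why the tuple and timer choices matter more than they look.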
Re:Oh please...
Well, the trend is toward more interconnectivity, not less. Companies are interconnecting process control systems networks with their intranet, albeit in very controlled fashion. Check out the preso on security testing SCADA and control networks from the recent CanSecWest conference, people doing security testing in these environments need to be *very careful*(tm)
http://www.cansecwest.com/slides06/csw06-byres.pdf
oops, did I crash your Solaris 2.6 server with my nmap -O ?
vs.
oops, did my nessus scan just cause an oil refinery to explode? uh...my bad. ;)
-
CanSecWest presentation slides online
Don't bother with the moronic article -- get the PowerPoint slides from the presentation at CanSecWest at http://cansecwest.com/slides06/csw06-duflot.ppt
-
Re:the sky is falling
The Cansecwest presentation is here.
-
The actual slides are online...
Seems like nobody was sharp enough to google, find the slides, and provide a link:
http://www.cansecwest.com/slides06/csw06-duflot.ppt
-
FUD? Judge for yourself.
There's a lot of drivel being written based upon what the article says. Unfortunately, the article is so poorly written that it's not possible to adequately judge what's being claimed.
So, here's a link to the actual PowerPoint presentation. Don't just click on it without reading the caveats below.
He has a sample exploit there on an OpenBSD system.
Here's the guy's bio from the talk:
Loïc Duflot
Security Issues related to Pentium System Management Mode
Loïc Duflot is a security engineer and researcher for the scientific division of the French Central Directorate for Information Systems Security in Paris. He is also a 2nd-year PhD student at Paris XI university. His research work is mostly focused on the security aspects of interactions between hardware components and software. He's also interested in innovative hardware attacks on cryptographic tokens and smartcards.
Note that the French have one of the best security agencies in the world. The main caveat is whether there's anything in the PPT presentation which can exploit your system. I wouldn't put it past the French whatsoever. So, you might be wise to view the presentation on a secure system of yours (preferably not an x86 one? :) ).
-
Re:Aren't you already screwed?
What a crock. At least the editors could have linked to the actual presentation (beware, it's a ppt). I was at CanSec West and this is not as scary as you would think. The exploit requires escalated privileges to begin with. The only thing it can currently be used for is bypassing secure levels inside of OpenBSD, where you already have root. Next time the editors could do a little research before posting, oh wait, this is slashdot. --m
-
Potential threat through USB/Firewire
USB and Firewire allow devices to peek/poke through (physical) memory at will. With the iPod, we have a device that:
1. Can be attached to a computer without being suspect
2. Can run Linux with programs of your choice
3. Has a built-in mass storage system
Any open USB/Firewire port is a potentially huge threat to your whole system's security. If you look here: http://www.cansecwest.com/resources.html, you'll find a pretty detailed presentation on using iPodLinux to hack a computer (kill an X Window screensaver, here) through firewire, and another less detailed one on other DMA-attack vectors (PCMCIA and USB, mostly, iirc). So while it looks like this attack only uses characteristics 1 and 3 of the iPod, the second one is where the money's at (and requires a much larger investment).
Fill those ports with cement!
-
yeah whatever, this is old, TECHNICAL DETAILS HERE
I saw a talk by a guy named David Maynor back in May. Here's the USB vulnerability presentation which includes the details of the vulnerability.
it's fairly similar to the firewire problem.
-
Re:Canada eh.
Is anyone aware of a hacker con taking place in Canada?
Yes, check out CanSec West: http://www.cansecwest.com/ Great con. Great speakers. Not much hype or BS.
-
Re:Canada eh.
Is anyone aware of a hacker con taking place in Canada?
Uhhhh, cansecwest?
-
Re:Canada eh.
CanSecWest has been running for a while in Vancouver http://www.cansecwest.com/
-
elucidation for redleg
Well, I'm glad to hear you're not quoting from a trade rag, journal or online posting. From that we can conclude that you simply don't understand what is being discussed yourself. The fact that you claim to be an active voting participant in IEEE 802.11 makes me wonder then why you appear to have this mental obstacle to distinguishing 802.11 "REQUIRE"ments from FCC regulations.
As you should know the FCC considers the spectrum used by 802.11 devices as UNLICENSED. I'm glad that 802.11 has some requirements so that vendors who make devices to that spec can interoperate, but that's a whole different ballgame. If I have my 802.11a/b/g card running and get stomped on because of a cordless phone, or a microwave, the FCC doesn't care - it's unlicensed. Moreover, they like this, and look to promote it: "While our rules have been successful in encouraging innovation, we need to review them to eliminate unnecessary impediments to new technology." (that's a quote from this FCC presentation: FCCpowerpoint). In other words, if there are any other boundaries people are coming across in the unlicensed spectrum, they want to remove any regulations so that more innovation can occur.
As a counter point of where the FCC does incur its wrath, one need not look far (though this is diverging from the discussion about vendors licensing firmware binaries, you seem really confused, so I'll make this excruciatingly pablumized). Licensed spectrum is a whole different ball of wax, the FCC went and raided a local pirate radio station in Santa Cruz with a bunch of federal agents not too long ago, who were operating a LPFM station (37W for what it's worth, paltry compared to my 300W microwave oven, or even lightbulb usage). RAIDED. Armed, dragging hippies out of bed at GUNPOINT because they were running an FM radio station. Guess what is never going to happen in the unlicensed spectrum (802.11 space) because some hippie is using it? Ok, I'll let you answer that yourself, but while Atheros, TI, Intel, whomever might have a hissy fit, it won't be the FCC. I can understand why people in IEEE 802.11, and the chipset vendors might want things closed up so that people don't go making non-compliant devices, or firing 802.11 framing over different wavelengths. That would make things like spendy frequency convertors harder to sell, and if you had a bunch of easily made 802.11 jammers written in software, just think of the pain in the ass that would be (e.g. Mike Shiffman's unreleased, but demo'd at core02 "omerta" tool developed with libradiate. Oh, btw - Mike didn't need any funky firmware hacking to write omerta, it turns out there are many easier ways to break 802.11 without resorting to mucking with individual vendor hardware implementations, who would have thought? Oh, real security experts two years ago.
You need to stop deceiving yourself or maybe you need to stop believing other supposed experts' lies. There's no SDR, firmware binary, or driver HAL binary that could be tweaked to a level of hardware that the FCC might really be concerned about when it comes to unlicensed spectrum.
This smart AC also explains things well, and doesn't seem confused about differences between FCC regulations and IEEE committee protocol requirements or vendor agendas as you do. Perhaps you need to get out more.
-
Re:He plans to show the exploit this Thursday!
He then predicts "hackers will understand how to begin launching attacks 'within five minutes of walking out of that meeting.'"
That meeting will cost a bleeding-edge hacker CAN$1800+. (Unless their social-engineering skills are up to the challenge of scamming free registration at a security conference...)
-
Re:He plans to show the exploit this Thursday!
The article talks about how the government has been "fortifying" its networks against this, does that means they quickly rewrote the tcp protocol?
Nothing so drastic. Go back to the article and reread it, especially the "Mitigation" section. You will find:
- It mainly affects the Border Gateway Protocol (BGP) that occurs at a high level in the net. Few computers are involved.
- The issue was first publicized about a month ago at CanSecWest, so those in the know have had a month to work on this.
- The steps to mitigate the problem are a matter of tweaking settings (like window size) or setting up protocols (like encryption). This is not a matter of rewriting the entire protocol.
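An added example (mine, not from the article or the CanSecWest talk) of why "tweaking settings (like window size)" is a mitigation rather than a protocol rewrite: a blind RST is accepted if its sequence number lands anywhere inside the receiver's window, so an attacker who knows the four-tuple only has to step through the 2^32 sequence space in window-sized strides, and the number of forged segments needed is 2^32 divided by the window (times however many source ports they must try). The receiver state and window sizes below are constructed.

```python
# Added example: the in-window RST acceptance test and what shrinking the window does to it.
SEQ_SPACE = 1 << 32


def in_window(seq: int, rcv_nxt: int, wnd: int) -> bool:
    """RFC 793 acceptability test for an arriving segment's sequence number:
    rcv_nxt <= seq < rcv_nxt + wnd, evaluated modulo 2**32 because sequence
    numbers wrap. A RST passing this test tears the connection down."""
    return (seq - rcv_nxt) % SEQ_SPACE < wnd


def rst_guesses_needed(wnd: int, candidate_ports: int = 1) -> int:
    """Upper bound on forged RSTs when stepping seq by the window size,
    multiplied by how many source ports the attacker has to try. For a BGP
    session the destination port (179) and both addresses are known, so the
    ephemeral source port is the only other unknown."""
    return -(-SEQ_SPACE // wnd) * candidate_ports


def blind_reset(rcv_nxt: int, wnd: int, start: int = 0) -> int:
    """Simulate the attacker's loop against one (known) four-tuple: step the
    sequence number by wnd from `start` until one lands in the window.
    Returns how many RST segments that took."""
    sent, seq = 0, start
    while True:
        sent += 1
        if in_window(seq, rcv_nxt, wnd):
            return sent
        seq = (seq + wnd) % SEQ_SPACE
        if sent > rst_guesses_needed(wnd):
            raise RuntimeError("stride of one window must hit within 2**32/wnd tries")


if __name__ == "__main__":
    # Constructed receiver state: rcv_nxt somewhere in the middle of the space.
    rcv_nxt = 1 << 31
    for wnd in (65536, 16384, 1024):
        print(f"window {wnd:6d}: at most {rst_guesses_needed(wnd):8d} RSTs, "
              f"this run needed {blind_reset(rcv_nxt, wnd)}")
```

Halving the window doubles the attacker's work, which is why it is a tuning knob rather than a fix; the "encryption" the comment mentions is, for BGP, the TCP MD5 signature option, which rejects a forged segment outright because the attacker cannot compute the signature, regardless of where its sequence number lands.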
-
I'd much rather go to CanSecWest
This is just after CanSecWest in Vancouver. I'd much rather see these speakers http://www.cansecwest.com/speakers.html Than some lame ass art
-
CanSecWest
What could be more affordable for Americans than a security con in Canada? Not only is the beer better, but it consistently has top quality presentations
-
CanSecWest
CanSecWest is a great conference in Vancouver every year. It's cheaper than Blackhat or SANS, has much more technical content, and if you're coming from the US the difference in currency makes all the incidentals (hotel, food, etc) much cheaper.