Saturday, September 18, 2010

Security B-Sides Atlanta - October 8th

Security B-Sides Atlanta is kicking off their first annual unconference on October 8th at the Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, Ga (The Earthlink Bldg). Information Security experts from all over the SouthEast will be giving speeches on a variety of topics including Incident Response, Enterprise Data Security, Dynamic Web Applications, DOCSIS, Cloud Security, and Malware. Also, we have some entertaining activities related to the security community such as a Career First-Aid Booth, Lockpicking Village, and a Welcome Reception.

Thursday Oct. 7th, all participants are invited to come to a Welcome Reception at Halo Lounge (817 W. Peachtree St. NW Atlanta, GA 30308) from 7-10pm. Drinks and food provided courtesy of our sponsors. (Please RSVP. Halo is 21+.)

Friday Oct. 8th, we've got great speakers on 3 tracks giving out the latest information on a variety of Information Security topics. We start off the day at 9am with a free class on wireless penetration testing taught by Dave Maynor of Errata Security. (Only a few seats left in this class. To register, email marisa at erratasec.com.) Then at 9:30am speeches begin with a keynote from longtime B-Sides supporter Jack Daniel. The heavy speaking lineup follows at 10:00am with speeches by Dave Shackelford, Chris Nickerson, Rob Ragan, Martin Fisher, Gal Shpantzer, Dave Kennedy, Mike Rothman, and too many more to name. This crowd is INTERACTIVE, so be prepared to get into some deep discussions with both the speakers and participants alike. Some of these talks are Restricted (meaning they won't be recorded) so be there in person or miss out! Lunch will be provided, and a cocktail reception closes out the conference at 5:45pm at the Bsides location.

For the latest details, please refer to our website at http://www.securitybsides.com/BSidesAtlanta

Hope to see you there! Thanks to our sponsors:


Free (as in beer) wireless pentesting class

As a contribution to the incredibly awesome Security B-Sides unconference in Atlanta, the gang at Errata Security has put together a free training class based on our techniques for completing a professional wireless penetration test. We'll be going over the 5 basic areas of the "gold standard" wireless security assessment, as we do from time to time for a living.

To see what prerequisite knowledge is required to participate, and to register for the class (only a few spots left!), please

Thursday, September 16, 2010

Adobe misses low hanging fruit in Reader

One of the most common features of "secure development" is the ability to avoid functions that are known to be dangerous, functions which have caused major vulnerabilities (such as Internet worms) in the past. These are functions developed in the 1970s, before their risks were understood. Now that we have suffered from these functions and understand the risks, we have come up with safer alternatives. Using these alternatives is cheap and easy, and they can save a development house endless embarrassment and remediation time. More importantly, while verifying that your code is "secure" is an essentially impossible task, verifying that your code contains no banned functions is easy. We call this the "low hanging fruit" of secure development.

One such bad function is "strcat." It copies data from one area of memory into another. However, it does not check that the target memory is big enough. Strcat continues copying beyond the bounds of the target memory, overwriting other parts of memory. Hackers can manipulate the overwritten areas in just the right way to break into the machine. With 48,000 hits on Google for strcat vulnerabilities, some dating back more than a decade, this is a well known potential security issue.
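As an added illustration of the strcat problem described above (example code written for this page, not code from the post, from LookingGlass, or from Adobe Reader): the unchecked call is shown beside a bounded replacement that refuses any input that would not fit, so the caller can reject bad data instead of overwriting neighbouring memory. The 16-byte buffer and the font-name strings are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The pattern the post warns about: strcat copies until it reaches src's
 * terminating NUL and never looks at how big dst is. Whether this overflows
 * depends entirely on the caller; nothing in the code enforces the limit.
 * Shown for contrast only; the example below never calls it with input
 * that would overflow. */
void unchecked_concat(char *dst, const char *src)
{
    strcat(dst, src);
}

/* Bounded replacement: appends src to dst only if the result, including the
 * terminating NUL, fits within dst_size bytes. On failure dst is left
 * unchanged and false is returned. */
bool safe_append(char *dst, size_t dst_size, const char *src)
{
    size_t used = 0;
    while (used < dst_size && dst[used] != '\0')   /* length of dst, bounded */
        used++;
    if (used == dst_size)              /* dst is not NUL-terminated: refuse */
        return false;
    size_t need = strlen(src);
    if (need >= dst_size - used)       /* src plus its NUL would not fit */
        return false;
    memcpy(dst + used, src, need + 1); /* copy including the NUL */
    return true;
}

/* Builds "<family>-<style>" into a 16-byte buffer with the bounded append.
 * Returns 0 on success, -1 if any piece would overflow the buffer
 * (constructed buffer size and inputs, for illustration only). */
int build_font_name(char out[16], const char *family, const char *style)
{
    out[0] = '\0';
    if (!safe_append(out, 16, family)) return -1;
    if (!safe_append(out, 16, "-"))    return -1;
    if (!safe_append(out, 16, style))  return -1;
    return 0;
}

int main(void)
{
    char name[16];
    /* "Times-Bold" is 10 characters plus NUL: fits */
    printf("%d %s\n", build_font_name(name, "Times", "Bold"), name);
    /* 27 characters plus NUL: the bounded version refuses instead of overflowing */
    printf("%d\n", build_font_name(name, "AGaramondPro", "SemiboldItalic"));
    return 0;
}
```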

The most recent exploit in Adobe Reader, the "SING Table Parsing Vulnerability" (CVE-2010-2883) contains exactly this function. First found exploited in the wild by Mila Parkour, this vulnerability has seen weeks of front page coverage. Metasploit's Joshua Drake did a great writeup of the exploit, here. Chester Wisniewski of Sophos posted a video that clearly demonstrates what the attack looks like, here. While this particular version of the exploit does use javascript, disabling javascript will not fix the problem (unlike the fix for the recent Adobe Reader Flash attack.)

So why doesn't Adobe fix its low hanging fruit? Why does it continue to use these toxic functions? It's strange: hardware vendors are removing hazardous substances (RoHS) from devices, but software vendors aren't being similarly diligent about cleaning up hazardous functions from old code. Errata Security provides a free tool known as "LookingGlass" that helps people see if their software is using these toxic functions. We ran it on Adobe Reader and found extensive use of these toxic functions back in 2008. LookingGlass can easily tell you if your software has these toxic functions, and lets you quickly see what danger you are exposing yourself to. As of today, the danger from Adobe's software is still quite high.

Monday, September 06, 2010

Apple's secret "wispr" request

When an Apple iOS device (iPhone, iPad, iPod) connects to a WiFi network, the first thing it does is make a request to the URL http://www.apple.com/library/test/success.html. Some people on Twitter (like Adam Shostack) were commenting on this. I thought I'd explain what I've found out about it.

Thursday, September 02, 2010

A False Sense of Security

This article describing Hurricane Earl shows a woman putting a pattern of duct tape on the window. Does this duct tape really help?

No, of course not. Duct tape does nothing to stop the glass from shattering, and does almost nothing to stop fragments flying around.

What it does give people is a false sense of security. For whatever reason, they’ve decided not to buy hurricane shutters (even though they live in a hurricane zone) and not board up their windows with plywood. But they can’t just do nothing, so they resort to sympathetic magic like taping up windows. At least they are putting something on their windows.

Such ignorance is not just useless, but in some cases, can be harmful. Some people believe they should leave their windows open a crack during a hurricane, in order to equalize pressure. The opposite is true: this makes it more likely that the hurricane will pop your roof off. The reason is that wind traveling over your roof creates low pressure above, and wind entering your house creates high pressure inside. This lifts your roof off, in precisely the same manner it lifts an airplane wing when flying.

There are obvious analogies with cybersecurity. People do things, like install anti-virus, firewalls, or WEP, because "doing something" makes them feel good. But they haven't thought through the cause and effect of whether doing such things actually works.