DEF CON 18 – Getting Social with the Smart Grid Slides Posted

Posted in Conferences, DEFCON, Smart Grid on August 10, 2010 by Tony Flick

My co-presenter, Justin Morehouse, just posted our slides here on SlideShare. I hope to have the iNergy code posted to Google Code later this week. Enjoy and feedback is always appreciated!

Getting Social with the Smart Grid @ DEF CON 18

Posted in Conferences, DEFCON, Smart Grid on July 6, 2010 by Matthew Flick

Tony will be co-presenting “Getting Social with the Smart Grid” at this year’s DEF CON in Las Vegas.

Littered with endless threats and vulnerabilities surrounding both social networking and the Smart Grid, the marriage of these two technologies is official, despite protests by the security community. Consumers love it because they can brag to their friends about how green they are. Businesses love it more because it provides fresh material for their marketing departments. Hackers love it the most because it opens up attack vectors, both new and old.

During this presentation we dissect readily available social Smart Devices, examining where they get things right, and where they fail. We expand on the failures, discussing and demonstrating attacks against consumers (think PleaseRobMe.com), the Smart Devices themselves, and the social networking sites they communicate with. We want consumers, device manufacturers, and social networking sites to understand how to get social with the Smart Grid securely, and prevent social networking privacy from becoming even more complex. The tools we release during this presentation will allow consumers to review their Smart Devices’ social footprint, and provide device manufacturers with recommendations that can be implemented immediately. Attendees will leave our presentation armed with a deep understanding of the strengths and weaknesses of social Smart Devices, how to attack their current weaknesses and leverage their current strengths, and how to use our tools to further research how we all can better secure the social side of the Smart Grid.

Tony’s slated for the last speaking slot on Sunday, so for those of you who will be sticking around, make sure you drop by.

We’re Doing It Wrong

Posted in Application Security, Events, Security Awareness on May 12, 2010 by Matthew Flick

As an industry, we have failed. Miserably. Web application security professionals–yes, including myself–have implemented a broken methodology and graduated from failing to properly identify the problem to failing to present an effective solution. The network security methodology of (1) scan for vulnerabilities, then (2) apply a security patch simply does not work for the custom web application environment. This statement may seem obvious, but it’s exactly what the industry has tried to do.

Our first failure was in identifying the problem. Early warning professionals considered web application vulnerabilities similar to those of other applications, and that they could be identified with vulnerability scanning tools and then remediated with a patch (albeit a custom patch). They were at least partially correct in theory; the problem was in the practice. This failure led to the development of web application vulnerability scanning products as the basis of the web application security industry.

We finally realized that the root cause of the problem was related to application development. More specifically, the security of an application is in the hands of its developers. And what was our solution to this problem? Inject security people into the development process. We trained developers how to break their applications. We tested pre-alpha code that will be significantly changed another dozen times. And some people did threat modeling, which I still have not found to produce useful results.

Security comes down to control. For application security, this means who is in control of the functionality and data available within the application. This is why it is necessary that current and future application developers and computer security professionals learn the foundation of how to build secure applications from the start. To promote this effort, we are offering a discounted AppTrust Developer Training course at Virginia Tech this summer to ensure that the next generation doesn’t fall into the trap of doing it wrong and starts off doing it right.

To learn more visit the event site.

GuestStealer Wrapup

Posted in Cloud Computing, GuestStealer, Penetration Testing, ShmooCon, Virtualization Security, VMware, Vulnerability Assessment on March 1, 2010 by Tony Flick

In addition to the previously mentioned Nmap script, GuestStealer has now made its way into a Nessus plugin and a Metasploit module. Nessus Plugin 44646 was released by Tenable a few weeks ago and the Metasploit module was pushed up to the trunk last week.

GuestStealer has been mentioned in several articles and blog posts recently, including DarkReading – Tech Insight: Securing The Virtualized Server Environment and The Hacker News Network. While most have been accurate, several early blogs stated that GuestStealer used a cross-site scripting attack to steal the guests. So to clarify and avoid any confusion, GuestStealer exploits the directory traversal vulnerability described in CVE-2009-3733, not cross-site scripting. For further information, check out the presentation slides or presentation video.

GuestStealer 1.1 and PaulDotCom Webcast

Posted in Cloud Computing, Conferences, GuestStealer, ShmooCon, Virtualization Security, VMware, Vulnerability Assessment on February 18, 2010 by Tony Flick

Justin and I will be on the PaulDotCom podcast tonight to discuss the latest developments with GuestStealer and the Smart Grid book. For more information, check out tonight’s episode guide and join the live discussion tonight.

Also, GuestStealer v1.1 is now available for download. This is a bug fix release that improves error handling and prevents the same vmdk file from being downloaded twice (the case where a vmdk descriptor references itself). Thanks to the efforts by Ron at Skull Security, the new version is available on the tools page.
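The self-referencing vmdk case mentioned above is a cycle-detection problem: a descriptor file names its extents and, for snapshots, a parent descriptor, and a walk that queues every referenced name without remembering what it has already handled will fetch the same file again and again. The following Python is an added illustration of that walk with a visited set; it is not GuestStealer's code and is not tied to any VMware interface. The descriptor texts and file names (`vm.vmdk`, `vm-000001.vmdk`, `loop.vmdk`) are constructed for the example, and the in-memory `DESCRIPTORS` table stands in for whatever fetch function a real acquisition or backup script would use. The same logic applies to any descriptor chain walk, including forensic acquisition of a snapshot tree.

```python
"""Walk a VMDK descriptor chain exactly once per file, even when a
descriptor names itself as its own parent.  Added example, not
GuestStealer's own code; all descriptors below are constructed."""
import re
from typing import Dict, List, Set

# Constructed descriptors keyed by file name.  "loop.vmdk" lists itself
# in parentFileNameHint, which is the edge case the 1.1 fix addresses.
DESCRIPTORS: Dict[str, str] = {
    "vm-000001.vmdk": (
        "# Disk DescriptorFile\n"
        "version=1\n"
        "CID=a1b2c3d4\n"
        "parentCID=11223344\n"
        "createType=\"vmfsSparse\"\n"
        "parentFileNameHint=\"vm.vmdk\"\n"
        "# Extent description\n"
        "RW 8388608 VMFSSPARSE \"vm-000001-delta.vmdk\"\n"
    ),
    "vm.vmdk": (
        "# Disk DescriptorFile\n"
        "version=1\n"
        "CID=11223344\n"
        "parentCID=ffffffff\n"
        "createType=\"vmfs\"\n"
        "# Extent description\n"
        "RW 8388608 VMFS \"vm-flat.vmdk\"\n"
    ),
    "loop.vmdk": (
        "# Disk DescriptorFile\n"
        "version=1\n"
        "CID=deadbeef\n"
        "parentCID=deadbeef\n"
        "createType=\"vmfsSparse\"\n"
        "parentFileNameHint=\"loop.vmdk\"\n"
        "RW 4096 VMFSSPARSE \"loop-delta.vmdk\"\n"
    ),
}

# Extent lines look like:  RW <sectors> <type> "<file>"
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+\d+\s+\S+\s+"([^"]+)"', re.M)
# Snapshot descriptors name their parent descriptor here.
PARENT_RE = re.compile(r'^parentFileNameHint="([^"]+)"', re.M)


def referenced_files(descriptor: str) -> List[str]:
    """Return the files a descriptor points at: its extents, then its parent."""
    files = [m.group(2) for m in EXTENT_RE.finditer(descriptor)]
    parent = PARENT_RE.search(descriptor)
    if parent:
        files.append(parent.group(1))
    return files


def collect_chain(start: str, fetch=DESCRIPTORS.get) -> List[str]:
    """Breadth-first walk from `start`; every file name appears exactly once.

    `seen` is consulted before a name is queued and again when it is
    dequeued, so a descriptor that names itself (or two that name each
    other) can never be fetched a second time.
    """
    seen: Set[str] = set()
    order: List[str] = []
    queue = [start]
    while queue:
        name = queue.pop(0)
        if name in seen:
            continue
        seen.add(name)
        order.append(name)
        body = fetch(name)
        if body is None:  # flat/delta extents carry no descriptor text
            continue
        for ref in referenced_files(body):
            if ref not in seen:
                queue.append(ref)
    return order


if __name__ == "__main__":
    print(collect_chain("vm-000001.vmdk"))
    print(collect_chain("loop.vmdk"))
```

Swap `fetch` for a function that actually reads descriptor files and the walk stays the same; the visited set is what keeps a malformed or self-referencing descriptor from turning the walk into an endless sequence of identical downloads.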

ShmooCon 2010 Stealing Guests… Slides Online

Posted in Conferences, ShmooCon, Virtualization Security, VMware on February 10, 2010 by Tony Flick

Luckily I was able to escape Washington DC’s 3rd round of snow to enjoy the tropical 40 degree weather here in Tampa today and write this post. Despite the blizzard and its many names, the ShmooCon faithful came out in full force to make another great conference. As usual, ShmooCon featured interesting presentations, shenanigans, and a chance to hang out with those friends you usually only see at Cons.

I want to thank everyone who attended the Stealing Guests…The VMware Way talk, especially since no one threw shmooballs at us. For those of you who haven’t done so yet, head on over to the Tools section of the Web site to grab GuestStealer and try it out yourself. Also, Ron over at Skull Security created an Nmap script to identify vulnerable VMware systems. Visit his blog to download the script and view instructions for installing the script.

For those of you who were unable to attend the talk…or find a video, here are the slides.

I would also like to thank everyone who came up to the FYRM booth and talked to Matt and me. The security bug killing/reaction time testing flash game appeared to be a big hit, drawing many contestants…some more determined than others. For those of you who didn’t win this time, check back often to find out details for round 2!

Stealing Guests…For a Free Hard Drive

Posted in Conferences, Events, ShmooCon on February 2, 2010 by Tony Flick

During the Stealing Guests…The VMware Way presentation at ShmooCon this weekend, FYRM will be holding a contest to give away an external hard drive. The first person to exploit the discussed vulnerability on the target virtual machine and yell out the hidden phrase will win the hard drive.

In the presentation, a Perl script will be released to easily exploit the vulnerability. The to-be-released tool runs on Mac OS X (with MacPorts) and most Linux distros. Currently, the tool requires the following Perl dependencies:

  • LWP::Simple
  • XML::Simple
  • Data::Dumper
  • Crypt::SSLeay

Bring your laptops and netbooks to the presentation to try the tool and win the hard drive. Check back often for any updates.

XAB Presentation @ USF Whitehatters Club

Posted in Application Security, Events on January 27, 2010 by Tony Flick

Matt and I will be giving a presentation on XAB (Cross Site Scripting Anonymous Browser) at the University of South Florida’s Whitehatters Computer Security Club’s next meeting on January 29th at 5:00PM. If you are a student at USF interested in learning about computer security, I highly encourage you to get involved with the club. See you there!

Security Awareness for Fourth Graders

Posted in Events, Security Awareness on January 24, 2010 by Tony Flick

Back in November, I had the opportunity to take part in the Great American Teach In. This event takes place at schools around the Tampa, FL area and invites local volunteers to come into the classrooms to teach kids about their job. The objective is to familiarize kids with differing careers and hopefully get them excited so that they do well in school. For my experience, I spoke to a group of 4th graders regarding online safety and security. I figured a lesson in online safety would be more beneficial than teaching them the latest social engineering techniques or how to execute a cross-site scripting attack that pops up an alert box with their friend’s name in it. I can only imagine what would happen with the kids going home and telling their parents that Mr. Flick taught them the best way to break into data centers. For full-disclosure purposes, my hidden agenda in this blog entry is to convince you to volunteer next year and potentially provide some tips if you do volunteer. While this event was in the Tampa, FL area, most schools have a similar type of event.

I tried to keep the PowerPoint slides to a minimum and cover only relevant topics for fourth graders like cyber-bullying, acceptable/appropriate use, adult supervision, not believing everything that you read online, protecting their sensitive information, not meeting people that you met online…and of course answering tons of questions from the kids. Considering most adults consider presentations to be a Death-by-PowerPoint event, fourth graders probably won’t be too excited to look at slides either.

I was completely surprised at how much the class was a microcosm of a company/organization. While there were too many examples to list, I would like to go over a few. First, how many of you have used food to bribe people into attending your meetings or security awareness classes? This is usually a pretty common technique and I took full advantage of it. Now, I of course didn’t have to worry about attendance, since it was school, but it came in handy for other reasons. Before I dove into the extensive 7-slide PowerPoint presentation, I asked the class if they had any questions. No one raised their hand, so I informed them that anyone who asks a question would get a piece of candy. In a strange coincidence, every single student immediately raised their hand to ask questions.

The potential to get candy got most of them to pay attention, but shockingly not every student gave me their complete attention. Apparently, gossip and trying to get me to tell them how to hack their friends’ computers were more important to fourth graders. Just like water-cooler gossip at a company, some of the kids were more interested in whether I was dating the teacher than in my comments on cyber-bullying. If any of the students who were whispering about it do happen by this blog post, yes I did hear you and no I am still not confirming or denying it.

While some of the questions I received were fairly predictable (ex: is it safe to put pictures of my dog online?), some took me by surprise. I don’t have any kids, so I wasn’t exactly sure how to answer questions like “how do you use Club Penguin safely”, since I had no clue what Club Penguin was. Thankfully, one of the teachers informed me it was basically a kid’s chat room, so I was able to answer it. The kids did ask several serious questions though, including:

• If someone is cyber-bullying me, I should tell an adult, but what do I do if a family member is cyber-bullying me?
• If someone I don’t know tries to talk to me in Club Penguin, what should I do? At what point should I call the police?
• If I go to an inappropriate Web site on my parent’s work laptop, will they get in trouble?
• Will a firewall protect me from the bad Web sites?

The last question is particularly interesting considering it is very similar to a question I get asked all the time: “does a firewall mitigate web application attacks?” So in my effort to convince you to volunteer your time, here is a list of some of the benefits of doing so:

• Good way to get rid of your excess Halloween candy
• The hand-drawn thank you cards from the students will be very entertaining
• Great reminder that your job makes a huge impact

All in all, I had a lot of fun talking to the class. Most importantly though, I was able to help the kids understand how to deal with the dangerous situations they face when they go online. While it would obviously be preferable that they never have to face those dangerous situations, it is most likely inevitable. Which is why I highly encourage you to get involved and volunteer your time as a security expert.

ShmooCon 2010 Sponsor

Posted in Conferences on January 24, 2010 by Tony Flick

ShmooCon 2010 will be taking place in a few weeks and I am excited to make the annual trek up to D.C. to co-present the “Stealing Guests… The VMware Way” talk. I am also pretty excited about the activities and contest setup at our booth. Make sure you stop by before you start drinking.
