Louisville Metro Infosec 2009

A Small Conference with a Big Presence

Last week I attended the Louisville Metro Infosec conference that was held at Churchill Downs in Louisville, Kentucky. The sold out event hosted 375 people and 28 sponsors. Although this was a small local event, it had the feel and energy of a much larger conference.

Louisville is the home of the "Louisville Slugger" factory where they still provide the bats for major league baseball players.

Bob is Evil

There were several great presentations and everyone spoke highly of each talk they attended. My presentation was titled "Bob's Great Adventure: Attacking and Defending Web Applications". The presentation was in two parts: the first part on attacking web applications and the second covering how to defend them. The entire presentation is wrapped into a story about an "evil hacker" named Bob who plans to break into a web site defended by Alice. There are several reasons the presentation was wrapped into a story. In addition to entertainment value, it allowed me to underscore some very important points. First, most attackers do not show the same care as a professional penetration tester. Attackers will not operate within a maintenance window, think twice about destructive behavior and will go to great lengths to accomplish their goals without consideration of consequences. An attacker will not care about taking out an ISP that is in the way of the target. The other important point about attackers is that the tools they use may not be public. This sometimes frustrates the audience when I talk about a tool that is not in public circulation. However, we cannot be "one dimensional" about defense. Our networks and systems need to have a defensive program that protects against both known and unknown threats. We will not always have the luxury of being able to use the attacker's weapons, see how they work and develop protections.

Additionally, the story allows me to tell both sides of web application security and cover not just the attacks, but the defenses as well. After giving this talk twice, I have found that it accomplishes the goal of scaring people, while at the same time giving them ideas for implementing practical defenses. For example, after I gave the presentation, we had a great discussion that covered how to prevent MySQL users from being able to write files to the file system.

As with all of my materials, I try to give people something they can take back to the office and put to use that helps them do their jobs. Below are some of the highlights from my presentation:

• There are methods for fingerprinting and bypassing web application firewalls available to attackers
• When attacking virtual hosting environments, an attacker will not think twice about breaking into a site hosted alongside your site to gain access to your data
• You can chain multiple web proxies together to collect more results and better formulate attacks (e.g., chaining WebScarab through Ratproxy)
• SQL injection vulnerabilities not only give an attacker access to your data, but can be used to gain remote command execution
• Defenders need to collect, analyze and monitor logs then take action accordingly
• Patch “less critical” vulnerabilities such as local privilege escalation
• Use perimeter devices properly and block outgoing traffic to make an attacker's life more difficult while better protecting resources
• Harden your systems using industry standard guidelines, such as the CIS Benchmarks

More Capture The Flag

Adrian "Irongeek" Crenshaw, known primarily for his useful information security web site www.irongeek.com, ran a CTF at the event. The game was focused primarily on attack, challenging players to obtain an encryption file (filled with mock medical information) and decrypt it to view the contents. The game was won in the late morning by some creative hackers who were at first puzzled as to how to obtain the password. It turns out there was a webcam attached to one of the machines that needed to be rotated slightly. Once aimed at the computer screen of a mock desktop computer, there was a sticky note that contained the password. This was a fun event where players could sharpen their skills.

The Internet is Evil

While all of the presentations got rave reviews, one of the keynote speeches was particularly interesting. John Strand gave a keynote speech titled "The Internet is Evil". Most of us know that the Internet is evil, but John wants us to do something about it. He challenges us to think differently about defense, question how much, if any, Internet access your users should have. He also brings up a good point about the perceptions of users. Many believe that the average user is not knowledgeable about computers, when in reality they are using anonymizing proxies to bypass corporate web filtering. John then went on to identify two areas of "security" that need improvement. I put "security" in quotes, because it's a false sense of security that the following provide:

• Anti-virus - John points out a new service that allows you to upload your binary and have it encoded by several different programs, then review a report of which Anti-virus engines caught it, and which ones did not. You can find more information on the PolyPack web site.
• SSL - SSLStrip is a tool that tricks the user into running a connection over HTTP instead of HTTPS. You can watch a video demonstration of this tool in action to get a better idea how it works. John then goes on to show how this could be combined with attacks against BGP to intercept traffic without having to be on the same subnet as your victims.

John then went on to cover defensive techniques that work, such as using firewalls not only to restrict outgoing access, but also to enable the built-in firewall on all of your hosts (especially desktops). The other interesting idea he presented was to treat your user desktop subnets as hostile. I know this may sound like a radical idea, but if the users are accessing the Internet and exposing their systems to malicious code, it's best to treat them as if they are already infected with malware. I've used this tactic when developing security strategies for universities and it works quite well.

Conclusion

The Louisville Metro Infosec conference was an informative and fun environment to meet people and talk about information security. Everyone was very welcoming, friendly and eager to discuss all things related to information security, from the latest attacks, to the latest defensive strategies.