Wednesday, October 08, 2008

what i did on my sector vacation

well, today was the second/last day of sector '08 and now that it's over i figure i might as well write about my experience there... i don't do a lot of these sorts of posts primarily because i don't go to a lot of security conferences (the only other one i've been to was rsa '02) but since i'd heard good things about the last sector and since it is practically in my back yard (well, ok, it's approximately 1.5 hours away on public transit) i didn't feel all that guilty about broaching the subject with the higher-ups at work (the smaller price tag helps too)... it came at a pretty hectic time for me at work, but thankfully i was still able to attend...

the opening keynote of the first day was with the royal canadian mounted police; it was pretty dry - unless you're a fan of alphabet soup, there were a lot of acronyms that i had never heard before and i'm sure i'll never hear again...

the first talk i went to after that was kevvie (kevvie?) fowler's sql rootkits and encryption presentation... this was an excellent talk if for no other reason than it gave me information i can put to direct use when i get to work tomorrow (awesome - instant value for my employers in the first session of the first day)... it was also pretty good at not misusing the term rootkit as so many others are wont to do these days...

the lunch panel was unfortunately not all that memorable for me... maybe i was too busy eating or maybe the people talking just had too short a period in which to make a lasting impression, i dunno... maybe i'm just not a panel person...

the second talk i attended was jay beale's middler presentation... once again possible value for my employer, at least possibly... it's an unsettling realization that there's now an automated tool that can affect confidentiality, availability, and integrity of web data (by virtue of allowing an attacker to read, withhold, or even modify your data) basically if any part of your session happens outside of ssl...
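the weakness that paragraph points at is easy to check for on your own site: a session cookie without the Secure attribute is sent on any plain-http request to the same host, and without HSTS the browser can be started on http:// in the first place... here's an added example (mine, not the post's and not the middler tool) that audits a set of response headers for exactly that; the header values are constructed, not captured from any real server:

```python
# Added example, not from the original post: audit response headers for the
# mixed-http/https session weakness. Sample data below is constructed.


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=val' into the cookie name and a dict of
    lower-cased attribute names (attribute values kept where present)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header_value: str) -> list[str]:
    """Findings for one Set-Cookie header value. Missing Secure is the one
    that matters for the session-outside-ssl problem: a single http:// image,
    link or redirect is enough to make the browser send the cookie in clear."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (will be sent over plain http)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by page script)")
    if "samesite" not in attrs:
        findings.append(f"{name}: missing SameSite (sent on cross-site requests)")
    return findings


def audit_response(headers) -> dict:
    """Audit a list of (header-name, value) pairs as a server returned them.
    Returns per-cookie findings plus whether Strict-Transport-Security was
    present; HSTS is what stops the browser from ever starting over http."""
    report = {"cookies": {}, "hsts": False}
    for key, value in headers:
        key = key.lower()
        if key == "set-cookie":
            name, _ = parse_set_cookie(value)
            report["cookies"][name] = audit_set_cookie(value)
        elif key == "strict-transport-security":
            report["hsts"] = True
    return report


# Constructed sample response headers (hypothetical site, not a real capture).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=deadbeef1234; Path=/"),
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    result = audit_response(SAMPLE_HEADERS)
    for cookie_findings in result["cookies"].values():
        for finding in cookie_findings:
            print(finding)
    if not result["hsts"]:
        print("no Strict-Transport-Security header: http:// requests are not upgraded")
```

run against the sample, it flags the sessionid cookie three times and the site once for the missing hsts header, while the pref cookie passes clean.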

next up for me was bruce potter's presentation on novel malware detection... now i admit this one was for me and not my employers - the first two sessions were the only ones i could find that looked like they might touch anything relating to work so from here out it's purely for my own interest... bruce was a very entertaining speaker, however he got on a bit of an anti-av rant that wasn't really part of his presentation (that dealt more with detecting anomalous network activity by analyzing logs)... i just rolled my eyes at the rant - i considered saying something, but since 'the hoff' was just across the aisle and 1 row back i felt certain it would have resulted in a smack upside the head and instructions to stop being such a jerk... ok, not really, but an in-person presentation is a very different forum from the online kind (where perhaps i'm known for being a jerk) in a number of ways, not the least of which being time constraints, and i had no desire to sabotage the presentation (though as for that the length of the rant did that slightly anyways since bruce wound up running out of time)...

the final talk i attended the first day was matt sergeant's presentation on tracking current and future botnets... there were a fair number of interesting details about current and past botnets, about their sizes and how those metrics were generated, about characteristics unique to the emails sent by each, etc., but matt (like bruce potter before) got a little anti-av saying they needed a kick in the butt about detecting those emails... my knee-jerk reaction (all internal because i didn't want to sabotage this talk either) was that av is in the business of detecting malicious code not emails generated by malicious code, but as i let that stew for a while i realized 2 things... the first was that that was remarkably like something i said back in the mid-to-late 90's about av software not detecting trojans... not that i thought they shouldn't detect trojans, but just that it was a defensible position to take - obviously detecting trojans was better than not doing so and i'm glad they started but there was a time when anti-virus software was literally just anti-virus... now that it's morphed into anti-malware it's once again defensible to say that detecting something that isn't malware (and emails aren't) is outside av's scope but (and this is the second thing i realized) the users would be better served and better protected if av did detect these things - it would serve as a negative control on a botnet's ability to acquire new nodes (at least until the bot designer changes the smtp footprint/fingerprint of the bot)...

so in that respect i think i'll agree with matt sergeant that av could be and perhaps should be doing more... his misapplication of a sophos graph of malware prevalence, however, i won't agree with... he really, really ought to know better than to try to compare a botnet's size with entries on a malware prevalence table... here's why it just doesn't work: a malware prevalence table breaks down malware prevalence on a per variant basis while botnets today are generally heterogeneous from a variant perspective (which is to say there are many times many different variants of a particular family of malware in any given botnet thanks to things like server-side polymorphism) so while a botnet may be huge, the prevalence of any particular variant in that botnet's ecology is still probably pretty low... that being said, something i've been mulling over in my mind for a little while now is whether prevalence tables broken down by family instead of variant are the more interesting metric these days in light of botnets and malware campaigns in general... personally, i'd like to see both types of tables...
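to make the variant-versus-family point concrete, here's an added example (mine, not from the post and not sophos' data) that takes a per-variant prevalence table and rolls it up by family... the numbers are constructed, and the 'Family.Variant' naming convention is an assumption for the sake of the example (real vendor detection names vary):

```python
# Added example, not from the original post. Constructed prevalence data;
# the 'Family.Variant' naming convention is assumed for illustration.
from collections import defaultdict

# (detection name, percent of all detections) - constructed sample table.
# 'Swarm' stands in for a server-side-polymorphic botnet family with many
# variants; 'Lonely' for a single-variant piece of malware.
SAMPLE_VARIANT_TABLE = [
    ("Lonely.A", 12.0),
    ("Other.A", 4.0),
    ("Swarm.A", 3.0),
    ("Swarm.B", 2.5),
    ("Swarm.C", 2.5),
    ("Swarm.D", 2.0),
    ("Swarm.E", 1.5),
    ("Swarm.F", 1.5),
    ("Swarm.G", 1.0),
]


def family_of(detection_name: str) -> str:
    """Assumed convention: everything before the last dot is the family."""
    return detection_name.rsplit(".", 1)[0]


def rank_variants(variant_table):
    """The table as a vendor would publish it: one row per variant, most
    prevalent first."""
    return sorted(variant_table, key=lambda row: -row[1])


def by_family(variant_table):
    """Roll the variant table up into (family, total percent, variant count)
    rows, most prevalent family first."""
    totals = defaultdict(float)
    counts = defaultdict(int)
    for name, share in variant_table:
        fam = family_of(name)
        totals[fam] += share
        counts[fam] += 1
    rows = [(fam, round(totals[fam], 2), counts[fam]) for fam in totals]
    return sorted(rows, key=lambda row: -row[1])


def top_variant(variant_table):
    return rank_variants(variant_table)[0]


def top_family(variant_table):
    return by_family(variant_table)[0]


if __name__ == "__main__":
    print("per-variant table:")
    for name, share in rank_variants(SAMPLE_VARIANT_TABLE):
        print(f"  {name:<10} {share:5.1f}%")
    print("per-family table:")
    for fam, share, n in by_family(SAMPLE_VARIANT_TABLE):
        print(f"  {fam:<10} {share:5.1f}%  ({n} variants)")
```

on the sample data the per-variant table is topped by Lonely.A and the best any Swarm variant manages is third place, yet Swarm as a family is the biggest thing on the per-family table - which is the mismatch that makes reading a botnet's size off a per-variant prevalence chart misleading.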

the opening keynote for day two was with stephen toulouse and had the best opening ever ([looks at giant screen] 'dear lord, is that what i look like' - or something to that effect)... stepto thinks us security folks can bring some valuable insights and thought patterns to fields outside of security - i certainly hope so, i'm in software development and while i'm not high enough up the food chain to make the big decisions (and frankly don't want to be) i have been able to direct some things which i hope have been of benefit...

the first talk i went to on the second day was deviant ollam's presentation on lockpicking... i found the lockpicking at sector absolutely fascinating, both in this talk and also in the lockpick village... perhaps it goes back to me breaking into my own home as a kid when i (frequently) lost/forgot my keys, but i just went into sponge mode and absorbed as much as i possibly could... i imagine there were a lot of questions about dudley combination locks since that seems to be what we have up here in place of master combination locks and since they aren't exactly the same (our dials go up to 60, so there)... one of these days i should really put in some time and try to see if i can brute force a dudley lock combination because i have 4 here but only one with a known combination...

day 2's lunch keynote was johnny long's presentation on no-tech hacking... it was very entertaining to see the scope of the average (and often not-so-average) person's obliviousness to security concepts, but it was also a little disheartening especially when he ended the presentation without offering any hope for change... i think we all know there's a scarcity of security awareness in the general population, that's one of the reasons why i started looking into whether memetic engineering might be able to help things along (re: secmeme.com)... if only i had time to work on all the things i want to do (though i'm sure johnny's talk will provide a wealth of inspiration for the security idiot meme)...

the next talk i attended was james arlen's security heretic presentation... this presentation was in a rather unfortunate time slot, since chris hoff's virtualization presentation was going on at the same time (i thought of going to that one but really, the only thing i use virtualization for is sandboxing)... this was also the presentation that seemed to get the least amount of respect from attendees as people were constantly coming and going (and i picked a seat near the door, uggh!)... unfortunately it was also not the talk i was expecting it to be... while i was expecting to hear about one security pro's journey (as the description suggested) what i got instead was a very large number of calls for a show of hands... i'm sure it all makes sense to people who have been in similar positions but for someone like me who hasn't it just doesn't help me relate...

the last talk i went to was jason wright's presentation on finding cryptography in object code... strangely enough, i went to a talk on the same subject at rsa '02 where they talked about finding magic constants... jason led off with that (which made me a little bit nervous) but that was only for context as the meat of the presentation was more about frequency of occurrence of operations usually only seen in crypto which was interesting... it also wound up being the shortest talk i saw...
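since the magic-constant approach is the part of that talk i can actually show in a few lines, here's an added example (mine, not jason's code or slides) that scans a blob of object code for well-known hash and cipher constants in both byte orders... the blob it runs on is constructed, not a real binary; the operation-frequency technique the talk was really about needs a disassembler and isn't attempted here:

```python
# Added example, not from the original post or the presentation. Scans a
# byte blob for well-known cryptographic constants; the sample blob below
# is constructed, not extracted from any real program.
import struct

# The first words of each algorithm's initial state / round-constant table.
# A set only counts as found when every one of its words is present, which
# keeps an ordinary integer that happens to equal one word from matching.
KNOWN_CONSTANT_SETS = {
    "MD5/SHA-1 initial state": (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
    "SHA-256 initial state":   (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A),
    "SHA-256 round constants": (0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5),
}
# The AES S-box is a byte table, so byte order does not apply to it.
AES_SBOX_PREFIX = bytes((0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
                         0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76))
# Often mistaken for crypto when found: the reflected CRC-32 polynomial.
CRC32_POLY = 0xEDB88320
BYTE_ORDERS = (("little", "<I"), ("big", ">I"))


def find_all(blob: bytes, needle: bytes) -> list[int]:
    """Every offset at which needle occurs in blob (overlaps included)."""
    offsets, start = [], 0
    while (idx := blob.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def scan_constants(blob: bytes) -> list[tuple[str, str, int]]:
    """Return (label, byte order, offset of the first word) for each constant
    set fully present in blob, plus S-box and CRC-32 table hits. Words are
    searched one at a time, so a set still matches when the compiler spread
    its words across separate instruction immediates rather than an array."""
    hits = []
    for label, words in KNOWN_CONSTANT_SETS.items():
        for order, fmt in BYTE_ORDERS:
            per_word = [find_all(blob, struct.pack(fmt, w)) for w in words]
            if all(per_word):
                hits.append((label, order, per_word[0][0]))
    for idx in find_all(blob, AES_SBOX_PREFIX):
        hits.append(("AES S-box", "n/a", idx))
    for order, fmt in BYTE_ORDERS:
        for idx in find_all(blob, struct.pack(fmt, CRC32_POLY)):
            hits.append(("CRC-32 polynomial (checksum, not crypto)", order, idx))
    return hits


# Constructed sample: some filler bytes, a little-endian SHA-256 initial
# state array, padding, the start of an AES S-box, and one lone MD5 word
# (which must NOT be reported, since its three siblings are absent).
SAMPLE_BLOB = (
    b"\x55\x89\xe5" * 8
    + b"".join(struct.pack("<I", w) for w in KNOWN_CONSTANT_SETS["SHA-256 initial state"])
    + b"\x00" * 16
    + AES_SBOX_PREFIX
    + struct.pack("<I", 0x67452301)
)

if __name__ == "__main__":
    for label, order, offset in scan_constants(SAMPLE_BLOB):
        print(f"{offset:#06x}  {label} ({order}-endian)")
```

requiring the whole set is the cheap defence against false positives; the CRC-32 entry is there because it's the constant most often mistaken for crypto when someone greps a binary for 'interesting' numbers.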

and then it ended, and we gathered for one last time in the keynote/lunch hall, i interrupted hoff fulfilling his security rockstar duties to say hi (sorry i didn't see you later when everyone made for the door, chris, i did look though but i'm sure you'd already attracted another crowd), and then they handed out prizes (prizes! i don't remember that at rsa) and it was done... it was a great experience, i enjoyed the talks a lot, i didn't network as much as i probably should have ('cause i generally suck at that) but oh well, at least i can put some more faces to familiar names now - perhaps if the next time is soon enough (i.e. not 6 years in the future) i'll be able to put that to good use...
