Showing posts with label networking. Show all posts

1.16.2008

Nasty Idea of the Night: Bittorrent "Worm"

It's been awhile, but then again, it's always been awhile, but I digress.


So a nasty idea popped into my head tonight. Imagine attacking a BitTorrent by finding a buffer overflow in the client software and each host compromised checks its peer list and compromises all those as well? Add extra nasty and have the payload also check for other torrents and send the exploit payload to those as well.

Interesting points:
  • Could move incredibly fast.
  • Complicated issues with client vulnerabilities vs protocol vulnerabilities. Unlikely to write an attack that works universally. 
  • Price the RIAA would pay for such a thing? *What's the keystroke for infinity*
  • Tracker vulnerabilities.
Just a random thought. More to come.

6.29.2007

CapSec Recap

As I posted at quite short notice, yesterday was the initial meeting of CapSec, the CitySec group of DC being started by Matasano Chargen member Dan Moniz. I'd corresponded back and forth with Dan a few times on the CitySec message board, so it was a pleasure to speak with him in person, as well as the other folks who showed up.


The meeting itself was small but definitely worthwhile and quite fun. I showed up at the Brickskeller around 7:20 and walked in to find a table set up with a small CapSec sign. I was the third person to make it, with the grand total rounding out to five. Low attendance? Perhaps, but we all had a great time anyway. It was an excellent opportunity to actually have a nice conversation, talk with everyone, get everyone's perspective, and I genuinely enjoyed everyone who showed up.

What did we talk about, you may ask? I have no idea, and that's what made it great. Everything from old jobs we've had, current trends, the iPhone, and what our favorite beers are. What was amazing was the connections that people put together throughout the night. I've always felt that the security community is small and tightly knit, and last night proved it. There were many "Oh, I know those guys, we've hung out at " moments.

All in all it was a great experience. We work in an exciting and dynamic industry that's full of exciting and dynamic people. It's always fun to just get to hang out, be social, talk infosec, and enjoy a couple nice drinks. So my many thanks to Dan for starting this group up, I know I'll be a regular attendee.

6.28.2007

CapSec Tonight!

I don't know how I missed it considering my activity on CitySec, but tonight, June 28, is the first meeting of the CapSec security meet up. The meeting will be at:

The Brickskeller
Dining House and Down Home Saloon
1523 22nd St, NW
Washington, DC 20037

Google Map

I'm stoked for this meeting. It should be a good time to meet up with a bunch of actual, no BS, infosec folks who care more about tech than they do about their CISSP number. So come on out and join up, it should be a great experience.

3.14.2007

Gettin' Fired up with Firefox and Snort

Snort...
Firefox...
Two great tastes that taste great together...

What?!?

Yes folks, no joke about it. I haven't been really excited about an open source security project since the early days of Metasploit, before a young HD Moore turned the security industry on its head and added his name to lists of hacker greats. It's called Firekeeper, and it's meant to be a client application level intrusion prevention system for everyone's favorite open source browser, the venerable Firefox.

Firekeeper is a re-engineered version of the Snort detection engine that uses standard Snort rules, which allows for one of the best IDS engines in the world. Integrated as a Firefox plugin, this allows for detection of application level threats specific to Snort. All of this runs in the browser on the fly, with nothing extra to set up. This gives it amazing possibilities: it looks at only a small subset of signatures so it stays fast, and it has easy access to all sessions running in Firefox. It is even able to look into SSL sessions, something normal network IDS can't do without lots of fun expensive things like SSL accelerators and such.
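The idea of running Snort-style signatures at the point where the browser already holds the decrypted response, as an added example (not Firekeeper's code or its rule dialect): it parses a small subset of standard Snort rule options (`msg`, `content`, `nocase`, `sid`) and matches them against a response body. The rules, the body, and the function names `parseRule`, `decode` and `inspect` are constructed for illustration.

```javascript
// Added example: Snort-style content matching applied to a response body
// after the browser has decrypted it. Not Firekeeper's code or rule dialect.

// Parse the option block of a Snort rule: msg, sid, and content (+ nocase).
function parseRule(text) {
  const m = /^\s*(\w+)\s+[^(]*\((.*)\)\s*$/s.exec(text);
  if (!m) throw new Error("not a rule: " + text);
  const rule = { action: m[1], msg: "", sid: null, contents: [] };
  // Split on ';' only where it falls outside double quotes.
  const opts = m[2].match(/(?:[^;"]|"(?:\\.|[^"\\])*")+/g) || [];
  for (const raw of opts) {
    const opt = raw.trim();
    if (!opt) continue;
    const i = opt.indexOf(":");
    const key = (i < 0 ? opt : opt.slice(0, i)).trim();
    let val = i < 0 ? "" : opt.slice(i + 1).trim();
    if (val.startsWith('"')) val = val.slice(1, -1);
    if (key === "msg") rule.msg = val;
    else if (key === "sid") rule.sid = Number(val);
    else if (key === "content") rule.contents.push({ pattern: decode(val), nocase: false });
    else if (key === "nocase" && rule.contents.length)
      rule.contents[rule.contents.length - 1].nocase = true; // modifies the preceding content
  }
  return rule;
}

// Snort writes raw bytes as |hex hex|, e.g. "|3C|iframe" for "<iframe".
function decode(s) {
  return s.replace(/\|([0-9A-Fa-f\s]+)\|/g, (_, hex) =>
    hex.trim().split(/\s+/).map(h => String.fromCharCode(parseInt(h, 16))).join(""));
}

// A rule fires only if every one of its content patterns occurs in the body.
function inspect(rules, body) {
  return rules.filter(r => r.contents.length > 0 && r.contents.every(c =>
    c.nocase ? body.toLowerCase().includes(c.pattern.toLowerCase())
             : body.includes(c.pattern))).map(r => ({ sid: r.sid, msg: r.msg }));
}

// Constructed rules and a constructed, already-decrypted HTTPS response body.
const RULES = [
  'alert tcp any any -> any any (msg:"hidden iframe"; content:"|3C|iframe"; nocase; content:"display:none"; nocase; sid:1000001;)',
  'alert tcp any any -> any any (msg:"eval of unescape"; content:"eval(unescape("; sid:1000002;)',
].map(parseRule);
const decryptedBody = '<html><IFRAME src="https://example.invalid/x" style="display:none"></iframe></html>';
console.log(inspect(RULES, decryptedBody));
```

A network sensor watching the same HTTPS session would see only ciphertext; the match here is possible because the inspection happens after decryption, inside the client.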

Now the idea of application layer firewalls has been about for some time, but this is something new and altogether different. These typically function on the server side, protecting web applications and things like huge enterprise information systems. This was a great idea during the late 90's, when server attacks were en vogue, but we've moved past that now. While server side attacks will never go away (I mean come on, they're so easy to find (not the vulnerabilities, the servers)) we've moved into an era of client side attacks, and browsers have always been a favorite. Firekeeper provides a level of protection that can't really be duplicated. Network IDS attempts to work in the context of the network to protect the browser, which is counterintuitive. You wouldn't post a battleship to protect a fort 20 miles inland, you'd send tanks and soldiers. Firekeeper puts the protection in the right context: protect the browser at the browser.

Is this a surefire way to protect the browser? I'm not sure, and I tend to doubt it, though it's worth looking into. At the worst it's another layer of depth for security's beloved "Protection in Depth" model (which I've been questioning more and more lately after hearing Bruce Potter speak last week at the NoVA OWASP group). At the very least though it shows that people are taking novel approaches to protecting themselves and others, and that gives me hope.

P.S. How about a Mac version plz?!

3.10.2007

Speakin' at Shmoocon

Well, it's official now. From Shmoocon.org:

A Plenary Session on the Security and Social Impact of the One Laptop Per Child program

The Children's Machine, also known as the XO-1 and previously as the $100 Laptop, is a low-cost, power-efficient and durable machine developed by faculty members of the MIT Media Lab at the One Laptop per Child non-profit organization (OLPC). The laptop's purpose is to redefine learning for children in developing countries, particularly those living in the most remote areas and in the poorest of countries, by providing them with access to knowledge and modern forms of education. The laptops contain flash memory instead of hard drives and use a custom operating system based on Fedora Core Linux, which includes a new security architecture called Bitfrost. They are built to utilize wireless mesh networking, a form of mobile ad-hoc networking, to allow machines to communicate without requiring configuration by the user. The laptops will be sold to governments and issued to children by schools on the basis of one laptop per child.

What may be the consequences of such a massive distribution of computers to children in developing nations? A much larger Internet population in a few short years appears to be a certainty. Will tens or hundreds of millions of computers running Linux drastically alter the computer security landscape? What is the potential for the laptops to be abused by criminals or closed and oppressive governments? And how will the Internet affect millions of children who find themselves with access to a world decades ahead of their own culture?


Bio: Sean Coyne

Beginning his career as the only Business School member of Penn State's NSA Center for Information Assurance Excellence, Sean is now a sought-after consultant at Booz Allen Hamilton specializing in Information Security for government clients. Sean's technical know-how coupled with a big picture view has led him to help found the Vulnerable Minds think tank, studying the impact of information security on society.

Bio: Ivan Krstic

LiveJournal doesn't have an angry mood anymore, as Ivan Krstić used it all up. Ivan has been angry on all seven continents.

Bio: Jason Scott

Jason Scott runs TEXTFILES.COM, an online collection of the last 30 years of Bulletin Board System-era history, files and artifacts. He is also the director of "BBS: The Documentary" (www.bbsdocumentary.com), a 3-DVD, 8-episode documentary about the BBS, a project 4 years in the making. He has begun production on GET LAMP (www.getlamp.com), a documentary on text adventures. He speaks on topics of computer history and social commentary at various conferences, including Shmoocon 2006, where he presented a history of hacker conferences. Jason currently lives in Massachusetts, and is secretly in love with Bruce Potter.

Bio: Scott Roberts

An up and coming member of the DC InfoSec community. Scott began his interest in Information Security trying to get access to the Internet in 9th grade computer classes and it has led him to a position as a Global Security Analyst at Symantec Managed Security Services. Along with Vulnerable Minds, a think tank he helped found, Scott is also involved in various projects involving Snort, large scale architectures, and teaching information assurance.

I'm not gonna lie, Sean and I are stoked. This is really shaping up to be a great talk. Jason Scott has done some really great talks before from Shmoocon, Defcon, and others. Not to mention any guy making a profession of love to Bruce Potter can't be bad at all, just amusingly crazy. He's teaming up with Sean to take a look at the sociological, economical, other -ical type things that will come up with the OLPC.

Ivan Krstic, as I have mentioned before, is an unbelievably smart gentleman, not that it's a surprise, I mean he did design Bitfrost (which will be a major topic of our panel). As much as I'm looking forward to speaking with him I'm equally excited to just get the chance to pick his brain as one of the most out of the box people in computer security.

Sean... well I see him most days, but he does have a lot of great angles on this quite interesting issue. It'll be great to hear what he comes prepared with, and even better to hear what he does with the various questions that I'm sure will be thrown his way.

As for my piece I'm planning on tag teaming the technical end of things with Ivan, looking at the implications of such technology on the security space. There is so much to cover around this, both for the kids with the laptops, the world at large, and what lessons can be learned.

It should be a great panel and I'm honored to be with such an esteemed group. So track us down at Shmoocon. I'll be doing another post on Shmoocon later this week but regardless track me down to say hi. I'll be the loud guy with the short hair and the speaker's pass. If you're lucky you may even get one of the new Vulnerable Minds business cards (Thanks again Timoni! The new logos look great!).

2.10.2007

Quick Note

Ivan Krstic is scary smart. That is all.

1.16.2007

SSL: The best thing since heuristic search

It's been quite awhile since I've posted. My regrets. I just started a new position with my current firm that has taken up quite a bit of time and I'm learning a very complicated set of new ropes.

In addition the time I've had free has largely gone to another project. This project culminated in a last minute Call for Papers submission to ShmooCon tonight. I won't say much more until we know what the status of things is but I believe that fellow Vulnerable Minds researcher Sean Coyne and I have quite a compelling presentation in store, so grab your ShmooCon tickets if you don't already have them, and hopefully we'll see you in March. Now back to your regularly scheduled post:

I was surprised when I checked Lifehacker tonight and saw them touting the benefits of using https://gmail.com (using the SSL encrypted version) instead of http://gmail.com. Now I wasn't surprised because I think it's a bad idea, it's one I've nearly blogged about before myself. I just never bothered to do so because I assumed most people knew about this neat little Google trick.

If you read the fine, if somewhat brief, Lifehacker post about encrypted Gmail they do a nice job of explaining the basics, but leave out one crucial fact about this trick. This encryption technology isn't just for Gmail itself, but many Google technologies, at least those that have personal data involved. So if you're interested in using any Google technology and are concerned about who might be listening on the wire it's worth adding a 's' in the address bar and seeing what happens. You might be surprised.

I recommend trying out:
https://mail.google.com/mail/
https://www.google.com/calendar/render
https://www.google.com/reader/view/
https://docs.google.com/

Keep in mind that any links inside Google, such as those in the upper left corner or on the homepage, won't link to the secure versions of the page. I recommend setting up your own bookmarks to the SSL versions, and then browse away at your coffee shop of choice (I'll be at Murky) without the fear of that odd kid in the corner wearing nothing but black, sipping on his latte, running Wireshark snooping your Google apps traffic.

On a slight side note I'm struck, looking at all these URLs, that Google is somewhat inconsistent with their resource naming. Strange.