Kiwicon Day Two - More choice exploits!

Patrick Gray travelled to the Kiwicon security conference in Wellington, New Zealand. The following is a summary of the second day of the event.

Kiwicon day two got off to a cracking start on November 18 with a presentation by Graeme Neilson from Aura Software Security. He showed delegates precisely how easy it is to trojan Blackberrys.

But all code that runs on Blackberrys is signed, right?

Yes, Neilson says, but the maker of the portable device, Research In Motion (RIM), isn't too fussy about who it sells certs to. If you want to get your Trojan code signed to run on a Blackberry, just go to the Research In Motion Web-site, plug in your details, pay a fee and voila! You're in business.

The next presentation, by Nick von Dadelszen, showed us why we shouldn't necessarily regard thick client software - think SAP, Oracle etc - as being any more secure than Web applications. In fact, von Dadelszen explained, the servers that handle client requests are often less secure than Web application servers because it's assumed the client will handle all of the logic associated with various tasks.

What happens if you try to dump client information before you've logged in, for example? The client takes part in the authentication procedure, so if you skip that by bypassing the client are you in like Flynn? Is the application server equipped to deal with attackers using subverted client software?

A talk by Joshua showed us how nerds wanting to help Hezbollah - the militant Lebanese organisation - have used black hat search engine optimisation techniques in an information warfare campaign. By tricking Google into thinking its propaganda pages were in fact pro-Israel, Hezbollah got a leg up in the war for hearts and minds.

Thoth's presentation on hypervisor malware was an excellent rundown on virtualised root-kits without the usual hyperbole. In a highly technical session, Thoth presented his undergraduate thesis. The good news is hypervisor root-kits are actually detectable, for now. The presentation was light on conclusions and heavy on thrashing out as much technical detail as possible. Thoth stayed away from making sweeping conclusions, an academic approach and something the headline-hungry commercial security world should probably consider doing once in a while. The presentation indicated this is a field of research that has a future.

A super-secret staff member from New Zealand's equivalent of Australia's Defence Signals Directorate - the Government Communications Security Bureau (GCSB) - got up in front of 200 hackers and told them very little that couldn't be found out through a quick scan of the GCSB Web-site. Still, it was grand that he made an appearance - he even attempted to engage the attendees as eyes and ears. Know something? Call us! You will NOT wind up in Gitmo! For serious!

Paul Craig showed everyone just how insecure the average Internet kiosk is. An insecure public Internet kiosk shouldn't be a huge issue, but how many times have you seen a businessman at an airport check his company web-mail using one of those things? What are the odds his e-mail password is the same as his VPN password? Food for thought and a reminder to all security managers and CSOs that you may as well assume your users are writing their passwords on their business cards before handing them out.

Finally, Immunity Inc's Adam Boileau delivered a sad, sad presentation that showed delegates how hideously insecure carrier-grade Ethernet networks are. All those lame attacks that work on your LAN actually work inside your provider's network, too. It was enough to make grown-ups weep. You'll be hearing more on this one in coming weeks.