While attending [DeepSec 2007](https://deepsec.net/), I was making notes of the most interesting/surprising information presented. I hope they are useful; if you want more, slides from the presentations might be available on [wiki.deepsec.net](http://wiki.deepsec.net/index.php/DeepSec_2007).
### The Business Case for Removing Your Perimeter
B2B application interconnection, company mergers and divestments, and consultants working in the company's offices made the idea of "my network" obsolete several years ago. Protecting from unauthorized network access (e.g. using firewalls) is ineffective; all applications need to be protected (by authenticating users or client applications) instead of assuming the network is secure.
### New Security Model of Bluetooth 2.1
Current Bluetooth security model:
* Small devices (e.g. headsets, mice) can't be configured with a variable PIN. Their fixed PIN can be physically observed (if printed on the device) or brute-forced—allowing e.g. eavesdropping on somebody's phone conversation.
* Link keys never expire; once a key is extracted/guessed, it works forever.
* Replay and MITM attacks are possible.
* The link key is per-device, not per-service; it is not possible to allow a client to only access some functions of the device.
The newly proposed security model: "secure simple pairing":
* Uses ECDH (provides eavesdropping protection); MITM protection possible with user input.
* Devices announce their UI capabilities (e.g. keyboard/display/one button/nothing) and together select a suitable authentication mode.
* A debug mode, using predefined keys, is provided; one side can force the other to use debug mode (because the other might not have any UI to enable debug mode).
* No chips supporting 2.1 manufactured yet.
### Economics of Information Security
* Because UK banks are less liable for fraud than US banks, UK banks were comparatively careless about security, and there was more fraud in the UK.
* Software markets, with high fixed and low marginal costs, and with network effects, lead to natural monopolies. Firms therefore prefer short time-to-market to product quality, and they want to make it easy to create complements (plugins, add-on software), choosing simple-to-use APIs instead of secure APIs.
* The software market WRT security is a "market of lemons"; proposed solution is to create a *market for new vulnerabilities*; then a product with high price offered for new vulnerabilities is supposedly more secure. (*mitr*: Who is supposed to buy the vulnerabilities?)
* Third-party web site certificates are ineffective: e.g. TRUSTe places almost no requirements, and TRUSTe-certified websites are more likely to be untrustworthy than a random internet website.
* Similarly, websites reachable via paid advertising are more likely to be untrustworthy than websites reachable from search results.
* Possible remedies: make certification entities liable for damages; require publication of user's complaints.
* Phishing has become quite advanced: the "rock phish" group uses meaningless `.com` domain names (registrars used not to remove domains that didn't infringe on trademarks); the DNS domains point to compromised machines acting as proxies; wildcard-like DNS is used, which results in many unique URLs for a single phishing site. The IP pool is automatically managed, adding new zombies for each zombie taken down.
* Largest phishing targets: PayPal, EBay, Bank of America, Wachovia.
* There are companies specialized in taking down phishing sites; they seem to react faster than banks' in-house teams.
* Median lifetime of a phishing site hosted on Yahoo! is 7 hours, much lower than its competition.
### Windows Heap Protection: Bypassing Requires Understanding
(Really selling a "debugger" for reverse-engineering memory layout)
* Windows XP SP2 heap protection: checks consistency of back and forward links; metadata XORed with a random key.
* Windows Vista: each heap block contains a checksum.
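As an added illustration (not from the talk, and not Windows code), a constructed C model of the two XP SP2 checks noted above: the "safe unlinking" test that both neighbours of a free-list entry still point back at it, and a size field stored XORed with a random per-heap cookie so that an overwrite with a plausible plaintext value fails to decode. The struct layout, function names and cookie value are assumptions.

```c
#include <stdint.h>

/* Constructed model of a free-list entry: forward/back links plus a size
 * field XORed with a per-heap random cookie (real Windows layout not reproduced). */
typedef struct entry {
    struct entry *flink;
    struct entry *blink;
    uint32_t enc_size;           /* size ^ heap_cookie */
} entry_t;

/* Constructed fixed value; a real heap draws this at creation time. */
static const uint32_t heap_cookie = 0xA5C3F00Du;

/* 1 if both neighbours point back at e and the metadata decodes to expected_size. */
int safe_unlink_check(const entry_t *e, uint32_t expected_size) {
    if (!e->flink || !e->blink) return 0;
    if (e->flink->blink != e || e->blink->flink != e) return 0;
    if ((e->enc_size ^ heap_cookie) != expected_size) return 0;
    return 1;
}

/* Unlink only after the check: 1 on success, 0 when corruption is detected. */
int safe_unlink(entry_t *e, uint32_t expected_size) {
    if (!safe_unlink_check(e, expected_size)) return 0;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->flink = e->blink = 0;
    return 1;
}

/* Build an n-entry circular free list of 64-byte blocks. */
void build_list(entry_t *nodes, int n) {
    for (int i = 0; i < n; i++) {
        nodes[i].flink = &nodes[(i + 1) % n];
        nodes[i].blink = &nodes[(i + n - 1) % n];
        nodes[i].enc_size = 64u ^ heap_cookie;
    }
}

/* Corrupt the middle entry (0 = intact, 1 = bad forward link, 2 = plaintext
 * size written without the cookie) and report whether the unlink went through. */
int unlink_after_corruption(int scenario) {
    static entry_t decoy;        /* zero-initialised: its blink is never &nodes[1] */
    entry_t nodes[3];
    build_list(nodes, 3);
    if (scenario == 1) nodes[1].flink = &decoy;
    if (scenario == 2) nodes[1].enc_size = 64;
    return safe_unlink(&nodes[1], 64);
}
```

Only the intact entry (scenario 0) is unlinked; both corrupted variants are refused before any pointer is written.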
### Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
* Same-origin policy can be defeated using `
Deepsec, a long-awaited European conference......
Amid a landscape that many consider increasingly bland, Deepsec clearly stood out with an original programme and was already seen as a landmark event before it had even taken place. Did this conference live up to its promises...
Just landed on this post via Google seek. I love it. This situation changed my perceptual experience and I am acquiring the RSS feeds. Cheers Up.
Many thanks for the great information and facts. I'm thinking in case you might point me in the direction of more resources?