Dailydave mailing list archives

IT Underground trip report


From: Dave Aitel <dave () immunitysec com>
Date: Mon, 18 Oct 2004 11:36:33 -0400

It's customary for people at Immunity to write trip reports. I share mine below.

Download full version in OpenOffice format at http://www.immunitysec.com/downloads/IT-UNDERGROUND.sxw .

-dave


IT-UNDERGROUND Report
Oct 18, 2004
Dave Aitel




In this picture are a bunch of speakers who were at the IT-UNDERGROUND conference in Warsaw. From left to right you have: Mike Shema, Paul Wouters, David “H1kari” Hulton, Thorsten Holz, Dave Aitel, Rakan El-Khalil, Joanna Rutkowska.

The particular location in this case is a dumpling house in Old-Town. Warsaw tends towards small, finely decorated places. Prices range from 10 Zloty to 15 Zloty for a plate. (3.5 Zloty to a Dollar).

Overall, the conference went quite well, I think. A large part of this was no doubt because they had 2 translators in each of the three rooms, and so you could understand what the speaker was saying in Polish or in English, no matter what your primary language was. Unlike many conferences, most speakers gave more than one talk, and some gave up to three talks. It worked well. I would say there were 250 people at the conference – reasonably large.


Speakers and Talks

I didn't catch all the talks, so I'll only comment on the ones I did catch.


Robert Lee Ayers is a Director for Critical National Infrastructure Defence for Northrop Grumman Mission Systems Europe.

A former US DoD official, Bob now is a UK citizen. He did the keynote:

This presentation will examine the characteristics of an effective program for defending the nation's critical computing and communications systems. The audience will gain the knowledge required to understand how to construct a national CNI Defence programme.
Target audience: Senior government officials.

Interestingly he differentiated between a “conventional war” and a “logical war”. In his words, there is a “clear indication of victor” in a conventional war. As well, a conventional war is, as Clausewitz would agree, between nation states, whereas a logical war is not.

He uses this terminology, which some people may not be familiar with:
Strategic warning: You are going to be attacked
Tactical warning: You have been attacked

An interesting point he made is that with a “logical war” you have difficulty knowing how bad the problem is.

All good indicators:
are observable and measurable
possess a state of normality
are logically predictive of the anticipated event
take place sufficiently far in advance of the event to allow you to take an action

"One indicator of a nuclear attack is a bright light in the sky. However, it is not a GOOD indicator because you don't have time to respond"

He claims that logical attacks have no strategic warning and that tactical warning requires rapid data collection and effective reporting mechanisms, which are almost always missing.

Offensive IW techniques occur prior to declaration of war.

I would say that IW is also extremely hard to model - which means hard to train for! (The military motto of “train like we fight” is nearly impossible to achieve, in my opinion.)

He also claimed that all of the major internal switches (Cisco boxes) were compromised and concocting a sniffing operation for up to 4 years in 1992-1994. He says CERT had published a report on this, but I can't find it.

He mentions that all service providers hide problems – problems pose a risk to revenue. I would add that MS is a service provider...

One weird statistic he posed is that “50% of all corporations have "offensive attack programs" ready to use.” He claims a large percentage of them are “hacking back”. I don't see it. I think some of them are hiring outside companies that do DoS attacks on phishing companies, but I don't see a “hack back” strategy.

I would comment on his talk with two things I think are incorrect:
1. He claimed that there is no mobilization cost to “Logical” war.
2. He claims there is a low cost of entry to logical war.

I think there are a lot of things that make a logical war expensive, and I think the proof is in the pudding: Al Qaida is using bombs. Bob's strict Clausewitzian ideology was weird to me. I thought most modern military thought had stepped away from Clausewitz. Religious wars are not between nation states, they are fundamentally between ideologies. And powerful non-religious ideologies are just as warlike – Communism, for example. Thinking of war as a purely nation-state endeavor is to think of the rightful collection of power as a purely nation-state endeavor. Most nation-states have little if any political legitimacy in the modern world, so a trend towards non-nation-state warfare makes more sense now than ever. Anyways, on to speakers. Not everyone gets a mention because I got really jet-lagged for the second day and can only attend one talk at a time.



Rakan El-Khalil

INFORMATION HIDING IN EXECUTABLE BINARIES
Rakan El-Khalil is currently on sabbatical in France. He is a recent MS CS graduate from Columbia University. While he was there he worked on a variety of projects at the CS Research Lab, such as an IDS that uses machine-learned models to detect network threats and a syscall based permission system on OpenBSD [predating systrace].

So I didn't see his talk, but I spoke to him a bit. The only thing I disagree with is that it's “not possible” to do a graph based steganographic implementation. I think it'd be fun for someone to try. Rakan thinks getting that much of a decompile would be prohibitive.

Thorsten Holz
His talk was on honeypot compromising. It was good. I don't have a lot of comments on it. Read his paper or something. There are some English errors in it I wanted to fix, but I don't remember any technical flaws or anything. Thorsten is a nice guy. The first night we got in, he walked with me through the Warsaw cold in search of food. We ended up in a tiny restaurant where we ordered a #1 and #2 (which turned out to be liver and onions and chicken). Polish isn't as easy to read as you'd think.

David h1kari Hulton
David thoroughly impressed me. He dresses like a Matrix fan, with a long leather coat, but I assume that's some sort of west coast thing. He's doing some generally solid work in a lot of different fields. For example, he wrote bsd-airtools, and actually improved on the WEP attacks in a way that makes sense. His work on embedded stuff was cool too. For example, he improved an attack on GSM cards to make it workable.

Joanna Rutkowska
Joanna Rutkowska is an independent security researcher. She focuses on various exploitation techniques, application and system protection against unknown exploits, system compromise methods and their detection.

Joanna was one of the stand-outs from the conference. She's a native Polish person. A “Pole” I guess, although that sounds weird. Anyways, she gets “it” as far as I can tell. Her talks were on Linux and Win32 rootkits, and how to detect them. And, of course, the subtext was how to make them better. During lunch she schooled us in how to detect VMware using one instruction. (In Immunity terms it's called “Sinan's Favorite Instruction” - we'll let the rest of you guess at that though.) Joanna actually asked questions during my talks, which is interesting in that the few women in this industry tend not to do so, since they already get more than enough attention. She also wins the “Speaker who tested the SideKick II camera out the most at the request of my friends” award. So if you're reading this in email, and not in .sxw, then you're missing out. No doubt the picture doesn't do her justice. There are a few more floating around. Contact your local haxor warez connection. She noticed that the infosec community is quite “Gossipy” which is definitely true. On one hand, this makes it quite a lame society, but on the other hand, a bit of chatter is good for finding leaks and bad nodes.

There were a lot of other talks I missed. One in particular I always hate is the “panel discussion”. Why people insist on these things I'll never know. Maybe there's a way to do it in a way that makes sense, but I've never seen it. Example questions: “Is Linux or Windows security better?” Sheesh.

As always, if you have additional comments, pipe them in.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave