Skip to main content
April 19, 2007

CanSecWest Day One Highlights

Thought I would post a few thoughts on today's talks:

For some reason I expected more out of Jose Nazario's talk on Reverse Engineering Malicious Javascript. Basically, it could be summarized as follows: Use command-line Javascript interpreters such as njs to figure out what obfuscated Javascript does without having to execute the malicious code in the context of a web browser. Near the end, he mentioned that he had been seeing increased amounts of Flash-based malware, and mentioned that flasm was a useful tool for extracting the ActionScript from .swf files. Very clearly presented but pretty basic content.

Adam Laurie delivered a great presentation on weaknesses in RFID, peppered with live demos that kept the audience engaged while not glossing over the technical details. He demonstrated the process of cloning various RFID cards using a reprogrammable Q5 tag and some custom Python code. He talked at length about how RFID is implemented in passports and some of the inherent weaknesses in the internationally adopted passport standard. The encryption key is derived from the document number, date of birth, and expiration date, all of which are printed on the passport. He was able to brute force the key for a British passport based on the fact that the passport numbers are issued sequentially (doh) and the issue date was stamped on the outside of the envelope, making the expiration date trivial to derive. The notion of passport profiling based on implementation errors was also discussed, with one example being Australian passports which incorrectly generate the random ID and handle the access control protocol slightly different from other countries.

I have to question what the CanSecWest screening committee was thinking when they accepted the idea of presenting Fun with IPv6 Routing Headers in 3D. The slides were laden with text and packet diagrams, so even though 3D glasses were handed out, they didn't help much. Adding to the frustration was the fact that the presenters, Philippe Biondi and Arnaud Ebalard, spoke with a heavy French accent and most people had difficulty understanding them. Normally when you can't follow the presenter, you can rely on the slides to help you derive some technical context. Unfortunately this was impossible with this 3D slide deck. All I know is that IPv6 Type 0 Routing Headers are similar to source routing in IPv4 and they aren't handled consistently across various OSes and hardware vendors. Here's hoping they publish a legible version of the slide deck because I'm sure there's some interesting content. I lasted about 20 minutes before walking out of the room with a headache.

Tomorrow looks promising, with presentations from Barnaby Jack, HD Moore, and Luis Miras, as well as a couple talks on Vista.

[Update: Flat version of the IPv6 Routing Headers presentation is online.]

Related Content

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.