Thought I would post a few thoughts on today's talks:

For some reason I expected more out of Jose Nazario's talk on Reverse Engineering Malicious Javascript. Basically, it could be summarized as follows: Use command-line Javascript interpreters such as njs to figure out what obfuscated Javascript does without having to execute the malicious code in the context of a web browser. Near the end, he mentioned that he had been seeing increased amounts of Flash-based malware, and mentioned that flasm was a useful tool for extracting the ActionScript from .swf files. Very clearly presented but pretty basic content.

Adam Laurie delivered a great presentation on weaknesses in RFID, peppered with live demos that kept the audience engaged while not glossing over the technical details. He demonstrated the process of cloning various RFID cards using a reprogrammable Q5 tag and some custom Python code. He talked at length about how RFID is implemented in passports and some of the inherent weaknesses in the internationally adopted passport standard. The encryption key is derived from the document number, date of birth, and expiration date, all of which are printed on the passport. He was able to brute force the key for a British passport based on the fact that the passport numbers are issued sequentially (doh) and the issue date was stamped on the outside of the envelope, making the expiration date trivial to derive. The notion of passport profiling based on implementation errors was also discussed, with one example being Australian passports, which incorrectly generate the random ID and handle the access control protocol slightly differently from other countries.
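The key derivation described above is the Basic Access Control scheme of ICAO Doc 9303. As an added example (not code from the talk or from this post), the following builds the key seed from the three printed fields and estimates how many unknown bits remain once some of those fields are predictable. The specimen values are the worked example from Doc 9303; the candidate counts passed to `keyspace_bits` are illustrative assumptions.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # repeating MRZ check-digit weights (ICAO 9303)

def check_digit(field: str) -> int:
    """MRZ check digit: digits as-is, A-Z -> 10..35, filler '<' -> 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch) - ord("A") + 10  # assumes upper-case A-Z
        total += value * WEIGHTS[i % 3]
    return total % 10

def mrz_information(doc_no: str, dob: str, expiry: str) -> str:
    """Document number, birth date, expiry date (YYMMDD), each with check digit."""
    doc_no = doc_no.ljust(9, "<")  # document number is padded to 9 characters
    return "".join(f + str(check_digit(f)) for f in (doc_no, dob, expiry))

def key_seed(doc_no: str, dob: str, expiry: str) -> bytes:
    """BAC key seed: first 16 bytes of SHA-1 over the MRZ information."""
    info = mrz_information(doc_no, dob, expiry).encode("ascii")
    return hashlib.sha1(info).digest()[:16]

def keyspace_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """Bits of uncertainty given the number of plausible values per field."""
    return math.log2(doc_numbers * birth_dates * expiry_dates)

if __name__ == "__main__":
    # Specimen from the ICAO 9303 worked example, not a real document.
    print(mrz_information("L898902C", "690806", "940623"))
    print(key_seed("L898902C", "690806", "940623").hex().upper())
    # Nominal: 9 alphanumeric characters, ~100 years of birth dates, ~10 of expiry.
    print(round(keyspace_bits(36**9, 36525, 3652), 1))
    # Assumed case: sequential numbering leaves ~1000 candidates and the
    # expiry date is known to within a week.
    print(round(keyspace_bits(1000, 36525, 7), 1))
```

The key seed is only as unpredictable as its inputs: the 128-bit value carries roughly 73 bits at best, and far fewer once the document number and expiry date can be narrowed down.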

I have to question what the CanSecWest screening committee was thinking when they accepted the idea of presenting Fun with IPv6 Routing Headers in 3D. The slides were laden with text and packet diagrams, so even though 3D glasses were handed out, they didn't help much. Adding to the frustration was the fact that the presenters, Philippe Biondi and Arnaud Ebalard, spoke with a heavy French accent and most people had difficulty understanding them. Normally when you can't follow the presenter, you can rely on the slides to help you derive some technical context. Unfortunately this was impossible with this 3D slide deck. All I know is that IPv6 Type 0 Routing Headers are similar to source routing in IPv4 and they aren't handled consistently across various OSes and hardware vendors. Here's hoping they publish a legible version of the slide deck because I'm sure there's some interesting content. I lasted about 20 minutes before walking out of the room with a headache.

Tomorrow looks promising, with presentations from Barnaby Jack, HD Moore, and Luis Miras, as well as a couple talks on Vista.

[Update: Flat version of the IPv6 Routing Headers presentation is online.]

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (4)

Dragos Ruiu | April 22, 2007 10:04 pm

If you would have stayed for the rest of the presentation... you would have seen that that talk is likely to be remembered as the most significant problem covered at this year's conference. The IETF's recent mistake will soon filter to the news stories... the traffic amplification effects of the source routing issues they point out are stunning. cheers, --dr (yes, we will post a flat slide deck.)

CEng | April 22, 2007 10:39 pm

I agree that the content of the talk sounded quite interesting, and I honestly do look forward to reading the slides once they're online. But you can't ignore the fact that you lost a sizable chunk of the audience before the talk was half-over. For a topic this significant (based on your comment), it would have been more effective to forego the 3D gimmick in the interest of communicating the content clearly.

I guess if I were on the screening committee, I would have accepted the talk on its technical merits but suggested the content be presented in a more traditional format for the sake of clarity. Actually, I was chatting with one of the committee members afterwards and he was pretty much in agreement.

Great con though. This was the first year I've made it out for CSW and I will definitely be back.

Flat Slides | April 23, 2007 6:02 am

CEng | April 23, 2007 8:47 am

Hmm, that last comment came from an IP in France... thanks guys! BTW, the demo you did to show off the physics modeling engine was pretty sweet.
