I never actually posted the rest of my notes from CanSecWest. At this point I'd be leaning towards leaving it at that, but since I've had a couple of requests to finish up, I'll oblige, provided I can still remember the salient points. So without further ado, CanSecWest Day 3:
Andrea Barisani and Daniele Bianco from Inverse Path gave an informative and entertaining presentation on Unusual Car Navigation Tricks, in which they explained how RDS-TMC traffic messages could be easily forged to create "events" that would then be received and displayed by TMC-capable GPS devices. Normally TMC is used to indicate that there is a traffic jam at a particular location so that the GPS can determine alternate routes. However, "traffic jam" is only one of many event codes supported by the protocol; others include "air raid", "bull fight", "boxing match", etc. While this added some humor to the proceedings, the more serious angle was whether there could be an impact on emergency services or even national security as we become more reliant on the technology. There was some discussion of the protocol's encryption, which amounts to a bitwise XOR with fixed keys: it was designed to gate subscription content, not to keep malicious data out, so it offers no integrity protection for the messages a receiver displays.
Jonathan Wilkins from iSEC Partners demonstrated ProxMon, a tool he'd developed to build some automation into web application penetration tests. It basically scrapes WebScarab logs (support for other proxy log formats is planned) and extracts useful information such as server information, cookies generated, common frameworks in use, etc. to build a repository of metadata about the application being tested. It is primarily a passive tool but has some built-in scanning capabilities as well. It seems to do a good job of automating a bunch of tasks that most people currently accomplish with grep, awk, and various Perl scripts cobbled together. With some additional effort (it's an extensible Python framework) it could evolve into a more valuable tool.
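To illustrate the passive, log-driven approach described above, here is an added example in Python; it is not ProxMon's code and is not affiliated with iSEC Partners. It walks over a constructed, deliberately simplified proxy log (one `URL` line followed by raw response headers per entry; real WebScarab conversation logs are laid out differently), collects Server banners per host, framework hints from `X-Powered-By` and from well-known session cookie names (a hypothetical mapping), and records cookies issued over HTTPS without the `Secure` or `HttpOnly` attributes, which is the kind of finding that otherwise gets assembled by hand with grep and awk.

```python
"""Passive metadata extraction from proxy logs (added example, not ProxMon).

The log format below is constructed for this example: entries are separated
by a blank line; each entry starts with 'URL <url>', then the status line,
then raw response headers. Real WebScarab logs do not look like this.
"""
import re
from collections import defaultdict

# Constructed sample log: three responses from two hosts.
SAMPLE_LOG = """\
URL https://app.example.test/login
HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.4
Set-Cookie: PHPSESSID=abc123; path=/
Content-Type: text/html

URL https://app.example.test/account
HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly
Set-Cookie: prefs=dark; path=/; Secure; HttpOnly
Content-Type: text/html

URL https://api.example.test/v1/items
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9F2A; Path=/; Secure
Content-Type: application/json
"""

# Hypothetical mapping of default session cookie names to the stack that
# usually sets them; a real tool would carry a much longer list.
FRAMEWORK_COOKIES = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
}


def parse_entries(log_text):
    """Yield (url, headers) per log entry; headers is a list of (name, value)
    with header names lower-cased so lookups are case-insensitive."""
    for chunk in log_text.strip().split("\n\n"):
        lines = chunk.splitlines()
        url = lines[0].split(" ", 1)[1].strip()
        headers = []
        for line in lines[2:]:  # skip the URL line and the status line
            if ":" in line:
                name, value = line.split(":", 1)
                headers.append((name.strip().lower(), value.strip()))
        yield url, headers


def build_metadata(log_text):
    """Aggregate server banners, framework hints and cookie-flag findings.

    cookie_findings is a set of (host, cookie_name, missing_flag) tuples so
    the same weakness seen on several pages is reported once."""
    servers = defaultdict(set)
    frameworks = set()
    cookie_findings = set()
    for url, headers in parse_entries(log_text):
        m = re.match(r"(https?)://([^/]+)", url)
        scheme, host = m.group(1), m.group(2)
        for name, value in headers:
            if name == "server":
                servers[host].add(value)
            elif name == "x-powered-by":
                frameworks.add(value)
            elif name == "set-cookie":
                first, _, rest = value.partition(";")
                cname = first.split("=", 1)[0].strip()
                attrs = {a.strip().lower() for a in rest.split(";") if a.strip()}
                if cname in FRAMEWORK_COOKIES:
                    frameworks.add(FRAMEWORK_COOKIES[cname])
                # A cookie issued over HTTPS without Secure can leak over HTTP.
                if scheme == "https" and "secure" not in attrs:
                    cookie_findings.add((host, cname, "secure"))
                # Without HttpOnly the cookie is readable from page script.
                if "httponly" not in attrs:
                    cookie_findings.add((host, cname, "httponly"))
    return {
        "servers": dict(servers),
        "frameworks": frameworks,
        "cookie_findings": cookie_findings,
    }


if __name__ == "__main__":
    meta = build_metadata(SAMPLE_LOG)
    for host, banners in sorted(meta["servers"].items()):
        print(host, "->", ", ".join(sorted(banners)))
    print("frameworks:", ", ".join(sorted(meta["frameworks"])))
    for host, cname, flag in sorted(meta["cookie_findings"]):
        print(f"{host}: cookie {cname} set without {flag}")
```

The interesting design point is deduplication: a session cookie is typically re-issued on many pages, and reporting it once per (host, cookie, missing attribute) keeps the repository readable when the log holds thousands of conversations. Swapping in a parser for a real proxy's log format only means replacing `parse_entries`.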
Tavis Ormandy from Google presented Untrusted Code in a Virtual Machine, in which he essentially fuzzed various VM packages to determine ways in which code running on a guest OS could potentially affect the host OS. While not a new idea, the research was interesting because it applied a few select attack vectors across a range of VM implementations. The primary targets were BitBlt operations against the emulated VGA device, random I/O port activity, and instruction set fuzzing.
I think around this point I started getting a little lazier with my notes, as I was doing all this on my BlackBerry keyboard. Of the remaining talks, I enjoyed the one on Attacks of Nortel VoIP Implementations. Not at all surprising, but certainly entertaining.