Hacking in Canada

The past several days have been a busy and exciting time in the world of hacking.  There have been presentations, demonstrations, and uber-pwnage happening across the globe.

Well...mostly Vancouver and Amsterdam.

Here are some highlights and personal favorites from Canada.

The CanSecWest applied security conference drew to a close today, although I still haven't heard the details about the end of day 3.  All that is internet media has been focused on the PWN 2 OWN contest.  For those just awakening from a coma, this is basically a competition for OS (all three) hacking, matching some of the top security geeks, armed with their best 0day exploits.  Hack it and you can keep it, but the real reward is the $20K, which unfortunately gets halved each day, and the 1337 props from the hacking community.

As everyone knows by now, Charlie Miller and the ISE guys cracked the MacBook Air on day two, using a 0day exploit in Safari.  Remarkably, they did this in only two minutes, around the same time the Vista machine had finished booting.  Actually, I still haven't heard if the Vista or Ubuntu machines have been compromised.

Receiving less publicity, however, were the presentations at the conference.  Some of them included regular updates of the usual stuff at hacker-cons.  Speakers covered topics of virtualization security, fuzzing, AV vulnerabilities, XSS (Flash), the usual Microsoft hacking, and malicious cryptography (I enjoyed the book).  Robert Hensing has some good descriptions of the sessions on his blog.

Andres Riancho talked about his Web Application Attack and Audit Framework, w3af, which is sort of like an early Metasploit for web applications.  This GPL project was initially developed for testing SQL injection and XSS attacks, although, with a fully extendable framework, numerous Python plug-ins will follow.  Like anything worth downloading, it's hosted at SourceForge, and he's done a good job with his documentation.

Websense's Dan Hubbard gave a very relevant talk, Web Wreck-utation, about the frailty of reputation-based systems.  This topic is fresh on the minds of all security researchers after witnessing the mass IFRAME injection attacks, which crippled the credibility of some of the most trusted sites.  He also talked about the emergence of CAPTCHA pharms...that's a total exaggeration, but I wouldn't be surprised...but he did talk about how people are getting paid by spammers to decipher these registration annoyances, or bot stoppers; it depends which side you're on.  However, I thought that applications like pwntcha were still the predominant method of cheating the Turing Test.

What Would Turing Do?

Cutting things a little short today, I will cover some of the more interesting talks from BlackHat Europe 2008 on my weekend edition blog.

I can't think of anything witty to end on.

Boo me off stage at: greyhat@computer.org


Copyright © 2008 IDG Communications, Inc.
