InfoSeCon 2006 Wrap-up

Posted in Security by AST on Friday, May 12th, 2006


I originally had grand plans to do a day-by-day summary of the conference, but then I decided that I really didn’t want to touch my computer any more than I had to while I was at the conference (well, that and the fact that the wireless in the hotel didn’t cover my room). As a result, I’m going to lump it all together and just focus on overall impressions and highlights.

Personally, I had a great time at this year’s InfoSeCon conference in Dubrovnik. Last year, I had the opportunity to meet some really well-respected security professionals like David Bianco, Vince Gallo, Richard Neely, Jorge Sebastiao and John Sherwood who were all back for this year’s conference. It was great to see them all again and see what they’ve been up to since last year.

This year, I also had the opportunity to meet and have some really good chats with Ron Collette, Steven Cox, Mike Gentile, Marcus Ranum and Radovan Semancik. The nice thing about InfoSeCon is that because it is a smaller conference, you really have the opportunity to interact and get to know people. I think this is a really valuable experience for both the speakers and the delegates.

Some of the things that really stand out in my memory of this year’s conference are:

Vince Gallo’s presentations on Steganalysis and Intel’s new LaGrande technology

The steg presentation was very interesting because it showed that there really are trends that you can identify from seemingly random image information that can be used to detect messages embedded in binary formats. I’m not giving anything away here because the research and implementations that Vince and his team at Inforenz are doing are based on published work that is freely available.
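A small illustration of the kind of statistical trend the paragraph refers to, added here and not Inforenz's or Vince's code: the published pairs-of-values observation (Westfeld and Pfitzmann, 1999) that replacing least-significant bits with a random payload evens out the counts of each value pair (2k, 2k+1), which a cover signal does not do on its own. The "image" is a constructed one-dimensional array of 8-bit samples with an exaggerated LSB skew, the embedding routine only exists to produce the stego sample for comparison, and the threshold is an assumption chosen for this demo.

```python
"""Pairs-of-values LSB steganalysis on constructed sample data.

Added example, not an implementation from the talk. The cover is a
constructed array of 8-bit samples (not a real image); the statistic is the
mean normalised imbalance between the counts of 2k and 2k+1 values.
"""
import random
from collections import Counter


def make_cover(n_samples, seed=1):
    """Constructed cover: sample values with a deliberate LSB skew.

    Natural data has unequal counts within each (2k, 2k+1) pair; this
    exaggerates it by drawing mostly even values so the effect is obvious.
    """
    rng = random.Random(seed)
    samples = []
    for _ in range(n_samples):
        value = rng.randint(0, 127) * 2      # even value in 0..254
        if rng.random() < 0.1:               # only 10% land on the odd neighbour
            value += 1
        samples.append(value)
    return samples


def embed_lsb(samples, bits):
    """Full-capacity LSB replacement; used only to build the stego sample."""
    return [(s & ~1) | b for s, b in zip(samples, bits)]


def pov_statistic(samples):
    """Mean of |n_2k - n_2k+1| / (n_2k + n_2k+1) over all occupied value pairs.

    Near 0 means the pair counts have been equalised, the fingerprint of
    LSB replacement with a random payload; an untouched cover sits well above.
    """
    counts = Counter(samples)
    total, pairs = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        if even + odd:
            total += abs(even - odd) / (even + odd)
            pairs += 1
    return total / pairs if pairs else 0.0


def looks_like_lsb_stego(samples, threshold=0.3):
    """Decision rule; the threshold is an assumption for this demo data."""
    return pov_statistic(samples) < threshold


def demo(n_samples=200_000, seed=1):
    """Return (cover statistic, stego statistic) for a constructed cover."""
    cover = make_cover(n_samples, seed)
    rng = random.Random(seed + 1)
    payload = [rng.randint(0, 1) for _ in range(n_samples)]   # constructed message bits
    stego = embed_lsb(cover, payload)
    return pov_statistic(cover), pov_statistic(stego)


if __name__ == "__main__":
    cover_stat, stego_stat = demo()
    print(f"cover: {cover_stat:.3f}  stego: {stego_stat:.3f}")
```

On the constructed cover the statistic sits around 0.8, and after embedding it collapses to a few hundredths; on real images the skew is far smaller and the detector is usually run on a prefix of the pixels to find partial embeddings, which is where the published chi-square test adds its significance estimate.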

The LaGrande technology is something that I hadn’t heard about yet, but it is intended to allow you to provide, in Vince’s words, a secure “VPN-like channel” for the execution of code within an untrusted environment [software and hardware] that has important applications for trusted computing.

While the technical content of both presentations was very interesting, some of the stories Vince was telling at dinner really reinforced that we really do need to cultivate more people like Vince in the current technology workforce. He’s been in the business of writing security code and building secure hardware devices for more than 20 years.

What this really means is he’s seen a number of the 6-8 year iterations of ideas and technology come and go, and understands the strengths and weaknesses of technologies and techniques at a level that a lot of “senior and experienced” security professionals and developers just don’t have. It isn’t that there aren’t people as good as or better than Vince in the world, but they’re few and far between because of the way the industry works–you’re not supposed to have 20 years of experience and still be writing code every day. I mean, come on, what’s wrong with you?

However, if you ever have an opportunity to sit down and talk with these guys, you’ll be doing yourself a great disservice if you don’t take advantage of it. Think about this the next time a vendor or consultant tries to sell you a new security solution. Experience really does matter.

Marcus Ranum’s presentations on general security and firewalls

Of all the things you could say about Marcus, saying he was not someone with strong opinions wouldn’t be one of them. His presentation, “Dude, where’d my firewall go?” was very interesting and highlighted a few things that most people don’t think about:

  • Why today’s firewalls are so fast

    Marcus contrasted the early firewalls that he developed against the firewalls of today. There are a couple of key differences: first, the first generation of firewalls enforced protocol correctness based on the limited number of commands that were actually used by deployed software vs. the number of commands that were actually available.

    With the original firewalls, it didn’t matter too much about the vulnerabilities in the software because the firewall wouldn’t let unexpected application protocol traffic (often referred to as layer 7 traffic) past them. The device actually understood what was going on on the connection and would drop it if strange things started happening.

    Today’s firewalls don’t understand applications, so they don’t do anything other than relay traffic to a specific back-end application–with all of its vulnerabilities laid bare to the world for exploitation.

    The second reason that today’s firewalls are so fast is they generally don’t do anything useful out of the box. That’s right, the $60K piece of hardware is actually going to do nothing to protect your network until you enable the controls. What’s that about default to no access or something crazy like that? Oh, and when you do start turning on those controls, it will slow down the traffic going through your network. Wow. What a surprise, but, according to Marcus, people don’t find that acceptable so they turn off the protections. Excellent stuff.

  • Why signature-based tools like IDS and virus scanners don’t work

    This point was illustrated with a brilliant story about castle guards and Vikings (Marcus is also a bit of a military historian). The problem is that the tools (firewalls and anti-virus) don’t know about Vikings, they know about Eric the Red.

    Castle guard: “Are you Eric the Red?”
    Canute the Viking: “Nope.”
    Castle guard: “Ok, then. In you go.”

    At which point, Canute the Viking enters the castle and begins his conquest of England, Denmark, Norway and part of Sweden. Are you starting to see the issue here?

    The issue is that the guard needs to know all of the potential attackers on a first-name and by-sight basis. While this is theoretically possible, in practice it will never work because you’re always reactive and there are a lot more potential Vikings in the world than there are of you. Military history shows us that the people who were always on the defensive generally didn’t end up winning the war.
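The two points above, the positive model of the early firewalls and the castle guard who only knows Eric the Red, side by side as an added example (not Marcus's code or anything shown in the talk): a deny-list filter that passes anything not matching a known signature, beside a protocol-enforcing filter that accepts only the handful of SMTP verbs deployed clients actually use, with a simplified argument grammar and the 512-octet command-line limit from RFC 5321. The command subset, the signature strings and the session lines are all constructed for the demo.

```python
"""Signature (deny-list) filter vs. protocol-enforcing (positive-model) filter.

Added example, not from the post or the talk. The SMTP verb subset, the
argument grammar, the "known bad" signatures and the client session are
constructed for the demo; the 512-octet limit is RFC 5321's.
"""
import re

# The verbs a typical deployed mail client actually uses: the positive model.
# Anything else is unexpected application traffic and is dropped.
ALLOWED_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_LINE_OCTETS = 512  # RFC 5321 command line limit, CRLF included

# Simplified argument grammar per verb (constructed, narrower than the RFC).
ARG_PATTERNS = {
    "HELO": re.compile(r"[A-Za-z0-9.\-]+"),
    "EHLO": re.compile(r"[A-Za-z0-9.\-\[\]:]+"),
    "MAIL": re.compile(r"FROM:<[^<>\s]*>", re.IGNORECASE),
    "RCPT": re.compile(r"TO:<[^<>\s]+>", re.IGNORECASE),
    "DATA": re.compile(r""),
    "RSET": re.compile(r""),
    "NOOP": re.compile(r".*"),
    "QUIT": re.compile(r""),
}

# What the castle guard knows: constructed stand-ins for previously seen attacks.
KNOWN_BAD_SIGNATURES = [b"ERIC_THE_RED", b"HARALD"]


def signature_filter(line):
    """Deny-list: let it through unless a known signature matches."""
    return not any(sig in line for sig in KNOWN_BAD_SIGNATURES)


def protocol_filter(line):
    """Positive model: allow only a well-formed verb from the used subset."""
    if len(line) > MAX_LINE_OCTETS or not line.endswith(b"\r\n"):
        return False
    try:
        text = line[:-2].decode("ascii")   # SMTP command lines are 7-bit ASCII
    except UnicodeDecodeError:
        return False
    verb, _, arg = text.partition(" ")
    verb = verb.upper()
    if verb not in ALLOWED_COMMANDS:
        return False
    return ARG_PATTERNS[verb].fullmatch(arg) is not None


def filter_session(lines, policy):
    """Split client command lines into (allowed, dropped) under one policy."""
    allowed, dropped = [], []
    for line in lines:
        (allowed if policy(line) else dropped).append(line)
    return allowed, dropped


# Constructed client session: three normal commands, one unknown oversized
# verb nobody has a signature for yet, one line carrying a known signature.
SESSION = [
    b"EHLO client.example\r\n",
    b"MAIL FROM:<alice@example.org>\r\n",
    b"RCPT TO:<bob@example.net>\r\n",
    b"XFOO " + b"A" * 600 + b"\r\n",
    b"HELO ERIC_THE_RED\r\n",
    b"QUIT\r\n",
]


if __name__ == "__main__":
    for name, policy in (("signature", signature_filter), ("protocol", protocol_filter)):
        _, dropped = filter_session(SESSION, policy)
        print(name, "dropped:", [d[:20] for d in dropped])
```

Run against the session, the signature filter drops only the line it has a name for and waves the oversized unknown verb through (Canute at the gate); the protocol filter drops both, because it never agreed to carry anything but the verbs and argument shapes the deployed software actually needs. The cost is exactly the one Marcus describes: the second filter has to understand the application, and it gets slower and stricter as that understanding grows.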

I hadn’t gotten the opportunity to meet Marcus in the past, but I had read some of his articles. I have to say that you can’t really form an opinion about Marcus until you meet him in person. I certainly have a different impression of him than I did before the conference. There was no question that he was a smart, funny and irreverent guy who knew his stuff, but he’s also a very interesting and genuine guy who really doesn’t just disagree with things for the sake of disagreeing (despite what you may think from reading some of his work). I have a tremendous amount of respect for Marcus and what he knows–even if I don’t always agree with him (now that I know Marcus, I’m sure he’ll take this in the way that it was intended). :)

Jorge Sebastiao giving me the best intro I could have possibly wanted for a presentation on privacy (flash required)

At the end of Jorge’s presentation on Business Impact Analysis, he played the above flash video about the guy who tries to order a pizza and is refused the one he wants because the pizza order taker has access to his health records and other personal information. I don’t really remember how it fit with his presentation, but I think I’ll have to work it in to mine for the next time I give it. Why is it we’re concerned about access to our personal information again?

The tag-team presentation by Mike Gentile and Ron Collette on security program development

I ended up sitting on the plane next to Mike and his wife on the way to the conference and this was the start of a couple of new friendships with the folks from California. All week long, Mike and Ron were talking about what a rebel each of them was and how many people they deal with see what they’re saying about security as highly controversial. I was looking forward to their presentation, and couldn’t imagine what it was going to be like.

You also need to understand they both are accomplished athletes (Mike played soccer and Ron played American football), so to see them present is a very interesting study in both American culture and teamwork. It wasn’t quite one completing the other’s sentences, but it was a very effective presentation technique. Having spent a lot of time with them this week, I can attest that they’re really just like that, but I can imagine the reaction they might get at Fortune 100 companies, because they’re both really down-to-earth and practical guys focused on results.

The best part was that after their presentation, David Bianco made the comment that he really didn’t see anything controversial in their message at all–it was just sound security practices. David’s comment got resounding nods from most of the other people in the audience. However, the issue here isn’t that Mike and Ron were preaching to the choir, because there was really some good stuff in what they said; instead, the issue is that what they said could be considered controversial at all. It underlines the fact that in any aspect of security, most organizations really have a lot to learn about how to do it properly. While this is good news for security professionals, if you really think about it, it’s pretty terrifying as a customer of these organizations. Mike and Ron are going to be really successful because they know what they’re talking about, they can articulate it in a way people understand, they’re genuine and they care about what they’re doing.

In reality, there were a lot more great things that happened at the conference than these, but I don’t want to end up writing War and Peace. I think that everyone I talked to really enjoyed the conference and thought it was worthwhile.

Finally, I want to thank Stanko & Biljana Cerin for all their hard work in putting the conference together. These are two of the nicest, most genuine and hard-working people that I’ve met. They really believe in bringing a high level of quality security material to people in Croatia and the surrounding countries. Not only do they believe it, but they are also qualified security professionals in their own right.

I’m already looking forward to next year’s conference–better go start figuring out what I’m going to talk about…

1 Comment »

  1. Insights » Are XML Gateways Really the Answer? said,

    June 1, 2006 at 1:05 am

    […] With this in mind, how does an XML gateway actually prevent you from buffer overflow attacks? Not being someone who implemented one of these things, I’m only guessing here, but one way is to do it based on signatures. This puts it in the same camp as virus checking and NIDS, where, as has been pointed out before (remember the Viking story?), there’s an inherent latency between when a new attack is identified and when the signatures are deployed on any existing devices. Maybe it’s more sophisticated than that, but I’m not really sure how else you’d do it, because there’s no way the gateway can know anything about your implementation language and software. This means something very important to anyone developing their own software: if you have buffer overflow problems in code you write, there’s no way for the gateway to know about it. […]
