Computer Security and Information Security

Robert Malmgren AB

“Trust is good, control is better.”

2010/06/23

AppSec Research, Stockholm

OWASP, the group that focuses on security at the programming and implementation stage of software engineering, is holding a 2-day conference in a sunny Stockholm. It's held at the University of Stockholm in their new Aula Magna. It's a beautiful place, but it is built with one major drawback - no; NO! outlets anywhere in that humongous room....

The keynote was delivered by 2 people from Google: Chris Evans and Ian Fette. The keynote was entitled "Cross-Domain Theft and the Future of Browser Security". They talked about malware detection and protection with the Google blacklist initiative, and more interesting for us - they spent a lot of time talking about sandboxing as a good security mechanism, how sandboxing is part of Chrome, etc. Google seems to focus a lot of their attention on protecting the client environment by sandboxing the render process in Chrome. The problem with this approach is that add-ons and extensions still might be unprotected.

The 2 most interesting other talks I attended during the day were Ivan Ristic's talk called "How to Render SSL Useless" and Steve Ocepek and Wendel Henrique's talk entitled "Owning Oracle: Sessions and Credentials". Ivan described 10 basic errors many sites have - many problems which erode the trust that SSL/TLS is supposed to create for you.

The Oracle session was quite interesting, since they focused a lot on demoing their attacks. They showed their home-brewed tools "thicknet" and "vamp" to do some session hijacking. This is of course not something new in general - tools like hunt, juggernaut, ettercap, etc., have been doing these things for ages. The interesting part here is the decoding of TNS, SQLNet and similar. The different cases they demoed included injecting SQL statements, downgrade attacks that forced old-type DES-encrypted passwords being sent and sniffed, and sniffing of Windows challenge-response that got captured and cracked with your standard Windows password cracker.

Ocepek and Henrique's tool, thicknet, can be found here


----
Written by Robban @ 2010-06-23