My favorite talk, as expected, was the Sotirov/Dowd talk on How To Impress Girls With Browser Memory Protection Bypasses. The attack is a conceptually simple, yet completely reliable technique for exploiting vulnerabilities in web browsers. Of course, the media has sensationalized the impact of their findings, but ultimately, this is still significant as far as browser-based exploits are concerned. It’s worth mentioning that part of the technique allowing them to load a .NET DLL at an arbitrary location under Vista was reliant on an implementation bug wherein the OS disables ASLR if the version in the .NET COR header was below a certain value. However, the address space spraying and stack spraying techniques are likely to be extended to other platforms utilizing similar memory protection mechanisms.

As for the girls? I can report first-hand that the ladies at TAO on Wednesday night were hanging on Alex’s every word. They were particularly impressed when he whipped out the laptop for a live demo. Unfortunately, none of the dozen iPhone owners in the immediate vicinity thought to snap a picture (too busy Twittering). Oh well.

I also enjoyed Hovav Shacham’s talk on return-oriented programming. Simply put, he described a generalization of the return-to-libc shellcode approach with the intent to demonstrate that one could achieve Turing-complete computation using “found code” in process images. By chaining together series of mini-computations ending in return (RET) instructions, it was possible to build higher-level programming constructs such as branches and loops. The nature of the x86 instruction set provides some flexibility because instructions are interpreted differently depending on how you align the instruction pointer (i.e. the old shellcode trick of searching the process image for any JMP EBX instruction and using that as your EIP). In RISC architectures such as SPARC, however, you don’t have that luxury; if your %pc isn’t aligned properly you get a bus error. So it was quite interesting to see that they were able to extend the concept to RISC. The practicality of the attack technique is limited by the fact that the shellcode is tuned to a particular binary image — if the shellcode was built using instructions extrapolated from glibc 2.3.5, it won’t work for a system running glibc 2.4.

I thought Scott Stender’s talk on Concurrency Attacks in Web Applications was interesting as well. In a nutshell, spewing thousands of simultaneous requests at web application transactions that are not thread-safe can create interesting problems. In the presentation, Scott ran his demo against a VM running on the attack machine. I found myself wondering how effective the same attack would be over the Internet — would it be significantly less reliable (or not at all)? Race conditions are generally easier to exploit locally than remotely due to more predictable execution conditions. Certainly this is an under-tested vulnerability class though.

One presentation I wasn’t able to attend but want to follow up on is Nate McFeters, John Heasman, and Rob Carter’s talk which discussed the GIFAR attack I’ve been hearing so much about lately. The gist is that you can create a file that is both a valid GIF and a valid JAR, then use some Java applet tricks to initiate HTTP requests on behalf of the victim.

Finally, the Pwnie Awards didn’t fail to disappoint. Drama ensued over the Most Overhyped award, but at least this year some of the winners showed up to claim their awards! Halvar rapping Symantec lyrics was also quite memorable.

All in all, a fun and informative week, but as usual, I was relieved to get the hell out of Vegas and head home on Friday morning.

P.S. For a much more entertaining BlackHat/Defcon Recap, read Jennifer Jabbusch’s account of the week’s events. It’s my favorite one so far!

My favorite talk, as expected, was the Sotirov/Dowd talk on How To Impress Girls With Browser Memory Protection Bypasses. The attack is a conceptually simple, yet completely reliable technique for exploiting vulnerabilities in web browsers. Of course, the media has sensationalized the impact of their findings, but ultimately, this is still significant as far as browser-based exploits are concerned (here is a more accurate report). It’s worth mentioning that part of the technique allowing them to load a .NET DLL at an arbitrary location under Vista was reliant on an implementation bug wherein the OS disables ASLR if the version in the .NET COR header was below a certain value. However, the address space spraying and stack spraying techniques are likely to be extended to other platforms utilizing similar memory protection mechanisms.

As for the girls? I can report first-hand that the ladies at TAO on Wednesday night were hanging on Alex’s every word. They were particularly impressed when he whipped out the laptop for a live demo. Unfortunately, none of the dozen iPhone owners in the immediate vicinity thought to snap a picture (too busy Twittering). Oh well.

I also enjoyed Hovav Shacham’s talk on return-oriented programming. Simply put, he described a generalization of the return-to-libc shellcode approach with the intent to demonstrate that one could achieve Turing-complete computation using “found code” in process images. By chaining together series of mini-computations ending in return (RET) instructions, it was possible to build higher-level programming constructs such as branches and loops. The nature of the x86 instruction set provides some flexibility because instructions are interpreted differently depending on how you align the instruction pointer (i.e. the old shellcode trick of searching the process image for any JMP EBX instruction and using that as your EIP). In RISC architectures such as SPARC, however, you don’t have that luxury; if your %pc isn’t aligned properly you get a bus error. So it was quite interesting to see that they were able to extend the concept to RISC. The practicality of the attack technique is limited by the fact that the shellcode is tuned to a particular binary image — if the shellcode was built using instructions extrapolated from glibc 2.3.5, it won’t work for a system running glibc 2.4.

I thought Scott Stender’s talk on Concurrency Attacks in Web Applications was interesting as well. In a nutshell, spewing thousands of simultaneous requests at web application transactions that are not thread-safe can create interesting problems. In the presentation, Scott ran his demo against a VM running on the attack machine. I found myself wondering how effective the same attack would be over the Internet — would it be significantly less reliable (or not at all)? Race conditions are generally easier to exploit locally than remotely due to more predictable execution conditions. Certainly this is an under-tested vulnerability class though.

One presentation I wasn’t able to attend but want to follow up on is Nate McFeters, John Heasman, and Rob Carter’s talk which discussed the GIFAR attack I’ve been hearing so much about lately. The gist is that you can create a file that is both a valid GIF and a valid JAR, then use some Java applet tricks to initiate HTTP requests on behalf of the victim.

Finally, the Pwnie Awards didn’t fail to disappoint. Drama ensued over the Most Overhyped award, but at least this year some of the winners showed up to claim their awards! Halvar rapping Symantec lyrics was also quite memorable.

All in all, a fun and informative week, but as usual, I was relieved to get the hell out of Vegas and head home on Friday morning.

P.S. For a much more entertaining BlackHat/Defcon Recap, read Jennifer Jabbusch’s account of the week’s events. It’s my favorite one so far!

I have written before about what a joke I think it is when people write that Microsoft???s best days are behind it and that their corporate grave is already being dug.  Google is going to usher in a new age of net centric computing and topple the once and future king. Yeah sure.  Don Dodge had a good article up the other day about Microsoft???s recent end of FY numbers.  The Redmond rockets racked up over 60 billion (yeah with a b) in revenue last year, an 18% increase over the year before!  They dropped 17.6 billion (again with a b) to the bottom line.  To give it some perspective, Yahoo all told only does about 7 or 8 billion in gross revenue a year.  Microsoft grew 9 billion in revenue last year.  That is they grew organically more than a whole Yahoo.  You can check out Don???s article for more financial facts and figures.

I ask you ladies and gentlemen, does this sound like the numbers of a company on the way down?  If you were a betting person, would you be betting against this monster?  I would not be.  Do you think by 2011 things are going to fundamentally change? Next time someone tells you how open source, Linux, Google or anyone else is going to kill Microsoft try to put some of these numbers in prospective.

I have written before about what a joke I think it is when people write that Microsoft’s best days are behind it and that their corporate grave is already being dug.  Google is going to usher in a new age of net centric computing and topple the once and future king. Yeah sure.  Don Dodge had a good article up the other day about Microsoft’s recent end of FY numbers.  The Redmond rockets racked up over 60 billion (yeah with a b) in revenue last year, an 18% increase over the year before!  They dropped 17.6 billion (again with a b) to the bottom line.  To give it some perspective, Yahoo all told only does about 7 or 8 billion in gross revenue a year.  Microsoft grew 9 billion in revenue last year.  That is they grew organically more than a whole Yahoo.  You can check out Don’s article for more financial facts and figures.

I ask you ladies and gentlemen, does this sound like the numbers of a company on the way down?  If you were a betting person, would you be betting against this monster?  I would not be.  Do you think by 2011 things are going to fundamentally change? Next time someone tells you how open source, Linux, Google or anyone else is going to kill Microsoft try to put some of these numbers in prospective.

Thursday was a little different, I got up early and got a few ‘real’ work things done (you know, those things) before heading off to meet Mike Fratto for a project he’s working on. More on that later.

I made it back to the show around lunch-ish but didn’t stop for lunch yet, since the show floor was closing at 4:00pm- I still had some browsing and chatting to do. Starting around 3:45, I took a ‘Last 15 on the Floor’ series of shots from the expo floor.

At some point Thursday or Wednesday, I did stop by the Security Smackdown challenge they had running- pretty neato- bunch of hackers beatin’ each other down for the ultimate Smackdown Title. WWCF: World Wide Crypto Fighting…. or… something like that. There was a guy sporting an overtly over-sized gold WWF-style belt… hence the joke… nevermind.

Anyway, I also stopped by the ‘official’ RSA Bookstore and picked up a little book on 802.1X. When I say little, I mean little… and it was $60. Yes, seriously. To top it off, it’s probably the most poorly-written book I’ve ever read. You’ll see a book review on that later. I want to give it a fair shake and read the whole thing, but I’m not entirely sure I can submit myself to much more of the torture… we’ll see.

Thursday evening was the big RSA Codebreakers Bash and they really did it up right! There were several rooms full of fun, regardless of your taste. One room had a really good cover band and lots of music and dancing, another room had a huge bar area and light display I could have watched for hours. In one area, they had Guitar Hero full band playoffs, and in another yet bubble-head karaoke. Across the hall was a little more subdued, with more quiet sitting areas, perfect for chatting over a glass of wine. They also had crazy looking costumed ladies applying barcode tattoos to whomever was drunk enough to let them paste them on their forehead or face…. yeah… I have no clue about that one. I stopped in for about an hour before calling it a night. Thursday was day 6 in San Fran for me and I was exhausted. I did get some photos for you to try and capture the chaos. View photos from the Bash.

That pretty much sums up my day, and I left the hooplah on a Friday morning flight back to the East Coast. That’s about all I have from RSA 2008, but you’ll be hearing about some fun new projects and events that have grown out of this trip.

Next stop: Interop Las Vegas (yee-haw!)

# # #

This is my first year at RSA, and I really had no clue just how large it was. The expo floor is massive, and it’s filled with near-Interop-sized booths and hooks. To kick the day off, I caught the morning keynotes in the main hall, then took some time finding our partners and other folks on the expo floor. I attended some peer to peer breakouts, but due to the nature of those sessions, I’m not going to publish any information from those. Aside from that, here’s how Day 1 went…

I visited WinMagic and chatted with Thi Nguyen-Huu (their CEO), Joseph Belsanti (Director of Marketing) and several other great folks there, including Diane and Maurice. Later in the day, I stopped back by to hear Rich Mogull’s 15-minute talk on disk encryption and FDE there at the WinMagic booth. They had a full audience for that one, and I believe there are two more both today and tomorrow if you’d like to see it. You may be seeing more info from me on WinMagic’s SecureDoc solution… stay tuned for that.

I found the Juniper crowd and ran into Lisa Lorenzin and fellow TNC’ers at the TCG (Trusted Computing Group) booth. I’m hoping to re-visit there today and see some of the interoperability demos. They had a pretty steady crowd there yesterday.

Of course I stopped by the ISC² booth and have a t-shirt to show for that. (Remind me, I have another tidbit to share with you later).

What else… Oh I’m hoping to stop back over to see the Splunk demo. I’ve heard they have a great logging solution, and we’re getting requests from several customers to recommend a log management product. Yesterday was a bit too chaotic and I due to the noise and traffic flow I wasn’t able to get in a position to actually hear anything. Splunk was the source of my second t-shirt. I have to give them kudos, it’s a ladies baby doll tee and reads “We take the SH out of IT”.

My favorite of the day had to be over in Alan’s neck of the woods at the StillSecure booth. Depending which side of the booth you approached from, you may or may not have enjoyed the humorous ‘Cisco Recycling Center’ theme happening on one side. There was an overhead sign (as seen here), complete with the actual recycling bin (here’s that one). I didn’t take many photos yesterday because I forgot to recharge the camera after all the garden photos- but- I had to at least get these pictures. (And, congrats to StillSecure on their SC Magazine Awards win last night!)

I stopped by the Microsoft booth to learn a little more about the new products and NAP. They gave me a cute little review of how 802.1X worked, explained the endpoint checking and reporting and then one of the guys told me the best place to get more information was on their website. Uh.. okay. LOL. So, sorry but there’s not much information to report back from that experience.

Tipping Point was an unexpected stop for me. Completely unrelated, there’s a project I’m involved with and the team leader from that project sent a text instructing me to go find another team member, who happened to be a global product manager at Tipping Point. I headed that way to find my ‘person’ and was pleasantly surprised by some of the solutions I saw while I was there.  

Throughout my meanderings on the expo floor, I was able to find several fellow Security Bloggers and Security Twits by strategic use of Twitter. :) Among those, I found Jack Daniel, Jennifer Leggio, Stacy Thayer, Dan O’Neill, Rich Mogull and Martin McKeay.

I was able to catch up with Mike Fratto after the sessions and talk him into a ginger ale before he headed off to do a little writing. If you don’t know who Mike is, he’s - well I guess several things - security editor for Information Week, lab director, lead NAC Analyst for Network Computing. I’m not sure of the ‘official’ titles, but he’s the media NAC go-to-guy. Definitely check out his NAC Immersion Center blog.

And today? Another day full of meet-n-greets, keynotes adn breakouts. Tonight? Tonight is the Security Bloggers Meetup!

# # #

I may disagree on the photo comment. First of all, it’s really bad. Secondly, I’ve emailed responses to several of my readers’ comments and (much to my surprise) found they didn’t realize I was ‘a girl’. Shocking right? When they saw ‘Jennifer’ in my email signature they figured it out. So, I don’t know that the photo has any impact on readership, but I could be wrong. However, if you do read my blog because I’m female and you like the photo- I’m okay with that- you’ll still learn something ;)

Note to self: I definitely have to do something about that horrible photo! I’ve been procrastinating for a while and searching for a photographer and stylist to get some new ‘real’ head shots taken. I hate having my photo taken, so I’ll keep you posted on that.

Women in IT…

The timing of your post is amazing as well. Over the past couple of weeks I’ve received several emails from fellow women in IT who wanted to make a connection, swap stories and find a commerad-ess, or two, in the world. I’ve even received postcards and written notes from thoughtful ladies who found my information online. I guess I never realized what a struggle some women have in the ‘man’s world’ of IT. I’m starting to realize it more, as I meet new friends and hear their war stories of moving up and gaining respect in the industry.

I’ve been lucky- I grew up in the IT industry and somehow managed to circumvent a lot of the ‘gender issues’. When I was about 16, I developed and taught computer and Internet-related courseware, and had to teach it to adults (and yes, they’re actually worse than the 2nd graders!) Around that same time, I was sitting on a state agency board as a SME on web usage and development.

I was young and a female (and blonde), so I most certainly had to prove myself and establish a repertoire to gain the respect of my peers; mostly middle-aged and older men who had been in the industry longer than I’d been alive.

Knowing what you don’t know…

Getting thrown in early certainly taught me valuable lessons. I made sure I knew my stuff inside and out, and conversely, I made sure I was comfortable asking questions on topics I didn’t know about. Part of the respect comes from ‘knowing what you don’t know’ and being able to admit it. I think I’m pretty good at that and it’s carried me far. :)   Plus, I had two great role models to learn from.

However it happened- through some combination of luck and hard work- I’m happy to be where I am. Our customers, partners and colleagues look to me for answers and insight. I know they trust me and and that’s an amazing feeling. It’s also what drives me to be the best at what I do, and to keep learning, studying and working at it.

They’ve given me their trust, and I try really hard to give them something back that’s equally as important.

# # #

Imagine Bob Sheppard's one of a kind voice booming over the PA system at Yankee Stadium.  The words echoing off the hallowed stands that Ruth built, near first base where Gerhig stood, over the green grass of centerfield where DiMaggio and Mantle roamed. Ladies and Gentlemen, now hitting for the NY Yankees, number 60, Billy Crystal. For one of my favorite comedians, a life long dream came true for his 60th birthday.

It is no secret that Crystal who grew up in Long Beach, Long Island is a die hard, crazy Yankee fan.  Today the Yankees probably made him "the luckiest man on the face of the earth", or at least since another Yankee said those words.  They signed Billy to a one day contract and let him suit up and take an at bat in a pre-season game.  Alas, the mighty Crystal struck out, but not before fouling a ball off down the line and running the count to 3 and 2. What a special event and great thing to do for a special fan.  I can only imagine the goose bumps that Billy for sure had!  Classy move by the Yankees.

This is the last year for the greatest sports venue in America, Yankee Stadium.  I very much want to take my boys up this season to see at least one game in the old stadium.  In the meantime if anyone really wants to make me happy, maybe you can finagle to get me a similar stint with the Yanks.  If not I would settle for coming and playing QB for the Steelers for a play as well.  But I guess I am no Billy Crystal, but I can dream can't I? Like Yogi says, it ain't over till its over.

Imagine Bob Sheppard's one of a kind voice booming over the PA system at Yankee Stadium.  The words echoing off the hallowed stands that Ruth built, near first base where Gerhig stood, over the green grass of centerfield where DiMaggio and Mantle roamed. Ladies and Gentlemen, now hitting for the NY Yankees, number 60, Billy Crystal. For one of my favorite comedians, a life long dream came true for his 60th birthday.

It is no secret that Crystal who grew up in Long Beach, Long Island is a die hard, crazy Yankee fan.  Today the Yankees probably made him "the luckiest man on the face of the earth", or at least since another Yankee said those words.  They signed Billy to a one day contract and let him suit up and take an at bat in a pre-season game.  Alas, the mighty Crystal struck out, but not before fouling a ball off down the line and running the count to 3 and 2. What a special event and great thing to do for a special fan.  I can only imagine the goose bumps that Billy for sure had!  Classy move by the Yankees.

This is the last year for the greatest sports venue in America, Yankee Stadium.  I very much want to take my boys up this season to see at least one game in the old stadium.  In the meantime if anyone really wants to make me happy, maybe you can finagle to get me a similar stint with the Yanks.  If not I would settle for coming and playing QB for the Steelers for a play as well.  But I guess I am no Billy Crystal, but I can dream can't I? Like Yogi says, it ain't over till its over.