Coffee To Code

I always enjoy reading the Christmas Challenges created by Ed Skoudis and Yori Kvitchko over at ethicalhacker.net. This year’s puzzle was “The Nightmare Before Charlie Brown’s Christmas” and offered a chance to play around with VoIP, which I don’t get to do much of normally.

The winners were just posted, and my entry got the nod for Best Creative Entry. This is particularly awesome for me since the original Counter Hack (by Skoudis) was one of the first security books I ever bought.

I highly recommend reading through the contest and the answers; as always, the technical walkthrough is hugely informative, and they cover a massive toychest of wicked VoIP hacking utilities. There’s also some pretty nice command line kung foo (hat tip) that makes me remember the power of the Unix philosophy of small tools.

I posted this some time ago in a different forum and was recently asked to repost it here, and I’m happy to get it a wider audience. I think this is important for everyone and equally relevant for any internet user, be they high school students, parents, or yes, we software professionals. There’s plenty more to be said on everything contained below, but I hope a degree of succinctness will set off the core ideas.

~PST

——————————————

I. You have the right to remain silent.

You do not need to blog. You do not need to “Reply to this post.” You
do not need to Get MySpace, and you do not need to Facebook Me. If you
say nothing, the blogosphere will not deflate and strangers on
message boards will not miss your advice. If you say nothing, the
internet will not notice.

II. Anything you say can and will be used against you in the court of public opinion.

Nothing on the internet is private. Your real name, your AIM handle,
your livejournal, and the email address you had in high school are all
out there for anyone who cares to look. Just because you don’t know
how to find it doesn’t mean it can’t be found. The internet has a very
long memory. You should be willing to bet that it’s longer than yours.
Anyone you meet could know things about you that you have forgotten
you ever said. Speak slowly and carefully… there are a lot of people
listening.

III. You have the responsibility to be skeptical about everything; if you lack the ability to do so, find someone who will do so on your behalf.

The internet is not a library. The internet is not a newspaper. The
internet is a cacophonous bazaar of peddlers, kooks, and unruly
children sharing the same advertisement littered street corner as
politicians, scientists and parents. There are no signposts that
announce when you’re in the wrong part of town, and no one is going to
tell you when you’re being lied to or misled. An open and  skeptical
mind and a sense of personal responsibility are the rules of the road;
no shirt, no shoes, no service.

As everyone’s gearing up for the madness this week, I thought I’d join in. I’ll be giving talks at both BlackHat and Defcon on some of my recent work in webapp fingerprinting.

At BlackHat: (Wed 7/28, 1515) BlindElephant: Web Application Fingerprinting with Static Files

At Defcon: (Fri 7/30, 1400) Web Application Fingerprinting with Static Files

The Defcon talk is essentially a shorter, more technically focused version of the BH talk. Links to code available here after the talk!

I’ve been sorting through the massive amount of content on display over the next week, and the various posts others have made on what they intend to catch have been useful. Here’s some of my “want to see” list (I actually found there’s usually at least two presentations I really want to see in each timeslot, but I gotta choose):

Wednesday:

• 1000-1100 Wayne Huang, Caleb Sima: Drivesploit: Circumventing both automated AND manual drive-by-download detection
• 1115-1230 Charlie Miller, Noah Johnson: Crash Analysis using BitBlaze
• 1345-1500 Barnaby Jack: Jackpotting Automated Teller Machines Redux
• 1515-1630 Me! BlindElephant: Web Application Fingerprinting with Static Files

I’m kinda bummed I’m at 1515 because I actually really wanted to catch Arshan Dabirsiaghi:
JavaSnoop: How to Hack Anything Written in Java.

Thursday:

• 1000-1100 Nathan Hamiel, Marcin Wielgoszewski: Constricting the Web: Offensive Python for Web Hackers
• (My colleague Ivan Ristic is also giving his talk State of SSL on the Internet: 2010 Survey, Results and Conclusions Routers in this slot; it’s good stuff, so I’m torn.)
• 1115-1230 Julien Tinnes, Tavis Ormandy: There’s a party at Ring0 (and you’re invited)
  • (Gunter Ollman is also talking a 1115. If you’ve never heard him speak or want an intro to the economic underpinnings of malware and botnets, definitely check it out)
• 1345-1500 David Byrne, Charles Henderson: GWT Security: Don’t Get Distracted by Bright Shiny Objects
  • (Though I am interested in the TitanMist project, I’m skeptical of all “frameworks”)

And finally, my coworker Rami is going to be giving the details on the malware detection he built. He’s modest about the underlying techniques, but the full system is pretty cool. Do check it out.

• 1515-1630 Rami Kawach: NEPTUNE: Dissecting Web-based Malware via Browser and OS Instrumentation

I hope to get to BSides for at least a while, and I haven’t even figured out what I’m going to catch at Defcon (somehow it seems less amenable to planning than Black Hat)

If you’ll be be around, look me up! As usual, email or @coffeetocode on Twitter.