Alright, I am back from day 2 of CanSecWest. Even though we started right at 9:00 AM today, surprisingly many people made it to the conference room at the Sheraton Wall Centre on time. I am detecting a disturbing lack of party dedication there. Or maybe all these people were just like me, hoping for a free breakfast. Unfortunately, the free food provided by the hotel gets worse from year to year. Anyway, let's take a quick look at the talks, as the line-up was amazingly strong today.
The day started off with a talk about malware on gaming consoles and mobile devices by DongJoong Ha and KiChan Ahn. They talked about what kind of network attacks are possible by owning some kind of always-connected gaming consoles. They also showed how malicious code can be injected in pirated software to build up botnet capabilities with the help of people that really, really need to get the latest Super Mario game for free. I really enjoyed the talk even though they did not really present new ideas. Rather, they ported known techniques from older devices to game consoles. Still, you can never be wrong talking about game consoles in front of a crowd of nerds.
The second talk was called Dynamic Cryptographic Trapdoors by Eric Filiol. That was the only talk I skipped. Eric is a pretty smart guy and when he talks about cryptography it will fry my brain. I did not need this again. Rather, I went outside to hack away for an hour on my Flash RE tools.
After Eric's talk I went back inside to see Haifei Li's talk about ActionScript 3 vulnerabilities in Flash. He focused on type confusion in the ActionScript virtual machine caused by mismatches between what the ActionScript code verifier verifies and what the ActionScript JIT compiler compiles and executes. Due to my day job I have seen exactly that kind of bug roughly a million times already. Still, Haifei's talk was interesting and it is good to see what kind of work other people do on Adobe stuff.
After lunch (my food quality complaint still applies), Andrea Barisani and Daniele Bianco of Inversepath talked about Chip & PIN cards, which are very popular in Europe. They talked a bit about the Chip & PIN standard, its weaknesses, and potential attack vectors. They also brought some surprisingly small skimming devices to show to the audience. Even though this is not my kind of topic, the talk was the most interesting talk of the day. As part of their presentation, Andrea and Daniele produced a short movie that can only be described as legendary. I have already asked them to upload the video to YouTube, but unfortunately they did not warm up to that idea.
The next talk was by Ilja van Sprundel. Oh no, wait. When it was time for Ilja's talk he was not to be found anywhere. Instead, Graeme Neilson went on stage to give his talk first. Graeme talked about different network devices like switches and how to install rootkits on them. As part of his research he took a look at 10 devices from different vendors like Cisco, Juniper, Checkpoint, and others. He then gave three live demos of how fast he can put his own code onto those devices because of the lack of code integrity checks on the network devices.
Afterwards it was finally Ilja's time on stage. Unlike the other speakers, he was not content with water. If the man wants beer, the man gets beer. He talked about iPhone security issues but unlike many other researchers he did not focus on iOS but rather on security vulnerabilities on the application level and the iPhone standard library. Stuff like cross-site scripting in default HTML components, format string vulnerabilities, or the misuse of the C-string functions. Unfortunately, Ilja was confused and surprised by the order and content of his own slides once in a while (see photo).
Then it was time for Michael Ossmann to give his talk about Bluetooth hacking. I do not know anything about Bluetooth or hardware hacking in general, so I cannot comment on the content of the presentation. However, his slide set design was one of the best I have ever seen at a security conference, and his speaking style was very pleasant too. The audience seemed entertained.
The last talk of the day belonged to Marc Schoenefeld. It was a talk about finding font parser bugs with his fuzzer. Most of the time when someone speaks about his awesome fuzzer at a con, he will not talk about the exploitable bugs he has found with it (because he has not found any). Marc did the opposite. He described bug after bug he found in the font parsing engines of the major browsers and operating systems. I have never seen anybody give his talk as tiefenentspannt as he did. It was great. I can only come up with one word to summarize his talk: Telephone.
And now I am off to the Tron-themed conference party!
Random observations of the day:
- Apple and Blackberry tried to game the Pwn2Own rules by releasing OS updates for their devices only days before the contest. Then they sent their biggest nitpickers to the Pwn2Own people to make sure that the new OS version was used in the contest. This caused endless delays and much eye-rolling in the audience. All crocodile tears proved useless in the end, and both the Blackberry phone and the iPhone fell as usual. No surprises there. More investment in security and less investment in Lincoln-Douglas courses might have helped.
- Google apparently does not have a single PR person here. Why bother if your browser always survives Pwn2Own?
- This is the first conference ever I am attending where my presence has literally no purpose. I am not giving a talk. I am not trying to connect with anyone. I am not giving product pitches or demos. I feel like I am a bum loitering around there.
- Did I mention the food quality already?