Tech 11 Feb 2005 02:32 pm

SecureCon

SecureCon, a free two-day conference on computer security issues, is happening here (it started yesterday), and I’ve attended a few of the sessions. The attendees are mostly university people, but there are a few corporate employees and non-affiliated people around. It is not a “marketing” conference; that is, presentations go into technical details and corporate presenters get some “hostile” questions at the end of their talks.

Today started with a presentation by Sam Trad, from Cisco, about their Network Access Control products, notably Cisco Trust Agent and related technologies. This is a piece of software that is installed onto network clients and that authenticates the client to the network before it’s granted access. During this authentication process, the agent tells the network what kind of software the client has installed, and the network can have policies in place that, for example, allow access only to WinXP boxes with SP2 plus the most recent patches, or Win2000+SP4+a current antivirus, and so on. The agent reportedly already comes with some antivirus packages, and will be part of future Windows OSs. For other OSs, you’re out of luck for now. A very good question raised by someone was: since we’re authenticating a host based on what the host tells us he’s got, what’s to keep this information from being spoofed? One might be able to write an exploit that takes advantage of an unpatched system and that reports it as a fully patched one to allow it to connect. The presenter mentioned something about “multiple levels of security”, but I don’t think anyone was really satisfied that this is not a problem.

This was followed by a talk by Damien Miller, from Netstar, about network worms. Nicely presented, if a bit scary at some points. His opinion, not stated that flatly, is “we’re doomed”. And I tend to agree, to some degree.

After this talk, I left the conference to do some work, and will be back for the last session, on urban hacking and hacktivism. And yesterday there was a practical session on security auditing, followed by a “hackathon” where attendees were invited to try to hack into three servers and retrieve specific pieces of information from them. Now, that was a scary session. The PCs were running Linux off a CD (the Auditor security collection from remote-exploit.org), and the available tools made it a breeze to remotely access vulnerable systems. As an example, a remote shell was started on a Win2k box with just a few keystrokes, using ready-made exploits. That’s way too easy. (During the contest, I got the two pieces of data from the Windows server, but did not have time to get into the Linux ones; a colleague of mine who attended a later session won.)
