Websense Security Labs at CeBIT 2013
Posted: 15 Mar 2013 07:08 AM

We returned from CeBIT, one of the largest and most influential technology conferences in the world, last week.

 

The lead theme at this year's conference was that of "Shareconomy", finding benefit in exchanging ideas and information.  As a security lab, we embrace the idea of the Shareconomy and have a tremendous amount of threat intelligence to contribute. 

 

Websense Security Labs were an active participant in the show throughout the week.  In case you missed it, here is how we got involved:

 

Speakers Corner

We delivered a presentation introducing results from a recent independent security test which highlighted security effectiveness across the kill chain.  You can download the test report from our website.  The "7 Stages of Advanced Threats" are explained here.  

 

 

SpeakUp Live

Our usual interactive discussion session format went on the road at CeBIT as we opened up the topic of securing mobile devices in the workplace.

Audience participation (via a remote voting system) drove the conversation into areas of:

  • How do I secure my data on employee-owned smartphones?
  • Do I feel protected from the risks brought about by Bring Your Own Device (BYOD)?
  • What do I perceive to be the biggest risks in regards to BYOD?

The majority of attendees at our CeBIT discussion (65%) felt that they were not adequately protected from the many risks associated with BYOD.  Specifically, 46% of attendees were equally concerned about the risks from malicious mobile applications and lost devices, and the issue of securing their private data from data theft.

 

 

We look forward to seeing you and collaborating at future security conferences around the globe.

Carl Leonard

SOURCE Boston 2011 Conference RECAP
Posted: 27 Apr 2011 05:46 PM

 

 

I returned this past weekend from SOURCE Boston, where I presented the new features and architecture of Fireshark v2.

I have had the opportunity to speak at many conferences before, but this was my first time doing so in my university town of Boston (Northeastern), and my first time speaking at SOURCE. SOURCE has conference locations in Seattle, Barcelona, and Boston, and attempts to bring security experts together to create a very positive mix of business needs and technology expertise. Boston is a bustling city with a number of technology companies and top universities. The location alone is worth the visit.

That aside, I was impressed with some of the presentations I saw. Here are a few worth mentioning, which are available online at http://www.sourceconference.com/boston/speakers_2011.asp:
 

  • On The Use of Prediction Markets in Information Security - Dan Geer, Alex Hutton, Greg Shannon
  • The Exploit Intelligence Project - Dan Guido, iSEC Partners (great talk!) 
  • Incursion - From Internet To SCADA, Critical Systems Compromise Case Studies in Pictures - Val Smith, Attack Research, and Chris, SecureDNA 
  • Fuel for pwnage: Exploit kits - Vicente Diaz and Jorge Mieres, Kaspersky Lab
  • Reverse Engineering Flash Files with SWFREtools - Sebastian Porst (Flash analysis tool released!)
  • Reversing Obfuscation - Adam Meyers, SRA International
  • Streamline Incident Types for Efficient Incident Response - Predrag Zivic and Mike Lecky, Canadian Tire (really interesting talk on identify tracking)
  • Network Stream Hacking with Mallory - Raj Umadas, Jeremy Allen, The Intrepidus Group (Mallory is a tool worth checking out!)
  • Adding another level of hell to reverse engineering - Ben Agre, Raytheon (Something as reverse engineers that we'll have to become accustomed to more and more: used junk code!)


and finally...

My presentation: Fireshark v2 - An Analysis Toolkit for Malicious Web Sites - Stephan Chenette, Principal Security Researcher, Websense Labs (to be publicly available on or before May 5)

(Figure 1: Stephan Chenette introducing Fireshark v2, an analysis tool kit for malicious websites)

 

I want to thank Stacy Thayer,  SOURCE founder, the SOURCE advisory board and all attendees.

(Figure 2: SOURCE founder, Stacy Thayer)

 

 

Demo Spring 2011
Posted: 02 Mar 2011 05:57 PM

Earlier this week we were fortunate enough to attend the Demo conference in Palm Desert. For those of you who are not familiar, Demo is mostly designed for startups and entrepreneurs to gather and launch their latest products and companies. We were lucky enough to be accepted to demo our newest generation of our Facebook security application Defensio.

 

 

Overall the conference had a very positive vibe and there were some interesting new technologies introduced in the key categories: Social, Mobile, and Cloud. Our key value of protecting your brand reputation and image within Facebook resonated very well and we look forward to attending again.

Video of the Demo:

http://bcove.me/5m5g6gyb


Pictures from Demo:
http://www.flickr.com/photos/democonference/5486857611/in/set-72157626044840317/
http://www.flickr.com/photos/democonference/5486857689/in/set-72157626044840317/
http://www.flickr.com/photos/democonference/5486865475/in/set-72157626044840317/
http://www.flickr.com/photos/democonference/5487452544/in/set-72157626044840317/

 

 

 

Full conference images available here: http://www.flickr.com/photos/democonference/sets/
Full conference videos available here: http://www.demo.com

Patrik Runald

Hack In The Box first time in Europe
Posted: 12 Jul 2010 12:57 AM

I have just come back from Amsterdam where I was a speaker at the Hack In The Box conference. HITB held its annual conference here in Europe for the first time. The event was hosted in the beautiful 'Venice of the North', Amsterdam (Netherlands), the home of canals, windmills, tulips, and probably the best cheese in the world. One of the most beautiful hotels in the heart of Amsterdam, the Krasnapolsky, offered a welcoming environment for this occasion.

 

 

My subject was FireShark, which is an open source tool written by Stephan Chenette, our Principal Security Researcher at Websense. Stephan originally created an ultimate de-obfuscation tool by hooking Internet Explorer's DLLs and dumping eval and document.write calls. This tool was presented at Toorcon last year and the code was released. Later on he moved to a Firefox plugin where he could use proper APIs provided by Firefox, as opposed to hooking function calls in DLLs. He also added new ideas to the project which gave the tool new functionalities.

Currently FireShark covers two main problems: ultimate de-obfuscation, and creating a graphical map of compromised Web sites. Both of these features are based on monitoring Firefox's internals to discover redirections, iframes and newly created DOM objects. Because the Web page is loaded into a real browser instead of an emulator, it does not matter how the obfuscation works: the browser sees all the results of the JavaScript code running while visiting the page, which is then logged by FireShark. No emulation is involved, therefore this is an 'ultimate de-obfuscation'.

Later on this log can be analyzed to see the real intention of the code. Also in the meantime it logs all redirections and iframes made by the page, and that data can be post-processed to generate a nice graphical map about connections made to other Web pages. For example, if there is a mass-injection campaign we could see that all the compromised Web sites are making connections to one suspicious landing site. Will we discover something new by seeing all of these? Hopefully that question will be answered soon.

 

This year at the HITB conference, we had the option to hear many very interesting talks from various security experts from all over the world, including deep analysis of shellcode, hardware hacking, and traveling to the Russian cyber underground.

 

I attended the following talks:

 

  • Keynote 1: Security Chasm - Dr Anton Chuvakin
    Anton is a well-known security expert and the author of many books about this subject. In his talk he emphasized the importance of focusing on real security issues rather than conceptual theories. He was wondering why people are more afraid of getting a fine by not wearing a seatbelt rather than worrying about the risk to their life. He also took a nice overview of the history of information security and a prediction on how it will be changed in the following 5 or 10 years. 
  • Breaking Virtualization by Switching to Virtual 8086 Mode - Jonathan Brossard
    Jonathan had a nice talk about the security issues of virtual machines, especially escaping code from virtualized servers. Server virtualization is very important nowadays, mostly used in Web hosting environments. As he pointed out, an attacker might take over the host computer breaking out of the virtualized hardware using an almost forgotten CPU mode, the virtual 8086 mode. 
  • From Russia With Love 2.0 - Fyodor Yarochkin
    Fyodor is an independent network security researcher who digs deep down into the world of the Russian cyber underground, revealing many of their secrets and myths. He explained how they are organized and why they do what they do - unsurprisingly it is all about the money. Fyodor also pointed out that many people do not even realize they are involved in a cyber crime. They get a temporary job offer over the Internet and once they finish their assignment they receive the money online. Sounds like a legitimate business; however, in the end the work is related to illegal activity.  
  • Keynote 2: Ten Crazy Ideas That Might Actually Change the State of Information Security - Mark Curphey
    Mark is the director of the MSDN Subscription Engineering team at Microsoft. He had some very interesting ideas about the fundamental issues of information security, and laid down 10 ideas that could change the security industry. He compared this work to how WHO stopped one of the deadliest diseases in the history of humankind, smallpox. Mark also highlighted that maybe security experts should work in the same way as a Chinese doctor: paid only if healthy, not when sick.
  • Maltego 3: Start Your Engines - Roelof Temmingh
    Roelof is the founder of Paterva Ltd, the creator of Maltego. Maltego is an open source intelligence and forensics application. It can be used to connect information and their sources together revealing many interesting details about a subject or even about people. Fyodor was actually using Maltego for his findings about the Russian cyber underground. Roelof presented the capability of the new version 3 to the audience.
  • Abusing Microsoft's PostMark Validation Protocol - Dumitru Codreanu
    Dumitru is a Senior Researcher at BitDefender. He did research on a GPU and FPGA-assisted application that can break Microsoft's PostMark Validation Protocol. This protocol helps with fighting against spam, and it was claimed that to break this system, the spammer needs to invest hundreds of thousands of dollars in hardware. Dumitru showed the weakness of the protocol and that using a GPU (graphical card like nVidia GeForce) or an FPGA card inserted into an ordinary PC could lead to signing 3-8 million mails per day with PostMark Validation, with an investment of only around a few hundred dollars.
  • Subverting Windows 7 x64 Kernel with DMA Attacks - Christophe Devine & Damien Aumaitre
    Christophe and Damien are Security Researchers at Sogeti/ESEC and they made a very interesting showcase of how vulnerable our computing systems are to hardware-based attacks. They have inserted a PCMCIA card into a laptop running Windows 7 for a couple of seconds, which then accepted any random string entered to the Windows Logon screen as a valid password. They have pointed out that hardware that can use DMA (such as FireWire / IEEE1394, PCMCIA, ExpressCard and PCI card) is bypassing any security protocol in the operating system, leaving our computers open to attacks.
  • Top 10 Web 2.0 Attacks and Exploits - Shreeraj Shah
    Shreeraj is the founder of Blueinfy and the author of many books on Web 2.0 Security. In his talk we got an overview of the top 10 Web 2.0 attacks, exploits, and hacking techniques. He also explained new tools and methodologies to prevent attacks like these.
  • The Traveling Hackersmith 2009-2010 - Saumil Shah
    Saumil is the founder of Net-Square and the author of many books and tools. He was talking off the record this time about discovering security issues in online flight bookings and hotel room reservations during many of his travels. As it was off the record it would not be ethical to write down his subject in detail. He emphasized that he does not want to prove a point; however, overall my conclusion was that he was worrying about Web shops in general, how highly insecure they are, simply because either the developer does not know much about information security or because they just do not think a cyber criminal would target their site at any time.

 

The conference material can be downloaded from the HITB Web site.

 

 

 

 

 

Tamas Rudnai

SyScan'10 Singapore Conference
Posted: 24 Jun 2010 07:05 PM

Last week, Ulysses and Hermes attended the SyScan'10 Singapore conference, where 17 speakers presented 14 different topics, including software and hardware security.


The many interesting topics at this conference included integrity checking of Microsoft Office documents, Chrome sandboxing, Office vulnerabilities, PHP exploits, and mobile phone attacks.

 

 

Our presentation described the threat trend of SWF and PDF applications and how various kinds of attacks rely on vulnerabilities in Web browsers to spread threats on the Internet.  We showed how antivirus solutions work and how hackers change the content in malicious files to bypass them. We also demonstrated several ways to fight against the technology of embedded malicious content in SWF/PDF files and resolve the issue of content stripping for end users.

 

Thanks to the organizers for a great conference in a great place!

 

You can download our presentation here.

Hermes Li

Upcoming Security Conferences in 2010
Posted: 04 Jun 2010 05:00 PM

 

Although not an exhaustive list of upcoming security conferences, here are a few of the conferences taking place this summer and into 2011 that we recommend. Many of our researchers are speaking at these conferences, so plan on seeing some of their talks. They will give you a glimpse into various research projects being worked on inside our labs.

 


 

June

 


EUSecWest

When: Jun 16 – 17, 2010
Where: Leidseplein, Amsterdam, Netherlands

 

Presentation: DarunGrim - A Tool for Binary Diffing and Automatic Vulnerabilities Pattern Matching
Websense Security Labs Researcher: Jeongwook (Matt) Oh

 


SyScan Singapore

When: Jun 17 – 18, 2010
Where: Singapore

 

Presentation: An RIA Security Solution - Flash and PDF Threat Handler
Websense Security Labs Researchers: Ulysses Wang & Hermes Lei Li


July

 


RECon

When: Jul 9 – 11, 2010
Where: DoubleTree Plaza Montreal, Montreal, Canada

 

Presentation: Using Fireshark to analyze a malicious Web attack
Websense Security Labs Researcher: Stephan Chenette


The Next HOPE

When: Jul 16 – 18, 2010
Where: Hotel Pennsylvania, New York, NY, USA

 


BlackHat USA

When: Jul 24 – 29, 2010
Where: Caesars Palace, Las Vegas, Nevada, USA

 

Presentation: ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically
Websense Security Labs Researcher: Jeongwook (Matt) Oh

 

BSides Las Vegas

When: Jul 28 – 29, 2010
Where: Las Vegas, Nevada, USA

 


DEFCON 18

When: Jul 29 – Aug 1, 2010
Where: Riviera, Las Vegas, Nevada, USA

 

Presentation: ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically
Websense Security Labs Researcher: Jeongwook (Matt) Oh

 

August


SyScan Taipei

When: Aug 19 – 20, 2010
Where: Taipei, Taiwan

 

 

September

 

SOURCE Barcelona

When: Sep 21 – 22, 2010
Where: Museu Nacional D’art de Catalunya, Barcelona, Spain

 


BRUCON 2010

When: Sep 24 – 25, 2010
Where: The Surfhouse, Brussels, Belgium

 

Presentation: Fireshark - Linking the Malicious Web (NG)
Websense Security Labs Researcher: Stephan Chenette

 

SyScan Vietnam

When: Sep 25 – 26, 2010
Where: Ho Chi Minh City, Vietnam

 


Virus Bulletin

When: Sep 29 – Oct 1, 2010
Where: Vancouver, BC, Canada

 

Presentation: P0isoning the social web
Websense CTO: Dan Hubbard

 

Presentation: Categorizing the entire web with autonomous system numbers
Websense CTO: Dan Hubbard & Websense Security Labs Researcher: Saeed Abu-Nimeh

 

October

 

MaLWARE 2010

When: October 20-21, 2010
Where: Grand Hotel De La Reine, Nancy, France


November

 

PACSEC

When: November 10-11, 2010
Where: Aoyama Diamond Hall in Tokyo, Japan

 

 

December

 

RUXCON 2010

When: Dec 4 – 5, 2010
Where: Royal Melbourne Institute of Technology (RMIT), Melbourne, Australia

Anonymous

RSA 2010 Recap
Posted: 09 Mar 2010 04:39 AM

Dan Hubbard, myself, our awesome event managers, and the rest of the Websense crew have arrived home after attending and presenting at RSA 2010 in San Francisco. It was another successful year as the conference was very well attended and the presentations were quite informative.

Figure 1: Stephan Chenette's FireShark RSA Talk

 

Figure 2: Dan Hubbard's Threats to Cloud Computing RSA Talk

I presented the details of a Web security Firefox plugin that I will soon be releasing open sourced called FireShark. The plugin helps in visualizing various Web attacks such as mass URL injection attacks like Gumblar, Beladen, or Nine-ball. I have to personally thank Wladimir Palant, who you should know from his development effort on a plugin called AdBlock plus. Wladimir was instrumental in offering tips to Firefox plugin writing. Thanks Wladimir!

Essentially FireShark is a local plugin that, when used in a clustering architecture, can become a very powerful mechanism in visualizing the malicious Web. In my presentation, I shared several real-life scenarios of compromised Web sites. On one occasion, FireShark mapped out one particular malicious community that later, when operation b49 was exposed, uncovered that many of the hosts involved were also Waledac spamming domains. FireShark made it easy to see that these domains were responsible for acting as control points, redirecting users from legitimate compromised Web sites to landing pages serving rogue antivirus. More so, FireShark's post processing mechanism could conduct analysis on compromised machines, intermediary machines and the final landing pages, so that not one piece of information was left unknown. This includes the original source code, the de-obfuscated source code (final DOM view), and any window prompt or malware that the user is optionally asked to download and install. This is useful for one Web site, but FireShark does this for millions of sites every day. By correlating all the data, FireShark is able to take the normalized data and link various previously assumed unrelated attacks.

Figure 3: A Web site that was compromised and part of a small malicious community, graphed with GraphViz from FireShark output

 

Figure 4: Stephan Chenette (me) speaking at RSA

I sat down with Rob Lemos in an interview while at RSA; so if you're interested in knowing more about FireShark until it's released, you can read the article here.

Days before my presentation, Dan Hubbard co-presented with researchers from ZScaler outlining some of the current top cloud computing threats. Dan's presentation as well as all presentations given at the Cloud Security Alliance conference at RSA can be found here.

Here are a few images of the conference. If you were there, you know that our Websense booth was not easy to miss; it was probably the largest and most impressive booth I've ever seen.

Principal Security Researcher: Stephan Chenette 
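
The post-processing idea described in the HITB and RSA posts above (log the redirections and iframes seen for each visited site, then look for hosts that many compromised sites lead to, and graph the result with GraphViz), as an added example that is not FireShark's code. The `seed|event|source|destination` log layout, the host names and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: one record per iframe/redirect seen while visiting a site.
# The "seed|event|source|destination" layout is assumed, not FireShark's format.
SAMPLE_LOG = """\
shop.example|iframe|http://shop.example/|http://cdn-stats.invalid/in.php
shop.example|redirect|http://cdn-stats.invalid/in.php|http://scan-av.invalid/landing
blog.example|iframe|http://blog.example/post|http://cdn-stats.invalid/in.php
blog.example|redirect|http://cdn-stats.invalid/in.php|http://scan-av.invalid/landing
news.example|redirect|http://news.example/|http://counter.invalid/go
news.example|redirect|http://counter.invalid/go|http://scan-av.invalid/landing
forum.example|iframe|http://forum.example/|http://ads.example/banner
this line is malformed and must be ignored
"""

def host(url):
    """Reduce a URL to its host name so pages on one host share a node."""
    return urlsplit(url).hostname or url

def parse_log(text):
    """Yield (seed, event, src_host, dst_host) for each well-formed record."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4 or parts[1] not in ("iframe", "redirect"):
            continue  # skip blank or malformed records
        seed, event, src, dst = parts
        yield seed, event, host(src), host(dst)

def build_graph(records):
    """Return (edges, reached): host-to-host edges and seeds that touched each host."""
    edges = defaultdict(set)    # (src_host, dst_host) -> event types seen
    reached = defaultdict(set)  # dst_host -> seed sites whose visit contacted it
    for seed, event, src, dst in records:
        if src == dst:
            continue  # same-host navigation adds nothing to the map
        edges[(src, dst)].add(event)
        reached[dst].add(seed)
    return edges, reached

def shared_hosts(reached, min_seeds=2):
    """Hosts contacted during visits to at least min_seeds distinct sites."""
    return {h: sorted(s) for h, s in reached.items() if len(s) >= min_seeds}

def quote(name):
    """Quote a node name for DOT; log data is untrusted, so escape it."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'

def to_dot(edges, shared):
    """Render the map as GraphViz DOT, highlighting the shared hosts."""
    lines = ["digraph redirect_map {"]
    for h in sorted(shared):
        lines.append(f"  {quote(h)} [style=filled, fillcolor=red];")
    for (src, dst), events in sorted(edges.items()):
        label = ",".join(sorted(events))
        lines.append(f"  {quote(src)} -> {quote(dst)} [label={quote(label)}];")
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    edges, reached = build_graph(parse_log(SAMPLE_LOG))
    for h, seeds in shared_hosts(reached).items():
        print(h, "<-", ", ".join(seeds))
    print(to_dot(edges, shared_hosts(reached)))
```

In the constructed sample, three unrelated sites converge on one landing host through two different intermediaries, which is the pattern the posts describe for mass-injection campaigns.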

 

 
