stdout

Speaking Engagements & Presentations

Derbycon V

2015-09-25 00:00:00 +0000

Rails has a strong foundation in convention over configuration. In this regard, Rails handles a lot of security related conventions for developers, keeping them safe from vulnerabilities such as SQL Injection, XSS, and CSRF out of the box. However, authentication and authorization logic is largely left up to the developer. It is here that the abilities of the framework hit the end of the track and it’s up to the developers to keep themselves safe.

In this talk, we take a look at patterns that we’ve seen across some of the largest Rails applications on the internet and cover common pitfalls that you as a security researcher and/or developer can watch out for. We will also be discussing and releasing a new dynamic analysis tool for Rails applications to help pentesters navigate through authentication and authorization solutions in Rails.

44Con 2015

2015-09-11 00:00:00 +0000

Rails has a strong foundation in convention over configuration. In this regard, Rails handles a lot of security related conventions for developers, keeping them safe from vulnerabilities such as SQL Injection, XSS, and CSRF out of the box. However, authentication and authorization logic is largely left up to the developer. It is here that the abilities of the framework hit the end of the track and it’s up to the developers to keep themselves safe.

In this talk, we take a look at patterns that we’ve seen across some of the largest Rails applications on the internet and cover common pitfalls that you as a security researcher and/or developer can watch out for. We will also be discussing and releasing a new dynamic analysis tool for Rails applications to help pentesters navigate through authentication and authorization solutions in Rails.

The Anatomy of a Rails Vulnerability

2014-05-27 00:00:00 +0000

On May 6th 2014, the Ruby on Rails team released updates to address a security vulnerability involving the ‘implicit render’ feature, and identified it as CVE-2014-0130.1 In their advisory, they go on to describe a Directory Traversal vulnerability involving globbing routes including the string ‘*action’. An amendment to that advisory3 broadens the warning, stating that there are ‘additional attack vectors’ and advising that all users upgrade to a fixed version.

In this paper, we explore the attack vectors of this vulnerability, as well additional impacts beyond simple file retrieval. These include remote code execution across a variety of Ruby on Rails deployment environments. If you take away one thing, it should be this: vulnerability impact is not always clear without close review. In this case, the advisories say arbitrary file read, with a highly unusual configuration. We’ll see how to achieve remote code execution with a more common setup.

Thotcon 0x3

2012-04-28 00:00:00 +0000

SSL/TLS is entrusted with securing many of the communications services we take for granted in our connected world. Threat actors are also aware of the advantages offered by encrypted communication channels, and increasingly utilize encryption for exploit delivery, malware command-and-control and data exfiltration.

To counter these tactics, organizations are increasingly deploying security controls that intercept end-to-end SSL/TLS channels. Web proxies, DLP systems, specialized threat detection solutions, and network IPSs now offer functionality to intercept, inspect and filter encrypted traffic. Similar functionality is also present in lawful intercept systems and solutions enabling the broad surveillance of encrypted communications by governments. Broadly classified as “SSL/TLS Interception Proxies,” these solutions act as man-in-the-middle, violating the end-to-end security guarantees promised by SSL/TLS.

In this presentation we’ll explore a phenomenon known as “transitive trust,” and explain how deployment of SSL/TLS interception solutions can introduce new vulnerabilities. We detail a collection of new vulnerabilities in widely used interception proxies first discovered by the Dell SecureWorks CTU and responsibly disclosed to the impacted vendors. These vulnerabilities enable attackers to more easily intercept and modify secure communications. In addition, we will introduce a public web site that organizations can use to quickly and easily test for these flaws.

Blackhat Europe 2012

2012-03-14 00:00:00 +0000

SSL/TLS is entrusted with securing many of the communications services we take for granted in our connected world. Threat actors are also aware of the advantages offered by encrypted communication channels, and increasingly utilize encryption for exploit delivery, malware command-and-control and data exfiltration.

To counter these tactics, organizations are increasingly deploying security controls that intercept end-to-end SSL/TLS channels. Web proxies, DLP systems, specialized threat detection solutions, and network IPSs now offer functionality to intercept, inspect and filter encrypted traffic. Similar functionality is also present in lawful intercept systems and solutions enabling the broad surveillance of encrypted communications by governments. Broadly classified as “SSL/TLS Interception Proxies,” these solutions act as man-in-the-middle, violating the end-to-end security guarantees promised by SSL/TLS.

In this presentation we’ll explore a phenomenon known as “transitive trust,” and explain how deployment of SSL/TLS interception solutions can introduce new vulnerabilities. We detail a collection of new vulnerabilities in widely used interception proxies first discovered by the Dell SecureWorks CTU and responsibly disclosed to the impacted vendors. These vulnerabilities enable attackers to more easily intercept and modify secure communications. In addition, we will introduce a public web site that organizations can use to quickly and easily test for these flaws.

DerbyCon I

2011-10-07 00:00:00 +0000

An Amazon Machine Image (AMI) is a virtual appliance container used to create virtual machines (VMs) within the Amazon Elastic Compute Cloud (EC2). EC2 instances typically interact with a variety of Amazon Web Services (AWS), and as such require access to AWS credentials and private key materials. In this presentation we will explore how AWS credentials and keys may end up being persisted within an AMI. If persisted within a public or shared AMI, these credentials and key materials may be unintentionally shared with 3rd parties. We will discuss the different types of AWS credentials and key materials, how they are used to access different Cloud services, and the risks and potential impacts of compromise of this sensitive information. A new tool, “AMIexposed” will be released that can check an AMI for the most common ways AWS credentials and keys are persisted within an AMI. The results of research using AMIexposed against public AMIs will be presented, helping to quantify the scope and prevalence of AWS credentials and keys exposed within public AMIs. We’ll also discuss the risks inherent in trusting public AMIs to be free of backdoors, trojans, and other malicious hitchhikers. Results of an experiment demonstrating these risks will be presented. Finally, the talk will propose best practices for utilizing AMIs. These will include specific steps for ensuring you organization’s AWS credentials and key materials are not unintentionally persisted within public or shared AMIs, and recommendations regarding usage of 3rd party public AMIs.

DEF CON 19

2011-08-06 00:00:00 +0000

An Amazon Machine Image (AMI) is a virtual appliance container used to create virtual machines (VMs) within the Amazon Elastic Compute Cloud (EC2). EC2 instances typically interact with a variety of Amazon Web Services (AWS), and as such require access to AWS credentials and private key materials. In this presentation we will explore how AWS credentials and keys may end up being persisted within an AMI. If persisted within a public or shared AMI, these credentials and key materials may be unintentionally shared with 3rd parties. We will discuss the different types of AWS credentials and key materials, how they are used to access different Cloud services, and the risks and potential impacts of compromise of this sensitive information. A new tool, “AMIexposed” will be released that can check an AMI for the most common ways AWS credentials and keys are persisted within an AMI. The results of research using AMIexposed against public AMIs will be presented, helping to quantify the scope and prevalence of AWS credentials and keys exposed within public AMIs. We’ll also discuss the risks inherent in trusting public AMIs to be free of backdoors, trojans, and other malicious hitchhikers. Results of an experiment demonstrating these risks will be presented. Finally, the talk will propose best practices for utilizing AMIs. These will include specific steps for ensuring you organization’s AWS credentials and key materials are not unintentionally persisted within public or shared AMIs, and recommendations regarding usage of 3rd party public AMIs.

Blackhat USA 2010

2010-07-28 00:00:00 +0000

Your security infrastructure (firewalls, IDS/IPS devices, management consoles, etc.) holds a very sensitive position of trust. This equipment is relied upon to reliably perform security critical functions under potentially hostile conditions. These are highly valuable assets to an attacker, yet their value is sometimes not captured by conventional risk management. This presentation will explore several new vulnerabilities and weaknesses in these products, with the goal of offering useful recommendations and approaches for mitigating the risk.

This presentation explores a series of vulnerabilities and weaknesses in security infrastructure that we discovered and responsibly disclosed. We’re in the business of managing and monitoring this gear for our clients, so we have great familiarity with all aspects of its operation. We’ve found that security infrastructure appears to be just as prone to security vulnerabilities as other commercial software, if not more so.