Historical Document - Last Updated Mon Dec 27 17:35:07 2004

CanSecWest 2001

The computer security conference CanSecWest was held in Vancouver over 3 days at the end of April 2001.

We were all stuffed into the Pacific Palisades on Robson. Too small, really - the rooms and especially corridors were on the small side with a single-linked topology that meant discussions in the hallway became traffic bottlenecks. However, it wasn't too hot or too cold and the alarms didn't go off (not like BlackHat 99 - actually someone told me that that was done by a hacker attending DEFCON who couldn't afford BlackHat).

We got ID cards with a little message in hex written along the top. It read, as I recall, "ALLYOURCARDZAREBELONGTOUS". An in joke I think; I found allyourbase.swf (Flash) linked on one of the speaker's websites.

Overheard during a presentation (answering a cellphone) - "Hang on, I'm in a room full of security guys ...".

The conference had a wireless LAN set up and many attendees brought laptops. One guy sitting next to me actually bought some concert tickets online while chatting to a friend on IRC, during one of the presentations.
Packet sniffing on the wireless LAN was rampant (mentioned in the c|net story below) so that one speaker placed his email password on a slide figuring everyone knew it already. He'd just logged on to a webmail site (Yahoo ?), realized what he'd done, said "Oh sh*t", and dashed out the door to an Internet cafe to go change it (not trusting the hotel LAN, and I presume there is no SSL access to Yahoo! mail).
Someone mentioned that they'd been at the IETF where a wireless LAN was set up and said that passwords were going past in clear too fast to read. The wireless LAN I think operates with a shared key so that all users with access can see each others traffic. Encryption isn't normally enabled at public venues like this anyway.

We got copies of the conference presentations, plus a lot of other neat stuff, on business-card recordable CD-ROMs. If you haven't seen these, they are an 8cm CD cropped to 6cm high that hold about 60Mb and fit in the inner ring of your CD-ROM drive.

CanSecWest in the News

Papers and toolkit

Papers presented at the conference, plus a variety of reference material, tools, etc. are available here from TRIUMF.
The list of speakers and topics is here (well, here really). Note that many speakers have not yet placed their presentations on the Web where they said they would. Some are in PowerPoint and will require PPT (or maybe StarOffice) to view.

SSH with Kerberos

Nico (?) from securite.org talked about implementing SSH with Kerberos (at Cisco, I think). The idea is to give single sign-on to a large variety of servers, routers, hosts etc. Propagating SSH keys got too unwieldy.

Kerberos (version V was used) doesn't do encryption or authorization, just authentication. It uses a DES shared key to grant tickets. Initially one gets a TGT (ticket-granting-ticket) valid for a certain length of time (7 hours here), which is then used to get a ticket for access to each of the servers. There is a single TGT server (which might be mirrored or otherwise given some redundancy) and one or more ticket servers. Kerberos V currently works with SSH1 & SSH2 (not Openssh at present). Suggested not to use PAM or NIS. Suggested using DNS ( HESIOD) to share usernames (not passwords, obviously) and Kerberos for authentication.



Renaud Deraison talked about the security scanner Nessus and the scripting language NASL. He said that Nessus is designed to be used by everyone - which I hadn't really grasped - so that it can be set up running on a server with access control for users to test their own areas. Version 1.2 is coming soon he says.



Matthew Franz of Cisco - Author of Trinux : A Linux Security Toolkit - talked about various scanning & attacking tools. I scribbled notes for later entry in a search engine - Naptha, hping, p0f, nmap, sing, Ofir Arkin, ISAKAMP, H323, ehtereal, iplayer, ISN, IKE, AH/ESP, udsic, isic, tcpkill.

He showed some plots of IP sequence number for different operating systems - how easy it is to fake a packet and break into someone's session. Microsoft are pretty predictable (as I suspect are some older O/S like Ultrix) while recent Linux and OpenBSD are nearly perfectly random.
Flooding attacks on stateful protocol - if the initial state (waiting for connect) is flood-resistant, later ones may not be (connected and waiting for data, perhaps)

Forensic Readiness

John Tan of @Stake talked about forensic readiness - i.e. having your system ready to make it easier to do forensic analysis when it gets broken into. He also gave out a neat bootable business-card CDROM (which I have available). The Coroners Toolkit (TCT) was recommended - basically automates doing all the ps -auwwx, netstat, w, arp -a stuff plus some rudimentary disk analysis and undeletes. TCT has a MAC (modify/access/change) time analysis script to figure out which files have been modified or executed recently. General things: run disks 50% full or less, for forensics *do not do a normal backup* (modifies MAC) - instead use dd to make a disk image. Can do this over NFS or use netcat. Run TCT process grab first to a floppy (or NFS, maybe), then disk image, then can use TCT MAC analysis on disk image mounted read-only. Chain of custody rules say you should make checksums of everything and sign off from person to person etc.. Use FedEx to ship - their normal logging procedures are OK it seems. Photograph hardware, screen contents etc. & maybe run security video on storage. Idea is to show evidence cannot have been tampered with - antistatic bags with signed dated paper seals, etc. Uncertainty principle says you can't win - if you pull the plug you preserve 100% disk contents but lose everything in RAM such as running processes, network connections, user list etc. If you run things to preserve state you change the state and may write to the disk. If you do nothing and wait for the cops you probably lose state such as arp cache & net connects, processes may write to disk, and the cops probably pull the plug anyway. Forensic acquisition should be done in-house.
TCT is good for other systems too because Linux can mount other filesystems (MSDOS, VFAT, NTFS ...)


Dave Dittrich talked about this too. Have a SCSI card. Use twisted 10Bt to a laptop (to copy disks).

Peer to Peer

Mixter talked about peer-to-peer networking (Napster, Gnutella, Intel Edge etc.). OpenCOLA search engine.

NIDS evasion

K2 talked about NIDS evasion techniques. RFP talked later about rfproxy and whisker tools. Basically, if a scanner is looking for "/cgi-bin/phf", then a script can avoid it by looking for the Hex equivalent e.g. "%2f%63%67%69%2d%62%69%63%2f%70%68%66". More esoteric version convert to UTF, or introduce null-bytes into TCP packets.


Lance Spitzner talked about the honeynet project. Basically, this was a couple of out-of-box systems on an ISDN line with a sniffer watching them. Average time for a stock RedHat 6.2 system to be broken into - 3 days. He tells an anecdote of a professor at a University installing a system and going off to teach a 1-hour class. When he got back to his office the system was already compromised.

PKI crypto

Dug Song talked about SSH and PKI crypto. He has written some tools to attack SSH. I think these rely either on people ignoring the "host key has changed" warnings (some Windows clients don't even display them apparently), or getting hold of private keys e.g. from NFS exported home directories. I asked him about using a secure trusted machine to do passwordless logins using RSA/DSA key pairs, and he said this was OK. Another issue was PGP keys visible with NFS, and I presume the same thing applies to backups (NFS is a sniffable protocol, so backups done with NFS could potentially expose private keys and passwords, even if the backup media is physically secured).

NT rootkit

Gary Golomb (I think) talked about the NT 2000 rootkit. This acts like the Unix ones to hide hackers processes and files from examination. It works a bit like the Linux LKM rootkits - anything running at the application level such as personal firewalls, virus checkers etc. will not see hidden stuff since it will be filtered out at system level.


Jay Beale talked about the Bastille Linux project. Version 1.2 is on the way. Will feature a GUI and easier post-install operation (originally Bastille was intended to be run right after a system install before you have changed anything). He's working for Mandrake now and got them to ship Bastille with it, but it won't run by default (it asks 35 tricky questions, while the install scripts are trying to get simpler to use).

Jay also talked about boot security, e.g. protection from "LILO: linux init=/bin/sh" or someone with a screwdriver.


Fyodor talked about the nmap scanner and gave some examples, scanning the wireless LAN and finding laptops in the audience. He also demonstrated a neat attack on the BlackIce Defender personal firewall; essentially by spoofing the Windows name service (easy) he could subvert the lookup process in Blackice, so that an attack was reported as coming from "your mother" instead of or whatever.


Theo talked about the OpenBSD project - arguably the most secure OS out there. They have proactively audited the entire source tree looking for security holes and bugs (300Mb), doing things like eliminating all gets(), sprintf() and strncpy(). They provide some secure alternatives e.g. strlcpy(). They say 3 years since a remote hole in the stock install.

He was feeling a bit depressed he said since they'd not discovered a problem in the glob() function in libc. Then he said, hey, at least we're better than everyone else, and they can steal our code to see how to do things right.

crypto a 2-edged sword

Kurt Seifried talked about various crypto things, such as crypto or the lack of it in email. He mentioned a scenario where someone could attack a DNS server, plant bogus MX records, then intercept email, read or alter it, then retransmit it, without actually touching the mail server itself at all.

I think he was also complaining that use of crypto would interfere with a lot of products that "we take for granted". By which he means various monitoring tools that commercial companies might run to make sure their employees don't blab company secrets over email, and don't spend their time on the Web visiting porn and gambling sites. I had a bit of an argument with him about how an encrypted email virus could possibly propagate. I think with PGP it couldn't, since the user has to enter a password for each encrypted message, but I guess if the key is held in memory all the time you're logged in and the virus has access to both your address book and to everyones public keys it could happen. It wouldn't work to mailing lists, though.


Martin Roesch talked about Snort (which we run here). Version 2.0 (or maybe 1.8) is on the way. He says on a modern machine it can handle about 150Mbit/s with a 1% data loss, or 300Mbit/s with a 50% loss. Talked about tagging sessions - if someone does something suspicious, you watch everything he does, instead of watching everything all the time. I mentioned the problems with hacker tools spoofing addresses and he said an arp plugin might appear.

to Security Page