web application security lab

RSA Conference Wrapup

Well, another RSA Conference has come and gone. Lots of vendor noise about their product being the only secure one on the market, and other nonsense, as is to be expected. Although I did notice a bit of realism this year. It did seem like everyone had eaten a big helping of humble pie, which was refreshing. Even the sales guys weren’t making as hard a pitch as I’m accustomed to. So all in all, it was a good time. Lots of drinking, lots of good conversation, and I even managed to sneak in and see Jeremiah’s presentation on the top 10 new webappsec vulns from 2009 (how he managed to fit all that into 50 minutes still boggles the mind). I didn’t make it to as many parties as I would have liked to this year - maybe I’m getting old, or maybe I started drinking too early. Either way…

One notable quote was from Howard Schmidt who said, “There is no cyberwar,” but I don’t think he ever defined what a cyberwar would look like - so I don’t know how we’ve decided we aren’t in the midst of one. Maybe he’s absolutely right and we aren’t in the middle of anything like a war (just the low rumble of espionage), but I’d like to hear his definition one way or another so that I can know when I should start being outraged.

But while I was thinking about it, I wanted to do a quick writeup on the RSA Conference registration computers themselves. For some reason, my entire life, I have just assumed programmers think the same way I do. Then I am always annoyed to find out they don’t. Physical security is tough, don’t get me wrong, but kiosks are one of those things you really need to be careful to protect from both physical tampering and logical attacks. Anyway, I was sitting there waiting for one of the pages to load, and it was taking forever. Because there was no onscreen indicator that it was waiting, I started wondering if the form was even working at all, or if there was some dumb JS error or something else that would cause the page to never load. So I clicked on one of the links in the navigation at the top, and it gave me a “Diagnose Connection Problems” error and, worse yet, it popped out of kiosk mode. Never a good sign. It looks like they’re protecting the application from most classes of attacks simply by disallowing outbound network access. Let’s assume for a second that there were no way around that (and I’m not convinced of that, incidentally).

Most people would probably say that security is good enough: any attack I could mount would be useless because I couldn’t exfiltrate the data off of that machine. Oh, but it’s not that simple. For that application to work it must be able to contact the site in question (the registration portal). That portal has access to a database. As such, the database itself is essentially dual-homed (reachable from the Internet and from this kiosk intranet). So all I should need is some JavaScript malware that pretends to register people while logging their information into my own database fields. I can be somewhere else, check the records in the database for my account, and poof - I have access to whatever data I wanted to log. I can get JavaScript execution by simply typing it into the URL bar, and just like magic, I have a way to steal conference registrants’ information. And then there are the cookies and any other tampering I might be able to do in the config options in IE. It’s definitely NOT a huge deal, but rather just another example of how incredibly complex it is to build a truly secure browser-based kiosk system that can defend against determined attackers. No identities were stolen in the making of this post. Now, back to work!

7 Responses to “RSA Conference Wrapup”

  1. Brian Honan Says:

    Have a look at http://ikat.ha.cked.net which is an online tool for hacking into Kiosks. A presentation on the tool given at BruCON 2009 http://2009.brucon.org/material/BruCON-RageAgainstTheKiosk.pdf (a 4MB PDF file) is also available

  2. SAS Says:

    @Brian

    Of course, it’s simply impossible to secure it. If you can open MSIE, or even Notepad (which runs with all rights) you are screwed. No big deal, other than the realization that security is tough, especially on Kiosks, and certainly on a Kiosk that runs a standard OS that runs silly blacklists. ;)

  3. SAS Says:

    Btw, it reminds me of hacking kiosks at warehouses when I was young; they simply hid the lower menu bar, but forgot to lock the “Windows” key, popping the bar back up into view. :) Also, if you can enter CTRL+ALT+DEL (usually you can on the kiosks I saw), you can open any program via the task manager. Simple, but they might work.

  4. Dan Says:

    >I don’t think he ever defined what a cyberwar would look like

    I think you need 3 basic elements before you can call something a “war”.

    It must be significant, sustained and violent.

  5. RSnake Says:

    @Dan - interesting definition. I guess we’re potentially missing significant (depending on what we’re talking about) and definitely missing violent.

  6. paulcraig Says:

    Wow, that’s a real lame kiosk.
    iKAT would have knocked that thing out faster than a pedophile in a maximum security prison.

  7. Khash Says:

    Very nice find. Now I don’t feel so bad for registering with fake personal information.

    BTW, I think for something to be considered “war”, it needs to be planned and organized, but not necessarily violent! Psychological wars, for instance, aren’t always violent!