Lyte's Blog

Bad code, bad humour and bad hair.

Ruxcon 2011

My head’s just now starting to recover from 4 days of Ruxcon. 2 days training, 2 days conference, plus a lot of partying networking.

It’s the first properly security-related thing I’ve ever been to, but I was amazed just how quickly I was able to catch on to many of the modern techniques being used to pen test systems out in the wild right now. I don’t think it’s because I’m super smart, I think it’s because most of the flaws that are exploitable are super obvious and you really only need one piece of broken logic to get into somewhere you don’t belong. It was also quite impressive just how creatively a lot of the people there were able to look at 2 or 3 relatively minor bugs and escalate them into full system access.

Pen testing also isn’t all the low-level buffer overflow stuff I was expecting. Sure, there are guys there that can do that and other much fancier stuff to smash your stack, break out of the overflowed buffer and completely own your box, but there’s still plenty of the good ol’ “hmm, that ACL doesn’t look quite right”.

I managed to catch both talks by Adam and James from Insomnia. What impressed me most was that I understood almost everything these guys were doing. Furthermore, a lot of what James was talking about to escalate privileges in a Windows environment was stuff that I was tinkering with (sometimes a little too successfully) back at high school :/

Another pretty interesting stream is just how prevalent SQL injection still is. I thought (before Thursday) that parameterised SQL queries had solved all the injection problems and the world of IT Security had moved on to harder targets. Turns out I was wrong. This seems to be mainly because half of the programmers out there still haven’t actually heard about SQL injection :( It’s compounded by the fact that those that have probably don’t realise just how easy tools like sqlmap make it. With sqlmap you can take a blind SQLi (SQL injection) attack and have it fire up a SQL prompt for you that lets you write arbitrary SELECT queries, or dump the DB to CSV… wow. Better yet, parameterised SQL can only bind values, not identifiers, so the column (and sort direction) in an “ORDER BY” normally can’t be parameterised at all. A lot of programmers will be utilising parameterised SQL thinking it makes them completely safe, when in fact they’ve just made it fractionally harder: the bound WHERE clause is fine, and the sort column they concatenated in is the way in.
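To make the ORDER BY point concrete, here is an added example (mine, not from the talks or from sqlmap) against an in-memory SQLite table with constructed sample rows. The “vulnerable” query binds its WHERE value properly but concatenates the sort column; the probe function then uses the resulting row order as a one-bit oracle, which is exactly the blind technique a tool automates. The hardened version maps the user-supplied sort key and direction through an allow-list instead of trying to bind them. Table and column names are made up for the illustration.

```python
import sqlite3

# Constructed sample data: sorting by name and sorting by age give
# different orders, which is what makes the blind oracle work.
USERS = [("alice", 30), ("bob", 25), ("carol", 35)]


def make_db():
    """Build an in-memory DB with a users table and a 'secrets' table
    whose mere existence the attacker will try to infer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.execute("CREATE TABLE secrets (token TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('constructed-sample-token')")
    conn.commit()
    return conn


def vulnerable_order(conn, min_age, sort_col):
    """The WHERE value is bound, so the obvious injection is closed,
    but the ORDER BY column is concatenated straight from user input."""
    sql = "SELECT name FROM users WHERE age >= ? ORDER BY " + sort_col
    return [row[0] for row in conn.execute(sql, (min_age,))]


def blind_probe(conn, condition):
    """Attacker side: ORDER BY accepts any expression, so a CASE that
    sorts by age when `condition` is true and by name otherwise leaks
    one bit per request through the row order alone."""
    payload = f"(CASE WHEN ({condition}) THEN age ELSE name END)"
    by_age = vulnerable_order(conn, 0, "age")
    return vulnerable_order(conn, 0, payload) == by_age


# Allow-lists: the only identifiers the application will ever emit.
SORT_COLUMNS = {"name": "name", "age": "age"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def hardened_order(conn, min_age, sort_col, direction="asc"):
    """Identifiers can't be bound as parameters, so they are looked up
    in a fixed mapping; anything not in the mapping is rejected outright
    rather than sanitised."""
    if sort_col not in SORT_COLUMNS or direction not in SORT_DIRECTIONS:
        raise ValueError("unsupported sort column or direction")
    sql = (
        "SELECT name FROM users WHERE age >= ? "
        f"ORDER BY {SORT_COLUMNS[sort_col]} {SORT_DIRECTIONS[direction]}"
    )
    return [row[0] for row in conn.execute(sql, (min_age,))]


if __name__ == "__main__":
    db = make_db()
    leaked = blind_probe(
        db,
        "(SELECT COUNT(*) FROM sqlite_master "
        "WHERE type='table' AND name='secrets') > 0",
    )
    print("attacker learns 'secrets' table exists:", leaked)
    print("hardened, age desc:", hardened_order(db, 0, "age", "desc"))
```

The probe never sees an error or a data field, only which of two orderings came back, so error suppression does nothing to stop it; the fix is structural. Note that the same caveat applies to anything else that is an identifier or keyword rather than a value (table names, LIMIT on some engines, the direction keyword), and the allow-list pattern is the standard answer for all of them.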

There was way too much other cool stuff to talk about here. I’m definitely going to try and go again next year.