
CanSecWest 2008

04.02.2008 - 4:30 PM
We just got back from Vancouver, where we presented at CanSecWest 2008. Our talk, "Wreck-utation," discussed reputation systems on the Internet and how they can be undermined. The point of the presentation was to show that the recent surge in compromises and misuse of legitimate Web sites makes reputation-based security much less effective than advertised: a site's good reputation is only as trustworthy as the content it is currently serving.


Stephan Chenette (left); Dan Hubbard (right)


There were quite a few interesting talks at CanSecWest this year. Some of our favorites were:

- Oded's talk on "Virtually Secure," where he presented a powerful VMware security API
- "Cross-Site Scripting Vulnerabilities in Flash Authoring Tools," presented by Rich Cannings of Google, in which he presented a summary of his findings on public Flash applications with XSS vulnerabilities
- "Cold Memory Forensics Workshop" from the pentesters at Intelguardians (based on the Princeton/Wind River research report)



Will Whittaker gave a lightning talk on his findings on crossdomain.xml in Flash, and highlighted how loadPolicyFile, which lets a SWF direct Flash Player to a policy file at a path of the SWF author's choosing rather than the site's root crossdomain.xml, can be used to enable cross-site request forgery (CSRF) from within a Flash application. Perhaps one reason Adobe has not fixed this is that an attacker can accomplish CSRF in many other ways anyway.
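To make the crossdomain.xml point concrete, here is a small policy auditor, added to this post as an example rather than anything Will Whittaker or Adobe published. It parses a Flash cross-domain policy and flags the settings that let another origin make credentialed requests: a wildcard allow-access-from, secure="false", and a missing or permissive site-control meta-policy (the site-control element and its permitted-cross-domain-policies values are assumed from the Flash Player 9.0.115+ policy file format; "master-only" tells the player to ignore any policy file other than /crossdomain.xml, which is what defeats a loadPolicyFile call pointed at an attacker-uploaded file). The two sample policies are constructed for the demonstration.

```python
"""Audit a Flash crossdomain.xml for settings that allow cross-site requests
with the victim's cookies (added example, not code from the original post)."""
import xml.etree.ElementTree as ET

# Constructed sample: a permissive policy of the kind that enables CSRF
# from any SWF on any site.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""

# Constructed sample: a hardened policy. master-only (assumption: honoured by
# Flash Player 9.0.115 and later) makes the player ignore any policy file that
# Security.loadPolicyFile points at other than the root /crossdomain.xml.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>
"""

# Meta-policy values that still let a non-master policy file (for example one an
# attacker uploaded to the site disguised as an image or text file) be honoured.
PERMISSIVE_META = {"all", "by-content-type", "by-ftp-filename"}


def audit_policy(xml_text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    site_control = root.find("site-control")
    meta = None
    if site_control is not None:
        meta = site_control.get("permitted-cross-domain-policies")
    if meta is None:
        findings.append("no <site-control>: loadPolicyFile can pull a policy "
                        "from any path on this host")
    elif meta in PERMISSIVE_META:
        findings.append(f"permitted-cross-domain-policies={meta!r} lets "
                        "non-master policy files be honoured")

    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site can make '
                            "credentialed requests")
        elif domain.startswith("*."):
            findings.append(f"wildcard subdomain {domain!r}: any host under it "
                            "can make credentialed requests")
        # secure defaults to true for HTTPS-served policies; "false" lets an
        # HTTP-served SWF reach HTTPS resources.
        if elem.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {domain!r}: HTTP-served SWFs '
                            "may reach HTTPS resources")

    for elem in root.findall("allow-http-request-headers-from"):
        if elem.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": '
                            "arbitrary request headers from any origin")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy) or ["ok"])
```

The check for a missing site-control element is the one that matters for the loadPolicyFile case: a tight allow-access-from list on the root policy does nothing if the player will also accept a second policy file served from an upload directory.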


View from CanSecWest hotel

During the show there was also a contest called p0wnage. Three laptops running Windows, Linux, and OS X were up for grabs, along with prize money of $20,000, $10,000 or $5,000, for the first person who could exploit them or the client software installed on them. The prize money made us think that perhaps we should have waited on our latest Excel zero-day, which we disclosed to Microsoft and which was patched recently :)

The hosts at CanSecWest were excellent as usual, and the event lived up to expectations. We hope to see everyone next year!
