This is part 2 of my RSA Conference 2006 wrap-up. I started with part 1. My first talk of day 2 was Bruce Schneier. Bruce is a great speaker, but I seemed to remember his material from 2002. His major point was this: there are far too many legitimate users compared to attackers, which makes detection and prevention difficult. I believe this is a form of the problem in Axelsson's 1999 base rate fallacy (.pdf) paper. Bruce made the interesting point that by charging the conference fee ($1900 or so) to replace a lost badge, RSA had transferred a security problem entirely to the attendees.
Next I saw Nitesh Dhanjani discuss penetration testing techniques and tools. I worked with Nitesh at Foundstone, and his talk was excellent. He emphasized how he only uses open source tools for his work, because they are so easily customized to meet his requirements. Nitesh described how the Metasploit WMF exploit works. He showed how to create a new NASL script for Nessus, and made the point that the fact Nessus 3.x is closed-source makes no difference to him. Anyone can still make custom NASL scripts. Nitesh then showed how to code an Ettercap plug-in.
He continued his presentation by describing problems with the Google Firefox anti-phishing toolbar, namely that it sends all GET requests in clear text to Google -- even those referenced via HTTPS. If a user is browsing the Web with this extension enabled, and is logged in to Gmail, then Google also reads the user's Gmail cookie. Hence, Google knows exactly who you are and what you're browsing. Nice. I should also mention Nitesh used the socat tool, which I had never seen before. Nitesh finished by discussing how to use Tor to anonymously attack Web servers, which is a problem without much of a solution at the moment. I wonder if Tor servers will have to run inline filters to police this sort of activity, in the spirit of the "control" aspect of my Defensible Network Architecture framework from Extrusion Detection?
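As an added illustration of the leak Nitesh described (this is not code from his talk or from the toolbar), here is a small check a defender could run over proxy logs: it flags cleartext requests that carry an https:// URL inside a query parameter, and records whether a cookie went along. The log format, hostnames and addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of outbound requests, in an assumed proxy-log format:
# "<client> <method> <url> cookie=<yes|no>"
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://lookup.example.net/check?u=https%3A%2F%2Fbank.example.com%2Faccount%2F1234 cookie=yes
10.0.0.5 GET http://cdn.example.org/js/app.js cookie=no
10.0.0.7 GET http://lookup.example.net/check?u=http%3A%2F%2Fnews.example.com%2F cookie=yes
10.0.0.7 GET http://lookup.example.net/ping cookie=no
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) cookie=(yes|no)$")


def find_leaked_https_urls(log_text):
    """Return one finding per cleartext (http://) request whose query string
    contains an https:// URL, i.e. the address of a TLS-protected page
    disclosed on the wire to a third party."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, url, cookie = m.groups()
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # only a cleartext transport exposes the parameter to observers
        # parse_qs percent-decodes the values, so the embedded URL comes back readable
        for name, values in parse_qs(parts.query).items():
            for value in values:
                if value.lower().startswith("https://"):
                    findings.append({
                        "client": client,
                        "destination": parts.hostname,
                        "param": name,
                        "leaked_url": value,
                        "cookie_sent": cookie == "yes",
                    })
    return findings


if __name__ == "__main__":
    for f in find_leaked_https_urls(SAMPLE_PROXY_LOG):
        print(f"{f['client']} -> {f['destination']} leaked {f['leaked_url']} "
              f"(cookie sent: {f['cookie_sent']})")
```

Only the first sample line is reported: the http:// page in the third line is not a leak of protected content, and the other two requests carry no embedded URL.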
I have to board my plane shortly... part 3 will probably arrive this weekend.