CONFidence 2010

I had the honor to attend CONFidence 2010 and hear some great talks on security, as well as meet people in the industry who are outside your regular circle.

This included speakers you would not normally meet, such as from Israel, Russia, Germany and other countries.

I really enjoyed the lecture by Dan Kaminsky on how to change Internet security “one step at a time” by providing, maybe for the first time, a secure solution for session cookies, as well as solving the SQL injection issues with as little burden as possible on the developers.

Though those two ideas require proof, i.e. they are just theory now, if they do become actual code lines, I am sure people will take a deeper look into them – as the name Dan Kaminsky will surely draw attention to them.

The lecture on “Don’t touch my WinNY” proved both funny and technically interesting with the display of a 0day in the WinNY (file sharing) product.

Mario’s lecture on “The Presence and Future of Web Attacks Multi-Layer Attacks and XSSQLI” proved once again how much more work and research can be done in this field, with browsers constantly changing the rules of the game and creating new ways for attackers to inject malicious content.

Yaniv’s “Microsoft Patch Analysis” shows how straightforward a process you can follow for converting a patch by Microsoft to an exploit – the process may not be easy, but once you nail the method it shouldn’t be hard to recreate for every patch that comes out.

The second-day lecture, “Hacking games for fun and profits”, proved how wrong I am about playing games to earn prizes: the two presenters showed that they could easily win any online contest without having to actually put any effort into playing the game – that calls it quits for me on getting my highest score on Game X (change X to whatever game you like).

Alexey’s “De-blackboxing of digital camera” showed me how much can be done with very little: having access just to the LED of the camera allowed them to dump the camera’s memory via a blinking-LED data transfer method – even though it was slow, it proved useful in bypassing the protection mechanisms implemented in the camera.

Chris’s “Web browser PKI/SSL security policy weaknesses and a potential solution” talked about how the wording shown to people in relation to SSL should really change – and I have to agree – saying to someone that the certificate name doesn’t match doesn’t tell mom and pop what they should do about it. Is that a good or bad thing? Should they continue or not?

To summarize, there is a lot to learn, and much to listen to. I hope to catch you all again at the next conference with new information and new techniques.

Keep up the good work,