Archive for the ‘Shmoocon’ Category

ShmooCon Pregame

Thursday, February 5th, 2009

(Wait, isn’t tonight’s OWASP meeting the pregame? ;-)

So, in about eighteen hours, I’ll (hopefully) be picking up my badge and getting started on this year’s version of ShmooCon.

Shmoocon is definitely a con where the best parts happen “off the record,” in the hallways, bars, and restaurants, or at events like Hack or Halo, Hacker Arcade, the Locksmith Village, the parties, the list goes on and on. Last year suffered from extremely hit-or-miss talks, to the point where the end of the con seemed to revolve around people asking why some talks were allowed in. However, I’m cautiously optimistic this year looking over the presenter list, and pretty excited about some of the presentations.

Shmoo’s opening day is traditionally slow, with a lot of people not even really getting to Shmoo until that evening, and then really only to socialize. Only one track runs Friday night, with a scattering of talks that could be big among others that look to be more on the fun/informative side, covering physical and hardware hacking. Of interest to me is “The Day the Spam Stopped,” discussing a botnet takedown that removed a large chunk of spam from the internet. Most spam victories seem to still be all too Pyrrhic, but there have been several instances in the past year where removal of a small chunk of the internet has resulted in a drastic reduction of spam . . . for the next 24-48 hours. However, it shows that large quantities of spam can be tracked to their origin and action taken, perhaps laying the groundwork for a more proactive approach to at least making things more difficult for the bad guys.

“Automated Mapping of Large Binary Objects” looks to be the one preso that could be truly groundbreaking Friday evening — the group is presenting an open source tool that will allow analysts to quickly jump to important information segments in binary files, which previously have been a royal pain to analyze in their entirety.

“Watching the Watcher,” a talk about third-party web tracking, should prove informative to those not that familiar with the topic. I’m curious to see their take on it, and willing to go in with an open mind that I might not know everything they are going to talk about, but I doubt it will be all that new to those familiar with the process.

The rest of the afternoon/evening looks like good clean hacker fun — open source tools to help build your own UAV drone, the art behind recent Shmooball launchers, and hacking Kwikset Smartkey locks.

Friday night, HacDC is throwing the “official?” Shmoo Friday night party (the question mark is there because, although I have no doubt it’s blessed, there is no mention of it in the Official Shmoo Schedule). For those of you not familiar, HacDC is housed in a church just off 16th Street in Columbia Heights. It’s a bus or a cab ride from the hotel if you are headed that way. Check them out if you don’t have other Friday night plans.

I won’t try to pick the “best talks,” but I’ll outline what I’m interested in for what that’s worth. As is usually the case at Shmoo, the most interesting talks look to be in the “Break It!” track, and this year is no exception. I often lament this syndrome, but Shmoo is pretty eclectic, and it’s always easy to make breaking things look sexy. I predict I won’t make a talk at 10 AM. It’s a toss-up at 11 AM as to whether I should check out the obvious web app sec bit of “Fail 2.0, Further Musings on Attacking Social Networks,” which will probably be more of a recap of the many ways complex web apps are complex web apps on the public intarwebs, and (surprise!) you can find holes in that and take advantage of it, versus seeing Charlie Miller put another notch in his cap pwning Android. “Hack the Genome” at noon looks worth going to just because it is such a wack topic (possible overlap between principles applied in cryptography and extrapolating information from genomes), but I might bail on that a little early, because A., the lunch rush during Shmoo is always hell, and B., I really want to be back in time for the “Blinded by Flash” talk at 2 PM.

The intarwebs tells me that this talk has been well received at other cons recently, and I’m looking forward to seeing it – I know that the truly l33t are moving on to hacking Zunes via TCP over bongos, but “plain old” web app sec issues are still probably the biggest problem out there, and Flash is what is propelling a large chunk of the next iteration of the web. So, while I’ve grown a little bored of “same old web app” issue talks (though I think they are still VERY valid), ones with Flash excite me, because it’s something that a lot of people are still just getting a handle on. This is one of the few timeslots where I wish I could clone myself, because Jay Beale’s talk looks to be very interesting (practical application of MITM with a software tool, which makes MITM much more interesting than just talking about it in theory), as does a talk on US search and seizure law and privacy issues as they pertain to computer geeks.

At 1500, I figure I’ll check out the “Spread Your Spectrum” talk to see if there’s anything revolutionary in there. The “Off the Shelf Security” talk has potential (discussing creating a COTS product based system for automated crime response, stitching the pieces together with Open Source software), and the Anti-SAMY talk is a must see – it’s an actual “defense” talk that should be sexy in its own right, and worth seeing (despite my OWASP bias). Conversely, if you want to stick to offense, I’m sure the latest on Fast Track and Back Track will probably be worth the cost of admission. Then dinner and “the party,” and maybe when/if it loses my interest I’ll head to Spellbound DC.

Sunday, Chris Paget’s talk about cloning RFID badges and passports is likely to be the talk of the con. It’s the one with the most direct impact on the world around us (especially in DC), and is painfully simple and practical. It’s also getting the most media attention. If there’s going to be one talk that’s going to get “Black-hatted,” this is going to be it — which would be a shame, as Chris has had this problem before. At Black Hat DC in 2007, I ended up chatting with him and several other folks at IOActive about the state and prevalence of RFID in Washington DC, just after his talk was modified due to the threat of legal action from an ID manufacturer. “Disclosure for Web Infections” could potentially be interesting, but who are we kidding, most likely I’ll be at 0wn the Con if I’m not wandering in a hallway or being hungover. Sunday is like that at ShmooCon. The closing group discussion looks to be good fun this year (aren’t they always), and the closing melee is one of the heights of Shmoo.

See you at the con!

Shmoocon 2008 — the “not sexy” talks part II

Tuesday, February 26th, 2008

The second “non-sexy” talk I attended was by Rohit Sethi and Nish Bhalla of Security Compass, on Aspect Oriented Programming. This is a topic that I have been told to look into by a variety of my developer friends; it’s pretty simple and profound, and very timely to have in the sights of security practitioners. Even though the talk was in the “main room,” it was severely under-attended compared to most of the talks in that track.

Converting a project to aspects involves compiling with an extra library and a special compiler, but no real alteration of the source code. Instead, the developer writes aspects, which act as hooks for functions or calls already in the code. So, if you have 100 functions that are all doing similar things, you can write one aspect that affects every function matching a regex-like filter in the aspect. The aspect hooks any function that matches its parameters, processes the call, and then returns control to the point where it intercepted the call.

There have been numerous arguments against aspect oriented programming, most of which are based on FUD and were well debunked by the presenters. Aspect oriented programming does add overhead, but if the weaving is done at compile time the cost is very small. If it is done at runtime, it’s a bit more, but still tolerable.

The functionality can also be used for code auditing: instead of matching functions and modifying them, the aspect can log every time something matching its parameters is hit. An example of this is setting an aspect to check for un-parameterized SQL queries, running the program, and then checking the log to see which queries need to be parameterized, without having to go through every line of source code.
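To make the hook-and-log idea concrete, here is an added example (mine, not Security Compass’s code and not the AspectJ tooling the talk used). It approximates an aspect in plain Python: `weave` rewrites every method of a class whose name matches a regex so that a piece of advice runs before the original call, and `audit_sql` is advice that records the calling function and line whenever a query reaches the database with a literal value in a predicate and no bind parameters. `FakeDb`, the three `find_*` functions and the literal-detection regex are constructed for the demonstration; nothing here is a real database driver.

```python
import functools
import inspect
import re

AUDIT_LOG = []  # records written by the auditing advice


def weave(cls, name_pattern, advice):
    """Aspect-style hook: wrap every method of `cls` whose name matches the
    regex `name_pattern` so that `advice` runs before the original call.
    The original method still runs and its return value is passed back
    unchanged, which mirrors an AspectJ "before" advice (constructed helper,
    not a library API)."""
    pattern = re.compile(name_pattern)
    for name, member in list(vars(cls).items()):
        if not callable(member) or not pattern.search(name):
            continue

        def make_wrapper(original):
            @functools.wraps(original)
            def wrapper(*args, **kwargs):
                # f_back is the frame of whoever invoked the hooked method,
                # which is the "where do I need to fix this" information.
                caller = inspect.currentframe().f_back
                advice(original.__name__, args, kwargs, caller)
                return original(*args, **kwargs)
            return wrapper

        setattr(cls, name, make_wrapper(member))


# Heuristic: a predicate compared against a quoted string or a bare number
# was almost certainly built by string formatting rather than bound as a
# parameter.  A "?" placeholder does not match.
LITERAL_IN_PREDICATE = re.compile(r"=\s*('[^']*'|\d+)")


def audit_sql(method_name, args, kwargs, caller):
    """Advice: log calls that pass no bind parameters but embed a literal
    value in the SQL text.  args[0] is `self` on the hooked method."""
    sql = kwargs.get("sql", args[1] if len(args) > 1 else "")
    params = kwargs.get("params", args[2] if len(args) > 2 else ())
    if not params and LITERAL_IN_PREDICATE.search(sql):
        AUDIT_LOG.append({
            "method": method_name,
            "caller": caller.f_code.co_name,
            "file": caller.f_code.co_filename,
            "line": caller.f_lineno,
            "sql": sql,
        })


class FakeDb:
    """Constructed stand-in for a database connection."""

    def execute(self, sql, params=()):
        return (sql, params)


# Constructed "application" code.  Two functions build SQL by string
# formatting (the defect the audit looks for); one uses a placeholder.
def find_user(db, username):
    return db.execute("SELECT * FROM users WHERE name = '" + username + "'")


def find_order(db, order_id):
    return db.execute("SELECT * FROM orders WHERE id = %d" % order_id)


def find_product(db, sku):
    return db.execute("SELECT * FROM products WHERE sku = ?", (sku,))


# Weave the audit aspect into every FakeDb method whose name starts with
# "exec" -- the application functions above are untouched.
weave(FakeDb, r"^exec", audit_sql)


def run_audit():
    """Exercise the application and return the names of the functions that
    issued un-parameterized queries."""
    AUDIT_LOG.clear()
    db = FakeDb()
    find_user(db, "alice")
    find_order(db, 42)
    find_product(db, "SKU-1")
    return [entry["caller"] for entry in AUDIT_LOG]


if __name__ == "__main__":
    for name in run_audit():
        hit = next(e for e in AUDIT_LOG if e["caller"] == name)
        print("%s:%d %s(): %s" % (hit["file"], hit["line"], name, hit["sql"]))
```

Running it reports `find_user` and `find_order` with their file and line, and stays silent for `find_product`. The regex is deliberately crude; the point of the technique is that the aspect is the only place it lives, so tightening it (or swapping it for a real SQL tokenizer) changes nothing in the application code.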

The talk was well presented, and showed enough code samples for a working explanation of how aspects work, but was not so complicated as to lose the non-developers in the audience. The talk had a lot of similarities on a higher level to atlas’ talk about “VTRACE and Programmatic debugging,” which was later in the con (I unfortunately missed the talk, but I spoke with atlas by the Intelguardians booth afterwards and we discussed the similarities — I intend to waste more of the Internet once the video or slides of it are out and I can compare both of them).

Shmoocon 2008 — the “not sexy” talks part I

Tuesday, February 26th, 2008

I owe the blog several bits on Shmoocon, but work and schedule have conspired to hold me up a bit. So, a week and change delayed, I present some of my thoughts on this year’s Shmoo.

The rest of Shmoo (following my day one post) was fun, and I had a great time hanging out with a cast of characters from several of our local communities — folks who I know from OWASP DC, CapSec DC, and Refresh DC, in addition to the amazing cast of Shmoos and the wide array of presenters and vendors who were present.

My overall impression of this year’s Shmoo is that while I had a great time, the presentations seemed a bit lacking as a whole. For better or for worse, there were not as many “big names” on the con circuit presenting (though some were in attendance), and not as many talks that made you just sit up and go “woah.” And on the other hand, there’s always an issue with the fact that some of the most headline grabbing talks often are very much “part of the problem” versus part of the solution, and there were some very good talks on remediation and theory, which is far less sexy. Some of the most important talks this year were in that less sexy category, but those talks were (from what I could see) dismissed, underattended, or both.

The “not sexy” problem has come up in a lot of discussion over the past year. I’ve been exposed to it mainly in web app sec circles (see Andrew van der Stock’s rant), but it’s a recurring theme — patching is not as sexy as buffer overflows, code validation is not as sexy as injections and XSS, and trying to get users to practice “safe” browsing has nothing on building a web scanner out of JavaScript. Also, not-sexy preventative talks often aren’t uber-technical, as the technical challenge they present is way too huge to address in an hour. They are often theory talks, and those too often lose appeal in the hacker con crowd.

Jay Beale of Intelguardians (and Bastille Linux fame) gave a talk about “They’re hacking our clients!” which, instead of having a 0-day IE exploit or something of that ilk, was about the trend of penetration attempts (for good or for bad) changing the focus of their attacks from the servers to the clients. He pointed out that the bad guys have been doing it for years, and he and his peers are regularly using it now for their testing as well, since it is in many ways far easier than trying to break into hardened servers that are expecting attacks. In many ways, “hacking the client” gives the best Return On Investment for penetration testers — they get the myriad resources available on the workstation, and usually easy access to the internal network. The focus on server security has made servers less desirable targets.

Jay also weighed in on the “user” argument — as much as we would like to believe the problem can be solved by educating users, it’s not a viable solution any time soon (though I personally still strongly believe in it) — there are too many non-savvy users out there who “need” the Internet, and it’s not a fair expectation to train them. The problem with non-savvy users can also be categorized as “social engineering” or “patch management,” but those are equally unsolvable. In the modern age, you have not only OS and browsers and software, but you then have plug-ins, customizations, and exponentially more things to worry about.

At this point, the talk devolved slightly, but Jay advocated one way to get a handle on this is to filter at your choke points, and restrict access — not necessarily NAC, but rather focusing on clients accessing resources. If you have an organization where “everyone accesses the web,” run them through a proxy, and use the techniques that the bad guys could (to fingerprint and determine versions) for good — if someone isn’t patched, deny them access with instructions on how to remediate. This triggered the crowd, with anecdotes from people having “done this 10 years ago” to rants against stupid users, NAC, et al.
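As an added illustration of the proxy idea above (my example, not anything Jay Beale showed), here is the smallest useful version of the policy: fingerprint the browser from the request, compare it against the oldest build the organization considers patched, and either allow the request or deny it with remediation instructions. The `MINIMUM_VERSIONS` table, the User-Agent regexes, the remediation URL and the sample request lines are all constructed for the demonstration; the version numbers are placeholders, not a recommendation.

```python
import re

# Constructed policy table (assumption, not from the talk): the oldest
# browser build the proxy lets through, keyed by product name.
MINIMUM_VERSIONS = {
    "Firefox": (3, 0, 6),
    "MSIE": (7, 0),
}

REMEDIATION_URL = "https://intranet.example/patch-help"  # placeholder

# Constructed fingerprint patterns.  Order matters only if a UA string
# could match more than one product; these two are disjoint.
_UA_PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("MSIE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]


def parse_version(text):
    """'3.0.6' -> (3, 0, 6), so versions compare correctly as tuples."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(user_agent):
    """Return (product, version tuple), or (None, None) if unrecognised."""
    for product, pattern in _UA_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return product, parse_version(match.group(1))
    return None, None


def decide(user_agent):
    """Proxy policy: allow current builds, deny stale ones with a remediation
    message, and let unrecognised clients through unchecked (fail-open;
    see the note below)."""
    product, version = fingerprint(user_agent)
    if product is None:
        return "allow", "unrecognised client; not checked"
    shown = ".".join(str(n) for n in version)
    minimum = MINIMUM_VERSIONS[product]
    if version >= minimum:
        return "allow", "%s %s is current" % (product, shown)
    wanted = ".".join(str(n) for n in minimum)
    return "deny", "%s %s is older than %s; update instructions: %s" % (
        product, shown, wanted, REMEDIATION_URL)


# Constructed sample User-Agent headers as a proxy would see them.
SAMPLE_REQUESTS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080129 Firefox/2.0.0.12",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "curl/7.19.0",
]


def evaluate_samples():
    """Return the verdict for each constructed request, in order."""
    return [decide(ua)[0] for ua in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for ua in SAMPLE_REQUESTS:
        verdict, reason = decide(ua)
        print("%-5s %s" % (verdict, reason))
```

Two design points worth stating. First, a User-Agent header is whatever the client chooses to send, so this gate catches the honest-but-unpatched majority rather than anyone trying to evade it; the talk’s stronger version uses the same active fingerprinting the attackers do. Second, unknown clients fail open here so that a new browser or a scripted tool does not lock the whole organization out; flipping that to fail-closed is a one-line change in `decide`, and which way to go is a policy decision, not a technical one.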

One last takeaway was Jay’s mention of the metagoofil project — it’s a crawler that does recon (via google) on all the documents hosted at an organization (and available through the web) — it crawls them and then strips all the metadata it can — devastatingly powerful at creating a picture of the state of internal resources. Jay proposed cross-referencing your reports with a source such as the Open Source Vulnerability Database (OSVDB) for vulnerabilities, and then going after those who are not up to par — for good, to patch, for bad, as targets — and also extending the proxy idea to other services — prevent connections to mail, ftp, or allow and log.

There wasn’t really a specific conclusion, but as many talks of this type do, it showed a trend, drawn from real-world examples of people who do it every day: the “mainstream” security industry in the established world is still behind the curve of where the moving focal point of attackers currently is. I’m sure the talk was poo-pooed by many l33t hackers in the crowd for being something that “everybody knows” or being non-technical, but I think it proved some points and brought out some decent discussion if you could get past the people who immediately went for the vitriol.

Shmoo day 1

Saturday, February 16th, 2008

A quick update because it’s really late and there is more Con tomorrow –

Having Katsucon just around the corner provided some interesting sightseeing in the neighborhood during lunch — it’s really a shame that both of the conventions aren’t in the same hotel . . .

Talks were short today, and most of the day was about getting reg, swag, and meeting up.

A quick rundown of the highlights I saw in one sentence summaries (or two):

H1kari’s talk on GSM interception and cracking — the tagline was that you could now sniff GSM on affordable equipment – which you can with a < $1000 board and some parts. However, actually cracking the encryption is well into the 6-figure range. The takeaway is that it is doable, and that if your friendly neighborhood hacker can’t afford it, your not-so-friendly government or large NGO of dubious repute certainly can, if they aren’t already, and the standards need to be upgraded.

Deral Heiland’s talk on hacking web portals — Deral and his crew found a Java portlet that appeared to allow XSS — on closer prodding, it turned out to be something that was actually exploitable server side. Further digging showed that the portlet could be used as a proxy to do all sorts of nasty stuff to the internal network. Moral — do your app sec on all apps, especially anything touching the intarwebs. And, defense in depth — a variety of other security practices (none of which were in place) would have limited the damage a vulnerable piece like that can do.

Isaac Mathis’s talk on “Hacking the Samurai Spirit” — nothing new if you are a Japanophile, but he confirmed from years of his experience how hacking is at odds with many facets of Japanese culture, and talked about hacking in a cultural context. The big takeaway is that a lot of non-technical social engineering attacks of an unscrupulous nature work very well on a society with very indoctrinated value sets.

The 1LW folks and associated friends from OWASP and Refresh did lots of gabbing and hanging out in the corridors, bumping into the likes of Brian Krebs, and folks from Intelguardians and IOActive, as well as the normal cast of Shmoo living legends. We ended up burning a chunk of time at the lockpicking pavilion, grabbed a tasty Indian dinner at Rajaji, and then headed down to U Street for drinks.

More later, it’s late. Tomorrow features the majority of the talks and the official Con Party.

Shmoocon this weekend

Thursday, February 14th, 2008

For those of you lucky enough to have gotten tickets, Shmoocon is taking place in Washington DC at the Wardman Park Marriott this weekend. The ever-growing new darling of the underground security conference scene looks to clock in at about 1500 attendees this year, meaning that it has almost doubled in size every year.

We’ll be there in force, so drop us a line if you want to meet up.