Archive for February, 2008

TED and the Big Questions

Friday, February 29th, 2008

Most of this blog has been security related, but I did promise some bits about presence. This is really reaching, but I think it merits a post.

In the broader sense, I think that the ongoing TED conference this week shows the power of the Internet for communication, in a condensed and powerful way that is not often seen or realized. You have a condensed group of true movers, shakers, thinkers and dreamers, in some cases people with agendas, in some cases people who may really matter to the continuation of our species, all putting forth their ideas in a concentrated outpouring, all available to anyone who has a net connection. Yes, it happens every day when famous or notable people blog all over the world, it’s just the distillation that this provides that makes it remarkable to me.

Live blogging and various reports from the conference are all over the blog-o-sphere — boingboing specifically is covering a lot of the talks. Eventually, many presentations are available through various media formats from the TED site.

If you are not familiar with it, I highly suggest you put a few hours aside when it is all “said and done” and take a look at some of the things that were discussed this week.

Certification for Web Application Security

Thursday, February 28th, 2008

It is my pleasure to announce that SANS, in coordination with WASC, has announced that a new Web Application Security Certification is in the works. You can read the announcement or some blog posts on the subject. This will provide a measure for people outside the Web Application Security community to gauge a person’s abilities in the space. This is something that has been lacking in the Web Application Security space and shows that it is maturing from an ad hoc to a more institutionalized industry. While the wild west of WebAppSec was fun, it’s important that the industry begin to produce some recognized standards and certifications so that managers, recruiters, and contract officers can have some assurance about the quality of personnel and work products produced.

More after the bump.


CapSec DC Reminder

Tuesday, February 26th, 2008

This Thursday!

CapSecDC
Thursday February 28th, 7:30 PM

The Brickskeller
1523 22nd St NW
Washington DC 20037

Shmoocon 2008 — the “not sexy” talks part II

Tuesday, February 26th, 2008

The second “non-sexy” talk I attended was by Rohit Sethi and Nish Bhalla of Security Compass, on Aspect Oriented Programming. This is a topic that I have been told to look into by a variety of my developer friends, and it’s pretty simple and profound, and very timely to have in the sights of security practitioners. Even though the talk was in the “main room,” it was severely underattended compared to most of the talks in that track.

Converting a project to aspects involves compiling with an extra library and special tooling, but no real alteration of the source code. Instead, the developer writes aspects, which act as hooks for functions or calls already in the code. So, if you have 100 functions that all do similar things, you can write one aspect that affects every function matching a regex-like filter declared in the aspect. The aspect hooks any function that matches its pattern, processes the intercepted call, and then returns control to the point where it intercepted the call.

There have been numerous arguments against aspect oriented programming, most of which are based on FUD and were well debunked by the presenters. Aspect oriented programming does carry a performance cost, but if the aspects are applied at compile time the cost is very small. If they are applied at runtime it’s a bit more, but still tolerable.

The same functionality can also be used for code auditing: instead of matching functions and modifying them, the aspect can log every time something matching its pattern is hit. One example is writing an aspect that checks for un-parameterized SQL queries, running the program, and then reading the log to see where the queries that need to be parameterized are issued, without having to go through every line of source code.
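As an added illustration of the two preceding paragraphs (this is not code from the talk or from Security Compass), the sketch below re-creates the mechanism in Python: a small decorator-based weaver hooks every function whose name matches a regex-like pointcut without editing those functions, and an auditing aspect logs un-parameterized SQL together with the call site that issued it. The function names, the heuristic for “un-parameterized,” and the sample application are all constructed for the example.

```python
import re
import sqlite3
import inspect
from functools import wraps

# Findings collected by the auditing aspect: (hooked function, call site, SQL text).
AUDIT_LOG = []

# Heuristic: a quoted literal in the SQL text, with no separate parameter tuple, suggests string-built SQL.
QUOTED_LITERAL = re.compile(r"'[^']*'")

def sql_audit_aspect(fn):
    """Advice: inspect the SQL handed to fn, log it if un-parameterized, then call through."""
    @wraps(fn)
    def advice(*args, **kwargs):
        sql = args[0] if args else kwargs.get("sql", "")
        params = args[1] if len(args) > 1 else kwargs.get("params")
        if isinstance(sql, str) and not params and QUOTED_LITERAL.search(sql):
            caller = inspect.currentframe().f_back  # the code that issued the query
            AUDIT_LOG.append((fn.__name__, f"{caller.f_code.co_name}:{caller.f_lineno}", sql))
        return fn(*args, **kwargs)  # return control to the original function
    return advice

def weave(namespace, pattern, aspect):
    """Pointcut: hook every callable in namespace whose name fully matches pattern."""
    rx = re.compile(pattern)
    hooked = [name for name, obj in namespace.items() if callable(obj) and rx.fullmatch(name)]
    for name in hooked:
        namespace[name] = aspect(namespace[name])
    return hooked

# Application code under audit (constructed for this example, not from the talk).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users(name TEXT, role TEXT)")
DB.execute("INSERT INTO users VALUES ('alice', 'admin')")

def run_query(sql, params=()):
    return DB.execute(sql, params).fetchall()

def run_report(sql, params=()):
    return DB.execute(sql, params).fetchall()

def find_user_unsafe(name):  # value spliced into the SQL text: what the audit should flag
    return run_query(f"SELECT role FROM users WHERE name = '{name}'")

def find_user_safe(name):  # placeholder plus parameter tuple: passes the audit
    return run_query("SELECT role FROM users WHERE name = ?", (name,))

# Weave the aspect into every module-level function matching run_.*, without editing them.
HOOKED = weave(globals(), r"run_.*", sql_audit_aspect)
```

Running the application once and then reading AUDIT_LOG points straight at find_user_unsafe, while the parameterized call leaves no entry.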

The talk was well presented, and showed enough code samples for a working explanation of how aspects work, but was not so complicated as to lose the non-developers in the audience. The talk had a lot of similarities on a higher level to atlas’ talk about “VTRACE and Programmatic debugging,” which was later in the con (I unfortunately missed the talk, but I spoke with atlas by the Intelguardians booth afterwards and we discussed the similarities — I intend to waste more of the Internet once the video or slides of it are out and I can compare both of them).

Shmoocon 2008 — the “not sexy” talks part I

Tuesday, February 26th, 2008

I owe the blog several bits on Shmoocon, but work and schedule have conspired to hold me up a bit. So, a week and change delayed, I present some of my thoughts on this year’s Shmoo.

The rest of Shmoo (following my day one post) was fun, and I had a great time hanging out with a cast of characters from several of our local communities — folks who I know from OWASP DC, CapSec DC, and Refresh DC, in addition to the amazing cast of Shmoos and the wide array of presenters and vendors who were present.

My overall impression of this year’s Shmoo is that while I had a great time, the presentations seemed a bit lacking as a whole. For better or for worse, there were not as many “big names” on the con circuit presenting (though some were in attendance), and not as many talks that made you just sit up and go “woah.” And on the other hand, there’s always an issue with the fact that some of the most headline grabbing talks often are very much “part of the problem” versus part of the solution, and there were some very good talks on remediation and theory, which is far less sexy. Some of the most important talks this year were in that less sexy category, but those talks were (from what I could see) dismissed, underattended, or both.

The “not sexy” problem has come up in a lot of discussion over the past year. I’ve been exposed to it mainly in web app sec circles (see Andrew van der Stock’s rant), but it’s a recurring theme — patching is not as sexy as buffer overflows, code validation is not as sexy as injections and XSS, and trying to get users to practice “safe” browsing has nothing on building a web scanner out of JavaScript. Also, “not sexy” preventative talks often aren’t uber-technical, as the technical challenge they present is way too huge to address in an hour. They are often theory talks, and those too often lose appeal in the hacker con crowd.

Jay Beale of Intelguardians (and Bastille Linux fame) gave a talk titled “They’re hacking our clients!” which, instead of having a 0-day IE exploit or something of that ilk, was about the trend of penetration attempts (for good or for bad) shifting their focus from the servers to the clients. He pointed out that the bad guys have been doing it for years, and he and his peers are regularly using it now for their testing as well, since it is in many ways far easier than trying to break into hardened servers that are expecting attacks. In many ways, “hacking the client” gives the best Return On Investment for penetration testers — they get the myriad resources available on the workstation, and usually easy access to the internal network. The focus on server security has made servers less desirable targets.

Jay also weighed in on the “user” argument — as much as we would like to believe the problem can be solved by educating users, it’s not a viable solution any time soon (though I personally still strongly believe in it) — there are too many non-savvy users out there who “need” the Internet, and it is not a fair expectation to train them all. The problem with non-savvy users can also be categorized as “social engineering” or “patch management,” but those are equally unsolvable. In the modern age, you have not only the OS, browsers and software, but then plug-ins, customizations, and exponentially more things to worry about.

At this point, the talk devolved slightly, but Jay advocated that one way to get a handle on this is to filter at your choke points and restrict access — not necessarily NAC, but rather focusing on clients accessing resources. If you have an organization where “everyone accesses the web,” run them through a proxy, and use the techniques that the bad guys could (to fingerprint and determine versions) for good — if someone isn’t patched, deny them access with instructions on how to remediate. This triggered the crowd, with anecdotes from people having “done this 10 years ago” to rants against stupid users, NAC, et al.

One last takeaway was Jay’s mention of the metagoofil project — it’s a crawler that does recon (via google) on all the documents hosted at an organization (and available through the web) — it crawls them and then strips all the metadata it can — devastatingly powerful at creating a picture of the state of internal resources. Jay proposed cross-referencing your reports with a source such as the Open Source Vulnerability Database (OSVDB) for vulnerabilities, and then going after those who are not up to par — for good, to patch, for bad, as targets — and also extending the proxy idea to other services — prevent connections to mail, ftp, or allow and log.

There wasn’t really a specific conclusion, but as many talks of this type do, it showed a trend, drawn from real-world examples of people who do it every day, that the “mainstream” security industry in the established world is still behind the curve of where the moving focal point of attackers currently is. I’m sure the talk was pooh-poohed by many l33t hackers in the crowd for being something that “everybody knows” or being non-technical, but I think it proved some points and brought out some decent discussion if you could get past the people who immediately went for the vitriol.