Sunday, February 17, 2008

Shmoocon 08 Day 2

Ok, I got up a little late and it took the spouse a min or two to get me to the metro, then the metro was doing work on one of the tracks. Suffice to say I was late; I got there for the noon talks. I tried to get a hotel room Friday nite but no dice, did get one on Saturday nite so I didn't have to deal with the metro crap.


Started with Jay Beale's "They're Hacking Our Clients! Why are We Focusing Only on the Servers" talk. It didn't seem any different than the slides from toorcon. The gist is that we should incorporate client-side testing into pen tests, because that's how people are getting in now, and that we shouldn't allow customers to cop out and say "we have a user education program so no attacking the clients." He then went on to talk about some VA stuff like checking squid logs for clients on your network that are running vulnerable versions of apps like browsers or mail clients. You would then blackhole those guys off until patches were applied. I'll let Dean vent the most on that, because he raised the great point that if you blackhole some mucky muck's laptop and tell them to patch their box you're gonna get your ass fired up, especially since it's usually IT's job to patch stuff and most users don't have permissions to even update stuff most of the time.
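The squid-log check mentioned above, sketched as an added example (not code from the talk or from this post): it reads lines in Squid's built-in `combined` log format, pulls the client address and User-Agent, and lists clients whose browser or mail client is below a version baseline. The baseline versions, the log lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Squid "combined" logformat: client ident user [time] "request" status bytes "referer" "user-agent" ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TOKEN_RE = re.compile(r'\b(?P<product>[A-Za-z]+)/(?P<ver>\d+(?:\.\d+)*)')

# Constructed baseline: product token -> minimum acceptable version (not taken from any advisory).
BASELINE = {"Firefox": (2, 0, 0, 12), "Thunderbird": (2, 0, 0, 9)}

# Constructed sample log; the last line is Squid's native format and must be skipped.
SAMPLE_LOG = '''\
10.0.0.15 - - [16/Feb/2008:12:01:07 -0500] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" TCP_MISS:DIRECT
10.0.0.22 - - [16/Feb/2008:12:01:09 -0500] "GET http://example.com/a HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" TCP_HIT:NONE
10.0.0.31 - - [16/Feb/2008:12:02:44 -0500] "GET http://example.com/img.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070728 Thunderbird/2.0.0.6" TCP_MISS:DIRECT
1203181267.123 45 10.0.0.40 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/192.0.2.10 text/html
'''

def below(version, minimum):
    """Compare dotted versions as tuples, zero-padding the shorter one."""
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(minimum)

def outdated_clients(lines, baseline=BASELINE):
    """Return {client_ip: {(product, version_string), ...}} for clients below baseline."""
    findings = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in "combined" format, or malformed
        for tok in TOKEN_RE.finditer(m.group("ua")):
            minimum = baseline.get(tok.group("product"))
            if minimum is None:
                continue  # product token we hold no baseline for
            version = tuple(int(p) for p in tok.group("ver").split("."))
            if below(version, minimum):
                findings[m.group("client")].add((tok.group("product"), tok.group("ver")))
    return dict(findings)

if __name__ == "__main__":
    for client, apps in sorted(outdated_clients(SAMPLE_LOG.splitlines()).items()):
        print(client, sorted(apps))
```

User-Agent strings are client-supplied, so a report like this is a triage list to confirm against patch inventory, not proof of what is installed.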

Next up was "Why are Databases so Hard to Secure" by Sheeri Cabral. I rolled in late and must have missed the good stuff, because by the time I got in there I just saw a bunch of SQL in there and some talk about how developers should do something or the other...meh

After that was "VoIP Penetration Testing: Lessons Learned" by John Kindervag and Jason Ostrom, for me the best talk of the day. They talked about some features they added to voiphopper. If you have seen the SecurityFocus article on VoIP hacking, they just added to that. It was good though.

"Got Citrix? Hack It!" by Shanit Gupta talked about different ways to break out of Citrix apps to get command shells, IE boxes, or explorer boxes. Pretty neat.

"Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to 'SPIKE Land'" by Enno Rey and Daniel Mende. I'm a big believer in listening to a few talks at a con that are above your skill level so you can rise up to that. I'm not an exploit-dev guy, I wish I was, so I took the opportunity to listen to the layer 2 fuzzing talk. Enno and Daniel basically modified SPIKE to fuzz layer 2 cisco protocols like DTP, VTP, MLPS and two others I don't remember. No exploitation, but they were able to get some "fun" reactions from different cisco products.

Talked some way cool wireless stuff with one of the intelguardians. He showed me wi-spy and zigbee and talked about the cool things in the future that could be done against zigbee type products.

Didn't make the shmoo party, had dinner with dean and talked about the talks and some other projects we got working, then hung out, had beers, and talked SQLI with j0e and dean.

1 comment:

Sheeri K. Cabral said...

If you'd like more technical stuff, I definitely recommend picking up Ron Ben Natan's "Implementing Database Security and Auditing" -- chock full of examples, technical information, and pretty much exactly what people would have wanted.

Amazon link to the book (I took out any referral information)