Monday, February 18, 2008

Shmoocon 2008 (my $0.02)

So I missed day one of the con as I was stuck on planes and in airports for damn ages. After a few hours' sleep I headed to DC to meet up with Chris and Joe and check out the presentations. Chris filled me in on H1kari's GSM presentation which sounded really cool. Gonna have to check that out.
I got to sit in on Jay Beale's "They're Hacking Our Clients!..." presentation. It was a repeat of the Toorcon talk and did not bring in much new material at all. Jay is a real sharp guy and a great presenter but he really was not talking about anything the folks listening did not already know. The user is the 'new' attack vector. He made good points and mentioned ideas for looking at user-agent strings from browsers, mail client identifiers and using those in conjunction with tools like Squid to prevent access to mail or the web until the user patches. I believe the term is NAC. All Jay was proposing is a simple form of NAC. Still the method of implementation is not a bad idea but it's trivial to spoof user-agent strings to bypass that. Injecting iframes with mr-t into the user's browser once a day was also suggested. Not a bad way to detect third party plugins but what about when the user is on the road or at home?

I really want to see what happens when IT prevents a user from getting mail until he patches his computer. It seemed to me that the presentation forgot the fact that productivity trumps security every time. If what we do impacts a user's ability to perform their job we have failed at our job.

I'm not even going to comment on "Why are Databases so Hard to Secure" by Sheeri Cabral. She might be sharp and have DB knowledge but she really did not present well on what is an interesting topic. All I can remember is "ACLs are good".

Next up was "VoIP Penetration Testing: Lessons Learned" by John Kindervag and Jason Ostrom. This was an awesome talk. Great presenters and a really interesting topic. VLAN hopping with voiphopper! Damn cool and they did a live demo too! I can see sooo many networks getting owned with this! Unplug phone, plug in laptop, own network!

At that point I was fried after no sleep and 24 hours of travel so I blew off the next talks and crashed in the hotel room for a few hours. Drinks and dinner with Chris and then hanging with Joe and talking up a storm. Lots of fun.

Today I got to see valsmith's and danny's talk on Malware Software Armoring Circumvention. All I can say is DAMN! Very, very cool stuff! Follow Chris's link below and check it out. Well worth it if you are into RCE at all.

I was really excited to see Josh Wright's and Brad Antoniewicz's presentation on attacking EAP implementations. I was not disappointed at all. A damn cool talk about a very cool topic. So many of my clients use PEAP, TTLS or another flavor of EAP and so I was really interested to see attacks against 802.1x implementations in action. They show how easy it is to capture credentials, either hashes in the case of ms-chapv1/2 or plain-text credentials in the case of PAP, simply using a rogue AP and a patched version of FreeRADIUS. A live demo too!

Chris and I ran into dre and Marcin. It was cool to put a face to the names. After that I had to run to a cab and head back to the train.

All in all it was a good con. It was definitely more about chilling with some friends and meeting new people.

dean de beer


Sheeri K. Cabral said...

Sorry to disappoint -- I completely estimated wrong about what people wanted to see (new rule: don't present at a con I haven't been to yet!). If you'd like more technical stuff, I definitely recommend picking up Ron Ben Natan's "Implementing Database Security and Auditing" -- chock full of examples, technical information, and pretty much exactly what people would have wanted.

Amazon link to the book (I took out any referral information)

Anonymous said...

Hey Dean, it was fun meeting you and Chris as well. Shoot me an email sometime.

CG said...

cool thanks Sheeri. to be fair i missed the first part, which talking to people after, i would have been more interested in. one guy who left said he wanted to see code and i was like you should have stuck around there was plenty of sqlcode later :-)

dean de beer said...

Hey Sheeri,

Thanks for the link. I'm busy with a client right now where database security at a table and column level needs to be implemented. I guess I was hoping for bits and bytes from the talk, that's why I was a bit disappointed.

Joshua Wright said...

Thanks for coming to our Pwned Extensible Authentication Protocol talk. We had a good time, even if the demo didn't work the first time around. It's hard to concentrate when someone is shooting Shmoo balls at your junk from a CO2-powered cannon.

I've posted the talk slides on my website at


laura said...

I was napping during the db talk dramas, but I heard about them afterwards...

Sheeri, I saw your paper submission Sat. night while we were having dinner discussing what went wrong. I think if you had stuck to what you submitted you'd have been better off.

Sheeri K. Cabral said...

Laura -- you're exactly right. I should have, and when I realized the body of material was too large, I should have taken one small part and done it, instead of generalizing more.

dean de beer said...

Hey Josh,

Yea, even with the hiccups the presentation rocked. Larry Pesce is hilarious. He almost GOT Jay Beale too. Adds to the fun. Thanks again,

dean de beer said...

hey Sheeri,

I know the dilemma of trying to choose between a focused talk or being more general with the topic. Is the whole presentation going to be posted or the one used at the con? I would like to see it.