Wednesday, February 18, 2009

Shmoocon Roundup

Shmoocon has to be my favorite computer security conference. Everyone's actually happy smart and nice which is amazing. As far as the content goes, you see a lot of work in progress, and initial findings which is a plus. Many of these talks will probably be polished up and the final product displayed in August when Defcon rolls around, but here you can get a rough snapshot of where the security community will be going in the next 6 months or so.

Then there's the Shmoo staff who as one person put it, is the only hacker group nobody hates, which says a lot. They really do their best to make the conference accessible, and ensure the conference helps the security community as a whole.

As far as the talks go, here is my take on the ones that stood out

Building an All-Channel Bluetooth Monitor by Michael Ossmann and Dominic Spill
  • This was the rockstar talk in my opinion. I've done a lot of wireless security, and the lack of tools to audit bluetooth has always worried me. Not currently exploitable, and secure are two different things. My worry is that someone will come out with an exploit against bluetooth and there is going to be trauma when it happens, (or worse yet we won't have the ability to effectively audit or protect against it). This research, (done by the good guys), is helpful since hopefully it will allow us to discover and fix the vulnerabilities before malicious attackers do. Furthermore, I'm playing around with GNU software defined radio right now so this talk was a double dose of amazing.
  • I was really impressed by their research, and their willingness to try live demos as well.

Automated Mapping of Large Binary Objects by Greg Conti, Ben Sangster and Roy Ragsdale

  • We really need this to help speed up the initial analysis phase of forensics investigations. By quickly identifying files of interest regardless of the file extensions or file headers, this will have a huge impact on the time it takes to analyze a hard drive.
  • From the talk it looks like the tool still falls pretty much into the proof of concept phase, but I downloaded it and look forward to playing with it. Hopefully I'm wrong about the tool's maturity, but even if I'm not this is certainly something I would like to see maintained and improved.
  • They also have a network visualization tool on their website, rumint which looks promising as well.

Building Wireless Sensor Hardware and Software by Travis Goodspeed and Joshua Gourneau

  • I watched this talk after shmoocon via a video I purchased from media archives.
  • Good technical data, and one of their implementation, (belt buckle) lost one of the creators his virginity. That's quality applied research right there ;)
  • I'm glad I bought this talk since it is one of those that I'll probably need to watch two or three more times to feel like I have a handle of the different points they are making. The short roundup though is they provided a lot of DIY info on how to build your own wireless devices.

802.11 ObgYn or "Spread Your Spectrum" by Rick Farina

  • Two thirds of this talk were very good. I could have done without the part on wireless IDS's though
  • Part of it made me wince, because I've been in conversations before where people said that "We aren't using the 802.11 spectrum so we are secure".
  • I'm so happy I bought that Ubiquity wireless card a few years ago since the tools were designed for it. I'm looking forward to doing some new wardriving with it.

Storming the Ivy Tower: How to Hack Your Way into Academia by Sandy Clark

  • I was kind of annoyed by the focus on Ivy League universities. Yes, part of it is because I'm going to a state school myself, but it's also a class thing. I think people's accomplishments should be based on what they do, not where they are from.
  • I also wished that they had spent some time talking about the ethical issues of doing hacking research at college.
  • That being said, there was some good advice for all those people out there looking at getting back to college.

Sunday I didn't really see that much. I had my presentation in the morning and then spent most of the rest of the day hanging out and talking with other people. I can't recommend that enough as I made a lot of good contacts and got the chance to have detailed discussions with people who have a lot more applied knowledge than I do. I really wish I could clone myself as I was constantly balancing the desire to see the presentations, participate in the contests, and meet new people. In short, I had a great time. My only problem is that there's a lot of different tools and techniques I want to play around with now so there goes my free time...

Sunday, February 15, 2009

We do not take a trip. The trip takes us.

Finally back from Shmoocon and Washington D.C. I had an absolute blast and now I'm ready to get back to work. While there's a lot I want to talk about regarding the Con and some of the other research going on, I'll save that for my next post. I finally got a chance to sit down and watch my own presentation on rainbow tables, and there are a couple of things I'd like to add.
  1. The real focus on this research is to help law enforcement. Ideally I see a central agency who has the spare computer power generating rainbow tables containing very complex word mangling rules and large dictionary files. They would then distribute these tables to state and local agencies who don't have the resources to do much in the way of password cracking. This way these local agencies can cheaply crack a large number of passwords without having to invest in the resources to do so. Now this won't help with salted files, but in instances where the bad guy uses the same password on both their local computer and their encrypted file it would help out.
  2. The MsCache hashes are salted with the username "Administrator". The oracle hashes are salted with the username "SYS".
  3. It looks like I'm going to be able to get more storage space, so expect some of the other tables I talked about showing up online soon.
  4. If you download a table, make sure you also download the associated dictionary file and rules file. I really should have labeled everything better, but in the short term if there is any confusion, just check the config file and it will say which dictionary/rule file is required.
  5. I can't believe I made a joke about Paris Hilton in front of everyone. There goes me showing this talk to my parents...
  6. Truthfully, if you have any suggestions or comments, please let me know and I'll see what I can do
  7. Yes, I'll try to write up some additional documentation.
  8. I apologize to everyone I talked to after the presentation. When I speak in front of people it scares the living daylights out of me, and it takes me a bit to go back to normal afterwards.
  9. To the person asking about using the GPU to speed up the hashing, yes I think it can be done, but there are a lot of tricky issues with rainbow tables since you can't parallelize the creation of an individual chain. The question then becomes can your parallelize your IndexToPlain function to keep up with creating enough hash requests to make the GPU efficient.