Back from ShmooCon ’07

I’ve been traveling the past couple of weeks and my last stop was ShmooCon at the Wardman Marriott in DC. I arrived early on Thursday and not many people were around, so I met with folks who had responded to my blog and were participating in the ShmooCon Labs. The ShmooCon Labs used the old concept of setting up a network with vendor-supplied gear and letting attendees pay extra ($50) to work on it. This gives attendees some exposure to vendor products and lets them learn how to configure and implement them in a realistic fashion.

I didn’t pay to get in, but while standing nearby I participated in a discussion of reliably capturing IPv6 packets. The ShmooCon Labs IDS captured all traffic that crossed the network through a SPAN port on one of the Cisco switches, and IPv6 was a major concern. The original idea was to just leave tcpdump running and have it write out to a single file. I thought that was somewhat odd, since the file size could get out of hand and make data management and parsing a problem. I recommended tshark, which offers the ability to split capture files by size; after a little while we had it working and files were being split correctly.
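The size-split tshark capture we ended up with, written out as an added example (not code from the original post); the interface name, output prefix and size limit are assumptions, and the check function is my own addition for confirming the rotation actually happened:

```shell
#!/bin/sh
# Added example, not code from the original post. Captures IPv6 traffic from
# a SPAN-port interface with tshark, rotating the output file by size so no
# single pcap grows out of hand, then checks that rotation actually happened.
# Interface name, output prefix and size limit are assumptions.

# Print the tshark command line so it can be reviewed before it runs.
# "-b filesize:N" makes tshark start a new file once N kB have been written
# (requires -w); "-f ip6" is a pcap capture filter keeping only IPv6 frames.
capture_cmd() {
  iface="$1"; prefix="$2"; size_kb="$3"
  printf 'tshark -i %s -n -f ip6 -b filesize:%s -w %s\n' \
    "$iface" "$size_kb" "$prefix"
}

# Start the capture in the background and record its PID so it can be
# stopped cleanly later with: kill "$(cat prefix.pid)"
start_capture() {
  iface="$1"; prefix="$2"; size_kb="$3"
  tshark -i "$iface" -n -f ip6 -b filesize:"$size_kb" -w "$prefix" &
  echo $! > "$prefix.pid"
}

# Verify rotation: every capture file under the prefix must be at most
# size_kb kB plus one frame of slack (tshark finishes the packet in hand
# before switching files). Returns 0 if all files fit, 1 if any is oversized.
check_split() {
  prefix="$1"; size_kb="$2"
  limit=$(( size_kb * 1024 + 65536 ))
  bad=0
  for f in "$prefix"*; do
    [ -f "$f" ] || continue
    case "$f" in *.pid) continue ;; esac
    bytes=$(wc -c < "$f" | tr -d ' ')
    if [ "$bytes" -gt "$limit" ]; then
      echo "oversized capture file: $f ($bytes bytes)" >&2
      bad=1
    fi
  done
  return "$bad"
}
```

Run `check_split /path/to/prefix 102400` periodically (or from cron) to catch a capture that has stopped rotating before the disk fills.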

Friday

Friday consisted of eight thirty-minute presentations all in a row. Seating was somewhat limited, so grabbing a better seat as speeches started and stopped was a must. H1kari (Dave Hulton) from OpenCiphers presented on “Hacking the Airwaves with FPGAs”. Dave gave a great presentation showing that off-loading repetitive tasks to FPGAs tremendously speeds up processing. FPGAs are nothing new, but having them on a PCMCIA or ExpressCard is. Sounds great, huh? The median price range seems to be around $2K, nothing too expensive for a motivated or sponsored attacker.

The next topic, by Adair Collins and Eoin Miller (pronounced Owen), covered Cachedump. This seems to be a huge problem in a number of organizations because employees take their laptops home. The problem is that once someone has logged into a laptop, credentials are cached so the user can log in at home, away from the network. The problem exists for admin and domain admin accounts as well, and extends to any application that uses winlogon.dll (everything). What it came down to is: either disable cached credentials across the board via group policy and cause a large inconvenience to your users, or leave caching enabled and change some registry values once the user logs in (removing local admin and some other things). Adair and Eoin have a VBS script that they wrote which helps automate some of these tasks.

The next presentation I attended was Johnny Long’s talk on “No-Tech Hacking”. If you haven’t caught any podcasts or presentations by Johnny, you should; he’s hilarious. His presentation went over what you can find out about a person by taking pictures of people and their belongings, sometimes by asking, sometimes not. Another point covered was dumpster looking without ever “diving”: a large number of employees never even know a shredding bin exists and find it easier to just throw away sensitive information at their desk instead of getting up. He also showed a video of how easy it is to get past a guarded gate.

Friday evening a Podcasters/Bloggers meet up took place at Chipotle. Maybe 30 or 40 people were there, completely filling the place with a lot of great conversations.

Saturday

In the morning I skipped between two talks: Simple Nomad’s “Hacker Potpourri” and Ofir Arkin’s presentation on “Bypass NAC Systems (Part II)”. Simple Nomad went over a large variety of topics, all very clever, and Ofir elaborated on how everything used within a NAC system can be spoofed easily. Since this post is getting lengthy, I won’t expand on Ofir’s presentation, but details can be found here. Basically, unplug a printer and go.

The 1300 hour talks were very popular. Billy Hoffman from SPI was going to release his Jikto tool, but made the decision not to do so, since the tool could only be used for harmful activities. He went on to demo what he wrote, and I believe not releasing the tool was a good idea.

Matt Franz was mentioned (for 2003 BGP fuzzing) during the 1400 presentation by Raven on “Backbone Fuzzing”. She elaborated on how bugs are still being found in critical network infrastructure devices and how many new technologies probably have more. She’s looking to build a team of coders to help “raise the bar” on these types of network protocols and devices.

Seth Fogie’s presentation on Windows Mobile software was interesting; it’s amazing how many holes a handset has and how many attacks can be carried out against it. My intention in attending was to get some insight into embedded devices that use a similar OS/firmware. Afterwards I asked Seth if he had any experience with such devices, but his knowledge only covered mobile handsets.

Dan Kaminsky talked about the Chomsky hierarchy, which resembled an S4 presentation by Nate Kube from Wurldtech. Dan’s talk expanded on how humans remember information according to its level of importance, for example a person’s name. He made points that had the entire room scratching their heads, but overall it was one of my favorites.

The last talk of the day I attended was “Extensible 802.11 Packet Flinging” by Josh Wright and Mike Kershaw. Josh has authored many popular tools, one being coWPAtty (WPA cracker), and Mike wrote and maintains the famous Kismet. They presented a new framework, LORCON, which simplifies the driver nightmares most have experienced at one point in time on the Linux platform. It also simplifies development and usage of other apps that use wireless hardware.

Saturday evening I sat in and watched the Pauldotcom folks record their episode 64 podcast, a great group of talented guys who made a show without even a topic list. I frequently listen to their show and it was great to finally meet them in person.

Sunday

Sunday I only attended part of one talk, Adam Laurie’s “RFIDiots”. He performed a number of demonstrations on stage of the problems with RFID; I wish I could have watched the entire thing.

Overall, out of all the conferences (cons) I’ve attended, this has been my favorite. I will attend next year and in years to come if the quality remains the same.

1 comment to Back from ShmooCon ’07

  • ab3a

    Open up a Mouser, Allied, Digi-Key, or any other major part supplier catalog, and you will find all sorts of engineering kits for embedded RF platforms of one sort or another.

    All it takes to hack these lovely RFID or “wireless protocol” systems is a bit of embedded programming skill.

    And if that’s not enough for you, there are amateur radio groups actively designing high performance software defined radios. If you know a bit about DSP, you’re ready to rock and roll all over someone’s ISM band goodie.

    The new “wireless” stuff is pretty damned cool, but let’s not forget who makes this stuff and how it gets to market. It is not secure. It probably never will be as secure as any wired solution.
