OK, first word that comes to mind is INSPIRING. I cant wait to get home and really dig into some ideas that i have and hopefully break stuff. Maybe its exciting in academia when people present papers on new and interesting research but i dont think that beats seeing the first public demo of some new 0wnage technique that will be getting talked about for the next few weeks, maybe but i doubt it.
I have decided that i think the people that talk at these cons continue to do such great work BECAUSE they talk at these cons. I am sure there are some other factors like drive, determination and just being really really smart but being around the tons and tons of great minds and the great atmosphere at most of the cons really inspires me (and i am sure others) to continue to research or just to work on your fu.
If you havent gone to a security con, i highly recommend going even if you have to go alone because you always meet new people who are (generally) like-minded. how many parties can you go to as a security or computer dude and have pretty much everyone at the party be interested in what you are interested in? its great stuff. tonight (after the talks) people were splitting their time between hack or halo and the hack challenge that applied security had set up and plenty of booze and mingling. I unfortunately am packing because i have a plane to catch...yeah big
face.
even the smaller cons will give you a sense of the atmosphere and should inspire you to really keep doing what you are doing and trying to learn everything you can. Again, its something, as a security professional (or striving security professionals) you can do for growth as well as networking.
last thought before i get into the talks i went to, is that this con reinforced my belief that you need to be able to code to be a good innovative security professional. I'll probably start the code or not to code war again but all the people really giving great talks on attacks relied on their coding skills to pull together their concepts into working attacks or at a minimum you would need to code or alter some code to get an attack to work. so if you are wondering if you should devote some study time to learning some sort of programming language the answer is yes. what language, well who knows... that can really be a debate.
ok on with the talks...
the metro got me to the con a bit late so i couldnt even squeeze into Simple Nomad's talk so i sat in on Ofir Arkins's Bypassing NAC systems (part 2). he had given some talks on the subject previously so he just talked more about it pretty good but i only caught the end of it. i did see him speak at Blackhat and Defcon years ago on Xprobe and i remember them being really good talks his NAC one seemed like it was good and people talking outside after seemed to think it was good.
Matt Fisher, Cygnus and PresMike
Web Application Incident Preparation:
*great talk on the differences between traditional incident response and web application incident response. huge issues arise because typically there isnt anything left on the victim box to analyze. you are usually stuck with just log files and have to determine if any data egressed your network or site and to what extent and what type of data that was. they discussed the different types of logging and what to log for your web apps; web server logs, sql logs, os logs, the application logs, etc. they also went over things to do to try to help tune your IDS to catch web app attacks like creating a dummy database whose data should never be traveling across the network unless someone is dumping you whole database in an attack. Really good talk.
All three of the talks after lunch looked good but i went with
Billy Hoffman
JavaScript Malware for a Grey Goo Tomorrow:
*Billy Hoffman works for SpiDynamics
http://www.spidynamics.com/ and those guys are cranking out great research in the web app field. he talked about some of the nasty things you can do with javascript and ajax. big topics were using jikto and XSS to hop hosts with your attacks (something that previously wasnt possible) really great info.
next talk was
Michael Schearer
The Church of WiFi presents: A Hacker in Iraq:
*decent talk about a navy EW guy's time in iraq. mostly dealt with IEDs and what we are doing to address the threat in iraq
next talk
PresMike and Cygnus
Targeted Network Attacks:
*good talk on how an attacker who wanted to target an organization would go about doing it. good stuff on targeting users, getting malware into the organization, and methods for allowing the desired information out of the network and back to the attacker. started a bit slow and a bunch of people left but ended up being really good.
next...
Dan Kaminsky
Weaponizing Noam Chomsky, or Hacking with Pattern Languages
*ok if Dan Kaminsky is talking you have to listen and most of the con crammed into the smallest room to listen and it was worth it even if it wasnt about DNS
last talk i attended
Chris Paget
WPAD: Proxy Attack
* WPAD is Web Proxy Auto Disocvery Protocol (
http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol) Basically with WPAD is that MS browsers if you have the automatically detect proxy settings the browser will send a request for a wpad file which is basically the proxy list, normally this would be ok if you run everything on your network thru a proxy BUT if you dont this could be an issue because if the attack works, now everything on your network is now going thru a proxy that you dont control :-(
he discussed attack vectors and fixes. gave some great demos using a wpad tool that he wrote that will track which IP's are looking for the wpad file after you send the attack and he also demoed a hack proxy tool that would act as the man in the middle and did some really wicked stuff like forging SSL certs, forcing the browser to authenticate in plain text or forcing the browser to authenticate with NTLMv1 which can be cracked...whoo hoo. supposedly releasing the wpad tool but not the hackproxy tool on the ioactive.com site.
well thats it, hopefully people got something out of the recap. a little more info can be found on the speak bios:
http://www.shmoocon.org/speakers.html& shmoocon says they will be posting the presentations and video at some point so it should be worth your time to go back and check it out.
thanks again to Don for sending me and if anyone is planning on going next year, buy your tickets early!
Network Pen Testing : Firecat 1.4
