Title: Paranoids Year: 2019 Location: ToorCon 21, San Diego, CA Download Archive .TIFF (Scanned @ 600dpi)
Background: See: https://www.yahooinc.com/technology/paranoids
Title: Toorcon (big) Download Archive .TIFF (Scanned @ 600dpi)
Background: See: https://toorcon.net/
Title: Toorcon (small) Download Archive .TIFF (Scanned @ 600dpi)
Background: See: https://toorcon.net/
downtown San Diego's Gaslamp District has the most wonderful architecture
The Rise of the Fall Conferences
This past month, I had the privilege of attending a few excellent cons: the inaugural DerbyCon in Louisville and Toorcon 13 in San Diego.
DerbyCon saw about 1000 people show up at the Hyatt Regency in downtown Louisville, which is pretty impressive for a first-year con. The organizers lined up some well-known speakers like HD Moore and Kevin Mitnick and ran several tracks for most of the weekend, with a wide variety of talks available.
ToorCon continues to remain small while offering a high level of quality in terms of talks and events.
Both conferences were well-run and featured some very interesting talks and ideas.
DerbyCon
Friday at DerbyCon featured most of their well-known speakers. While some of the talks had some interesting ideas, namely HD Moore's discussion of WarVox and what you could do with it when testing phone systems or the like, quite a few talks seemed rehashes of old pentesting war stories or reiterations of the same infosec mantras we've been repeating for nearly a decade.
Dave Kennedy and Kevin Mitnick had some slick social engineering techniques on display in their talk entitled Adaptive Penetration Testing, and they're great storytellers. I wish they had spent a little more time on discussing what makes their method adaptive and what it is they're doing that others are not (apart from having the budget to spend the kind of time they did).
Saturday and Sunday offered three tracks with different talks, with plenty of options. Several folks talked about the Android application security model and what sorts of things Android malware can do. Hint: Android seems to have replaced Symbian as the worldwide platform of choice for malware authors. One speaker discussed some interesting client-side attacks, like some cross-site scripting errors in the Skype client. A few talks, like the one from the guys at Pauldotcom, took a somewhat humorous approach to either defensive countermeasures or forensic investigations. Discuss with your lawyer before attempting any of those.
ToorCon
ToorCon is always a blast. Speaking there is great: the organizers are super and the audience is fun. The Friday seminars had some interesting topics.
I won't repeat what Dave Russell wrote, but the folks from Tactical Intelligence had some very interesting and challenging ideas about how a client could deliberately mislead security auditors or assessors with some clever social engineering techniques.
In fact, clever social engineering techniques made several appearances in various guises at ToorCon this year. One presenter talked about how she uses reconnaissance techniques entirely familiar to penetration testing and social engineering to find optimal clients for her cooking and catering business.
Perhaps unsurprisingly, someone set up a few free phone charging stations in the hallway outside the main rooms. What was surprising is that con attendees actually connected their phones to these devices (as they did at DefCon). I'm not sure what would possess someone to do so at an event like this, but it made for a few interesting data points about juice jacking in the relevant talk.
One speaker made an interesting point about cryptography: despite the fact that crypto is essentially 3000 years old, everything prior to 1977 is broken. Thus, modern or "strong" crypto is less than 40 years old, and is, in his words, just not broken yet. Looking at the trickery involved in good key management, using cryptographically sound pseudo-random number generators (CSPRNGs), and how performance trade-offs often hobble the effectiveness of cryptosystems, it's not hard to see that most crypto available today has some essentially endemic flaw and that, if we're trying to keep things encrypted such that our grandchildren can't read them, existing implementations will probably not aid us. Sobering stuff, that.
Anyhow, I can't recommend ToorCon highly enough, and DerbyCon is shaping up to be a really excellent event. You may want to carve out room in your calendar for both of them.
A Take on Toorcon 13
As the security conference season winds down for the year, I have become increasingly impressed with Toorcon. Never mind the fact that both my colleague Jacob Ansari and I both spoke this year; the conference itself is probably one of the best bang-for-the-buck conferences available right now.
As always, the first day (Friday - I am glossing over the hands-on workshop prior to this) is seminars. Seminars are 70-minute slots that really have more of a "business conference" feel to them and are intended to provide at least some degree of training. Everything from compliance to exploitation is discussed in these events. This year, two presentations in particular caught my interest.
The first was from Chris Elisan and covered the much-ballyhooed Advanced Persistent Threat (APT). Typically, such a presentation makes me a bit suspect, as APT has been glommed on to as a great MBM - Management By Magazine - term. I don't find many people who can define it particularly well. Chris did a great job explaining the components of an APT, how they fit together, and talked about some of the "solutions" for those people who don't want to pay the big bucks to sign up with your local crime syndicate.
The other was from two guys whose business, at least in part, is built around social engineering your way out of PCI hell. As PCI QSAs, both Jacob and I were interested in this, and a fair amount of it made us laugh (or cringe). A lot of the comments made throughout I could definitely see working on lesser-experienced or corner-cutting assessors, but I like to think I'd be wise to them. :) That said, there were a few "wow" moments people may not have considered - for example, make sure you double-check that those badge-access locks on the doors actually WORK.
Of course, Jacob's talk on transparent data encryption was excellent, and was very well received, too. I always think the mark of a good presentation is the amount of thought-provoking questions asked afterward, and Jacob's presentation did not disappoint!
The remainder of the conference was more typical. Saturday consisted of 50-minute presentations and covered a variety of topics. The EFF brought a lawyer (Hanni Fakhoury) on stage to talk about digital evidence and the frightening interpretation of certain laws, and what impact it has on even us law-abiding citizens.
Dan Kaminsky, as only he can do, had a free-form discussion around the current state of the information security industry that began with a great story about the pain of wire transferring a few hundred dollars to a friend in need. The discussion evolved into a central theme: challenge existing theories about what makes for good information security policy and what works to secure our systems. According to Kaminsky, those of us with a stake in making things better need to keep at it and actually develop REAL solutions for protecting our data, yet still make things usable, since there should be no reason for it to take three hours to wire a small sum of money to another party. The solutions our industry has come up with - better passwords, development methodologies and education - have been insufficient thus far.
Another presentation went into the speed that .NET applications can be hacked, and that really there is not a ton we can do about it. It's not a new problem to be sure, but some of the tools available to do this now make it far more accessible. Oh, and for the record, obfuscation isn't going to help. Obfuscation may make a company feel better as far as protecting their intellectual property, but obfuscation techniques are nothing more than minor speed bumps to reverse engineering and modifying code.
On Sunday, the standout talk (aside from mine on fgdump3!) was the opener: "In a Gadda da Vida". Not knowing much about the presentation prior, expectations were a bit low, but Josh absolutely blew the doors off of the place and showed how Shodan and some basics can be used to gain terrifying access to CDMA-enabled devices. SCADA, "Amber Alert" signs, CDMA-to-phone/IP devices, none escaped the analysis, and it was absolutely amazing. Now, I'm not quite as brave as Josh (I wonder if anyone interesting will pay him a visit), but it got me really excited about old-school hacking techniques again. It's just a shame they still work.
I'm looking at alternatives to Defcon after next year, as I feel the conference has simply become too unwieldy to have really personal and direct conversations with one's peers. Toorcon is at the top of my list right now, and I'm hearing more and more of that from people. It's definitely one I would strongly recommend - not to mention, San Diego is quite wonderful in October. :)