Shmoocon 2008 Day 1

I’m down at Shmoocon this weekend. I’ve been to two of the four Shmoocons. Apparently I only go on even years.
Here are some notes. This is probably going to be even less coherent than usual as it's getting late and I need to be back down there tomorrow.

David Hulton, “Intercepting GSM Traffic”

As I understood it, this talk described a “known plain text” attack on the session key between a GSM phone and the tower. It still requires massive computational power, although the hardware and time cost is much lower for this attack than for other previous attacks. The solution will probably be more networks switching to 3G.

David Smith, Forensic Image Analysis to Recover Passwords

This talk described his attempt to recover passwords from core dumps, swap, memory dumps, logs, deleted temp files, slack space and internal history.
He is currently working in Perl on a tool that searches for strings of a certain length and then gives each one an entropy score.
An audience member suggested starting with a clean OS image to easily rule out the OS files from the gathered strings.
In terms of defenses, I would start with not saving passwords in easily reversible forms (a browser saving passwords, for example). Next, I would consider wiping the free space. Full disk encryption would be the best defense, assuming you don't get caught while the computer is booted.
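
The string-and-entropy approach from the notes above, including the audience suggestion of a clean-image baseline, shown in Python as an added example; it is not David Smith's Perl tool. The length window, entropy threshold, no-whitespace assumption and sample bytes are all assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Assumed length window; the notes only say "strings of a certain length".
MIN_LEN, MAX_LEN = 8, 32
# Runs of printable, non-space ASCII (assumes secrets contain no whitespace).
PRINTABLE_RUN = re.compile(rb"[\x21-\x7e]{%d,}" % MIN_LEN)

def shannon_entropy(s):
    """Bits per character, from the string's own character frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def extract_strings(blob):
    """Unique printable runs of MIN_LEN..MAX_LEN bytes found in a raw image."""
    return {m.group().decode("ascii")
            for m in PRINTABLE_RUN.finditer(blob)
            if len(m.group()) <= MAX_LEN}

def rank_candidates(image, clean_baseline=b"", min_entropy=3.0):
    """Strings in the image but not in the clean-OS baseline, highest entropy first."""
    candidates = extract_strings(image) - extract_strings(clean_baseline)
    scored = ((shannon_entropy(s), s) for s in candidates)
    return sorted((pair for pair in scored if pair[0] >= min_entropy), reverse=True)

# Constructed sample data: a fake clean-OS blob and a fake memory dump built on it.
CLEAN = b"\x00\x00/usr/lib/libcrypto.so\x00LANG=en_US.UTF-8\x00\x7fELF\x01\x01"
DUMP = (CLEAN + b"\x00\x13AAAAAAAAAAAA\x00user=alice\x00\x02"
        + b"tR7#kQ9!vLx2\x00\xff\xfehttp://intranet/\x00")

if __name__ == "__main__":
    for score, text in rank_candidates(DUMP, CLEAN):
        print(f"{score:.3f}  {text}")
```

On the constructed data the baseline matters: without it, `LANG=en_US.UTF-8` outscores the password-like string, because per-string entropy on short strings is only a ranking aid.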

Syn Phishus, Unauthorized phishing exercise

This is the talk I was most looking forward to. Syn, as a security contractor, decided to phish the computer security department (consisting of 200 employees). He created a phishing campaign announcing the company's ID theft insurance vendor signup. If users clicked on the link in the email, they were prompted to log in using domain credentials. If they hit submit or cancel, they were counseled not to be so dang gullible.
The goals for this project were to raise security awareness, demonstrate that policies require enforcement and education, get corporate communications to sign their email and create a service the company could sell. He didn’t tell anyone before doing it. He didn’t want anyone else to take the risk. He tried to make it easy for IT security to respond by putting information in the comments on the phishing site, and by using a computer connected to the corporate VPN for his phishing attack.
As you might expect, this did not go over well with his company. Doing something like this is definitely a career limiting event. You should always have a get out of jail free card, that is, something in writing authorizing you.
Edited to remove incorrect assumption about Syn and another phishing venture. Sorry about that.

Deral Heiland, Web Portals

This talk was about a pentest facilitated by the company’s internet portal.
Portals provide easy access to corporate data. They can also be huge threats to the internal network.
The problem with this particular (unspecified) portal is twofold. One, it accepted unauthenticated traffic, and two, the portal had full access to the network. The portal accepted and processed GET requests, so you could create a query to the portal that would have it open a website on the internal network. By trying common internal address space, you could find anything running a webserver. This ranged from printers and Compaq Lights-Out boards to network equipment and the SAN administration interface. Bad news for the company if a hacker had uncovered this.
This is why they should have required strong authentication for everything on that server. The server should also have been filtered from internal access so that only required services could be accessed. A layer 7 firewall could have prevented the portal from being exploited as well.

Isaac Mathis, Hacking the Samurai Spirit

This was actually an interesting talk about how differences in culture influence security.

Deviant Ollam, Latest News on Bump Key Attacks

This was fairly routine for anyone who is up on bump keys.
Anti-bumping technology is starting to make its way into common consumer-level locksets. Master Lock and Kwikset appear to be gearing up to sell consumers on this added protection.

2 Comments

  1. Correction: Syn Phishus has NO association with PhishMe.com.
    BTW if you want to meet the PhishMe guys, some of us are speaking “Forced Internet Condom” and the rest uhh just listening

  2. Sorry about that, I’ll correct that above. Obviously I made a bad assumption.
    I was at one of the other talks during the “Forced Internet Condom” talk. Personally I kind of like Ma and Pa Kettle not having NetBIOS ports open. They shouldn’t be able to send mail over port 25 either. If/when the video is posted, I’ll check that out to get the opposing opinion.
