Shmoocon 2009 Day 1

The next three posts will contain my notes from Shmoocon. This post contains notes from each session I attended on day 1. I’m not trying to necessarily reconstruct the notes into a coherent thought. Hopefully it will be somewhat readable.
Opening Remarks
by Bruce Potter
People are getting owned a lot.
Trends

  • Increased success in getting past our defenses
  • Increasingly malicious motivations. The bad guys aren’t after web defacements
  • In spite of the above, we haven’t changed our methods. Its a lot of the same
  • Spear phishing and drive-bys are unabated.

What we have is a Maginot line…in depth
Of 66 million websites indexed by Google, 5 percent had drivebys.
These sites with drivebys weren’t just the risky underbelly of the web. It was every category of website. I don’t think that is surprising to anyone who has paid attention to security.
These findings were published last year in in USENIX.
The malicious content on these sites was then scanned using three top Antivirus vendors. The best detection rate among these three vendors was only 75%. The worst was 30%. These are untargeted attacks. Imagine the ability of an attack targeted at your organization to cut through your antivirus defenses.
So What do you do?
NAC? Most people don’t have that deployed even if they’ve bought it.
Firewall Internally?
Token authentication?
Change jobs?
Digging ourselves out
As with most security talks and papers I felt like a solution wasn’t really there. Fixing fundamental problems. I’m not sure if Bruce defined this. If he means teach everyone to code securely, then burn to the ground existing software and start over. Well, keep waiting for that.

The other talks on day one were quick 25 minute talks, I didn’t always have notes.
Open Vulture – Scavenging the Friendly Skies
Open Source UAV Platform
Ethan O’Toole and Matt David
I didn’t take a lot of notes on this one. The talk was put together fine. It pointed out the existing/competing projects and how they were different.
Building the 2008/2009 ShmooBall Launchers
by Larry Pesce and David Lauer
When building a pressure based launcher, you’ll have problems with PVC tubing not being rated for the PSI.
The Day Spam Stopped (The Srizbi Botnet Takedown)
by Julia Wolf
We all know about McColo being taken offline in November and the corresponding drop in spam rates.
The bad guys lost their command and control of the botnet when McColo was taken down. The good guys figured out how the botnet was selecting the hostname/domain name used in the backup. (The exact math of that is probably available at blog.fireeye.com or look for the slides when available on the Shmoocon website). By registering those domain names they prevented the bad guys from regaining control.
Under U.S. law they felt they could not send out a “uninstall” command to the botnet army. It would also be risky since the botnet is in kernel and you could potentially BSOD the clients.
No one asked about the return of spam that has been reported in January. Is that other botnets taking up the slack? I thought I had heard that a Spanish ISP had brought the badguys ASN back online briefly allowing them to regain control.
Automated Mapping of Large Binary Objects
by Greg Conti, Ben Sangster, and Roy Ragsdale.
The goal of this project is to accurately identify regions in an arbitrary binary object.
Typically you would use a hex editor and a lot of elbow grease. This is trying to automate that, even to the point of identifying one type of encryption versus another.
I found the talk interesting. When you’re doing manual static analysis of files, this could come in handy.
Decoding the Smartkey
by Shane Lawson
Quickset Smartkey attempts to allow the consumer to rekey their lock without removing it from the door. It is also resistant to bumpkeying. Here is a video from Quickset on how to rekey.
Unfortunately, as this talk demonstrates, because of the technology used to allow rekeying it is possible to determine key height compromising the lock.