17 February, 2008

Shmoocon 2008 Notes

I attended my third Shmoocon in a row, Shmoocon 4. As with most conferences, there were some winning talks and some that struggled. I'll have more to say about overall quality when I discuss the "0wn the Con" session. Since I find myself with a fairly fuzzy memory about specifics of talks I attended at previous Shmoocons, this post is mainly to prevent that from happening again.

I went to H1kari's talk titled "Intercepting Mobile Phone/GSM Traffic." Once again, he was talking about using FPGAs, this time to assist in breaking GSM encryption. He also had a lot of nice tidbits about weaknesses in GSM, both in implementation and design. I didn't take notes, but I seem to recall that he mentioned some broadcasts occurring in plain text and that, for some reason, the last 10 bits of the A5 key are zeroed out. (Someone correct me if I am remembering incorrectly.) H1kari talked about cracking GSM in as little as 30 seconds using 16 FPGAs and a large amount of disk space, once he finishes computing what are basically GSM rainbow tables. The rainbow tables are being computed using 68 FPGAs.
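To make the "rainbow tables plus FPGAs" idea concrete, here is an added example of my own; it is not H1kari's code and it does not implement A5/1. It is a toy time-memory trade-off over a 16-bit keyspace: the stand-in one-way function is a truncated SHA-256 of the key, and the chain length, table size, start-point spacing and reduction function are arbitrary choices made so it runs offline in well under a second. What it shares with the real attack is the structure: precompute chains of keystream, reduce, keystream, store only the endpoints, then walk an observed keystream value forward to find which chain it sits on and regenerate that chain to read off the key.

```python
"""Toy rainbow-table (time-memory trade-off) over a tiny keyspace.

Added example. `keystream()` is a stand-in for "run the cipher under this
key and emit the keystream at a known position"; it is NOT A5/1. The
keyspace is 16 bits here versus 54 effective bits for A5/1 with the
zeroed key bits, which is the only reason this finishes instantly.
"""
import hashlib

KEY_BITS = 16                   # assumption: tiny keyspace for the demo
KEY_MASK = (1 << KEY_BITS) - 1
CHAIN_LEN = 32                  # t: keystream evaluations per chain
NUM_CHAINS = 2048               # m: chains stored in the table


def keystream(key: int) -> bytes:
    """Stand-in one-way function: 8 bytes of SHA-256 over the key."""
    return hashlib.sha256(key.to_bytes(4, "big")).digest()[:8]


def reduce_fn(output: bytes, step: int) -> int:
    """Reduction R_step: map a cipher output back into the keyspace.
    Mixing the step number in is what makes this a rainbow table rather
    than a Hellman table: chains that collide at different steps do not
    merge permanently. The multiplier is an arbitrary odd constant."""
    return (int.from_bytes(output, "big") ^ (step * 0x9E3779B1)) & KEY_MASK


def build_table(seed: int = 1) -> dict:
    """Precomputation phase (the FPGA job): return {endpoint: startpoint}."""
    table = {}
    for i in range(NUM_CHAINS):
        start = (seed + i * 0x7F4A7C15) & KEY_MASK   # distinct start points
        x = start
        for step in range(CHAIN_LEN):
            x = reduce_fn(keystream(x), step)
        table.setdefault(x, start)   # on endpoint collision keep the first chain
    return table


def key_on_chain(start: int, position: int) -> int:
    """The key sitting at `position` along the chain that begins at `start`."""
    x = start
    for step in range(position):
        x = reduce_fn(keystream(x), step)
    return x


def lookup(table: dict, target_output: bytes):
    """Online phase: recover a key whose keystream equals target_output,
    or None if no stored chain covers it."""
    for k in range(CHAIN_LEN - 1, -1, -1):
        # Assume the unknown key sat at position k; walk to the chain's end.
        x = reduce_fn(target_output, k)
        for step in range(k + 1, CHAIN_LEN):
            x = reduce_fn(keystream(x), step)
        if x in table:
            # Candidate chain: regenerate it and check the key at position k.
            candidate = key_on_chain(table[x], k)
            if keystream(candidate) == target_output:
                return candidate
            # False alarm caused by a chain merge; keep scanning.
    return None


if __name__ == "__main__":
    table = build_table()
    secret = key_on_chain(1, 7)          # a key we know the table covers
    observed = keystream(secret)         # what an eavesdropper would see
    print("recovered key matches:", lookup(table, observed) == secret)
```

The precomputation is the part the 68 FPGAs are grinding through; the lookup is the online phase and costs roughly CHAIN_LEN squared over two keystream evaluations plus one table probe per position, independent of how many chains are on disk. A key that no chain covers simply returns None, which is why real tables are built with far more chains than this and why coverage, not lookup speed, is the hard part.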

He didn't really address 3G other than saying it is generally superior in terms of security when compared to GSM.

I wandered into the last few minutes of Deviant Ollam's "New Countermeasures to the Bump Key Attack". Although I didn't see enough to comment on the content of the talk, he was getting a great response from the audience and seemed like an entertaining speaker.

The keynote was supposed to be by Edward Felten of Princeton's Center for Information Technology Policy. He apparently had the flu, so one of his graduate students, J. Alex Halderman, had to stand in. Halderman did quite a good job talking about their experience auditing and exploiting voting machines, especially considering what was probably short notice. Most of the information from the talk was widely circulated by the media at one point or another. The keynotes have been consistently good at Shmoocon, so I plan on getting to the keynote at any future Shmoocon I attend.

On day two I attended "SIPing Your Network" by Humberto J. Abdelnur, Radu State and Olivier Festor. There was some very interesting technical content, including discussion of fuzzing, remote eavesdropping, crashing one particular phone using a single packet with an empty data field, and attacking HTTP-enabled phones with cross-site scripting and SQL injection. Their SIP fuzzer is called KiF.

The presenters stated that they can remotely eavesdrop by dialing an IP phone, having it pick up with no user interaction, and then leave the phone in a state where it appears that the call is hung up but the phone will still send voice data. They had technical difficulties with a demo, and really waited too long to skip the demo and push on. They lost some of the audience as a result, but other than that I thought it was a good presentation.
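The single-packet crash and the fuzzing work described above come down to what a phone's parser does with input it never expected. The following is an added example; it is not KiF and not the presenters' code. It constructs a SIP INVITE with an empty Content-Length value, feeds it to a careless parser that dies on it, and then to a strict one that rejects it and keeps running. The addresses, tags and Call-ID in the messages are made up, and since the real failure was in a phone's embedded code, the uncaught Python exception stands in for whatever fault that device hit.

```python
"""SIP request parsing: the 'empty field' packet against a careless parser
and a strict one.

Added example. Message contents are constructed, not captured.
"""

CRLF = "\r\n"

# Constructed: a normal-looking INVITE with Content-Length present but empty.
MALFORMED_INVITE = (
    "INVITE sip:2001@192.0.2.10 SIP/2.0" + CRLF
    + "Via: SIP/2.0/UDP 192.0.2.50:5060;branch=z9hG4bKabc" + CRLF
    + "From: <sip:caller@192.0.2.50>;tag=1" + CRLF
    + "To: <sip:2001@192.0.2.10>" + CRLF
    + "Call-ID: 1@192.0.2.50" + CRLF
    + "CSeq: 1 INVITE" + CRLF
    + "Content-Length:" + CRLF
    + CRLF
)

# Constructed: the same request, well formed.
WELL_FORMED_INVITE = MALFORMED_INVITE.replace("Content-Length:", "Content-Length: 0")


class SipParseError(Exception):
    """Raised by the strict parser for anything it will not accept."""


def parse_naive(raw: str) -> dict:
    """The kind of code that falls over: assumes every header line has a
    colon and every Content-Length is a number."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    method, uri, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, value = line.split(":", 1)       # ValueError on a colon-less line
        headers[name.strip().lower()] = value.strip()
    length = int(headers["content-length"])   # ValueError on an empty value
    return {"method": method, "uri": uri, "headers": headers, "body": body[:length]}


def parse_strict(raw: str, max_len: int = 65535) -> dict:
    """Validate before use: a complete header block, a three-part request
    line, a name and colon on every header, a numeric Content-Length that
    does not exceed what was received. Problems become SipParseError."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise SipParseError("no end-of-headers marker")
    lines = head.split(CRLF)
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise SipParseError("bad request line")
    method, uri, _version = parts
    headers = {}
    for n, line in enumerate(lines[1:], start=2):
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise SipParseError("malformed header on line %d" % n)
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        cl = headers["content-length"]
        if not cl.isdigit() or int(cl) > max_len:
            raise SipParseError("bad Content-Length %r" % cl)
        if int(cl) > len(body):
            raise SipParseError("Content-Length exceeds bytes received")
        body = body[:int(cl)]
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def survives(parser, raw: str) -> str:
    """Run a parser on one packet and classify the outcome:
    'ok' (parsed), 'rejected' (clean error) or 'crashed' (unhandled)."""
    try:
        parser(raw)
        return "ok"
    except SipParseError:
        return "rejected"
    except Exception:
        return "crashed"


if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("strict", parse_strict)):
        print(name, "well-formed:", survives(parser, WELL_FORMED_INVITE),
              "| empty Content-Length:", survives(parser, MALFORMED_INVITE))
```

The difference is not that the strict parser knows about this one packet; it is that every value is checked before it is used, so a fuzzer sending thousands of variants gets thousands of clean rejections instead of finding the one field nobody validated.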

At the end, the presenters, who are French, had a slide with information on their SIP fuzzer's license. The presenters indicated that, since it could be classified as an attack tool and because of French law, there are some restrictive requirements including that the license agreement has to be signed and sent in by the end user via snail-mail.

Jay Beale presented "They're Hacking Our Clients! Why are We Focusing Only on the Servers?" I didn't see any of his opinions as particularly surprising, but it was well presented and he was engaging. It did surprise me when a comment from the audience accused him of fear-mongering. At least in my experience, it is so simple to exploit clients and get internal access that there is no need for a smart attacker to write a custom exploit against locked-down servers. At this point, I agree with what I think Beale was trying to point out, which is that security has been so focused on Internet-facing servers that clients are relatively easy to exploit and leverage in an attack.

Beale talked about problems with small offices that have private information on client workstations, using the example of his dentist. This struck home for me since my friend mentioned sitting in his dentist's office once and finding their WAP wide open with the factory default administrator account and password.

During the portion of the talk devoted to the difficulty of keeping Windows clients up-to-date in an enterprise, he mentioned non-standard or non-Microsoft software and vulnerable browser plugins, Adobe Acrobat's browser plugin for example. It made me think of Richard Bejtlich's posts about thin clients. Of course, thin clients present their own problems and aren't immune to all the security problems of stand-alone desktops, but they may offer advantages by reducing the burdens that are a part of updating.

"VoIP Penetration Testing" by John Kindervag and Jason Ostrom was another interesting talk about voice over IP. The main focus of the presentation was Ostrom's VoIP Hopper, which is a nice pen-test tool that he used to show how insecure VoIP implementations can be. With Cisco VoIP phones, he showed how their default install has the PC port on the back enabled, it sends out CDP packets, and it has a sticker on it with the MAC address. Some or all of these defaults can be used along with VoIP Hopper to gain access to the VoIP VLAN.

"Advanced Protocol Fuzzing - What we learned when bringing Layer2 logic to SPIKE Land" by Enno Rey and Daniel Mende was a good example of two guys with a strong background in networking who decided to bring fuzzing into their area of expertise and share what they learned. Within a relatively short time, my impression was that they went from little experience fuzzing to customizing SPIKE, and they successfully did a live demonstration showing their ability to remotely crash a Cisco 35xx-series device. Dave Aitel already mentioned it on his DailyDave mailing list. This was pretty cool stuff, and it will be interesting to see how quickly others jump into the game.
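Both the VoIP Hopper demonstration and the layer-2 fuzzing talk turn on the same kind of data: Cisco's CDP, a type/length/value protocol sent as raw layer-2 frames. Here is an added example, written for this post and not taken from VoIP Hopper, KiF or the SPIKE scripts from the talk, that builds a CDP advertisement carrying a voice VLAN, parses it strictly, forms the 802.1Q tag a host would use to join that VLAN, and generates the length-field corruptions a layer-2 fuzzer would send. Assumptions: the CDP layout used here (version, TTL, checksum, then TLVs whose length field covers its own 4-byte header), the TLV numbers 0x0001, 0x0003, 0x0006 and 0x000e, and that a switch's CDP reply is how the phone learns its voice VLAN. The sample frame is constructed rather than captured, its checksum is left at zero, and nothing above says the talk's crash involved CDP specifically; it is used here only as a representative layer-2 protocol.

```python
"""Build, parse and mutate Cisco Discovery Protocol (CDP) payloads.

Added example. The byte layout and TLV type numbers are assumptions
stated in the lead-in; the sample frame is constructed, not captured.
"""
import struct

TLV_DEVICE_ID = 0x0001
TLV_PORT_ID = 0x0003
TLV_PLATFORM = 0x0006
TLV_VOICE_VLAN = 0x000E      # voice VLAN reply: flag byte + 16-bit VLAN id


def tlv(t: int, value: bytes) -> bytes:
    """One TLV; the length field counts its own 4-byte header."""
    return struct.pack("!HH", t, 4 + len(value)) + value


def build_cdp(device_id: bytes, port_id: bytes, platform: bytes, voice_vlan: int) -> bytes:
    """Assemble the payload a switch would advertise to an attached phone.
    Version 2, TTL 180 s, checksum left zero (assumption for the demo)."""
    body = (tlv(TLV_DEVICE_ID, device_id)
            + tlv(TLV_PORT_ID, port_id)
            + tlv(TLV_PLATFORM, platform)
            + tlv(TLV_VOICE_VLAN, b"\x01" + struct.pack("!H", voice_vlan)))
    return struct.pack("!BBH", 2, 180, 0) + body


def parse_cdp(payload: bytes) -> dict:
    """Strict TLV walk: every length is checked against the bytes present
    before it is trusted, so a corrupted length becomes ValueError."""
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    version, ttl, _csum = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "ttl": ttl}
    off = 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % off)
        t, length = struct.unpack("!HH", payload[off:off + 4])
        if length < 4 or off + length > len(payload):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        value = payload[off + 4:off + length]
        if t == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif t == TLV_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        elif t == TLV_VOICE_VLAN and len(value) == 3:
            info["voice_vlan"] = struct.unpack("!H", value[1:])[0]
        off += length
    return info


def dot1q_tag(vlan: int, prio: int = 5) -> bytes:
    """The 4-byte 802.1Q tag (TPID 0x8100, PCP, VID) a host inserts after
    the source MAC to put its frames onto the voice VLAN it just learned."""
    return struct.pack("!HH", 0x8100, (prio << 13) | (vlan & 0x0FFF))


def length_mutations(payload: bytes):
    """Layer-2 fuzz cases in the SPIKE spirit: keep the frame intact and
    corrupt one TLV length field at a time (zero, below the header size,
    maximum, one too long, one too short)."""
    off = 4
    while off + 4 <= len(payload):
        _t, length = struct.unpack("!HH", payload[off:off + 4])
        if length < 4:
            break
        for bad in (0, 3, 0xFFFF, length + 1, length - 1):
            yield payload[:off + 2] + struct.pack("!H", bad) + payload[off + 4:]
        off += length


if __name__ == "__main__":
    frame = build_cdp(b"access-sw01", b"FastEthernet0/1", b"cisco switch (constructed)", 200)
    info = parse_cdp(frame)
    print(info)
    print("802.1Q tag for the voice VLAN:", dot1q_tag(info["voice_vlan"]).hex())
    for m in length_mutations(frame):
        try:
            parse_cdp(m)
        except ValueError as e:
            print("rejected:", e)
```

The parse-then-tag half is the VoIP Hopper story in miniature: the voice VLAN id is handed to anyone on the PC port who listens, and the tag is all a host needs to send into it. The mutation half is the fuzzing story: a strict parser answers every corrupted length with a clean error, and a device that does anything else with those same bytes is the one that ends up on DailyDave.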

"0wn the Con" with the Shmoo Group is a talk they have every year that discusses their finances, selection process for talks, methods of collaboration, and more. They also took a lot of feedback from the audience. The main thing I want to point out is that it is really hard to get both consistently good presentations and not rely on the same few presenters every year. Shmoo doesn't want the same old thing, but they want good talks, so it is a difficult balance between risk and reliability. I would say the talks are inconsistent in quality, but it is worth it in my opinion to prevent the talks or presenters from being stale, or having too many repeats from other conferences.

One funny thing is that it took this long for someone to suggest making electronic feedback forms available on the Shmoocon website for each talk. Four years into it, and finally someone has the brilliant idea that people should be able to provide feedback from their laptops while they're listening to the talk instead of using a pen and paper and turning it in at the end of the conference. D'oh!
