Sunday, February 06, 2005

Shmoocon Day Two

Here are a few impressions of the talks I saw during the second day of Shmoocon in Washington, DC.

The day started with a rant by Riley "Caezar" Eller on the state of security. Caezar wrote Bypassing MSB Data Filters for Buffer Overflow Exploits on Intel Platforms and works for CoCo Corp. (CoCo appears to stand for Connection Optimizing Cryptographic Operator.)

He pleaded for someone to invent a new Internet and asked why other speakers at security conventions do not make similar requests. Such pleas are similar to those who call for replacement of gasoline-powered automobiles with hydrogen-powered vehicles. It's easy to create an end-user product like a hydrogen-powered car, assuming the extra costs could be reduced. However, who will finance and build the infrastructure that makes such a vehicle worth buying and driving? Therefore, we see more success with incremental products like the Toyota Prius, which leverage existing fuel infrastructure while offering a more fuel-efficient power system.
I next attended Roger Dingledine's talk on Tor, an anonymous communication system that implements onion routing. I saw Aaron Higbee of the SecureMe blog there. Roger's presentation was excellent. He was one of the few speakers who managed to speak clearly, at an understandable speed, in complete and thoughtful sentences, without wasting words. He said Tor has about 15,000 users currently with 100-200 routing servers. Tor is not just for hiding a client's Internet identity; servers can be hidden as well. For example, Bloggers Without Borders is operating a "hidden" Web server. Tor is not peer-to-peer in the sense that all clients are also servers. Rather, you can be a Tor user without carring other people's traffic.

Next I attended a presentation by Lance James and Lucky225 of Secure Science Corporation. They demonstrated that telephone security was, is, and will continue to be broken. This talk was an eye-opener for me, since I don't spend any time on the voice side of the house. The pair showed how features of systems like Free World Dialup can be used to make free calls beyond the intended uses. They explained how Caller ID is completely worthless and trivially spoofed. Check VOIP-Info for an introduction to this world. They also mentioned,,,,, and the Kphone tool.

I had lunch with Andy Williams from Reuters (who wrote Hackers, Virus Writers Target Mobile Phones based on a Shmoocon briefing) and Marty Roesch, Snort creator and Sourcefire founder. (I saw Ron Gula of Dragon IDS and Tenable Security at the con, but couldn't find him for lunch.) Marty made an interesting comment on "intrusion prevention systems" (aka "layer 7 firewalls"). He said it is a commonly accepted security practice to implement access control via a "default deny, allow some" policy. Intrusion preventions systems completely break this best practice. They try to "deny some" and then they "allow all." The tragedy of the situation is compounded when organizations follow Gartner's advice to remove their intrusion detection systems and proxies (another "dead" security tool). Now we have exploit traffic that passed through the IPS with no way to audit or contain it. This argument is similar to my discussion Considering Convergence? where I recommend against collapsing access control and detection into one appliance.

I then saw Michael "Abadd0n" (zero or letter O, not sure) Lynn introduce radio frequency security issues. Mike wrote AirJack which he presented at Black Hat USA 2002. He is obviously a really smart guy, but he spent way too much time on RF theory and background issues. Even though he spoke extremely fast, he never really got to discuss anything very interesting. He was excited about the Universal Software Radio Peripheral and related GNU Radio projects.

A similar electro-magnetic theme followed, with a presentation on infrared hacking by Major Malfunction. I wish Mike's RF briefing had followed Major Mal's lead in terms of presentation style. Major Mal demonstrated how he completely owned the television systems in several hotels by figuring out the IR commands used by the TV remote. He also discussed brute-forcing and replaying codes to open garage doors, vending machines, auto alarms, and other devices. It seems IR is totally broken too.

The second-to-last talk for the day discussed a wireless IDS project by Laurent Butti and Franck Veysset from France Telecom. Their unnamed product is not yet open source and they do not have any public Web presence yet. (I saw the name "semper" in the title of the demo, so perhaps that is the name of their wireless IDS?) The Snort-Wireless project appears stalled, so it would be nice to see an alternative. They reminded me of an open source switch management project called Netdisco. An audience member piped up about the 3rd Generation Partnership Project (3GPP) and its support for embedding GPS coordinates in device messages.
I ended the day listening to David Hulton (aka H1kari) explain Field Programmable Gate Arrays. K1kari organizes Toorcon and wrote bsd-airtools. He builds embedded systems for Pico Computing and showed how to deploy FPGAs to create fast password-cracking systems. The boards he used are built by Xilinx. More information is available at

No comments: