These are some of the favorite talks I saw at Defcon.
Bruce Potter: Malware Detection through Network Flow Analysis
As expected, Bruce brings a lot of passion and “no fear” opinions to his presentations, which are much needed as the industry spreads out and becomes more stuffy, I mean mature. Bruce spoke about using network flow analysis for finding intruders or suspicious activity. This was a Black Hat talk that ran right to the end of the session, and one question I would have posed to Bruce is how he would deal with Skype and the way its P2P component makes connections to all sorts of otherwise suspicious endpoints. Really, if there is one talk I would hit at any con, I think a Bruce Potter talk would be it. The guy rocks.
Jay Beale: Owning the Users with Agent in the Middle
Jay didn’t even get to the real meat of his presentation; he only scratched the surface of his tool, The Middler, and didn’t get into subverting the automatic software installation process. Jay seems like one of those guys who can go on for hours if you just get his geek brain going. I dig that mentality! This talk alone should make one fear open networks (i.e. networks you don’t own) much more. I’m not even sure The Middler will be released (I’m skeptical, since it sounds very powerful), but it should be something like a cross between ettercap, Hamster, and a web proxy. It will reroute traffic through the host box and allow all sorts of twiddling of the HTTP traffic between the victim and the web server, including persisting non-SSL sessions and injecting JavaScript into pages.
Panel (Mogull, Pesce, Maynor, Hoff): All your Sploits (and Servers) are belong to us
This “panel talk” was really three smaller presentations in one, with some added humor by Hoff as he commandeered one screen to post heckles. Honestly, this “talk” gets props for several reasons. 1) BEER ON STAGE! Come on, there needs to be more beer on stage; I think I only saw 3 talks with beer; it’s Defcon! 2) It was opened with a Spot-the-Fed session. 3) While distracting from the talks, the heckling and interruptions by Maynor/Hoff really fit the atmosphere of Defcon. 4) The talk content was definitely interesting as well.
Movie Night With DT: Hackers Are People Too and Appleseed: Ex Machina
OK, this was not necessarily a presentation, but rather two movies. The first was by a second-generation Defcon attendee who took video shots and interviews at Defcon 15 to help teach the world that hackers are not evil criminals you hide your children from. The second movie, Appleseed, is one I’ve never seen before and was awesome to see on screen. While the room was large, the screens small, and the sound system sub-par, I enjoyed it since I sat in the second row right next to the speakers.
Taylor Banks & Carric: Pen-Testing is Dead, Long live the Pen Test
Carric and Taylor look the part of the old-school guard of pen-testers: basically, piercings, facial hair, and an attitude that fit what Defcon is all about. They both went over some of the history of pen-testing and why the pen-test from 8 years ago is dead, but new pen-testing with actual methodologies has been born. I really like their speaking style, and their stance on things like certs, self-taught knowledge, and the repeatability of a pen-test (this fits with my life/hard science background). Another abbreviated Black Hat talk, and if I can get my hands on their preso vid from there, I’ll happily pirate, I mean watch, it.
Schuyler Towne and Jon King: How to make friends & influence Lock Manufacturers
I’ve been dabbling in lock-picking for a while now, and as such this and the Tobias talk really helped fill in a lot of information for me. Schuyler talked about the lock-picking industry and how to properly work with lock vendors if you happen to find a weakness in their locks. I really appreciate that he made a distinction between software and physical lock full disclosure. Software is easy to update, but actual locks almost never get updated or replaced, and it is costly to have someone use a kit on a lock to upgrade it. Not only that, but locks do protect some amazingly sensitive and dangerous stuff, unlike most software. Jon King talked about breaking into Medeco M3 locks and he successfully did a demonstration on stage. What I took away from his talk, however, is that he’s only been doing this hobby for about 3 years, yet has been able to make some huge discoveries.
Marc Weber Tobias: Open in 30 Seconds: Cracking One of the Most Secure Locks in America
Tobias and company went into detail about breaking into more locks, and the various ways to defeat some protection mechanisms and bypass others. He also stressed key control, which is important and not something I have actively heard before. It’s a no-brainer, but a no-brainer that still makes a lightbulb go on after hearing it once.
Nelson Murilo & Luiz “effffn” Eduardo: Beholder: New WiFi Monitor Tool
Unfortunately, Murilo’s English was not so good, but I really dig what his tool, Beholder, wants to do. It really should not be hard to monitor a wireless network for various “stuff” and I think his tool is a great addition to any wireless implementation, especially for networks on a budget.
Valsmith & Colin Ames: MetaPost-Exploitation
This talk got a bit old-school because “the old stuff still works!” They talked about hiding your presence after actually gaining root on a box, and using it to attack others or just hiding your tracks. While this got old-school and was interesting, it still surprises me how few people talk about hiding files in ADS.
David Maynor & Robert Graham: Bringing Sexy Back: Breaking in with Style
While a bit lacking in cohesiveness, I like their humor and respect their knowledge. I’m not sure I agree that we should arm everyone with guns, I mean a toolbar, which does a quick vuln scan on every site/page they visit, but it is ideas like that that can get us thinking deeper than our day-to-day usually affords us.
I missed several talks I’d like to have seen, some because they were just too packed to bother with, or because they were held concurrently with other talks I wanted to see. I hope to catch these on video at some point, unless I hear that they’re not worth the effort to go beyond the presentation materials on the attendee CD.
Time-Based Blind SQL Injections Using Heavy Queries…
Compliance: The Enterprise Vulnerability Roadmap.
Strace & RSnake – Xploiting Google Gadgets: Gmalware & Beyond
Satan is on my friends list: Attacking Social Networks.
Advanced Physical Attacks: Going Beyond Social Engineering…
SensePost – Pushing the Camel through the eye of a needle.
Fyodor – NMAP: Scanning the Internet.
G.Mark Hardy – A Hacker Looks at 50.
Gaming: The Next Overlooked Security Hole.
Mati Aharoni – BackTrack Foo: From bug to 0day.
Is that a unique credential in your pocket or are you just pleased to see me?
Autoimmunity Disorder in Wireless LANs.
Career Mythbusters: Separating Fact from Fiction in your Information Security Career.
Grendel-Scan: A New Web Application Scanning Tool.
Renderman – How can I pwn thee? Let me count the ways.
Identification Card Security: Past, Present, Future.
Jay Beale – They’re Hacking Our Clients! Introducing Free Client-side Intrusion Prevention.
Renderman – 10 Things that are Pissing me off.
DAVIX Visualization Workshop
Hey man, that’s a really good point. I sort of forget about ADS ’cause that’s one of the first things I look for now, but you’re right, almost no one ever talks about it. I’ll remember that 🙂
V.
On the ADS note, frankly it’s easier to hide the shit in plain sight, especially if you have any host-based security stuff working against you.
w00t! Thanks for mentioning Schuyler’s and my talk; glad you enjoyed it… god I love defcon 🙂
You may be right. I’m not sure how many recent host-based security products monitor ADS access/use; I just know that tools to scan for ADS always took such a long time, making them highly annoying. But when one is run, I admit, the files will stick out.