The first night of ShmooCon is a wrap, at least for the presentations. First off, my shout-outs to all those that actually made it this year. The DC weather hasn’t been too kind to any of us, especially those traveling in specifically for this Con. But to those who made it, I salute you (even more so to those who had to walk a couple miles to get to their hotel because they didn’t make or take reservations at the Marriott).

Bruce Potter opened up with the event schedule and went on into his own little opening that had a common theme of “common sense”. He used the recent hiccups in the TSA as the base analogy. Basically the metric that we’re using to try and fix today’s security problems is solely based on the amount of money that we throw at it. Simply – the future looks grim if we continue the way we’ve been going.

Collin Brack kicked off the actual presentations with one titled: GPU vs. CPU Supercomputing Security Shootout. I was actually looking forward to this talk. Sadly, I was a little disappointed. I guess I was looking for some more in-depth technical slides or live demonstrations on how GPU vs. CPU compare. It was basically a link-filled slide hyping GPU. Nothing against Collin here, I’m sure it was a great presentation for those who had no clue that GPUs could be used for computation, it just didn’t have my vote. Key points: GPUs are great for many small calculations.

Larry Pesce and Mick Douglas followed up with “Information disclosure via P2P networks: Why stealing an identity via Gnutella is like clubbing baby seals”. This was a pretty good presentation. They showed what types of personal information they were able to find simply by parsing the P2P networks with a bit of command line scripting and mutella. It was entertaining and informative. Key point: careful with what you share on P2P, don’t share your entire C drive.

At this point I needed to stretch and take a small break, so I used this time to make my donation for my ShmooCon t-shirt. Also, I’m not entirely sure who or what the presentation was at this time. I thought I remembered Bruce mentioning one of the speakers not making it. And all the others were on the schedule, so this block was a blank to me.

I did return for Dan Crowley’s talk about “Windows File Pseudonyms”. It was a good presentation about the many different ways you could reference files without actually using a ‘C:\file.txt’ notation. Most involved some sort of ‘//’ notation or localhost network traversal. Some of this information I knew, but it was good to see it put to actual usage. He demonstrated with a PHP file upload attack exploiting the file name safety checks in the code. Key point: watch out for string comparisons in file checks; actually do a file/directory check for paths and files.
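
The key point above, as an added example in Python that is not from the talk or from this post: string checks on a file name are compared with checks that ask the filesystem what the name resolves to. The directory layout, file names and function names are constructed for illustration.

```python
import os
import tempfile

def naive_is_protected(requested, protected):
    """String comparison: matches only one spelling of the path."""
    return requested == protected

def naive_is_inside(requested, base_dir):
    """String prefix test: never resolves '..' or doubled separators."""
    return requested.startswith(base_dir + os.sep)

def is_protected(requested, protected):
    """Ask the filesystem whether both names refer to the same file."""
    try:
        return os.path.samefile(requested, protected)
    except OSError:  # requested does not exist, so it cannot be that file
        return False

def is_inside(requested, base_dir):
    """Resolve both paths first, then test containment."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(requested)
    return os.path.commonpath([base, target]) == base

def demo():
    """Run all four checks over constructed spellings of two files."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        protected = os.path.join(root, "settings.txt")
        upload = os.path.join(uploads, "photo.txt")
        for path in (protected, upload):
            with open(path, "w") as fh:
                fh.write("constructed sample file\n")
        candidates = {
            "dot": os.path.join(root, ".", "settings.txt"),
            "dotdot": os.path.join(uploads, "..", "settings.txt"),
            "double_sep": root + os.sep * 2 + "settings.txt",
            "legit": upload,
        }
        return {
            label: {
                "naive_protected": naive_is_protected(path, protected),
                "real_protected": is_protected(path, protected),
                "naive_inside": naive_is_inside(path, uploads),
                "real_inside": is_inside(path, uploads),
            }
            for label, path in candidates.items()
        }
```

Calling `demo()` returns one row per spelling; the string checks miss every alternate spelling of the protected file, and the prefix check accepts the `..` path as being inside the upload directory.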

Doug Wilson’s “Learning by Breaking: A New Project for Insecure Web Applications” was probably the quickest presentation in ShmooCon history. I say this because as I stepped out for about 8-10 minutes figuring I’d come back just in time for the good stuff, the presentation was already over and he was taking questions. I was really kinda ticked at myself for this one as this was exactly something I was looking forward to seeing as I’ve attempted to set up my own WebApp test environments in the past. I’ll definitely be looking back over the recorded presentation for this one and checking out the site. Key points: Don’t be late for the presentations you WANT TO SEE!

“Guest Stealing…The VMware Way” by Justin Morehouse and Tony Flick brought to the surface an old attack involving a directory traversal vulnerability in VMware Server. They basically explained how they came across it, along with a live demonstration. It’s something that’s long been patched, but it was good to see it in action anyways. Key points: Patch!

The final keynote “Closing the TLS Authentication Gap” presented by Steve Dispensa and Marsh Ray was a very good look into the actual process of discovering a real (and major) vulnerability, and the process it takes to disclose this information in a timely and yet safe manner without simply dropping it as a 0-day for the world to engulf. They discovered many of the issues weren’t technical at all, simply getting vendors and companies to cooperate with what needed to be done. It was a great view into the process and something I think all of us should look into. It gives a good showing of how hard it is to be an actual White Hat.

So, the fun continues tomorrow at 10am EST – I’m beat from a long day and not looking forward to trudging back through the snow, but hey, it’s ShmooCon!