Security/Conferences/DerbyCon2011

From MozillaWiki

Attendees

  • Curtis
I wrote all these notes and they are my personal interpretation; these views do not necessarily represent the views of the Mozilla Corporation, Mozilla Foundation or anyone other than me.
In short, it's me, all me, and my fault.

DerbyCon Overview etc

This was a very enjoyable conference: a small venue, in a nice location, and filled with great speakers, topics and attendees. I had lots of conversations about both of our bounty programs (web and client); there was lots of interest in what we were doing with add-on compatibility with regard to rapid release, and in our nascent enterprise ideas. Overall there was a very positive vibe about Mozilla and Firefox and a desire for us to continue leading in privacy (DNT was mentioned several times) and security.

Day1

Keynote HD Moore: Acoustic Intrusions

A very interesting talk, and oddly it ended up being a bookend to the last talk I went to. HD has come up with a tool called warvox (http://warvox.org/more.html) that can do all kinds of audio comparison. He used it to figure out that the safe in the hotel had a unique sound for each key, and he could pick those up in the hall through the walls and thus know the combination to a safe if he could hear it being entered. It was also shown how he could run through voice mail boxes and find interesting sound patterns, or compare the voice on one voice mail greeting to other phone voice mail greetings and thus find the home address of a person. It could also be used to distinguish all kinds of different phone systems, modems, fax machines, etc. Essentially a very useful tool for penetration testers.

Johnny Long: Hackers for Charity Update

I had never heard of Johnny or his charity work, but nonetheless it was very interesting, and in the end this con of ~1200 raised more money for the charity than Def Con.

Kevin Mitnick + Dave Kennedy: Adaptive Pen Testing

This was basically a talk on all kinds of ways to penetration test and a framework for pen testers. They showed Pwnie Plugs and the Social-Engineer Toolkit (SET), gave demos, and told all kinds of stories around pen testing as an assessment for businesses.

PTES Panel

A discussion panel of several well-known penetration testers who are advocating the use of PTES (http://www.pentest-standard.org/index.php/Main_Page) as a standard framework for ethical penetration testing. Basically the CEH of pen testers.

Chris Nickerson: Gorillas in the Wire

This was supposed to be "Compliance: An Assault on Reason", but Chris and the crowd changed it. This turned out to be a great talk for me, as it was a general review and overview of guerrilla tactics and how to view one's opponent when they are generally larger and more powerful than your side. For me this was of great value, as I have been thinking of ways to use asymmetrical means to achieve security goals.

Pat McCoy & Chris Silvers – Hook, Line and Syncer: The Liar for Hire’s Ultimate Tacklebox

This showed a ton of tools that could be used by penetration testers in the realm of social engineering and reconnaissance. They chose a hypothetical target (one of their bosses, who OK'd them doing this), and then used things like Facebook and other social networks to get tons of personal information about the target that could be used to social engineer them into giving up information. They also used that information to gather information about the target's employer that could be used to gain access to the physical and digital assets of the target.

Vlad Gostom - Smile for the Grenade! Camera go Bang!

Vlad gave a great overview of a homegrown project to produce a flare-gun-launched camera system. They were inspired by military versions that are out of reach and very expensive for both the normal user and law enforcement. This kind of system could be used to reconnoiter a target location from as high as 600 feet for approximately 4 minutes (in the best conditions). This system was still very much alpha and has only had a few successful launches, but it was a fun talk nonetheless as they worked through technical, legal and explosives issues.

Day2

Georgia Weidman: Throw it in the River? Towards Real Live Actual Smartphone Security

Georgia had a great talk on the state of smartphones and some ideas on how security for various parts could be improved, including update mechanisms. She showed how SMS messages could be spoofed and an easy way to combat the problem (an app she had written herself) that could encrypt or sign an SMS message. This is important because of how SMS is being used as a second factor of authentication for many services. I approached her after the session and had a nice talk about our start with B2G, gave her my card and encouraged her to take a look and please help us out by getting involved. Georgia has a lot of great insights on the mobile industry, experience with many platforms, and programming experience, which I think is a very valuable combination.

Emanuele Gentili & Marco Rondini - Cyber Warfare: Cross Application Scripting (CAS) - The new frontier

I was very disappointed when this talk was canceled, as the abstract looked really intriguing. I will have to see if I can find out more about these two and their topic.

The other tracks in this time slot did not grab me so I spent time hallway trolling and introducing myself to various people.

Thomas Hoffecker: Exploiting PKI for Fun & Profit or The Next Yellow Lock Icon

This talk covered how the DoD uses PKI for encrypted email, and how the little cert icon in email is the new yellow lock for users who are not paying attention. He also showed flaws in the system that can be used for information gathering by outside parties, as the verification system for external partners is weak.

Matthew Becker - Survival Hacking your way out of Armageddon

This was a fun talk that centered on how to use the type of skills that many pen-testers and hackers have to survive natural or unnatural disasters. He covered some basics of survival: what one might need to have on hand beforehand, and what one could scrounge for given what many of us already carry around. Again, a fun talk that was designed to get one thinking about how to use skills in different ways.

You’re Going to Need a Bigger Shovel – A Critical Look at Software Security Assurance

Raf is always an entertaining speaker; I had seen a different version of this talk at the Louisville Infosec conference the Thursday before. This talk centered on using what you have to accomplish what you want, especially if you're not the largest player on the block, so again this fit into my mind track of asymmetrical thinking to achieve software security. This was an excellent talk on how to define what needs to be achieved, the resources at hand, and the organizational means that may help or hinder an SSA program.

Rick Hayes & Karthik Rangarajan: OSINT Beyond the Basics

This was another talk on how to use readily available sources to gather social intelligence on a target to be used for social engineering. As it turns out, they had decided to use Firefox to create a new "browser" that could aggregate the searches and data so the user did not have to visit multiple sites and could view the output on a more combined page. They were very interested in talking to me not only about our rapid release process but about add-ons, extensions and the Jetpack API. These two also have a regular podcast called the InfoSec Daily Podcast.

Rick Farina: Free Floating Hostility

This was a fun talk, just Rick railing on all the things in tech that drive him crazy, especially the media and Apple. Thankfully, he left browsers out of the mix.

Jack Daniels: Surviving a Teleporter Accident (It Could Happen to You)

Jack used the story of a "teleporter accident" to illustrate how common infosec topics (threat modeling, assurance, asset classification, risk analysis, etc.) could be told in story form to make them more palatable to non-technical or non-infosec audiences.

Day3

Chris Roberts: A Tribute to Dr. Strangelove

Chris used publicly available information to show how an attacker could gain information on aircraft avionics and missile systems without having to directly attack the holder of the information. He used suppliers and downstream consumers of the information and parts, as well as the diagnostics information provided by manufacturers, to find out how he could then compromise avionics packages. Again, an interesting look at using indirect methods to garner desired information about a normally closed and specialized topic.

Jayson E. Street: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (or how I walked in and misbehaved)

This was a very entertaining talk that was an overview of physical penetration testing that Jayson had done. He had video, pictures and all kinds of things he carried in his "vest of doom". This boiled down to the point that if we are not teaching users the right things to do, then breaches of physical and social access are our (infosec's) fault and not the fault of the user. We need to teach, test and reteach concepts so that users can be better protectors of our and their own information.

Jamison Scheeres: Social Engineering is a Fraud

Jamison took the counterpoint that SE requires deception to achieve its goal of garnering information from users. He used an overview of classical SE (Ponzi schemes, grifting, confidence schemes) as a backdrop for more modern applications of the techniques in the information world.

Kevin Johnson & Tom Eston: Desktop Betrayal: Exploiting clients through the Features They Demand

This turned out to be one of the best talks for me. Kevin and Tom showed several examples of how new features in software, especially in HTML5, might be used to compromise users.

One of my favorites really throws back to HD Moore's talk. They showed a hypothetical attack where HTML5 audio could be used to attack a user via page content. The page would load both an audio listener and an audio channel to control a computer without the user's knowledge: the audio output would be above or below the human hearing range but still detected by the laptop microphone, so the listener could then accept commands and execute them outside the user's control.

I talked to both of them after their session, and they were very interested in what we were doing with audio, video, full screen, etc. and how these new features pose risks to users. We also had a chat about rapid release, the LTR proposal, silent updates and add-on compatibility. I exchanged contact info with Kevin, and I think we may want to approach him about some of his thoughts on these newer features.

Louisville Infosec

I attended this as an addition to DerbyCon; it is much more focused on corporations and their infosec needs. The majority of conversations here centered around what we were going to do for corporations given rapid release, so I spent a lot of time talking about the current proposal and encouraging them to join the working group and get involved in the conversation.

Interesting Insights:

  • Juniper gave a talk where they claimed pirated or trojanised apps cost carriers $9 per support call, thus stressing the need for good review before an app shows up in an app store. Open ecosystems (i.e. Google) were seen as easier to successfully attack than closed ones (i.e. Apple).
    • They also showed in-app purchase attacks, i.e. a reviewed app that went bad later, showing a need for continued review beyond the initial landing.

I spent most of my time reconnecting with people from local infosec shops, talking up our enterprise working group and LTR concept to a warm reception. They generally want an option other than IE, but rapid release makes that very hard, and as such they are still running older Firefox versions, if any at all. Developers are really driving this demand for them, but the risk for them in terms of compatibility and maintenance is just too large for many of them.