Security/Conferences/DerbyCon2011
Day1
Keynote HD Moore: Acoustic Intrusions
A very interesting talk and oddly ended up being a bookend to the last talk I went to. HD has come up with a tool called warvox (http://warvox.org/more.html) that can do all kids of audio comparison. He used it to figure out that the safe in the hotel had unique sounds for each key and he could pick those up in the hall through the walls and thus know the combination to a safe if he could hear it. It was also shown how he could run through voice mail boxes and find interesting sound patterns or compare the voice on the voice mail to other phone voice mail and thus find the home address of a person. It could also be used to distinguish all kinds of different phone systems, modems, fax machines etc. Essentially a very useful tool for penetration testers.
Johnny Long: Hackers for Charity Update
I had never heard of Johnny or his charity work, but none the less it was very interesting, and in the end this con of ~1200 raised more money for the charity than Def Con.
Kevin Mitnick + Dave Kennedy: Adaptive Pen Testing
This was basically a talk on all kinds of ways to penetration test and a framework for pen testers. They showed pwnie plugs and Social Engineers Toolkit (SET) and gave demo's and told all kinds of stories around pen testing as an assessment for businesses.
PTES Panel
A discussion panel of several well know penetration testers who are advocating the use of PTES (http://www.pentest-standard.org/index.php/Main_Page) as a standard framework for etheical penetration testing. Basically the CEH of pen testers.
Chris Nicerson: Gorillas in the Wire
This was supposed to be "Compliance an Assault on Reason" but Chris and the crowd changed it. This turned out to be a great talk for me. As this was a general review and overview of Guerrilla tactics and how to view ones opponent when they are generally larger and more powerful than your side. For me this was of great value as I have been thinking of ways to use asymmetrical means to achieve security goals.
Pat McCoy & Chris Silvers – Hook, Line and Syncer: The Liar for Hire’s Ultimate Tacklebox
This showed a ton of tools that could be used by penetration testers in the realm of social engineering and reconnaissance. They choose a hypothetical target (one of their bosses that OK'd them doing this), and then used things like facebook and other social networks to get tons of personal information about the target that could be used to social engineer them to gain information. They also used that information to get and gather information about the targets employer that could be used to gain access to the physical and digital assets of the target.
Vlad Gostom - Smile for the Grenade! Camera go Bang!
Vlad gave a great overview of a homegrown project to produce a flare gun fire-able camera system. They were inspired by military versions that are out of reach and very expensive for both the normal user and law enforcement. This kind of system could be used to reconnoiter a target location from as high as 600 feet for approx 4 minutes (at best conditions). This system was still very much alpha and has only had a few successful launches, but a fun talk none the less as they worked through technical, legal and explosives issues.
Day2
Georgia Weidman: Throw it in the River? Towards Real Live Actual Smartphone Security
Georgia had a great talk on the state of smartphones and some ideas on how security for various parts could be improved, including update mechanisms. She showed how SMS messages could be spoofed and an easy way to combat the problem (an app she had written herself) that could encrypt or sign an sms message. This is important because of how sms is being used for 2nd factor auth for many services. I approached her after the session and had a nice talk about our start with B2G, gave her my card and encouraged her to take a look and please help us out by getting involved. Georgia has a lot of great insights on the mobile industry, experience with many platforms, and programming experience that I think is a very valuable combination.
Emanuele Gentil & Marco Rondini - Cyber Warfar: Cross Application Scripting (CAS)- The new frontier
I was very disappointed when this talk was canceled as the abstract looked really intriguing, I will have to see if I can find more about these two and topic.
The other tracks in this time slot did not grab me so I spent time hallway trolling and introducing myself to various people.
Thomas Hoffekcer: Exploiting PKI for Fun & Profit or The Next Yellow Lock Icon
This talk covered how the DoD uses PKI for encrypted email and how the little cert icon in email is the new yellow lock for users who are not paying attention. He also showed flaws in the system that can be used for information gathering by outside parties as the verification system for external partners is weak.
Matthew Becker - Survival Hacking your way out of Armageddon
This was a fun talk that centered on how to use the type of skills that many pen-testers and hackers have to survive natural/unnatural disasters. He covered some basics of survival and what one might need to have on hand before or what one could scrounge for given what many of us carry around with us. Again a fun talk that was designed to get one thinking of how to use skills in different ways.
You’re Going to Need a Bigger Shovel – A Critical Look at Software Security Assurance
Raf is always an entertaining speaker, I had seen a different side of this talk at Lousiville Infosec conference the Thur. before. This talk centered on using what you have to accomplish what you want, especially if your not the largest player on the block. So again this fit into my mind track of asymmetrical thinking to achieve software sec. This was an excellent talk on how to define what needs to be achieved, the resources at hand and organizational means that may help or hinder an SSA program.
Rick Hayes & Karthik Rangarajan: OSINT Beyond the Basiscs
This was another talk of how to use readily available sources to gather social intelligence on a target to be used for social engineering. As it turns out they had decided to use Firefox to create a new "browser" that could aggregate the searches and data so the user did not have to visit multiple sites and could view the output on a more combined page. They were very interested to talk to me about not only our rapid release process but about add-ons, extensions and the jetpack API. These two also have a regular podcast called the InfoSec Daily Podcast.