ShmooCon has taken a nosedive. I don’t know where it went wrong, maybe this year was just a horrendously bad year, but the presentations did not meet my expectations. I can’t wait for the videos to go online in 60 days so I can watch myself hitting Simple Nomad in the face with a Shmoo Ball and being the first one to call him out on the poor quality of his presentation or the small businesses talk where Strat and I took turns dismantling all the presenter’s points.
This is the second time I’ve felt like this (the last time was after HOPE). I can’t sit here and complain anymore. If I disliked the presentations so much at ShmooCon, then I should present something myself to make up for it.
Who’s with me? HOPE/ISIS Con ‘08!
It’s the “new” that was missing from the “new and interesting research” that was presented. The highlights for me were talks like “Virtual Worlds – Real Exploits” and “VoIP Penetration Testing: Lessons Learned”. These were examples of excellent personal effort. Even in these talks, there were always people in the room who had done research on the same or a similar topic. But you know you are in real trouble when you have a presenter (Forensic Image Analysis to Recover Passwords, David Smith) talking about new and creative ways of using strings.
HOPE 7 is this summer, let’s make it exciting.
I was sitting next to Dan at Simple Nomad’s overview of cryptography and wished I had a few balls to toss as well. (SHMOO BALLS are a ShmooCon tradition to call out a presenter who may need to check their facts.) The presentation attempted to put modern crypto implementations into layman’s terms but was clearly thrown together the day of the conference through a haze of the previous night’s festivities. It was a bit of a letdown to spend an hour listening to basic pros and cons of crypto tools and the merits of a one-time pad, considering the audience was made up of people who presumably have strong security backgrounds.
Overall the lineup of speakers was hit or miss. I suppose that’s to be expected from most conferences; however, I do think there were some good original presentations.
Although the keynote speaker couldn’t make it, his graduate student Alex Halderman presented on work done at Princeton regarding an electronic voting machine. They were able to demonstrate exploiting the system to alter votes which is scary considering how many of these machines are still in use.
H1kari’s talk on GSM exploits was frightening. Guess I will have to trade in my iPhone if the new 3G version ever comes into existence, or better yet, how about a 700MHz phone.
I caught Tim Vidas’s talk on Solaris shellcode. For those of you who took part in CSAW, Tim was the forensics winner this year. He did a great job presenting at Shmoocon and demonstrating how to create shellcode on x86.
I always enjoy layer 2 talks as well. Enno Rey and Daniel Mende presented on layer 2 protocol fuzzing and found some issues with some of the newer protocols that should keep some Cisco engineers busy for a while.
Josh Wright and Brad Antoniewicz gave a dynamic talk on Protected EAP and some new attacks to reveal authentication information. While the discussion was technically solid, their energy on stage definitely kept the crowd’s attention.
I do agree with you guys, this was probably my least favorite of the 3 Shmoocons I’ve attended. It won’t stop me from returning next year to hear Mr. Guido’s talk though!
We should mention the Syn Phishus talk, “Unauthorized Phishing Awareness Exercise”. Blog.phishme.com also mentions it, but I want to say a few more things.
Interesting details in terms of Social Engineering:
1- He set up a server on his laptop.
2- He connected to the company network using the company VPN client, so connecting was easy, but so was tracing him.
3- He wrote an official-looking email to the security mailing list! (around 200 people)
4- The company recently had an SS theft (I believe). Syn used that as the story in his email and asked the list to sign up with the company’s ID theft insurance vendor. This reminds me of Storm Worm’s tactics – use of recent events to play on people’s emotions.
5- People who followed the link were shown a box that prompted them to log in using domain credentials. Whether they hit submit or cancel, they were directed to a page that explained that this was a phish and gave various advice. This was the only awareness-raising part, as the company kept the incident quiet and made no mention of it at all after everything was over.
6- Result: Syn estimates that 10% of the email recipients followed the link. Of course, there is no knowing how many people faked the credentials just to see what the server was.
7- His downfall: one of the managers was on the list and raised an alarm after an hour.
Why such a high success rate? He made it convincing – possession of the VPN client, knowledge of the security mailing list, knowledge of current events, pretext of trying to help the recipients with their troubles and good writing skills helped him pull it off.
Background:
Syn is a security contractor at some company. He is not satisfied with the security and enforcement policies in place (specifically the fact that they do not sign their email), so he provides education by phishing their credentials. He does not warn anyone. He makes it easy for IT to trace him by putting comments in the HTML code of the phishing site and by using the corporate VPN. He does not get fired.
Hey, Hope is planning their conference this year through this forum. Let’s keep an eye on it.
http://talk.hope.net/