The second day followed ShmooCon’s traditional security Build It/Break It/Bring It On tracks. I jumped around a bit but spent most of my time in the Break It sessions.
After fighting local DC traffic coming in from Northern Virginia, I arrived just in time for Jay Beale’s “They’re Hacking Our Clients! Why Are We Focusing Only on the Servers?” presentation (presentation, video). He reiterated the common catchphrase that security protections are often “crunchy on the outside” but “chewy on the inside” and stressed how attackers are now focusing on the “chewy inside” with client-side attacks. Statistically, in any large organization it is very possible that a small number of users will get compromised through emails, malicious web sites, or many other client-side vectors. Once a single machine is compromised, the “chewy inside” is often wide open for exploitation. Jay finished up by discussing some possible client-side defenses to reduce your attack surface. One interesting idea involved correlating data from caching proxies (which collect IP and application version information) with a vulnerability database to produce reports of applications that need to be patched.
After lunch I headed over to see Sheeri Cabral presenting “Why Are Databases so Hard to Secure?” (presentation, video). She started with a little information on her background and continued with some basic security strategies, applying them to databases. Then she gave an overview of what a database is and why they are so hard to secure. Basically, there are many different attack points (e.g., network, OS, third-party apps, and in-house apps), each run by someone different. After some ShmooBall tosses and audience insults about only giving basic information, she started describing some general philosophies for securing databases as well as code examples of security features that security professionals can use. Unfortunately, the audience’s dissatisfaction continued, the talk finished with several minutes of mic feedback, and the staff rushed her off the stage for the next presentation.
I stayed in the same room for “VoIP Penetration Testing: Lessons Learned, Tools, and Techniques” (presentation, video) by John Kindervag and Jason Ostrom. John started with a summary of the advantages of converged networks and then the business risks they introduce (e.g., publicly accessible IP phones). He then described how IP phones work by using separate VLANs and auto-configuration, and the advantage of reducing cable runs by having an extra Ethernet port that PCs can use. John next continued with some of the lessons learned from the various VoIP assessments they had performed using the VoIPHopper tool Jason had developed. Most assessments resulted in a DoS against the IP phone system; however, in several cases they were able to gain admin access to the IP phone server. I had heard of this tool before on the BlueBox Podcast and had seen an online demo. Jason took over the talk to detail VoIPHopper. Essentially, this tool eases VLAN jumping with on-the-fly Ethernet header tagging. In this case, it was customized specifically for VoIP VLANs. Jason then demonstrated some of the tool’s new features (e.g., easily adding/removing VLANs and MAC spoofing) and continued with two scenarios for gaining access to IP phone VLANs: replacing the phone completely and piggybacking off of the phone. The first scenario involved replacing a hypothetical publicly accessible IP phone with a PC running VoIPHopper. The demo successfully showed how this tool could be used to emulate IP phones. In the second scenario Jason demonstrated how VoIPHopper could gain access to the VLAN by piggybacking off of the phone’s extra Ethernet port to sniff VLAN traffic. After two successful demos, Jason described how many mitigation strategies recommended by vendors don’t work. He noted that the best solution is to use the phone’s CDP security, set up MAC address filtering to allow only the MAC of the phone on the switch port, and disable the PC port and/or PC voice VLAN access. With this type of configuration, he wouldn’t be able to compromise the IP phone system. The presentation ended with a summary of planned features for VoIPHopper.
After a nice break and some great conversations with some vendors and other attendees, I attended “Advanced Protocol Fuzzing – What We Learned when Bringing Layer 2 Logic to ‘SPIKE Land’” (presentation, video) by Enno Rey and Daniel Mende. Enno started out with a definition of fuzzing and the need for an associated layer 2 tool. They talked about their experience in choosing a fuzzing framework and their initial decision to settle on SPIKE. Next, Daniel went into the technical details of using SPIKE and how they modified it to work at layer 2. The next part of the presentation detailed the functions added and code changes made to SPIKE for a variety of protocols including MPLS, LLDP, VTP, and DTP, followed by demonstrations. In many cases they were able to lock up common network devices or cause erratic behavior (e.g., “blinking like Christmas tree”). After running into limitations with the SPIKE framework, they decided to switch to Sulley. They discussed its advantages, the changes they made to support layer 2, and the migration of the SPIKE scripts. Although they were able to inconsistently crash some devices, they noted that many of the Sulley-based results varied from SPIKE and that further research is necessary to determine why. All of the code modifications and additional functions for SPIKE and Sulley are available on their web site.
On my way over to Lockpick Village I ran into an ad-hoc presentation by Offensive Security demonstrating the use of BackTrack to exploit Vista. The two scenarios involved bypassing anti-virus software and Windows ASLR. The first attack involved modifying an old Trojan to hide from an anti-virus program. Using several tools (a PE editor to change file properties, a hex editor, and OllyDbg), the presenter basically appended a simple XOR encoder/decoder onto the Trojan, prepended a jump at the beginning of the program to the encoder/decoder, and replaced the original code with an encoded version. After these modifications, the Trojan ran but was undetectable by the anti-virus software. The second demo about bypassing ASLR was a little too complicated for me to follow. It seems that you can somehow calculate the random offset Windows creates at each boot-up. With this value attackers can continue old-style buffer overflow compromises.
Beyond the sessions I attended, Saturday just seemed to be packed with many other excellent presentations. I’ll definitely be waiting for several videos to come out and will update this post when I do.
I finished up the day by watching some of the Halo tournament and grabbing a beer with some other attendees. Unfortunately, I wasn’t able to make it to the Saturday night party, but I’m sure fun was had by all.
As they did for Friday, the following bloggers provided more commentary on Saturday’s activities as well:
- Roger’s Information Security Blog: Shmoocon 2008 Day 2
- SecurityNewsPortal: Shmoocon 2008 Day 2
- Uncommon Sense Security: Shmoocon, Day Two
- Dan Griffin’s Blog: ShmooCon 2008 – Day 2 Recap
Comprehensive Conference Schedule
Here is a comprehensive list of Saturday’s scheduled talks as well as links to the presentations and videos (posted as they become available). Descriptions of each session and speaker bios can be found on ShmooCon’s speaker page:
- Active 802.11 Fingerprinting: Gibberish and “Secret Handshakes” to Know Your AP (Sergey Bratus, Cory Cornelius and Daniel Peebles): Presentation, Video
- SIPing Your Network (Radu State, Humberto Abdelnur, and Olivier Festor): Presentation, Video
- They’re Hacking Our Clients! Why are We Focusing Only on the Servers (Jay Beale): Presentation, Video
- Passive Host Characterization (Matthew Wollenweber): Presentation, Video
- Practical Hacker Crypto (Simple Nomad): Presentation, Video
- Using Aspect Oriented Programming to Prevent Application Attacks (Rohit Sethi and Nish Bhalla): Presentation, Video
- Flash Drives & Solid State Drives Data Recovery Comparison to Hard Drives: Animated (Scott Moulton): Presentation, Video
- Virtual Worlds – Real Exploits (Charlie Miller and Dino Dai Zovi): Presentation, Video
- Smarter Password Cracking (Matt Weir): Presentation, Video
- 21st Century Shellcode for Solaris (Tim Vidas): Presentation, Video
- Why are Databases so Hard to Secure (Sheeri Cabral): Presentation, Video
- VoIP Penetration Testing: Lessons Learned (John Kindervag and Jason Ostrom): Presentation, Video
- Got Citrix? Hack It! (Shanit Gupta): Presentation, Video
- Advanced Protocol Fuzzing – What We Learned when Bringing Layer2 Logic to “SPIKE Land” (Enno Rey and Daniel Mende): Presentation, Video
Bring It On!
- Climbing EVEREST – An Inside Look at Voting Systems Used in the US (Sandy Clark, Eric Cronin, Gaurav Shah and Matt Blaze): Presentation, Video
- Forced Internet Condom (Aaron Higbee and Jaime Fuentes): Presentation, Video
- A Hacker Looks Past 50 (G. Mark Hardy): Presentation, Video
- TL1 Device Security (Rachel Bicknell): Presentation, Video
- I Will Be Your Eyes and Hands: Colossal Cave, Adventure and Reality (Jason Scott): Presentation, Video
- You Must Be This Tall to Ride the Security Ride (Joel Wilbanks and Pete Caro): Presentation, Video
- Legal Issues for Bot-net Researchers and Mitigators (Alexander Muentz): Presentation, Video