We really enjoyed running FireTalks last year. It was a great chance to meet a lot of the online friends we made up to that point. With the completion of the third round of tickets and some coordination calls with the ShmooCon team, we proudly announced the ShmooCon 2011 Firetalks!
If you followed the FireTalks in the past, this year’s was essentially run the same however there were a few differences we noted. First, instead of having four 15-minute sessions each night, we expanded up to six. We hoped to accommodate many of the awesome submissions that the ShmooCon team was not able to accept due to the finite number of speaking slots. Additionally, we ran the CFP a little more like a traditional conference instead of on a first-come-first-serve basis. The goal was to have a nice mix of established and new speakers. But other than those two changes, most everything else remained the same.
For all the latest happenings, check back to this post periodically. It was the home for any and all information relating to the ShmooCon 2011 FireTalks. You could have subscribed to our main RSS feed or followed us on Twitter at @novainfosec since we put out short “update” posts with just the new information and a pointer back to this “master” post. And as usual … I regularly updated my Twitter stream at @grecs with all the information using the #firetalks tag. If you need to quickly refer back to this post, you could have also used the longish bit.ly link we created at bit.ly/shmoocon2011firetalks.
Anyway … here were the logistics for this year’s FireTalks in traditional NovaInfosecPortal.com form:
- Who: ShmooCon/NovaInfosecPortal.com
- What: ShmooCon 2011 FireTalks
- CFP Due Date: 1/23, midnight EST
- Event: 1/28, 8:00 PM & 1/29/2011, 8:00 PM EST
- Where: Washington Hilton Hotel (1919 Connecticut Avenue, NW Washington, DC 20009; International Ballroom – West [where the Bring It On track will be])
For a historic look at the whole FireTalks idea, please check out the History section of last year’s post. From @catalyst, @mubix, @carnal0wnage, and many others, we are standing on shoulders here. Now onto what happened with this whole FireTalks thing…
We had six 15-minute speaking slots each night. Hopefully, the talks provided a nice mix of established and new speakers. Here was the 2011 schedule.
|8:00||@Grecs||Welcome & Announcements||n/a|
|8:15||Ralph “@RalphBroom” Broom & Danny Gottovi||Protocol Security: You’re (Still) Doing It Wrong||Despite the wide availability and known advantages of encrypted communications across the Internet, use of these protocols is still not universal. We describe the current threat space impacted including the recent release of FireSheep, and present the findings of our research into secure protocol usage at security conferences DEFCON and ShmooCon, and on the Tor network, which we expect to be higher than the general population. We close with the implications of these numbers applied to the general population and summarize what service providers and end-users can do about it. This is original research.|
|8:30||Rick “Zero_Chaos” Farina||Radio Chaos: Why Retired Men Know More about Hacking than You Do||This presentation will revolve around radios that nearly all businesses use. Several misconceptions are constantly spread around the hacker community about radio communications such as encryption use and general security. Curious about what is going on around you? Wonder who the local police are pulling over? Will the local fire department save that cat from the tree? What are the goons doing right now…. Wonder no more! Learn things that your parents and their retired friends already know such as tone squelch, repeaters, trunking, and digital modes so you will never be left out of the loop again.|
|8:45||Lisa “@llorenzin” Lorenzin||What I Learned about Security at Burning Man||A brief photographic tour of critical security lessons I’ve learned over five years as a citizen of Black Rock City. (Warning: contains nudity)|
|9:00||Irongeek “@irongeek_adc“||Intro to I2P||Tor is great, but what about alternatives? This talk will cover installing the I2P darknet client, as well as hosting services. Make your mark on cipherspace.|
|9:15||Jimmy “@shah_jim” Shah||Mobile Botnets and Rootkits: An Overview||Geinimi-Android botnets? Zeus in the Mobile? Symbian botnets? iPhone Botnets? Millions of phones at risk? The press coverage on smartphone threats is at times somewhat accurate, distant and occasionally(if unintentionally) misleading. They tend to raise questions such as: – how close to PC levels(100K+ to millions of nodes) mobile botnets have reached? – have mobile rootkits reached the complexity of that on the PC? – are criminals targeting our bank accounts or our identities through our phones? The talk will be a quick overview the state of rootkits and botnets on smartphones from the perspective of anti-malware researchers, including: – demystification of the threat from mobile rootkits and mobile botnets – the differences, if any, between mobile rootkits and mobile botnets vs. their PC counterparts – up close look[*] at how samples seen in the wild and researcher PoCs function – coverage of recent mobile botnet and botnet pre-cursors. [*] Short of examining disassemblies or mentioning actual API calls|
|9:30||Jack “@jack_daniel” Daniel||Is it better to burn out than fade away?||Is it better to burn out than fade away? It had better be; based on what I’m hearing from others in the information security field we are nearing a crisis. Everyone experiences occasional feelings of frustration in their careers, but what can we do for ourselves and peers to minimize the suffering? Join the conversation as we looks at the questions involved, and maybe even a few answers.|
For those that missed it, here was the video for Friday night…
|8:00||Grecs||Updates & Announcements||n/a|
|8:15||Valerie “@hacktress09” Thomas||Gurlz Rule and Boys Drool: How a Hacktress Can Take Your Social Engineering to the Next Level||What if I told you that pieces to your social engineering puzzle are missing? Would you believe me? For centuries women have served their countries and causes as spies; often infiltrating the most impossible of environments. In this presentation we’ll explore the role of the hacktress, female based attack vectors, and put some new twists on old tricks.|
|8:30||DaveMarcus||Using Social Networks to Profile, Find and Own Your Victims (slides)||Social engineering through social networks is one of the most complex threats to deal with and protect against. The more you know about your victims likes, dislikes, hobbies and activities, the better chance you have of successfully social engineering them to do whatever you want. What if there existed a set of tools that told a scammer or cybercriminal everything they wanted to know about their intended targets? What if their intended targets were, in fact, freely sharing this information with the very attackers that sought to steal their data? This presentation will take the audience through the most powerful set of tools ever created for the wily social engineer and cybercriminal: Bing, Twitter, Facebook, TwitScoop, TinyURL and other social media sites. By focusing on how to cleverly mine these sites for key user words, trends and topics and combining these results with an URL shortening service like TinyURL, we will demonstrate how any user can be sent any amount of malware, phishing attacks or any other social engineering-based attack at the cybercriminals command with a lure that will work every time.|
|8:45||Schuyler “@Shoebox” Towne||We Need to Start Attacking Disc Detainer Locks||Disc Detainer locks have been around for 100+ years, but until recently few in the US were even aware of them. Over the last 5 years low-end disc detainers have flooded the bicycle and motorcycle lock market. Now you can even find cheap disc detainer padlocks at truck stops with “HIGH SECURITY” emblazoned on the packaging. There are high security disc detainer locks out there, but that’s not what we’re getting from these companies. This talk will cover the basics of how these locks operate, simple picking instructions and I’ll introduce the early stages of a brute force dialer I’m building.|
|9:00||Raphael “@armitagehacker” Mudge||Armitage: Cyber Attack Management for Metasploit||Armitage is a new interface for the Metasploit framework built around the attack process. It visualizes your sessions and targets, intelligently recommends exploits, manages post-exploitation, and makes it easy to attack using compromised hosts. The goal of the project is to make Metasploit’s advanced features available to you. This short talk will demonstrate Armitage’s coolest features and touch on future developments. After this talk, you should visit http://www.fastandeasyhacking.com to learn more.|
|9:15||Michael “@theprez98” Schearer||Net Neutrality, the FCC, and the End of the Internet as We Know It (in 15 Minutes or Less)||On December 21, 2010, the FCC adopted “net neutrality” rules by a closely-watched 3-2 vote. But whether or not you support the idea of net neutrality, other questions remain: First, what is broken about the current process that needs fixing? Second, and more importantly, why did the FCC act despite the warnings of Congress and despite the Comcast decision, both of which claimed that that FCC lacked such authority? Third, was the process transparent? Lastly, what are the future implications of the FCC’s actions? This lightning-fast discussion will cover the basics of net neutrality, the role of the FCC in regulating the Internet, and the future legal and policy implications of the FCC’s neutrality rules. Is the future of the Internet really at risk?|
|9:30||Gal “@shpantzer” Shpantzer||Security Outliers: Cultural Cues from High Risk Professions||What do security officers have in common with airline pilots, surgeons, and special operation teams? This presentation explores factors involved in successful risk management for security leadership, by drawing upon lessons from other high risk professions that have a cultural legacy of dealing with risk. We derive early warning indicators of communication disconnects and provide a list of training objectives to dramatically improve risk management outcomes. Focusing on Layer 8 wetware issues enables strategic change that doesn’t have to cost an arm and a leg (read, no forklift upgrades), because the focus is not on the hardware/software stack. This talk was successfully delivered at RSA/CSI/DojoCon in 2010 and is updated with new interviews and research on aviation, surgery, military special operations and other fields that infosec could learn from and adapt to our relatively new profession.|
And here was the video for Saturday night…
To ease our submission load, we used the free EasyChair Conferencing System. We used it to handle submissions for AppSecDC this year and it worked nicely. It just required that you create an account, login, and select Submissions from the top menu. From there just fill out as much information as you can and hit the submission button. To get started head on over to the EasyChair SC2011FT portal. Note that the CFP closed 1/23 at midnight.
Similar to last year we had prizes for the top 3 presentations provided by some awesome sponsors. The top speakers were based on a 3-person panel scoring each presentation from 1 to 10. In case of a tie, we had a secret forth person pick the final winner.
Here were the sponsors for this years event…
Grand Price: Apple iPad – 16G with Wi-Fi
Courtesy of Astaro
|1st Runner-Up Prize: Acer Aspire One AOD255-2509 10.1-Inch Netbook||Brought to you by Aplura, LLC|
2nd Runner-Up Prize: $100 Think Geek Gift Certificate
Courtesy of Aplura, LLC
|Session Recordings||Adrian “IronGeek” Crenshaw for the main recording; Georgia Weidman for backup & streaming|
|Fake Cardboard Fireplace (yes, the same one from last year)||Mike Smith|
This year had 12 awesome presentations but only three could come out on top. For 2011 the ShmooCon FireTalk winners were:
- Second Runner Up: Lisa “@llorenzin” Lorenzin – “What I Learned about Security at Burning Man”
- First Runner Up: Dave Marcus – “Using Social Networks to Profile, Find andOwn Your Victims”
- Grand Prize: Schuyler “@Shoebox” Towne – “We Need to Start Attacking Disc Detainer Locks”
Once again congrats to the winners!
Of course this event would have been nothing without all the people that helped us put this thing on. Please give a big shout out to the following folks.
- Jack “@jack_daniel” Daniel (sponsorship)
- Adrian “@irongeek_adc” Crenshaw (session recordings)
- Georgia “@vincentkadmon” Weidman (backup session recordings; streaming)
- Mike “@rybolov” Smith (fireplace; judging panel)
- Nathi “@nathiet” Thwala (TBD)
- Jason “@jasonmoliver” Oliver (security – the physical kind)
- DaKahuna “@DaKahuna2007” (A/V coordination)
- Mike “@theprez98” Schearer (timer)
- CFP / Sponsor Support
- Update 1 (aka – Time Change & Sponsors Needed)
- Update 2 (aka – Speaker Announcement & New Sponsor)
- Update 3 (aka – Schedule & Prizes)
- Update 4 (aka – Winners, Videos, & Slides)
Well that is pretty much it…. Thanks for all the support. See ya!