ShmooCon is sadly over and now it’s time to play catch-up. I had this crazy idea that we would be able to keep up blog posts throughout the con but obviously that didn’t work out as we were just having too much fun meeting everyone. Anyway, here is the first in a series of post-ShmooCon articles for your reading/watching/listening pleasure. This first post features the videos @irongeek_adc made of the ShmooCon FireTalks on Friday night. The scary thing was that he actually had these videos out by Saturday morning… You can also check out all the ShmooCon 2013 FireTalks videos (and tons of other great content) over on IronGeek.com.
Thin Slicing a Black Swan: A Search for the Unknowns
Michele “@mrsyiswhy” Chubirka & Ronald Reck
As infosec professionals we are swimming in prodigious amounts of data, but it isn’t making us better at our jobs; it seems to make us worse. In Verizon’s 2012 Data Breach Investigations Report, it was found that across organizations, an external party discovers 92% of breaches. We continue to desperately grasp at that straw of “more data,” but what if this is simply information gluttony? Incident response’s bloated model drives it closer to a form of security archeology rather than its promise of real-time relevance.
When Did the Smartphone Pentest Framework Get Awesome?
Georgia “@georgiaweidman” Weidman
SPF came out and it was good but not spectacular, so Georgia went and lived in a cave for 2 months and came out with a much better SPF. Custom post-exploitation apps using any front end you have the code for, permission-based post-exploitation apps and apps that try every exploit known for the device, integration with other tools, more exploits for more platforms. If you think you’ve seen SPF, you are mistaken. Everything demoed in this presentation will be brand new functionality never before shown. When many people hear Smartphone Pentest Framework they think this tool lets you run attack tools from a smartphone. Instead this tool lets you assess the security posture of smartphone devices. As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers.
ShellSquid: Distributed Shells With Node
Shellsquid was built out of necessity. Corporate egress controls often limit outbound connections to HTTP (tcp/80) and HTTPS (tcp/443), often requiring the traffic to exit through a proxy. When attacking victims it is then a necessity to use reverse payloads that connect on one of these two ports and are proxy aware, the safest option being HTTPS. This is straightforward. Start your listener and go. But what if you’re attacking multiple targets and want to keep them separate? What if you’re working with a team whose members are all attacking different targets and they can’t share a listener? What are you to do? Shellsquid is meant to alleviate this issue by dynamically routing your reverse connections to a configured listener on a different port and/or machine. Teams of penetration testers can now share a single perimeter system listening over HTTPS, while routing reverse connections to internal hosts.
If You Can Open The Terminal, You Can Capture The Flag: CTF for Everyone
Nicolle “@rogueclown” Neulist
You don’t spend every single conference you attend in a darkened room, listening to techno music and hunched over your laptop. You don’t know every single security tool out there backwards and forwards. This means CTF is completely out of your league, right? Wrong. If you’ve got a competitive streak, a love of puzzles, and a desire to add to your security bag of tricks, you can gain a lot out of competing in Capture the Flag. They’re a great way to practice your security skills and learn new ones. This talk will cover common structures and topics in CTF competitions, some technical and problem-solving skills you’ll want to add to your arsenal, and how to dive in and start playing! There will also be plenty of firsthand stories of pitfalls that new CTF players can easily fall into, and how you can avoid them. You may not leave this talk as the most three-one-three-three-seven CTF player on earth, but that takes a bit longer than fifteen minutes.
Becoming a Time Lord – Implications of Attacking Time Sources
Joe “@joeklein” Klein
On or about November 20, 2012 the NTP server at the USA Naval Observatory was rebooted and somehow reverted to the year 2000. The impact, though subtle, propagated downstream to many servers and systems which rely on NTP. Within days of this incident, a paper out of Carnegie Mellon University was released which discussed potential strategies for attacking GPS software, another source of the time standard. Just a day later, Wired magazine published an article discussing Google’s true time API and the importance of time in their data centers. Could this be a coincidence? Is the universe trying to tell me something? And why am I wearing a bow-tie?
Swinging Security Style: An Immodest Proposal
Wendy “@451wendy” Nather
I have a proposal to make — or rather, a proposition — to improve the overall state of security. Just as in the olden days, when swinging couples would put their house keys in a pile, and whoever drew a set of keys would go home with its owner, I suggest that security professionals do something similar (maybe with USB keyfobs or hardware tokens?). We don’t have enough empathy or understanding in this industry, and changing places with someone who does something very different from you (whether it be auditing, management, pentesting, engineering or something else) can help both personally and professionally. Think of it as job swapping — and if you’re married to your job, that’s kind of like spouse-swapping, isn’t it? Pick someone next to you and help them solve one of their security problems. You don’t even need to bring Crisco.
Any comments on any of the Friday night talks? Let us know in the comments below. Today’s post pic is from Can You Hear Me Now. See ya!