ShmooCon has always been one of my favorite conferences. It is very well run and provides a small, intimate environment to discuss all things related to hacking and information security. You truly feel a part of this conference in every way. For example, you are encouraged to throw small stress balls called "Shmooballs" at any speaker you disagree with. The conference founders felt that many conferences had talks that were complete nonsense yet no one would stand up to say anything in opposition. As a speaker at ShmooCon you may literally find yourself running for cover. This year there was even a "Shmooball Launcher" contest,
that scored the homemade launchers in several different categories.
This year's ShmooCon had some excellent presentations and workshops, including one that reportedly used Nessus to find a directory traversal vulnerability in VMware (more to follow on that one). Some of the other highlights include:
Bluetooth & Cell Phone Security
Bluetooth security has remained a topic that often does not carry a lot of weight with senior management. To Bluetooth device manufacturers’ credit, many of the attacks are opportunistic and difficult to pull off (especially when targeting an organization or particular person). Joshua Wright has done some outstanding research in this area, showing how Bluetooth headsets can be used as listening devices. Many of these attacks rely on a device to be in “discoverable mode”, meaning they are looking for other devices to pair with. A great example of an opportunistic attack that Josh describes is when you are getting off an airplane and everyone turns their phones on, forcing them into discoverable mode until they find the appropriate Bluetooth headset to pair with. Building on Josh's research and others, Michael Ossmann covered the dangers of using Bluetooth keyboards in his talk titled, "Bluetooth Keyboards: Who Owns Your Keystrokes?". Many of the same type of opportunistic attacks are possible. For example, when you turn off your computer and turn it back on again it opens a window of opportunity that an attacker can use to pair with your devices, and even perform man-in-the-middle attacks by using a setup that requires the attacker to have two Bluetooth devices attached to a computer. Michael also did a live demo where he showed how a mouse’s USB dongle could be used to inject keystrokes into the remote host. This increases the risk level of running Bluetooth in your environment. To help people test their own environment Michael has posted a Bluetooth security checklist on his web site.
GSM now joins the ranks of another wireless protocol that has fallen from grace, going from theoretical to practical in the hacking category. Using OpenBTS and some open source hardware called USRP (Universal Software Radio Peripheral), an attacker can communicate with your phone, then route VoIP on the backend to complete your calls. Of course, the attacker is running Wireshark and recording all of your calls and other data (including text messages). Putting sensitive data on your phone is also dangerous for Blackberry users, as described in the talk "Blackberry Mobile Spyware - The Monkey Steals the Berries" by Tyler Shields. You can view a demo of the software that he created to capture of SMS messages, emails and phone call logs from these devices.
While these attacks potentially allow attackers access to your data, they are difficult to exploit unless you are in physical proximity of the target. Antennas can increase the range of attacks, but they still fall into a category of attacks that do require an attacker to be within a certain range (compared to attacks, such as client-side exploitation or web-application attacks, which allow an attacker to be anywhere and even “anonymize” the source).
Lockpicking is one of those "black arts" that until recently had not been in the spotlight. Thanks to the Toool organization, and especially Deviant Ollam, you can attend many security conferences around the world and visit the Lockpick Village. Here, you will find presentations on how locks work, how to pick locks and how to choose the right lock for the right job. If you have anything to say about physical security in your organization, you should check out this material. Having the correct locks on server room doors, equipment deployed in the field and in your office space is an important component of your security program. For example, I asked Deviant which locks offered the best level of security for a gym locker that would store your wallet, keys, and cell phone while you worked out. Deviant recommended a new lock from Master Lock called the 1500iD Speed Dial which uses a series of up, down, left, and right movements as the combination for the lock. It also touts " Maximum security with anti-shim technology" to deter someone trying to use a shim to open the lock.
What is "security"?
There was much discussion of "APT" (Advanced Persistent Threat), mostly in the context of "it’s nothing new". Attackers will go after a specific target; however, it’s tough to know how and when. The possibility has always existed, however, and your organization could be a target. The big question is “what do you do about it”? One angle is to use the current buzzword and media hype to scare management into implementing more security. This is only going to get us so far on the path to "security". If security in your organization relies on waiting for "the next big thing" to happen in the security world, you've already lost. Decisions regarding your response to a particular threat are business decisions, however; we should not wait for the media, competitors or others in the same industry to dictate the response. The actions taken (including no action at all) must be based on your own strategy, policy, and procedures. Business decisions have repercussions that may not be felt in the short-term (just as the automotive and financial industries have come to realize). Those responsible for security must understand business, but should we conform to standards that have led to major industries requiring government bailout money? Take the time to educate upper management, not just about good security, but good business as it relates to security. If your intellectual property is at-risk, show them how. Discuss the worst case scenario and get some defensive measures in place. Many people ask, "how do you ‘sell’ security to management?" The answer is you should not be "selling" anything; it should be part of your business practices.