
Tenable Blog


Shmoocon 2010 Security Conference

ShmooCon has always been one of my favorite conferences. It is very well run and provides a small, intimate environment to discuss all things related to hacking and information security. You truly feel a part of this conference in every way. For example, you are encouraged to throw small stress balls called "Shmooballs" at any speaker you disagree with. The conference founders felt that many conferences had talks that were complete nonsense yet no one would stand up to say anything in opposition. As a speaker at ShmooCon you may literally find yourself running for cover. This year there was even a "Shmooball Launcher" contest that scored the homemade launchers in several different categories.

Larry Pesce participating in the Shmooball launcher contest at ShmooCon 2010 in Washington, DC. Larry's Shmooball launcher proudly displayed the Nessus banner throughout the conference and received a lot of attention from curious conference attendees.

This year's ShmooCon had some excellent presentations and workshops, including one that reportedly used Nessus to find a directory traversal vulnerability in VMware (more to follow on that one). Some of the other highlights include:

Bluetooth & Cell Phone Security

Bluetooth security has remained a topic that often does not carry a lot of weight with senior management. To Bluetooth device manufacturers' credit, many of the attacks are opportunistic and difficult to pull off (especially when targeting an organization or a particular person). Joshua Wright has done some outstanding research in this area, showing how Bluetooth headsets can be used as listening devices. Many of these attacks rely on a device being in "discoverable mode", meaning it is looking for other devices to pair with. A great example of an opportunistic attack that Josh describes is when you are getting off an airplane and everyone turns their phones on, forcing them into discoverable mode until they find the appropriate Bluetooth headset to pair with. Building on Josh's research and that of others, Michael Ossmann covered the dangers of using Bluetooth keyboards in his talk titled "Bluetooth Keyboards: Who Owns Your Keystrokes?". Many of the same types of opportunistic attacks are possible. For example, when you turn off your computer and turn it back on again, it opens a window of opportunity that an attacker can use to pair with your devices, and even perform man-in-the-middle attacks by using a setup that requires the attacker to have two Bluetooth devices attached to a computer. Michael also did a live demo in which he showed how a mouse's USB dongle could be used to inject keystrokes into the remote host. This increases the risk level of running Bluetooth in your environment. To help people test their own environments, Michael has posted a Bluetooth security checklist on his web site.

GSM has now joined the ranks of wireless protocols that have fallen from grace, with attacks against it going from theoretical to practical. Using OpenBTS and some open source hardware called USRP (Universal Software Radio Peripheral), an attacker can communicate with your phone, then route VoIP on the backend to complete your calls. Of course, the attacker is running Wireshark and recording all of your calls and other data (including text messages). Putting sensitive data on your phone is also dangerous for BlackBerry users, as described in the talk "Blackberry Mobile Spyware - The Monkey Steals the Berries" by Tyler Shields. You can view a demo of the software that he created to capture SMS messages, emails and phone call logs from these devices.

While these attacks potentially give attackers access to your data, they are difficult to exploit unless you are in physical proximity of the target. Antennas can increase the range of these attacks, but they still fall into a category of attacks that require an attacker to be within a certain range (compared to attacks such as client-side exploitation or web-application attacks, which allow an attacker to be anywhere and even "anonymize" the source).


Lockpicking is one of those "black arts" that until recently had not been in the spotlight. Thanks to the TOOOL organization, and especially Deviant Ollam, you can attend many security conferences around the world and visit the Lockpick Village. Here, you will find presentations on how locks work, how to pick locks and how to choose the right lock for the right job. If you have anything to say about physical security in your organization, you should check out this material. Having the correct locks on server room doors, on equipment deployed in the field and in your office space is an important component of your security program. For example, I asked Deviant which locks offered the best level of security for a gym locker that would store your wallet, keys, and cell phone while you worked out. Deviant recommended a new lock from Master Lock called the 1500iD Speed Dial, which uses a series of up, down, left, and right movements as the combination for the lock. It also touts "Maximum security with anti-shim technology" to deter someone trying to use a shim to open the lock.

What is "security"?

There was much discussion of "APT" (Advanced Persistent Threat), mostly in the context of "it's nothing new". Attackers will go after a specific target; however, it's tough to know how and when. The possibility has always existed, and your organization could be a target. The big question is "what do you do about it?" One angle is to use the current buzzword and media hype to scare management into implementing more security. This is only going to get us so far on the path to "security". If security in your organization relies on waiting for "the next big thing" to happen in the security world, you've already lost. Decisions regarding your response to a particular threat are business decisions; however, we should not wait for the media, competitors or others in the same industry to dictate the response. The actions taken (including no action at all) must be based on your own strategy, policy, and procedures. Business decisions have repercussions that may not be felt in the short term (just as the automotive and financial industries have come to realize). Those responsible for security must understand business, but should we conform to standards that have led to major industries requiring government bailout money? Take the time to educate upper management, not just about good security, but about good business as it relates to security. If your intellectual property is at risk, show them how. Discuss the worst-case scenario and get some defensive measures in place. Many people ask, "how do you 'sell' security to management?" The answer is that you should not be "selling" anything; it should be part of your business practices.
