DEFCON 16 Day One

It would probably be more interesting to blog about my numerous traveling mishaps (summary: never stay at Circus Circus however close it may be to your conference), but I thought a quick bullet point version of the first day at DEFCON 16 would be more relevant. Incidentally this trip was possible because of a generous training budget benefit provided by Near Infinity.

Making the DEFCON 16 Badge, Joe “Kingpin” Grand

  • The default firmware makes the badge function as a TV-B-Gone (it really turned on/off my hotel room TV ... cool)
  • You should be able to transfer files between SD card readers in badges (haven’t tried)
  • Later in the day I soldered for my first time ever and added a mini-USB port to the card in the “Hardware Hacking Village.” This was a rush, very cool. Thanks to Joe and Andrew for the assistance.

Deciphering Captcha Michael Brooks

  • It never occurred to me you could generate all possible outcomes of a captcha algorithm to break it, cool idea
  • Never read a script at a conference, however interesting the topic may be, I left after 5 minutes

Whitespace: A Different Approach to JavaScript Obfuscation, Kolisar

  • Problem: Your Cross Site Scripting Code needs to evade human and/or automatic detection
  • Solution: Embed JavaScript code in whitespace as tabs (1) and spaces (0)
  • This was a really cool demo

New Tool for SQL Injection and DNS Exfiltration, Robert Ricks

  • SQL Injection is still a widespread vulnerability
  • Once you get in you can do all kinds of things, their demo included viewing the database schema
  • They showed a tool that automatically exploits vulnerabilities really fast, very cool

Living in the RIA (Rich Internet Application) World, Alex Stamos, David Thiel & Justine Osborne

  • A review of security vulnerabilities in five new RIA technologies: Adobe AIR, MS Silverlight, Google Gears, Mozilla Prism, and HTML 5
  • All technologies significantly increased attack surface and had vulnerabilities
  • Surprisingly Silverlight seemed to come out on top (go MS) followed by Adobe AIR
  • Google Gears, Mozilla Prism, and HTML 5 all have a long way to go

Bringing Sexy Back: Breaking in with Style, David Maynor & Robert Graham

  • Penetration testing is generally boring work, just run a few tools
  • Banks and federal agencies need to do more serious and creative pen-testing
  • Scenario: Russian czar hires developers with a 1 million budget and wants to break in to your company
  • Approach 1: Put iPhone in box, attach external power supply, turn on, fed ex to target company, while box is in mail room TTY to phone bypass physical security, attack wireless network
  • Approach 2: “Spear Phishing” – Start fake company, get domain name, get SSL certificate, send “New 401(k) Provider” e-mail to target company, link to bogus website, sign malicious ActiveX control so there aren’t warnings when they download
  • Wow, this talk was really cool, really eye opening

Keeping Secret Secrets Secret & Sharing Secret Secrets Secretly, Vic Vandal

  • As a presenter always err on the side of going too fast, and assuming your audience is smarter than you, this presentation sucked
  • Steganography is more than least significant bit image modification, it generally is about hiding things in plain sight such as hiding data after the EOF character in text files

Free Anonymous Internet Using Modified Cable Modems, Blake Self & Durandal

  • I didn’t actually attend this, I’m hoping Joe or Andrew will blog about it, because man did it sound cool. I’ll post a link if I see anything.

All in all this conference is absolutely amazing and eye opening. It really does give you a completely different perspective on the security industry.


Anonymous said…
Non-hackers should stay away from hacker Cons. Those who are just figuring out that SQL injection is a real thing shouldn't be in IT, much less at a hacker Con. Can you say "clueless l-user"?
Lee Richardson said…
"Just figuring out SQL injection?"

Uh, not sure what gave that impression, it was the tool and the DNS part of the exploit that was cool, not SQL injection itself.