Toorcon Report
This year I went to security/haxor conference Toorcon for the first time. I have attended USENIX LISA, which rocks, and SANS, which does good training in the guise of a conference. This was a little...different. Not as insane as Defcon, not as polished as I hear Black Hat is, it consisted of a few hundred self-identified members of the 'Digital Underground', mostly whitehats, but some definite criminals. (Note - don't take offense if you are a Black Hat. It's a crime. I'm not calling anybody a terrorist.)
Very serious presentations, even if some of them were hilarious. One was done remotely and anonymously. It was a little dry, but the technique works.
The Capture the Flag tournament drew three teams competing to hack servers in the tournament network. The Midnight Research Labs crew completely dominated the other two, which consisted of much less seasoned attackers. By dominated, I mean almost shut out. Hundreds of points to nil. Only toward the end of the second day did another team get any points at all, and one team LOST points for losing a server. I am acknowledging the MRL, not dissing the other two teams. Hell, I didn't even enter the damn thing and wouldn't have gotten far if I had. I just play defense.
A licensed private investigator who runs "the largest privately held investigation support service company in the country" gave a scary talk entitled, "Privacy is Dead: Get Over It."
Some points: You may one day lose insurance coverage if someone gets a list of your Amazon purchases and it includes "Recovering from H.I.V." Credit card companies track your purchases, and sell your profile to pretty much anyone. The Feds have outsourced profiling efforts to businesses like Choicepoint, so you can't get FOIA satisfaction. You can't make Choicepoint tell you what they do with your information. You can't even SEE their records of you. Subscribe to "Soldier of Fortune" ? That might get you on a list of suspects. It WILL get you on multiple marketing lists. Every place you have lived, all kinds of crap, is easily accessible. In a couple of hours at most, a fairly full dossier can be compiled for a background check or whatever, without any field work at all. This talk went an extra HOUR, twice the scheduled time, and rolled right through the lunch break. Hardly anybody left.
VOIP (Voice Over IP) vulnerabilities - this stuff isn't news, nor did the speaker claim it was. What he did was demonstrate some exploits, like retrieving voicemail by spoofing CallerID. Some cell phone service providers use nothing but CallerID to authenticate access to voicemail. Well, VOIP software and even hardware allows the user to set the CallerID to whatever s/he wants. Duh.
Bridging - you can spoof SIP (Session Initiation Protocol) packets and set up an unsolicited conference call between two people, who will each think that the other person called them. The speaker passes out cards showing how to do this to women he meets in bars.
He played some audio of these exploits in action, and tied it to a computer model of sound processing in the brain. The model had nothing to do with the topic, but was kind of cool. He had a 3-D application showing activity in the "brain" during playback.
I attended the "Deep Knowledge Seminars", which were basically just regular presentations, but an extra day of them you have to pay for. I gambled and registered early to avoid a steep price increase. The gamble was that the lineup and topics weren't announced... it turned out ok. I found one presentation kind of useless, but the rest were good, including one I planned to skip. That was a consistent refrain: the things I was inclined to dismiss were pretty good.
One highlight: Dan Kaminsky is not a serious researcher - he's too busy laughing his ass off to qualify as serious. But he finds very interesting and hilarious stuff. For example, when notorious criminal hacker Sony Corp. overrode user/owner action and installed a rootkit when someone inserted a Sony music CD (something that should have seen prosecution), Kaminsky analysed DNS traffic to track the scope and spread of the infection. He chucked his scheduled presentation and showed a truly sick hack that requires a little explanation.
(Apologies if you already know this stuff.) DNS is the service that translates a host name, like www.mywebsite.com, to an IP address a computer can use to connect to. It uses small packets, intentionally limited. (If you get a large enough DNS response, the protocol specifies using a different approach than usual.) A covert channel is where someone creates a communication link through a protocol not intended for that purpose. For example, AIM and Yahoo Messenger (et al.) will try to use 'standard' ports to connect, but if they fail, will try to phone home using a port generally intended for web traffic. The reason is most networks allow web traffic, so you can use port 80 (assigned by the IANA(?) for HTTP, the web protocol). That's the simple model. More advanced covert channels will use the actual protocol, but take advantage of padding and the like to carry the secret information.
Anyway, Kaminsky abused the DNS protocol and stuffed streaming video into a covert channel. Because video is large, and DNS packets are small (by default), this is the most extreme case I can imagine. Anyway, Dan is someone to watch. Very, very smart guy on a staggering array of topics.
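As an added example (not from the original post, and not Kaminsky's code), here is the kind of check a defender can run over DNS query logs to spot a channel like the one described above: the carried data has to ride inside the query names, so a parent domain that receives many distinct, long, high-entropy subdomains stands out. The log lines, the example-tunnel.test domain and the thresholds are all constructed assumptions.

```python
# Added example: flag parent domains whose subdomains look like carried
# data (DNS tunnelling). Sample log lines below are constructed.
import math
from collections import defaultdict

# Constructed DNS query log, one "<client> <qtype> <qname>" per line.
SAMPLE_LOG = """\
10.0.0.5 A www.mywebsite.com
10.0.0.5 A mail.mywebsite.com
10.0.0.7 TXT 3q2x9vbz7k1m.p0l8s6d4f2g.example-tunnel.test
10.0.0.7 TXT 8h3j5k2l9m1n.z4x6c8v0b2n.example-tunnel.test
10.0.0.7 TXT q1w2e3r4t5y6.u7i8o9p0a1s2.example-tunnel.test
10.0.0.7 TXT d3f4g5h6j7k8.l9z0x1c2v3b4.example-tunnel.test
10.0.0.9 A www.mywebsite.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname: str):
    """Return (subdomain_part, parent_domain). Assumption: the last two
    labels are the registrable parent (no public-suffix list used)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def flag_tunnel_domains(log_text, min_unique=3, min_len=20, min_entropy=3.0):
    """Parent domains with >= min_unique distinct subdomain strings that
    are each long and high-entropy. Thresholds are illustrative only."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash
        sub, parent = split_name(parts[2])
        if len(sub) >= min_len and shannon_entropy(sub) >= min_entropy:
            per_domain[parent].add(sub)
    return sorted(d for d, subs in per_domain.items() if len(subs) >= min_unique)
```

Ordinary names like www.mywebsite.com never trip the check; in practice you would also watch query volume per client, since a video stream needs thousands of queries.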
It's not all serious stuff. There are massive parties and many of the participants regard drinking as a competitive event. After the Con, there were two trains north from San Diego. I was on the 8:20 PM train. I heard unconfirmed reports of drunk, large, hairy, naked guys from the con causing a ruckus on the 9:15 PM.
I'm pretty introverted and boring, and don't drink. So I didn't participate.
It was interesting to see folks I'd met elsewhere, some at LISA 2005.
I plan to go again. I'll have a new baby around then (if all goes well), but San Diego is a pretty awesome place to visit and I missed my family. So I'll try to bring them.