ShmooCon 2012 Review

The past weekend (January 28-29, 2012), several people from SeNet attended the 2012 ShmooCon security conference (www.shmoocon.org).  This is always an excellent conference and a great value at only $150 (if you can get a ticket).  Here is a list of some talks we attended, along with our comments.

  • A Blackhat’s Tool Chest: How We Tear Into That Little Green Man – Mobile security was a hot topic and there were several talks on this subject.  This talk focused on Android security.  It explained how to reverse-engineer mobile applications on Android and the speaker released a tool to make this process easier.  This is definitely something to check in the near future.
  • Java Backdoors and Cross-Framework Abuse – This was a somewhat technical talk on how to take advantage of Java archive files (JAR, WAR, EAR) in order to place backdoors and elevate privileges.  Although the subject matter was not ground-breaking, it did provide a clear picture on this attack.  The speaker was very knowledgeable; however, his presentation style was not very dynamic.
  • Introduction to Near Field Communication (NFC) Mobile Security – NFC is on the horizon and with it comes a lot of features to help the end user.  The first portion of the presentation was an overview of NFC, the standards, and the specifications.  This part was a little dry but the second part, which included a demonstration of some of the attacks, was quite interesting.  As this technology becomes more widely deployed in the United States, we should keep this topic in mind when it comes to security.
  • OPFOR Works Both Ways: How Offense and Defense Must Train Each Other – This presentation explained how an organization’s incident response team and penetration testing team should work together to train each other.  It also noted that penetration testing has moved away from its original purpose: testing a system like an attacker.  Currently, so much scoping and so many rules go into a penetration test that it is not a true simulation of an actual attack.  I agree that there can be significant costs associated with penetration testing.  Often, companies do not want to pay for the level of effort that truly simulates what attackers are doing.  To increase the value of penetration testing, there must be a balance between the two focus levels.
  • Credit Card Fraud: The Contactless Generation – This was a very interesting talk that focused on credit cards with built-in Near Field Communication (NFC). Rather than swiping the card, these credit cards now have built-in chips that allow the user just to put them close to the card reader and the card is charged accordingly. Although the communication between the card and the reader is encrypted, the communication between the reader and the attached computer via serial port is not and can be captured easily since it is in clear-text format. The presenters then demonstrated that process. They were able to capture the card information and clone the credit card information to another blank card using a magnetic card reader/writer that they got from eBay. Then, they were successful conducting online shopping with the cloned card.
  • Inside Apple's MDM Black Box – This talk focused on how Apple’s Mobile Device Management (MDM) system works.  As more and more people want to bring their mobile devices (iPads, iPhones, etc.) into the network infrastructure, mechanisms must be in place to manage these devices.  The speaker talked about how and what MDM can do.  He also released his own tool that can manage these devices using the same technology, with some limitations.  He also discussed security weaknesses (primarily Man-in-the-Middle [MITM] attacks in the MDM architecture) that he uncovered as part of his research.
  • What is a Name – This talk replaced the talk that was supposed to be given on smart meters.  (Apparently, the utility company upon which the original speakers based their research did not want the presentation given at the time.)  In any event, this talk was very interesting and entertaining.  The speaker did some cool research and, using some DNS tools, was able to create a database of the entire Internet located here (https://www.deepmagic.com/ptrs/).  This information should be very useful for reconnaissance and some other purposes.
  • Whack-a-Mobile: Getting a Handle on Mobile Testing with MobiSec Live Environment – This talk was given by the always-entertaining Kevin Johnson.  I find the best talks to be those that not only have useful information but also engage the audience.  He released a testing framework (MobiSec) for mobile platforms.  The tool was based on research that was funded by DARPA Cyber Fast Track Program; now, the plan is to make it an OWASP project.   This research should make the examination and testing of these devices and applications easier as this project develops.

Overall, it was a great conference and SeNet is looking forward to returning next year.

Gus Fritschie, Rehan Bashir, and Roey Katz