Last weekend I attended ShmooCon for the first time.
I enjoyed it, though it was more useful from a “street cred knowledge” standpoint than it was for developing enterprise-class security products. My favorite items were:
- The best work presented: “Credit card fraud: The contactless generation”: This talk demonstrated, using actual equipment and an actual volunteer from the audience, that it is possible to create a working credit card replica without ever having physical access to one of the new “contactless” RFID credit cards. Moreover, the foil sleeves that are supposed to prevent remote reading don’t work perfectly. This area of continuing work truly scares me, since the technology is being used by banks to shift responsibility for fraud onto the consumers. http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/
- “Inside Apple’s MDM Black Box”: The speaker has reverse-engineered the process by which MDM (mobile device management) traffic travels from an enterprise server, through Apple, to an iOS device; and demonstrated how third parties can build their own MDM devices instead of having to buy a big expensive product to do so.
- “A New Model for Enterprise Defense”: One of the IT folks at Intel (Toby Kohlenberg) is pushing a solution to the multiple-fidelities-of-application-access problem. Their main goal is to change access control decisions from a binary yes/no decision to a more nuanced approach based on “multilevel trust”. For example, the goal when a salesperson accesses corporate resources is:
  - From a coffee shop, they are limited only to viewing customer information and order status.
  - From a hotel room, they can modify orders and view pricing information, and all accesses are fully logged and audited.
  - From within a corporate site, they can modify customer information and change pricing information.

  The talk was about how Intel has started a long multi-year effort to try to achieve this vision. They’ve only just started, and unfortunately it seemed it would be a long time before their applications supported fine-grained access control.
- The announcement of www.routerpwn.com by a Mexican security researcher. The purpose of Routerpwn is to demonstrate just how easy it is to break the security on many common routers; for example, you click on a JavaScript link and enter an IP address and boom, you’ve reset the administrative password.
- My favorite talk: Brendan O’Connor presented work on building low-cost sensor/wifi devices that can be stealthily placed or launched-by-drone into a target environment of interest. (There’s nothing new about stealth placement, except he was able to make a workable device for $50, far cheaper than the usual $500 or $5000 devices.) He also announced that he won one of the DARPA cyber fast track awards. http://blog.ussjoin.com/2012/01/dropping-the-f-bomb.html