{"id":10,"date":"2012-01-30T17:36:50","date_gmt":"2012-01-30T22:36:50","guid":{"rendered":"http:\/\/jlg.name\/blog\/?p=10"},"modified":"2012-11-06T16:37:37","modified_gmt":"2012-11-06T21:37:37","slug":"shmoocon-2012","status":"publish","type":"post","link":"http:\/\/jlg.name\/blog\/2012\/01\/shmoocon-2012\/","title":{"rendered":"ShmooCon 2012"},"content":{"rendered":"<p>Last weekend I attended ShmooCon for the first time.<\/p>\n<p>I enjoyed it, though it was more useful from a \u201cstreet cred knowledge\u201d standpoint than it was for developing enterprise-class security products.\u00a0 My favorite items were:<\/p>\n<ol>\n<li>The best work presented:\u00a0 \u201cCredit card fraud: The contactless generation\u201d: \u00a0This talk demonstrated, using actual equipment and an actual volunteer from the audience, that it is possible to create a working credit card replica without ever having physical access to one of the new \u201ccontactless\u201d RFID credit cards. \u00a0Moreover, the foil sleeves that are supposed to prevent remote reading don\u2019t work perfectly.\u00a0 This area of continuing work truly scares me, since the technology is being used by banks to shift responsibility for fraud onto the consumers.\u00a0 <a href=\"http:\/\/www.forbes.com\/sites\/andygreenberg\/2012\/01\/30\/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets\/\" target=\"_blank\">http:\/\/www.forbes.com\/sites\/andygreenberg\/2012\/01\/30\/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets\/<\/a><\/li>\n<li>\u201cInside Apple\u2019s MDM Black Box\u201d:\u00a0 The speaker has reverse-engineered the process by which MDM (mobile device management) traffic travels from an enterprise server, through Apple, to an iOS device; and demonstrated how third parties can build their own MDM devices instead of having to buy a big expensive product to do so.<\/li>\n<li>\u201cA New Model for Enterprise Defense\u201d:\u00a0 One of the IT folks at Intel (Toby Kohlenberg) is pushing a solution to the multiple-fidelities-of-application-access problem.\u00a0 Their main goal is to change access control decisions from a binary yes\/no decision to a more nuanced approach based on \u201cmultilevel trust\u201d.\u00a0 For example, the goal is when a salesperson accesses corporate resources:<strong> From a coffee shop<\/strong>, they are limited only to viewing customer information and order status.<strong>\u00a0 From a hotel room<\/strong>, they can modify orders and view pricing information, and all accesses are fully logged and audited.<strong>\u00a0 From within a corporate site, <\/strong>they can modify customer information and change pricing information.\u00a0 The talk was about how Intel has started a long multi-year effort to try to achieve this vision.\u00a0 They\u2019ve only just started, and unfortunately it seemed it would be a long time before their applications supported fine-grained access control.<\/li>\n<li>The announcement of <a href=\"http:\/\/www.routerpwn.com\" target=\"_blank\">www.routerpwn.com<\/a> by a Mexican security researcher.\u00a0 The purpose of Routerpwn is to demonstrate just how easy it is to break the security on many common routers; for example you click on a JavaScript link and enter an IP address and boom, you\u2019ve reset the administrative password.<\/li>\n<li>My favorite talk: Brendan O\u2019Connor presented work on building low-cost sensor\/wifi devices that can be stealthily placed or launched-by-drone into a target environment of interest.\u00a0 (There\u2019s nothing new about stealth placement, except he was able to make a workable device for $50, far cheaper than the usual $500 or $5000 devices.)\u00a0 He also announced that he won one of the DARPA cyber fast track awards.\u00a0 <a href=\"http:\/\/blog.ussjoin.com\/2012\/01\/dropping-the-f-bomb.html\">http:\/\/blog.ussjoin.com\/2012\/01\/dropping-the-f-bomb.html<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Last weekend I attended ShmooCon for the first time. I enjoyed it, though it was more useful from a \u201cstreet cred knowledge\u201d standpoint than it was for developing enterprise-class security products.\u00a0 My favorite items were: The best work presented:\u00a0 \u201cCredit card fraud: The contactless generation\u201d: \u00a0This talk demonstrated, using actual equipment and an actual volunteer [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/10"}],"collection":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/comments?post=10"}],"version-history":[{"count":4,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/10\/revisions"}],"predecessor-version":[{"id":13,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/posts\/10\/revisions\/13"}],"wp:attachment":[{"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/media?parent=10"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/categories?post=10"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/jlg.name\/blog\/wp-json\/wp\/v2\/tags?post=10"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}