ShmooCon 2010The ShmooCon 2010 East coast hacker convention is a three day event at the Wardman Park Marriott, Washington DC, USA. This years’ annual ShmooCon convention started at 12:30 p.m. EST, Friday, February 5, 2010, and according to the ShmooCon 2010 Schedule, will end around 2:00 p.m. EST, Sunday, February 7, 2010.

The central theme for day one was “One Track Mind,” a single track consisting of seven 30-minute speed talks. Day two and day three will each present three tracks: Break It!, Build It!, and Bring It On!

You don’t have to be there to see ShmooCon 2010. ShmooCon will be live streaming the entire event this year. See ShmooCon Live Streaming Video for video titles and links. After day one opening remarks by Bruce Potter, the ShmooCon 2010 “turbo” talks were underway.

GPU vs. CPU Supercomputing Security Shootout

GPU vs. CPU Supercomputing Security Shootout, by Collin Brack. There was no debating the facts and figures Brack showed the audience illustrating the processing power of multi-processor GPGPU (General Purpose Graphics Processing Unit) technology over the processing power of the general purpose CPU. For certain computational tasks, low cost, high performance GPU technology has found its way into the world of supercomputing and the information security industry.

After a brief mention about Nvidia’s CUDA versus competing GPU technologies from ATI and OpenCL, Brack presented GPU verus CPU benchmarks of security tools including aircrack (10x speed-up), Pyrit (8x), CUDA Multiforcer, BarsWF MD5 cracker (3x), RainbowCrack multi-GPU CUDA version, and others. Brack emphasized results obtained with Pyrit, a GPU cracker for attacking WPA/WPA2 PSK protocols.

Sometime before ShmooCon 2010, Brack had submitted code modifications to the Pyrit svn. Using Pyrit 0.2.5-svn r208 on his MacBook Pro Core 2 Duo 2 2.5Ghz computer with precomputed tables, Brack recorded the results at about 300,000 keys per second; with his code modifications in Pyrit r209, Brack achieved about 1,000,000 keys per second. With more than three times greater performance, Pyrit r209 seems like a viable alternative.

Information Disclosure via P2P Networks

Larry Pesce and Mick Douglas presented, “Information disclosure via P2P networks: Why stealing an identity via Gnutella is like clubbing baby seals.” Larry and Mick started their presentation with a few stories about arrests of persons accused of identity theft. They shared with the audience an interesting collection of files, images, and other finds that they acquired by way of their own experiments; experiments conducted to determine how hard or easy it would be to obtain information from P2P file sharing sites. Wow, what a collection: Turbo Tax returns complete with social security numbers, bank routing numbers and account numbers, identification cards and drivers licenses, passports, and some entertaining stuff from . . . Paris Hilton’s P2P file sharing network.

Larry and Mick mentioned that next generation P2P will include encrypted traffic. However, until then, think twice about what you might actually be sharing across P2P file sharing networks. Some users might think they signed up on a P2P network to share music files, yet unknowingly have left there entire hard drive open for the taking. The remainder of this presentation was primarily about The Cactus Project, which is a “tool intended to be used for all sorts of purposes on the Gnutella bases P2P network.”

Windows File Pseudonyms

In his presentations, “Windows File Pseudonyms,” Dan Crowley discussed some interesting quirks in path and filename routines found in Windows systems. Pointing out that, “One file can be referred to with many different filepaths; some are well known, and some are not,” he proceeded to show examples of what lesser known ways would be most apt to subvert security mechanisms.

As Crowley began with DOS 8.3 naming conventions, he went on to show that file type may be determined based on user input in cases where the extension is determined by what follows the last dot. Examples of equivalent file paths were provided; discarding trailing characters, paths given Windows shell: file.txt, file.txt….., file.txt/././././file.txt/././././“>file.txt/././././. and more. DOS special device files, CON, PRN, and COM1. The possibilities were seemingly endless.

Although not practical for use against NTFS, Crowly did provide live demonstrations showing how these quirks can be used to “bypass filters and access control mechanisms, evade IDS detection, alter the way that files are handled and processed, and make brute force attacks to enumerate files easier.”

Keynote – Closing the TLS Authentication Gap

Keynote – Closing the TLS Authentication Gap, by Steve Dispensa and Marsh Ray. When discovered in late 2009, the SSL and TLS Authentication Gap vulnerability was a serious vulnerability involving how web servers use SSL and TLS. The flaw allowed an active man-in-the-middle attacker to inject arbitrary content into an encrypted data stream.

Dispensa and Ray described the TLS Authentication Gap as representing “One of the most complex security disclosure processes in recent years.” They discussed the discovery of the flaw, provided a technical overview and demonstrations, and then discussed the rationale and lessons learned in coordinating the disclosure.

Day One Closing Comments

“One Track Mind,” a single track consisting of seven 30-minute speed talks, covered an array of interesting information security topics. We look forward to the next two days’ ShmooCon 2010 presentations. That’s it for now. It looks like attendees are on their way to this evenings’ “Hack or Halo Practice.”