Today, February 7, was the final day of ShmooCon 2010, “Snowpocalypse 2010” as some fans have called it. Twenty inches of snow in Washington, DC, didn’t stop dedicated fans from attending this year’s annual ShmooCon East coast hacker convention.
This three day event located at the Wardman Park Marriott, Washington DC, USA, was packed full of intense, fast tracked presentations demonstrating technology vulnerabilities and exploitation, software and hardware solutions, and open discussions of critical information security issues.
ShmooCon 2010 Contests and More
The Hacker Arcade, ShmooCon’s, “high-tech version of Chuck-E-Cheese,” was in its fifth year. With prizes for gamers and contest entrants, competitors arrived at ShmooCon with a host of innovative games they had developed to enter into the competition and to share with other gamers. Regarding Hack-or-Halo, ShmooCon wrote, “For those not in the know, Hack-or-Halo is a ShmooCon exclusive, the very best hacking-plus-gaming competition in the world.” The TF2 Lan Party featured a TF2 Tourney revolving around Team Fortress 2 (TF2 Official Blog), plus a team oriented Cheater Tourney to see who writes the best gaming cheat code.
Blackberry Mobile Spyware
In his presentation, “Blackberry Mobile Spyware – The Monkey Steals the Berries,” Tyler Shields focused on spyware used as a tool to steal personal and private data from computers and mobile devices like the Blackberry Mobile and others. Shields explained how the spyware is typically installed on unsuspecting users’ computers and mobile phones where it can monitor, capture, log, and depart with data targeted by an attacker.
Shields introduced “TXSBBSpy,” spyware source code used by security researchers to assist the development of security mechanisms. See the links below for the full source code, video of a proof-of-concept BlackBerry spyware package developed by Tyler Shields, and the slides shown at ShmooCon.
- Slides: Blackberry Mobile Spyware (PDF).
- TXSBBSpy Demo by Tyler Shields at Veracode Research Lab.
- Source: txsBBSpy.java download.
The Friendly Traitor: Our Software Wants to Kill Us
During this presentation, Kevin Johnson and Mike Poor, focused on examples using features of client applications. They explained that SWF has wide-spread support, and ActionScript adds powerful feature sets that can be used for cross domain attacks.
Johnson and Poor used a simple Python “scanner script” to demonstrate an attack using these basic steps: read the Alexa Top 1 million domains list, compare the domain to the Google Safe List and discard if not listed, and retrieve and parse crossdomain.xml.
Back to the Glass House
Jim Manley, discussed advanced USB malware during his presentation, “Back to the Glass House.” The propagation of traditional USB malware is very viral: infecting every computer users access, traveling and infecting computers across geographic boundaries, and transferred by users as they access separate wireless networks.
Cracking the Foundation: Attacking WCF Web Services
Brian Holyfield made hacking WCF Web Services look easy. During his talk about HTTP/S proxies and MC-NBFS, Holyfield pointed out that there was limited support for MC-NBFS/MSBin1 in most common proxy tools. He suggested Richard Berg’s Fiddler Binary XML Inspector for reading binary XML messages.
When talking about MetaData over SSL, Holyfield reminded the audience that the default Visual Studio template does not provide for an “s” at the end of http. During the remainder of the presentation, Holyfield demonstrated leveraging MetaData for manual testing using WcfTestClient, which automatically parses WSDL or MEX. WcfTestClient ships with Visual Studio 2008+. In addition, Holyfield discussed WCF Storm, which supports most WCF bindings. See the links below for resources and downloads.
Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications
Michael Sutton discussed, “Security Risks in the Next Generation of Offline Web Applications.” Two main topics of interest were Google Gears and HTML5. Sutton said that Google did not intend to compete with HTML5, however, Google did develop Google Gears as a web application. In 2007, Google dropped “Google” from the name so that Gears might attract a wider audience.
Gears has three main components: a local web server, a full relational database, and a client side database. Sutton continued with a detailed demonstration of a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting and client-side SQL injection.
Better Approaches to Physical Tamper Detection
The last presentation of the day and ShmooCon 2010, was “Better Approaches to Physical Tamper Detection,” by Roger Johnston and Jon Warner. The importance of physical security is often over looked especially when it comes to fail safes for tamper protection. To some extent, this could be because physical tamper detection is easily defeated; some might say, why bother with it?
Johnston and Warner provided the audience with a better alternative referred to as the anti-evidence method. They demonstrated the method using prototype anti-evidence seals and real-time monitors. They cited the work by the Vulnerability Assessment Team (VAT) at Argonne National Laboratory. They described the VAT as a “Multidisciplinary team of physicists, engineers, social scientists, and hackers who conduct vulnerability assessments and develop novel approaches to security.”
Day Three Closing Comments
It has been another exciting day at the ShmooCon 2010 East coast hacker convention at the Wardman Park Marriott, Washington DC, USA. Be sure to check back here at InfosecEvents for our upcoming post, “ShmooCon 2010 Wrap Up.” See you then!