Toorcon '09

October 23rd-25th, San Diego

First non-Defcon con, and boy, was it amazing. A little backstory: I've been going to Defcon since DC 15, 2007. I've had a blast all three years, and was thrilled to be there among, this last year, 8,000 plus people. There are a few issues with large numbers of people in such a small area, though. The crowds are one of them, but even worse, someone you may meet one day, you might not see again over the weekend. Toorcon is quite a bit better, in both those regards. With no more than 150 people, a nice staff, and two small conference rooms, Toorcon is, in many respects, more enjoyable than Defcon. I saw the same people every day, made a few friends, and definitely enjoyed myself.



Of the twenty-six talks available, I went to seven (eight, if you include Kaminsky's talk on X.509, with which I'm not all that familiar), and I enjoyed all of them. I was also able to hit almost every one that I wanted to, except one or two, due to some last-minute schedule changes. The people were nice, the talks were great, and Toorcon reminded me why I go to these things.



A small recap of all the talks I went to. I'll do my best, but there are some spots where I'm a bit fuzzy; some of it either went over my head, or I was just too tired to fully grasp it. So no shame intended to any of the speakers.



Saturday

14:00

"Exploiting subdomain-based trust relationships on the web"

Mike Bailey

A simple talk, but it really brought attention to something that we all need to be looking for. Many times, organizations will either outsource or split up their use of web services to subdomains. These subdomain services have complete access to many things, such as being able to run JavaScript under that main domain, cookies, and Flash elements.

Take IMGS.BANK.COM for example: if imgs.bank.com is insecure (run by a third party, or just an insecure web application), it can be fatal to bank.com's security. If the imgs.bank.com subdomain application is vulnerable to such attacks as XSS or SQL Injection, it's very possible for imgs.bank.com to access bank.com's sandbox. Cookies may be protected (if configured correctly), but XSS would be difficult to handle, since imgs.bank.com has the same rights to bank.com as bank.com does.
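To make the "if configured correctly" point about cookies concrete, here is an added example (not from the talk or the original post) that audits Set-Cookie headers issued by bank.com and reports which cookies a browser would also send to imgs.bank.com. The function names and sample headers are constructed for illustration; the matching rules follow RFC 6265.

```javascript
// Added example: which cookies set by a parent site are exposed to a subdomain?
// RFC 6265: a cookie with a Domain attribute is sent to that domain and all of
// its subdomains; a cookie without one is host-only.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), domain: null, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    // A leading dot in Domain is ignored by browsers
    if (key === "domain") cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain matching (label boundary, not plain suffix)
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Would the browser send this cookie (set by settingHost) to requestHost?
function sentTo(cookie, settingHost, requestHost) {
  if (cookie.domain === null) return requestHost === settingHost; // host-only
  return domainMatches(requestHost, cookie.domain);
}

function auditCookies(settingHost, headers, subdomain) {
  return headers.map(parseSetCookie).map((c) => {
    const exposed = sentTo(c, settingHost, subdomain);
    return {
      name: c.name,
      sentToSubdomain: exposed, // visible to the subdomain's server
      scriptReadable: exposed && !c.httpOnly, // visible to document.cookie there
    };
  });
}

// Constructed sample headers, as if returned by bank.com
const SAMPLE_HEADERS = [
  "SESSIONID=abc123; Domain=bank.com; Path=/; Secure",
  "SESSIONID2=def456; Path=/; Secure; HttpOnly",
  "prefs=dark; Domain=.bank.com; HttpOnly",
];

console.log(auditCookies("bank.com", SAMPLE_HEADERS, "imgs.bank.com"));
```

Only the host-only cookie (no Domain attribute) stays out of the subdomain's reach; HttpOnly hides a domain-wide cookie from script but it is still sent to the subdomain's server.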

15:00

"The Frequency Hopping Spread Spectrum Story"

Rob Havelt

I'm not very familiar with this subject, but it was based around FHSS, which stands for Frequency-Hopping Spread Spectrum. Bluetooth is also based off of this. Basically it's on a frequency that's not easily accessible, but is only separated by the hardware layer.

16:00

"IP Video Attacks!"

Jason Ostrom & Arjun Sambamoorthy

This was by far the coolest demo I've ever seen. The ability to intercept and record Video IP and VoIP calls has been around for a while. This talk took it a step further. Not only can video be recorded and reviewed later, but feeds can now be displayed and listened to in real time – AND – a video source of your choice can be injected into that stream, either as a loop or a one-time playing!

The capabilities and repercussions of both these attacks are huge. Some examples:

17:00+

Lockpicking and chilling

I learned how to lock pick (sort of) and had some great conversations with people, and exchanged some business cards. It was great!

21:00

Party sponsored (partly) by “Microsoft”

Title pretty much says it. Microsoft partly sponsored a party for all the Con attendees. Everyone received entrance and a free drink to 'Mister Tiki Mai Tai Lounge' Saturday night. It was a whole lot of fun. Except for those under the age of 21, like myself. I did, however, eventually get in, by my ninja quick skills. Okay, I walked through the waist-level gate on the porch, and just said “yes” constantly to the guy that bugged me when he finally saw me. At least I made some friends with others under the age of 21 while we were trying to get in, so it was all good. Fun night of hanging out with everyone, played with some fancy camera equipment from Dan Tentler (@Viss).



Sunday

12:30

"portplexd"

Brandon Gilmore

A wonderful small tool, it's actually something that I've always thought would be cool to achieve. It's much easier to read the configuration than to explain how it works. http://code.google.com/p/portplexd/wiki/Configuration

13:00

"Breaking SWF and AMF"

Kartik Trivedi

A talk basically pushing the idea that SWF and AMF files may have more to them than meets the eye, and should be decompiled and examined.

13:30

"SMB/RPC scanning w/ Nmap"

Ron Bowes

A bit of Nmap kung-fu with Ron Bowes.

17:30

"Web Shells" "A bug does not always mean a vulnerability"

Dan Kaminsky, Brian "Red Beard", "Aestetix"

An impromptu talk about not jumping to conclusions.



An incredibly awesome Con. Very small, but it packed quite the punch, and I met quite a few people that I hope to see in the future.



I will always have time for Toorcon.