The ToorCon organization puts on some of the best conferences in my opinion, and this last weekend was version 1.0 of their Seattle conference (beta was last year, which I also attended). Friday night was entirely 5-minute lightning talks and then Saturday was entirely 20-minute turbo talks. Sunday was workshops, which unfortunately I could not attend since I had to fly back to Austin mid-day. Last year was invite only and if you were there last year you received a coupon code for a discounted rate this year ($300), otherwise it was a little expensive to attend ($1000). Overall there were a number of excellent speakers with excellent content.
Due to the sheer number of talks (and I did see all of them), I’ll only cover the ones I found most interesting below:
I was the very first talk of the lightning talk track. I spoke about my handle, it’s origin, why it’s spelled funny with that close parenthesis, and the benefits of that particular character over the past 18 years or so that I’ve been known by that handle. I also covered a few case studies of the systems it’s broken entirely on it’s own such as the BlackHat USA 2006 registration system and a ShmooCon Arcade game called “Slash’Em!”
This was interesting because I’m a phone person and didn’t have time to actually do the challenge last year at DEFCON. I didn’t realize just how much effort they put into putting the challenge together, and if they do it again at this year’s DEFCON I’ll most likely participate. It was an interesting mix of hardware and software from lineman’s butt-sets to Asterisk for the core of the system.
This was a quick overview of lottery scratch-off cards and how to determine before playing if you have a winning ticket or not. The talk covered techniques such as back-lighting, re-applying the scratch medium, and various printing properties that can give away status such as vibrancy of the inks throughout the print run, sharpness of the paper cut, and printing errors.
Shyama spoke about her new role as a project manager and some interesting observations about geek and hacker-type people. She then went on to describe her approach to managing those types of people because of the traits observed.
Travis quickly covered some of the interesting things he had found while reverse engineering a hardware traffic light controller for compatibility purposes. Some of the things covered were the firmware, predictable static locations in memory where certain values resided, access to the device, etc.
This was an interesting overview of a project which I can best describe as a distributed application framework. The applications in question are referred to as “seeds” and each seed type has different capabilities and purpose. The one demonstrated called “Blue Seed” was like a network monitor which could track network hosts by MAC address. These seeds communicated back with the central monitoring and control component, “contempt”, where you could instruct and configure the seeds. The first thing that came to mind when listening was it’s Metasploit analog, the Meterpreter.
Justin spoke about a collectible card game he’s working on which deals with the subject matter of hacking and security. As a gamer for life, and as an amateur game designer myself, I totally intend to get involved with this project. … As soon as I figure out how to contact Justin.
While not technical, I found this very interesting as I have a lot of friends who practice Yoga and I’ve been meaning to study it a bit myself. Ken covered three Yoga poses which can deal directly with issues that hacker types face such as carpal tunnel syndrome and ADD.
Joel described an amplification DoS vulnerability he accidentally found in IAX while trying to write a soft-phone last year. I remember the advisory on the vulnerability when it came out and it was one of the biggest amplification ratio’s I had seen in quite a long time, something like 1,000 to 1 amplification in the response.
This was an interesting walk-through of reversing a crackme application that dealt with finding the code paths, identifying anti-reversing/anti-debugging code in the crackme app, and reversing out the function that verified the serial numbers that the app took as input. Once identified, valid serial numbers could be generated that would satisfy the crackme’s input requirements. I found this very interesting as it’s something I’m actively learning how to do better and improve my skills at.
This was probably my favorite talk of the entire conference. Adam described the process of hijacking a core from a multi-core system and using that core entirely outside of the context of the original running operating system. This type of technique could be extremely useful for rootkitting systems and staying out of view of anti-virus and other system protections.
Aaron Portnoy & Cameron Hotchkies
Aaron and Cameron discussed some problems with using IDA while reverse engineering and presented some scripts that they have developed for solving some of those problems. I was very interested in this as well as I’m actively attempting to improve my skills with IDA and I regularly experience some of the annoyances they were talking about.
TProphet took us on a trip down memory lane about phone phreaks, free conferences, and noteworthy busts of those involved, then compared to the current state of the Phreak now with VoIP in the mix and how some things never really change all that much.
I always really enjoy Quinn’s talks, she’s an excellent speaker, really gets the audience’s attention and involvement, and actually makes you think. I can’t say I saw anything new in this presentation though, it was essentially a condensed version of her usual talk on body modification, self improvement, and body augmentation, although this time the focus seemed to be on mental programming and pharmaceuticals, likely due to the time constraint.
This was probably my second favorite talk of the conference. While fairly high-level and a bit on the side of methodology/process rather than technical, it was still extremely relevant and easily applied to many aspects of vulnerability and exploit development. Essentially, Matt described the current state of software protection systems like the GS flag, ASLR, non-executable stacks, etc. and how they are impacting the usefulness of generic exploitation techniques. He then went on to propose a methodology for ranking or categorizing information systems and software based on how exploitable they would be if a vulnerability were present, using the presence or absence of various aforementioned protection systems and other factors as part of the weighting system. This allows a vulnerability researcher to focus on parts of software where, if a vulnerability is found, it is more likely to be exploitable.
On a completely different subject than what he usually talks about, Richard relayed his recent journey through learning all about audio formats and streams, weaveforms, etc. while developing a Guitar Hero or Rock Band type interface for learning a real instrument rather than playing with a game peripheral. Further, he covered a bit of applying the data modeling and parsing techniques he learned to general information stream processing like packet data or data files.
Raven has been doing network backbone security research for quite a while now. Her talk was essentially discussing some of the various protocols found within the backbone, how they broke down to their data fields, and which fields were ripe for targeting with fault injection and fuzzing techniques. I always find it interesting when people are discussing lower-layer networking protocols like these.
divide showcased some web resources for the Washington State area where you could do things like make the association between a automobile license plate and a vehicle’s VIN, the owner’s name and address, birthdate, etc., and generally build a profile of a person from some easily observable data about them. I can’t say this was anything new to me, since we’ve been doing this in Texas (and other states) for years using sites like PublicData, although his point was well received that as more and more of this information and the systems managing it goes online and becomes available to the public this type of information gathering is only going to become more and more prevalent and continually easier.
This was probably my third favorite talk of the conference. Karsten made crypto analysis easily understandable to the crypto-layperson unfamiliar with deep mathematics (like me!) and described the process of breaking apart cryptosystems into their components and attacking the weaker components individually and brute forcing the stronger ones when possible. He also outlined a class of tools that help you do this and specifically talked about his favorite one, MiniSAT.