“find out what you don’t know…”


Upload: jacqueline-simon

Post on 03-Jan-2016



TRANSCRIPT

“Find out what you don’t know…”

Agenda

Introduction
To disclose or not to disclose
What is Defcon
Defcon 12 Presentations
The Future
Questions

Introduction

Who am I? Why am I here? What are we talking about?

To disclose or not to disclose…

Vulnerability disclosure
– Long running debate
– Most security companies have a formal disclosure policy
  CERT/CC - http://www.cert.org/kb/vul_disclosure.html
  Microsoft - http://www.microsoft.com/technet/security/bulletin/policy.mspx
  @Stake - http://www.atstake.com/research/policy/
– Provide various levels of information
– But how much information should be provided?

What is Defcon?

One of many different “underground” conferences:

Defcon (Aug) Las Vegas, NV

Toorcon (Sep) San Diego, CA

PhreakNIC (Oct) Nashville, TN

HOPE (Jul) New York, NY

What is Defcon?

Defcon is a convention for the more "underground" elements of the computer culture. Defcon is geared towards hackers, programmers, phreaks, cyberpunks, cypherpunks, open source hackers, civil liberty and privacy advocates, HAMs, casual bystanders, lookieloos, feds, reporters, and anyone interested in seeing what's going on in the computer underground today.

– www.defcon.org

Defcon 12 Presentations

A few starting points:
– This presentation is just the tip of the iceberg
– Over 70 presentations at Defcon

Look at examples of presentations that affect:
– Securing Workstations
– Passwords
– Trouble on the Internet
– Personal Responsibility

Defcon 12 Presentations – Securing Workstations

Black Ops of TCP/IP 2004
– Dan Kaminsky

DNS – Domain Name System – converts human readable names into IP addresses

DNS tunneling – allows communication via a covert channel

Many interesting uses/issues with the protocol
http://www.defcon.org/images/defcon-12/dc-12-presentations/Kaminsky/dc-12-kaminsky.ppt
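The slide above only names DNS tunneling as a covert channel. The following is an added, defender-side example (not from Kaminsky’s talk or this deck) that scores a constructed DNS query log for the trace a tunnel leaves in resolver logs: repeated queries to one zone whose leftmost label is long and high-entropy, which is what encoded payload looks like. The log format, the last-two-labels zone approximation and the thresholds are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log (epoch, client IP, queried name, qtype); not real traffic.
SAMPLE_LOG = """\
1099872000 10.0.0.5 www.example.com A
1099872001 10.0.0.5 mail.example.com MX
1099872002 10.0.0.7 a3f9c1e02b7d4e6f8a1c9d0e2f4b6a8c.t.exfil-test.invalid TXT
1099872002 10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t.exfil-test.invalid TXT
1099872003 10.0.0.7 1f2e3d4c5b6a79880716253443526170.t.exfil-test.invalid TXT
1099872003 10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.t.exfil-test.invalid TXT
1099872004 10.0.0.5 cdn.example.com A
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character: hex payloads approach 4, base32 approaches 5, words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def registered_domain(name: str) -> str:
    """Crude last-two-labels approximation of the zone a tunnel server would control."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def score_queries(log_text, min_label_len=24, min_entropy=3.0, min_queries=3):
    """Map zone -> (queries, max leftmost-label entropy, suspicious queries) for flagged zones."""
    per_zone = defaultdict(lambda: [0, 0.0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        qname = m.group(3)
        stats = per_zone[registered_domain(qname)]
        label = qname.split(".")[0]  # an encoded payload, if any, rides in the leftmost label
        ent = shannon_entropy(label)
        stats[0] += 1
        stats[1] = max(stats[1], ent)
        if len(label) >= min_label_len and ent >= min_entropy:
            stats[2] += 1
    # a zone is flagged only when enough queries look like payload, not on one odd name
    return {z: tuple(s) for z, s in per_zone.items() if s[2] >= min_queries}
```

Long CDN or anti-spam hostnames can also score high on a single query, which is why the per-zone count threshold matters more than any one label.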

Defcon 12 Presentations – Securing Workstations

The Insecure Workstation – The Results of Poorly Defined and Deployed Group Policies
– By Deral Heiland

Windows group policies are not bullet proof

Misconceptions
– If I can’t get around it, it must be secure
– They aren’t hackers; they won’t figure out a way around it
– So they break out of it. That doesn’t matter (there is nothing important there)

http://www.defcon.org/images/defcon-12/dc-12-presentations/Heiland/dc-12-heiland-up.ppt

Defcon 12 Presentations – Passwords

MySQL Passwords – Password Strength and Cracking
– By Devin Egan

How to crack MySQL passwords
Why? For auditing.
Best practices for MySQL passwords
http://www.defcon.org/images/defcon-12/dc-12-presentations/Egan/dc-12-egan.ppt

Defcon 12 Presentations – Trouble on the Internet

Mutating the Mutators – Metamorphic computer virus
– Sean O’Toole

“How-To” make a virus harder to detect
Pseudo code given in the presentation
http://www.defcon.org/images/defcon-12/dc-12-presentations/OTool/dc-12-otool.ppt

Defcon 12 Presentations – Trouble on the Internet

Far More Than You Ever Wanted To Tell – Hidden Data in Document Formats
– By Maximillian Dornseif

The problem – the format of data files can be complex, and it is getting more and more complex

This problem is not limited to MS Office data files
– Other formats such as HTML and JPEG, as well as many others, have problems

http://md.hudora.de/presentations/2004-BlackHat/HiddenData-LV.pdf

Defcon 12 Presentations – Trouble on the Internet

Credit Card Networks Revisited: Penetration in Real-Time
– By Robert Imhoff-Dousharm

“This interactive demonstration will give first hand experience in understanding and searching out credit card traffic on TCP/IP networks. It will also demonstrate how to deconstruct, rebuild and transmit rogue credit card packets. As an added bonus, prizes will be handed out to those who can craft and transmit rogue packets by end of speech. My incentives and guidance will illustrate how vulnerable credit card data is on merchant networks.”

http://www.defcon.org/images/defcon-12/dc-12-presentations/Imhoff-Duncan/dc-12-imhoff-duncan.ppt

Defcon 12 Presentations – Personal Responsibility

Bluesnarfing – The risk from digital pickpockets
– By Adam Laurie, Martin Herfurt

Bluesnarfing
– First publicized by A L Digital, November 2003
– ‘Snarf’ – network slang for ‘taking an unauthorized copy’
– Copy data via Bluetooth, including phonebook, calendar, IM and images

http://www.defcon.org/images/defcon-12/dc-12-presentations/Laurie-Herfurt/dc-12-laurie-herfurt.zip

Defcon 12 Presentations – Personal Responsibility


Attacking Windows Mobile PDAs
– By Seth Fogie

Intrinsically lacking in security
Contain sensitive information
– Passwords
– Names / Addresses / Phone Number
– Credit Card Information
– Proprietary business information
– Personal email
– Business email

http://www.defcon.org/images/defcon-12/dc-12-presentations/Fogie/dc-12-fogie.pdf

The Future

Security will continue to be a challenge
– How much security is enough?
– Cost vs. protection
– Is it working?
– Preparing for the unknown

Never underestimate the threat
KNOWLEDGE is the key

Defcon 13 – July 29-31, 2005

Questions?

Links

Defcon
– http://www.defcon.org/

Defcon Media Archive
– http://www.defcon.org/html/links/defcon-media-archives.html

Sound of Knowledge
– http://www.tsok.net/tapelist.tpl?_wsConference_Codedatarq=2000-DEFCON&ac=DEFCON