Sunday, August 20, 2006

Defcon 14 in Vegas

Defcon had its 14th year in Las Vegas just a few weeks back (specifically August 4 – 6). I haven’t attended for a few years. The old Defcon had gotten too glitzy and commercial. It had lost the juvenile antics and outlaw spirit, becoming another commercialized security fest, with slick marketing-like presentations lacking in technical substance. No more Mylar balloons launched over Area 51.

I decided to attend this year mainly because I felt I was losing my edge in technical security issues. My employer is going through fits regarding our training budget, so the $80 registration fee was something I could easily swallow.

After many years at the Alexis Park, Defcon moved to the Riviera. It’s a larger hotel, with a full-on casino (unlike the Alexis Park, which distinguished itself as the one place in Vegas with no gambling, hence friendly to the under-18 set). The hotel was OK as far as accommodations were concerned. It was on the chintzy side of the strip, though a reasonable walk to the better hotels. The layout of the hotel was very confusing – it took me the full 2 days before I could figure out how to get from point A to point B. I also found the staff to be a bit on the surly side.

I was very pleasantly surprised at the conference presentations. Defcon has made the full transition to a professional security conference very well. The speakers were all well prepared, spoke well, and presented valuable topics in a comprehensible fashion. No more swaying drunks trying to talk about PBX hacking.

Here are the sessions I attended with a short summary for each:

  • Visual Log Analysis – The Beauty of Graphs (Raffael Marty) – Different visual styles for presenting firewall logs, basically tree maps (node-to-node) and bar-charts (leveled breakdown by protocol, with cell size proportional to number of events). He really likes Afterglow for parsing logs and providing them in a standard format for GraphViz or LGL to display.

  • 802.1x Networking (tommEE pickles) – Tutorial on how to build a small secured wireless access system, including use of RADIUS for authentication.

  • Evolving Art of Fuzzing (Jared DeMott) – Very good stuff on software quality assurance in general, and specific issues with fuzzing. Notes the trade-off between random tests and total test time (lots of random cases mean testing will take a lot longer). A big issue is how to know when the application is “broken” by input. For example, running the app in a debugger will give you useful information, but the debugger itself changes how the application responds (e.g., to timing attacks).

  • IBM Networking Attacks (Martyn Ruks) – Looks at Datalink Switching (DLSw) as a means of attacking large IBM mainframes. DLSw is a method for encapsulating SNA in IP. Very good intro, could be used as a tutorial in SNA.

  • Secure Cloaking and Anonymous Services (Michael Rash) – A lot about Tor and how to combine it with single packet authentication.

  • Fun with 802.11 Device Drivers (Johnny Cache) – Showed a video of a machine being rooted via a vulnerable 802.11 device driver. Nothing a firewall can possibly do about this attack, as it occurs at layer 2. Scary stuff.

  • UNCLASSIFIED Information Sharing with Non-Traditional Partners (Linton Wells) – The straight guy in the group. He gave a very polished talk on DoD humanitarian initiatives, ending with a pitch for Defcon attendees to join up and become part of the DoD team.

  • Corporate Network Spying (Andrew Whitaker) – Very basic Hacking 101. Nice summary of methods for attacking switched networks. I only stayed for the first hour.

  • Traffic Analysis Panel (Jon Callas, moderator) – Think your encrypted communications will keep you safe? Think again. An amazing amount of information can be inferred from traffic analysis, and there is no feasible way to mask traffic patterns given the current Internet. Typing patterns can reveal what you are saying, even if you use SSH.

  • Graphical Representations of Security Relationships: Awesome or Bullshit? (Foofus) – Awesome graphical representations are simple and illustrate a specific useful relationship. Bullshit presentations are complex and impossible to read.

  • Phishing Tips and Techniques: Tackle, Rigging, and How & Where to Phish (Peter Gutmann, all the way from New Zealand) – Server certs mean nothing. Most Web users have absolutely no clue about what they mean. Users are trained by bad software to ignore security warnings, and US banks are miserable when it comes to securing their own Websites. A successful phish should skip the server cert and just make a nice fancy dynamic Web page that looks just like a real bank’s.
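The log-to-graph pipeline from Marty’s Visual Log Analysis talk, as an added Python example that is not code from the talk or from the Afterglow project: it parses constructed iptables-style firewall log lines (the sample lines and the field regex are my assumptions) into source-to-destination edges, emits a GraphViz DOT link graph whose edge weight grows with event count, and builds the per-protocol breakdown a treemap would size its cells from.

```python
import re
from collections import Counter

# Constructed sample: iptables-style firewall log lines, not from any real system.
# The last line is deliberately malformed to show that unparseable records are skipped.
SAMPLE_LOG = """\
Aug  5 10:01:02 fw kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Aug  5 10:01:03 fw kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443
Aug  5 10:01:04 fw kernel: IN=eth0 OUT= SRC=10.1.1.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22
Aug  5 10:01:05 fw kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=198.51.100.3 PROTO=UDP SPT=5353 DPT=53
Aug  5 10:01:06 fw kernel: malformed line with no fields
"""

# Assumed field layout for the sample above; real logs may need a different pattern.
FIELD_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) .*?DPT=(\d+)")


def parse_edges(log_text):
    """Return a Counter of (src, dst, proto, dport) -> event count, skipping bad lines."""
    edges = Counter()
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue  # malformed or unrelated record: leave it out rather than guess
        src, dst, proto, dport = m.groups()
        edges[(src, dst, proto, int(dport))] += 1
    return edges


def protocol_breakdown(edges):
    """Leveled breakdown proto -> dport -> events; a treemap sizes cells by these counts."""
    tree = {}
    for (_, _, proto, dport), n in edges.items():
        tree.setdefault(proto, Counter())[dport] += n
    return tree


def to_dot(edges):
    """Emit a GraphViz DOT link graph; edge label and pen width reflect the event count."""
    lines = ["digraph firewall {", "  rankdir=LR;"]
    for (src, dst, proto, dport), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{proto}/{dport} x{n}", penwidth={n}];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_LOG)
    print(to_dot(edges))            # pipe into: dot -Tpng -o fw.png
    print(protocol_breakdown(edges))
```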
