ShmooCon 2014

Last weekend, from 17 to 19 January, ShmooCon was held in Washington, DC. A number of different topics were covered in great talks, and we want to give you a short overview of the conference. In the following, our favorite talks are briefly summarized.

Privacy Online: What Now?
Ian Goldberg, one of the designers of the OTR protocol, gave the keynote on the first day. His talk was quite interesting and he presented some really nice approaches, one of them being an attack against PGP. He described the attack as follows: an attacker copies a key server by downloading all the stored keys. Once this is done, the attacker creates new key pairs with exactly the same settings as the downloaded keys. The third step is to recreate all the signing links between the new keys as they exist on the real key server. Finally, the attacker uploads these new keys, including the signing links, to the original key server.
Now, in case Alice wants to retrieve the public key of Bob, Alice would find two keys with seemingly identical properties. If she chooses the wrong key for encryption, the message can be deciphered by the attacker and, in a MitM situation, read. Furthermore, if Alice then signs the “mirror key”, the cloned keys and the original would merge, resulting in further problems.
This was just one consideration discussed in Goldberg’s talk. For the full content, watch the recording, which will be available soon on the ShmooCon page.
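The symptom of the key-cloning attack described above is that a lookup for one user ID returns several keys with different fingerprints. The following is an added example (not from the talk or from any PGP project) that flags such collisions in the colon-separated listing format of `gpg --list-keys --with-colons` and accepts a key only when its full fingerprint matches one obtained out of band; the listing, the user IDs and the fingerprints are constructed sample data.

```python
"""Detect PGP keys that share a user ID but differ in fingerprint, and
enforce out-of-band fingerprint pinning instead of picking by user ID."""
from collections import defaultdict

# Constructed sample of `gpg --list-keys --with-colons` output (not real keys).
# The two "Bob" keys mimic the attack: same user ID, same creation timestamp,
# different fingerprints. Carol's key has no clone.
SAMPLE_LISTING = """\
pub:u:2048:1:AAAA1111BBBB2222:1389600000:::u:::scESC::::::23::0:
fpr:::::::::1111222233334444555566667777888899990000:
uid:u::::1389600000::HASH1::Bob Example <bob@example.org>::::::::::0:
pub:u:2048:1:CCCC3333DDDD4444:1389600000:::u:::scESC::::::23::0:
fpr:::::::::0000999988887777666655554444333322221111:
uid:u::::1389600000::HASH2::Bob Example <bob@example.org>::::::::::0:
pub:u:2048:1:EEEE5555FFFF6666:1389700000:::u:::scESC::::::23::0:
fpr:::::::::ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD:
uid:u::::1389700000::HASH3::Carol Example <carol@example.org>::::::::::0:
"""


def parse_keys(listing):
    """Return [(primary_fingerprint, [user ids])] from colon-format output."""
    keys = []
    expect_fpr = False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            expect_fpr = True          # next fpr record belongs to this primary key
        elif f[0] == "fpr" and expect_fpr:
            keys.append((f[9], []))    # field 10 (index 9) holds the fingerprint
            expect_fpr = False         # fpr records after "sub" lines are ignored
        elif f[0] == "uid" and keys:
            keys[-1][1].append(f[9])   # field 10 (index 9) holds the user ID
    return keys


def find_collisions(listing):
    """Map each user ID that appears on more than one key to its fingerprints."""
    by_uid = defaultdict(set)
    for fpr, uids in parse_keys(listing):
        for uid in uids:
            by_uid[uid].add(fpr)
    return {uid: sorted(fprs) for uid, fprs in by_uid.items() if len(fprs) > 1}


def select_pinned(listing, uid, pinned_fpr):
    """Return the key whose fingerprint matches the one verified out of band, else None."""
    wanted = pinned_fpr.replace(" ", "").upper()
    for fpr, uids in parse_keys(listing):
        if uid in uids and fpr.upper() == wanted:
            return fpr
    return None
```

Any non-empty result from `find_collisions` is a reason to stop and verify the fingerprint with Bob over another channel rather than picking either key.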

You Don’t Have the Evidence
Scott Moulton gave an introduction to forensics and data recovery tools. The most important point he wanted to emphasize is that when encountering damaged files, many forensic tools have no ability to deal with the damage and quit, crash, or worse. This is where data recovery tools have the advantage: they can handle nearly any kind of error when reading data from a hard drive. Data recovery imaging tools have some very advanced functions and capabilities for imaging damaged hard drives and damaged sectors that forensic tools are incapable of finishing. He also mentioned some alternative tools for imaging a hard drive, for example dcfldd or ddrescue.

Large Scale Network and Application Scanning
This was a really nice and entertaining talk. Robert David Graham has written a cool tool called “masscan” which is able to scan the entire Internet in a really short time.
While giving the talk, Paul McMillan started a scan on TCP port 5900, widely used for VNC. The scan took only twelve minutes! Furthermore, he implemented a nifty feature: if the tool gets a response from a scanned IP, it connects to the VNC server and checks for authentication. If there is none, it takes a screenshot and saves the information into a text file. The results were published and are, well, quite interesting; here is one example:
[Figure: VNC example screenshot]
Besides this, several “control screens” from various systems came up, including two screens with NCR branding. The first round of VNC scanning last autumn actually included some results related to public infrastructure and a pool control with an “empty acid tank” button. Notifying the responsible admins led to “diverse” responses, too.
If you would like to test the tool yourself, you can get it from GitHub.

In the second part of the talk, Alejandro Caceres presented his distributed web application vulnerability search engine called PunkSPIDER, which is based on PunkSCAN, a web app vulnerability scanner.

Despite the diversity of the talks and the different backgrounds of the speakers, a general consensus was present during ShmooCon:
Governmental surveillance cannot be completely prevented, but it can be made as hard as possible.
Protocols developed for the Internet in the future should never transmit data in plaintext. In addition, all applications should always support security features like encryption and perfect forward secrecy. In case a user has the option to activate or deactivate encryption, it should always be the default setting. However, most of the time enforcing encryption is the better choice, as users tend to make debatable decisions…
With this in mind, future programs and protocols will hopefully be more secure and at the same time lead to more privacy on the Internet.

Overall, ShmooCon 2014 was a really cool event. Besides these talks, many more nice activities were offered, like the ShmooCon Labs or the Wireless CTF.
If some of you would like to view the recordings of the talks, they will be published within 60 days on the ShmooCon website.

See you,
the ERNW ShmooCon Crew (Heinrich, Dominik, Brian, Hendrik)