ToorCon Seattle (Beta) in Seattle was a new experiment by the ToorCon folks. It was essentially an informal and free invite-only conference, total attendance numbering around 150, with a single track of speakers each having 20 minutes to speak on their current (and potentially in-progress) research. The format was very similar to the format that the AHA! meetings take, so I was right at home speaking there. The conference talks were held on a single day, during the day, in a night club called the Last Supper Club.

The badges for this conference were really unique and interesting in that they looked like chocolate bars. The badges themselves were wrapped in a paper candy-bar wrapping themed after a Wonka bar, and the conference being invite-only, some of the bars had golden tickets in them which ensured your invite to next year’s conference. I don’t know what the ratio of bars with golden tickets to bars without were, but I was lucky enough to have gotten a bar with a golden ticket.

Finally, here are my comments for the various talks that I attended:

Automating Exploitation

Pusscat

I only saw the last half of this talk, however having hung out quite a bit with Pusscat prior to the conference I had a chance to discuss with her about the research prior to her presentation. Essentially, she’s been working on tools that help automate the exploit development process, such as loading an overflow buffer with recognizable cookie sequences so that when an overflow occurs, it is possible to automatically determine the address of the overflow, size of the overflow, and the offset needed for overwriting certain addresses like EIP based on finding the pre-loaded cookies in memory and calculating their distance from the buffer’s beginning.

Plastic Money, Plastic Trust: Why you should never trust a merchant with your credit card

Rodney Thayer

Rodney’s talk was all about the security implications of credit card use. He covered some of the basic known attacks such as waiters and bartenders who take your card for extended periods of time being able to swipe and record all of the data on the card and clone it later, as well as some of the legal issues such as merchant provider compliance.

Tits & Bits – The inside scoop of pr0n 2.0 content delivery

Matt Peterson

Having worked long ago for an ISP who catered mostly to “adult” websites, I was fairly interested in seeing how things had progressed in this industry since then. Matt Peterson talked briefly about bandwidth requirements of porn websites and then talked a bit about new methods of content delivery that allowed a content provider to display to the user specific frames of video from within a video and then allow the user to select start and end-points of what they wanted to see so that the server only had to serve up small sections of a larger video based on user interest.

Security Breaches are good for you, like a root calnal

Adam Shostack

This talk was some interesting case study information and statistics regarding security breaches being publicized and how they effected an entity’s stance in the market. The interesting bits here seemed to be that many times, publicly disclosing that you have had a security breach had little to no impact on whether or not customers continued to conduct business with you. Also, many corporate entities in countries that don’t require public disclosure of security breaches were doing so anyway, presumably the result of some form of morality.

Body Hacking – Functional Body Modification

Quinn Norton

Quinn is a journalist for Wired covering various technology topics, including body hacking. This was by far my favorite talk of the conference because I’m very interested in functional augmentation of the human body. At one point, Quinn had a small rare-earth magnet implanted in one of her ring fingers which, after a few months of training her brain, afforded her a kind of 6th sense regarding electromagnetic fields. For example, she could detect a hard drive spinning up in her laptop as she typed, or could tell a live telephone wire from a cold one. At some point though, things went terribly wrong when the bio-sheath protecting the magnet from her body breached and her body began to break down the magnet, eventually resulting in the magnet shattering inside her finger and loss of the 6th sense. A week or so prior to the conference she had the magnet removed, and this story was the beginning of her talk. She also covered a new EEG headset developed to be used as a video game controller, as well as some pharmaceuticals that have been recently developed that allow the user to forgo sleep and improve mental focus without any adverse side effects or potential for addictiveness. She noted that society tends to label some types of body modification, such as lasik surgery, as good, whereas others such as modification through pharmaceuticals that don’t “treat” an illness as bad.

Master Recon-Tool (Mr. T)

RSnake

RSnake presented a tool he’s working on that aggregates many types of web reconnaissance type tasks. Web stuff isn’t really my thing so I kinda tuned out…

Vulnerability Disclosure Panel Remix

Katie Moussouris

Katie recently joined Microsoft in their community outreach group. Her “talk” was essentially composed of running around the audience asking questions about vulnerability disclosure, responsible disclosure, for-profit disclosure, etc., which was an extension of a panel that she was either hosting or participating in at ShmooCon on the same subjects. As vulnerability disclosure practices are about as close as you can get to a religious debate other than what’s the “best” OS, and I tend to stay away from those (being perfectly comfortable in my own opinion), so I really don’t feel like stating an opinion on this talk.

A taxonomy & tool for automated vulnerability chaining and path discovery

Toby Kohlenberg

Toby pointed out that many vulnerabilities, when viewed individually, may not have much value, but in certain circumstances when leveraged together they become much more devastating than their individual components. He then went on to detail a taxonomy that he and a colleague developed for describing vulnerabilities that aided identifying these types of inter-vulnerability relationships. Unfortunately there is way too much work to be done in my opinion to build up this database of information before it can be effectively used for the purpose stated. However, he mentioned that he was in discussion with the OSVDB project about integrating his methods into the OSVDB description process, so perhaps there is some hope of getting there in the future. Personally I felt that the work was way to theoretical and academic in nature and wouldn’t be able to be applied practically.

Social networking sites: covert channels for Botnets

dr.raid & Postmodern

These guys presented some interesting things they had noticed when digging through the HTML output of various social networking sites like MySpace. Apparently, some botnets are using theses sites as command and control channels, some even through very odd looking syntax that mirrored the type of grammar used by social-networking site users like “OMG PLZ tell 4U!” They also presented some proof of concept code they developed to demonstrate the methods.

DisAsterisk

I)ruid

This was my talk. I briefly described the Asterisk extension module API, covered what we’ve developed so far in the fuzzing component of the module, and then covered our future goals for the project. I also spoke briefly about SteganRTP, my new research in using steganography with Real-time Transport Protocol. You can find my slide deck at the ToorCon Seattle (Beta) website.

Further Adventures in Visual Data Exploration

Dan Muthufukin Kaminsky

Building on his talk at ShmooCon, Dan demonstrated multiple methods for visually representing data, demoed a tool used to quickly identify repeated bytes of data in large volumes of code, and then explored a visual method for identifying repeated digits in audio-based CAPTCHA challenges using similar methods.

Ferret and the continuing adventures of Data Seepage: Web 2.0

David Maynor & Robert Graham

This talk was not well received at all… Basically, during all of the previous talks, the speakers were sniffing the wireless network being provided and used their Ferret data aggregation tool to grab a bunch of information on people using the network, i.e., the audience, and then dropped all of that information during their talk. Needless to say, there were many people who were not pleased. They also got heckled quite a bit because at the core of their talk, all the tool was really doing was sniffing unencrypted data on a shared medium, which is straight outta 1992. The only real benefit that they provided was the tool to make aggregating the sniffed information easier to read, which I don’t think the audience really saw much value in.

Memory Manager Attack and Defense

Richard Johnson

Richard works for Microsoft doing internal product security analysis. He first covered the differences and similarities between various OS’s heap management methods such as Windows, Linux glibc, the *BSD’s, and OpenBSD’s homegrown version. He then covered previous research and attacks against these methods, and finally drew some parallels between the various methods and described methods of protecting them.

After these talks there were a slew of 5-minute “lightning” talks, which I won’t cover in detail. I will however say that Chris Abad’s “Web 4.0” rant was by far the most amusing.