After reviewing the speaking schedule and event lineup this year I thought it would be helpful to mow down a path of ‘must-see’ interesting talks and events.  With 5 tracks and countless side events going on not to mention the line jockeying that will undoubtedly have to take place to even get into some of these talks, a loose but objective plan may prove useful yet again.

Full schedule: https://www.defcon.org/html/defcon-18/dc-18-schedule.html

Thursday, July 29th

1300 Capri Room 111 Go Go Gadget Python! : Introduction to Hardware Hacking

Events

2000 Top of the Riv – Penthouse Monaco Tower The Summit

Friday, July 30th

1000 Track 4 Welcome and Making the DEF CON 18 Badge

1100 Track 2 Cloud Computing, a Weapon of Mass Destruction?

1200 Track 1 DNS Systemic Vulnerabilities and Risk Management: A Discussion

1230 Track 5 Crawling BitTorrent DHTs for Fun

1300 Track 4 How Hackers Won the Zombie Apocalypse

1400 Track 4 Build your own UAV 2.0 – Wireless Mayhem from the Heavens!

1500 Track 2 Tales from the Crypto

1600 Track 4 VirGraff101: An Introduction to Virtual Graffiti

1700 Track 3 An Observatory for the SSLiverse

1800 Track 3 Bad Memories

1900 Track 4 Getting Root: Remote Viewing, Non-local Consciousness, Big Picture Hacking, and Knowing Who You Are

Saturday, July 31st

1000 Track 2 Exploiting SCADA Systems

1100 Track 2 Kim Jong-il and Me: How to Build a Cyber Army to Defeat the U.S.

1200 Track 5 Katana: Portable Multi-Boot Security Suite

1300 Track 3 Trolling Reverse-Engineers with Math: Ness… It hurts…

1400 Track 2 Wardriving the Smart Grid: Practical Approaches to Attacking Utility Packet Radios

1500 Track 5 My Life As A Spyware Developer

1600 Track 3 How to Hack Millions of Routers

1700 Track 1 Resilient Botnet Command and Control with Tor

1800 Track 4 Hacking with Hardware: Introducing the Universal RF Usb Keboard Emulation Device – URFUKED

1900 Track 1 You’re Stealing It Wrong! 30 Years of Inter-Pirate Battles

Events

2000 Contest Area Crash & Compile

2100 Track 1 Hacker Jeopardy

Sunday, August 1st

1000 Track 5 WiMAX Hacking 2010

1100 Track 5 Hardware Hacking for Software Guys

1200 Track 2 Powershell…omfg

1300 Track 1 How I Met Your Girlfriend

1400 Track 4 Breaking Bluetooth By Being Bored

1500 Track 2 Toolsmithing an IDA Bridge, Case Study For Building A Reverse Engineering Tool”

1600 Track 4 ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically

1700 Track 3 0box Analyzer: AfterDark Runtime Forensics for Automated Malware Analysis and Clustering

The interactive schedule is here: http://www.thenexthope.org/grid/. While most of the schedule appears to be 133t sc3ne topical, I took the liberty of highlighting some of the more ‘interesting’ talks:

Check for last minute updates and session discussions via IRC irc://irc.2600.net

Configuring the client is actually fairly straight forward and only requires the setting used to configure the Firewall VPN and a rudimentary understanding of IPSEC. The guidance within this article is simply mapping the VPN settings directly to the client configuration.

0) Open the NetScreen-Remote Security Policy Editor through the Start menu or by right clicking the task bar icon and selecting Security Policy Editor…

Remote Party Identity and Addressing

1) Create a new connection.  In this example I chose to call the connection ‘Home’.  Ensure that the “Remote Party Identity and Addressing” section matches the VPN Server “Phase 2 Proposals” Proxy-ID section.

Client Identity

2) Next, select “My Identity” and set the pre-shared key used when configuring the VPN Server.  You should also configure the “ID Type” under the ‘My Identity” section.  For the Dial-Up VPN the ID Type should be set to “Email Address” and should correspond to a user configured on the VPN Server within the “Remote VPN Group” (though this may be called something else).  The “Secure Interface Configuration” and “Internet Interface” sections can be left alone.

Security Policy

3) Next, select “Security Policy” and set the Phase 1 Negotiation Mode to “Aggressive Mode”.  (NOTE: “Main Mode” may also be selected for identity protection provided the server supports it.  The Juniper KB article shows Aggressive mode being selected.) It is important to note that the NetScreen VPN uses the Diffie-Hellman Group 2 Key Group.  Group 2 will also have to be selected within the Phase 1 proposal tab as well.  NetScreen also supports Replay Protection and Perfect Forward Secrecy (PFS) however these need to be enabled on the server side as well.

Authentication (Phase 1) and Key Exchange (Phase 2)

4) For the next two tabs “Authentication (Phase 1)” and “Key Exchange (Phase 2)” be sure to configure the proposals that line up with the VPN Server Phase1 and Phase 2 settings. Specifically align the Encryption Algorithms and the Hash Algorithms.

That should be about it.  The biggest mistake most people seem to make is matching the Proxy-ID IP Address and Subnet to the “Remote Party Identity” ID

The code works fresh from the box however, pay attention to Python’s preference for tabs:

class SMB2(SocketServer.BaseRequestHandler):
 def handle(self):
   print "Who:", self.client_address
   print "THANKS SDL"
   input = self.request.recv(1024)
   self.request.send(packet)
   self.request.close()

launch = SocketServer.TCPServer(('', 445),SMB2)
launch.serve_forever()

There really is nothing special that is required to make this work.  Executing the Python script will open a socket listening on TCP/445.  When the target attempts to access SMB services on the attacker, the target will hang.

I was not able to produce a BSOD and in some test cases the target was recovered once the SMB session was terminated.  NOTE: any SMB session connection will do, however as Laurent pointed out the ‘dir’ method is the easiest.

Just for grins, I captured the errant packet as it flew across the wire.  This is the encoded back from Laurent’s source in PCAP format decoded in Wireshark.

Why do we care?  How many organizations or even home users block egress SMB ?  Not many I’m certain.

The challenge is that both of these classification schemes require some degree of learning supervision to effectively classify this type of data.  The MLP NN uses the backpropagation algorithm for supervised training which generates a scaling factor to determine the error in each output node and influences nodes in previous or hidden layers accordingly.

In my supposed spare time, I plan on using the Matlab Neural Network Toolbox to implement both classifiers and compare their effective abilities to properly identify unique events of interest within a sample set of sFlow data.

Analysis of the Wireless Covert Channel Attack:
Carrier Frequency Selection: http://www.iu.hio.no/nik07/bidrag/Dyrkolbotn.pdf

A Dynamic Trust Model Based on Naive Bayes
Classifier for Ubiquitous Environments: http://uclab.khu.ac.kr/resources/publication/J_56.pdf

“The Rockefeller-Snowe initiative will carve a course for our country to embrace a 21st century national security policy that will protect and preserve American cyberspace,” said Snowe. “Uniquely designed to establish a fully integrated public-private partnership to coordinate cyber security efforts, this legislation will ensure we have many of the tools to target, isolate and effectively combat cyber-attacks in America.”

Many of the legislation proposals were based on recommendations of a landmark study last year by the Center for Strategic and International Studies:

• Create a National Cybersecurity Adviser in the Executive Office of the President
• Establish a National Cybersecurity Advisory Panel
• Adds regulatory requirements to ensure industry compliance
• Authority to shutdown computer networks in the event of a cyberattack
• Require NIST to establish “measurable and audit-able cybersecurity standards”
• Establish a 4-year cybersecurity review cycle of US cyber defense capabilities
• Implement comprehensive, real-time cybersecurity and vulnerability status of Federal IS
• Require the implementation of DNSSEC within 3 years
• Education standards for secure coding practices
• Establish Federal secure products and services acquisition board

The Rockefeller-Snowe effort having only been recently introduced, will likely pickup the recommendations from the 60-day Cyber Security study currently underway.  Given the focus of the study, the findings will likely build upon this effort and supersede this initiative.

Edit: Working draft of the bill can be found here:  Draft Cybersecurity Act 2009

The threat du jour as it were or even the threat of the year turned out to be just another April Fool’s computer threat.   I can’t figure it out, is it the large media outlets or is it the malware writers that have a love affair with April 1.  Perhaps a little of both.  There is an interesting exercise in Google there.

Like most things of this nature, once the pop culture media has elevated a topic to the top of the hype bubble, at least enough to ensure sufficient AD revenue, the story is either stale or so far out of the context of reality only those who the aliens at Hulu are after would be willing to entertain the story.  So by extension, pop media = Hulu = aliens?  Interesting.

I think the security industry as a whole is largely to blame for some of this.  Like an adolescent child, we’ve grown accustom to resorting to brute force tactics (re: tantrums) to get attention for the cause.  Now don’t get me wrong, the security profession as a whole has advanced to well beyond a respectable field but we continue to employ the FUD principle to justify our means.  Scare tactics like these are only useful for so long.  Eventually, the general populous will catch on and cry foul while these industry pundits continue to cry “WOLF!”   If I had the choice between having to justify funding or use scare tactics to ‘invoke’ attention, I choose the former.

Cudo’s the virus writers though, he/she/they did one hell of a job invoking a response; great diversionary tactic.  I wonder how much money was actually spent on “battleing Conficker” considering the invested human capital when we should have been focusing practical solutions that would have prevented the worm to begin with.