"Discover what you don't have the foggiest idea… ".


Transcripts
Slide 1

“Find out what you don’t know…”

Slide 2

Agenda
Introduction
To disclose or not to disclose
What is Defcon
Defcon 12 Presentations
The Future
Questions

Slide 3

Introduction
Who am I?
What am I doing here?
What are we discussing?

Slide 4

To disclose or not to disclose…
Vulnerability disclosure
A long-running debate
Most security organizations have a formal disclosure policy:
CERT/CC - http://www.cert.org/kb/vul_disclosure.html
Microsoft - http://www.microsoft.com/technet/security/release/policy.mspx
@Stake - http://www.atstake.com/research/approach/
They provide different levels of information
But how much information should be provided?

Slide 5

What is Defcon?
One of several “underground” conferences:
Defcon (Aug) Las Vegas, NV
Toorcon (Sep) San Diego, CA
PhreakNIC (Oct) Nashville, TN
HOPE (Jul) New York, NY

Slide 6

What is Defcon?
“Defcon is a convention for the more ‘underground’ elements of the computer community. Defcon is geared towards hackers, programmers, phreaks, cyberpunks, cypherpunks, open source hackers, civil liberty and privacy advocates, HAMs, casual onlookers, lookieloos, feds, reporters, and anyone interested in seeing what's going on in the computer underground today.” – www.defcon.org

Slide 7

Defcon 12 Presentations
A few starting points:
This presentation is only the tip of the iceberg
Over 70 presentations at Defcon
Look at examples of presentations that affect:
Securing Workstations
Passwords
Trouble on the Internet
Personal Responsibility

Slide 8

Defcon 12 Presentations: Securing Workstations
Black Ops of TCP/IP 2004, Dan Kaminsky
DNS – Domain Name System – converts human-readable names into IP addresses
DNS tunneling – allows communication through a covert channel (the data rides inside the query names themselves, so any host that can resolve names can talk to the attacker's name server)
Many interesting uses of, and issues with, the protocol
http://www.defcon.org/images/defcon-12/dc-12-presentations/Kaminsky/dc-12-kaminsky.ppt
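The DNS tunneling point deserves a concrete picture. The block below is an added example written for this summary, not code from the Kaminsky talk: it encodes a payload into query names under an assumed attacker-controlled zone (t.example.com, constructed), decodes it the way the zone's authoritative server would, and then runs a simple detector over constructed resolver-log lines. The log format ("client qname qtype"), the zone, the three-label zone assumption and the thresholds are all assumptions made for the example.

```python
"""DNS tunnelling in miniature, and a detector for it.

Added example for the DNS-tunnelling point above; it is not code from the
Kaminsky talk. The zone t.example.com and the query-log lines are constructed.
"""
import base64
import math
from collections import Counter, defaultdict

ZONE = "t.example.com"   # assumed attacker-controlled zone (constructed)
MAX_LABEL = 63           # RFC 1035: a label is at most 63 octets
MAX_NAME = 253           # RFC 1035: a whole name is at most 253 characters in text form


def encode_queries(payload: bytes, zone: str = ZONE, labels_per_query: int = 2) -> list[str]:
    """Client side of the covert channel.

    DNS names are case-insensitive and restricted to letters, digits and '-',
    so the payload is base32-encoded, cut into 63-character labels, and each
    query gets a sequence label (s0, s1, ...) so the receiver can reassemble
    it in order. The data travels in the question section of an
    ordinary-looking query for a name under the attacker's zone.
    """
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    step = labels_per_query * MAX_LABEL
    names = []
    for seq, start in enumerate(range(0, len(b32), step)):
        piece = b32[start:start + step]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        name = ".".join([f"s{seq}", *labels, zone])
        if len(name) > MAX_NAME:
            raise ValueError("query name exceeds 253 characters")
        names.append(name)
    return names


def decode_queries(names: list[str], zone: str = ZONE) -> bytes:
    """Server side (the authoritative name server for the zone): strip the
    zone, order by sequence label, restore base32 padding and decode."""
    pieces = {}
    for name in names:
        if not name.endswith("." + zone):
            raise ValueError(f"{name} is not under {zone}")
        labels = name[: -len(zone) - 1].split(".")
        pieces[int(labels[0][1:])] = "".join(labels[1:])
    b32 = "".join(pieces[k] for k in sorted(pieces)).upper()
    b32 += "=" * (-len(b32) % 8)        # b32encode output is always a multiple of 8
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def is_tunnel_like(name: str, max_label: int = 30, min_entropy: float = 3.0) -> bool:
    """Detection heuristic: real hostnames have short, low-entropy labels,
    encoded data has long, high-entropy ones. The registrable zone is taken
    to be the last three labels (an assumption that fits the sample, not a
    public-suffix lookup)."""
    sub_labels = name.lower().split(".")[:-3]
    if not sub_labels:
        return False
    if max(len(label) for label in sub_labels) > max_label:
        return True
    sub = "".join(sub_labels)
    return len(sub) >= 20 and shannon_entropy(sub) >= min_entropy


def flag_log(log_lines: list[str]) -> dict[str, list[str]]:
    """Run the heuristic over 'client qname qtype' lines (a constructed log
    format); return suspect names grouped by client."""
    hits = defaultdict(list)
    for line in log_lines:
        client, qname, _qtype = line.split()
        if is_tunnel_like(qname):
            hits[client].append(qname)
    return dict(hits)


def sample_log() -> list[str]:
    """Constructed resolver log: benign lookups plus one exfiltrated line."""
    secret = b"root:x:0:0:root:/root:/bin/bash\n"
    tunnel = [f"10.0.0.7 {q} TXT" for q in encode_queries(secret)]
    benign = [
        "10.0.0.5 www.google.com A",
        "10.0.0.5 mail.example.org MX",
        "10.0.0.6 cdn-a1b2c3.images.example.net A",
    ]
    return benign + tunnel


if __name__ == "__main__":
    for client, names in flag_log(sample_log()).items():
        print(f"{client}: {len(names)} tunnel-like queries, e.g. {names[0]}")
```

The label-length rule alone catches this sample; the entropy rule is there for tunnels that keep labels short, and in practice both are combined with a per-zone count of distinct subdomains, since a tunnel generates thousands of never-repeated names under one zone.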

Slide 9

Defcon 12 Presentations: Securing Workstations
The Insecure Workstation – The Results of Poorly Defined and Deployed Group Policies, by Deral Heiland
Windows group policies are not bulletproof
Misconceptions:
If I can’t get around it, it must be secure
They aren’t hackers, they won’t figure out a way around it
So they break out of it, that doesn’t matter (there is nothing important there)
http://www.defcon.org/images/defcon-12/dc-12-presentations/Heiland/dc-12-heiland-up.ppt

Slide 10

Defcon 12 Presentations: Passwords
MySQL Passwords – Password Strength and Cracking, by Devin Egan
How to crack MySQL passwords
Why? For auditing.
Best practices for MySQL passwords
http://www.defcon.org/images/defcon-12/dc-12-presentations/Egan/dc-12-egan.ppt
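To make the “how” and the “why” concrete, here is an added example, not code from the Egan talk: MySQL 4.1's PASSWORD() scheme, an unsalted SHA1(SHA1(password)), audited offline against a small wordlist plus the mutations an auditor always tries, followed by the strength rules that would be reported back. The accounts, wordlist and suffix list are constructed; the hash format is the one MySQL documents for 4.1 and later, where PASSWORD('mypass') is *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4.

```python
"""Offline audit of MySQL 4.1+ password hashes against a wordlist.

Added example for the Egan talk summary above, not the talk's own code.
The accounts, wordlist and suffixes are constructed; the hash format is
MySQL's documented PASSWORD() scheme for 4.1 and later.
"""
import hashlib
from typing import Iterable, Iterator

SUFFIXES = ("1", "123", "2004", "!")     # cheap mutations real audits try (assumed list)


def mysql41_hash(password: str) -> str:
    """PASSWORD() in MySQL 4.1+: '*' + upper-case hex of SHA1(SHA1(password)).
    There is no salt, so one candidate hash is valid for every account."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mutations(words: Iterable[str]) -> Iterator[str]:
    """Each word, its capitalised form, its reverse, and all of those with a suffix."""
    for w in words:
        base = (w, w.capitalize(), w[::-1])
        yield from base
        for b in base:
            for s in SUFFIXES:
                yield b + s


def audit(accounts: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """accounts maps user -> hash as stored in mysql.user.Password.

    Because the hashes are unsalted, the wordlist table is built once and
    looked up for every account; only user-name-derived guesses are per user.
    Returns user -> recovered password for the accounts that fell.
    """
    table = {mysql41_hash(c): c for c in mutations(wordlist)}
    found = {}
    for user, stored in accounts.items():
        stored = stored.upper()
        if stored in table:
            found[user] = table[stored]
            continue
        for candidate in mutations([user]):
            if mysql41_hash(candidate) == stored:
                found[user] = candidate
                break
    return found


def strength_problems(password: str) -> list[str]:
    """The 'best practices' side: what the audit reports for a weak choice."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    return problems


WORDLIST = ["password", "mypass", "letmein", "mysql"]   # constructed


def sample_accounts() -> dict[str, str]:
    """Constructed mysql.user rows (user -> Password column)."""
    return {
        "root":   mysql41_hash("mypass"),
        "webapp": mysql41_hash("Webapp2004"),
        "backup": mysql41_hash("k7#Rz!q2Lm9$wV"),
    }


if __name__ == "__main__":
    for user, pw in audit(sample_accounts(), WORDLIST).items():
        print(f"{user}: {pw!r} recovered; problems: {strength_problems(pw)}")
```

The lesson the audit makes visible is that the scheme's weakness is not SHA1 but the missing salt: the wordlist table is computed once and reused across every account and every server, which is why long, multi-class passwords (and accounts that are not reachable from the network at all) are the actual defence.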

Slide 11

Defcon 12 Presentations: Trouble on the Internet
Mutating the Mutators – Metamorphic computer viruses, Sean O’Toole
A “how-to” for making a virus harder to detect
Pseudo code given in the presentation
http://www.defcon.org/images/defcon-12/dc-12-presentations/OTool/dc-12-otool.ppt

Slide 12

Defcon 12 Presentations: Trouble on the Internet
Far More Than You Ever Wanted To Tell – Hidden Data in Document Formats, by Maximillian Dornseif
The problem: the formats of data files can be complex, and they are getting more complex
This problem is not limited to just MS Office data files
Other formats such as HTML, JPEG and many others have issues
http://md.hudora.de/presentations/2004-BlackHat/HiddenData-LV.pdf
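As an added illustration of the JPEG case (not Dornseif's code), the block below walks a JPEG's marker structure, reports the APPn and COM segments that carry EXIF, XMP, Photoshop and comment data, and writes a copy without them. The sample file is constructed by hand with placeholder image segments: it exercises the marker walk, including byte stuffing and a restart marker inside the scan, but is not a decodable picture. Keeping APP0 (JFIF) and APP14 (Adobe) is a choice made here because some decoders read them; which APP segments are safe to drop is an assumption to check per decoder.

```python
"""Walk a JPEG's marker segments to list the metadata that travels with it
(APPn and COM segments: EXIF, XMP, Photoshop data, comments) and strip it.

Added example for the hidden-data point above, not Dornseif's own code. The
JPEG is constructed by hand: the image segments are placeholders, enough for
the marker walk, not a decodable picture.
"""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0, APP15 = 0xE0, 0xEF
STANDALONE = {SOI, EOI, 0x01, *range(0xD0, 0xD8)}   # markers without a length field
STUFFED = {0x00, *range(0xD0, 0xD8)}                # FF00 stuffing and RSTn inside scan data
NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDB: "DQT", 0xDD: "DRI",
         SOS: "SOS", COM: "COM", SOI: "SOI", EOI: "EOI"}
KEEP_APP = {APP0, 0xEE}   # JFIF and Adobe APP14 influence decoding; keep them (assumption)


def marker_name(marker: int) -> str:
    if APP0 <= marker <= APP15:
        return f"APP{marker - APP0}"
    return NAMES.get(marker, f"0x{marker:02X}")


def segments(data: bytes):
    """Yield (marker, start, end) for each segment; data[start:end] is the raw
    segment including its FF xx marker, its length field and, for SOS, the
    entropy-coded scan that follows the SOS header."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos, n = 0, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill bytes may pad before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            if marker == EOI:
                return
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if marker == SOS:
            # Scan data has no length field. Inside it 0xFF is always followed
            # by 0x00 (byte stuffing) or a restart marker D0-D7, so the first
            # 0xFF followed by anything else is the next real marker.
            while end + 1 < n:
                if data[end] == 0xFF and data[end + 1] not in STUFFED:
                    break
                end += 1
        yield marker, pos, end
        pos = end
    raise ValueError("truncated JPEG: no EOI")


def hidden_data(data: bytes) -> list[tuple[str, int, bytes]]:
    """(name, payload size, first 16 payload bytes) for every APPn/COM segment."""
    out = []
    for marker, start, end in segments(data):
        if APP0 <= marker <= APP15 or marker == COM:
            payload = data[start + 4:end]
            out.append((marker_name(marker), len(payload), payload[:16]))
    return out


def strip_metadata(data: bytes) -> bytes:
    """Copy every segment except COM and the APPn segments decoders do not need."""
    out = bytearray()
    for marker, start, end in segments(data):
        if marker == COM or (APP0 <= marker <= APP15 and marker not in KEEP_APP):
            continue
        out += data[start:end]
    return bytes(out)


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def sample_jpeg() -> bytes:
    """Constructed file: an EXIF block, a comment, placeholder DQT/SOF0, and a
    scan containing an FF00 stuffed byte and a restart marker."""
    return (b"\xff\xd8"
            + _seg(0xE1, b"Exif\x00\x00MM\x00\x2a" + b"\x00" * 20)
            + _seg(COM, b"Shot by alice at 221B Baker St")
            + _seg(0xDB, b"\x00" + bytes(64))
            + _seg(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
            + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
            + b"\xff\xd9")


if __name__ == "__main__":
    for name, size, preview in hidden_data(sample_jpeg()):
        print(f"{name}: {size} bytes, starts {preview!r}")
```

Two things the walk shows that a text search for "Exif" does not: the metadata is found by structure (so a renamed or binary block is still reported), and the scan data is skipped by the stuffing rule rather than by searching for FFD9, which is what keeps a progressive file with several scans from being mis-parsed.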

Slide 13

Defcon 12 Presentations: Trouble on the Internet
Credit Card Networks Revisited: Penetration in Real-Time, by Robert Imhoff-Dousharm
“This interactive demonstration will give hands-on experience in understanding and watching credit card traffic on TCP/IP networks. It will also demonstrate how to deconstruct, reconstruct and transmit rogue credit card packets. If that wasn't already enough, prizes will be given out to those who can craft and transmit rogue packets by the end of the discussion. My intentions and direction will show how vulnerable credit card data is on merchant networks.”
http://www.defcon.org/images/defcon-12/dc-12-presentations/Imhoff-Duncan/dc-12-imhoff-duncan.ppt
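The defender's half of that exercise, as an added example that is not from the talk: scan captured payloads for plaintext card numbers, using the Luhn check and brand prefixes so that not every 16-digit run is reported. The payloads are constructed; the pipe-separated "authorization" sample is an assumed layout, not a real ISO 8583 message.

```python
"""Find plaintext card numbers (PANs) in captured payloads.

Added example for the Imhoff-Dousharm talk summary above, not the talk's
own code. It does the auditor's side of the exercise: recognise card data
crossing the wire, with a Luhn check so plain digit runs are not reported.
The payloads are constructed, not captured.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not part of
# a longer digit run (a 20-digit run is deliberately not matched at all)
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

BRANDS = (("American Express", ("34", "37")),
          ("Mastercard", tuple(str(p) for p in range(51, 56))),
          ("Visa", ("4",)),
          ("Discover", ("6011", "65")))


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand(digits: str) -> str:
    for name, prefixes in BRANDS:
        if digits.startswith(prefixes):
            return name
    return "unknown"


def mask(digits: str) -> str:
    """Keep the BIN (first 6) and last 4, the form PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(payload: bytes) -> list[tuple[str, str]]:
    """Return (brand, masked PAN) for each Luhn-valid card number in payload."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((brand(digits), mask(digits)))
    return hits


def sample_payloads() -> dict[str, bytes]:
    """Constructed TCP payloads of the kind seen on a merchant LAN."""
    return {
        "http-post": b"POST /pay HTTP/1.0\r\n\r\ncard=4111111111111111&exp=1205&cvv=123",
        "authorization": b"0200|378282246310005|000000001999|840",   # assumed pipe layout
        "typo": b"card=4111-1111-1111-1112",                         # fails Luhn
        "order-id": b"order=1234567890123456 status=OK",              # 16 digits, fails Luhn
        "phone": b"tel=2025550123",                                   # too short
    }


def scan_all(payloads: dict[str, bytes]) -> dict[str, list[tuple[str, str]]]:
    """Payload name -> findings, for the payloads that contain any."""
    return {name: find_pans(p) for name, p in payloads.items() if find_pans(p)}


if __name__ == "__main__":
    for name, findings in scan_all(sample_payloads()).items():
        print(f"{name}: {findings}")
```

The regex refuses to match inside a longer digit run on purpose: a 19-digit field directly followed by more digits is far more often a timestamp or record id than a PAN, and a false positive in a sniffer that reports card data is expensive. The same two checks, Luhn plus brand prefix, are what a data-loss-prevention filter applies before it blocks traffic.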

Slide 14

Defcon 12 Presentations: Personal Responsibility
Bluesnarfing – The risk from digital pickpockets, by Adam Laurie, Martin Herfurt
Bluesnarfing first reported by A L Digital, November 2003
‘Snarf’ – network slang for ‘taking an unauthorized copy’
Copying data via Bluetooth, including phonebook, calendar, IM and pictures
http://www.defcon.org/images/defcon-12/dc-12-presentations/Laurie-Herfurt/dc-12-laurie-herfurt.zip

Slide 15

Defcon 12 Presentations Personal Responsibility

Slide 16

Defcon 12 Presentations: Personal Responsibility
Attacking Windows Mobile PDAs, by Seth Fogie
Inherently lacking in security
Contain sensitive data:
Passwords
Names/Addresses/Phone Numbers
Credit Card Information
Proprietary business data
Personal email
Business email
http://www.defcon.org/images/defcon-12/dc-12-presentations/Fogie/dc-12-fogie.pdf

Slide 17

The Future
Security will continue to be a challenge
How much security is enough?
Cost vs. protection
Is it working?
Preparing for the unknown
Never underestimate the threat
KNOWLEDGE is the key
Defcon 13 – July 29-31, 2005

Slide 18

Questions?

Slide 19

Links
Defcon http://www.defcon.org/
Defcon Media Archive http://www.defcon.org/html/links/defcon-media-archives.html
The Sound of Knowledge http://www.tsok.net/tape