
Find out what you don't know
Agenda

Introduction
To disclose or not to disclose
What is Defcon
Defcon 12 Presentations
The Future
Questions
Introduction

Who am I?
Why am I here?
What are we talking about?
To disclose or not to disclose

Vulnerability disclosure
Long running debate
Most security companies have a formal disclosure policy
CERT/CC - http://www.cert.org/kb/vul_disclosure.html
Microsoft - http://www.microsoft.com/technet/security/bulletin/policy.mspx
@Stake - http://www.atstake.com/research/policy/

Provide various levels of information


But how much information should be provided?
What is Defcon?

One of many different underground conferences:

Defcon (Aug) Las Vegas, NV
Toorcon (Sep) San Diego, CA
PhreakNIC (Oct) Nashville, TN
HOPE (Jul) New York, NY
What is Defcon?

Defcon is a convention for the more "underground" elements of the computer culture. Defcon is geared towards hackers, programmers, phreaks, cyberpunks, cypherpunks, open source hackers, civil liberty and privacy advocates, HAMs, casual bystanders, lookieloos, feds, reporters, and anyone interested in seeing what's going on in the computer underground today.
www.defcon.org
Defcon 12 Presentations

A few starting points:

This presentation is just the tip of the iceberg
Over 70 presentations at Defcon

Look at examples of presentations that affect:


Securing Workstations
Passwords
Trouble on the Internet
Personal Responsibility
Defcon 12 Presentations
Securing Workstations

Black Ops of TCP/IP 2004

Dan Kaminsky
DNS (Domain Name System) converts human-readable names into IP addresses
DNS tunneling allows communication via a covert channel
Many interesting uses/issues with the protocol
http://www.defcon.org/images/defcon-12/dc-12-presentations/Kaminsky/dc-12-kaminsky.ppt
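The talk points out that DNS can carry a covert channel; the defender's side of that is spotting it in resolver logs. The heuristic detector below is an added example written for this page, not material from the Kaminsky presentation: tunnels encode data in the query name, so a tunnelled domain shows many distinct subdomains whose labels are long and high-entropy. The input format (client, query name), the two-label "parent domain" approximation and the thresholds are assumptions to tune per environment.

```python
import hashlib
import math
from collections import defaultdict

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n)
                for c in {ch: s.count(ch) for ch in set(s)}.values())

def parent_domain(name, levels=2):
    """Approximate registered domain: the last `levels` labels (assumption;
    a public-suffix list would be used in production)."""
    return ".".join(name.rstrip(".").lower().split(".")[-levels:])

def query_features(name):
    """Longest label and entropy of the subdomain part (where a tunnel puts data)."""
    labels = name.rstrip(".").lower().split(".")
    payload = "".join(labels[:-2])
    return max(len(l) for l in labels), shannon_entropy(payload)

def find_suspect_domains(queries, min_label=30, min_entropy=3.0, min_unique=20):
    """Flag parent domains whose query stream looks like a covert channel:
    many distinct subdomains whose median query has a long, high-entropy label."""
    per_domain = defaultdict(set)
    for _client, qname in queries:
        per_domain[parent_domain(qname)].add(qname.lower())
    suspects = {}
    for dom, names in per_domain.items():
        if len(names) < min_unique:
            continue
        feats = sorted(query_features(n) for n in names)
        longest, entropy = feats[len(feats) // 2]
        if longest >= min_label and entropy >= min_entropy:
            suspects[dom] = {"unique_names": len(names),
                             "median_entropy": round(entropy, 2)}
    return suspects

# Constructed sample log: ordinary lookups plus hex-encoded "chunks" under
# t.example.org, derived from a counter so the run is reproducible.
NORMAL = [("10.0.0.5", n) for n in ("www.example.com", "mail.example.com", "cdn.example.net")] * 10
TUNNEL = [("10.0.0.9", hashlib.sha256(str(i).encode()).hexdigest()[:60] + ".t.example.org")
          for i in range(40)]

if __name__ == "__main__":
    print(find_suspect_domains(NORMAL + TUNNEL))
```

Repeated lookups of the same name are collapsed, so a busy CDN domain with a handful of hostnames does not trip the unique-name threshold.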
Defcon 12 Presentations
Securing Workstations

The Insecure Workstation

The Results of Poorly Defined and Deployed Group Policies
By Deral Heiland
Windows group policies are not bulletproof
Misconceptions:
If I can't get around it, it must be secure
They aren't hackers, they won't figure out a way around it
So they break out of it. That doesn't matter (there is nothing important there)
http://www.defcon.org/images/defcon-12/dc-12-presentations/Heiland/dc-12-heiland-up.ppt
Defcon 12 Presentations
Passwords

MySQL Passwords
Password Strength and Cracking
By Devin Egan
How to crack MySQL passwords
Why? For auditing.
Best practices for MySQL passwords
http://www.defcon.org/images/defcon-12/dc-12-presentations/Egan/dc-12-egan.ppt
Defcon 12 Presentations
Trouble on the Internet

Mutating the Mutators

Metamorphic computer virus
Sean O'Toole
How to make a virus harder to detect
Pseudocode given in presentation
http://www.defcon.org/images/defcon-12/dc-12-presentations/OTool/dc-12-otool.ppt
Defcon 12 Presentations
Trouble on the Internet

Far More Than You Ever Wanted To Tell

Hidden Data in Document Formats
By Maximillian Dornseif
The problem: the format of data files can be complex, and they are getting more and more complex
This problem is not limited to MS Office data files
Other formats such as HTML and JPEG, as well as many others, have problems
http://md.hudora.de/presentations/2004-BlackHat/HiddenData-LV.pdf
Defcon 12 Presentations
Trouble on the Internet

Credit Card Networks Revisited: Penetration in Real-Time

By Robert Imhoff-Dousharm

This interactive demonstration will give first hand experience in understanding and searching out credit card traffic on TCP/IP networks. It will also demonstrate how to deconstruct, rebuild and transmit rogue credit card packets. As an added bonus, prizes will be handed out to those who can craft and transmit rogue packets by end of speech. My incentives and guidance will illustrate how vulnerable credit card data is on merchant networks.

http://www.defcon.org/images/defcon-12/dc-12-presentations/Imhoff-Duncan/dc-12-imhoff-duncan.ppt
Defcon 12 Presentations
Personal Responsibility

Bluesnarfing: The risk from digital pickpockets

By Adam Laurie, Martin Herfurt
Bluesnarfing
First publicized by A L Digital, November 2003
Snarf: network slang for taking an unauthorized copy
Copy data via Bluetooth, including phonebook, calendar, IM and images
http://www.defcon.org/images/defcon-12/dc-12-presentations/Laurie-Herfurt/dc-12-laurie-herfurt.zip
Defcon 12 Presentations
Personal Responsibility

Attacking Windows Mobile PDAs

By Seth Fogie
Intrinsically lacking in security
Contain sensitive information:
Passwords
Names / Addresses / Phone numbers
Credit card information
Proprietary business information
Personal email
Business email
http://www.defcon.org/images/defcon-12/dc-12-presentations/Fogie/dc-12-fogie.pdf
The Future

Security will continue to be a challenge

How much security is enough?
Cost vs. protection
Is it working?
Preparing for the unknown
Never underestimate the threat
KNOWLEDGE is the key

Defcon 13: July 29-31, 2005


Questions?
Links

Defcon
http://www.defcon.org/
Defcon Media Archive
http://www.defcon.org/html/links/defcon-media-archives.html
Sound of Knowledge
http://www.tsok.net/tapelist.tpl?_wsConference_Codedatarq=2000-DEFCON&ac=DEFCON
