A large number of us hear about a potential "undercover" reporter at the con without a press badge.
Kingpin presents hardware hacking Freescale chips, and how he made the badge, with a programmable scrolling LED panel this year. It's always good to be reminded that it all starts with the hardware, and that cool stuff is being done with less than 16K of memory.
Bruce Schneier Q&A session. I never turn down an opportunity to see Bruce. Besides discussing the recent interview with the TSA chief he has been blogging about, he pointed out that everything we do in the information age outputs data, it's all over the place, we can't get rid of it easily. He said "data is the pollution of the information age". Everything we do in cyberspace outputs some form of data, it's all over the place, we can't get rid of it easily.
He went on further to postulate that we will be judged in a few decades (as individuals in the industrial age are/were) on how we manage this new type of pollution.
In response to another question, Bruce again pointed out encryption strength doesn't matter. No one tries to crack the crypto, they attack the key management. The FBI cracks Hushmail/PGP with keyloggers.
He also talked about this forensic company (I think it was AccessData) that FBI/CIA/etc. contracts with that has an 80% chance of cracking any file they get as long as they get the hard drive along with it. The company compiles a dictionary from all the printable strings contained on the hard drive. Think of all the cr@p in pagefiles, slack space, things tagged onto the end of 3-year-old Word docs...that sort of thing. They mutate it and create a personalized dictionary attack...and it works most of the time.
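To check your own exposure to that approach, here is an added example (not from the talk or from any vendor's tool) that pulls printable ASCII and UTF-16LE strings out of a raw dump and reports where the base word of a passphrase you already know sits on the disk. The function names, the normalization rules and the sample bytes are assumptions constructed for illustration.

```python
import re

# Printable runs of 4+ characters, as the classic `strings` tool finds them:
# plain ASCII, and UTF-16LE (how Windows keeps much of its text in memory).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Assumed normalization: undo common character swaps and drop trailing
# digits/punctuation, so "Tr0ub4dor2007!" and "Troubador" compare equal.
LEET = str.maketrans("@4301!5$7", "aaeoiisst")
SUFFIX = "0123456789!?.#*"

def normalize(word):
    """Reduce a word to the base form a mutated dictionary would start from."""
    return word.rstrip(SUFFIX).lower().translate(LEET)

def printable_strings(blob):
    """Yield (byte offset, text) for every printable run in the dump."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), m.group().decode("utf-16-le")

def find_exposure(passphrase, blob, min_len=6):
    """Return (offset, token) for each on-disk token sharing the passphrase's base."""
    base = normalize(passphrase)
    if len(base) < min_len:  # too short to attribute a match to this passphrase
        return []
    hits = []
    for offset, text in printable_strings(blob):
        for token in text.split():
            if normalize(token) == base:
                hits.append((offset, token))
    return hits

# Constructed sample: binary junk, leftover document text, a UTF-16 fragment.
SAMPLE = (
    b"\x00\x13\xfePK\x03\x04 old letter: my dog Troubador is 3 years old\x00\xff\x01"
    + "troubador photo album".encode("utf-16-le")
    + b"\x90\x90\x07\x00"
)

if __name__ == "__main__":
    for offset, token in find_exposure("Tr0ub4dor2007!", SAMPLE):
        print(f"base word found at byte {offset}: {token!r}")
```

Any hit means the passphrase is only a few mutations away from text already on the drive, so either the passphrase or the leftover data (pagefile, old documents) has to go.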
Martyn Ruks @ MWR InfoSecurity gave a really good presentation on MQ Series architecture and the surface area open to exploit. In addition to presenting 2 new vulnerabilities, one of which appears to be a 0-day, he demonstrated several tools he wrote and mentioned he would be releasing the core Python classes he wrote to research attacks on and enumerate MQ.
This year they had Q&A breakout rooms...so after the talk, you could spend another hour asking questions with about 4 or 5 other people. It was great. T-Rob, a cool MQ guy who works for IBM (although not officially representing IBM) was there. He has this comment to add to some mainstream MQ user forums.
The takeaway beyond MQ, from this talk, is that there are minimal vulnerability assessment tools (and methodology for that matter) to assess the security of large enterprise middleware infrastructure. And when testing or reviewing reports of pentests that involve middleware, don't accept a clean Nessus/ISS/Retina scan as sufficient and assume you're secure.
Some of the things that come to mind are LDAP, J2EE, appserver RPC protocols, as well as enterprise management systems protocols used to manage Symantec (ESM), IBM (Tivoli) and others. All of these have been found vulnerable and the vendors have silently patched them with little notice.