Information Security News: San Diego's ToorCon keeps hackers current

[InfoSec News <alerts () infosecnews org>]

http://www.linux.com/feature/120046

By Joe Barr  
October 23, 2007

ToorCon 9, a hacker's convention, kicked off with registration and a 
reception Friday evening in the San Diego Convention Center. Keynotes 
and the talks were held Saturday and Sunday. This was my first time at 
ToorCon, and I learned why it is so highly regarded among the hacker 
community. It's good.

There were probably a few feds in the crowd, but for the most part 
attendees were hackers or hacker wannabes. ToorCon occupied only a small 
fraction of the enormous convention center; the whole thing was 
conducted in three meeting rooms on the upper level.

While we were both waiting to register, I met Scott Moulton, who owns a 
forensics company in Atlanta and gave a talk on Saturday about 
recovering data from damaged flash drives. While Moulton and I were 
talking, Johnny Cache happened to walk by and Moulton pointed him out to 
me. Cache and David Maynor were vilified by the Apple community's 
bloggers last year after the shameful fiasco at Black Hat last year, 
when strong-arm legal tactics by Apple not only made it impossible for 
them to mention the Apple Wi-Fi card in their taped demo of a Wi-Fi 
exploit, but also to defend themselves from attacks in the blogosphere. 
Cache was not at ToorCon to give a talk, but simply to attend.

On Saturday, I spent a few minutes with ToorCon's founder David Hulton 
(h1kari), event coordinator George Spillman (Geo), and Johnny Cache, and 
learned a little bit about the history of ToorCon. Hulton said that he 
and a friend started the con nine years ago, when he was 15. They had 
just returned from DefCon 4 in Las Vegas and decided to do a local 
version. His friend couldn't participate the following year, but he 
continued with it, never dreaming, he said, that it would grow to be as 
popular as it is today.

I also ran into a couple of DefCon regulars -- part of the CoffeeWars 
crew -- on Friday evening: students like the one who came to hear one of 
his teachers give a talk about teaching hacking in college, a college 
math teacher from Chicago there to learn what he could, a sprinkling of 
talent from San Diego 2600, and assorted l33t and not-so-l33t attendees 
ranging in age from their teens to at least their 60s.


The keynotes

ToorCon 9 began Saturday morning with an eye-opening, irreverent, 
F-bomb-laced keynote entitled "Wolverine, Yo' Mama, Spooks, and Osama" 
delivered by a security engineer named Beetle, who explained he was a 
last-minute replacement for a speaker who had to cancel. By the time he 
finished, I don't think anyone was left feeling shortchanged by the 
substitution.

Nobody was safe from Beetle's wrath. His rant covered the deciders who 
dictate the story lines at Marvel Comics, the Slashdot crowd, Google, 
politicians in Washington, the American public, and the hacker community 
itself.

After deconstructing the story lines of several comic books over the 
past year or two, applying criticisms and sarcastic commentary as 
needed, he paused and asked what some in the audience were wondering: 
Where he was going with all of this? Then he dived back in and started 
to work on Slashdot and Google. With graphs showing the number of 
comments that various stories that appeared on Slashdot got, he 
illustrated how stories are much more popular on Slashdot before all the 
facts are known, when opinions are shaped by fanboys and bloggers who 
opine without the benefit of a clue.

Beetle used the aforementioned story of Johnny Cache and David Maynor to 
illustrate his point. The truth of the matter was finally revealed when 
Maynor was freed from the non-disclosure agreement last year, but 
interest in the matter was basically gone.

As for Google, he began by referencing the NSA and its spooks, and the 
controversial monitoring and data mining they are doing on American 
citizens. Then he remarked how Google did much the same thing with our 
search requests, then sold the results so they could be used for 
targeted advertising.

Beetle also lampooned America's attitude toward China. He pointed out 
that we, led by the politicians in DC, were all in an uproar over lead 
paint on children's toys, but concern about China as the source of spam 
or Internet attacks on our military and government networks? No uproar 
over that, so evidently that's no big deal.

Several things had happened by the time Beetle finished: the F-word had 
become nothing more than punctuation, the crowd almost unanimously had 
been entertained and won over by his rants, and everyone was wide awake. 
That's a good way to start a con.

After a second keynote called "Black Ops 2007: Design Reviewing the 
Web"-- Dan Kaminsky had the misfortune to follow Beetle -- the con was 
off and running.


The talks

There were only two tracks at ToorCon -- one about hacking things and 
one about defending things from being hacked. One of the three meeting 
rooms was labeled Attacks, another Defense. The third room housed a live 
hacking competition, where teams competed to see how many and how 
quickly they could own various servers on the LAN. Also in the room were 
a book publisher hawking its wares, representatives from the Hacker 
Foundation selling T-shirts and memorabilia, and others.

On Saturday, all the talks were an hour long. On Sunday, the talks were 
only 20 minutes long, a format which seems to be growing in popularity 
at hacker cons. Most often, the crowd would stay in the same room when 
one talk was finished and wait a few minutes for the next to begin.

One of the more popular talks was called "Exposing Stormworm." You may 
have heard or read some of the buzz about Stormworm this past summer. 
It's a new generation of botnets that are being used by spammers to make 
sure you always know about the best deals on penis enhancement and 
get-rich-quick stock purchase opportunities. Brandon Enright, a network 
security analyst at the University of California, San Diego, and a code 
contributor to open source projects such as Nmap, came to ToorCon not to 
hype the dangers of Stormworm, but to deliver the results of research 
that monitors its size.

The Stormworm botnet is an impressive phenomenon. Enright displayed 
graphs of active -- defined as being online and capable of being 
controlled -- Stormworm nodes based on monitoring the night before his 
presentation. They numbered about 22,000. That's a powerful force, but 
far short of some of the estimates that have been seen in print. Enright 
said that while many millions of Windows systems have been infected by 
Stormworm, they haven't all stayed infected, as its fingerprints are now 
well known.

VoIP and Wi-Fi were popular topics, for both tracks. I attended three 
20-minute talks on VoIP. The first explained how to hack a VPN used for 
VoIP and hop into the data network. The speakers suggested I attend 
another talk, this one on defense side, on the same topic. That one 
suggested I catch Druid's talk on Context-keyed Payload Encoding. From 
those three talks it's clear that VoIP, like Wi-Fi, was designed without 
concern about security. Hopefully, both areas will eventually provide 
better security, but today they are a collection of vulnerabilities.

I also enjoyed a panel talk on "Building Hackerspaces," hosted by Nick 
Farr of the Hacker Foundation and Eric Johnson (3ricj), who is involved 
with a hackerspace in the Seattle area. I learned that a hackerspace is 
similar to a LUG, but not the same. It's a community-owned and -governed 
space where people who enjoy hacking can gather and work together on the 
project of the moment.

ToorCon 9 was a great con. I think I enjoyed it more and learned more 
than at any other I've attended. It may be smaller in attendance, but 
not in content and style. A DVD containing all the talks is slated to be 
for sale, or if you're the patient type, you can wait for the videos to 
appear on the ToorCon Web site.


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com