Sunday, 15 January 2006

ShmooCon Wrap-Up

As soon as I returned from DoD Cybercrime, I headed to ShmooCon. I attended last year but didn't speak. This year David Bianco and I presented Network Security Monitoring with Sguil. I was very surprised by the number of people who attended our talk. I hope you liked it. I brought about 30 books provided by various publishers over the years, and distributed them in an ad-hoc manner at the end of the talk. If you received a book, I would very much appreciate seeing a review posted to Amazon.com.

I started ShmooCon by arriving late to Dan Geer's keynote. Even seeing only half the talk, I was incredibly impressed. Dr. Geer is a biostatistician in search of a computer security hypothesis to test. I cannot do his talk justice, as I was reduced to trying to take notes by writing in the margins of a book excerpt I received in my conference bag. Here are a few highlights:
  • Dr. Geer noted that our field "suffers nothing but ambiguity over who owns what risk." It is "completely the opposite" in banking, thanks to "massive simulations" and explicit assignment of risk.

  • Dr. Geer reported that a "major bank" "will not spend any more time on prevention, only response." When a patch arrives from Microsoft, they simply apply it. If the patch breaks something, they fix it. The bank no longer cares about Mean Time To Failure. All they track is Mean Time to Repair. Dr. Geer said this approach is not unusual and it is more common than you might think.

  • Dr. Geer warned that "we are in danger of being overtaken by people with credentials and process instead of skill and knowledge." This sounds like a warning against auditors and non-technical people.

  • One sixth of security vulnerabilities are found by the owners of the flawed software. That means five sixths are found by others.

  • Dr. Geer uses a disease model for computer security. He said we don't need every system to be patched, only "enough." This is called "herd immunity." Enough members of the community are immune to keep the disease from destroying the group.

After Dr. Geer's talk I listened to Joe Stewart of LURHQ describe his sandnet concept. The sandnet is a research network for analyzing malware. Joe said that malware can be investigated by code review or behavioral inspection. Code review is complete but time-consuming and skill-intensive; behavioral inspection is incomplete but faster and easier. Sandnets assist with behavioral inspection by giving malware a real host and a simulated network in which to operate.

A sandnet is unique because it is a structured, semi-automated way to use real machines for malware analysis. Too much malware that Joe researches is VMware-aware, mostly using a backdoor I/O function call. Since his sandnet runs on real hardware, the malware doesn't realize it is being watched. To simulate the network, Joe has a gateway pretend to be the Internet. If the malware needs to retrieve a certain file, Joe watches for what it requests and then places it on his gateway where the malware expects to find it. Expect to see more details released through LURHQ shortly.

Next I watched acidus (Billy Hoffman from SPI Dynamics) describe Covert Crawling. Essentially he has implemented a means to mirror Web sites in a manner that simulates a human user rather than a simple retrieval of all Web site pages. In some ways his work appeared to be a "solution in search of a problem," because he assumes Web site administrators pay attention to their logs and check who is mirroring or otherwise investigating their sites. On the other hand, I know his work will be of great interest to many parties who want to add another layer of discretion to their Web site surveillance activities.

After acidus I saw Dan Kaminsky's latest "Black Ops of TCP/IP" presentation. I think I first saw Dan speak four years ago, and he always delivers. His latest research demonstrates a way to abuse IP fragment reassembly timers to fool IDS/IPS. He explained that highly complex inline devices are easy to fingerprint, since each device accepts or rejects traffic differently -- especially at layer 7. Dan also presented updated data on his adventures investigating Sony, and introduced Xovi, his streaming graph visualization framework. Dan said you can feed Xovi Tcpdump data, which I would love to try.

I started Saturday by arriving late for Jennifer Granick's keynote. (Hey, I live about an hour away, I need to find parking, etc.) Thankfully she ran about 20 minutes over her allotted time, so I probably listened to her for 50 minutes or so. She spent a good deal of time talking about the implications of the Bush administration's domestic spying program. With privacy in mind, I then turned to a talk on improvements in Tor that frustrate identifying hidden servers. Basically the old version allowed malicious parties to identify hidden servers by joining the Tor network and carefully inspecting traffic.

After hearing about Tor I attended a fascinating talk about Kryptos by Elonka Dunin. Kryptos is a sculpture at CIA HQ with four sections of ciphertext. Three have been decoded, but the fourth remains a mystery. I recommend visiting Elonka's site for more information.

I turned back to computer security issues by attending a BoF on reverse engineering hosted by Pedram Amini and Chris Eagle (author of ida-x86emu and Naval Postgraduate School professor). That was an insane group. Greg Hoglund from Rootkit.com sat in the front row and contributed a lot to the discussion of reverse engineering, including his work analyzing Warden. Pedram encouraged people to share what they know at OpenRCE.org. A lot of people chimed in regarding Ilfak Guilfanov (IDA Pro developer). Steve Micallef's IDA Plugin document was brought up, as was rom.by (warning: Russian).

I managed to see most of Mike Rash's presentation on single packet authorization (SPA), which was cool. I was nervous because I was speaking next, so it was tough to concentrate. After my talk I participated in a Snort BoF held by Brian Caswell and Lurene Grenier. They made good points on high-performance Snort operation, including using an architecture-specific compiler to get better performance. In other words, avoid GCC and use an Intel compiler on Intel, an AMD compiler on AMD, and so on. Brian mentioned zero copy as a means for faster packet collection, along with Endace NICs. I was fairly burnt out after that, so I headed home. I didn't return for the talks on Sunday, since I wanted to go to church and spend some time with my family.

Four aspects of ShmooCon stand out.

  1. The Shmoo Group threw tons of manpower at this conference. I saw red shirts everywhere. This was welcome and unlike any other conference I've attended.

  2. The quality of the talks was very good. They were not all stellar, but the value for the money is absolutely unparalleled.

  3. I have not spoken with so many recognized speakers, authors, and researchers anywhere else. I personally shared at least a few words with Eric Cole, Jennifer Granick, Greg Hoglund, Brian Krebs, Dan Langille, Dru Lavigne, Ike Levy, Johnny Long, Mike Poor, Mike Rash, George Rosamond, Marcus Sachs, Ed Skoudis, and Visigoth. Several Sguil users were there, including #snort-gui regulars like Hanashi (with whom I presented), nr, snortboy, and transzorp. Many people were kind enough to say hello, and one even gave me a coin from his three letter .gov agency.

  4. Many of the talks are available for sale in DVD format from Media Archives. I am sure their Web site will be updated to reflect ShmooCon soon, but I already see my talk in their catalog.
Kudos to the Shmoo Group and founder Bruce Potter.

If you didn't attend ShmooCon last year, please consider it for 2007. If you did attend this year, what did you think?

Incidentally, did anyone attend the BoF where SANS certification and teaching schedules were debated? If so, would you mind posting some comments here?