I’ve been running a little behind on these, but I’m trying to catch up. I’m also going to try to insert links to the actual presentations as they go up.
Quick takes:
“Is your IPhone Pwned?”: This was turned into a more general talk about the whole class of smartphones, including Windows mobile devices. They demonstrated one exploit that involves settings on Windows devices from some vendors. (Basically, the exploit involves misconfigured security settings that allow a remote computer to send malicious WAP push messages that the phone will accept.) Patching mobile vulnerabilities is difficult; there’s a lot of QA issues that have to be dealt with by each vendor for each platform, plus the FCC gets involved if you touch the radio code. Beyond that, the presenters spent a lot of time discussing the design of their Fuzzit tool for finding phone vulnerabilities. Key takeaway: the state of mobile security today is roughly equivalent to the state of network security as of 1999.
“Hacking With the iPod Touch”: Key takeaways:
- There’s a lot of tools available for penetration testing on the iPod Touch if you’re willing to jailbreak the device. (Wilhelm’s presentation includes a long list of available tools. Did you know that you can run Perl, Python, and Ruby on the iPod Touch? Neither did I.)
- Nobody gets suspicious if they see you fiddling with your iPod Touch. A full-sized laptop, or even a netbook, might be a different matter.
“That Awesome Time I Was Sued For Two Billion Dollars”: Jason Scott is a pretty good speaker, but this was sort of a “meh” talk. “Yeah, I got sued for two billion dollars by someone who is apparently mentally unbalanced (in the speaker’s opinion -DB) and the case got thrown out of court.” Key take away: Don’t let yourself be intimidated by legal (or legal-looking) documents.
“Three Point Oh”: Couldn’t get in to see Long’s talk.
“Something About Network Security”: Kaminsky’s talk this year concentrated on vulnerabilities in the PKI infrastructure, and specifically certificate attacks. I still think Kaminsky is the cat’s pajamas, but his talk this year seemed a bit off, compared to some of his previous talks (for example, the tunneling data over DNS hack).