Important Takeaways from ShmooCon 2011

Monday, February 07, 2011

Rafal Los

Conferences are more than just going to interesting talks, meeting interesting people, and attending after-parties. 

Sometimes, if the conference is really a gem (like ShmooCon), you actually learn something. Having just attended ShmooCon 2011, I sit here waiting to go home... and think it worth sharing my thoughts.

Sometimes, There is No Hope

There was a talk given by Trent "Surbo" Lo based on his research and repeated attempts to get a certain organization's attention on security flaws in their online application/site. 

The talk, titled "An Evite from Surbo? Probably an Invitation for Trouble", wasn't just about research into some obscure, hard-to-exploit SQL injection... it was a talk that exposed flaws in the very underpinnings of an architecture so broken that the only logical recourse, after extensive thought at a 'team gathering', was a thorough rm -rf * of the site code.

Sometimes you just can't fix a site because it's so fundamentally flawed that nothing can be done short of rewriting it... from scratch. Interestingly enough, some of the unintentional functionality Surbo demonstrated made issues like SQL injection and XSS moot by comparison.

In the end, what Surbo demonstrated was something we've been shining a spotlight on for a while: thinking about security before code is even written. If appropriate attention is given to requirements, architecture and design rather than just piling on cool features, security sometimes stands a chance.

Passwords are Still a Problem

With Gawker and a bunch of other sites being essentially gutted and their password databases being posted to BitTorrent sites for public sharing, what we're starting to realize is that people are still bad at password management. 

I don't know if any of you paid attention to the ZF0 madness a while back, but having pathetically easy-to-break passwords isn't an exclusive trait of the club of clueless Internet users. People who work in security, and should really know better, are still using the same password across the Internet... or a password generation scheme that is easily reverse-engineered once a single password leaks. I blame websites, not people.

Think about it: you probably have 100+ places where you've registered a username and password... and that's just in the past year! Is it even conceivable that you'll remember them all if you have a different password for each site? Unless your memory is at least an order of magnitude better than mine, the answer is no.

So what's the deal with inconsistent password policies? It would be much easier to have a sane algorithm for generating and remembering passwords if policies across sites were even remotely similar. We heard discussion this weekend of abolishing the 'password' in favor of the pass-phrase, which is significantly more effective... but wait, there are challenges.

A quick look through the first five sites I log into shows that some allow spaces and some don't; some require special characters while others don't even allow them; some have a maximum of 10 characters while others have a minimum of 10. What gives? Can we have a little sanity around passwords? That last pair is my favorite.
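To make the two complaints above concrete (a site-derived password scheme that falls apart after one leak, and site policies so inconsistent that no single pass-phrase survives them), here is an added example. It is not code from the original post or from any talk at the conference; the site names, the policy rules, the "leaked" password and the master phrase are all constructed, and the HMAC derivation is the editor's illustration of a sane per-site scheme, not something the post proposed.

```python
"""Added example (not from the original post): why a guessable per-site
password 'generation key' fails once any one site leaks, how a keyed
derivation avoids that, and how inconsistent site policies then get in
the way. Every site name, policy rule, master phrase and 'leaked'
password below is constructed for illustration.
"""
import hashlib
import hmac
import string

# Constructed master secret; in practice this lives only in the user's head
# or a password manager, never on any site.
MASTER = "correct horse battery staple"

# Constructed policies mirroring the post's complaints: one site caps length
# at 10 and forbids symbols, another has a minimum of 10 and allows spaces,
# a third forbids spaces but requires a symbol.
POLICIES = {
    "bank":    {"min_len": 8,  "max_len": 10, "allow_space": False, "allow_symbol": False, "require_symbol": False},
    "forum":   {"min_len": 10, "max_len": 64, "allow_space": True,  "allow_symbol": True,  "require_symbol": False},
    "webmail": {"min_len": 8,  "max_len": 32, "allow_space": False, "allow_symbol": True,  "require_symbol": True},
}
SYMBOLS = "!@#$%^&*"


def naive_site_password(site):
    """The kind of 'generation key' the post calls easily breakable:
    a fixed base with the site name bolted on."""
    return "Summer2011!" + site


def infer_from_leak(leaked_site, leaked_pw, target_site):
    """What an attacker does with one leaked credential: if the site name
    is visible in the password, substitute the target site. Returns the
    guess, or None if the scheme is not visibly site-derived."""
    if leaked_site in leaked_pw:
        return leaked_pw.replace(leaked_site, target_site)
    return None


def policy_violations(pw, policy):
    """List every rule in `policy` that `pw` breaks (empty list = accepted)."""
    problems = []
    if len(pw) < policy["min_len"]:
        problems.append("too short")
    if len(pw) > policy["max_len"]:
        problems.append("too long")
    if " " in pw and not policy["allow_space"]:
        problems.append("space not allowed")
    has_symbol = any(c in SYMBOLS for c in pw)
    if has_symbol and not policy["allow_symbol"]:
        problems.append("symbol not allowed")
    if not has_symbol and policy["require_symbol"]:
        problems.append("symbol required")
    return problems


def sites_accepting(pw):
    """Which of the constructed sites would accept this one password."""
    return [site for site, p in POLICIES.items() if not policy_violations(pw, p)]


def derived_site_password(site, policy, master=MASTER, target_len=20):
    """Keyed derivation: HMAC-SHA256(master, site), mapped onto the largest
    alphabet the site's policy allows and cut to the longest length it
    permits. A leaked output tells an attacker nothing about other sites
    without `master`. If the policy demands a symbol and the mapping
    happened not to produce one, re-derive with a counter (deterministic,
    so the same password comes out at the next login).
    Note: alphabet[b % len(alphabet)] has a small modulo bias; fine for an
    illustration, a real tool would use rejection sampling."""
    alphabet = string.ascii_letters + string.digits
    if policy["allow_symbol"]:
        alphabet += SYMBOLS
    length = min(target_len, policy["max_len"])
    counter = 0
    while True:
        msg = site.encode() + b"\x00" + str(counter).encode()
        digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
        pw = "".join(alphabet[b % len(alphabet)] for b in digest)[:length]
        if not policy_violations(pw, policy):
            return pw
        counter += 1


if __name__ == "__main__":
    # One leak from the naive scheme exposes every other site.
    leaked = naive_site_password("gawker")
    print("leaked:", leaked, "-> guess for bank:", infer_from_leak("gawker", leaked, "bank"))
    # The pass-phrase the post favours is accepted by exactly one of three sites.
    print("passphrase accepted by:", sites_accepting(MASTER))
    # Keyed derivation: each site gets its own policy-compliant password.
    for site, policy in POLICIES.items():
        print(site, derived_site_password(site, policy))
```

Run as a script it prints the attacker's guess for the bank from the leaked forum-style password, the single site that will take the pass-phrase as-is, and a distinct policy-compliant password per site. The point of the last part is the post's: even with a sane derivation the caller still has to carry a per-site policy table around, because the bank's 10-character, no-symbol cap and the webmail's symbol requirement cannot be satisfied by one output.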

If you missed the conference, and managed to miss the streaming video too, you still have a chance to purchase the talks on DVD. There are very few conferences whose recordings I would actually buy and then watch; ShmooCon is one of them.

But beyond the content that happened on stage, the conversations, hallway mini-cons and brainstorming sessions are priceless. If you can get one next year, this is one ticket you should get at any cost.

Cross-posted from Following the White Rabbit

shawn merdinger: I'd add:

Ryan Speers and Ricky Melgares presented ZigBee Security: Find, Fix, Finish

"Security will not get better until tools for practical exploration of the attack surface are made available" -- (Joshua) Wright's Law
Rafal Los: Agreed. Tools for practical exploitation will be made illegal by those who fear that they are used for purely evil, or by those who are too lazy to fix their code.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.