Went to ShmooCon for the first time this year -- it was a killer time. Quick rundown of what I learned:
-- Solid-state drives and USB sticks should not be trusted as erasable media. The short of it: if you need to keep sensitive data on these, use crypto, because there's no guarantee you will be able to remove the data when it comes time to delete it. Recommended secure wiping for these devices: hammer.
-- Client-side exploitation is becoming as (if not more) important in a pentest as server vulnerability assessment. This isn't new to anyone in the security industry, but it seems like clients paying for pentests just don't get it. Jay Beale spoke about this, and it was a pretty entertaining talk.
-- SIP/VoIP vulns: there was an OK talk on this stuff, but the demonstration of the attacks fell through :(. The short of it: XSS/XSRF in the web servers embedded in VoIP gear. Also, "chess grand-master" cryptographic architectural weaknesses in the nonce exchange/authentication used by many VoIP devices.
-- Nerdcore rap is becoming scarily popular. Expect more on this.
-- Open bar @ Shmoo party = hackers spilling drinks, and secrets ;P
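To make the SSD/USB point concrete, here is an added example (mine, not from the talk or the original post). It models a hypothetical wear-levelled flash device, `FlashSim`, where every write lands on a fresh physical page and the old page is only marked stale, so a host-level delete or zero-overwrite leaves the previous contents readable to anyone who dumps the raw chip. Writing only ciphertext and treating key destruction as the erase ("crypto-erase") is what makes the data unrecoverable. The HMAC-SHA256 counter-mode keystream is a standard-library stand-in for AES-CTR so the script runs offline; in a real deployment use a vetted AEAD and keep the key in a TPM or OS keystore, not on the same stick.

```python
"""Added illustration: why encrypting before writing to flash is the only
reliable "erase". FlashSim is a constructed, hypothetical model of a
wear-levelling device; it is not any real drive's firmware."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


class FlashSim:
    """Hypothetical wear-levelling flash: a logical write never touches the
    physical page that held the block before, it just allocates a new one."""

    def __init__(self):
        self.pages = []     # every physical page ever written, in order
        self.mapping = {}   # logical block -> index of its current page

    def write(self, block, data):
        self.pages.append(bytes(data))
        self.mapping[block] = len(self.pages) - 1

    def read(self, block):
        return self.pages[self.mapping[block]]

    def delete(self, block):
        # What the host sees as "delete": drop the mapping. NAND keeps the page.
        self.mapping.pop(block, None)

    def dump_raw(self):
        """What a chip-off forensic read sees: all pages, stale ones included."""
        return b"".join(self.pages)


def keystream(key, nonce, length):
    """CTR-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def plaintext_scenario(secret):
    """Write the secret in the clear, delete it, even zero it: remnant survives."""
    flash = FlashSim()
    flash.write(0, secret)
    flash.delete(0)
    flash.write(0, b"\x00" * len(secret))   # naive "wipe" goes to a new page
    return secret in flash.dump_raw()       # True: old page still holds it


def crypto_erase_scenario(secret):
    """Write only ciphertext; destroying the key is the erase."""
    flash = FlashSim()
    key = secrets.token_bytes(32)           # held off-device (TPM/keystore)
    flash.write(0, encrypt(key, secret))
    assert decrypt(key, flash.read(0)) == secret   # readable while key exists
    del key   # crypto-erase; a real keystore would zeroize the key material
    return secret in flash.dump_raw()       # False: only ciphertext remains


if __name__ == "__main__":
    s = b"customer list: do not leak"       # constructed sample secret
    print("plaintext remnant recoverable:", plaintext_scenario(s))
    print("remnant after crypto-erase:   ", crypto_erase_scenario(s))
```

The asymmetry is the whole point: with the plaintext path you depend on firmware you cannot audit to actually destroy pages, while with the encrypted path the only thing you must be able to destroy is a 32-byte key that never lived on the flash.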