Thoughts from ShmooconIX (2013)

header
(Image presumably (c) Shmoo group)

First off, I want to thank all of the organizers and speakers – everything went great, even including IPv6 connectivity for most of the event and only one broken chandelier (that I know of, anyway).

Background:
For those who don’t know, Shmoocon is a ~3 day security conference (Friday-Sunday) mostly broken up into three concurrently-running tracks:
“Build It”
“Belay It”
“Bring it on”
… these names give a pretty good idea of the topics that will be focussed on.

There are other talks as well, a “Train the trainer” schedule that runs partially parallel to those tracks, and “Fire Talks” after the main conference ends Friday and Saturday.  There are many other events going on – Ghost in the Shellcode, Barcode Shmarcode, Lockpick Village … it really is quite a packed event.
(The Fire Talks are about 20minutes long, vs. the main conference presnetations which run closer to an hour.)

Aside from being rather well-known for the quality of the talks (more on that later), Shmoocon is also infamous for selling all of their tickets in about 25 seconds.  The conference is intentionally kept small and reasonably priced, so selling all of the tickets is to be expected – but this rate of sell-out-age is amazing … and frustrating, as you burn up the F5 key on your keyboard trying to get tickets.
(The tickets are released in 3 different batches, and each batch uses up all of it’s ‘reservation tokens’ in 10 sconds or less … amazing!)

Another fantastic feature: all of the presentations are streamed live, and recorded.  These recordings are then made available, FREE.  This year’s recordings will eventually be posted at  http://www.shmoocon.org/shmoocon_2013
(No ETA at the time of this writing.  Once posted, these are a great way to catch up on the ~2/3+ of the presnetations you missed!)

The Con
Anyway, let’s talk about a couple of the presentations – maybe get you fired up to go watch the videos (when they get posted).
(I won’t take up your whole day sharing the details for all of the talks I saw, if you want that see the very end of this post …)

#1 – Travis Goodspeed’s presentation about “Anti-Active Forensics” (aka Exploiting the USB Magic School Bus) was great.  Facedancer talks USB, and drives that wipe themselves in the face of “unusual access patterns (signifying forensic activity vs. normal user access)”.  (This was a Fire Talk)

#2 – Michael Rash’s “Port Knocking” presnetation was novel; and I think there could be a play for IPv6 there as well.  Michael, call me.

#3 – Chris Campbell’s “Pwn without tools” shows us the power of Power Shell and using Twitter for Command and Control (C2).  (This talk was also presented long-form at Epilogue, see below.)

Honorable mention goes to many of the presenters … Michelle’s Thin-Slicing (“fighting digital kudzu”), Georgia’s Smartphone Pentest Framework is of personal interest, Joe’s Becoming a Time Lord (“hacking NTP”, with props!) and G.Mark’s Hacking as an Act of War (“The DoD is for when the Dept of State fails”) were phenominal.

It may also go without saying, but I will say it anyway – the real value of attending this conference is just being in the same room(s) with all of these very smart people enaged in technical conversations and bouncing ideas back and forth; questioning and defending positions.
I might even more go so far as saying more information is exchanged in the hallways than in the presentations – learning via proximity :) .

Epilogue
The Northern Virginia Hackers (NoVaHa) put on a post-conference-conference called “Epilogue”.  This was a great day of great presentations as well, culminating in something that may make CCDC Blue Team’ers cry just a little bit.  An interesting experiment was to stream them all via Google Hangouts, which has the nifty benefit of also making them IPv6 reachable :) .
(Note: grecs was nive enough to catalog the videos from Epilogue, https://www.novainfosec.com/2013/02/24/novahackers-shmoocon-epilogue-videos/)

(( For those really into self-abuse, you can follow my “stream of consciousness notes … (please excuse any typos, they were typed on a phone during the talks!):
Days 0, 1:
https://plus.google.com/104134000998523025836/posts/VgWomivWEZf
Day 2:
https://plus.google.com/104134000998523025836/posts/DAMgTNBMZVD
Epilogue:
https://plus.google.com/104134000998523025836/posts/HjcRNxp9Ty7  ))

Feel free to ask me if you have any questions …
/TJ
PS – It was good to see the return of the Shmooball!

An example of “trying and failing” to really do IPv6 …

One of the most common complaints an organization has when trying to move forward with an IPv6 deployment is “lack of vendor support”.  Whether that means your ISP cannot get you the connectivity you need (cough DISA FAIL cough) or that means criticial components of your infrastructre just can’t do it (yet?) – in either type of scneario, this is clearly suboptimal.

Another problem we run into is vendors that say they “do IPv6″, and even seem to live up to that, at first glance.  Only when a deployment commences do you then find out some “little things” that aren’t quite right …

Case in point: F5′s Big-IP Load Balancers.
These devices are fairly popular and claim pretty strong IPv6 capabilities.  And we can configure the virtual IPs (IPv4 and IPv6) that will be the public-facing side of a service being offered – nice, right?

However, these devices don’t do a couple things that we expected … 
* The “virtual inside address” – a Link Local IPv6 address that nodes will use as a default gateway – isn’t used properly.  The Big-IP’s source the Router Advertisements from the “physical Link Local Address”, not the virtual one.  FAIL!
* Additionally, the current version of code does not support managing the device over IPv6.  Even the newer version of code supports IPv4 *or* IPv6 for management, but not both concurrently.  LAME!

(In both cases, we are working with the vendor to try to mitigate this … do you have any similar stories to share?  Send them along!)
Just some quick thoughts on the types of things you need to think through as you deploy IPv6 in your network … I mean, you are (at the very least) starting this process aren’t you??
/TJ

PS – for reference:
http://support.f5.com/kb/en-us/solutions/public/12000/600/sol12648.html
http://support.f5.com/kb/en-us/solutions/public/12000/400/sol12430.html
… feel free to dorp by there and let them know how important these items are for you :) .