44Con: bigger, better, uncut
Nick Barron, security consultant
This year's 44Con did the industry proud, from the new attack on Enigma to the caffeine-infused BlackBerry Lounge.
So, as expected, the second 44Con was even better than last year's. Of course I may be somewhat biased, as I was part of the crew this time round. This wasn't without its risks. The primary organisers, Adrian and Steve, were walking wounded; Adrian due to an inconsiderate motorist who hit his bike, and Steve due to what can best be described as an unfortunate socialising injury. We then lost our floor manager, Campbell, to a back injury, and press liaison John to a damaged leg. Even SC's Dan Raywood succumbed to sunstroke and had to cancel.
Still, the conference brought together an eclectic range of speakers and specialists from all over. The high point for me was the presentation by Bob Weiss and Benjamin Gatti on a new attack on the WWII Enigma cipher. What many people fail to realise is that the Bletchley Park work required some hints of plaintext (cribs) to get started. The new attack not only works purely on ciphertext, but also runs fast enough to crack messages in real time on a laptop. Not only is this impressive from a theoretical perspective, but it may benefit historians by helping decode the backlog of uncracked WWII messages. Full details are at www.enigmacrack.com.
MWR presented two pieces of new research. The first demonstrated weaknesses in off-the-shelf Chip & Pin terminals, with the amusing title ‘PinPadPwn’. They inserted a modified card into a terminal and turned it into an arcade racing game.
The second was an analysis of 4G LTE mobile networks, something of interest to me as I'm fortunate enough to live in one of the initial rollout cities for the new service. While this didn't include the same level of ‘pwnage’ as the previous demo, it certainly gave the audience a thorough grounding in the technical and security issues. See the slides at http://mwr.to/lte.
44Con's very own ‘Dr Phil’, Philip Polstra, returned with a range of clever embedded device tricks. He presented ‘the Deck’, a small, battery-powered, homebrew forensics/penetration testing kit, and an updated version of his USB interface that allows the impersonation of any USB device ID (neatly bypassing most data loss prevention products).
‘Awkward hugger’ Jayson Street, visiting from the US, gave a superb and passionate presentation on how we need to adjust our attitude to educating the less-security-aware people in the business. Not a technical presentation, but a great one for managers and infosec techies alike.
Several presenters also ran a number of workshops. It's safe to say that if you attended any one of these, you got more than your ticket price back in training value.
The sponsors this year were also great. The BlackBerry Lounge – complete with the ever-so-British ‘Gin O'Clock’ – was open throughout the event, serving an average of one cup of coffee every two minutes throughout the day (BlackBerry will also be glad to hear that my handset was one of the few mobiles that worked throughout the Faraday-cage-like venue). MWR generously sponsored the Thursday-night party (which emptied both hotel bars). We also had support from Raytheon, Sourcefire, NCC Group, Elcomsoft, ITC, Crest, Tiger Scheme and Carbon Black. I'd like to publicly thank them all for supporting the industry and the infosec community in such a generous fashion.
The 44Con website (www.44con.com) is currently undergoing a revamp, and will soon be updated with material from the conferences and, hopefully, some of the videos recorded of the presentations (attendees this year could purchase a professionally produced DVD, so no more ‘which talk should I go to?’ worries).
44Con is back next year and promises the same combination of friendly atmosphere, low travel costs and excellent technical content. There's also the free 44Cafe taster event running alongside April's infosec show. If you're in the UK, you should definitely consider booking your ticket as soon as they become available.
I can guarantee that you won't be disappointed.