I attended my second Shmoocon earlier this month in Washington DC, a conference which I’ve begun to describe to my friends as a ‘hacking and security’ conference. Shmoocon is a wonderful mix of computer security folks, physical security folks (lockpicking), and hackers (folks just interested in how things work). It’s fun to attend and find many examples that prove you really aren’t as safe as you thought, you really can’t trust most companies or people, but there is plenty that you can do about it, once you know to how to defend yourself. One of the best things Shmoocon offers is a different perspective on the world, which I always savor.
The weekend was quite busy: a drive down from Pittsburgh to my friends house just outside DC after work Thursday. I crashed hard that night and headed into town Friday morning. It was my goal to find some street food in DC and this taco truck on K ave (I think) provided the means! Food from trucks is so good!
Friday night, all Saturday, and Sunday were spent on a mix of attending talks, playing TF2 for Hack Fortress, and drinking copiously. There was an RIT alumni mixer Saturday night which showed my how many RIT alums are in DC!
Two talks I really enjoyed were “Computer Search and Seizure” and “Inside the App: All Your Data are Belong to Me.” I only caught the tail end of the search and seizure talk, but it was being given by a lawyer from the EFF and seemed worthwhile enough to watch the talk again once it comes online.
The other talk covered sniffing iPhone backups for passwords and other “secure” info. Here is the summary:
Inside the App: All Your Data are Belong to Me Sarah Edwards Everyone knows their life is stored in their iPhones and iPads, but to what extent? Forensic software can quickly and easily extract the data contained in the default applications such as Address Book and Safari. This software can be run by the most inexperienced of investigators and is often just a click of a button to perform an “analysis”. iOS applications have become very prevalent and many people do not know the amount of revealing data that can be found in them. This presentation attempts to show the extent to which a person’s private information can be exploited by doing simple analysis of iOS applications. People have the right to know what data an app may store about them. This private information may be used by malicious adversaries, intelligence agencies or law enforcement. Take the time - know your apps.
This talk showed that many iPhone apps cache or store plain-text passwords and app data in an organized format that is easily accessible in the iPhone backup. One idea I grepped from this was using iPhone backups as a data export feature from websites that do not offer a better method. Several website/apps covered included LinkedIn, Facebook, and a few bank websites. Banks are thankfully good about allowing you to export data, but Facebook has had a mixed history, only in recent months allowing you a partial download of your data. Perhaps the iPhone backup might offer more data?
Overall, another busy and interesting weekend!