Wednesday, July 14, 2010

RECON 2010

I'm back in Montreal for a month (after disappearing from Quebec for 8, after my sabbatical ended) and the highlight so far is RECON 2010. I've tried to attend in the past, but timing never worked out. This year I made it and I offer the following comments:

The talks are outstanding. The schedule is exhausting, particularly since the talks are outstanding and it's difficult to walk away from any of the talks to rest. It's a conference for those with 20-year-old stamina (I'm 45, but have 25-year-old stamina--almost good enough). The beer was good. The hotel almost caught on fire while I was in the shower. Note: If you hear faint beeping sounds while in a Canadian hotel, that might be the fire alarm. I hardly noticed, and it took a call from my wife to send me rushing down the stairs, barefoot. I always wanted to walk down a main street in Montreal barefooted, so my dream was fulfilled.

Sebastian Porst talked about obfuscating malicious payloads in PDF, and zynamics has a new tool that's worth checking out called PDF Dissector.

Danny Quist (founder of talked about some extensions to Ether (which itself is a set of patches to Xen to support malware analysis via hardware virtualization). Danny also showed off some very nice visualisation techniques for understanding execution flow during malware unpacking. His stuff is set for release in 2011(?). Check out the Ether page here. This was a great talk and will hopefully open up some avenues for collaboration, because my research group at UNO is also working on live forensics/malware detection and mitigation via VM introspection.

Ricky Lawshae (from BreakingPoint in Austin) discussed "picking" electronic locks using sequence number prediction. Yes, channelling Mitnick-style attacks into 2010. Now I'll have to stop telling my students that sequence number attacks are "so yesterday"...

There were also talks on picking (and destroying) physical locks, 8-bit/16-bit hardware hacking, reverse engineering embedded systems, deep looks at the obfuscation schemes of some recent malware (Swizzor and Mebroot), porting Syndicate (one of my favorite games in grad school) to modern architectures, building a router from scratch for SDSL service, and others. Check out everything at RECON.

RECON is moving to an annual schedule, so be sure to check it out in 2011. Attendance is limited, so register early for 2011 once that's possible.