I meant to write about this last week but have been pretty busy with some other projects I have been working on. I have to say I had a great time at toorcon Seattle this year. Props to David for getting this event all put together.
There were definitely some good talks, which inspired me to do a bit more poking around. The first one I want to mention was the talk titled “Get Off of My Cloud: Cloud Credential Compromise and Exposure” This touched on amazon’s ec2 public AMI distribution and the security risks involved with using AMI’s not created by you. It brought up some interesting points and some issues that people may have overlooked. He mentioned that they have written some tools to “clean up” the AMI’s before sharing them out to the public. They didn’t release the scripts at the con and he mentioned that they weren’t publicly available yet so I went ahead an wrote some scripts (in bash) to look for the vulnerabilities when using an ami for the the first time, whether it a be a public ec2 AMI or an AMI that is put out by amazon.
The second talk that I found real interesting was the “We Are The Robots: Social Hacking With Bot Swarms” which talked about the connections made by users on twitter. They had a competition with bots on twitter to see what relationships bots can create between two other people and what information links them.
The last talk I that was interesting was “Highly concurrent Python for brute forcing and discovery”. I only have just started using python in some projects so this was a bit more advanced that I was used to but seriously great information. He talked about Python coroutines and epoll to build your own high performance brute forcing and discovery tools.