ShmooCon hacker event gets under way

The third annual convention draws security researchers and other experts to debate everything from wireless hacks to data breaches

The third annual ShmooCon convention kicked off in Washington, D.C., on March 23 and will run throughout the weekend with a series of lectures and presentations covering a wide range of enterprise security issues.

Held at the Wardman Park Marriott Hotel through March 25, ShmooCon aims to serve as an East Coast hacker convention -- and an unofficial complement to the annual Black Hat confab in Las Vegas -- focused on technology exploitation, security products, and discussion of newly emerging threats.

As in previous years, the list of scheduled speakers includes some of the security industry's leading personalities, including an opening keynote from Avi Rubin, a professor at Johns Hopkins University's Information Security Institute and one of the most outspoken critics of existing electronic voting systems.

Some of the best-known hackers scheduled to present at the show include Johnny Long, known recently for his white hat attacks on Google technologies; G. Mark Hardy, a government security specialist; and Katie Moussouris, who works for Symantec and has been known to use her smile to get by corporate security guards and then break into their companies' networks.

One of the most highly anticipated presentations planned for this year's ShmooCon is a talk on JavaScript malware given by Billy Hoffman, lead research engineer at Atlanta-based software maker SPI Dynamics, who impressed the audience at last year's Black Hat show with his talk on Web services vulnerabilities.

As part of his speech, which has been tentatively titled "JavaScript Malware for a Grey Goo Tomorrow," Hoffman will show off a new Web-based vulnerability scanning tool he has designed and dubbed Jikto, in a nod to its similarity to the Nikto open source Web server security testing program.

While some observers have described Jikto -- which uses the AJAX (Asynchronous JavaScript and XML) computing language to crawl Web sites and applications for holes, and can be dropped into other people's browsers to use them as unknowing sources of such information -- as the perfect way for hackers to aggregate data for use in future attacks, Hoffman said the technology was designed for less insidious purposes.

And while he will detail how the tool works to find JavaScript coding errors, which Hoffman said are still rampant in many popular Web sites, the researcher will not release the technology or its source code to the public.

"I created this with purely academic interests in mind, to show that this is the state of the art in JavaScript testing and that attackers are creating full-featured threats running in JavaScript," Hoffman said. "I'm trying to prove that these are very serious issues and show off how it can be done before someone in the Black Hat community figures out how to do this without telling anyone."

Hoffman maintains that Jikto will illustrate how easy it is for attackers to create cross-site scripting and other Web-based code injection exploits that can be carried out against even well-known and highly secured sites and applications.

One of the factors behind the current windfall of available Web vulnerabilities is the use of emerging Web services technologies such as AJAX -- a programming language that combines Asynchronous JavaScript and XML -- which is meant to speed up sites by making them more dynamically interactive.

"More and more Web worms are using AJAX to comb through sites, find new targets, and spread themselves," Hoffman said. "The rise of Web malware using AJAX is a big trend and the sophistication of these attacks is also increasing; AJAX is being combined with Flash in some instances for attacks that use the strength of each to deliver their payloads; we're seeing hybrid uses of multiple technologies."

By making his gadget public, Hoffman said he hopes more IT security executives will get the message about locking down their Web sites, which he admits is a very tough job. For its part, SPI markets penetration testing tools used by businesses to ferret out security issues from their online sites and applications.

Other noteworthy sessions planned for the sold-out event include talks on the positive impacts of enterprise security breaches, a hacker based in Iraq, vulnerabilities in Windows Mobile, and the overall security of radio frequency devices.