What would you do to get to Shmoo?
Woke up at 4:00 AM
2.5 hours shovelling snow
1 hour to get to train station
1 hour on local commuter rail to BOS
2 minutes to find my train to PVD cancelled
1 hour on on first commuter rail to PVD
Finding my 12:50 train to DC only five minutes late = priceless
In about four hours I will be at Shmoocon and it will to be Epic. This years schedule contains a lot of fresh blood and new faces (which is not a bad thing IMHO). The schedule is so packed with goodness, that I am going to have to make some tough decisions on which sessions to attend. In addition, the after hours action is packed full of awesomesauce. There is the return of Firetalks on both Friday and Saturday evening, Podcasters meetup (including free booze), Jason Scott is previewing his new documentary called Get Lamp on Saturday evening (first computer program I wrote was a text based Adventure game on my TI99-4A), and of course there are the parties and meet-ups that will certainly include scotch and cigars.
On Friday we begin with, Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP with Andrew Gavin. Leveraging enterprise defense products = sexy in my book. Following that there are several cool sessions including a long awaited update from Johnny Long (who is back in the states for the con), and keynote by Peiter "Mudge" Zatko of DARPA.
On Saturday, I am hoping that Jon Oberheide and Zach Lanier has the cure for my much anticipated hangover with their talk; TEAM JOCH vs. Android: The Ultimate Showdown which will highlight their work on subverting the Android OS. I plan to follow-up with Hard Drive Paperweight: Recovery from a Seized Motor! being delivered by Scott Moulton. Scott is a super smart dude who never disappoints. I am guaranteed to learn something there.
Printers Gone Wild! with Ben Smith is in the next slot. Next I need to make some of those tough decisions I mentioned earlier. There is Attacking 3G and 4G mobile telecommunications networks with Enno Rey & Daniel Mende and An Evite from Surbo? Probably an invitation for trouble with Trent Lo aka "Surbo" from i-hacked.comhttp://www.i-hacked.com/. There is no doubt that mobile tech has definetly come of age and consequently will become a target but Trent is also a smart, entertaining dude. Then in at 16:00 there is Defeating mTANs for profit with Axelle Apvrille and Kyle Yang (mTAN = one-time bank password by SMS) and G W Ray Davidson's talk on designing a network for a conferance entitled ShmooCon Labs Goes To College. Both decisions will most likely be down to the wire. On Sunday, the talk that seems to be on averyone's agenda is Georgia Weidman's Transparent Botnet Control for Smartphones Over SMS in which she will release POC for a sms controlled botnet.
Total estimated time to get to the con = 15 hours (and worth it). See you in a few hours Shmoocon
Showing posts with label cons. Show all posts
Showing posts with label cons. Show all posts
Thursday, January 27, 2011
Sunday, August 8, 2010
HacKid Conference
Updated: New Date! Registration and Schedule is live!
I was at SecurityBSides Boston talking to Bill Brenner and his two sons about Lego's when Chris Hoff shared a brilliant idea on twitter. A hacking/security conference for kids and their parents. Soon after Hackid was born and the dates for the first conference were set.
So put aside the weekend of October 9-10, 2010. The first conference will be held at the Microsoft New England Research & Development (NERD) Center in Cambridge, MA. The community driven content has been posted and registration is live. It is the hope of the organizers that this will become the template that can be used at other locations and dates.I think I share a lot of others sentiment when I say this is going to rock!
So put aside the weekend of October 9-10, 2010. The first conference will be held at the Microsoft New England Research & Development (NERD) Center in Cambridge, MA. The community driven content has been posted and registration is live. It is the hope of the organizers that this will become the template that can be used at other locations and dates.I think I share a lot of others sentiment when I say this is going to rock!
Wednesday, March 31, 2010
Socs vs Greasers: The Pentesting Debate
During the Podcasters Meetup at Shmoocon 2010 a conversation began about the worth of penetration testing in the corporate environment. On one side of the tracks, business folks questioning why it was necessary to active exploit business systems while penetration testers argued for such. The conversation and debate has continued on many mediums since Shmoocon and many involved have made some valid points. I have not heard much from anyone who is in the trenches of security operations, however. Since this is my primary role for the small enterprise I support, I thought I could add some of my own perspective to the discussion.
I am the typical one man security show that is not uncommon within business the size of my employer. I deal with all aspects of security for the organization including vulnerability scanning and penetration testing. Other responsibilities include regulatory compliance, incident response, patch/vulnerability management, and security architecture. So my view on penetration testers and the services they have to offer is the same as any other consultant or contractor that walks through my door. I welcome the second set of eyes and assistance.
The reality is with all aspects of my daily responsibilities, I am going to miss things, make configurations errors, and downright fuck up from time to time. The fact the matter is I get tired, have a family, and often don't know my systems as well as I may think I do. I am a juggling clown balancing on a unicycle with a warped rim riding right down the middle of the train tracks separating these two groups.
This debate is not new and many others have already touched upon some of the pros of penetration testing. Defense in depth by way of post exploitation testing is one such argument that is completely valid. There are a few additional arguments I would like to make in regards to the usefulness of penetration testing, however.
I am the typical one man security show that is not uncommon within business the size of my employer. I deal with all aspects of security for the organization including vulnerability scanning and penetration testing. Other responsibilities include regulatory compliance, incident response, patch/vulnerability management, and security architecture. So my view on penetration testers and the services they have to offer is the same as any other consultant or contractor that walks through my door. I welcome the second set of eyes and assistance.
The reality is with all aspects of my daily responsibilities, I am going to miss things, make configurations errors, and downright fuck up from time to time. The fact the matter is I get tired, have a family, and often don't know my systems as well as I may think I do. I am a juggling clown balancing on a unicycle with a warped rim riding right down the middle of the train tracks separating these two groups.
This debate is not new and many others have already touched upon some of the pros of penetration testing. Defense in depth by way of post exploitation testing is one such argument that is completely valid. There are a few additional arguments I would like to make in regards to the usefulness of penetration testing, however.
- Your penetration tester should not be testing things that you know are broken. This wastes the consultant's time, your money, and does no one any good. If you know it is broken, evaluate the risk then fix it or put the appropriate mitigation in place so that it can be tested during the next engagement.
- Sometimes exploitation is the only way to verify something is broken. The Symantec exploit I blogged about last October is a great example of the risk assessment and patch management process failing within an organization. This was a situation where the only way to verify that a system was vulnerable even though it was patched was to run the POC on it. Such situations, while not the norm, are also not unusual. If you are trusting your Vendors to secure your environment, you are doing it wrong. It should be noted that the vulnerability was weaponized several months later as reported by dshield.org here.
- Incident Response! You do have an Incident Response plan right? Thought so! Do you review and practice it? What better time to see how well your IR plan works than when you're actively being attacked. A Penetration Test is a great time for the entire team to have a "fire drill" of sorts. I recently had the opportunity to listen to Andy Ellis speak about incident response. Andy serves as Akamai's Senior Director of Information Security and Chief Security Architect. His statements about availability made an impression on me. If your management is really serious about maximizing up time, then you better have a lean, mean Incident Response team. It is not a matter of; if you have a compromise, it is a matter of when, and how well you respond to it.
APT: There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that.Matt's advice includes building a security team with "... at least one very bad person" on it. For the small business security professional, that person is often the penetration tester. Besides they are usually much more fun to have a beer with than senior management.
Friday, November 13, 2009
DojoCon 2009
I have had several things I have been meaning to post but my day job has been keeping me crazy busy lately. However, I did manage to find a few hours to check out some of the talks streaming live from DojoCon 2009. For those not familiar with DojoCon, it was created by Marcus J. Carey this year and was held November 6-7, 2009 in Maryland. Marcus not only coordinated the conference but also donated a large amount of the proceeds to Hackers for Charity (HFC). I had the opportunity to watch several talks including the keynote from Marcus Ranum, a great talk by Matt Watchinski of Sourcefire VRT, and a fantastic breakdown on lock picking by Deviant.
I haven't had the opportunity to watch the remaining talks yet but I am looking forward to it. I recommend you check out some of the recordings, drop Marcus a thank you note, and donate to HFC. Marcus did a great job with the con and HFC is a great cause.
Thank you Marcus!
I haven't had the opportunity to watch the remaining talks yet but I am looking forward to it. I recommend you check out some of the recordings, drop Marcus a thank you note, and donate to HFC. Marcus did a great job with the con and HFC is a great cause.
Thank you Marcus!
Monday, June 15, 2009
Special Webcast: SANSFIRE 2009: Geekonomics
I recently discovered the book Geekonomics: The Real Cost of Insecure Software by David Rice after listening to his AusCERT 2009 talk on risky.biz. David is a fantastic speaker and makes some very convincing points of the role of economics, psychology, and sociology in the security inadequacies that plague software. I am still reading his book and hope to post a review once I am done, but I wanted to point that SANS will be offering a special live webcast of David Rice's talk from SANSFIRE 2009 this Wednesday evening, June 17, 2009 at 7:00 PM EDT. If you have an hour to spare I recommend checking it out! You can register for the webcast here: https://www.sans.org/webcasts/show.php?webcastid=92538
Subscribe to:
Posts (Atom)