My Defcon 16…or how I hurt my brain

August 13, 2008

Hi folks.

I went to Defcon 16 this last weekend in Las Vegas.  It was a really interesting and different experience for me this time.  I would love to tell you about the great talks and the cool hacks, tools and demos.  However, I can’t because I chose to inflict upon myself the experience of participating in the Mystery Challenge.

To briefly describe the Mystery Challenge is very easy, but not very informative.  Basically, you agree to participate in a contest about which you are told absolutely nothing.  Yup, no idea what you are going to be doing or what will be involved.  I was on the Trusted Catalysts team, a community team from the Security Catalysts forums.

This year’s challenge required code breaking, puzzle solving, hardware hacking, lockpicking, finesse, software coding, forensics, book repair and just about anything else you can think of that relates to security and a lot of things that don’t.  I am not going to give a blow by blow recounting of the event.  I will say that it did give me the opportunity to stretch myself and, for that reason alone, was something that was well worth doing. This Wired article does a pretty good job of describing what was involved.

I learned a lot and met some great people who graciously put up with having a dork like me on the team.  I heartily recommend building a team and participating if you ever have the opportunity.  It was probably the best opportunity I have ever had to get my geek on with a group of people who don’t look at you like you are insane when you start talking about things like cryptographic frequency analysis, one time pads, chip timing differentials, ROT13 and asking questions like who can pick this lock?, does anybody have an arc welder?, and what day is it?  Everybody who participated were great and I congratulate the teams that tied for first place.  Well played!



Interesting Information Security Bits for August 5th, 2008

August 6, 2008

Here we go.

CG points out that Brett Moore of Insomnia Security has released a Putty Hijack tool. Could be useful.

The IT Security Guy gives a heads up about a CIO magazine article about software security. Worth a gander.

All security professionals, at one time or another, will need to give presentations. Security4all has some good pointers on this topic frequently. Today’s pointers refer to your physical presence on the stage. Good stuff.

What out for GIFARS. Not good people, not good at all.

As was probably expected by us all, Twitter is being used to distribute malware. Ryan over at Zero Day has a post up discussing the issue.

Last, but definitely not last, Wesley (not “Wes”), is talking a little about a press release which is about a vulnerability he found in some SCADA software. Looking forward to hearing more about this in the future.

That’s it for today.


Interesting Information Security Bits for August 4th, 2008

August 4, 2008

Well the start of a new weeks is here, along with a batch of interesting things to take a look at. Only blogs again this time.

360 Security, along with many other folks, points out that the Apple DNS Patch Fails To Randomize.

Kurt Dobbins over at Arbor Networks has an interesting post up about the Myths and Realities of the Net Neutrality Debate. Good stuff in there.

Bruce Schneier brings to our attention that the U.S. government has published its policy regarding Seizing Laptops at Borders. Basically, we take when we want to and you don’t have any say in the matter.

Nifty post up at Neohapsis talking about exploiting hardware vulnerabilities in the Intel CPU. Neat stuff. Kris Kaspersky’s talk “Remote Code Execution Through Intel CPU Bugs” to be given at Hack in the Box was the impetus.

Wesley has created his first Metasploit module. It is a nifty tool. You should go take a look if you are interested in pen testing.

CG points to a paper and demo for DHCP script injection. Lots of fun to be had there. has a nice little bookmarklet that make is easy to use MSN IP Search to find domains on the same IP address as the web page you are reading.

Chris Hayes
continues his discussion of risk in response to Shrdlu’s comments on a previous post. Good stuff.

Finally, Gary Warner points us to another story about an insider selling PII.

I will be leaving for Vegas on Thursday so there will be light posting here until next week.


Technorati Tags: , , , , , , , ,

Umm..its not a technology problem.

August 1, 2008

Richard Stiennon says:

So, yes, there is good security awareness training. But I do not include teaching Bobby in reception how to avoid being taken in by Kevin Mitnick. It is futile and silly to expect your average employee to become paranoid enough to ward off social engineering attacks. Rather than invest in posters in the elevators exhorting people to stop strangers in the hallway, you should be investing in better security technology.

I do not agree.  Read the whole article and then come back here. I’ll wait.

I’ve been reading Michael J. Santarcangelo, II’s book Into the Breach. I was lucky enough to get a preview copy. I will be posting in more depth what I think of this wonderful book, but I do want to offer the following from the introduction:

We face a human problem where people are the the problem. The problem is that people have been unintentionally, but systematically, disconnected from the consequences of their decisions. As a direct result, they do not take responsibility and are not held accountable.

I agree that technical controls are important and should be implemented where appropriate. However, I disagree that providing awareness training to our people is a waste of time and resources. It can probably be done better, but it still needs to be done. How can we, as information security professionals, expect our users to treat information with due care if they are not aware of the importance of that information and the appropriate way in which to handle it? I submit that we cannot. We must, therefore, help them understand both the nature of the information they deal with on a daily basis and the way to handle that information that ensures that it is kept secure.

That’s where I stand. I am really interested in your thoughts. What do you think about technical controls vs. awareness?


Technorati Tags:

Intersting Information Security Bits for August 1st, 2008

August 1, 2008

Here we go. Just blogosphere stuff today.

Erix gives is some thoughts on prepping for the CISSA and CISA exams.

Malta Info Security has a post up talking about an application called CrypTool. Learn about cryptography in your spare time.

Chris Hayes recently started a blog talking about risk assessment. Today he has a post up that tackles the question “What is Risk?” It is worth a read.

Kees refers to a Veriozon Business Security Blog post that analyzes scenarios for exploiting the recent DNS vulnerability. He has an additional perspective that is worth checking out.

Security4all lets us know that the videos from The Last HOPE are now available. Thanks. Time to fire up the bittorrent client and make sure you have plenty of disk space.

Nate over at Zero Day brings to our attention that we are now in that time period where we start to see talks pulled from Blackhat.

Rafal reminds us that we really shouldn’t be exposing the administration interfaces of our systems and applications to the wild and wooly internet. He then shows us a way to see how many people are forgetting/ignoring this tenet.

Finally, the list of InforSec events for August is up over at

That is it for today.

Have a great weekend everybody.