October 28, 2008
Hello again people.
In a bit of a time pinch, so here is the agenda for the day for those who care 🙂
- ‘The New Face of CyberCrime’ film screening and panel
- Blinded by Flash: Widespread Security Risks Flash Developers Don’t See
- Why Security Programs Fail
- The Future of Privacy
- Security in the Era of Identity 2.0
- DLP: What will be
- The Many Faces of Social Engineering
Should be an interesting and busy day.
August 13, 2008
I went to Defcon 16 this last weekend in Las Vegas. It was a really interesting and different experience for me this time. I would love to tell you about the great talks and the cool hacks, tools and demos. However, I can’t because I chose to inflict upon myself the experience of participating in the Mystery Challenge.
To briefly describe the Mystery Challenge is very easy, but not very informative. Basically, you agree to participate in a contest about which you are told absolutely nothing. Yup, no idea what you are going to be doing or what will be involved. I was on the Trusted Catalysts team, a community team from the Security Catalysts forums.
This year’s challenge required code breaking, puzzle solving, hardware hacking, lockpicking, finesse, software coding, forensics, book repair and just about anything else you can think of that relates to security and a lot of things that don’t. I am not going to give a blow by blow recounting of the event. I will say that it did give me the opportunity to stretch myself and, for that reason alone, was something that was well worth doing. This Wired article does a pretty good job of describing what was involved.
I learned a lot and met some great people who graciously put up with having a dork like me on the team. I heartily recommend building a team and participating if you ever have the opportunity. It was probably the best opportunity I have ever had to get my geek on with a group of people who don’t look at you like you are insane when you start talking about things like cryptographic frequency analysis, one time pads, chip timing differentials, ROT13 and asking questions like who can pick this lock?, does anybody have an arc welder?, and what day is it? Everybody who participated was great and I congratulate the teams that tied for first place. Well played!
June 6, 2008
So, just got back from our vacation and while I noticed many occasions where security was definitely not priority one, the most egregious was in pretty much every place we stayed. Most of the places we stayed have a policy where you return your room key to the front desk whenever you leave the hotel.
The epic fail comes in when we would return to the hotel from gallivanting about in exotic locations 🙂 You walk up to the desk and say your room number and the helpful individual there hands you your key and off you go. No identity verification of any kind. Oops.
Now, if it is a small hotel with limited staff, the argument can be made that they recognize you and no further controls need to exist. Not really buying it, but there it is. The real problem I noticed is in the last hotel we stayed. Pretty much every day there was someone new behind the counter and over the course of four days I was asked for my name exactly once! To give credit to that individual, she even checked the register to ensure that I was the one staying in the room I asked for.
Second problem, the keys were located in plain view. This means it was easy to see which rooms were empty, i.e. key present, and which weren’t, i.e. key gone.
So what’s my point? I have an observation and a question.
1) don’t leave stuff you want to keep in your hotel room even if the hotel says it is safe unless you can secure it somehow
2) When you see things like this do you/should you bring it to the attention of those responsible?
June 2, 2008
I am back from vacation. Unfortunately, that means there are quite a few items in the old inbox to be read, RSS feeds to catch up on, messenger pigeons to respond to, etc…
I plan to start back up with Interesting Information Security Bits posts tomorrow or Wednesday at the latest, however I will not be posting a backlog from my time away.
Have a great day.
April 29, 2008
A few weeks ago I wrote about participating in Cyber Defense Competitions as a Red Team member. This weekend I had the opportunity to do so again. This time with a bunch of High School students.
This weekend was the annual IT Olympics event that is put on by Iowa State. The event is an opportunity for the High School students who participate in the IT-Adventures program to get together and compete. There are three competitions:
- Game Design
- Cyber Defense Competition
While the robotics and game design competitions were very interesting, I was there for the CDC. The Red Team didn’t actually get to start attacking until Saturday morning, so I volunteered to show up on Friday and help the students with anything they might need during the setup period. These kids are amazing.
Twenty-fourish teams showed up and we had about 20 Red Team members. In my previous post I mentioned three ways in which you can provide value to the students when participating in this type of event:
- Keep good notes
- Write down remedies
- Attend the debrief
I am happy to say that we accomplished all three goals. Probably the best decision made was to set up a Wiki with pages for each team where we could all keep notes as the contest progressed. These notes then became the outline for our talks with the teams in the debrief.
If you have never had the opportunity to work with kids that are interested in IT, I highly recommend you find a way to do so. It is truly a rewarding experience.
April 24, 2008
Good Morning/Afternoon/Evening depending on where you are or when you read this. Another day full of interesting bits on the intarwebs.
http://www.liquidmatrix.org/blog/2008/04/23/its-a-hump-day-miracle/ – Dave Lewis talks about the difference between the reality of work as a CISO compared to the work of the average 9-5er. He is interested in your feedback.
Vladuz goes down. A case study for corporate activism – Richard Stiennon talks about cross jurisdictional cooperation between law enforcement agencies and companies.
My Information Security and Privacy Convergence Webcast Now Available – Realtime IT Compliance – Rebecca Herold did a webcast for ISSA that is now available.
Security4all: The dangers of Web 2.0: information gathering tactics 101 – Benny Ketelslegers has a post up about the information we leave behind as we interact on the web. He points to a tool called maltego which can help you see what is out there.
Data Classification Is Dead – rmogull has put forth an interesting perspective on Data Classification.
Vulnerability notifications? – Kees Leune talks about customer notification when no verifiable breach has occurred and whether it is warranted.
How to audit an Internet Facing Server with Nessus – The folks over at Tenable have some guidance on using Nessus to audit an Internet-facing server.
Darknet points us to a nifty tool called Pass-the-Hash that allows us to change our credentials in memory.
That’s it for now. Have a great morning/afternoon/evening.
March 25, 2008
I have moved my RSS feed to feedburner for anyone who is watching.