Friday 18 February 2011

Day 3 - RSA, ISACA and IISP

After all the B-Sides fun and games, I managed to get an Expo pass for RSA (thanks to the Damballa folks) so thought I should pop in, chat to a few key folks and grab some swag to take home.


I got to take apart the Enigma machine at the NSA booth!
Almost won a kindle at the M86 quizshow
Had a good chat with the Australians at the Cryptsoft booth
Learned all about splunk
Had to sit through a very content free Kaspersky talk
Gal Shpantzer gave me a good Becrypt run through
Had far too many burgers at the Qualys bar

Made it back to the hotel in time to try and repack my bags with all the swag (see the picture below) before heading off to the airport. Fairly uneventful trip the 8000 miles back home and arrived in Edinburgh just in time to host a talk by Louise Behan of the Specialist Fraud Squad on behalf of ISACA Scotland and the Scottish branch of the Institute of Information Security Professionals. It's been a long week :-)

From B-SidesSF 2011

Day 2 of B-Sides San Francisco

Day 2 of B-Sides SF (pictures all up now on my Picasa page)

After very little sleep, headed over to Zeum early and as one of the volunteers was missing presumed sick I volunteered to be a Roamer for the day. Red T-shirt (would this mean I wasn't goin to return), earpiece and simple duties (keep an eye out for people going where they shouldn't.)

There were so many good speakers on Day 2 I found myself dotting between them to try and pick up content, but I did enjoy Anton Chuvakin's talk on SIEM. Key point he made was that you need to plan resource for it. I quote "If you only have an hour a month to do SIEM, stick to log management. Dedicate at least 50% of someones time"

Andrew Hay, Richard Bejtlich and Travis Reese's talk on Cyber Security Marketecture was well received as well. Some arguments about particular points, but in a generally productive spirit. I think they focused a little too hard on APT to the exclusion of all else, but they did cover APT in a rational way, unlike the usual FUD. I like the comment about Stuxnet - not very advanced or persistent but definitely a cyber warfare threat.

I also managed to get brief interviews with Jack Daniel of Astaro and Jon Speer of Tripwire to find out what sponsors get out of BSides. They both had remarkably similar viewpoints. They see value from:
  • Connecting with security professionals
  • Learning from and teaching the security community
  • Meeting potential employees
  • Having fun
For those companies not sure, just get involved. Sponsor as little or as much as you can, and be part of the community.

After lunch I managed to win The Manga Guide to Databases in the raffle (Excellent Prize) before the BSidesSF Carousel ride!

Dave Shackleford and Andrew Hay's "A Brief History of Hacking" was also very entertaining, including along the way the good and bad hacker films.

Robert Zigweid of IOActive then spoke about a topic quite close to our hearts here at 7 Elements - Threat modelling taxonomy. He splits out into the following types:

  • spoofing
  • tampering
  • repudiation
  • information disclosure
  • denial of service
  • privilege escalation
And these impact categories:
  • damage potential
  • reproduceability
  • exploitability
  • affected users
  • discoverability
Damon Cortesi's talk on Developers also included Threat Modelling - it is becoming pervasive.

The EFF panel were very well received but I only caught a small piece of it: key usage of end to end encryption to avoid compromise from threat sources as well as to avoid misuse by governments and their view that subject lines and text messages are definitely content, and email addresses and IP addresses may be in certain circumstances.

Raffael Marty's log analysis and visualisation in the cloud. This is an area which is likely to become all too important as more and more services are pushed to the cloud. Loggly have the concept of logging as a service, and Raffael's talk included an important piece on the need for visibility of dynamically scaling virtualised environments and the hypervisor, as well as availability.

I then said my goodbyes to the wonderful BSidesSF folks and volunteers - Banasidhe, MikD, djbphaedrus, Duckie, CindyV etc and headed east for the Owasp meet, where we had very worrying discussion around the security of critical national infrastructure...

Tuesday 15 February 2011

Day 1 of B-Sides San Francisco

The awesome guys at Security Stack Exchange got me 8000 miles across to blog B-Sides San Francisco, and it is an amazing opportunity to mix with Infosec professionals from various industries.

All my photos from this trip are on my Picasa page.

My highlights from Day 1:

Gone in 60 keystrokes:Dr Mike Lloyd:Red Seal
Sure, this was a vendor presentation, designed to point out a problem which his product solves well, but Mike didn't ram that point home. His presentation was solidly grounded in real world experience. Mike listed common errors which creep in on even the simplest firewall rulesets - incorrect netmasks, a user readable label for an IP address not matching the actual address etc.

In a small ruleset, a visual inspection - going over the printout with a highlighter may
be enough, but for an enterprise firewall, not only do you come across much larger rulesets, but the risk or impact may also be higher.
Mike's guidance - instead of trawling the ruleset manually, focus on outcomes to understand what is happening - what does the network do? Where does information flow? Where is authentication used? Where do 3rd parties connect?

Security, Supply Chains and You:Hart Rossman:SAIC
Another good real world talk. Hart provided excellent detail on a variety of areas where supply chain errors will impact a business - nothing new, but solid examples of what goes wrong.

Screw The TSA - I'll Be Where I Want And Get Credit For It:Ray Kelly:Barracuda Networks
Location based social networking - how does it work, how can we exploit it?
Examples include 4square, MeetMoi (a seriously creepy stalking location based dating tool) and Ratio Finder (an app which uses 4square - checks where most women and men are...)
The problem with these apps is the same old one: they trust the browser to send correct data. As an example, 4square sends a variable called VID, along with location coordinates. The only check on 4square seems to be a quick validation on speed (eg if I check in in the UK, and then check in in the US 5 minutes later it won't believe I am there. It will let me check in, but not credit me with really being there)
So why is this interesting?
  • To provide an alibi? Maybe.
  • To create a perception of your lifestyle? Possible.
  • To get free stuff? Definitely: More and more retail outlets provide freebies and giveaways to people who check in - simple win: google for a 4square giveaway, check in and collect.

Letting Someone Else's Phone Ring At 3am: Building Robust Incident Management Frameworks:Andy Ellis:Akamai
As Akamai has an extremely large network, and a vast number of clients depending on uptime and performance, managing outages or loads quickly and efficiently is important. The key, according to Andy, is to minimise those things which can impact the response - human error, tiredness, lack of knowledge, lack of understanding, lack of key contacts etc.
Initial thoughts
  • Automate tools in advance
  • Be prepared for things to break
  • Get to the best person as quickly as possible
  • Segregate response functions to avoid neural congestion
  • Design to scale up and down
  • Learn from your mistakes
3 'standing' conference bridges are used for incidents so main one does not get clogged.
To get the best people on the incident, Akamai encourage self-reliance and delegated responsibilities by training throughout. All development managers are given responsibility for fixing their own area, and are provided training to support this.
During an incident, crisis managers are allowed to bypass controls in order to solve the problem quickly.
Common context has been defined, so all can understand severity (4 severity levels)
4 phases are also used:
  1. it's broken (minutes count)
  2. it's bandaged (hours count)
  3. it's fixed (days count)
  4. learn from it
Each incident has Noc technician. They get platform exec or SME. Each team has to provide a list of folks to call, and the order to call them in.
Multiple roles are avoided. Roles are handed off after 4-9 hours to allow team members to rest. Unnecessary team members are dismissed from the team.
Vulnerabilities and projects are tracked and measured.
Learning at all levels - system owner (what do I fix), directors (How do I stop this sort of thing happening again), c-level (What trends need to be dealt with)

The Afterparty was also a great success, with DualCore keeping the crowd entertained until the early hours.

After that, the hardcore crowd ended up at Denny's, talking security, politics, gun control and the early hacking scene, as well as the Security Stack Exchange concept and my band's nomination for an award (seriously folks - get over to and vote for Metaltech :-)

3 hours sleep - but I'm really looking forward to Day 2!