Archive for the ‘Event’ Category

A Northern Geek’s trip South West

June has been a busy month. Hot on the heels of BSides London (review here), I again found myself on a train BSides-bound, this time heading for Liverpool.

Before getting to the tech, I’ll point out that this was my first time in Liverpool. After a very brief visit I found the city to be beautiful (the conference location in the docklands certainly didn’t hurt), and I intend a return visit to hit the tourist spots as soon as I can manage it.

As I’m being more responsive than I was with my London wrap, I’m not yet able to link to the talks’ recordings. But after watching Cooper and team run around diligently manning cameras and audio equipment, I’m sure they’ll be available shortly, and I’ll endeavour to update once they are.

The day got off to a bang courtesy of the welcome address; without repeating it verbatim, it was an excellent sermon reading from the (un?)Holy Book of Cyber….

From there, I was fortunate enough to attend the (mostly) excellent talks below.

Key Note – Omri Segev Moyal

Reading Omri‘s talk abstract prior to the event, I was unsure I was going to agree with the premise “Focus on malware, not Infrastructure”. Thankfully it seemed I’d gotten the wrong impression, and instead of focusing on corporate infrastructure (as I’d expected), Omri covered malware analysis without focusing on the infrastructure required to do so.

Any long-time reader may be aware that malware analysis was the initial goal that kicked off this humble blog (though I got distracted along the way), and those readers may also tie a link between the drop in post volume and my losing access to a datacentre. Migrating to alternative models is something I’ve been working on in the background, but oh boy did Omri provide a firehose-laden crash course to jumpstart that journey.

I’ll not go too deep into the technical detail of the material covered, largely as I hope to implement some of the ideas in the coming weeks and cover them in more detail once I’ve actually gotten my hands dirty myself. I will just say that the demo of quickly spinning up a DNS sinkhole without (your own) infrastructure got the creative juices flowing, and was very much in keeping with other talks of the day (but I’ll get to that later).

<update> Omri’s presentation deck can now be found here, with some associated code examples on GitHub </update>

Martin King – This is not the career you are looking for

It pains me to say it, as I’m not sure I can trust anyone who doesn’t like cheese, but Martin dropped plenty of wisdom and advice for those contemplating a career in infosec; advice that I wish I’d had (and paid attention to) when I was starting out. I’m paraphrasing as my notes from the talk aren’t the best (Martin, please correct any point that’s been misquoted), but Martin’s top 10 tips:

  1. Today, every company is an IT company.
  2. Never stop learning, and always be eager for more knowledge.
  3. You are the asset: your brain is more important than your muscles’ ability to mechanically tick boxes without impact.
  4. There are MANY great free resources available, leaving no excuse for point 2.
  5. Learn to Google; knowing the answer is less important than always being able to find the answer.
  6. Don’t be the stereotypical infosec tech that hates people. People skills are more important than technical skills when it comes to being able to make an impact in an organisation.
  7. “Failure is the best teacher.”
  8. Question everything, and automate everything else.
  9. There are as many paths into an infosec career as there are people with infosec careers: being you is the best option.
  10. The industry is INCREDIBLE. Ask for support and you’ll (likely) get it.

Sean Lord – Deception Technology

With the topic being deception technology I was understandably looking forward to this talk. As Sean stated at the very beginning of the talk “this is not a vendor pitch”…..

Andrew Costis – LOL-Bins

For those unaware, LOL-Bins are nothing to laugh at: Living Off the Land Binaries are those tools that come (mostly) pre-installed on targeted operating systems that an attacker can leverage to achieve their goals without requiring additional software (which may trigger AV alerts).

Andrew did a good job of explaining the core concepts, the LOLBAS Project, the MITRE ATT&CK framework and, most importantly, how it can all be brought together to strengthen resilience against intrusions.

Panel – How to submit a CFP

The takeaway from this session was simple, and invoked a certain brand: JUST DO IT!

Peter Blecksley – On the hunt

Yes, that Peter Blecksley. This was the first talk that I was disappointed wasn’t recorded, but given the content of the session it’s not too surprising. Peter was an EXCELLENT speaker, detailing some of his former life undercover with Scotland Yard, his time in witness protection as a result, the Hunted TV show and, most importantly, the particulars of his current man-hunt for “Britain’s most wanted fugitive” (head here to see if you can help).

Kashish Mittal – One Man Person Army

Kashish discussed his experiences building up several SOC teams, and the tips he’s learnt along the way.

One of the key pointers I took from the talk was the importance of making an impact early, and of building a reputation for getting results. Starting a new function within an organisation can be daunting, primarily because a complete version of that function has a laundry list of capabilities you eventually need to be able to perform, but prioritise your goals and:

Secure > Document > Repeat

Ian Murphy – The logs don’t work

Like Omri’s keynote, I was dubious of Ian’s premise, but I found the talk far less provocative than the abstract suggested, and I found myself agreeing with all (most?) of the points made. Briefly:

  • Alert fatigue eventually means even critical alerts end up being ignored. If an alert isn’t actionable, why are you alerting on it?
  • There’s not enough innovation in InfoSec. When Gartner claimed “IDS is Dead”, as an industry we changed the D to a P and moved the same device in-line.
  • Assume breach: both that you already have been, and that you will be in the future.
  • Humans are always the weakest link.
  • Unless you’re a LARGE company, attempting to build a dedicated, fully functional SOC is nothing more than “a CISO’s ego-trip”. Leverage the skillsets of specialists.

Jamie Hankins – WannaCry

I must start with a confession: Prior to this talk I don’t think I was aware of Jamie, or his proximity to the events of the WannaCry/NHS saga. That was a failing on my part, and one I’ll attempt to redress in the future.

I was also sat in the room early before the session, and was aware of Jamie’s immense nervousness prior to his talk, being a first-timer; I was genuinely worried that Jamie might truly bottle the session and run.

So, with all that said, what was the outcome when Jamie started? Best. Session. Of. The. Day. Seriously, I’ve no idea why Jamie was nervous, and judging by the reaction, the rest of the audience shared my opinion.

Unfortunately, the session wasn’t recorded, for reasons that make sense when you consider the current ‘experiences’ of Jamie’s partner in (not) crime after getting some media attention.

Keeping with the above, and honouring the request for no pictures (which was brilliantly ignored by an attendee in the front row, despite the bouncing “no photos” screensaver projected on stage), I’ll refrain from covering most of the talk, but will share a couple of notes covering the wider context.

  • NCSC’s CiSP platform and team are amazing. As a user of the platform during the incident in question I must concur; seeing the industry come together and collaborate during an incident is ALWAYS amazing.
  • It doesn’t matter what is going on, everything gets dropped 12 minutes before Starbucks closes.
  • The effort to prevent damage from WannaCry infections is continuing long after the media circus has subsided.

Beer Farmers

What can you say about a Beer Farmers’ talk? It was entertaining, engaging, and spoke a LOT of truth. But I wonder at the value of such a talk, as it’s mostly preaching to the converted, and given the delivery style I doubt it would be overly well received outside of the echo chamber.

Finux – Machiavelli’s guide to InfoSec!

Arron has come a long way since I was fortunate enough to listen to him speak nearly 10 years ago at an OWASP meet, but one thing that hasn’t changed is Finux’s enthusiasm for telling a story, getting a point across, and making an audience want to listen.

When the audience was asked to raise their hands if they’d read Machiavelli’s work, mine remained down. So I was a little surprised to discover how well some of the teachings could be translated to the modern world, and InfoSec in particular. Especially as it would give speakers someone to quote other than Sun Tzu, I wonder if Arron will start a trend after pointing out the options.

Summing Up

Many, many thanks to BSidesLiverpool organisers, crew, goons, speakers and attendees. I wish I could have spent more time with all of you, thoroughly enjoyed the time we did share, and I hope to do it all again soon.

Andrew

Categories: Event, InfoSec

A Northern Geek’s Trip South – 2019 edition

2019/06/28

How time flies; and with it, another BSides London is a long distant memory.

My itinerary for the pilgrimage South was familiar, mostly following a well-worn pattern:

  • InfoSec Europe Tuesday
  • BSides itself Wednesday
  • Thursday? Recovery time in the capital, before heading for the train back to (my) civilised society.

And throughout: a generous smattering of catching up with ex-colleagues as the whole industry descends on the capital. I’ll not embarrass (or incriminate) those by name, but you know who you are; it was good to see you all, and we must do it all again soon.

Tuesday – InfoSec Europe

InfoSec is what it is; it was a good excuse to meet contacts at various vendors and partners for the first time, and to catch up with some old contacts.

The conference hall felt like it had been hit by austerity: less crowded than previous years, fewer ‘booth babes’ (not a bad thing; maybe vendors are finally getting the message), and vendor swag? Still available, but the good stuff seemed to be under the table, given out at discretion rather than as a free-for-all grab as attendees did the rounds.

Wednesday – BSides London

What’s not to like? This year’s topics were as varied as ever, with all the sessions I attended being top-drawer. Very briefly:

PowerGrid Insecurities
For reasons that make sense if you were there, this talk wasn’t recorded but WAS very informative. I now know to be more wary of squirrels than terrorists when it comes to outages on the power grid. And I may, unfortunately, now be able to explain the random tape from old-school cassettes I found around the local substation…..
A Safer Way to Pay – Card Payment Infrastructure
Chester provided a great overview of both the current and future state of card payment infrastructure. If you’re involved in financial transactions, PCI audits or similar, this talk covered some of the background tech and networks involved.
Fixing the Internet’s Auto-Immune Problem – Bug Bounties and Responsible Disclosure
Debates and topics around disclosure, responsible or otherwise, are always interesting. Chloe’s take on the current legalities, and more importantly on what is going to be needed in the future to provide a safe and stable foundation for non-contracted testers, definitely did a good job of expressing the views of one side of the debate, and of kickstarting some interesting conversations in LobbyCon.
When the Magic wears off – ML
Firstly, an admission: I ended up in this talk by accident after getting my track numbers confused. That said, the talk was interesting, but it confirmed my reasoning for not originally having it on my agenda: I simply didn’t have enough background knowledge in ML to fully understand the content. It was interesting to follow along to, but you’re going to need someone from that world to fully explain it to you.
Build to Hack, Hack to Build – Docker (in)security
Docker (and Kubernetes) isn’t something I’ve had much real-world exposure to (yet: as with everything, it’s on a growing list of side projects I’ve not found time for). The session was a great introduction to the world of container (in)security, and I left with some frameworks and tooling to help bootstrap my future efforts in the area. Watch this space.
They are the Champions – Security Champions
There are always more security projects than InfoSec resources in any org, so tips for leveraging the wider business never hurt. Jess always provides a thorough, professional and powerful presentation, but personally I think this was almost to its detriment this year, feeling too polished and sales-pitchy for a BSides. Not necessarily a criticism, but I’d prefer a return to singing in Klingon for a memorable talk.
Closed for Business – Taking down Dark Markets
I’ve always found the real-life war stories of LEAs taking on various dark marketplaces fascinating, so getting the chance to hear some modern examples in person was definitely high up on my priority list for this year’s sessions. John didn’t disappoint; if you’ve got an hour to kill, be prepared for an interesting journey.
Inside MageCart – Web skimming tactics revealed
This session was one of those talks that manage to bridge the gap between fascinating to me personally and relevant professionally (helping to convince $employer to fund the trip). I left the talk with a better understanding of the techniques and incidents behind the headlines, as well as some interesting tid-bits around what could be the next evolution of the campaigns. Hopefully enough so to stay one step ahead of the curve, and avoid being front-page news myself.

CyberRange – OpenSource Offensive Security Lab in AWS
This talk introduced a newly released toolkit for rapidly spinning up, and tearing down, offensive, defensive and vulnerable lab environments in AWS. And who doesn’t like having a packed toolkit of toys to play with, and a safe environment to use them in? Project here.
Closing Remarks
This year’s closing remarks were bitter-sweet: capping off a great and successful day is always good, but it came with a new (to me) announcement of a changing of the guard for the team behind BSidesLDN. This inevitably resulted in reminiscing about events gone by, and as one of the handful at the first BSides London, it is remarkable to see how far the event and the community around it have come since the first event in the Skills Exchange.
Thursday – recovery^W PCI Council
I’ve already said my usual itinerary uses Thursday as recovery (I love BSides but it’s one intense day), whilst catching some of the tourist spots on a meander back to King’s Cross. This year? “Your trip to London? You said Thursday was free?” I did…. Off to a half day with the PCI Acquirers group it is.
I’ll admit I wasn’t looking forward to this (the terms PCI, QSAs and auditors trigger my PTSD….), and getting to the (very fancy) venue in jeans, conference tee-shirt and backpacks stuffed for the full week’s trip, I was feeling out of place with every other attendee suited and booted. That said, I was pleasantly surprised. All sessions (bar one; I’ll mention no names, but I think the hostess wanted a shepherd’s crook to hoist the overrunning speaker off stage) were excellent. So much so that I came back to the office with the suggestion that we send colleagues to future events whenever we’re able.
The highlight of the event for me was John Elliot discussing MageCart. As I’d been in a BSides session covering the topic the day before, comparing the perspective of industry with that of those closer to the internals of PCI itself was fascinating. Unfortunately, unlike BSides, the event wasn’t recorded for later consumption; but as luck would have it, John had given the same talk (in longer form) for a webinar session the week prior, which was recorded. Enjoy.
Another BSides in the can; until next year.
Andrew
Categories: Event, InfoSec

A Northern Geek’s trip South

2011/04/23

Tuesday started fine: a train down to the capital and a chance to meet up with the London work team. So far so good, until a colleague suggested a ‘quiet’ drink after work. It ended up not being too quiet after all.

With Wednesday starting off with ‘why?….’, I found some energy and headed for Security BSides London. As I’d already reconnoitred the location on Tuesday, getting there was a breeze, only to find the door locked. Javvad Malik to the rescue: he arrived at the same time and managed to call one of the organisers to let us in. After brief introductions all round I met Soraya Iggy in person for the first time, absolutely nothing like I was expecting but great in every way. After receiving my goodie bag (and getting repeated grief from Iggy to change into the con shirt) I enjoyed some good geek chat whilst watching the venue fill.

After the official opening of the event, I headed upstairs to track two, which started with Arron Finnon discussing DNS tunnelling techniques. I was looking forward to this talk as I’d got half of the information over a drink after Arron gave his famous SSL talk when OWASP Leeds travelled to Newcastle. My main takeaway from the discussion was that, with the use of some relatively simple tools, it can be relatively simple to bypass most captive wireless portals if they aren’t sufficiently tying down egress traffic. First on my to-do list of ‘I wonder what happens if you try this in my environment?’.

The second session was David Rook and Chris Wysopal discussing ‘Jedi Mind’ tricks for building security programs. Having watched recordings of both presenters from other events I was looking forward to getting the live experience, and neither disappointed. The presentation was great and I took a lot away on how to discuss security issues with non-infosec people, and how to talk about the problems in business terms to get buy-in to effect real change in an organisation. I was somewhat surprised, as this started a trend for the event of my favourite presentations being non-technical in nature.

The third session was one that I’d heard a few people dismiss before the event as being a bit lame. I’d already picked it out as my preferred session for this timeslot (it was a tough call; the other track was Justin Clark discussing web app attacks, but the end would have overrun the next talk I wanted to see). I’m glad I didn’t let the naysayers dissuade me: Ellen Moar and Colin McLean did a great job of demonstrating just how simple it is for anyone with basic computer knowledge (a script kiddie) to cut and paste their way past defensive countermeasures (AV). The content wasn’t anything groundbreaking (which is why I think some weren’t keen), but I think it’s the first time I’ve actually seen someone ‘prove’ what we all accept as gospel. Scary stuff.

The final session of the morning was Xavier Mertens discussing logging and event management. Not the most thrilling of topics I’ll admit, but it’s something that so few organisations seem to get right that I was interested to find out if there were any ‘better’ ways that could improve the process. Not only are there apparently better ways, but apparently there are also free better ways, so I’m going to take a closer look at OSSEC.

After lunch Steve Lord provided an ‘interesting’ look into different types/levels of pentester and what it means to be in the industry. The talk received a lot of laughs, but in hindsight I wish I’d seen a talk with more technical content. For me, BSides was for education and networking; I’ll leave comedy to the comedians.

The next talk was better: Wicked Clown, expanding on his BruCON Lightning talk, showing how to break out of a restricted RDP session. This was a great presentation, and was another attack to add to my ‘what if’ to-do list. More importantly he also provided a simple fix to prevent the attack vector; considering it’s a single checkbox, and the workaround breaks how most would ‘expect’ the service to behave, I’ll echo his confusion as to why Microsoft don’t have the checkbox ticked by default. Perhaps secure out of the box is too much to ask?

David Rook took to the stage again, this time alone and discussing static code analysis with Agnitio. I’d taken a look at Agnitio since David released it, but as I’m not much of a dev (see the utilities I release for proof…) I haven’t been able to try it in anger. If you’re interested, the talk slides are available on the Security Ninja blog. If the tool can reach the stated end of its road map of being the ‘Burp Suite of static analysis’ then it should be a fantastic tool.

The next talk I saw was Manuel demoing the (reverse~re)engineering of DRM within Android applications. I found the talk fascinating, mostly for how quickly Manuel was able to put the pieces of the puzzle together and bypass the protections put in place to prevent exactly what he was attempting. Whilst the presentation was good, it was one of those where you feel your comparative IQ drop as you see black magic being wielded at the keyboard before your eyes.

The event finished with ‘Security YMCA’; words cannot describe this ‘experience’ so I won’t attempt to, and will leave you with this YouTube video. (WARNING: once seen, cannot be unseen.) Unfortunately trying to hide at the back didn’t help in the end, so I must apologise to Ellen as I managed to say thanks for an interesting talk by subjecting her to my ‘singing’ attempts. To ensure the guilty aren’t protected, those at the front assaulting your senses are:

During most cons I’m usually sat in the office getting snippets from Twitter, or reading a blow-by-blow account as Chris John Riley posts during every session. I always wondered how he found the time to get it all done; after seeing it in person I’ve still got no clue…

Thursday provided no let-up, with Infosec Europe next on the agenda. Feeling lively, I left the hotel in Farringdon early, just after seven, and proceeded to walk to Earls Court. Yes, for those that know London this is around 5 miles as the crow flies, and it’s even longer if you keep taking the wrong turn as you’re too busy admiring the sights of London (I managed to cover Oxford Street, Regent Street, Piccadilly, Buckingham Palace and Hyde Park on the way). Unsurprisingly I was slightly tired when I arrived. As this was my first visit to InfoSec I was surprised by the size, but with a bag for freebies in hand, I hit the stands to talk to vendors. Without giving a boring stand-by-stand account, it was good to meet some people in person for the first time, and to get some hands-on demos of products I hadn’t yet seen in person. Some of the marketing was in high spirits however; I got my favourite quote from a vendor who shall remain nameless (I’m nice like that) stating:

we don’t have a solution for the iPhone, as it’s a secure platform why bother?

The offering had looked promising until then; after that comment? Thanks, but I’ll pass…

I did take advantage of the Syngress stand’s discounts and filled out my to-read pile (Ninja Hacking, Seven Deadliest USB Attacks, Cybercrime and Espionage and Digital Triage Forensics). Although I didn’t take as much advantage as the gentleman in front of me in the queue, who literally bought one copy of every book on display, totalling over £450.

The trip ended with a bottle of lager sat outside the British Museum in some glorious weather (which unfortunately didn’t follow me back home). I don’t want to name names, as undoubtedly I’ll forget someone, but my most common phrase this week has been ‘Good to finally be able to put a face to the Twitter handle’. It really was good to meet people I’ve spoken to online for a while, and to make some new contacts as well. Looking forward to the next time we’re able to meet up.
–Andrew Waite
P.S. sorry for formatting towards the end, seems to be a strange limit with the number of paragraphs wordpress will accept per post. Will try to correct in due course.
Categories: Event, InfoSec

OWASP at Northumbria Uni – June 2010

June 16th marked the first time the Open Web Application Security Project’s (OWASP) Leeds/Northern Chapter ran an event at Northumbria University, meaning it was the first time I was able to attend. Jason Alexander started off proceedings with a brief overview of OWASP and the projects the group is involved with.

ENISA Common Assurance Maturity Model (CAMM) Project

Colin Watson did a good job of explaining the work he and others have been doing. The project has released two documents which Colin discussed, the Cloud Computing Risk Assessment [.pdf] and the Cloud Computing Information Assurance Framework [.pdf]. Don’t be put off by the focus on ‘Cloud’; whilst this was the focus and reasoning behind the work at the start of the project, the information and processes Colin describes could easily be applied to any IT environment and at first glance seem to be well worth a read.

Open Source Security Myths

Next up, David Anumudu gave a somewhat brave talk, considering the audience, discussing and (potentially) debunking the assumption that open source software is more secure than its closed source competitors. David picked on the now famous phrase from The Cathedral and the Bazaar, ‘Given enough eyeballs, all bugs are shallow’. David argues that while this is true and reasonable, it only works in practice if all the eyeballs have both the incentive and the skills to effectively audit the code for bugs, something that is rarely discussed. A cited example of insecurities in prominent open source software was that of the MD6 hashing algorithm, introduced at Crypto 2008, which despite being designed and developed by a very clued-up team still had a critical flaw in its implementation.

My ultimate takeaway from this talk was that a software’s licensing model has no direct impact on the security and vulnerabilities of any codebase; only the development model and the developers themselves have any real impact.

SSL/TLS – Just when you thought it was safe to return

Arron Finnon (Finux) gave a great presentation on vulnerabilities and weaknesses in the implementation of SSL protection. Arron argues that most problems with SSL are actually related to the implementation rather than the methodology itself, and that despite the high profile of problems related to SSL most techies still don’t ‘get’ it; and most users, regardless of user awareness training, will continue to blindly click through the cert warning prompts.

Several of Moxie Marlinspike’s tools were discussed, mainly SSLStrip and SSLSniff. I was aware of both tools, but hadn’t tried them out in my own lab yet; after Arron’s discussion of the problem and their capabilities this is definitely something that I intend to rectify shortly. Especially when combined with other SSL issues, including the SSL renegotiation attack and the Null Prefix [.pdf] attack, issues with SSL can be deadly to an environment.

The main takeaway from this talk was that SSL isn’t as secure as some would state, and that when planning to defend against the attack vectors we need to stop thinking ‘what if’ and start working towards ‘what when’.

AppSensor – Self aware web app

Colin Watson came back to the front to discuss the work currently being undertaken by the AppSensor project. The idea behind the project is to create web applications that are, to a lesser extent, ‘self aware’, enabling any user making ‘suspicious’ web requests to be limited or disconnected so as to limit the damage that they can cause to the target system. It works on the premise that the application can identify and react to malicious users in fewer connection requests than the user needs to find and exploit a vulnerability.

The identification comes from watching for a collection of red flags and tripwires built throughout the system, from simply looking for X number of failed log-in attempts to real-time trend analysis looking for an unusual increase in requests for particular functionality. A lot of the potential indicators and traps reminded me of an old post on the Application Security Street Fighter blog covering the use of honeytokens to identify malicious activity, which I’ve covered previously.
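As an added illustration of the detection-point idea described above (example code written for this write-up, not the AppSensor project’s own reference implementation or its detection-point catalogue), the sketch below counts suspicious events per user inside a sliding window and escalates from ‘limit’ to ‘disconnect’ once thresholds are reached. The detection-point names, thresholds and the sample events are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed detection points. Each counts events per user inside a sliding
# window (seconds) and escalates the response as the count reaches the
# configured thresholds. Names and numbers are illustrative, not AppSensor's.
DETECTION_POINTS = {
    # simple tripwire: X failed log-ins in a short window
    "failed_login": {"window_s": 60, "limit_at": 3, "disconnect_at": 6},
    # a parameter the form never sends: one is suspicious, two is enough
    "unexpected_param": {"window_s": 300, "limit_at": 1, "disconnect_at": 2},
    # trend tripwire: unusual burst of requests to a single function
    "function_rate": {"window_s": 10, "limit_at": 20, "disconnect_at": 40},
}


class AppSensor:
    """Tracks per-user event timestamps per detection point and picks a response.

    The premise from the talk: the app should reach 'disconnect' in fewer
    requests than an attacker needs to find and exploit a real flaw, so the
    thresholds are deliberately low for the high-confidence points.
    """

    def __init__(self, points=DETECTION_POINTS):
        self.points = points
        self.history = defaultdict(deque)   # (user, point) -> timestamps in window
        self.disconnected = set()

    def observe(self, user, point, ts):
        """Record one suspicious event; return 'none', 'limit' or 'disconnect'."""
        if user in self.disconnected:       # once out, stay out for the session
            return "disconnect"
        cfg = self.points[point]
        window = self.history[(user, point)]
        window.append(ts)
        # drop timestamps that have aged out of the sliding window
        while window and ts - window[0] > cfg["window_s"]:
            window.popleft()
        count = len(window)
        if count >= cfg["disconnect_at"]:
            self.disconnected.add(user)
            return "disconnect"
        if count >= cfg["limit_at"]:
            return "limit"                  # e.g. throttle or step-up auth
        return "none"


# Constructed sample event stream: (timestamp_seconds, user, detection point).
SAMPLE_EVENTS = [
    (0.0, "alice", "failed_login"),
    (5.0, "alice", "failed_login"),
    (9.0, "alice", "failed_login"),        # third inside 60s -> limit
    (200.0, "alice", "failed_login"),      # earlier ones aged out -> none
    (1.0, "mallory", "unexpected_param"),  # first -> limit
    (2.0, "mallory", "unexpected_param"),  # second -> disconnect
    (3.0, "mallory", "failed_login"),      # already disconnected
]


def run(events, sensor=None):
    """Feed events through a sensor and return (user, point, response) tuples."""
    sensor = sensor or AppSensor()
    return [(user, point, sensor.observe(user, point, ts))
            for ts, user, point in events]


if __name__ == "__main__":
    for user, point, response in run(SAMPLE_EVENTS):
        print(f"{user:8} {point:18} -> {response}")
    # trend check: 25 hits on one function within 5 seconds trips the rate point
    burst = run([(i * 0.2, "bot", "function_rate") for i in range(25)])
    print("burst ->", burst[-1][2])
```

The sliding window matters: a user whose failures are spread over hours never trips the log-in point, while a burst of the same size does, which is the difference between a tripwire and a plain counter.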

Summary

Overall I really enjoyed the event. I’m hoping that the Leeds/Northern OWASP chapter decide to run more events within Newcastle, but if not, it’s convinced me that the events are worth the time and cost to travel down to the other locations. It’s always good to discuss infosec topics face to face with some really knowledgeable people.

–Andrew Waite

Breaking into the loop

2010/06/12

For those that don’t know, the first run of the InfoSec Mentors programme got off the ground this week. My mentee, Jacob (@BiosShadow), has released his first blog post, Being out of the Loop, since we were paired together and it has struck a chord with my own experience with similar problems and got me thinking at the same time.

To sum up Jacob’s post, he is frustrated that there is no active infosec community within a reasonable distance of his location. I can relate to this sentiment; when beginning the slow road towards an infosec career, before I was even aware a legitimate career in the field was possible, my own interactions and learning opportunities were limited to reading books or online articles. The online infosec community is, in my opinion, great, and the debates, relationships and friendships that can be developed are something that I don’t think is found in any other industry, but you can’t fully replace the benefits of a face-to-face meeting.

One of the early mistakes I made was assuming that information security and computer threats were only of interest to those solely focused on information security. I’ve since discovered that different aspects of infosec can be of interest or concern to anyone in the IT or business arenas, and I’ve been involved in some interesting discussions and debates on information security with some very intelligent people at some of my area’s flourishing IT user groups whose focus isn’t infosec specific. It was one of these groups, SuperMondays, that provided my first public speaking opportunity, and despite my topic, honeypots, being quite specialist I believe the talk was very well received.

Since first finding SuperMondays I have continued to discover a great and vibrant IT community in my region (North East England), and I’m continually surprised when I stumble upon other groups in the area like the Northern UK Security Group (must find time to travel across to Manchester), and I am eagerly awaiting the local-ish OWASP chapter from Leeds heading North to Northumbria University next Wednesday.

If you feel the same frustrations as Jacob and myself (and others), throw a message out on Twitter or your blog etc. letting people know who and where you are. You just might be surprised to find others in your area with the same problems.

For my part: if you’re in the North East of England (or the general area) get in touch and let me know; I’m always keen to discuss information security with anyone willing to listen.

–Andrew Waite

Categories: Event, InfoSec

Digital Security & Governance for SMEs

2010/04/28

Yesterday I had the pleasure of attending Digital Security & Governance for SMEs at Northumbria University. The purpose of the event was to help SMEs better understand the threats targeting their information systems and their responsibilities in securing personally identifiable information (PII), and to introduce NUWARP (more later).

After the event was introduced, the first slot was taken by David Reynolds, CEO of the International Association of Accounts Innovation & Technology Consultants (IAAITC). An accountant may have been a strange choice to start a Digital Security event, but that was the point: David covered the sensitive information that is handled by all types of businesses, as well as the legal and regulatory requirements that impact all businesses. Covering the most common compliance topics, including the Data Protection Act (DPA) and the Payment Card Industry Data Security Standard (PCI DSS), David did an excellent job of highlighting that information security is relevant to all employees and business types, not just ‘IT’ companies or the secret techie hidden in the back corner.

Next up, Paul Holborow from RMT discussed data loss and the impact it can have on a business. Given the press coverage it received in 2007 it is no real surprise that Paul’s main case study focused on HM Revenue and Customs’ lost CDs, but Paul may have been slightly unnerved to discover that some of HMRC’s auditors could be found in the audience. If you’ve spent much time working with information security or business continuity planning, Paul’s talk wouldn’t have contained too many surprises. One tip that I did take from the talk was that the Information Commissioner’s Office (ICO) maintains a public list of the complaints it has investigated; if you’re interested in a particular complaint, or just curious about what the ICO gets involved in, give it a look here.

Phil and Colin, both from the University, discussed their work on monitoring data leakage from an organisation. As with Paul’s talk, if you understand and have worked with data leak prevention (DLP) technologies you’re unlikely to be surprised, but the content was definitely new to some of the delegates, whom I observed furiously scribbling notes. It also seemed to come as a surprise to several delegates when Phil stated that approximately 70% of security breaches are the result of insiders, not ‘mysterious hackers out there’. There were some excellent real-world examples; the one that seemed to hit home with most of the audience was the scenario of the sales person taking the client database with them to a new job. A lot of the statistics used in the talk were sourced from Cyber-Ark’s white paper ‘The global recession and it’s effect on work ethics’ (registration required), definitely worth a read if you’re interested in this area.

Chris Laing provided a live demo of an external attack. As Chris introduced himself as ‘an ethical hacker paid to break into your systems’ I was looking forward to the display, but was disappointed when Chris took control of a Windows 2000 server using an old MSRPC exploit with Metasploit. The scariest aspect of the whole event was the fact that almost every delegate took a deep breath and turned white. I did ask Chris the thinking behind using an old exploit and target, and was told he was concerned about scaring the audience too much and that some of them may be concerned that he was making exploits ‘known’ that target systems they run in production. Personally I would argue that if the exploit is already in Metasploit (framework 2, demo used WHAX as an attack platform) then it is already ‘known’ and that the demo could have had a much greater impact targeting a more recent platform. However I can understand Chris’ reasoning, and the demo still had an impact on those that hadn’t seen Metasploit at work before. My only concern would be that some may have left the event thinking ‘that was scary, glad we upgraded from Windows 2000….’

The last presentation slot was taken by Alison Pickard, who discussed ‘What is effective information crisis management’. Covering the ‘softer’ side of information security, Alison’s talk did an excellent job of highlighting how simple it can be for organisations to fall foul of information security regulations. Alison introduced an excellent resource that I wasn’t previously aware of, JISC infoNet. If you’re responsible for personal information or its security (stop thinking, after Alison’s presentation this means EVERYONE) I’d definitely recommend having a browse and seeing what you can learn.

To finish the event, after scaring most of the delegates, Chris again took the stage to introduce the Northumbria University Warning, Advice and Reporting Point (NUWARP). For those unfamiliar with WARPs, they are:

‘a community based service where members can receive and share up-to-date advice on information security threats, incidents and solutions.’

I was definitely impressed with the services NUWARP proposes to provide; hopefully the group will be able to significantly improve the security awareness and defences of local businesses and those in the wider area. Although there is a cost attached to the services provided, I was honestly surprised at how low this was in relation to the specialised knowledge and information available, and as NUWARP is set up as a non-profit all income gets fed back into the service, so the resources available can only improve.

As a taster and a bonus for event delegates, the event pack included a number of high-quality ‘best practice’ data sheets covering a full range of information security topics, including the DPA, passwords and secure outsourcing. If you want additional information on NUWARP, contact Chris or Phil using the links above; NUWARP is something I would definitely recommend investigating to see how it could help your organisation.

— Andrew Waite

Categories: Event, InfoSec, Legal, Presentation

Month of PHP bugs 2010

Following the now well-established form of a ‘Month of X Bugs’, php-security.org has just opened its call for papers for a second month, to update and expand on its successful run in 2007.

I’ll admit that I largely ignored the original Month of PHP Bugs (MOPB); at the time I had just decided to stop coding in PHP and try a more mature language. I had found PHP a very simple language to learn and code in, but as a result I also found it very simple to code very badly in. (I’ve since found that a bad coder can code badly in any language, which is why I gave up the career path of developer.)

However, this month’s SuperMondays event changed my perspective slightly. Lorna Jane gave a great presentation on using PHP to provide a web services architecture, and at first glance it looks like PHP has improved and matured significantly since I last used it. For those interested, Lorna’s talk was recorded and is available here, and Lorna’s own take on the event can be found here.

So while I’m not in a position to contribute to the month’s releases, I will be paying closer attention to the resources released this time around. If you think you can contribute, the organizers have posted a list of accepted topics:

Accepted Topics/Articles

  • New vulnerability in PHP [1] (not simple safe_mode, open_basedir bypass vulnerabilities)
  • New vulnerability in PHP related software [1] (popular 3rd party PHP extensions/patches)
  • Explain a single topic of PHP application security in detail (such as guidelines on how to store passwords)
  • Explain a complicated vulnerability in/attack against a PHP widespread application [1]
  • Explain a complicated topic of attacking PHP (e.g. explain how to exploit heap overflows in PHP’s heap implementation)
  • Explain how to attack encrypted PHP applications
  • Release of a new open source PHP security tool
  • Other topics related to PHP or PHP application security

[1] Articles about new vulnerabilities should mention possible fixes or mitigations.

And prizes are available for the best submissions:

# Prize
1. 1000 EUR + Syscan Ticket + CodeScan PHP License
2. 750 EUR + Syscan Ticket
3. 500 EUR + Syscan Ticket
4. 250 EUR + Syscan Ticket
5.-6. CodeScan PHP License
7.-16. Amazon Coupon of 65 USD/50 EUR

So what are you waiting for? Get contributing…

–Andrew Waite