Chicago Conferences 2015

So another Chicago security conference season is in the books, including @Thotcon & @BsidesChicago. This is the second year that I’ve attended from afar since I moved to the Detroit Metro area. This has presented its own challenges, from places to stay, to getting to the venues, to trying to see all my friends from that area.

The weekend started with dinner with my friend @4n6woman on Wednesday night and rooming with another friend and their coworker. Thursday morning brought us Thotcon 0x6 and my 5th trip to this conference. Thotcon 0x2 was my first security conference, so I have a soft spot in my heart for this one. The email from the organizers promised some updates and a number of new things in store for this year. I had a VIP badge, so I was excited to see how they had changed things. The venue was the same one that they have had for the last few years, but a new configuration gave them a little more room, more areas, & less bleed-over from the hallway-con that has been an issue in the past. It is still in the middle of BFE for those of us who don’t live on the CTA lines though. While the conference itself seemed better from a layout perspective, this part still irks me. I’ve spoken with the conference organizers about this, and the big issue I’ve been told is cost: the ability to get a good venue near the city for less money brought them back.

I spent a lot of day one talking to friends and catching up, but I did see the talk by a very smart lady I know, @wbm312, who did yet another great talk this year called “Hacking the CFAA”. Great content, and I wish I had a few hours to sit and talk to her about all the legal ramifications around the security work that we do on a daily basis. Day two brought a number of talks that I wanted to catch by friends and a few I didn’t know. One of the #BurbSec IRC crew (admford) did a talk on “How to Influence Elections on a Budget”, my friend @jack_daniel let us know “What we know & what we need to know”, another friend @claudijd spoke about sketchy “Trojaned Gems” in Ruby, and the #AwkwardHug master @jaysonstreet talked about “BREAKING in BAD!”, where he is the one who doesn’t knock. I had to head back to NW Indiana that night, so I didn’t get to see the after party, but I had a few drinks with some friends on that side of the state line, so it was all good.

Moving on to Bsides Chicago on Saturday brought a new venue, new speakers, and a new list of talks to learn from. The venue was different this year, and outside of the ultra-loud A/C it was a pretty good setup. If you were paying attention, the venue speakers could overcome the A/C for the talks. The keynote from @gdead was the first time I’ve heard him speak. Great talk & a lot of good points made, including “I don’t care if you disagree, but let’s have a constructive conversation about it”. Later @harmj0y and @sixdub talked about abusing trust relationships in Active Directory, and, the main reason for my attendance, @runasand talked about the Tor tools and their uses. These were the talks that stuck out to me & I feel gave some really great information on what is going on and thoughts about what to do about it when you go back to work Monday morning.

Overall the weekend was great. I had some new beers from a brewery across from the Thotcon venue, I was able to see a bunch of people I haven’t seen in a while, connect with some new friends, and just relax a bit from the stress of our daily lives as security professionals. What did you feel was the greatest thing about the weekend? Leave a comment or hit me up on Twitter.

-Scott

Is this thing on?

Wow it’s been a while, huh?

I guess I should write more. For now, let’s start with the easy stuff. I am hitting a few conferences this year and I hope to see you all during at least one of them. Here’s the list:

I’d love to hang out with anyone reading this, so hit me up on Twitter & let’s make plans. If you want to split a room at one of them, that’s negotiable depending on how well I know you. I’m all about saving some money. If you just want to toast a drink, I’m cool with that too. You never have too many friends.

Recap of CSA Norway, BruCON, & Dublin

Well, it’s been a bit since I returned from Europe, but I had a great time. Kai Roer set me up with a speaking engagement at the Cloud Security Alliance Norway chapter in Oslo. The topic was Vulnerability Management in the cloud. They were engaging and asked really great questions. We were able to stream it online, so my team members who couldn’t make the trip could see it as well. The talk covered the decisions that need to be made about whether scanning needs to take place, how often, what the costs are, and who’s responsible for resolving the vulnerabilities. The other reason for venturing to Norway was to meet Kai and see some of Norway. He was a gracious host and the country is beautiful. I need to put that on my list of places to go back to in the future for a longer trip!

BruCON was next on the itinerary, and Ghent was beautiful. The conference was held at Ghent University, and they had a great lineup of speakers like Jennifer Minella, Jim Fear, and Adam Schoeman giving talks on multiple technical levels. I was finally able to meet Jacob Kuehndorf when I roomed with him in Ghent. He’s a really great guy and was really helpful as I battled a head cold during my trip. I was also finally able to say hi to Marisa Fagan, who also made the trip to Belgium all the way from San Fran. I caught up with a few people I know on that side of the pond like Trey Darley, Wim Remes, and Xavier Mertens, and some from my side like Chris & Leigh Lytle, and Katie Moussouris. I do have to admit that Wim Remes was right though. He did find a Belgian beer that I liked when I got over there (even if it was through the proxy of Chris Lytle), so kudos to him on that one!

After BruCON was over, I headed to Dublin for a couple of days to see what other gems I could find in my favorite country. Still battling the head cold, I didn’t think that the “peat fire” in one tourist spot was a good idea though, so I got my new tattoo & tried to meet up for a pint with a few friends. I wasn’t able to catch anyone near Dublin at the time, but I reconnected with a couple of people I knew at the hotel I stay at, so it was still a good time. After that it was time to head back to Detroit and to the real world.

I attached a photo of the new tattoo below. Rachael is a great artist and I’ll be back there in May for Source Conference Dublin to get some script work done around it.


Credit vs Debit cards

This post is probably going to be mostly questions as I know little about the payment card industry, but here goes.

I was going through the drive-thru at a fast food establishment the other day, and I was thinking about which card to give them. I have read the stories about how credit cards are “safer” than debit cards because any money lost through fraudulent use is the credit card company’s issue. You don’t really have to do much of anything other than report it; they reverse the charges and they worry about tracking down what happened.

With debit cards, on the other hand, you do have a dog in the fight. According to the same stories, you are sometimes liable for up to $500 if you don’t report it in the first two days. Well, if you’re not paranoid and checking your bank online every day, it’s easy to go over that line. Plus, if you lost the money in the account, you may bounce things while waiting for it to be returned.

This brings me to the question about chip & PIN. So let’s say the geniuses in DC decide they are going to force chip & PIN because it will limit fraud, save time, etc. Great idea, right? What will the consumers say? We’ve all heard the stories about people being upset that they have to remember passwords for however many different accounts. Now add a different PIN for every credit card they own. At what point will they say “enough is enough” and ditch them?

They already have to use a PIN to get money out of the ATM though, so what about putting a chip in those cards & starting chip & PIN that way? Would that even be an option? I would assume that the start-up cost to upgrade all the ATMs along with all the swipe pay terminals would be huge. The question would be: would consumers be willing to upgrade to a chip & PIN system if it meant they were no longer liable for the money fraudulently taken from their debit account?

No idea, just throwing it out there. Though my guess is no, they’ll just complain.

Sweet Home Chicago

Well, another year, another Chicago conference weekend in the books. Last weekend was the THOTCon/BsidesChicago tandem; THOTCon 0x2 is where my conference circuit started. Since then I’ve hit a number of conferences across the Midwest and even Ireland, but I went back to my home town to see old friends & make new ones.

You could tell that both conferences did their best to not only provide relevant content, but also create an atmosphere where people wanted to be and wanted to learn. The struggle with this is that without doing the traditional “conference setup” of rooms with chairs and permanent audio equipment, you run into bleed-over from “hallway con” or other areas. Both conferences struggle with this because of venue choices in Chicago. You are restricted based on your budget & locations that can hold hundreds of people, as well as public transit and a venue that can serve alcohol. That said, I think both did their best to reduce the noise so those who wanted to hear the talks could do so.

So regarding the presentations, I have to say it was difficult to do a “best of” on each. I was able to catch a number of them at both conferences, and many had really relevant or interesting topics. I sat in on a talk by my friend @claudijd and his fiancée @L_ORA about a privilege escalation vulnerability in Cisco firewalls, as well as a talk by Joe Cicero on P.I.S.S.E.D. (Privacy In a Surveillance State, Evading Detection). Both were very detailed and gave a great overview of their topic. I had to give “best talk” to two different presentations for this one though. I couldn’t make up my mind on who presented better nor on which topic was better between them.

@wbm312 gave a great talk about the legal issues of taking devices across the border, including the fact that the US Government considers anything within 100 miles of a border, international airport, or main body of water (Great Lakes, etc.) as the “constitution-free zone”. This hit close to home as I had just come back from visiting my girlfriend in Vancouver, BC.

@hacks4pancakes also did an outstanding job on her talk, the “Ten Commandments of Incident Response (For Hackers)”. It briefly touched on “burn out”, which I believe is an issue in Information Security, but also gave lessons learned from her personal experiences. One main takeaway for me was the fact that technical skills are great, but let your technician work on the problem rather than sit in meetings asking when it will be finished.

Moving on to Saturday was BsidesChicago. A number of talks were given by coworkers or friends at this one. I had to leave a bit early as I was fading fast (the whole introvert thing getting in the way), but I have to say I enjoyed @securitymoey’s talk on “InfoSec Big Joke – 3rd Party Assessments”. He brought up some pretty good points, including vetting the answers that your service provider returns. If you aren’t doing it, no one is.

Overall I had a good time and got to hang out with some great friends that I don’t get to see often now that I’ve moved to “the mitten” of Michigan. Looking forward to seeing them all again soon & in the interim, back to learning!

Moving & Technology

So something I hadn’t thought about when moving until today was the lack of technology. Of course I’ll still have my phone, but I’m moving on Saturday and I will be without internet at my house for a week. I will obviously live, but it got me thinking. A lot of us rely on technology to do our day-to-day tasks like paying bills, chatting with friends, looking up directions, or just finding a good restaurant. Many of these tasks have been transferred to our phones, but there are things that are just easier when you have a keyboard.

Typing this blog entry would have taken forever on a phone, or I could let Google/Siri/what have you try to translate my speech. Either way, it is much easier to type out my thoughts and surf on a cable connection than on a phone connection.

All in all, it’s not the end of the world. I’ll be back online on Saturday the 22nd, and the blog will be down for a week. No big deal.

Sexism isn’t just in infosec

For a while now, people in my industry have been talking about sexism in infosec, and rightly so. Sexism exists in a lot of the world, and it’s wrong no matter the location or profession. I started to think about how prevalent it is, and I wanted to get some other opinions from women who worked in or dealt with other male-dominated fields. I decided to talk with my sister, who is a manager for a big-box home improvement store, as well as one of my friends I’ve known for about 20 years who has previously worked in law enforcement, volunteers as a firefighter/EMT, and works as a dispatcher for both.

I gave them the same three questions and asked for their honest opinion of what they see on a daily basis. Here’s what they said:

1) Do you feel that your opinions and contributions hold less weight in your industry, or that you’re cast off or slighted because you’re female?

  • Sister: Every day I see customers walk by a female associate who knows more than the male associate to ask a question only to see the male associate turn to the female associate to find out the answer for them.
  • Friend: While my industry is predominately female, I work closely with a predominately male profession. I do feel that many of those on the male-dominated side tend to brush off the contributions the female-dominated side provides them. While at my volunteer position, I feel brushed off frequently because of my gender.

2) Do you think you’ve been passed over for promotions/raises/accolades, etc. solely based on the fact that you’re female?

  • Sister: No, my management (male & female) pushes me to do more because I care about doing a good job.
  • Friend: In my profession, no. In my volunteer position, yes.

3) Do you feel that those you work with/for, or those you serve, harass or flirt with you because they feel that, because you’re female, they can, or because they feel they can get you to do something for them?

  • Sister: No, I feel that because they are trying to flirt with me, I can shut them down completely and walk away. It may be different in technology because there is no immediate cost to the customer.
  • Friend: I am fortunate that I work and volunteer with a group of people that treat me with respect, and that when there is harassment or flirtation it is all in good fun. I previously worked under a supervisor who treated me as if I were incompetent because I was female. He would send my male co-workers to check up on me and make sure I was doing the job right. He treated me as if I were his secretary rather than his team member, and I eventually refused to work under him.

While this may not be the norm or even the majority in all professions, there still exists a bias towards male opinions and contributions in many societies, and we need to keep talking about it. This post was not meant to downplay the sexism in infosec; rather, I want to broaden the discussion and make it more about how we treat the women in our society. They are intelligent and hardworking and deserve our respect. Don’t downplay what they offer, and they may just teach you something new.