Recap of CSA Norway, BruCON, & Dublin

Well it’s been a bit since I returned from Europe but I had a great time. Kai Roer set me up with a speaking engagement at the Cloud Security Alliance Norway chapter in Oslo. The topic was Vulnerability Management in the cloud. They were engaging and asked really great questions. We were able to stream it online so my team members who couldn’t make the trip could see it as well. The talk covered the decisions that need to be made about if scanning needs to take place, how often, what are the costs, and who’s responsible for resolving the vulnerabilities. The other reason for venturing to Norway was to meet Kai and see some of Norway. He was a gracious host and the country is beautiful. I need to put that on my list of places to go back to in the future for a longer trip!

BruCON was next on the itinerary and Ghent was beautiful. The conference was held at Ghent University and they had a great lineup of speakers like Jennifer Minella, Jim Fear, and Adam Schoeman giving talks on multiple technical levels. I was finally able to meet Jacob Kuehndorf when I roomed with him in Ghent. He’s a really great guy and was really helpful as I battled a head cold during my trip. I also was finally able to say hi to Marisa Fagan who also made the trip to Belgium all the way from San Fran. I caught up with a few people I know on that side of the pond like Trey Darley, Wim Remes, and Xavier Mertins and some from my side like Chris & Leigh Lytle, and Katie Moussouris.  I do have to admit that Wim Remes was right though. He did find a Belgian beer that I liked when I got over there (even if it was through the proxy of Chris Lytle) so kudos to him on that one!

After BruCON was over, I headed to Dublin for a couple days to see what other gems I could find in my favorite country. Still battling the head cold I didn’t think that the “peat fire” in one tourist spot was a good idea though so I got my new tattoo & tried to meet up for a pint with a few friends. I wasn’t able to catch anyone near Dublin at the time but I reconnected with a couple people I knew at the hotel I stay at so it was still a good time. After that it was time to head back to Detroit and to the real world.

I attached a photo of the new tattoo below. Rachael is a great artist and I’ll be back there in May for Source Conference Dublin to get some script work done around it.

 

Credit vs Debit cards

This post is probably going to be mostly questions as I know little about the payment card industry, but here goes.

I was going through the drive-thru at a fast food establishment the other day and I was thinking about what card to give them. I have read the stories about how credit cards are “safer” than debit cards because any lost money through fraudulent use is the credit card company’s issue. You don’t really have to do much of anything other than report it, they reverse the charges and they worry about tracking down what happened.

Debit cards on the other hand, you do have a dog in the fight. From the same stories it says that you are sometimes liable for up to $500 if you don’t report it in the first two days. Well if you’re not paranoid and checking your bank online every day it’s easy to go over that line. Plus if you lost the money in the account, you may bounce things while waiting for it to be returned.

This brings me to the question about chip & pin. So let’s say the geniuses in DC decide they are going to force chip & pin because it will limit fraud, save time, etc. Great idea right? What will the consumers say? We’ve all heard the stories about people being upset that they have to remember passwords for however many different accounts. Now add a different pin to every credit card they own. At what point will they say “enough is enough” and ditch them?

They already have to use a pin to get money out of the ATM though so what about putting a chip in those cards & starting chip & pin that way? Would that even be an option? I would assume that the start-up cost to upgrade all the ATMs along with all the swipe pay terminals would be huge. The question would be: Would consumers be willing to upgrade to a chip & pin system if it meant they were no longer liable for the money fraudulently taken from their debit account?

No idea, just throwing it out there. Though my guess is no, they’ll just complain.

Sweet Home Chicago

Well another year, another Chicago conference weekend in the books. Last weekend was the THOTCon/BsidesChicago tandem which started my conference circuit with THOTCon 0x2. Since then I’ve hit a number of conferences across the Midwest and even Ireland, but I went back to my home town to see old friends & make new ones.

You could tell that both conferences did their best to not only provide relevant content, but also create an atmosphere where people wanted to be and wanted to learn. The struggle with this is that without doing the traditional “conference setup” of rooms with chairs and permanent audio equipment you run into bleed over from “hallway con” or other areas. Both conferences struggle with this because of venue choices in Chicago. You are restricted based on your budget & locations that can hold hundreds of people, as well as public transit and a venue that can serve alcohol. That said, I think both did their best to reduce the noise so those who wanted to hear the talks could do so.

So regarding the presentations, I have to say it was difficult to do a “best of” on each. I was able to catch a number of them at both conferences and many had really relevant or interesting topics. I sat in on my friend @claudijd and his fiancée @L_ORA about a privilege escalation vulnerability in Cisco firewalls, as well as a talk by Joe Cicero on P.I.S.S.E.D. (Privacey In a Surveillance State, Evading Detection). Both were very detailed and gave a great overview on their topic. I had to give “best talk” to two different presentations for this one though. I couldn’t make up my mind on who presented better nor on what topic was better between them.

@wbm312 gave a great talk about the legal issues on taking devices across the border, including the fact that the US Government considers anything within 100 miles of a border, International Airport, or main body of water (Great Lakes, etc.) as the “constitution free zone“. This hit close to home as I just came back from visiting my girlfriend in Vancouver, BC.

@hacks4pancakes also did an outstanding job on her talk with the “Ten Commandments of Incident Response (For Hackers)”. It briefly touched on “burn out” which I believe is an issue in Information Security, but also gave lessons learned from her personal experiences. One main takeaway for me was the fact that technical skills are great, but let your technician work on the problem rather than sit in meetings asking when it will be finished.

Moving on to Saturday was BsidesChicago. A number of talks were given by coworkers or friends at this one. I had to leave a bit early as I was fading fast (whole introvert thing getting in the way), but I have to say I enjoyed @securitymoey’s talk on “InfoSec Big Joke – 3rd Party Assessments“. He brought up some pretty good points including vetting the answers that your service provider returns. If you aren’t doing it, no one is.

Overall I had a good time and got to hang out with some great friends that I don’t get to see often now that I’ve moved to “the mitten” of Michigan. Looking forward to seeing them all again soon & in the interim back to learning!

Moving & Technology

So something I hadn’t thought about when moving until today was the lack of technology. Of course I’ll still have my phone but I’m moving on Saturday and I will be without internet for a week at my house. I will obviously live but it got me thinking. A lot of us rely on technology to do our day-to-day tasks like pay bills, chat with friends, look up directions, or just find a good restaurant. Many of these tasks have been transferred to our phone but there are things that are just easier when you have a keyboard.

Typing this blog entry would have taken forever on a phone, or I could let google/siri/whathaveyou try to translate my speech. Either way it is much easier to type out my thoughts and surf on a cable connection than a phone connection.

All in all it’s not the end of the world. I’ll be back online on Saturday the 22nd, and the blog will be down for a week. No big deal.

Sexism isn’t just in infosec

For a while now, people in my industry have been talking about sexism in infosec, and rightly so. Sexism exists in a lot of the world and it’s wrong no matter the location or profession. I started to think about how prevalent it is and I wanted to get some other opinions from women who worked in or dealt with other male dominated fields. I decided to talk with my sister who is a manager for a big-box home improvement store, as well as one of my friends I’ve known for about 20 years who has previously worked in law enforcement, volunteers as a firefighter/EMT, and works as a dispatcher for both.

I gave them the same three questions and asked for their honest opinion of what they see on a daily basis. Here’s what they said:

1) Do you feel that your opinions and contributions hold less weight in your industry or that you’re cast-off or slighted because you’re female?

• Sister: Every day I see customers walk by a female associate who knows more than the male associate to ask a question only to see the male associate turn to the female associate to find out the answer for them.
• Friend: While my industry is predominately female, I work closely with a predominately male profession.  I do feel that many of those on the male-dominated side tend to brush off the contributions the female-dominated side provides them.   While at my volunteer position, I feel brushed off frequently because of my gender.

2) Do you think you’ve been passed over for promotions/raises/accolades, etc. solely based on the fact that you’re a female?

• Sister: No, my management (male & female) pushes me to do more because I care about doing a good job.
• Friend: In my profession, no.  In my volunteer position, yes.

3) Do you feel that those you work with/for or those you serve harass or flirt with you because they feel that because you’re a female that they can, or feel that they can get you to do something for them?

• Sister: No, I feel that because they are trying to flirt with me, I can shut them down completely and walk away. It may be diff in technology because there is no immediate cost to the customer.
• Friend: I am fortunate that I work and volunteer with a group of people that treat me with respect, and that when there is harassment or flirtation it is all in good fun.  I previously worked under a supervisor who treated me as if I were incompetent because I was female. He would send my male co-workers to check up on me and make sure I was doing the job right.  He treated me as if I were his secretary rather than his team member, and I eventually refused to work under him.

While this may not be a norm or even a majority in all professions, there still exists a bias towards male opinions and contributions in many societies and we need to keep talking about it. This post was not meant to downplay the sexism in infosec, rather I want to broaden the discussion and make it more about how we treat the women in our society. They are intelligent and hardworking and deserve our respect. Don’t down play what they offer and they may just teach you something new.

First working python code!

OK, so I decided I would write a temp converter for my first python program. It took me a few tries but it’s running now. It’s probably not the best way to code it, and I don’t have error handling in it but it runs!

Next steps:

• Throw in an if statement for anything below absolute zero to return a message and exit
• Return comment in response to an if statement for appropriate clothing to wear at the temperature entered
• Error handling

If you have ideas of easy things to code for me to practice please let me know. I’ve already got one idea of a countdown to a specific day for a former coworker’s retirement so I may work on that this weekend too.

Code: http://pastebin.com/ZAtqqbab

Dublin potential

So I may be heading to Dublin again next year for SourceConference Dublin in May. Any ideas for me on what to do if I stay a few extra days this time? I’ve listed what I’ve already done below so new ideas within walking distance (or short cab) from Jury’s Inn on Custom House Quay would be great!

• Guinness storehouse tour (normal & connoisseur tour)
• Kilmainham Gaol
• Jameson whiskey tour
• Hop-On-Hop-Off City bus tour
• Temple Bar mini-bar-crawl (Palace Bar, Temple Bar)
• Trinity College / Book of Kells
• Cabaret evening
• Walk down Grafton Street
• New tattoo (plan on doing this again when I decide on a design)

I’ve heard that I should wander around more in Temple Bar, and a couple Google searches have told me to try Kehoe’s for a “local bar” atmosphere but I think I’ll rely on my friend Andrew McKenna for that part of the trip. The music he lead me to last time was amazing.

Good food is a must so tell me where you found some amazing seafood or Irish cuisine.

Comment below and let me know what to try!

First lesson in learning python

So I thought it would be a good idea to put my money where my mouth is on learning. With my new position one of the things we need to be able to do is pull data from the tool we use via their API. I was told that an easier way to do this is with the python language and I had already been wanting to learn it so it seemed like an easy fit. The only issue is that I’ve never been a “coder” so I was hoping this would be a good start down that path.

I enrolled at Coursera in their python class and started watching the tutorials. This went great right up until I got to week 1’s mini project. The project was to write a program that would use a pre-set list of choices to play against the computer in RPSLS or Rock, Paper, Scissors, Lizard, Spock. It’s a variation on the game so there are less ways to tie.

I’ll save you the frustration that I went through for about 2 hours and say that my lesson learned by this was that I, like many people, need to stop the “instant gratification” requirement in my life. I was wanting to do incremental steps to see progress from my work without looking at the overall picture. This caused me to get data that I wasn’t expecting (all zeros instead of 0-5), and frustrated me a lot. What I wasn’t realizing was that one function had to provide data to the next to get the correct response. Going forward I’ll have a better idea of what to look for when I’m getting data but not the data I’m looking for when troubleshooting.

How to focus on learning

So it seems that since my move life has been a bit of a blur. I’ve had to figure out where things are in the area, what vet to go to, get my license & plates changed over, and not the least of all, make sure all the bills get paid on time from the old house or the new apartment. While stressful, none of this is work related. I’ve been struggling to get time to sit down and learn new things like python scripting to plug into the API for the tool we use, or even get better with Linux to broaden my technical skills.

I even have an idea kicking around in my head for a talk the about the information security field and our constant thirst for knowledge but I haven’t had time to sit down and flesh it out. While some of you may be saying “yep, that’s life”, I wonder about those who struggle with time management and how they can continue to learn. When you have a long commute, or take care of a loved one (child or senior) in your off time, how do you manage to stay on top of things and remain relevant? Do you mainline espresso and forego sleep? Read articles when you’re on the train? Give up hobbies you loved in the past to keep up in the industry?

If you could leave a note and let me know what tips or tricks you can impart I’ll make them part of the talk I’m putting together regarding Infosec knowledge sharing.

Greetings from Michigan

Sorry for the long delay between posts. Life has been a little up in the air lately. I am now living near Detroit, Michigan working for VioPoint as a Senior Security Consultant. I had always said I didn’t want to be a consultant because of the travel required but this job seems to fit the requirements of “less travel”. I haven’t had to travel at all yet thankfully so we shall see if that continues.

The team I’m working with is awesome and many of you know them. @ZombieTango, @Dthom, @B31tf4c3, and @JimmyVo are all here and we’re headed up by @jwgoerlich. I’m slowly getting myself settled in my new apartment, house was sold in short order and the only problems I’ve had are with crapcast, so all-in-all it’s been a decent transition. I will be posting periodic work-related blogs on the VioPoint blog at http://www.viopoint.com/blog/. You can catch my first one there regarding auditing automation, and look for new ones coming later. As for this personal blog I just got it back up and running so I will assume that I will be posting more in the coming weeks/months. Keep checking here or Twitter to see if I can keep that up.

Until then I’ll be taking in the fall colors in Michigan and trying to learn as much as I can about the consulting gig.