Planning on attending the mother-load of conferences next week in Las Vegas? Are you a first-timer, or generally have trouble planning where to go and what to do? Here is a good list for you, this will take you from Wednesday when Black Hat and Security BSides Las Vegas begin until Sunday of DefCon Closing Ceremonies.

SecBarbie’s talk picks of the week:

Black Hat

Wednesday 1:45pm – 3pm

Augustus 1 & 2

Barnaby Jack – Jackpotting Automated Teller Machines Redux!

Wednesday 3:15pm – 4:30pm

Roman

Dan Kaminsky – Black Ops Of Fundamental Defense: Web Edition

Wednesday 4:45pm – 6pm

Augustus 5 & 6

Fyodor – Mastering the Nmap Scripting Engine

Milano 5 – 8

Alex Hutton / Allison Miller – Ushering in the Post-GRC World: Applied Threat Modeling

Thursday 10am – 11am

Augustus 3 & 4

Chris Hoff – Cloudinomicon: Idepotent Infrastructure, Survivable Systems & Bringing   Sexy Back to Information Centricity

Thursday 11:15am – 12:30pm

Roman

Cesar Cerrudo – Token Kidnapping’s Revenge

Forum 25

Lee Kushner, Mike Murray   -  Your Career = Your Business

Milano 5 – 8

Tiffany Rad - The DMCA & ACTA vs. Academic & Professional Research: How Misuse   of this Intellectual Property Legislation Chills Research, Disclosure and   Innovation

Thursday 3:15pm – 4:30pm

Milano 1 – 4

Samy Kamkar - How I met your girlfriend

Wednesday also has the Cloud Security Alliance Summit with some pretty amazing, insightful, and wicked cool folks such as:

Chris Hoff   –   Cloudersize Keynote

Josh Pennell   –   Hacking the Hypervisor 2010

Steve Riley   –   Security and compliance in the Amazon cloud

Security BSides – Las Vegas 2010

I can’t even begin to pick the Security BSides talks (special mention to the InfoSec Mentor Panel that I’ll be on Wednesday at 6pm) as I would whole-heartedly endorse all of them. Bravo to the talk selection guys! So, here is the BSides Schedule:

DefCon 18

Friday 1pm – 2pm

Track 4

Dennis Brown - How Hackers Won the Zombie Apocalypse

Friday 2pm – 3pm

Track 3

Jim Rennie, Eric Rachner - Search & Seizure & Golfballs

Friday 3pm – 3:30pm

Track 5

Righter Kunkel - Air Traffic Control Insecurity 2.0

Friday 4pm – 5pm

Track 4

Tottenkoph - An Introduction to Virtual Graffiti

Friday 5pm – 6pm

Track 2

Sumit Siddharth - Hacking Oracle from Web Apps

Friday 6pm – 6:20pm

Track 5

Marisa Fagan - Be A MENTOR!

Friday 9pm – ???pm

Track 1

Hacker Jeopardy!!!!!!!      – Bring Booze!

Saturday 10am – 11am

Track 2

Jeremy Brown - Exploiting SCADA Systems

Saturday 10am – 11am

Track 4

Chris Paget - Extreme-range RFID Tracking

Saturday 11am – 12pm

Track 4

Barnaby Jack – Jackpotting Automated Teller Machines Redux!

Saturday 12pm – 1pm

Track 1

Nicholas Percoco, Christian Papathanasiou – “This is not the Droid you’re looking for..”

Saturday 1pm – 2pm

Track 1

frank^2 - Trolling Reverse-Engineers with Math: Ness…. It Hurts…

Saturday 3pm – 4pm

Track 2

James Arlen - SCADA and ICS for Security Experts: How to avoid Cyberduchery

Saturday 3pm – 4pm

Track 5

Garry Pejski - My Life as a Spyware Developer

Saturday 4pm – 5pm

Track 4

Jayson Street - Deceiving the Heavens to Cross the Sea: Using the 26 stratagems for Social Engineering

Saturday 5pm – 6pm

Track 4

Leigh Honeywell, follower - Physical Computing, Virtual Security: Adding the Arduino Microcontroller Development Environment to your security toolbox

Saturday 7pm – 9pm

Track 5

DefCon Security Jam III: Now in 3D?

Saturday 10pm – ??pm

Track 4

10,000 Cent Pyramid

Sunday 10am – 11am

Track 4

Mike Bailey - Web Services we just don’t need

Sunday 11am -  12pm

Track 2

Valsmith, Colin Ames, Anthony Lai - Balancing the Pwn Trade Deficit

Sunday 1pm -  2pm

Track 5

mc.fly, rvd, vyrus, no maam - ChaosVPN for Playing CTFs

Sunday 2pm -  3pm

Track 3

David Smith, Samuel Petreski - A new approach to forensic methodology - !!BUSTED!! Case Studies

Sunday 4pm -  5pm

Track 1

The Suggmeister - Social Networking Special Ops: Extending Data Visualization Tools for Faster Pwnage

Sunday 5pm -  6pm

Track 1

Justin Morehouse, Tony Flick - Getting Social with the Smart Grid

Sunday 6pm

CLOSING CEREMONIES!!!!!

Please reclaim all lost livers here!

If you are NOT going to be in the melt-your-face-off land of Las Vegas next week, you can follow all of the action and some of the parties via my live-conference feed on twitter @IOBarbie !

-SecBarbie

Inside the heart of a QSA

by @Diami03

One of my true passions as an assessor is when clients actually thank me at the end of an engagement for identifying their weaknesses and then the periodic communications thereafter when they seek my security know-how as they evaluate new initiatives.

For those who do not know who I am, I am a disillusioned, frustrated, confused security professional. Oh, so we have met?! What’s making me feel hopeless, you ask? I must have forgotten to mention I’m a security professional that is also a QSA. Makes sense now, doesn’t it?

I’ve been recently feeling a crisis of info sec faith. For those of you who follow me on Twitter (@diami03), you may have noticed my ire at performing PCI assessments on the rise. To get some perspective, understand I am a security assessor by heart. I enjoy meeting clients who are truly interested in securing their environment, helping them identify security gaps, and then brainstorming about remediation solutions. I had been performing security assessments for the past 5 years using various security industry standards for guidance, my favorite being ISO27002. In those 5 years, the rates of compliance based assessments, most notably PCI, were on the rise but I was able to satisfy my information security fix with those clients who just wanted to understand their environment and to secure it.

Sadly, those days are long gone. Now I’m left with a checklist and a list of clients a mile long who are waiting in line to be branded as PCI compliant. Gone are the clients whose sole concern was for all of the information they housed. No longer am I able to assist clients understand their environment and help steer them down the path of information security righteousness. No, those days are long gone. Now I’m told to mind my business. If I make a security recommendation based on an observation, and I am unable to point to a PCI requirement mandating it, then I’ve committed an act of blasphemy.

Fine, with all that said, what’s my point? I’m not really sure I have one, other than to exorcise these feelings of impotence and publicly restate my commitment to security and not just a checklist babe. I also thought I might shed some light on the internal battle some QSAs are feeling which you might not be aware of. Although many of you have a negative view of QSA assessors, which I blame the PCI QSA process for, understand that there are a few of us silently screaming but unable to be heard. This is my silent cry!

I get it, not everyone is happy in their jobs. As was made clear in the 2009 Dark Reading article, “One in Two Security Pros Unhappy in Their Job” we are not all 100% satisfied in our current positions, and “that IT security pros feel they could be doing more.” For now I’ll continue doing PCI assessments because, quite frankly, I like the idea of being able to pay my mortgage every month. I would like to make one thing clear however, that I do not plan on just sitting back and letting the problems fester, but am attempting to raise awareness by giving talks, writing blog posts, and sharing my frustrations and suggestions for change with the industry.

After attending the talk given by Mike Murray at RSA Conference in San Francisco last week on “Tweeting for Dollars: UsingSocial Media to Enhance your Career in Security” I found myself even more intrigued by some people’s message in the social media spectrum. One of the major points that Mike made during his talk was that not only do organizations need to have a social media strategy, but each person who is engaging in social media should think about theirs as well. Regardless of any intent, each person in social media has a brand. It is our responsibility to ensure that this brand is reflective of what we desire it to be. Some brands are easier to spot then others, but what is your brand saying about you?

The best question that someone asked in the presentation was that of a gentleman ‘screwing up’ his twitter account. By his definition of screwing up, it meant that he wasn’t focused on tweeting about his career only, he was tweeting about everything and talking to people. This wasn’t a screw up at all, this gentleman was having a conversation, he was doing social media right! The humanity of social media is what makes it so attractive to readers. People have been using the internet for years to read press releases, and some even use RSS feeds on a daily basis to keep up on those news articles. They don’t need Twitter or Facebook to keep up on that, Social Media let’s us all know that every celebrity, industry pundit, and random people you met at a convention all have something else going on outside of their career, or hobby that they are known for.

As an organization, it is also very important to decide on how the corporate brand is going to be reflected by the employees. Compose a social media policy stating if employees are allowed to share corporate information, or if that is going to be left only to be executed by the corporate social media accounts and team. If employees are allowed to share certain corporate data, it is very important to identify and classify what information is never to be shared in the social media space. The organization is also responsible to educate the employees of these policies to ensure a clear, unified message.

So how would a person or an organization drive their brand while engaging their audience? Have a conversation! Read whatyour followers are doing, and engage them. Sure, throw out important information that is self-serving as well (ie. Blog Post announcement, PR release links, etc.), but also retweet and share other contributors information. Know who you audience is, and get to know them!

Sharing is caring!

]]> http://www.secsocial.com/blog/?feed=rss2&p=400 0 http://www.secsocial.com/blog/?p=359 http://www.secsocial.com/blog/?p=359#comments Wed, 10 Mar 2010 03:40:49 +0000 SecBarbie http://www.secsocial.com/blog/?p=359

SecurityBSides in San Francisco on March 2nd and 3rd held at Parisoma was an experience that those in attendance will not soon forget. This is not for the reasons of Andrew Hay’s opening slide with his pink dress, but for a community of security professionals sharing and collaborating in a fresh new way from the vendor is king conference that was across town. What makes this conference so very different is the interaction at a granular level that the attendees can have with the speakers and sponsors. Not only are the actual talks much more interactive, but the sponsors who are in attendance can actually interface with the attendees and understand their needs as well as have the opportunity to convey their message in a conversation, not an expo-floor 5 minute pitch.

Some of the talks that were covered over the 2 days of the event are listed here.

Media coverage of SecurityBSides here.

Thank you to the vendors & volunteers that made this event possible!

Upcoming SecurityBSides Events:

March 13, 2010 - BSidesAustin – “Keep Security Weird” – Coinciding with SxSW Interactive

April 24-25, 2010 - BSidesBoston – weekend after SOURCE Boston.

July 29-30, 2010 - BSidesLasVegas – coinciding with Black Hat / Defcon

Here are some highlights from SecurityBSides San Francisco acquired using the ancient art of screen capture from the Flickr streams of Jack Daniel and Vissago.

<Fade IN:>

A few weeks back, I was sitting in my office in the middle of a meeting with one of my Directors and my phone rings. It came through as one of our trunk lines, so I knew it was a transfer form the receptionist, I was in a good mood, so I answered it. Low and behold it was my first call from a Rapid7 Sales representative (First that I actually answered that is). Knowing that Rapid7 recently acquired Metasploit, I gave the gentleman a listen. He talked up the RSA party, HD Moore, and the products that Rapid7 is currently marketing compared to some of the competitors. All in all, it was a perfectly fine conversation and I did walk away with some value add. My only critique was that it was pretty long, and I’m pretty busy to spend that much time talking about a product that we aren’t yet seeking a new vendor for.

<Announcers Voice:> Later the same day

I receive another call from a Rapid7 sales representative who had no idea that I had just spoken with a gentleman earlier! I might have been a little curt on the phone, but please refer back to the fact that I am actually extremely busy, and had already invested 40 minutes on the phone with the previous representative.

Later the same day I asked my twitterverse for information about Rapid7 products, because I trust my colleagues who have used them more then I could EVER trust a demo. Thanks to the great social community of Security Twits I gathered a great deal of information. Additionally, I learned from someone close to internal Rapid7 that Rapid7 follows all the Rapid7 mentions on twitter... what fun would a day be without throwing a #Rapid7 after some tweets?

<evil-grin>

In all seriousness, Rapid7 is doing some very positive things for the industry in regards to sponsorship of the SecurityTwits event at SourceBoston, employing some AMAZING researchers, and advancing the MetaSploit project with commercial funding!

Rapid7, please work on a sales team lesson in positive versus negative social media networking. Here are my examples of Rapid7 Negative Social Media Marketing:

LinkedIN

• Requests to professionals who they have never met or never worked with:

TwitterNames Ommited: “ Anybody know what’s the bright idea with Rapid7‘s sales team suddenly trying to join people’s networks on linkedin??”

“ Ok @Rapid7, your salespeople’s newfound relentless addition of my linkedin have grown irritating & bothersome. Please DIAF.<- Ah :”

• The February 16th slew of LinkedIN Spam from “Business Developers” that most of my colleagues received. Not cool!

Twitter:

• Rapid7 twitter feed is just a Press Release reel, there is no interaction with the community, same can be said for the Facebook page!

Notable mention:

Having the “JR” account reps monitor twitter for Rapid7 mentions — Boiler Room meets Rapid7!

+

The RSA Party!

I’m sure everyone is thrilled that Rapid7 is hosting a party at RSA. But again, this is another marketing fail. They might not want to use the acronym “VIP” as it generally doesn’t mean invite everyone in the world, post it on twitter, then brag about having 1,000+ people at the party.

In case you didn’t RSVP… you can do so here http://www.rapid7.com/forms/rsarsvp.jsp

Come on Rapid7, you can do better then this!

I’m sure you are a great organization, it sure looks as if your employees have fun working there, but I have to say that Rapid7 Sales and Marketing gets the *first ever* Official SecBarbie FAILBarbie award of the month for doing bad all by themselves!

If you have been living under a rock somewhere and somehow haven’t heard about this revolution known as SecurityBsides, well, perk up folks! With SecurityBSides San Francisco being the second large-scale un-conferences that compliments a large corporate conference, the proposed talks are already shaping up to be something so very special to our industry! This is an un-conference that is completely powered by the people, so if you haven’t yet voted for the talks that you would like to hear, do it or don’t complain!

Here is my short-list of talks that I think are going to be wonderful

*Some are not yet picked to present, so if you agree, vote often!

The Great Compliance Debate: No Child Left Behind or The Polio Vaccine

Panel Discussion: Joshua Corman , Jack Daniel (@jack_daniel) , Anton Chuvakin (@anton_chuvakin) , Andy Ellis (@CSOAndy), a surprise guest

How to Design and Develop Your Own Security Event

Stacy Thayer, Ph.D. @stacythayer

My Life on the Infosec D-List

Andrew Hay

Hacking the Sales Cycle

Gal Shpantzer

Being Inbred Isn’t Just a Problem for Hillbillies.  Groupthink and the InfoSec Industry

Vikram Phatak

Risk Management – Time to blow it up and start over?

Alex Hutton

What kind of self-serving person would I be if I didn’t put a shameless plug in for the Gender Panel: Unicorns, Clubhouses, and Ruffled Feathers: Women in Security:

Rounding out the panelist this year will be:

Jennifer Jabbusch – CISO of Carolina Advanced Digital, Inc.

Andrew Hay – 2008 “Security Thought Leader” award winner by SANS Institute / Security Blogger / InfoSec Professional

Lisa Lorenzin – Crazy smart solutions architect for an organization that I’m not sure if she’s listing (you have google, figure it out yourself)

Gurdeep Kaur – Author of controversial SANS Reading Room Paper “Women in IT Security Project Management”

Michelle Klinger – Full time QSA, defender of all things saucy and womanly.

To quote the weather channel

“The storm may reach the top 3 of all-time in the Washington, D.C., area and may rival the record of 28″ from the

“Knickerbocker” storm of 1922.”

I am taking a little break in the festivities to let you all know that it has officially snowed pretty hard at ShmooCon VI. My flight has been canceled for Sunday, so with any luck at all I will be arriving back in Chicago (aka, the land that can handle 6″< of snow) sometime early next week.
With that, I have to say that the spirits of all the con goers is absolutely amazing! Trash-bag sleds are being used as well as certain individuals who have snowboards and snowshoes. The content of the event has started out with a bang, and the actual tracks tomorrow look exceptionally promising!

Thank you to @quine ‘s employer for hosting the Securitytwits meet-up this afternoon, it was VERY enjoyable! Syngress held a very nice happy-hour meet-up, and the DC949 party was absolutely killer! Festivities are still commencing as I type, but sometimes one must just call it an evening!

Notice I said people, not women.

If you are interested in speaking on a panel at SecurityBSidesSF about Gender (Unicorns, Clubhouses, and Ruffled Feathers: Women in Security) and how it is impacting our industry by sharing diverse stories that have shaped your career, and tips for how as an industry we can improve, please contact me!

Gurdeep Kaur who wrote the paper on “Women in IT Security Project Management” has agreed to sit on the panel to discuss her findings and her experience that prompted the research. Also Jennifer Jabbusch will be speaking again as she did on the original panel at SeucrityBSidesLV.

I am looking for 3 more panelist to make up a 5 person panel.

First of all, I want to give SANS a big kudos for actually posting a piece that is gender based, this was a risk, and I’m glad they took it. Many more organizations would benefit from helping broaden the horizons of gender awareness in the technical fields. Conferences have been very apprehensive in accepting a round-table panel composed of industry professionals (not marketing women) to discuss the state of the industry in regards to gender. Currently, the panel is being held at SecurityBsides events and there will be some perspective European conferences this year that are opening up to the conversation. There are also many women that do not feel comfortable speaking out or helping other women gain entry to the field, this is a definite gender issue, but one we need to address on a different plane, and more in another post.

The second point in the original post was that of the review itself, the content of the research for the paper itself was fine, where I felt there was a deficiency was when it took a turn away from fair representation. Perhaps the advisor could have proofed the paper and suggested some edits to keep it broad enough as to not be easily identified as personal rhetoric, thus reinforcing the research points. I am fortunate enough that the author of the piece HAS agreed to speak on the Gender panel at BSidesSF that will occur during the week of the RSA Conference in San Francisco.

Again, for any women that may be reading this, here is a list of some great sites on the internet that discuss current gender issues.

The Geek Feminism Wiki

Executive Women’s Forum

Signed,

- A Facebook Privacy Memoir Part I

Facebook is so lovely, you can learn about what your friends who you don’t have time to keep up with are doing, look at their pictures, watch some of their videos and generally cyber-stalk them with their permission. Opps, we call that ‘being social’ not stalking now. In the last few years people have really enhanced the art of the me-me using social networks such as Facebook under the guise of “maintaining transparency”. This does beg the question, how much is too much?

In the last year Facebook has come a long way when it comes to the privacy settings, and nearly everyone is hiding something from the general population so we do have a start for some security.  If you want to be ubber technical about it, you can use friend lists and play with your privacy settings to create different views for each segment of your life, but who has time for this? Just like any system, add more complex controls and the users who should be using them the most will not.

I have used firewall graphical interfaces that are less complicated then the Facebook privacy settings. This is mostly due to the privacy settings for Facebook are not all in one place. There are the Privacy settings in the drop down, but then you have to customize your photo privacy settings in a whole different screen. Now add in the option to great groups for your contact and manage the settings by those groups as well. All of the technical minded people might think this is a piece of cake, but my aunt who isn’t that technical, can barely handle navigating from one profile to the next much less the privacy settings! Yet, she has no problem posting pictures, tagging me on the pictures, and sharing them with her friends.

As a Christopher Burgess wrote in his Cisco Security Blog about ‘Security – Who is Responsible’

“ When we wish to use an automobile, we are required to go through a number of steps even before we get the vehicle rolling.  During the drive, we adhere to the rules of the road (drive on the appropriate side, use our signals, stop at red-lights, go when green, etc.).  When the engine light illuminates, the brakes start to screech, or the steering pulls too far left, we take note and either perform the required maintenance or we take it to the garage shop for service. We correct. The mechanic isn’t sitting in the backseat providing telemetry surrounding your vehicle’s operation, and unless my grandmother is in your backseat, you’re probably not being told how to steer, accelerate or brake.  You are responsible.  All of these actions are the responsibility of the operator—the user.  You, the user, will decide “How do I maintain my vehicle and operate it?”  When you violate motor vehicle laws (and are caught), what occurs?  You receive a ticket and tickets carry consequences.  In the US the consequences might include a monetary fine, points on your license and, for some, a mandatory trip to court.  With choices and actions come consequences.

In the online world, we have the same basic responsibilities for security as a driver has in the physical world for safety.”

The unfortunate fact is that there is no education on the do’s and don’t of social media for people such as my aunt, nor would millions of high school students who are competing for the largest friend list and posting every little moment of their life even listen it it was! So here are my two tips for Facebook and a link to Cracked’s 10 Commandments of Facebook.

Don’t friend ANYONE you don’t know, and deny friend request if you don’t know them!

Don’t friend anyone you don’t know if you post anything to your Facebook that you wouldn’t post on a pubic or work bulletin board! You don’t really know who is on the other side of the profile.

If you don’t know the person, deny the friend request promptly! Unfortunately there is a bug in Facebook right now that allows people who request you as a friend to see your live feed while the friend request is pending. As of right now, there is not a privacy setting on the live feed. This is bound to change soon, but it is good measure to always deny friend request until you know that person.

Unless part of your job is using Facebook, don’t update your Facebook from work!

You don’t know who is really on the other side of your ‘Friends’, so unless part of your job is social media, don’t update your Facebook status from work. Wait for lunch, or after work. This is ESPECIALLY important if your organization doesn’t allow access to Facebook.

The 10 Commandments of Facebook

Until next time….