Security B-Sides San Francisco – Preview

Posted by SecBarbie on Thursday Feb 11, 2010 Under Women in Security, security

If you have been living under a rock somewhere and somehow haven’t heard about this revolution known as SecurityBSides, well, perk up folks! With SecurityBSides San Francisco being the second large-scale un-conference that complements a large corporate conference, the proposed talks are already shaping up to be something very special to our industry. This is an un-conference that is completely powered by the people, so if you haven’t yet voted for the talks that you would like to hear, do it or don’t complain!

Here is my short-list of talks that I think are going to be wonderful:

*Some are not yet picked to present, so if you agree, vote often!

The Great Compliance Debate: No Child Left Behind or The Polio Vaccine

Panel Discussion: Joshua Corman , Jack Daniel (@jack_daniel) , Anton Chuvakin (@anton_chuvakin) , Andy Ellis (@CSOAndy), a surprise guest

How to Design and Develop Your Own Security Event

Stacy Thayer, Ph.D. @stacythayer

My Life on the Infosec D-List

Andrew Hay

Hacking the Sales Cycle

Gal Shpantzer

Being Inbred Isn’t Just a Problem for Hillbillies.  Groupthink and the InfoSec Industry

Vikram Phatak

Risk Management – Time to blow it up and start over?

Alex Hutton

What kind of self-serving person would I be if I didn’t put a shameless plug in for the Gender Panel: Unicorns, Clubhouses, and Ruffled Feathers: Women in Security:

Rounding out the panelists this year will be:

Jennifer Jabbusch – CISO of Carolina Advanced Digital, Inc.

Andrew Hay – 2008 “Security Thought Leader” award winner by SANS Institute / Security Blogger / InfoSec Professional

Lisa Lorenzin – Crazy smart solutions architect for an organization that I’m not sure if she’s listing (you have google, figure it out yourself)

Gurdeep Kaur – Author of controversial SANS Reading Room Paper “Women in IT Security Project Management”

Michelle Klinger – Full time QSA, defender of all things saucy and womanly.


Shnow-pocolypse 2010! (A mini-journal)

Posted by SecBarbie on Saturday Feb 6, 2010 Under Sociability, security

To quote the weather channel

“The storm may reach the top 3 of all-time in the Washington, D.C., area and may rival the record of 28″ from the “Knickerbocker” storm of 1922.”

I am taking a little break in the festivities to let you all know that it has officially snowed pretty hard at ShmooCon VI. My flight has been canceled for Sunday, so with any luck at all I will be arriving back in Chicago (aka, the land that can handle 6″< of snow) sometime early next week.
With that, I have to say that the spirits of all the con goers are absolutely amazing! Trash-bag sleds are being used, as well as certain individuals’ snowboards and snowshoes. The content of the event has started out with a bang, and the actual tracks tomorrow look exceptionally promising!

Thank you to @quine’s employer for hosting the Securitytwits meet-up this afternoon, it was VERY enjoyable! Syngress held a very nice happy-hour meet-up, and the DC949 party was absolutely killer! Festivities are still commencing as I type, but sometimes one must just call it an evening!


Thank you all for the response, but I want to clarify two points that I’m not sure I communicated well in the original post.

First of all, I want to give SANS big kudos for actually posting a piece that is gender based; this was a risk, and I’m glad they took it. Many more organizations would benefit from helping broaden the horizons of gender awareness in the technical fields. Conferences have been very apprehensive about accepting a round-table panel composed of industry professionals (not marketing women) to discuss the state of the industry in regards to gender. Currently, the panel is being held at SecurityBSides events, and there are some prospective European conferences this year that are opening up to the conversation. There are also many women who do not feel comfortable speaking out or helping other women gain entry to the field. This is a definite gender issue, but one we need to address on a different plane, and more in another post.

The second point in the original post was that of the review itself. The content of the research for the paper was fine; where I felt there was a deficiency was when it took a turn away from fair representation. Perhaps the advisor could have proofed the paper and suggested some edits to keep it broad enough that it could not be easily identified as personal rhetoric, thus reinforcing the research points. I am fortunate enough that the author of the piece HAS agreed to speak on the Gender panel at BSidesSF, which will occur during the week of the RSA Conference in San Francisco.

Again, for any women that may be reading this, here is a list of some great sites on the internet that discuss current gender issues.

The Geek Feminism Wiki

Executive Women’s Forum

Signed,

The unconventional gender supporter – Erin

I need a sysadmin for my Facebook!

Posted by SecBarbie on Wednesday Jan 20, 2010 Under Sociability, Social Media, security

- A Facebook Privacy Memoir Part I

Facebook is so lovely: you can learn about what your friends who you don’t have time to keep up with are doing, look at their pictures, watch some of their videos and generally cyber-stalk them with their permission. Oops, we call that ‘being social’ not stalking now. In the last few years people have really enhanced the art of the me-me using social networks such as Facebook under the guise of “maintaining transparency”. This does beg the question, how much is too much?

In the last year Facebook has come a long way when it comes to the privacy settings, and nearly everyone is hiding something from the general population, so we do have a start for some security. If you want to be uber technical about it, you can use friend lists and play with your privacy settings to create different views for each segment of your life, but who has time for this? Just like any system, add more complex controls and the users who should be using them the most will not.

I have used firewall graphical interfaces that are less complicated than the Facebook privacy settings. This is mostly because the privacy settings for Facebook are not all in one place. There are the Privacy settings in the drop-down, but then you have to customize your photo privacy settings in a whole different screen. Now add in the option to create groups for your contacts and manage the settings by those groups as well. All of the technically minded people might think this is a piece of cake, but my aunt, who isn’t that technical, can barely handle navigating from one profile to the next, much less the privacy settings! Yet she has no problem posting pictures, tagging me in the pictures, and sharing them with her friends.

As Christopher Burgess wrote in his Cisco Security Blog post ‘Security – Who is Responsible’:

“When we wish to use an automobile, we are required to go through a number of steps even before we get the vehicle rolling. During the drive, we adhere to the rules of the road (drive on the appropriate side, use our signals, stop at red-lights, go when green, etc.). When the engine light illuminates, the brakes start to screech, or the steering pulls too far left, we take note and either perform the required maintenance or we take it to the garage shop for service. We correct. The mechanic isn’t sitting in the backseat providing telemetry surrounding your vehicle’s operation, and unless my grandmother is in your backseat, you’re probably not being told how to steer, accelerate or brake. You are responsible. All of these actions are the responsibility of the operator—the user. You, the user, will decide “How do I maintain my vehicle and operate it?” When you violate motor vehicle laws (and are caught), what occurs? You receive a ticket and tickets carry consequences. In the US the consequences might include a monetary fine, points on your license and, for some, a mandatory trip to court. With choices and actions come consequences.

In the online world, we have the same basic responsibilities for security as a driver has in the physical world for safety.”

The unfortunate fact is that there is no education on the do’s and don’ts of social media for people such as my aunt, nor would the millions of high school students who are competing for the largest friend list and posting every little moment of their lives even listen if there were! So here are my two tips for Facebook and a link to Cracked’s 10 Commandments of Facebook.

1. Don’t friend ANYONE you don’t know, and deny friend requests if you don’t know them!

Don’t friend anyone you don’t know if you post anything to your Facebook that you wouldn’t post on a public or work bulletin board! You don’t really know who is on the other side of the profile.

If you don’t know the person, deny the friend request promptly! Unfortunately there is a bug in Facebook right now that allows people who request you as a friend to see your live feed while the friend request is pending. As of right now, there is no privacy setting on the live feed. This is bound to change soon, but it is good practice to always deny friend requests until you know that person.

2. Unless part of your job is using Facebook, don’t update your Facebook from work!

You don’t know who is really on the other side of your ‘Friends’, so unless part of your job is social media, don’t update your Facebook status from work. Wait for lunch, or after work. This is ESPECIALLY important if your organization doesn’t allow access to Facebook.

The 10 Commandments of Facebook

Until next time….


One might ask why a techie-geek security management person like myself would go to the #140 Conference in New York. The security reason of interest to me and to my organization is information leakage through Twitter, as well as furthering social education about new technology risks.

What is #140Conf? You can check it out in the words of Jeff Pulver on his ideas for creating the conference.

Having just spoken about the issue of adult social networking education last week, I feel that this will be a fantastic opportunity to get to the grass roots of how viral social networking can change personal brand definition and how information leakage impacts organizations. The number of people getting fired, expelled from schools, and socially blacklisted due to a lack of forethought when using Twitter is absolutely amazing; couple this with what information can be distributed with malicious intent and we have one powerful medium. Security awareness outreach is needed to better educate everyone on the impact of what they say today on the life they will live tomorrow.


Please look forward to my photo-blog that I will be uploading daily through my trek through the #140conf jungle, as well as the recaps of key topics.


Sourcefire 3D-1000 IPS in less than 5 minutes

Posted by SecBarbie on Saturday May 16, 2009 Under Tools, security


After the ceremonious un-boxing of the Sourcefire 3D-1000 IPS in my bedroom (hey, it’s Saturday morning, give me a break!) I did what any good techie would do: discard the fine-print manuals for the big shiny slick ‘Quick Start Guide’. In this lovely document everything seemed pretty rudimentary, all except one section.

Safety and Regulatory Compliance: “The 3D sensor should be installed and maintained by qualified personnel only.” Hmmm, I’ve been doing this stuff for some time now, but how qualified am I? I guess we were about to see.


After quickly running through the setup instructions on my secondary ethernet connection, adding the license file, and setting up the management port on my DMZ range (not necessarily in that order), I was set to put it in-line in passive mode and start watching some data flow. REALLY? Wait, this only took me a few minutes to get to this point; why was this so simple? Should I be concerned? Not at all. Bravo to the folks at Sourcefire for compiling and producing a hardware IPS that is so straightforward! I was able to get this fully functional in passive mode with the default settings reconfigured in less than 5 minutes. Bravo!

Equipment Used:

  • Cisco PIX 515E Firewall
  • Cisco 2800 Router
  • Private T1 Internet Circuit
  • Sourcefire 3D-1000 IPS

The party is moving!

Posted by admin on Friday Apr 17, 2009 Under RSA Conference, security, site information / about

First of all, Security Sociability has officially been moved to its home domain! YAY! Thanks to WordPress making it so effortless, this only took me 2 days of many work-related interruptions to accomplish!

Now here is where the party really begins! RSA Conference 2009 starts in a few days, and I depart for California tomorrow. Somehow a little nobody like myself ended up with a pretty impressive social itinerary so far! I plan to blog at least a few times next week on the schedule of events, talks, recaps, and of course bar fights!

Just as a reminder…. I still haven’t gotten my invites to some of the parties yet (no naming names… you KNOW who you are), I’m assuming it’s just some DNS redirection that didn’t get it to my MX record yet…. I have faith it will resolve! :)


Security Corkboard is down

Posted by SecBarbie on Monday Apr 6, 2009 Under Humor, security, site information / about

It was time to finally pull the plug on my original blog, called ‘Security Corkboard’. I have imported the posts to SecSocial, but aside from that, it’s gone. This was my first hack at blogging on security topics, and after a lost password and failing ambition to retrieve it, it died an untimely death.

Best to all.


Apples in my toolbox

Posted by SecBarbie on Thursday Feb 5, 2009 Under Mac, Tools, security, site information / about


A new page has been added to SecSocial, finally the Mac OS X Tools page is up (see top right corner)! This is a list that is comprised of favorite tools for security assessments as well as tools needed for OS X Reversing. With any luck this compilation will be dynamic, and everyone is encouraged to contact me if I have left out any fantastic tools.


Too much Security talky-talky! Now we have PIPES!

Posted by SecBarbie on Wednesday Dec 10, 2008 Under Sociability, security

While I was pondering what to do with the 40+ blogs and countless RSS feeds I look at just while I have my morning coffee, in walks Yahoo Pipes!

Yahoo! Pipes is one of a very small set of completely amazing on-line data manipulation and data mashup environments that can really change the way we work with on-line data sources. (The others are DabbleDB and Dapper.)

Yahoo! Pipes is…

Pipes is a hosted service that lets you remix feeds and create new data mashups in a visual programming environment. The name of the service pays tribute to Unix pipes, which let programmers do astonishingly clever things by making it easy to chain simple utilities together on the command line.

Unlike other RSS Feed readers, Yahoo Pipes gives a user a graphical display to allow for endless data manipulation!

So, with this much needed tool, I took the SecurityTwits blog list and added all the accessible feeds to a Security Bloggers Pipe. Now I can drink my latte and see who is re-blogging whom in peace!
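The same feed mashup can be done offline without a hosted service. The script below is an added example and is not code from the blog or from Yahoo! Pipes: it merges several RSS 2.0 feeds, deduplicates posts by link, keeps the earliest publication date as the original, orders the result newest first, and reports which links turned up in more than one feed, which is exactly the “who is re-blogging whom” question above. The three feeds and all blog names, titles and URLs in it are constructed sample data, not real blogs.

```python
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample RSS 2.0 feeds for three hypothetical blogs (not real posts).
# Blog B and Blog C both re-post Blog A's "Why BSides matters" link.
FEED_A = """<rss version="2.0"><channel><title>Blog A</title>
<item><title>Why BSides matters</title><link>http://a.example/bsides</link>
<pubDate>Mon, 08 Feb 2010 10:00:00 GMT</pubDate></item>
<item><title>Pipes for security feeds</title><link>http://a.example/pipes</link>
<pubDate>Wed, 10 Dec 2008 09:00:00 GMT</pubDate></item>
</channel></rss>"""

FEED_B = """<rss version="2.0"><channel><title>Blog B</title>
<item><title>Why BSides matters</title><link>http://a.example/bsides</link>
<pubDate>Tue, 09 Feb 2010 12:00:00 GMT</pubDate></item>
<item><title>Compliance debate preview</title><link>http://b.example/compliance</link>
<pubDate>Wed, 10 Feb 2010 08:00:00 GMT</pubDate></item>
</channel></rss>"""

FEED_C = """<rss version="2.0"><channel><title>Blog C</title>
<item><title>Shmoocon snow report</title><link>http://c.example/snow</link>
<pubDate>Sat, 06 Feb 2010 20:00:00 GMT</pubDate></item>
<item><title>Why BSides matters</title><link>http://a.example/bsides</link>
<pubDate>Tue, 09 Feb 2010 15:00:00 GMT</pubDate></item>
</channel></rss>"""


def parse_feed(xml_text):
    """Return the items of one RSS 2.0 feed as dicts tagged with the feed title."""
    channel = ET.fromstring(xml_text).find("channel")
    source = channel.findtext("title", default="unknown")
    items = []
    for item in channel.findall("item"):
        items.append({
            "source": source,
            "title": item.findtext("title", default="").strip(),
            "link": item.findtext("link", default="").strip(),
            # RFC 2822 date as used by RSS pubDate; parsed to an aware datetime
            "date": parsedate_to_datetime(item.findtext("pubDate")),
        })
    return items


def merge_feeds(feed_texts):
    """Union of several feeds, deduplicated by link, newest first.

    Each merged entry keeps the earliest publication date (the original post)
    and the list of feeds that carried it, so re-posts stay visible.
    """
    by_link = {}
    for text in feed_texts:
        for item in parse_feed(text):
            entry = by_link.setdefault(item["link"], {
                "title": item["title"], "link": item["link"],
                "date": item["date"], "sources": []})
            entry["date"] = min(entry["date"], item["date"])
            if item["source"] not in entry["sources"]:
                entry["sources"].append(item["source"])
    return sorted(by_link.values(), key=lambda e: e["date"], reverse=True)


def reblogs(merged):
    """Links that appeared in more than one feed: who is re-blogging whom."""
    return {e["link"]: e["sources"] for e in merged if len(e["sources"]) > 1}


if __name__ == "__main__":
    merged = merge_feeds([FEED_A, FEED_B, FEED_C])
    for e in merged:
        print(e["date"].date(), e["title"], "<-", ", ".join(e["sources"]))
    print("re-blogged:", reblogs(merged))
```

Deduplicating by link rather than by title is deliberate: titles get edited when a post is shared, but the canonical link is what identifies the original, and keeping the earliest date per link makes the first publisher visible in the `sources` list.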
