On Wednesday I will be getting in mid-morning so I’m just going to head over in the afternoon around 1:00 or so. Unfortunately, this means I can’t take part in some of the interesting morning talks. Regardless, starting at 1:00 I will probably hit the Collegiate Cyber Defense Competition talk by Chris Lytle and Leigh Hollowell. The presentation looks to focus on lessons learned from these competitions and how they can be used as a learning tool. I am thinking of starting an internal competition similar to this within my company. That combined with its focus as a learning tool really makes this talk a worthwhile talk for me. Next up will probably be “The Dark side of Twitter, Measuring and Analyzing Malicious Activity on Twitter” from Paul Judge and David Maynor. If you don’t know it by now, I’m sort of addicted to this whole Twitter thing [there I said it] therefore I really want to learn more about its potential downsides. Their talk will summarize malicious activity on Twitter based on two years of data and 20 million user accounts. Finally since I’ll be giving the first of three career/community-related talks, I plan to stay for Joseph Sokoly’s “Infosec Young and Restless” and then see what the Infosec Mentoring Panel has to offer. Joseph will look at improving our community image and the panel will touch on getting the most out of mentor/mentee relationships. [I'm counting this as one talk ... even I have a hard time following my own rules.]

Thursday will be a bit more difficult as I’ll have a full day of talks to choose from as well as the start of some Defcon activities. I will probably start the morning out with “Social Network Special Ops: Extending Data Visualization Tools for Faster Pwnage” from Chris Summer. Visualization has always been a fascination of mine (especially for showing pretty pictures to management). That combined with information that can be extracted from social networking data and its associated connections looks to be quite an interesting way of gaining invaluable insight about an organization or person. I’m usually in favor of best practices however I do understand it has its pros and cons. For that reason I plan to check out “The Road to Hell is Paved with Best Practices” from Frank Breedijk and Ian Southam to get some of the cons. It seems it will be a fairly balanced presentation though that will answer the question “Will best practices make use more secure?” Finally, I will probably head over to see Zach Lanier’s “It Melts In Your Hand: An Overview of Security (Failures) In Mobile Applications.” Mobile is big and will only get bigger in the future. The presentation will touch on security not only from a device perspective but how these devices are connected.

Well those are some quick recommendations for BSidesLasVegas. Be sure to check out the BSidesLasVegas Talks page for more details on these presentations as well as other talks that you may be interested in. Are there any “hidden gems” I missed? Let us know in the comments below…

And if anyone wants to meetup, just mention @grecs on Twitter or find the guy with a gray Breezewood shirt on Wednesday. And like I mentioned above I’ll be giving at talk on this day as well at 4:00 titled “Infosec Communities for Career Success: Understanding, Participating, and Cooking One Up” so you can also catch me after that. There are tons of people I’ve met through Twitter and mailing lists and would enjoy finally meeting a few of you in person. See ya!

Anyway, as of Sunday night here are the conferences we’ve confirmed.

July

• SANS What Works in Forensics & Incident Response Summit (Fairmont Washington DC; 07-08 to 07-09)
• Cybersecurity Symposium (Hilton Washington; 07-08)
• PCybersecurity & Innovation in the Information Economy Symposium (Ronald Reagan Building & International Trade Center; 07-27)

August

• EVT/WOTE Workshop (Wardman Park Marriott Hotel; 08-09 to 08-10)
• CSET Workshop (Wardman Park Marriott Hotel; 08-09)
• WOOT Workshop (Wardman Park Marriott Hotel; 08-09)
• CollSec Workshop (Wardman Park Marriott Hotel; 08-10)
• HealthSec Workshop ((Wardman Park Marriott Hotel; 08-10)
• HotSec Workshop (Wardman Park Marriott Hotel; 08-10)
• Metricon Conference (Wardman Park Marriott Hotel; 08-10)
• USENIX Security Symposium (Wardman Park Marriott Hotel; 08-11 to 08-13)
• SANS WhatWorks in Virtualization & Cloud Computing Summit (Fairmont Washington DC; 08-19 to 08-20)

September

• NoVA Hackers Association Metasploit Workshop (ICF International; 09-18)
• Software Assurance Forum (NIST; 09-21 to 10-01)
• IT Security Automation Conference (Baltimore Convention Center; 09-21 to 09-30)

And be sure to subscribe to our RSS feed or follow us on Twitter at @novainfosec and @grecs to be alerted about any last-minute events or to receive updates on the conferences listed above. Finally, check out our Calendar for a complete list of infosec events in and around NoVA, DC, and MD.

This year they are seeking presentations on the following topics:

• OWASP Tools and Projects
• Cloud Application Security
• Government Approaches to Application Security
• Application Security Case Studies
• Application Security and Business Risks
• Metrics for Application Security
• Web Services Security
• Source Code Review
• Web Application Security Testing
• Secure Coding Practices
• Privacy Concerns
• Vulnerabilities/Exploits in the Web App World
• Defense & Countermeasures in the Web App World
• Other web application security topics

For more information on AppSecDC, see its description in our Infosec Conferences section as well as OWASP’s AppSecDC conference and CFP pages. And don’t forget to check out our Calendar for a list of similar infosec events in and around the NoVA area.

Anyway, as of Sunday night here are the conferences we’ve confirmed.

April

• SANS Northern Virginia Bootcamp Conference (Hyatt Regency Reston; 4-6 to 4-13; help support us by registering through our affiliate link)
• Security in the Clouds (Holiday Inn Alexandria; 4-14)
• PrivacyCampDC Conference (Center for American Progress Action Fund; 4-17)
• Global Privacy Summit (Wardman Park Marriott Hotel; 4-19 to 4-21)

May

• HIPAA Conference (Voice of America/Wilbur Cohen Building; 5-11 to 5-12)
• GMU – AFCEA Symposium (George Mason University; 5-18 to 5-19)

June

• Cyber Security Conference (Ronald Reagan Building & International Trade Center; 6-3)
• SANSFIRE Conference (Hilton Baltimore; 6-6 to 6-14; help support us by registering through our affiliate link)
• SANS What Works in Pen Testing & Vulnerability Assessment Summit (Hilton Baltimore; 6-14 to 6-15; help support us by registering through our affiliate link)
• Software Assurance Working Group Sessions (Booz Allen Hamilton; 6-21 to 6-23)

And be sure to subscribe to our RSS feed or follow us on Twitter at @novainfosec and @grecs to be alerted about any last-minute events or to receive updates on the conferences listed above. Finally, check out our Calendar for a complete list of infosec events in and around NoVA, DC, and MD.

The conference delivered topics from different security sectors, including cloud computing, cyber security, data center and virtualization, and defense innovations. The event featured top industry experts from well known companies and government institutions.

The keynote speeches at GovSec included its usual mix of law enforcement and technology with Bill Bratton, former police chief of Los Angeles, New York and Boston, Anthony Zuiker, creator and executive producer of CSI: Crime Scene Investigation, and Steven R. Chabinsky, the deputy assistant director in the FBI’s Cyber Security Division.

Bratton talked about technology’s role in police work and its likely role in the future.  He also noted that local police departments have the knowledge but lack the resources for cyber security-related police efforts.

Meanwhile, Zuiker discussed cross-platforming. He noted “traditional media is dead, and that newspapers, magazines and TV must become more interactive.”

In the last keynote of the day Chabinsky said that “How the United States handles cybercrime could help determine the future of the country.” He framed the issue of online crimes, including hacking and copyright infringement, as a question of both economic and national security. Chabinsky added that almost every cyber criminal is now a member of an online forum or chat service and that “… like you have doctors who are specialists instead of general practitioners, we have cyber criminals who are specialists instead of general practitioners.”

Chabinsky described 10 types of specialized cyber criminals:

• Programmers who write malware and exploits
• Vendors who sell stolen data
• Techies who maintain the needed information technology infrastructures
• Hackers who exploit the vulnerabilities
• Fraudsters who create social engineering schemes
• Hosters
• Cashiers who control accounts
• Money movers
• Tellers
• Leaders, who assemble the teams

The only education session that I was able to attend was the International & Initiatives on Cybersecurity. The training included six mini sessions and was presented by the American Bar Association’s Privacy & Computer Crime Committee. The discussion focused on an international legal framework to counter cyber security. Some countries have no cybercrime laws and to close this divide in cyber security, an ITU Toolkit for Cybercrime Legislation is made available. The ITU Toolkit aims to provide countries with sample legislative language and reference material that can assist in the establishment of harmonized cybercrime laws and procedural rules.

Well those are some quick notes on some of the activities from day 1. We’ll be in attendance tomorrow as well and look forward to some interesting topics. If you would like to learn more about GovSec, see its description in our Infosec Conferences section as well as the main GovSec conference site. They also have a Twitter account at @GovSecUSLaw so be sure to follow them tomorrow for all the latest conference happenings.

Well, the contest closed last night and we are ready to announce the winner… Congrats goes out to @dfrain! To claim your free pass, please DM your full name and email to our @grecs Twitter account so we can pass them along to the GovSec organizers.

And even if you didn’t win, we still have something for you. The kind folks over at the 1105 Government Group are also offering a 10% discount just for our blog readers. All you need to do is head on over and register for the conference though this special link.

For more information on GovSec, see its description in our Infosec Conferences section as well as the main GovSec conference site. They also have a Twitter accont at @GovSecUSLaw so be sure to follow them for all the latest conference happenings.

Doug Wilson discussed an OWASP project that combine a variety of vulnerable web applications on a virtual machine that can be used for testing web application security tools and techniques. The project is entirely free and open source. The project is also useful for testing white box tools and techniques such as source code analysis.

Trevor Hawthorn’s talk “The New World of Smartphone Security” tackled security concerns that are not being discussed and have not been publicly disclosed. In the talk he examined mobile-to-mobile attacks within cellular IP networks, specifically focusing on iPhone attack surfaces,  worms, location-based gaming privacy concerns, and web application security.

Richard Goldberg’s discussion was about the less obvious legal risks inherent in storing and accessing data in the cloud. He focused on real-world problems and solutions.

“The aim is to foster a greater understanding of the relevant issues, legal and privacy risks, potential solutions, and which problems do not have solutions.”

Finally, Pete Markowsky covered the differences among reviews system management mode and the relationship between SMM and Virtualization on the AMD-V platform and how to install a SMI handler.

See InfosecEvent’s ShmooCon 2010 - Wrap Up post for a complete list of all conference coverage.

Well, the folks over at the 1105 Government Group have offered us a free pass to give away to any of our readers/followers. In old fire hall style, we’ll be giving the pass away through a raffle. To enter just check out the @grecs or @novainfosec Twitter feeds and RT the special raffle tweet that we’ll be putting out in the next few hours. The contest will last for one week and at that time we’ll pick a winner. Note that you must be a US resident to be eligible for the contest.

Updated below on 3/11 at 3:00 PM:

Just in case you missed the tweet to RT, here is what you’ll need to post on Twitter. I’ve used @grecs below but you can also use @novainfosec.

RT @grecs GOVSEC #CON RAFFLE: To enter 4 free pass to GovSec in 2 weeks RT this! See http://bit.ly/a1IfRk for details. #GovSecTix

Note that because of tracking problems, you MUST post it exactly as above. If not, the system that’s tracking this contest on Twitter may miss your RT.

For more information on GovSec, see its description in our Infosec Conferences section as well as our previous post. Finally, head on over to the GovSec conference site for all the information pertaining to this event. And be sure to keep up to date with the latest conference happenings by following @GovSecUSLaw on Twitter.

As you can see below, I’ve only gotten links to a few presentations. If you still need to post your presentation, please let me know via Contact Us or mention @grecs on Twitter and I’ll update this post as I get them.

Presentation Summaries

First, I like to put up some short synopses of the talks written by Justin Monroe and Chris Wheeler. They were a tremendous help both nights paying attention to the actual content while I coordinated everything.

Social Engineering Toolkit v0.4 Overview (David “ReL1K” Kennedy)

ReL1K released the newest version of his “Social Engineer’s Toolkit.” Version 4, codenamed “Pink Pirate” was released Saturday in the BackTrack4 repository as well as his website, secmaniac.com. The framework is a python driven open source suite which makes use of Metasploit Framework’s client-side attacks (PDF, Aurora, etc), and has the ability to auto-target a client operating system. It also integrates with G-Mail and sendmail to streamline sending phishing e-mails to targets.

SHODAN for Penetration Testers (Michael “theprez98″ Schearer)

SHODAN, a meta-data search engine for application banners was presented by theprez98, who showed several demonstrations of its usefulness. The engine stores OS version, country, open ports (currently only 21, 22 and 80), and makes the data easily searchable. As the engine stores banners from each service, it is not uncommon to find default configuration information in the header (such as a default password), as well as the version information of the service. At the time of the presentation, there were apparently 136 machines still running Windows NT 3.9. (slides)

Influencing Security (Marcus J. Carey)

In a presentation about influencing security, Marcus J. Carey took a philosophic approach to solving security issues. Likening the decrease in HIV infections in Thailand by means of peer pressure, he suggested that security professionals persistently teach users about information security, instead of doing training once a year. He also stressed a non-adversarial role with the people the policy is designed to protect, and instead of treating them poorly when the policy was broken.

Funnypots and Skiddy Baiting (Adrian “IronGeek” Crenshaw)

IronGeek presented some of his endeavors in “Funny Pots and Skiddy Baiting,” loosely defined as “messing with the people trying to break into your machines.” He suggested mapping loopback addresses (127/8) to a subdomain on your network, and then encouraging them to break into the machine at that hostname. If they manage to get in, they may own their own machine. Other fun endeavors included mapping your hostname to that of another website (say, 12.120.54.169), “lemon” wiping a drive with an arbitrary pattern of data for forensic investigators to find (coined from the “lemon party” shock site). He also demonstrated a robots.txt redirect, where snooping users would get redirected to shock sites when they visited the “Disallow” directories. His final and perhaps most humorous website involved using php-ids to detect attacks against a website and have Clippy pop up to help with their failed attempts. (slides)

Browser Fingerprinting Using a Stopwatch (Nicholas “aricon” Berthaume)

Aricon demonstrated how to more accurately fingerprint browsers based on more than the user-agent, HTTP headers, and Javascript. WebApp scanners often spoof headers, making it useless to fingerprint an attack. The timing and download order of images can be used to accurately fingerprint a browser using some custom mod_security rules. Differences start to show with basic HTML, but adding images and more content gives a much more accurate result. He did mention that plugins such as Greasemonkey, AdBlock Plus, and NoScript skew the results, as do VPNs, SSH tunnels and other proxies. He plans to release the mod_security ruleset and his fingerprinting scripts on his website. (slides)

Pentoo (Zero Chaos)

Zero Chaos, a Pentoo developer, was met with a barrage of Shmoo balls at the start of his presentation. Pentoo is a lightweight penetration testing distro based on Gentoo. It can be run from a Live CD and uses only 200MB of RAM. Pentoo is updated with the latest utilities and kernel configurations. Pentoo also has 13 users worldwide ( ), and began development before BackTrack.

Sleephacking 101 – How to Stay Awake for 20 Hours a Day without Turning into a Zombie (Benny “security4all” ???)

@Security4All gave a presentation on “sleep hacking,” discussing human sleep cycles and how to get more energy out of sleep. Although monophasic, humans are better suited to a polyphasic sleep cycle. Biphasic sleep involves getting 6-7 hours of sleep per night, and a nap at noon. Spain has institutionalized this cycle through siestas. For those who wish to get more out of their day, the everyman cycle provides 4 thirty minute naps, and a 2-3 hour block of sleep at night. Those looking to gain a sickening about of extra time in their day can try the uberman, characterized by 6 twenty minute naps per day, and separated by a four hour period of being awake. Also, for those who need the extra kick, drinking coffee before taking a nap increases the nap’s effectiveness, so long as the nap is kept to twenty minutes. There are also sleep cycle apps in the iTunes store to help adjust to the different sleep cycles. (slides)

Payment Application – Don’t Secure Sh!t (PA-DSS) (Christian “cmlh” Heinrich)

Christian Heinrich gave a presentation entitled “Payment Application – Don’t Secure Sh!t.” The presentation characterized the differences between the PA-DSS, PCI-DSS and PCI-PTS standards, focusing primarily on the strengths and weaknesses of PA-DSS. Visa has mandated compliance of all machines with this standard by 12 July 2012. The PA-DSS standard also depends on the PCI-DSS standard, as there is no sense in reinventing the wheel. It does contain a sunset clause for securing wireless data with WEP, as the newest revision mandates WPA, as well as mandates secure remote software updates through a system like SSL, although the most recent attacks on SSL have not been considered. (slides)

Wow, excellent summaries from Justin and Chris. Thanks again guys! Additionally, every one of the speakers should have gotten a parting gift sponsored by Trusted Signal. And if you want to relive the excitement of the Firetalks, be sure to check out IronGeek’s FireTalks from Shmoocon 2010 page. One of the things you may notice in the videos is the beautiful fireplace that helped cozy up this event. Mrs. Rybolov was kind enough to make this piece from scratch … and speaking of Rybolov, he himself provided a tremendous amount of coordination throughout both nights. Before moving on to announcing the winners, I’d also like to thank the ShmooCon team (go Heidi & Bruce and the rest of The Shmoo Group!) for allowing us to host this event in conjunction with ShmooCon and providing space, a projector, and audio!

Prize Winners

Now on to the prize winners …

3: Sleephacking 101 – How to Stay Awake for 20 Hours a Day without Turning into a Zombie

security4all won at $75 Think Geek Gift Certificate from nVisium Security.

2: Social Engineering Toolkit v0.4 Overview

ReL1K received a 32GB Kanguru e-Flash brought to you by nVisium Security.

1: SHODAN for Penetration Testers

thePrez98 won the grand prize of a Acer Aspire One D250 Netbook provided by Hurricane Labs.

Congrats to everybody!

///

For all information regarding this year’s Firetalks and links to related posts, see the ShmooCon 2010 Firetalks master post. On a personal note I had a lot of fun pulling this whole thing together and it was great to meet so many awesome people that I’ve only previously chatted with on mailing lists, Twitter, etc. I look forward to trying to keep up with everyone throughout the year and maybe (if  I get lucky in the ShmooCon ticket lottery ) next year at ShmooCon. See ya!

The Conference itself includes four tracks: Critical Infrastructure Planning, and Protection; Cybersecurity and Information Assurance; Domestic and International Terrorism: Deterrence, Preparation and Response; and Law Enforcement Case Studies and Tactics. The Cybersecurity and Information Assurance track looks the most interesting related to our focus however if you are in law enforcement, the Law Enforcement Case Studies and Tactics track is FREE.

Both the Expo and Conference include vendors, information, and tracks focusing on legal issues as well with the U.S. Law Conference & Expo being held in conjunction with GovSec. And if that weren’t enough, FOSE will be co-located, providing a unique mix of physical and cyber security conference sessions and exhibitions.

Anyway, here are the logistics for this year’s conference:

• Who: 1105 Government Group
• What: GovSec Expo & Conference
  • GovSec, the premier conference and exposition for government security, is produced by 1105 Government Information Group. Established in 2002, GovSec features tools, systems, and products that meet the comprehensive security needs of federal, state, and local governments and the U.S. military, including: asset protection; cyber and information protection; and the integration of these critical functions.
• When: 3/23 – 3/24/2010
• Where: Washington DC Convention Center (801 Mount Vernon Place NW Washington, DC 20001)

For more information on GovSec, see its description in our Infosec Conferences section. And while you’re here, be sure to check out our Calendar for a list of similar infosec events in and around NoVA, DC, and MD. Finally, head on over to the GovSec conference site for all information pertaining to this event. And be sure to keep up to date with the latest conference happenings by following @GovSecUSLaw on Twitter.