Security BSides Kansas City Re-cap

by kriggins on September 19, 2010

in Conferences

Updated 9/20/2010: Changed attempted ACH fraud bit from 'this year' to 'to date.'

Last Friday, the 17th of September, was the first ever iteration of Security BSides Kansas City. It was held in conjunction with the Kansas City Infragard chapter's CyberRAID contest. This was bad because I couldn't take any pictures :), but great because of the cross pollination that happens when events take place in conjunction with each other.

BSidesKC was a one day, one track conference packed full of great talks given by great speakers. Below you will find brief descriptions of each talk along with links to the slides where available.

If you ever have the chance to make it to a BSides event, take it! The generally smaller venues create an environment where great conversations can and do happen. BSidesKC was no exception. I was able to meet in person several of the people I chat with on Twitter like @jfug, @n0b0d4, @surbo, and @davehull. I also was able to see @hal_pomeranz and @ax0n again.

The FBI's Response to a Computer Intrusion

The first talk of the day was given by three FBI agents. I will not use their names here as I didn't have a chance to ask for permission to do so. The first part of the talk was a general introduction to the Cyber investigative focus of the FBI. You can read more about that in this post from my FBI Citizen's Academy series (which I need to finish.) They also spoke about some specific cases such as a SPAM case where the instigators were caught and are awaiting sentencing.

The second half dealt with cyber crimes that were focused on exploiting financial services organizations via their customers, i.e. ACH fraud. Some interesting numbers were provided such as the amount of attempted ACH fraud to date, $215 million, and the actual amount lost, $60+ million. Most interesting is that almost all of this type of fraud is perpetrated using customer credentials that have been intercepted via malware on the customers computers. Brian Krebs at Krebs on Security has written extensively on this problem.

Slides: No access to slides.

I Survived IDS Apocalypse '10 and All I Got Was This Stupid T-Shirt

This talk was given by William Metcalf who is a full time developer working for the Open Information Security Foundation on Suricata, a network based IDS/IPS. William talked about the features of the current release of Suricata and gave us an intro to some of the upcoming features in the roadmap. He also provided some tips for building a high-performance IDS/IPS on the cheap. One cool thing is that Suricata can make use of GPU acceleration. Other features include multi-threading, support for Snort's signatures, port independent protocol identification, and more.

A few of the tips Will gave for building an IDS platform on the cheap were:

  • use a Nehalem chip - fast, fast, fast
  • use TNAPI/PF_RING - fast, fast, fast
  • use real hardware raid - fast, fast, fast
  • profile your rules - lose the slow, slow, slow 🙂

Slides: Don't have access to slides.

I See What You Did There

Dave Hull was up next with a talk on timeline forensics. This was a nifty talk and I learned quite a few things I didn't know before. For instance, the NTFS filesystem keeps file timestamp information in two places, $STDINFO and $Filename. Even better, they don't necessarily always agree and best of all, the current champ for malicious timestamp manipulation only affects $STDINFO. Like I said, very nifty stuff. He showed us some ways to use Sleuthkit to build file access timelines and some other tools, like log2timeline, to get other timestamps that exist on a system, of which there are a multitude.
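Dave's point that the two NTFS timestamp sets don't always agree is easy to check over a Sleuth Kit bodyfile (the output of fls -m). The script below is an added example, not from the talk or its slides: the bodyfile lines are constructed, and its single rule (a $STANDARD_INFORMATION creation time older than the $FILE_NAME creation time) is a heuristic for spotting a backdated $SI record, not proof of tampering.

```python
"""Flag files whose $STANDARD_INFORMATION ($SI) times look backdated relative
to $FILE_NAME ($FN), using a Sleuth Kit bodyfile (fls -m). Added example; the
sample lines below are constructed, not from a real image."""
from collections import defaultdict

# Bodyfile fields: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# fls prints the $FN record as a second line whose name ends in "($FILE_NAME)";
# the MFT record number is the part of the inode field before the first dash.
SAMPLE_BODYFILE = """\
0|/Windows/System32/calc.exe|41-128-1|r/rrwxrwxrwx|0|0|776192|1247526000|1247526000|1247526000|1247526000
0|/Windows/System32/calc.exe ($FILE_NAME)|41-48-2|r/rrwxrwxrwx|0|0|776192|1247526000|1247526000|1247526000|1247526000
0|/Users/bob/AppData/Local/Temp/svch0st.exe|1203-128-3|r/rrwxrwxrwx|0|0|20480|1184000000|1184000000|1184000000|1184000000
0|/Users/bob/AppData/Local/Temp/svch0st.exe ($FILE_NAME)|1203-48-2|r/rrwxrwxrwx|0|0|20480|1284700000|1284700000|1284700000|1284700000
"""

FN_TAG = " ($FILE_NAME)"
TIME_FIELDS = ("atime", "mtime", "ctime", "crtime")


def parse_bodyfile(text):
    """Group records by MFT record number into {'name', 'si': {...}, 'fn': {...}}."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue  # skip blank or malformed lines rather than guessing
        name, mft_no = fields[1], fields[2].split("-")[0]
        times = dict(zip(TIME_FIELDS, map(int, fields[7:11])))
        if name.endswith(FN_TAG):
            entries[mft_no]["fn"] = times
            entries[mft_no]["name"] = name[: -len(FN_TAG)]
        else:
            entries[mft_no]["si"] = times
            entries[mft_no].setdefault("name", name)
    return entries


def find_backdated(entries):
    """Return (name, si_crtime, fn_crtime) where $SI creation predates $FN creation.
    $FN is written by the kernel on create/rename and is not reached by the usual
    user-mode timestamp API, so an older $SI crtime is a lead worth putting on the
    timeline. Same-volume renames refresh $FN too, so expect some benign hits."""
    hits = []
    for rec in entries.values():
        if "si" not in rec or "fn" not in rec:
            continue  # need both attributes to compare
        if rec["si"]["crtime"] < rec["fn"]["crtime"]:
            hits.append((rec["name"], rec["si"]["crtime"], rec["fn"]["crtime"]))
    return sorted(hits)


def scan_bodyfile(text):
    return find_backdated(parse_bodyfile(text))


if __name__ == "__main__":
    for name, si, fn in scan_bodyfile(SAMPLE_BODYFILE):
        print(f"{name}: $SI crtime {si} predates $FN crtime {fn}")
```

Feed it the real thing with `fls -r -m / image.dd > body.txt` and `scan_bodyfile(open("body.txt").read())`; hits are leads to confirm against the $FN times in mactime output, not verdicts.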

By the way, just in case you didn't know, Dave shared that Vista and Windows 7 do not update the access time timestamp by default. Not very helpful. You probably want to go turn that on, particularly in your enterprises.

Slides: I See What You Did There (pdf)

Seven Ways IT is enabling Cybercrime

It actually turned out to be ten ways. Daniel J Molina of Kaspersky gave this talk on ways in which enterprise IT is not helping the organization be more secure.

#10: Data Center Fixation: Ignoring the propagation of data outside the data center.
#9: Information Amnesia: Forgetting the value of data, i.e. only accounting for cost of physical assets.
#8: I missed this one. Sorry
#7: Device Dyslexia: Ignoring the defense of mobile end points. We now have micro-perimeters that need protection.
#6: Social Media Mania: We need proper controls before it's too late.
#5: Attention Misdirection: We are focusing too much on prevention. We need to give detection and reaction more attention.
#4: Awareness Deficit Disorder: Failing to foster a culture of awareness.
#3: Threat Camouflage: Underreporting of attacks and breaches.
#2: Compliance Complacency: Settling for compliance
#1: Assuming Everything is OK

Slides: Don't have access to slides.

Evil WiFi: Subversive Wireless & Self Defense

Ax0n gave a talk on how to defend against subversive individuals who are attacking your wi-fi infrastructure and your wi-fi clients. He gave us a demo of some nastiness that can be done. He documents this extensively here. Very interesting and eye opening stuff.


Automating Metasploit: Pwning Hosts While You Sleep

Bill Swearingen gave this talk on automating Metasploit. He gave us a full measure of nifty stuff you can do with Metasploit, like separate attack and listening systems, automated scripting of responses from the listeners, and several other tidbits for setting up your own automated attack infrastructure. Lots of information and lots of fun.

Slides: Automating Metasploit: Pwning Hosts While You Sleep (pdf)

Things that go bump in the Evite

Unfortunately, I was unable to see this talk given by Surbo in its entirety since we didn't want to be on the road too late and had a 3 hour drive ahead of us. Surbo was gracious enough to give the five minute version. All I can really say is that there are some problems with Evite that really need to be fixed.

Slides: Don't have access to slides.

Again, if you have a chance to make it to a BSides event, take it.



Security BSides Kansas City is Friday!

by kriggins on September 15, 2010

in Announcement, Conferences

I have talked about Security BSides conferences before. They are a lot of fun and free. Free is good 🙂

Because they are small conferences, the atmosphere is very conducive to great conversations and interactions with your fellow information security inclined folk.

BSides Kansas City is this Friday the 17th. The line up looks good and, remember, it's FREE.

They do ask that you indicate if you are coming by either updating the page here or by emailing That helps plan for some things.

I'll be there. You should show up and introduce yourself 🙂 I would love to meet some of my readers!



Vote For My #BSidesSF Talk

by kriggins on February 1, 2010

in Announcement, Conferences

I have submitted a topic for consideration for Security BSides San Francisco 2010 which happens concurrently with RSA.

For those not familiar with Security BSides, the following is from the website:

What is BSides?

BSides is an ad-hoc gathering of information security types born from the desire for people to share and learn in an open environment. It is an intense event with discussions, demos and interaction from participants. It is entirely community driven. It is where conversations for the next-big-thing may be happening. We've followed the BarCamp format... because it works.

My topic:

  • Title: Discussion: What Makes a Good Risk Management Practice?
  • Abstract: All of our organizations have to manage risk, specifically information security risk. What does it mean to do that well? What are the moving parts that make up a good risk management practice? This discussion/panel/talk will not focus on assessment methodologies or frameworks. It will also not focus on the "information security program." We will spend some time focusing on the other moving parts of a risk management practice. Engagement with our business partners, how we bring it all together, how we can manage the inputs and outputs of the risk management process, etc. It will be an opportunity for those interested to share and learn from each other.

This topic is modeled after the RSA Peer-2-Peer sessions in that it is not a presentation. I anticipate a discussion where we can all contribute to the conversation and try to define what it means to build a good risk management practice in our organizations.

Please vote for my topic by tweeting the following if this sounds like a conversation you'd like to be a part of:

@SecurityBSides I vote for "What Makes a Good Risk Management Practice?" by @kriggins #BSidesSF



Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. A selection of videos from Blackhat 2009 has been made available. Black provides some links to them, but you can also find them on the Blackhat site.
    Selected video presentation at Black Hat 2009. -- PenTestIT
    Tags: ( blackhat conferences videos )
  2. Here are a couple of scripts that allow you to view and search Windows event logs on a Linux system.
    RaDaJo (RAul, DAvid and JOrge) Security Blog: Looking for the right event
    Tags: ( event-logs perl linux )
  3. Lori calculates the bandwidth of sneakernetting hard drives to the cloud 🙂 Yes, I just made a verb out of sneakernet. 🙂
    The Bandwidth of Sneakernet to the Cloud
    Tags: ( general )
  4. Jack has posted the audio from the B-Sides conference in Las Vegas that occurred at the same time as Blackhat and Defcon.
    Uncommon Sense Security: Security B-Sides Las Vegas 2009 Audio
    Tags: ( bsides conferences )
  5. Alan has started a series of posts that will explore the SAS70 Type II report. Good info in the first post.
    StillSecure, After All These Years: SAS 70 Type II Should you care?
    Tags: ( sas70 )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.