Security BSides Kansas City Re-cap

by kriggins on September 19, 2010

in Conferences

Updated 9/20/2010: Changed attempted ACH fraud bit from 'this year' to 'to date.'

Last Friday, the 17th of September, was the first ever iteration of Security BSides Kansas City. It was held in conjunction with the Kansas City Infragard chapter's CyberRAID contest. This was bad because I couldn't take any pictures :), but great because of the cross pollination that happens when events take place in conjunction with each other.

BSidesKC was a one day, one track conference packed full of great talks given by great speakers. Below you will find brief descriptions of each talk along with links to the slides where available.

If you ever have the chance to make it to a BSides event, take it! The generally smaller venues create an environment where great conversations can and do happen. BSidesKC was no exception. I was able to meet in person several of the people I chat with on Twitter like @jfug, @n0b0d4, @surbo, and @davehull. I also was able to see @hal_pomeranz and @ax0n again.

The FBI's Response to a Computer Intrusion

The first talk of the day was given by three FBI agents. I will not use their names here as I didn't have a chance to ask for permission to do so. The first part of the talk was a general introduction to the Cyber investigative focus of the FBI. You can read more about that in this post from my FBI Citizen's Academy series (which I need to finish). They also spoke about some specific cases, such as a spam case where the instigators were caught and are awaiting sentencing.

The second half dealt with cyber crimes focused on exploiting financial services organizations via their customers, i.e., ACH fraud. Some interesting numbers were provided, such as the amount of attempted ACH fraud to date, $215 million, and the actual amount lost, $60+ million. Most interesting is that almost all of this type of fraud is perpetrated using customer credentials that have been intercepted via malware on the customers' computers. Brian Krebs at Krebs on Security has written extensively on this problem.

Slides: No access to slides.

I Survived IDS Apocalypse '10 and All I Got Was This Stupid T-Shirt

This talk was given by William Metcalf, who is a full-time developer working for the Open Information Security Foundation on Suricata, a network-based IDS/IPS. William talked about the features of the current release of Suricata and gave us an intro to some of the upcoming features on the roadmap. He also provided some tips for building a high-performance IDS/IPS on the cheap. One cool thing is that Suricata can make use of GPU acceleration. Other features include multi-threading, support for Snort's signatures, port-independent protocol identification, and more.

A few of the tips Will gave for building an IDS platform on the cheap were:

  • use a Nehalem chip - fast, fast, fast
  • use TNAPI/PF_RING - fast, fast, fast
  • use real hardware RAID - fast, fast, fast
  • profile your rules - lose the slow, slow, slow 🙂

Slides: Don't have access to slides.

I See What You Did There

Dave Hull was up next with a talk on timeline forensics. This was a nifty talk and I learned quite a few things I didn't know before. For instance, the NTFS filesystem keeps file timestamp information in two places, the $STDINFO and $Filename attributes. Even better, they don't necessarily always agree, and best of all, the current champ for malicious timestamp manipulation only affects $STDINFO. Like I said, very nifty stuff. He showed us some ways to use Sleuthkit to build file access timelines, and some other tools, like log2timeline, to get the other timestamps that exist on a system, of which there are a multitude.
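The $STDINFO vs. $Filename disagreement described above is exactly what a timeline analyst looks for, so here is an added example (not code from the talk or from this post) that flags MFT records whose $STANDARD_INFORMATION timestamps disagree with $FILE_NAME in a way ordinary file activity does not produce. The records are constructed here; the record layout, the zero-sub-second heuristic and the paths are assumptions of this example, and a real run would take records from an MFT parser's output.

```python
"""Flag NTFS records whose $STANDARD_INFORMATION ($SI) timestamps disagree
with $FILE_NAME ($FN). Added example; the sample records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

UTC = timezone.utc


@dataclass
class MftRecord:
    path: str
    si_created: datetime   # $SI creation time: the value timestomping tools rewrite
    si_modified: datetime  # $SI last-modified time
    fn_created: datetime   # $FN creation time: set on create/rename/move, rarely touched


def indicators(rec: MftRecord) -> List[str]:
    """Return the reasons a record looks manipulated (empty list = consistent)."""
    reasons = []
    # $FN creation is written when the file first appears at this path, so a
    # $SI creation time earlier than that cannot come from ordinary use.
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created predates $FN created")
    # Heuristic (assumption of this example): tools that accept second-granularity
    # input leave the sub-second part of every $SI timestamp at exactly zero.
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("$SI timestamps have zero sub-second precision")
    return reasons


def suspicious(records: List[MftRecord]) -> Dict[str, List[str]]:
    """Map path -> indicator list for every record with at least one indicator."""
    hits = {}
    for rec in records:
        why = indicators(rec)
        if why:
            hits[rec.path] = why
    return hits


# Constructed sample: one ordinary file and one whose $SI was pushed back to 2008
# while its $FN still records when it actually landed on disk.
SAMPLE = [
    MftRecord(r"C:\Windows\System32\calc.exe",
              datetime(2009, 7, 14, 1, 14, 22, 318474, UTC),
              datetime(2009, 7, 14, 1, 14, 22, 318474, UTC),
              datetime(2009, 7, 14, 1, 14, 22, 318474, UTC)),
    MftRecord(r"C:\Users\Public\update.exe",
              datetime(2008, 1, 1, 12, 0, 0, 0, UTC),
              datetime(2008, 1, 1, 12, 0, 0, 0, UTC),
              datetime(2010, 9, 12, 3, 41, 7, 906112, UTC)),
]

if __name__ == "__main__":
    for path, why in suspicious(SAMPLE).items():
        print(path, "->", "; ".join(why))
```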

By the way, just in case you didn't know, Dave shared that Vista and Windows 7 do not update the last-access timestamp by default. Not very helpful. You probably want to go turn that on, particularly in your enterprises.

Slides: I See What You Did There (pdf)

Seven Ways IT is enabling Cybercrime

It actually turned out to be ten ways. Daniel J. Molina of Kaspersky gave this talk on ways in which enterprise IT is not helping the organization be more secure.

#10: Data Center Fixation: Ignoring the propagation of data outside the data center.
#9: Information Amnesia: Forgetting the value of data, i.e. only accounting for cost of physical assets.
#8: I missed this one. Sorry.
#7: Device Dyslexia: Ignoring the defense of mobile end points. We now have micro-perimeters that need protection.
#6: Social Media Mania: We need proper controls before it's too late.
#5: Attention Misdirection: We are focusing too much on prevention. We need to give detection and reaction more attention.
#4: Awareness Deficit Disorder: Failing to foster a culture of awareness.
#3: Threat Camouflage: Underreporting of attacks and breaches.
#2: Compliance Complacency: Settling for compliance.
#1: Assuming Everything is OK.

Slides: Don't have access to slides.

Evil WiFi: Subversive Wireless & Self Defense

Ax0n gave a talk on how to defend against subversive individuals who are attacking your wi-fi infrastructure and your wi-fi clients. He gave us a demo of some of the nastiness that can be done. He documents this extensively here. Very interesting and eye-opening stuff.

Automating Metasploit: Pwning Hosts While You Sleep

Bill Swearingen gave this talk on automating Metasploit. He gave us a full measure of nifty stuff you can do with Metasploit, like separate attack and listening systems, automated scripting of responses from the listeners, and several other tidbits that make setting up your own automated attack infrastructure easier. Lots of information and lots of fun.

Slides: Automating Metasploit: Pwning Hosts While You Sleep (pdf)

Things that go bump in the Evite

Unfortunately, I was unable to see this talk, given by Surbo, in its entirety, since we didn't want to be on the road too late and had a three-hour drive ahead of us. Surbo was gracious enough to give the five-minute version. All I can really say is that there are some problems with Evite that really need to be fixed.

Slides: Don't have access to slides.

Again, if you have a chance to make it to a BSides event, take it.