conferences

Security BSides Kansas City is Friday!

by kriggins on September 15, 2010

in Announcement, Conferences

I have talked about Security BSides conferences before. They are a lot of fun and free. Free is good 🙂

Because they are small conferences, the atmosphere is very conducive to great conversations and interactions with your fellow information security inclined folk.

BSides Kansas City is this Friday the 17th. The line up looks good and, remember, it's FREE.

They do ask that you indicate if you are coming by either updating the page here or by emailing bsideskc@gmail.com. That helps plan for some things.

I'll be there. You should show up and introduce yourself 🙂 I would love to meet some of my readers!

Kevin

RSA 2010/Security BSides Recap – Day 02

by kriggins on March 13, 2010

in Conferences

I really intended to get this out earlier this week, but me o’ my has this been a busy week.

Anyway, day 2 at RSA 2010/Security BSides started in the reverse order of day 1. I went to sessions at RSA first and then tottered over to Security BSides for the afternoon.

My day 1 recap can be found here.

Again, great content in both locations.

RSA 2010

I started the day out at RSA.

2010: A Web Hacking Odyssey – The Top Ten Hacks of the Year by Jeremiah Grossman

In this 50 minute talk, Jeremiah attempted to cover the top 10 web-based hacking methods for 2010. These are not hacks of particular sites, but ways in which sites can be hacked. There were two amazing things about this talk:

  1. That he even tried to do it in 50 minutes.
  2. That he was successful.

This was a great talk and Jeremiah did a great job of covering a lot of ground. If you are interested in more detail, his presentation deck is available here.

Microsoft SDL Tools: Automating the Security Development Lifecycle by Katie Moussouris and Bryan Sullivan

The next talk at RSA for me was given by Katie Moussouris and Bryan Sullivan and focused on some tools available from Microsoft in support of a Secure Development Lifecycle.

Some pretty nifty stuff was shown and, best of all, most, if not all, were free. Many of them plug right into Visual Studio, making them even more available to the developer. It is worth your time to explore the SDL site that Microsoft has available for you here and the SDL blog here.

Risk Management: Getting Engaged by Kevin Riggins (me)

The next stop on my RSA Wednesday was the Peer-2-Peer session I moderated. Again, there will be a separate post about it, but the short and sweet is that we all need to find ways to get information security risk management engaged in the business and the business engaged in information security risk management.

This was my last session at RSA for the day. I headed over to Security BSides for pizza and more great sessions.

Security BSides

The first order of business was to grab some lunch 🙂

SDL Lite by Marisa Fagan

Marisa’s lightning talk was a quick demonstration of how we can implement an SDL “lite” process. Interesting stuff. Marisa could really use your help. Errata Security is conducting a survey about the use of secure development methodologies. From the post:

Errata Security is conducting a survey on the real world usage of software development methodologies such as Microsoft SDL, OWASP's SAMM, and BSIMM. We are interested in learning which organizations are successfully implementing these methods, and also the reasons companies are abstaining from using these methods.

Help her out and take the survey.

The Great Compliance Debate: No Child Left Behind or The Polio Vaccine with Jack Daniel, Josh Corman, Anton Chuvakin, Michelle Klinger

This was a good compliance/PCI discussion that included both the panel and the audience. I am not going to try to summarize it, but it is probably worth your time to catch the video.

Risk Management - Time to blow it up and start over? by Alex Hutton

Alex knows risk. I enjoyed this talk and it definitely generated some thought for me. As Alex said, though, this wasn’t a “throw everything you are doing away” talk. It was a look at the current state and an attempt to figure out if there is a better way. From his description:

Now that the industry is trying to formalize the concept of risk management into neat little compartments like standards (ISO 27005/31000), certifications (CRISC) and products (GRC), guess what? We're doing it wrong. Fundamentally wrong. This talk will discuss why all this current risk management stuff is goofy and what sort of alternatives we have that might help us understand our ability to protect, our tendency towards failure, and how to match that up with what management will stomach.

He did mention the new Verizon framework that looks pretty nifty.

That was pretty much it for the day from a conference perspective. I went back to my hotel to work for a bit and then it was time to head to the Security Bloggers Meet-up which was a lot of fun. You can see some photos from that event here if you are interested, luckily none of my ugly mug 🙂

-Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. The latest Packet Challenge is up.
    "Name That Tune" - Packet Challenge << I Smell Packets
    Tags: ( challenge forensics )
  2. The speaker list has been finalized for CarolinaCon. Check it out.
    CarolinaCon: The NC Regional Technology Conference - March 19th, 20th, and 21st 2010
    Tags: ( conferences carolinacon )
  3. More OSSEC fun. This time using Logwatch.
    Combining Logwatch and OSSEC >> chrisbrenton.org
    Tags: ( ossec logging )
  4. Here is a nifty reverse engineering example.
    Traversing a 'DLL': Financial Crimeware (Banker) << TraverseCode.com
    Tags: ( reverse-engineering malware )
  5. The Symantec State of Enterprise Security Report for 2010 is out. I haven't read it yet, but it is on the pile.
    Symantec State of Enterprise Security Report (application/pdf Object)
    Tags: ( report )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. OT, but very cool. Make your own QR code temporary tattoos.
    QR Code Temporary Tattoos Howto | The Guerilla CISO
    Tags: ( general )
  2. I think I pointed to something about this a bit ago, but here is more on chip and pin having issues.
    Light Blue Touchpaper >> Blog Archive >> Chip and PIN is broken
    Tags: ( chip-and-pin )
  3. Fun stuff here. Using WCF to scan inside the perimeter.
    Abusing WCF to Perform Remote Port Scans - Gotham Digital Science
    Tags: ( scanning )
  4. Dave opines about 5 reasons your security program may be struggling.
    ShackF00 >> 5 Reasons Your Security Program is a Failure
    Tags: ( general security-program )
  5. Just in case you were not aware of it, OWASP has a broken web application project. It's a VM with vulnerable apps.
    owaspbwa - Project Hosting on Google Code
    Tags: ( webappsec education )
  6. Join the rant against the term "best practice." Drives me nuts, just like it does Adam.
    Best Practices for Defeating the term "Best Practices" << The New School of Information Security
    Tags: ( general )
  7. Josh has some good points about social networking and its use at work.
    Josh More - Starmind Blog >> Should we allow our employees to engage in social networking?
    Tags: ( social-networking )
  8. Check it out if you are in Europe or have a really big travel budget.
    Pimping the Security Non-Cons: Troopers 2010 | Rational Survivability
    Tags: ( conferences )
  9. Some cool and interesting stuff going on in the A6 world. Check out Chris's post about A6 and CloudAudit.
    The Automated Audit, Assertion, Assessment, and Assurance API (A6) Becomes: CloudAudit | Rational Survivability
    Tags: ( cloud a6 cloudaudit )
  10. Fun with social engineering and Metasploit.
    Social-Engineering Toolkit (SET)
    Tags: ( social-engineering metasploit )
  11. .:[ Layered Security ]:.: 802.11n card that works with BackTrack 4 - woohoo!
    Tags: ( backtrack tools wireless )
  12. Security-Shell: NoMore AND 1=1 - Web Application Testing Tool released
    Tags: ( webappsec sql-injection )
  13. 7 Things Every Information Security Professional Should Know -- My Information Security Job
    Tags: ( careers )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Vote For My #BSidesSF Talk

by kriggins on February 1, 2010

in Announcement, Conferences

I have submitted a topic for consideration for Security BSides San Francisco 2010 which happens concurrently with RSA.

For those not familiar with Security BSides, the following is from the website:

What is BSides?

BSides is an ad-hoc gathering of information security types born from the desire for people to share and learn in an open environment. It is an intense event with discussions, demos and interaction from participants. It is entirely community driven. It is where conversations for the next-big-thing may be happening. We've followed the BarCamp format... because it works.

My topic:

  • Title: Discussion: What Makes a Good Risk Management Practice?
  • Abstract: All of our organizations have to manage risk, specifically information security risk. What does it mean to do that well? What are the moving parts that make up a good risk management practice? This discussion/panel/talk will not focus on assessment methodologies or frameworks. It will also not focus on the "information security program." We will spend some time focusing on the other moving parts of a risk management practice. Engagement with our business partners, how we bring it all together, how we can manage the inputs and outputs of the risk management process, etc. It will be an opportunity for those interested to share and learn from each other.

This topic is modeled after the RSA Peer-2-Peer sessions in that it is not a presentation. I anticipate a discussion where we can all contribute to the conversation and try to define what it means to build a good risk management practice in our organizations.

Please vote for my topic by tweeting the following if this sounds like a conversation you'd like to be a part of:

@SecurityBSides I vote for “What Makes a Good Risk Management Practice?” by @kriggins #BSidesSF http://bit.ly/BSidesSFtalks

-Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Woot! ShmooCon will be video streaming the conference live!
    ShmooCon 2010 - Latest News
    Tags: ( conferences video shmoocon )
  2. Here is a very reasoned look at the recently announced flaw in certain FIPS 140-2 certified USB devices.
    Is FIPS 140-2 Fatally Flawed? | Optimal Security: The Lumension Blog
    Tags: ( fips140-2 usb )
  3. Andrew's next D-list interview is up. This time it's Chris Boyd, more affectionately known as paperghost. I haven't had the pleasure of meeting Chris in real life, but I have in the land of the intarwebs.
    Andrew Hay >> Blog Archive >> Information Security D-List Interview: Chris Boyd
    Tags: ( interviews )
  4. Dennis shares some thoughts on first steps in getting an information security program up and running from scratch.
    Security From Scratch: Getting the Lay of the Land : The Security Catalyst
    Tags: ( program )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Happy New Year everyone! Welcome to the first edition of Interesting Information Security Bits for 2010. We have a great crop of things to check out today.

Here are today's Interesting Information Security Bits from around the web.

  1. If you couldn't make it to #26C3, many of the talks are now available on video. Check it out here.
    Download the #26C3 videos and bonus material | Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills
    Tags: ( conferences 26c3 videos )
  2. Uh-oh. Not good.
    NIST-certified USB Flash drives with hardware encryption cracked - The H Security: News and Features
    Tags: ( usb encryption )
  3. Interesting look at small and mid-sized companies being targeted by cyber gangs. By the way, this is Brian Krebs's new site. He is no longer with the Washington Post. Make sure to add it to your RSS reader.
    Buried Warning Signs -- Krebs on Security
    Tags: ( online-banking theft )
  4. Very cool. A new e-mag has been started. Into the Boxes is an e-mag about digital forensics and incident response. Good stuff.
    Into The Boxes: Issue 0x0 << Into The Boxes
    Tags: ( incident-response forensics )
  5. Jack is ready to get the Shmoobus back on the road. If you are in the northeast and looking for a ride, check it out.
    Uncommon Sense Security: Shmoobus II
    Tags: ( conferences shmoo )
  6. Mike Rothman has joined Securosis. Good things will come of this.
    Securosis Blog | Introducing Securosis Plus: Now with 100% More Incite!
    Tags: ( general )
  7. Nifty. Version 2 of the Web Application Security Consortium's Threat Classification is now available.
    The Web Application Security Consortium / Threat Classification
    Tags: ( wasc threat-classification )
  8. A neat map of the WASC Threat Classification document to the OWASP Top Ten RC1.
    Jeremiah Grossman: WASC Threat Classification to OWASP Top Ten RC1 Mapping
    Tags: ( owasp wasc threat-classification )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

To those in the U.S., welcome back to work unless, of course, you are reading this when it was posted 🙂

Here are some Interesting Information Security Bits from around the web.

  1. Sounds like Paul and I have the same pet peeve. If you are accepting credentials on a page, serve the whole page over SSL, not just the form submission part.
    Not just plain old http | Paul Ducklin's blog
    Tags: ( https integrity )
  2. Are you wondering what is a public network and what is not from a PCI perspective? If so, check out Branden's post.
    Branden Williams's Security Convergence Blog >> The Gobble-Gobble of Public Networks
    Tags: ( pci public )
  3. The call for papers for HITB 2010 Dubai is now open.
    The Professional Security Testers Warehouse for the CEH GPEN QISP Q/ISP OPST CPTS - Hack In The Box (HITB) Security Conference 2010 Dubai
    Tags: ( conferences cfp hack-in-the-box )
  4. Some interesting data about usernames and passwords used during brute force attacks. It was collected by Microsoft.
    Microsoft Malware Protection Center : Do and don'ts for p@$$w0rd$
    Tags: ( passwords )
  5. The Notacon videos are available now.
    The Professional Security Testers Warehouse for the CEH GPEN QISP Q/ISP OPST CPTS - Notacon 2009 video files are now online
    Tags: ( conferences notacon videos )
  6. Ever beat your head against the wall because you can't figure out why that stupid program keeps running every time you restart your computer? This fine list will help track down that pesky critter.
    Immutable Security >> Windows Startup Locations
    Tags: ( windows startup )
  7. This is very very cool. How about being able to ssh to your host on port 80, even when it has a fully functional Apache server running on the same port? Like I said, that is seriously cool.
    Creating Ghost Services with Single Packet Authorization
    Tags: ( access-control tools )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

It is Thanksgiving Day week in the U.S. and that means a couple of days off. I decided to tack on an extra day and won't be working tomorrow either. Yay! Five days off in a row.

Anywho, I will also be taking those days off from the Interesting Bits posts so this one will have to tide you over until Monday 🙂

Here are today's Interesting Information Security Bits from around the web.

  1. 10 things to think about not doing when on Facebook. This list will keep you safer.
    Errata Security: 10 Facebook Don'ts
    Tags: ( facebook )
  2. Is your iPhone infected with the Duh worm? Paul tells us how to clean it up.
    How to clean up the Duh iPhone worm | Paul Ducklin's blog
    Tags: ( iphone worm )
  3. Russel is looking for some collaborators on a research project he is working on. It looks to be very interesting. From his post: "The topic is the arms race between attackers and defenders from the perspective of innovation rates and "evolutionary success" - the Red Queen problem (running just to stand still). Here's a sample research question: "can bureaucracies (defenders) keep up with a decentralized black market (attackers)?", and similar." Read the rest of the post and drop him a line if you are interested.
    Information Security as an Evolutionary Arms Race - Research Collaborators Wanted << The New School of Information Security
    Tags: ( research )
  4. Shrdlu once again has penned an article that you should go read. Metrics are great, but they have to mean something.
    The meaning of metrics
    Tags: ( metrics risk )
  5. There is 0-day out there for IE 6 and IE 7. Microsoft's recommendation in some cases is to upgrade to IE 8. Um, oops.
    Major IE8 flaw makes 'safe' sites unsafe
    Tags: ( ie vulnerabilities )
  6. An interesting post that explores a conundrum that some organizations face when trying to comply with PCI. What happens when some of what I do requires me to be out of compliance with PCI-DSS?
    Branden Williams's Security Convergence Blog >> Multi-Function Service Providers, What To Do?
    Tags: ( pci )
  7. From the post: "We have uploaded the audio recording of select talks from the Ohio Information Security Summit that took place October 29-30, 2009 in Cleveland, Ohio." Looks like some good stuff is available. Check out the post for the details.
    Security Justice >> Blog Archive >> Select Talks from ISS2009 Now Available for Download
    Tags: ( audio conferences talks )
  8. A new tool is available that shows some interesting things about the internet.
    Room362.com - Blog - SHODAN The Computer Search
    Tags: ( tools )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. The Security Baselines for Windows 7 and IE 8 are now available.
    Now Available: Security Baselines for Windows 7 and Internet Explorer 8 - Springboard Series Blog - The Windows Blog
    Tags: ( windows-7 ie8 )
  2. The call for submissions for Peer2Peer sessions at RSA 2010 has opened. Have a topic you want to explore with others in your industry/field/profession? Go ahead and suggest it.
    Peer2Peer Sessions
    Tags: ( rsa-2010 cfp )
  3. Xavier's first day recap of Hack.lu is up.
    /dev/random >> hack.lu Day #1
    Tags: ( conferences hacklu )
  4. Jeremiah offers some interesting thoughts on black box vs white box software testing.
    Jeremiah Grossman: Black Box vs White Box. You are doing it wrong.
    Tags: ( webappsec )
  5. Another good article on methods and tools to monitor/gather intelligence about your company that might be mentioned on-line. This one focuses on blogs, message boards, and metadata.
    Enterprise Open Source Intelligence Gathering - Part 2 Blogs, Message Boards and Metadata -- spylogic.net
    Tags: ( monitoring )
  6. This is scary.
    hype-free: Why network neutrality is a big deal
    Tags: ( general )
  7. Anton's notes from the day he spent at NIST's SCAP conference.
    Anton Chuvakin Blog - "Security Warrior": Notes from NIST SCAP 5th Security Automation Conference
    Tags: ( conference nist-scap )
  8. Alex has posted a nice exploration of impact vs asset valuation. This is a very FAIResque treatment of the issue if you ask me, which is a good thing in my opinion.
    Verizon Business Security Blog >> Blog Archive >> The curious case of asset Valuation.
    Tags: ( risk-analysis asset-valuation )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin
