Archive for the ‘Gatherings’ Category

CITYSEC: CapSecDC (May 28, 2008)

Dave G. | May 27th, 2008 | Filed Under: Gatherings

For those of you in the DC area, CapSecDC will be held tomorrow @ 7PM at:

Stetson’s
1610 U St NW
Washington DC 20009

You can walk there from Metro, either the U Street Cardoza Metro on the Green/Yellow, or Dupont on the Red line. They will hopefully be out back in the patio.

ChiSec 17 is NEXT WEDNESDAY.

Thomas Ptacek | April 24th, 2008 | Filed Under: Gatherings

ChiSec is the single best gathering of security professionals in the Chicago metro area: it’s free of charge, free of vendors, and free of membership. You just show up, and so do other people, and somehow, by the power of the long tail cluetrain infoconomy, the whole thing works itself out, as if some mysterious tipping “point”, aided by the wisdom of the crowd and the power of thinking without thinking, is propelling it towards a freakonomic logic of life that is made to stick.

Where was I? Moneyball! No, wait: the location. It’s at Houlihan’s on Wacker, which is on the corner of Wacker and Michigan. This ChiSec only: a sure-to-be-exciting discussion about why we continue to have ChiSec at a Houlihan’s. Come armed with suggestions for alternatives!

ChiSec is next Wednesday. You do not need to RSVP.

A Tale Of Two OWASPS

Dave G. | September 14th, 2007 | Filed Under: Gatherings

It was the best of times, it was the worst of times. I take that back. It was mostly the latter. I had to be out the door by 4:30AM to catch my plane to Chicago. Which would be bad enough under normal conditions, but I just moved to a new apartment, and those noisy kids are keeping me up past 11PM again. To boot, when I get downstairs I realize that the cab strike has begun. Still, capitalism prevailed and a cab pulled over and took me to JFK.

Chicago

I was flying to Chicago for both a meeting and to go to their OWASP meetup. The meeting was hosted at ABN AMRO by Cory Scott (ex-@stake). If I had to guess there were close to thirty people there. Everyone really seemed to know each other. There were two talks:

  1. “Automated Thrash Testing”, Andrew Gironda (“Dre” on our blog). While I am still not 100% clear on what Automated Thrash Testing is, Dre did map a lot of QA processes back to security. I think. I learned a lot about QA processes, but it would have been nice if it focused a little more on security testing. To be fair, my mind was slowly turning into mush thanks to a lack of sleep around the middle of his talk.

  2. “Defeating Information Leak Prevention”, Matasano’s own Eric Monti (this is Eric’s talk from Blackhat). I didn’t get to see all of Eric’s talk at Blackhat, so getting to see the parts that I missed was excellent. Unfortunately, I am biased, so I will refrain from commenting on Eric’s talk.

This was followed by drinking. By the time drinking was underway I was only partially conscious. There was a lot of good conversation, ranging from application testing to how one could make their friends fight to the death if you win the lottery. Then I cab it back to the airport hotel, where I fall asleep and wake up to a security guard knocking on my door wondering how I overslept a wake-up call and room service. This knock was clearly outlined in the manual under “Is your guest deceased?”.

New York

I catch the next flight back to New York. After two hours of sitting next to the Chicago finalist for the World’s Sexiest bartender contest, I arrive back in New York City. Just in time for day 2 of the New York City Cab Strike. After the world’s longest taxi experience, I arrive at Matasano HQ on Wall St. This gives me just enough time to check email, relay events and head to OWASP New York.

Hosted at the American Stock Exchange, it’s a totally different vibe. Somewhere in the neighborhood of 75 people. Wooden room. Sandwiches. A podium. Sandwiches. A lot more people dressed formally. Sandwiches. Five speakers:

  1. “OWASP update”, Tom Brennan. For better or for worse, OWASP NY/NJ is a lot more connected to OWASP Central. In this case, it meant not listening to Jeff’s message to all of OWASP due to technical difficulties. There was definitely more mention of memberships. Which, as I said before, is a good thing. Tom also ran through some OWASP stats and some questions to engage the audience. The stats weren’t too surprising, but there was a funny moment when the stat on which part of the industry attendees came from went up and there was zero law enforcement on the list. This is funny because of:

  2. “Hackers…BotNets oh My! Obtain a briefing on the current BotNet investigations etc.”, NYC FBI Cyber Crime Unit. This was a pretty good session. Not surprising is the fact that BotNet authors are getting smarter. Surprising is that international law enforcement co-operation appears to be getting better. Especially Romania <-> USA co-operation. Apparently, getting a wiretap in Romania is unusually fast. I thought I detected a little bit of envy that it was so easy. That look disappeared quickly as several in the audience basically volunteered to hack Romanian BotNet herders. The questions at this point were all about slicing and dicing what would be tolerated by the FBI. This part of the Q&A should have ended with him yelling in an Austrian accent “It’s not a tumoor!”, but he managed to not pull out his gun and rid the world of three heckling pen testers.

  3. “Why today’s vulnerability assessments are failing and a case for industry standardization”, Mark Clancy. This speaker pointed out that it is really difficult to look at the results of a vulnerability assessment and determine the competency of the testers, the severity of the results, the amount of coverage and more. This is a real problem for consumers of penetration testing results (think Enterprises). When you have an F10 organization, the number of vulnerability assessments that have to be reviewed is astonishing. They are often coming from vendors who hired their own penetration testing team. Then they are often edited down by the vendor. There was a great moment where he stopped talking and people started to propose solutions, but then realized that there were no easy answers.

  4. “Stock fluctuation from an unrecognized influence”, Justine Bone-Aitel, Immunity Security. I’m not sure this was an accurate title for the talk, but it’s always good to see the Immunity folks. The best part of the talk was the statistics on Immunity’s zero day. I am so serious when I say they should do an entire talk around their statistics on tracking their zero day.

  5. “Financial Real-Time Threats: Impacting Trading Floor Operations/JBroFuzz: Effective Fuzzing for Network and Web Applications”, Dr. Yiannis Pavlosoglou, Information Risk Management. This session wasn’t as crisp as I would have liked. I think it was an anatomy of an attack combined with “this is what a trading floor might look like”. The anatomy-of-an-attack part didn’t seem to be particularly convincing. Due to time constraints and technical difficulties, this talk got cut short.

They also went out drinking, but I was out of steam.

What did I learn from this whole lotta OWASP?

There is a lot of regionality to OWASP. The feel at the two OWASPs was totally different, and both were totally appropriate for their locations. While both OWASPs had their differences, thematically they were on target. Most importantly, OWASP members like to go out drinking.

Black Hat Extrusion Detection Encore: Next Wednesday, OWASP Chicago

Thomas Ptacek | August 27th, 2007 | Filed Under: Gatherings, Uncategorized

Come see Eric Monti reprise our Black Hat talk on Extrusion Detection and Content Management and Filtering systems. Next Wednesday, September 5th, at Chicago OWASP. From the abstract:

Some “Extrusion Detections” products rely on network gateway IPS/IDS approaches, whereas others work in a way more closely resembling host-based IDS/IPS. The main difference is that instead of detecting/preventing malicious information from entering a company’s perimeter, they focus on keeping assets inside.

We’ve been evaluating a number of products in this space and have run across a large number of vulnerabilities. They range from improper evidence handling, to inherent design issues, all the way to complete compromise of an enterprise, using the Extrusion Detection framework itself as the vehicle.

Capsule summary: Eric and I got a chance to test several market-leading “Extrusion Detectors”. None of them emerged unscathed. Eric will talk about the techniques and methods we used to pick these black-box systems apart, and what types of vulnerabilities we found.

Chicago OWASP is open to all comers, but you do need to RSVP to Jason Witty (jason at wittys dot com) sometime before next Tuesday. Meetings are held in the LaSalle Bank building on Madison. Check the OWASP page for more details. See you there!

Chisec 13 is THIS THURSDAY.

Thomas Ptacek | August 27th, 2007 | Filed Under: Gatherings, Uncategorized

Nate Lawson reports on BaySec, “I counted nearly 45 people at one point, a new record. I think we might be even bigger than Chicago.”

Well, let me tell you something, Nate. BaySec will never be bigger than Chisec. We will count people twice. We will count dead people. We will pay people to show up. We will hurt people who don’t show up. We’ll burn their houses to the ground. Their families. DEAD. You want the truth? You can’t handle the truth! Because when you look over at a pile of goo that used to be your best friend’s face, you’ll know what I’m saying! Forget it, Nate! It’s Chinatown!

Oh, also, Chisec is this week on Thursday. Same time, same place. No RSVP required.

CitySec Update: Boston, Grand Rapids, New York, Washington DC

Dave G. | August 14th, 2007 | Filed Under: Gatherings

BEANSEC

August 15th: Enormous Room: 567 Mass Ave, Cambridge 02139. Look for the Elephant on the left door next to the Central Kitchen entrance. Come upstairs. We sit on the left hand side…

Don’t worry about being “late” because most people just show up when they can. 6:30 is a good time to aim for. We’ll try and save you a seat. There is a parking garage across the street and 1 block down or you can try the streets (or take the T).

CapSec

In an attempt to establish a trend, we’re going to go with the “last Thursday of every month” at the Brickskellar, until further notice. (August 30)

GRSec

August GRSec will be Tuesday August 28th (2 weeks from now).

Details here: http://grsec.blogspot.com/

NYSEC

NYSEC is a-comin’ in a week. It will be located at Pound And Pence, 55 Liberty St. in the financial district, on Tuesday August 21, starting at 6PM. They usually run between two and three hours, and are chock full of smart and interesting security folks.

Reminder: There is a google calendar for NYSEC. It lets you export into your calendaring software.

MAILING LIST UPDATE: We have been sending out email on the nysec mailing list. If you aren’t receiving it, you need to resubscribe.

What?! There is no CitySec in your city?! Start one!

My Blackhat Experience

Dave G. | August 14th, 2007 | Filed Under: Gatherings, Industry Punditry, Navel Gazing

First of all, I loved blackhat this year. I know it was quiet and relatively drama free compared to previous years, but it was just good to see a lot of old friends. For us, Blackhat was crazy busy. We had 3 talks and 1 panel. Plus we had a panel at DEFCON as well (making it the first DEFCON I had been to in many years).

THE TALKS

For those of you that haven’t spoken at Blackhat, it is a process by which things invariably go wrong and you find yourself pulling out your hair. I think it is a combination of busy season for our business, plus having to write talks, plus travel logistics, plus having to rewrite talks at the last minute just makes things super stressful. And, oh yeah, your business doesn’t disappear just because you go to Vegas.

Eric Monti spoke about DLP systems along with Thomas Ptacek. The research was awesome, and we are definitely not done talking about that space.

Tom spoke along with Nate Lawson and Pete Ferrie on Virtualized Rootkits. The hubbub was covered by the press, in articles like this one.

Jeremy and I spoke about FIX and how to assess FIX based applications. That talk was a lot of fun to build and deliver. We have been doing a lot of work in that arena, and it was great to get up on stage and talk about it. It was a shame we only had 20 minutes to give the talk. I expected this talk to be more contentious, but there was a lot of nodding in the crowd.

THE PANEL

This year I was asked to do the Sisyphean Vulnerability Disclosure and Ethics panel, moderated by David Mortman and Paul Proctor. The panel included Rob Graham/Errata, Window Snyder/Mozilla, Jon Stewart/Cisco, Ian Robertson/RIM, Steve Lipner/Microsoft and myself. These were the parts of the panel I enjoyed:

  1. When asked the dreaded “Would you hire a hacker?”, neither Lipner nor Stewart touted a party line like “We don’t hire hackers! EVIL!”. Instead they spoke about how they hire people, and gave a war story or two.

  2. Someone asked Window how Mozilla balances profit motive against developing secure software. Ok, they asked all the other vendors that too, but it was still funny to see someone ask a non-profit the corporate greed question.

  3. The discussion on ethics around zero-day signatures à la TippingPoint. I wrote about the risks of this in 2005. Maynor and Graham proved that this is something we need to be thinking about.

  4. The discussion of vulnerability markets came up, and whether researchers should get paid for finding and reporting vulnerabilities to vendors. I wish we had more time to talk about this.

  5. I got to do this panel twice. In and of itself, this wasn’t that interesting. But doing it once at DEFCON and once at Blackhat reminded me how different the views were between the two conferences’ attendees. On a related note, I’m old.

  6. My dislike of panels is only surpassed by my desire to talk.

The biggest problems with this panel are:

  1. Agreement. We all agreed way too much. We need differing opinions, or at least a devil’s advocate.

  2. Committing to something. It is difficult for people to really take a stand on any topic. It is hard to say something meaningful when you can’t necessarily speak for your organization on every topic.

These, by the way, are challenges for every panel on Earth.

THE PWNIES

Finally, the Pwnies happened this year, which I was really excited about. It came together last minute, but was a lot of fun. Mad props to Alex S., Dave A., HD Moore, and Dino Dai Zovi for not only being some of the most talented folks in computer security, but also the funniest. Also, to Jeff Moss for giving the Pwnie awards a home. It got a shocking amount of coverage.

CitySec Updates: CapSec and NYSEC

Dave G. | August 8th, 2007 | Filed Under: Gatherings

CapSec

In an attempt to establish a trend, we’re going to go with the “last Thursday of every month” at the Brickskellar, until further notice. (August 30)

NYSEC

NYSEC is a-comin’ in a little less than two weeks. It will be located at Pound And Pence, 55 Liberty St. in the financial district, on Tuesday August 21, starting at 6PM. They usually run between two and three hours, and are chock full of smart and interesting security folks.

Reminder: There is a google calendar for NYSEC. It lets you export into your calendaring software.

What?! There is no CitySec in your city?! Start one!

CitySec: The Heat Round: Atlanta (TONIGHT) and Phoenix (TOMORROW)

Thomas Ptacek | July 25th, 2007 | Filed Under: Gatherings, Uncategorized

Atlanta is an excellent security city, between ISS, Georgia Tech, and the constellation of tiny security startups twinkling in and out of existence. And, like Chicago in February, you can’t really be outdoors anyways right now (it’s like 120 degrees with 100% humidity), so you might as well spend the evening at the inaugural HotSec meeting. It’s at the Brick Store Pub near Decatur (wherever that is), starting at 6PM.

Phoenix might also be an excellent security city, but I’ll never know, because I’m too terrified that I’ll burst into flames to ever leave the airport. Unfortunately, SunSec is not in the airport; it’s in Scottsdale. It’s tomorrow. Follow the link for more details!

In both cases, you do not need to RSVP, and you do not need to “join up”; that’s the whole point of the meetup. Just show up, drink beer, and meet the local security people in your area.

CHISEC 12 is TONIGHT.

Thomas Ptacek | July 19th, 2007 | Filed Under: Gatherings, Uncategorized

0000  43484953 45432031 32206973 20544f4e |CHISEC 12 is TON|
0010  49474854 2c206174 20486f75 6c696861 |IGHT, at Houliha|
0020  6e277320 0a6f6e20 5761636b 65722c20 |n's .on Wacker, |
0030  646f776e 746f776e 2c207768 65726520 |downtown, where |
0040  5761636b 65722061 6e640a4d 69636869 |Wacker and.Michi|
0050  67616e20 696e7465 72736563 74206174 |gan intersect at|
0060  20746865 20726976 65722e20 57650a73 | the river. We.s|
0070  74617274 20617420 372c2077 6520656e |tart at 7, we en|
0080  64206172 6f756e64 2031302e 20596f75 |d around 10. You|
0090  200a646f 206e6f74 206e6565 6420746f | .do not need to|
00a0  20525356 502e0a0a                   | RSVP...|
00a8

More details here. See you there.
