SecuraBit

Before It Bytes!

BsidesROC(ked)!

I had the pleasure of attending BsidesROC this past Saturday in Rochester, NY while visiting family.  The only previous experience I’d had with Bsides was in Las Vegas last summer, and I must say out of the many small conferences I have been to over the last couple of years, these guys did a very impressive job!  The conference consisted of two tracks with a total of 15 talks.

Here’s a rundown of the events:

  • The Rochester chapter of TOOOL was kept very busy with a constant flow of lock pickers, both new and veteran, and managed to sell out of the kits they had available.
  • Interlock, the local hackerspace, was also there and had a number of great projects to show off.  I always love seeing hackerspaces at conferences!
  • Hacker Battleship, a unique take on the CTF, was really fun for the 24 who participated.  Someone SQL injected the scoreboard too 😉

There were just over 200 attendees and everything flowed very smoothly.  The event had the feeling of something that just happened there every weekend, and there were flying SHARKS! Albeit without laser beams, for the safety of all present, of course. 😉

Some other misc stats:

  • The 3D badges took approximately 50 hours to print and were awesome!
  • 3129 DHCP leases were handed out throughout the day.
  • 6 flying sharks and fish, including one flying red angry bird.

Looking forward to next year!

Press Release: The BSides Las Vegas Innovation Challenge

Aka “The Science Fair”

Produced by: A.P. Delchi

OVERVIEW: 

Remember the heady days of the science fair? Demo parties? People coming together to show off the amazing bits of awesome that they had made in their basement? It’s time to revive this tradition and bring it to the modern day security conference. From an open call to the world, twelve teams representing hackerspaces and maker groups will be selected to come to Las Vegas to compete in four categories in front of a panel of  judges to demonstrate what they have accomplished. Awards will be based on cash and hardware provided by sponsors and donations from across the industry. 

THE CHALLENGE: 

Get your hackerspace, maker group, or team of friends who tinker in your basement and prepare your best projects and innovations to be presented to the BSides Las Vegas conference. This is an open call to groups that have established themselves, or are up and coming and ready to amaze the world. Submission methods are up to the group, but videos, pictures and live demonstrations are suggested. The call for submissions will be seeking entries for the following categories: 

Category One: Things that make things.

Did your group build a 3D printer, laser cutter, CNC device or some other piece of awesome that helps you make other things? What did you do with it after you built it? For example some folks have built 3D printers and used them to fabricate parts from skateboard wheels to carrying cases. Show us what you built, and what you built with it!

Category Two: Biohacking

Has your group experimented in gene splicing, implants, aeroponics, automated hydroponics, biofuels or other such biologically inspired projects? Bring your beakers and your Jacob's ladders to the people who rarely hear about such things. Innovations such as a kit to test food to see if it contains GMOs, or innovative home farming methods using automation and chemistry, are what we are after.

Category Three: Vehicles

Get out of the garage and in front of the people! Have you turned your ordinary car into a hackmobile? Converted an old school bus into a rolling data center? Does your car have more storage space than your home computer? We are talking more than just thumpy bumpy sound systems – we want to see your homemade Batmobile. Atomic engines to power! Nessus scanners active, rolling Wi-Fi hotspots activated! Make it so!

Category Four: Demos

From the good ol' days of demo parties, show us what you’ve got! You will have your moment on stage to display your awesome. Remember the talent show scene from Revenge of the Nerds? We now have EL wire and wearable MIDI. Take us on a magic carpet ride of awesome that shows what your team can do. Unlike the other categories, you will perform at the awards party and no one will know until it’s over who will win this category. Clap your hands everybody, and everybody clap your hands!

Open submissions start NOW. Submissions can be anything from photographs, videos, live streaming or wherever your imagination takes you. Send your YouTube links or other submissions to: [email protected]

Six months out from the event a panel of judges will select three submissions from each category for a total of twelve groups who will be invited to come to BSides Las Vegas and make their presentations. From there a second panel of judges hand-picked from the old, new, and weird school will judge the submissions, with the winners being announced at an open party during the conference.

THE PRIZES: 

Prize packages will be determined based on sponsor and donor contributions. At this time hundreds of trained squirrels are working to contact potential sponsors and contributors to make the rewards the best we can muster. As this develops we will keep you updated.

In each of the four categories, the prizes will be:
  • 1st place: Amazing package of stuff and things, to further your awesome and make your innovations come true.
  • 2nd place: A not as amazing as first place but still enough to give you toys to take back and build, innovate and make things happen.
  • 3rd place: Guaranteed entry into the competition next year without having to go through preliminary judging.

Prizes for the first three categories will be awarded at an awards party to be held after judging. The demo competition and awards will happen as part of that party. Plans for live bands, DJs and sponsor demonstrations are in the works!

SPONSORS & DONORS: 

Does the idea of a show of awesome and supporting hackerspaces & maker group innovation make you feel warm and fuzzy inside? Do you want to donate hardware from your company, or sponsor the event in other ways?  Let us know! We will be reaching out in every way we can to ensure that the sponsors and donors as well as the participants are recognized in the forward march of human driven innovation. Security BSides Las Vegas, Inc. is a registered Nevada non-profit educational and charitable organization and the contest organizers are ready to work with you to help make this an amazing competition. 

NOW GET OUT THERE AND START BUILDING!

SecuraBit Episode 108: 50% Survived DEFCON Edition

Hosts

Guests

Topics

Upcoming events

Links

Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast – http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available – http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8

SecuraBit Episode 107: Summer Con Preview

Hosts

Guests

Topics

Upcoming events

Links

Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast – http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available – http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8

ChrisAM’s Picks for BSidesLV and DEFCON Talks 2012

On tonight’s show we will be talking about our choices for talks this year at BSidesLV and DEFCON.

It was very difficult to pick only one talk per time slot. My picks below are of interest to me personally. I do not mean to imply that one topic or speaker is better than any other, but we all have to make a decision for each hour of the conferences. You’ll notice that I am more interested in security policy, incident response, and network defense rather than reverse engineering, and exploitation.

(I will update this post later for continuity and with direct links to each talk description)

BSidesLV:

Wednesday
1100: Ambush – Catching Intruders at Any Point – Matt Weeks
1200: When Devices Rat Us Out – Ken Westin
1400: Big Data’s Fourth V: Or Why We’ll Never Find The Loch Ness Monster – Davi Ottenheimer
1500: Why have we not fixed the ID problem – Dallas
1600: Shot with your own gun – how appliances are used against you – Christopher Campbell
1700: Mirror Mirror – Reflected PDF Attacks using SQL injection – Shawn Asmus
1800: Sexy Defense – Ian Amit

Thursday
1000: Mainframed – The forgotten Fortress – Phil Young
1100: Metrics that suck even less – Walt Williams
1200: The leverage of language, or, How I realized Information Theory could save information security – Conrad Constantine
1400: The Magic of Symbiotic Security – Creating an ecosystem of security systems – Josh Sokol & Dan Cornell
1500: Lightning Talks
1600: Lightning Talks
1700: Lightning Talks
1800: IPv6 Panel / Drinking Game

Defcon:
Friday
1000: The Christopher Columbus Rule and DHS – Mark Weatherford
1100: Socialized Data: Using social media as a cyber mule – Thor
1200: Not so super notes: How well does US dollar prevent counterfeiting? AND The open cyber challenge platform project
1300: How to Channel Your Inner Henry Rollins – Jayson E. Street AND Bad (and sometimes Good) Tech Policy: It’s not just a DC thing
1400: Changing the security paradigm: taking back your network and bringing pain to the adversary – Shawn Henry
1500: An Inside Look into Defense Industrial Base (DIB) technical security controls: How Private Industry protects our Country’s Secrets – James Kirk
1600: Bypassing Endpoint Security for $20 or Less – Phil Polstra
1700: Anti-Forensics and Anti-Anti-Forensics: Mitigating Techniques for Digital-Forensic Investigations – Michael Perklin

Saturday:
1000: World War 3.0: Chaos, Control & the Battle for the Net – Corman, Kaminsky, Moss, Beckstrom, Gross
1100: Hacking Humanity: Human Augmentation and You – Christian Dameff, Jeff Tully
1200: Botnets Die Hard – Owned and Operated – Aditya Sood, Richard Enbody
1300: The End of the PSTN As You Know It – Jason Ostrom, Karl Feinauer, William Borskey
1400: <ghz or bust: DEF CON – ATLAS
1500: Exchanging Demands – Peter Hannay
1600: Connected Chaos: Evolving the DCG/Hackspace Communication Landscape – Blackdayz, Anarchy Angel, Anch, Dave Marcus, Nick Farr
1700: The DCWG Debriefing – How the FBI Grabbed a Bot and Saved the Internet – Paul Vixie, Andrew Fried

Sunday:
1000: OPFOR 4Ever – Tim Maletic, Christopher Pogue
1100: KinectasploitV2: Kinect Meets 20 Security Tools – Jeff Bryner
1200: Looking Into The Eye Of The Meter – Cutaway
1300: DC RECOGNIZE Awards – Jeff Moss, Jericho, Russ Rogers
1400: Can Twitter Really Help Expose Psychopath Killers’ Traits? – Chris Sumner, Randal Wald
1500: Sploitego – Maltego’s (Local) Partner in Crime – Nadeem Douba
1600: How to Hack All the Transport Networks of a Country – Alberto Garcia Illera

Securabit Episode 75: Booze over IP

February 9, 2011

Hosts:
Anthony Gartner – @anthonygartner http://anthonygartner.com
Chris Gerling – @chrisgerling
Christopher Mills – @thechrisam
Jason Mueller – @securabit_jay
Andrew Borel – @andrew_secbit
Tony (myne-us) – @myne_us

Guests:
Mike Dahn
Twitter: @mikd

Joe Gottlieb
Twitter: @joe_gottlieb

General topics:
Mike: BSides origins and other topics.  http://chaordicmind.com/blog/
Joe: Open Security Intelligence http://www.opensecurityintelligence.com/

On Monday, February 14th, SIEM and log management vendor SenSage will introduce the Open Security Intelligence forum, which the security community is invited to join. The concept of the community is to share best practices in open security analytics to improve our collective security defenses. Specifically, Joe Gottlieb, President and CEO of SenSage, would like to discuss:
– Current challenges with today’s SIEM tools, which are a decade old
– Why security analytics needs to be ‘open’
– Why integrating business intelligence tools (e.g. Pentaho, Microsoft Exchange, Cognos, etc.) with SIEM tools can create useful dashboards that help security analysts mine huge data stores for the ‘needle in the haystack’ information they need
– Why ‘security quants’ (analysts who can look deep into the data and develop complex yet useful SQL queries) will become the next role in the SOC
– The benefits of joining the community and sharing best practices

The community will be hosted on a web portal – www.opensecurityintelligence.com – that is under development and will be discussed in our Feb. 14 release. Joe is also giving a talk at Security BSides SF on 2/14 at 3pm PT on this very topic.

–HBGary Federal
http://krebsonsecurity.com/2011/02/hbgary-federal-hacked-by-anonymous/

–Nasdaq
There are not yet any reports of how Nasdaq was attacked. The comment on the website referred to the 1999 attack, in which someone defaced the Nasdaq website.

Quotes from http://www.wallstreetandtech.com/technology-risk-management/229201267

The operator of the Nasdaq Stock Exchange said it found “suspicious files” on its computer servers, in a Web application called Directors Desk which is used by members of corporations’ boards of directors who want to share information and files.

“What seems most likely is that the web servers were compromised in an attempt to use them to inject malicious software into their clients,” commented one reader of the nakedsecurity.sophos.com blog.

–Bsides
http://www.securitybsides.com/w/page/12194156/FrontPage
to contact: info (at) securitybsides dot org -or- call 415-742-1739

–Exploit developers corner
Looking for exploit developers!

If you have recently published an exploit, or have a previously published exploit you would like to talk about, contact us at [email protected] or contact Tony (myne-us) directly on IRC at freenode #securabit to arrange a short interview about your discovery.

List of common questions.

-How did you find the vulnerability?
-What is your goal in vulnerability research?
-How did you go about disclosing the vulnerability and how did the vendor respond?
-And more…

!!Caution!!:  No undisclosed vulnerabilities (0 day)! These vulnerabilities need to have been reported to the vendor and patched, or the vendor must have failed to patch within a reasonable time period. If you are interested in releasing an exploit on the show, that is fine as long as you can show proof that you disclosed to the vendor, the proof of concept is already posted on exploit-db, or it has a CVE.

Us: NetWitness Spectrum at RSA http://www.netwitness.com/products/spectrum.aspx

Upcoming events
RSA Conference 2011 (14 – 18 Feb 2011)
#BSidesSanFrancisco (14 – 15 Feb 2011)
#BSidesCleveland (18 Feb 2011)
#BSidesHalifax (5 Mar 2011)
#BSidesGSO Greensboro, NC (9 Mar 2011)
CanSecWest2011 (9 – 11 Mar 2011)
#BSidesAustin (11 – 12 March 2011) http://www.keepsecurityweird.org/
BlackHat Europe 2011 (17 – 18 Mar 2011)
#BSidesChicago (16 – 17 Apr 2011)
#BSidesLondon (20 Apr 2011)
#BSidesROC Rochester, NY (21 May 2011)
#BSidesDetroit (3 – 4 Jun 2011)

Links:
http://securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast – http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available – http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8

SecuraBit Episode 72: Take risks, get owned!

Recorded on December 29, 2010

Hosts:
Anthony Gartner – @anthonygartner http://anthonygartner.com
Chris Gerling – @chrisgerling
Christopher Mills – @thechrisam
Jason Mueller – @securabit_jay
Andrew Borel – @andrew_secbit

Guests:
Jack Jones discusses Risk Assessment and the FAIR method http://riskmanagementinsight.com/

General topics:

Risk Management, Small biz vs Enterprise
Monte Carlo?
How to Measure Anything: Finding the Value of Intangibles in Business by Douglas W. Hubbard
http://www.amazon.com/How-Measure-Anything-Intangibles-Business/dp/0470539399/ref=tmm_hrd_title_0

OnePassword – http://agilewebsolutions.com/onepassword
KeePass – http://keepass.info/
LastPass – http://lastpass.com/

Upcoming events
#BSidesMSP (7 Jan 2011)
ShmooCon (28-31 Jan 2011)
RSA Conference 2011 (14 – 18 Feb 2011)
#BSidesSanFrancisco (14-15 Feb 2011)
#BSidesAustin (11-12 March 2011) http://www.keepsecurityweird.org/

Links:
http://securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast – http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available – http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8

SecuraBit Episode 69: Picking Locks and Messing up Podcasts, Welcome to Gringo Village!

November 3, 2010

Hosts:
Christopher Mills – @thechrisam
Andrew Borel – @andrew_secbit
Anthony Gartner – @anthonygartner http://anthonygartner.com
Jason Mueller – @securabit_jay
Rob Fuller – @mubix
Tim Krabec – @tkrabec http://www.SMBMinute.com

Guests:
Deviant Ollam – http://deviating.net/ – author of Practical Lock Picking (Syngress)

General topics:
Practical Lock Picking by Deviant Ollam http://www.syngress.com/hacking-and-penetration-testing/Practical-Lock-Picking/

Review submitted by a coworker:
Practical Lock Picking by Deviant Ollam was an enjoyable read. The author does a good job of covering the art and science of picking locks. He chose two of the most common types of locks for the bulk of his material, which helps keep the focus of the book tight. He leads the reader from the basic operational principles of the locks, to flaws in the design & manufacture, and finally to how to pick the locks. The coverage of pick types and other tools of the trade rounds out the reader's knowledge of the subject. His down-to-earth style and simple language help the reader understand the material and develop the skills to pick these types of locks. His logical progression of starting with one pin and working your way up to all the pins in the lock will help the reader build confidence in their skills. The final sections on bypassing the door remind the reader that locks are part of a system, and sometimes the way to defeat a system is not the direct approach. Overall I would give this book 4 out of 4 stars.

Shmoocon Tickets??

The Open Organization Of Lockpickers http://toool.us/
Lock Picking Videos – http://www.youtube.com/deviantollam
General Information http://deviating.net/lockpicking/

IE Zero Day
Microsoft Security Advisory (2458511)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/2458511.mspx

Enhanced Mitigation Experience Toolkit v2.0
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04

SpyEye v. ZeuS Rivalry Ends in Quiet Merger
http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/

Upcoming events
#BSidesDFW November 6, 2010
#BSidesDE November 6, 2010
AppSec DC 2010 November 8-12, 2010
#BSidesOttawa November 12-13, 2010
RUXCON 2010 December 4-5, 2010
DojoCon December 11-12, 2010
#BSidesBerlin December 28-30, 2010
ShmooCon January 28-31, 2010

Links:
http://securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast – http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available – http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8

SecuraBit Episode 63: Walking to the Waffle House with Andy Willingham

August 11, 2010

Hosts:
Anthony Gartner – @anthonygartner http://anthonygartner.com
Chris Gerling – @chrisgerling
Christopher Mills – @thechrisam
Jason Mueller – @securabit_jay
Andrew Borel – @andrew_secbit

Guests:
Andy Willingham (Southern Fried Security Podcast) – @andywillingham http://www.andyitguy.com/blog/

General topics:
DEFCON/BLACKHAT/BSides Recap
–Chris – experience this year, and a review of the medical facilities in Las Vegas
–General entertaining banter

Shiny Old VxWorks Vulnerabilities
http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

Facebook name extraction based on email/wrong password
http://seclists.org/fulldisclosure/2010/Aug/130

Apple fixes PDF vulnerability that allowed web-based jailbreak
iOS 4.0.2 Software Update http://support.apple.com/kb/DL1061

Interview with Andy Willingham
ShmooCon 2011 Dates Announced
http://tinyurl.com/29nzc46

Microsoft drops the patch bomb
http://www.securabit.com/2010/08/10/microsoft-drops-the-patch-bomb/

Android Malware and Unexpected Features
http://crave.cnet.co.uk/mobiles/android-gets-its-first-texting-malware-50000303/

Free Android antivirus clocks up 2.5m downloads
http://www.theregister.co.uk/2010/08/11/free_android_security_app/

A Review of Verizon and Google’s Net Neutrality Proposal
http://www.eff.org/deeplinks/2010/08/google-verizon-netneutrality

Upcoming events
South Florida ISSA’s Hack the Flag and chili cook-off, Saturday August 14, 2010 from 12:00pm – 5:00pm
http://sfissa.org/index.php/sfissa-mm-events/htf-main/85-hack-the-flag-2010
Hacker Halted http://www.hackerhalted.com/ Tim is speaking October 14th
Louisville Infosec 10/7. http://www.louisvilleinfosec.com/
Atlanta B-Sides 10/8. http://www.securitybsides.com/BSidesAtlanta
HacKid – http://www.hackid.org/ 10/9-10/10
Phreaknic 10/15. http://www.phreaknic.info/pn14/

Links:

http://www.securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast – http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available – http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8

SecuraBit Episode 62: Visualizing Data with NetWitness

Hosts:
Anthony Gartner  @anthonygartner http://anthonygartner.com
Chris Gerling @chrisgerling
Christopher Mills @thechrisam
Andrew Borel @andrew_secbit

Guests:
Eddie Schwartz – @eddieschwartz

General topics:
BSidesLV http://www.securitybsides.com/BSidesLasVegas
BlackHat https://www.blackhat.com/html/bh-us-10/bh-us-10-home.html
Defcon https://www.defcon.org/html/defcon-18/dc-18-schedule.html

Shmoocon Woot Video http://www.youtube.com/watch?v=HJ0ypgZU_D0
NetWitness Visualize http://visualize.netwitness.com/

Brief panel on certifications.

iPhone App Now Available. http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8

http://itunes.apple.com/us/podcast/securabit/id280048405

Upcoming events
South Florida ISSA’s Hack the Flag and chili cook-off, Saturday August 14, 2010 from 12:00pm – 5:00pm
http://sfissa.org/index.php/sfissa-mm-events/htf-main/85-hack-the-flag-2010
Hacker Halted http://www.hackerhalted.com/ Tim is speaking October 14th

Links:
http://securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast – http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available – http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8