I really intended to get this out earlier this week, but me o’ my has this been a busy week.

Anyway, day 2 at RSA 2010/Security BSides started in the reverse order of day1. I went to sessions at RSA first and then tottered over to Security BSides for the afternoon.

My day 1 recap can be found here.

Again, great content in both locations.

RSA 2010

I started the day out at RSA.

2010: A Web Hacking Odyssey – The Top Ten Hacks of the Year by Jeremiah Grossman

In this 50 minute talk, Jeremiah attempted to talk about the top 10 web based hacking hacking methods for 2010. These are not hacks of particular sites, but ways in which sites can be hacked. There were two amazing things about this talk:

1. That he even tried to do it in 50 minutes.
2. That he was successful.

This was a great talk and Jeremiah did a great job of covering a lot of ground. If you are interested in more detail, his presentation deck is available here.

Microsoft SDL Tools: Automating the Security Development Lifecycle by Katie Moussouris and Bryan Sullivan

The next talk at RSA for me was given by Katie Moussouris and Bryan Sullivan and focused on some tools available from Microsoft in support of a Secure Development Lifecyle.

Some pretty nifty stuff was shown and best of all, most, if not all, were free. Many of them plug right into Visual Studio making them even more available to the developer. It is worth your time to explore the SDL site that Microsoft has available for you here and the SDL blog here.

Risk Management: Getting Engage by Kevin Riggins (me)

The next stop on my RSA Wednesday was the Peer-2-Peer session I moderated. Again, there will be a separate post about it, but the short and sweet is that we all need to find ways to get information security risk management engaged in the business and the business engaged in information security risk management.

This was my last session at RSA for the day. I headed over to Security BSides for pizza and more great sessions.

Security BSides

The first order to business was to grab some lunch

SDL Lite by Marisa Fagan

Marisa’s lightning talk was a quick demonstration of how we can implement a SDL “lite” process. Interesting stuff. Marissa could really use your help. Errata Security is conducting a survey about the use of secure development methodologies. From the post:

Errata Security is conducting a survey on the real world usage of software development methodologies such as Microsoft SDL, OWASP's SAMM, and BSIMM. We are interested in learning which organizations are successfully implementing these methods, and also the reasons companies are abstaining from using these methods.

Help her out and take the survey.

The Great Compliance Debate: No Child Left Behind or The Polio Vaccine with Jack Daniel, Josh Corman, Anton Chuvakin, Michelle Klinger

This was a good compliance/PCI discussion that included both the panel and the audience. I am not going to try to summarize it, but it is probably worth your time to catch the video.

Risk Management - Time to blow it up and start over? by Alex Hutton

Alex know risk. I enjoyed this talk and it definitely generated some thought for me. As Alex said, though, this wasn’t a “throw everything you are doing away” talk. It was look at the current state and trying to figure out if there is a better way. From his description:

Now that the industry is trying to formalize the concept of risk management into neat little compartments like standards (ISO 27005/31000), certifications (CRISC) and products, (GRC) guess what?  We're doing it wrong.  Fundamentally wrong.  This talk will discuss why all this current risk management stuff is goofy and what sort of alternatives we have that might help us understand our ability to protect, our tendency towards failure, and how to match that up with what management will stomach.

He did mention the new Verizon framework that looks pretty nifty.

That was pretty much it for the day from a conference perspective. I went back to my hotel to work for a bit and then it was time to head to the Security Bloggers Meet-up which was a lot of fun. You can see some photos from that event here if you are interested, luckily none of my ugly mug

-Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

1. This is a nice SANS Gold paper on identifying load balancers during a pen test.
   identifying_load_balancers_in_penetration_testing_33313 (application/pdf Object)
   Tags: ( pentest )
2. Gunnar offers up a method of figuring out your security spending budget.
   1 Raindrop: Three Steps to a Rational Security Budget
   Tags: ( budget spending )
3. Marco will be exploring the Windows 7/Server 2008 firewall in this series. Should be interesting.
   Digital Bond >> Win7/2008 Firewall Part 1
   Tags: ( firewall windows-7 )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

1. This will be a very helpful tool for anybody trying to wrap their arms around enterprise logging.
   Anton Chuvakin Blog - "Security Warrior": Simple Log Review Checklist Released!
   Tags: ( logging cheatsheet checklist )
2. If you are or want to perform application security tests, you really should have this in your tool belt.
   OWASP Testing Methodology | ethicalhack3r
   Tags: ( webappsec pentesting )
3. Lori delivers another gem. Read this.
   The Corollary to Hoff's Law
   Tags: ( cloud security )
4. Hoff has published the slides from his keynote at the Cloud Security Alliance Summit.
   Slides from My Cloud Security Alliance Keynote: The Cloud Magic 8 Ball (Future Of Cloud) | Rational Survivability
   Tags: ( cloud csa )
5. Richard uses a fantastic analogy to point out a very true fact about APT. You should read this.
   TaoSecurity: Making a Point with Pressure Points
   Tags: ( apt )
6. JJ shares some thoughts from her RSA Peer-2-Peer session on NAC.
   Security Uncorked >> NAC, Endpoint Security and Revelations from the RSA P2P
   Tags: ( nac )
7. This post has some pointers to some very good reading regarding cloud computing and security.
   Understanding the Top Security Threats to Cloud Computing - SecureCloudReview.com
   Tags: ( cloud guidance )
8. Like Gunnar says, SSL is not the panacea. Check out his post.
   1 Raindrop: Web Services on SSL - Giving Attackers Room to Roam
   Tags: ( webservices ssl )
9. Digital Soapbox - Down the Security Rabbithole!: "ControlScan" Security Seal Fraud Exposed
   Digital Soapbox - Down the Security Rabbithole!: "ControlScan" Security Seal Fraud Exposed
   Tags: ( seals )
10. DevCentral: When Everything is a Threat Nothing is a Threat
    When Everything is a Threat Nothing is a Threat
    Tags: ( threats )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

I am at the RSA conference again this year. At the same time and nearby, Security BSides is holding an event.

Most of you are are probably aware of the RSA conference, but many may not be familiar with Security BSides. From the site:

What is BSides?

BSides is a community driven unconference built for and by information security community members.  The goal is to expand the spectrum of conversation beyond the traditional confines of space and time.  It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos and interaction from participants. It is where conversations for the next-big-thing are happening.  We've followed the BarCamp format... because it works.

The format is intimate, i.e. small, and the content is voted on by the community. This was my first opportunity to participate in this type of conference and I found it a great environment for learning and interacting with peers.

Security BSides

I spent the morning at BSides and it was time well spent.

Life on the InfoSec D-list by Andrew Hay

The opening keynote was delivered by Andrew Hay. Andrew started a series of interviews called the D-list a while back and I consider myself fortunate to have been included. Before you take umbrage at the name D-list, you need to understand what Andrew means.

Being on the D-list means you are in the trenches getting the work done. You are contributing to the field and active in the community. You may not be a "star", but you care and are committed to the profession.

He talked about the importance of community and gave some tips on ways to possibly move up the chain should you be so inclined.

I thought it was a great keynote and that perspective is in no way influenced by the fact that I consider Andrew a good friend   We all have ways we can contribute to the profession and community and being on the D-list is not to be scoffed at.

Preparing for a PCI forensic investigation by David Barnett

After Andrew's keynote, David Barnett delivered a talk about PCI investigations. David is an ex-QIRA. For those who don't know, a QIRA is a Qualified Incident Response Assessor. This is the individual that will show up to perform the incident response assessment in the event you are involved in a PCI DSS breach.

David shared what is involved when a QIRA comes on site and also offered some tips on how to manage an incident in a manner that will make it much less painful. From his talk description:

Reviewing lessons learned from dozens of past forensic cases,  this presentation will highlight how to prepare for a PCI mandated forensics investigation including;  what steps should be taken to limit fines and fees, how to ensure you have proper legal representation, how to limit the scope of the investigation, and what questions to ask before deciding on who will conduct the forensic investigation.

This was an interesting talk with a great deal of information in it. I hope to get the slide deck and will offer other thoughts after that.

So what's the Alternative by Michael Santarcangelo, JJ (Jennifer Jabbusch), Marisa Fagan

This talk was a panel that explored what can be done to remove the inherent risk that  passwords bring to the table. It was a lively discussion and was particularly interesting since Michael attended via Skype. His head was huuuuge

Of particular note to me was the discussion about the difference between identity and authentication and how in most cases we have merged the two. Very interesting stuff. The conversation continues on Twitter. Join in here.

Moving venues

After the password panel, I moved from BSides, which was held in a co-working site not too far from the Moscone center, over to RSA.  Transportation back and forth was generously provided by BigFix. I hopped on the bus and enjoyed a nice ride back to the conference site.

Security "Groundhog Day" – Third Time's a Charm with Martin McKeay, Rich Mogull, Ron Woerner, Dave Lewis and Mike Rothman.

This was the second time I attended this panel and its third iteration. It is a fun and informative discussion about what is going on in the security industry and that we can't keep doing the same things and expecting a different outcome. There was a lot of ground covered from APT to what technologies should die to several other topics. Very interesting stuff.

Case m00p by Mikko Hypponen

After repeating my Groundhog Day experience , I went to a talk given by Mikko Hypponen of F-Secure. Mikko’s talk was a walk-through of the investigation and eventual apprehension, at least of some members, of the computer hacking  gang called m00p. Mikko is a very engaging speaker and this was a very interesting talk.

Nothing cutting edge because the case itself was a little older, but very interesting to see the steps that Mikko went through to track these folks down. The most amusing part about the story was the gang’s constant need to tell what they did and their naiveté in thinking that Mikko would not share that information with law enforcement.

Winnovation- Security Zen through Disruptive Innovation and Cloud Computing by Christofer Hoff and Rich Mogull

This rapid-fire information onslaught was an extension of a talk Chris and Rich gave last year. It focused on the fact that innovation is often disruptive and that cloud computing is acting as such an agent right now. Chris and Rich are fun to watch and at the same time introduce a great deal of information.

One of the biggest takeaways I had from this talk is not necessarily new, but still very important. We have to talk to the business in a manner that shows we are supporting their effort, but at the same time help them understand we want to do so in as secure a manner as is appropriate. Rich offered up some tips and good questions to ask and hopefully I can get the slide deck later so they can be shared more widely.

Speaker’s Dinner

The final event for the first day of RSA/BSides for me was the speaker’s dinner. I attending as a speaker this year. I led a peer-2-peer session on Wednesday that I will talk about in a separate post. I enjoyed the dinner and discussion even though the drinks and hors d’ oeuvres time was packed, hot and loud

I thought the first day of both conferences was fantastic and the rest followed along the same path. More on that later.

-Kevin

Hello from San Francisco! It is RSA week which means that the Bits posts will go on hiatus for the next week. This will be the last one until Monday of next week. Sorry, but just to much too do

Here are today's Interesting Information Security Bits from around the web.

1. Happy Birthday HiR! Ax0n and crew offer some great stuff. You should be watching.
   HiR Information Report: 0x0d - Happy Birthday, HiR!
   Tags: ( general )
2. This is very very cool. Going to have to talk to somebody about this while at RSA this week. Incident Metrics Framework.
   Verizon Business Security Blog >> Blog Archive >> Verizon Incident Metrics Framework Released
   Tags: ( framework )
3. Zach finds out some interesting (read scary) things about foursquare login on the Android.
   I'm in ur 4sq, snarfin ur password -- Part I - Intrepidus Group - Insight
   Tags: ( foursquare android )
4. Andrew interviews Joshua Corman. I hope to meet Joshua this week.
   Andrew Hay >> Blog Archive >> Information Security D-List Interview: Joshua Corman
   Tags: ( interview d-list )
5. Some goodness from Shmoocon. The video and presentation for the Social Zombies talk.
   Social Zombies II Slides, Video and Demos from Shmoocon -- spylogic.net
   Tags: ( shmoocon social-engineering video )
6. JJ is releasing a new paper at RSA that will be worth a gander.
   Security Uncorked >> RSA Sneak Peek: The Universal NAC Feature Model doc
   Tags: ( nac )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

1. A nifty tool pointed too by Agusto that helps dig out those user/password pairs hanging around on shares.
   Very nice tool for pentests | Security Balance
   Tags: ( tools pentesting passwords )
2. If you live in the UK, you want to read this short post about your health records.
   Light Blue Touchpaper >> Blog Archive >> Opting out of health data collection
   Tags: ( privacy health )
3. OpenDNS is trying to make your DNS experience safer.
   OpenDNS Blog >> OpenDNS adopts DNSCurve
   Tags: ( dns dnssec dnscurve opendns )
4. This looks interesting. See how well you are alerting/stopping data leakage in your org.
   Hydra: Data Leakage Vulnerability Test System | Fidelis Security Systems
   Tags: ( dlp data-leakage tools )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

1. Rob is starting up a new endeavor that should be interesting.
   Practical Exploitation
   Tags: ( general )
2. Craig is looking for some people to take a quick survey on Cloud Security Threats. Help him out.
   Cloud Security Threats Survey | Cloud Security
   Tags: ( survey cloud )
3. Pretty slick.
   Running a command on every machine in your domain from the command line
   Tags: ( scripting )
4. This is a good read for all in infosec independent of the job focus.
   From the CIO: Why You Didn't Get the CISO Job - CSO Online - Security and Risk
   Tags: ( general business )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

1. The latest Packet Challenge is up.
   "Name That Tune" - Packet Challenge << I Smell Packets
   Tags: ( challenge forensics )
2. The speaker list has been finalized for CarolinaCon. Check it out.
   CarolinaCon: The NC Regional Technology Conference - March 19th, 20th, and 21st 2010
   Tags: ( conferences carolinacon )
3. More OSSEC fun. This time using Logwatch.
   Combining Logwatch and OSSEC >> chrisbrenton.org
   Tags: ( ossec logging )
4. Here is a nifty reverse engineering example.
   Traversing a 'DLL': Financial Crimeware (Banker) << TraverseCode.com
   Tags: ( reverse-engineering malware )
5. The Symantec State of Enterprise Security Report for 2010 is out. I haven't read it yet, but it is on the pile.
   Symantec State of Enterprise Security Report (application/pdf Object)
   Tags: ( report )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

1. Here is a quick list of things to try when pen testing a Citrix installation
   Narkolayev Shlomi: Hacking Citrix and Terminal Server Techniques
   Tags: ( citrix pentesting )
2. Good article on the data cleanup portion of identity management.
   Data Cleanup Part 1: Primary UserIDs : The Security Catalyst
   Tags: ( identity-management )
3. Neat website on SSL.
   SSL Labs
   Tags: ( ssl )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

1. Beware of hasty decisions, early indicators and selection bias.
   (Mis)reading the runes << wirewatcher
   Tags: ( incident-response )
2. The call for papers for Defcon 18 is open. Get to work.
   DEF CON(r) 18 Hacking Conference - Call for Papers Announcement
   Tags: ( cfg defcon-18 )
3. As if managing VoIP wasn't difficult enough already, let's through in steganography.
   A new VoIP threat - steganography - RiskPundit
   Tags: ( voip steganography )
4. This might be a good post to keep handy in the event you need to backout a patch and can't boot.
   Using Linux to back out a Windows XP patch - Computerworld Blogs
   Tags: ( patching recovery )
5. Challenge number 2 is ready for your attention. Give it a go.
   Forensic Challenge 2010/2 - "browsers under attack" is now online | The Honeynet Project
   Tags: ( forensics challenge )
6. A lovely article about flash cookies and what they can tell a forensic investigator.
   Local Shared Objects, aka Flash Cookies
   Tags: ( flash cookies privacy )
7. An interesting topic, tokenization, is covered quite well in this post on InfoCynic.
   A New Approach to Enterprise Data Security | Infosec Cynic
   Tags: ( encryption tokenization )
8. A few things you should be aware of regarding the HITECH act.
   7 Things You Need to Know About HITECH | Optimal Security: The Lumension Blog
   Tags: ( hitech )
9. Alex opines on the cloud, metrics and faith. A good read.
   On Cloud Security Metrics >> Dub Cloud
   Tags: ( cloud metrics )
10. I have attended a couple virtual conferences and enjoyed them. A good line-up here.
    Infosecurity (UK) - 2010 Virtual Conference on Endpoint Security - Beyond the Perimeter - Full conference programme revealed
    Tags: ( conference virtual )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin