Having attended BSides Toronto a couple of times (and always having a great time), I was very excited to attend BSidesSF, just ahead of the RSA Conference. This is a simple post on observations and the sessions I watched during “day one”.
Yes, BSidesSF is two days and two or more tracks, much larger than my reference with BSides Toronto. This means that not only did I have to choose which sessions to watch, but that there’s more tomorrow. 🙂
I just noticed the videos for some talks are already at IronGeek. Talk about fast turnaround!
- Venue: the OpenDNS offices. While acoustics can be a challenge sometimes, the venue itself is great: spacious, easy to access, bright. Someone mentioned it would get warm in there, but frankly I didn’t notice. WiFi worked well (I hope everyone behaved) and it was pretty easy to get from session to session.
- Meals: breakfast and coffee breaks in the back (oh, the bagels and donuts…), food trucks in the alley for lunch. Good food, great conversations.
On to the sessions:
- Gopal Jayaraman from SierraWare (@SierrawareLLC) started off (early by about 10 minutes, but we were all ready anyway) with a good discussion on how the Certificate Model is broken and how it can be abused. He then introduced the topic of Certificate Pinning – the practice of ‘locking’ use of specific certificates within the application itself so as to prevent Man-in-the-Middle attacks. While a good feature for privacy, it makes network traffic opaque to monitoring systems. He then went on to describe the approach his company is taking by offering a “Virtual Mobile Infrastructure” (VMI, similar to VDI) that can address the Certificate Pinning issue – and many other mobile security issues – by providing a secure gateway that can intercept the application calls and network traffic. An eye opener and good map for further readings on my part…
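To make the pinning trade-off from that talk concrete, here is an added example (my own illustration, not code from the talk or from SierraWare) of what an application-side pin check boils down to: hash the DER-encoded SubjectPublicKeyInfo of each certificate in the presented chain and accept the connection only if one of them matches a pin the app shipped with. The SPKI byte strings below are constructed stand-ins, not real keys; a real client would pull them from the peer certificate (e.g. `ssl.SSLSocket.getpeercert(binary_form=True)`) with an ASN.1 parser. The scenarios show both effects the speaker described: a pinned app rejects a certificate minted by an inspection proxy even when the OS trusts it, and a leaf-only pin with no backup pin locks the app out after a routine key rotation.

```python
import base64
import hashlib
from typing import Dict, List, Set

# Pin format as used by HPKP (RFC 7469) and common mobile pinning libraries:
# "sha256/" + base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
def spki_pin(spki_der: bytes) -> str:
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spki_der: List[bytes], pins: Set[str]) -> bool:
    """True if ANY certificate in the presented chain matches a configured pin.

    Matching at any depth is what lets an operator pin an intermediate CA
    instead of the leaf, so normal leaf rotation does not brick the app.
    """
    return any(spki_pin(spki) in pins for spki in chain_spki_der)


# Constructed stand-ins for DER SPKI blobs (hypothetical, not real key material).
LEAF_V1 = b"constructed-spki:leaf-key-2015"
LEAF_V2 = b"constructed-spki:leaf-key-2016"      # leaf key after a routine rotation
INTERMEDIATE = b"constructed-spki:intermediate-ca"
ROOT = b"constructed-spki:root-ca"
PROXY_LEAF = b"constructed-spki:inspection-proxy-key"  # cert minted on the fly by a TLS inspection box
PROXY_CA = b"constructed-spki:inspection-proxy-ca"     # installed in the OS trust store, not in the app

# Chains as a client sees them, leaf first.
LEGIT_CHAIN_V1 = [LEAF_V1, INTERMEDIATE, ROOT]
LEGIT_CHAIN_V2 = [LEAF_V2, INTERMEDIATE, ROOT]
PROXY_CHAIN = [PROXY_LEAF, PROXY_CA]


def leaf_only_pins() -> Set[str]:
    return {spki_pin(LEAF_V1)}


def leaf_with_backup_pins() -> Set[str]:
    # Shipping the next key's pin ahead of time is the standard way to survive rotation.
    return {spki_pin(LEAF_V1), spki_pin(LEAF_V2)}


def intermediate_pins() -> Set[str]:
    return {spki_pin(INTERMEDIATE)}


def scenario_results() -> Dict[str, bool]:
    """Each value is the outcome of chain_matches_pins for one scenario."""
    return {
        # The privacy win: a proxy-issued cert fails the pin even though the OS trusts it.
        "leaf_pin_rejects_inspection_proxy": chain_matches_pins(PROXY_CHAIN, leaf_only_pins()),
        # The operational hazard: rotate the leaf key without a backup pin and the app stops working.
        "leaf_pin_survives_rotation": chain_matches_pins(LEGIT_CHAIN_V2, leaf_only_pins()),
        "backup_pin_survives_rotation": chain_matches_pins(LEGIT_CHAIN_V2, leaf_with_backup_pins()),
        "intermediate_pin_survives_rotation": chain_matches_pins(LEGIT_CHAIN_V2, intermediate_pins()),
        "intermediate_pin_rejects_inspection_proxy": chain_matches_pins(PROXY_CHAIN, intermediate_pins()),
    }


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```

The second and third scenarios are the reason pinning guidance always insists on a backup pin (or pinning an issuing CA): the same mechanism that blocks an interception proxy also blocks your own server the day after a key rotation you forgot to plan for.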
- Next session I attended was a look into practical countersurveillance tips by Lisa Lorenzin (@llorenzin) – title of the talk was a bit edgy (go look it up…) and the content (and delivery) was solid: a call to action for individuals to evaluate how comfortable they are with surveillance and what they want to do about it. This can go from simple changes to behaviour (use HTTPS, use different search engines, …) all the way to moving services away from the Googles of the world and into your own servers. As she mentioned during the talk, this is not to protect against targeted surveillance, but more as a statement against the bulk collection done nowadays. Lots of references to Snowden and politics, the good work done by the EFF and others.
- Last session before lunch had a last minute change: Russell Thomas (@MrMeritology) couldn’t make it and Allan Friedman (@allanfriedman) stepped in with minimal advance notice. He did a great job describing the broad strokes of Economics of Information Security (a topic near and dear to me) and described the work he’s involved in: helping the government stimulate voluntary cooperation between multiple stakeholders in issues related to cybersecurity. He touched on what the main topics of interest are – network & infrastructure security, web security & consumer trust, and processes & markets – and called upon us to comment on who are the key partners that should take part in this conversation. Public policy is usually a dry subject, but he did a great job explaining what he’s up to.
- The afternoon sessions started with Josh Pyorre (@joshpyorre) describing his approach to adding Intrusion Detection to cloud-based systems, with detailed demos on how his IDS – based on Apache and Snort – can be placed in-line to protect traffic bound to cloud-based Web servers. I really liked the detailed technical content on the session, though I think the approach needs to be expanded when dealing with larger sites that take advantage of cloud-based scaling (think AWS’s Elastic Load Balancer). Still, a good session from a solid presenter.
- I then attended Lucas Zaichkowsky’s (@LucasErratus) session on the state of password security – hint: very poor! – and a simple explanation around the basic crypto concepts involved – things like salt, extra rounds, etc. He then described his experience running password cracking on a sample of known passwords out there. With minimal hardware – less than $1000 worth – and a good strategy for directing the computing efforts, he was able to recover a significant number of passwords. He wrapped up with recommendations, particularly a focus on defensive planning, including broader adoption of two-factor authentication and use of password management solutions. Really nice presentation.
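Since the talk leaned on salt and extra rounds as the basic concepts, here is an added example of both in working code (my own illustration, not the speaker’s material), using only the Python standard library. `hash_password` stores the iteration count and a random per-user salt alongside the PBKDF2-HMAC-SHA256 output, `verify_password` reads those parameters back and compares in constant time, and `needs_rehash` is the hook for raising the round count over time as cracking hardware gets cheaper. `unsalted_digest` is included only to show the defect the salt fixes: without it, every user who picked the same password stores the same digest, so one cracked entry cracks them all. The iteration counts and the storage format are my choices for the example, not a standard.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000  # example value chosen here; tune to your hardware budget


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was made with fewer rounds than current policy requires.

    Call this after a successful login and re-store the password with
    hash_password() so old records catch up as users sign in.
    """
    _algo, iterations, _salt, _digest = stored.split("$")
    return int(iterations) < min_iterations


def unsalted_digest(password: str) -> str:
    """The anti-pattern: a bare fast hash with no salt and a single round."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def same_password_collides(password: str, salted: bool) -> bool:
    """Do two users with the same password end up with identical stored values?"""
    if salted:
        return hash_password(password) == hash_password(password)
    return unsalted_digest(password) == unsalted_digest(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    legacy = hash_password("hunter2", iterations=10_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
    print("unsalted collision:", same_password_collides("hunter2", salted=False))
    print("salted collision:", same_password_collides("hunter2", salted=True))
```

The extra rounds are what turn the speaker’s sub-$1000 rig from a threat into a cost problem for the attacker: each guess costs the defender one PBKDF2 computation at login, but costs the attacker the same amount per guess, multiplied across every password they try. The salt is what stops that work from being shared across users or precomputed.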
- In “Analyze This!”, Aaron Shelmire (@AShelmire) covered some ideas behind the basics of Data Science as it relates to security, and then delved into examples of ‘features’ that are present in malware that can lead to identifying it among the vastness of network traffic. It was extremely entertaining and informative to review packet captures of malware samples such as Zeus, Upatre and Pirpi, among others, and identify key ‘tells’ that these strains have. He also discussed similar analysis of endpoint analytics (registry keys, services, etc.) and wrapped up with examples on user analysis: how differences in behaviour between users and attackers are apparent when looking at RDP sessions and logon activity. Extremely interesting!
- Finally, Robert Lucero (@jediguybob) wrapped up the day with a nice discussion on the use of internal certificates for protecting microservices architectures. He showed some nice demos illustrating the concepts and delivered it flawlessly. If nothing else, his talk was a great reminder that implementing certificates without proper care and planning can lead to nasty consequences, as even giants such as Microsoft, Google and Amazon have seen.
In addition to the sessions, I was able to catch up with former colleagues, meet new people and catch up with some folks I’d only known on-line. And there’s more tomorrow, as we dive into Statistics, Malware, and other topics.
Many thanks to all the organizers, speakers, volunteers, and sponsors. Great conference so far!