Posts Tagged ‘sector’

SecTOR!

October 10th, 2009 No comments

I guess it's time for that post SecTOR write-up. Time to share every little thing I can remember... which, luckily for you, isn't much. I'm going to divide this up in sections to make it easier to organize my thoughts (or for you to skip parts).

Canadian Information Security Awards

Kudos to the organizers for attempting this, but it was a bust. I don't think it should be abandoned though. I just think we need improvements for next year. So few products are limited to one country for contribution that I wonder if a lot of people didn't vote because they didn't know what counted. I'd like to suggest new categories for next year:

  • Best Canadian Security Blog
  • Most Innovative Canadian Security Research
  • Canadian Information Security Professional of the Year

Those are things I'd be interested in voting on and I think the prize of a netbook is much better suited as an individual award.

Speakers

Once again SecTOR had top notch speakers, some returning and some new. I have to admit though, that I didn't see nearly as many talks as I wanted to... I spent too much time chatting with people in the vendor area, keynote hall and hallways. I took in three talks the first day and that was the extent of it. I saw Raf's Web 2.0 talk... I love the look on people's faces when he mentions Native Client. I also took in RSnake and Hoff's sessions. I had intended to see two or three more sessions but other commitments kept me away from those. From what I heard, everyone enjoyed what they saw... and the complaints were few and far between, if they existed at all.

I definitely enjoyed being able to meet up and chat with a few of the speakers, at the speakers dinner and sitting around the bar afterward. I was able to share some stories and hear some at the same time. While Toronto has a strong security community, it's nice to expand the contact list and network until you can't even hold your beer, and even then you can simply pass over the business card as you fumble with your pint.

Reception & Speakers Dinner

While I preferred the reception in previous years with the open bar in the keynote hall, I was fairly impressed with the reception at Joe Badali's. The food was good and the drinks were free. We filled tables and chatted and had a great time.

Even though I'm in Toronto, I had never been to Joe Badali's before so I wasn't sure what to expect from dinner. I was surprised by how good the food was. I opted for the vegetarian option (pasta) and it was incredible. I will say that the last thing I expected to see at the speakers dinner was a lap dance... but at least it was good for a laugh (video I recorded coming later).

Vendors

Vendors are great because their money helps keep your ticket price down. I had the opportunity to chat with a number of vendors this year and while the talks were interesting... everyone's always interested in the swag, so let's give a run down of that.

In the 'best geek swag' category, eSentire had password keeper Post Its at their booth, unfortunately I didn't stop by and get any... they were pretty cool looking though but beyond the humor not overly useful.

In the 'best overall' category, I want to give it to nCircle, but people might call me biased. We had the only t-shirt giveaway and the slogan was my idea... so I need to vote for it :) We also had caffeinated chocolates that were mighty tasty.

Beyond that, most of my swag didn't even make it home... I've got a ForeScout stress cube that survived and I gave away my Tripwire flashlight because someone asked for it (always a nice offering, although when I first saw it I was hopeful for a laser pointer). I took a couple of pens, which weren't bad but unfortunately there were limited offerings of notepads and papers, one of my favourite conference takeaways... I did manage to snag some Post Its from Rapid7 but that was about it.

In the, 'I thought it would be cool but it wasn't' category is the travel alarm clock from Sentry Metrics. They had mentioned to me that the clocks were a rush order, so they can't be held responsible but the company that was peddling the clocks originally definitely had a horrid product. I actually have pictures from a table at Lonestar with the clock spread out in pieces. The hinge came out of the box broken, the open button worked once and the instructions reminded me that "PM is displayed in the afternoon". It was good for a laugh over beer and that was about it.

Socializing

The best part of SecTOR was the social scene... just like it usually is. Whether it was chatting at the con, or afterward at the bar, it was a great time. I got to put faces to names that I've chatted with and never met but also gather with people that I don't get to see often enough. We had some great conversations, some ideas for interesting concepts/research to put together and a whole lot of fun.

I'm already counting the days until SecTOR 2010, it'll be a great time!

Categories: Conferences

SecTor Tomorrow

October 5th, 2009 No comments

Tomorrow is SecTor and I'm rather excited. There are so many talks I want to take in that I, unfortunately, can't see them all. On top of that the speakers dinner and meet-up at the Loose Moose should be awesome.

nCircle will have a booth this year and will be giving away T-Shirts and chocolate. So stop by and say hey to everyone there. I'll be floating around but I still haven't finalized my schedule (too many good talks, too many people to see, the conference needs a third day to fit everything in).

Anyways, ping me on twitter (@treguly) if you're floating around and want to meet up to chat or grab a drink. If I'm not around, it means I'm rushing to finalize my slides for the SSLFail.com panel.

Categories: Conferences

SecTor – Day 2

October 9th, 2008 No comments

I'll start off by saying the second day of SecTor was amazing compared to the first day. We started off with Stepto giving the opening keynote. While it wasn't anything groundbreaking, it was exactly as advertised and well presented. I fully enjoyed hearing him walk through how he got into security, his time with MSRC and how things he'd learned working in security applied to other aspects of his life... it was great.

Following the keynote, I was torn between Pwning the Proxy and Lock picking. In the end personal interest won out and I attended the lock picking session. There was quite a bit of interesting information shared and I managed to take a couple pages of notes. One of the coolest things was the how-to on making a combination lock shim using a piece of aluminum from a pop/beer can.

Following the lock picking session was lunch. The meal was much better than the day before. One thing that I didn't get was why so many tables were reserved and there was staff keeping people from sitting at them. The same thing existed on day 1 and the tables were never used, so why were they there on day 2?

Lunch was also great because Johnny Long was the lunch keynote. If you've never seen Johnny speak... make every attempt you can to see him somewhere. He spoke with regards to his No Tech Hacking book (proceeds of which go to charity) and the presentation was quite amusing and a lot of fun to watch. He gave examples of information gathered by shoulder surfing, dumpster diving, etc. It essentially centered around the non-technical side of reconnaissance or pen-testing. The entire crowd spent the time laughing and fully enjoying themselves (or at least that's how it seemed).

After lunch I checked in on Hoff's virtualization talk. It actually had some interesting information and I was really glad that I'd attended it. I was unaware that there was a Cisco vSwitch for ESX but I really like the concept. It'll enable some very interesting things to happen.

I had planned on attending the talk on identifying crypto in code for the last session of the day, but an old coworker showed up and we spent the session catching up in the keynote room. Following that there was some brief conversation and the wrap-up (which included the awarding of prizes). I did note that a couple of the prizes weren't given away (Checkpoint wireless router/firewall for instance), so hopefully that wasn't just a scam to get business cards.

Then a small group of us (9 people I believe, both speakers and attendees) went out for all you can eat sushi, and a few drinks. I really enjoyed myself day 2 and really enjoyed the con as a whole, there were just some really bad experiences on the first day.

I'm definitely looking forward to SecTor 2009!

SecTor – Day 1

October 8th, 2008 No comments

I debated what to write here, and if I would present the positive or negative points but I figured the only fair way was to describe both, so without further ado, I present SecTor Day 1 - The Good, The Bad and the Ugly.

I figured I'd describe my day from start to finish, instead of breaking it up by what I did or didn't enjoy. The day started off with breakfast at Cora's, a group of us met there only because this year's SecTor schedule made no mention of a breakfast similar to the one provided last year. Of course, when we showed up, it turned out there was a provided breakfast... at least we know for tomorrow.

The initial keynote was done by the RCMP and I don't even know what to say. Last year's RCMP presentation was depressing (many people that I spoke to today said it was the worst part of last year), and there was a debate over which RCMP keynote was actually worse. This year's was made worse by the fact that it was first thing in the morning. It was presented with little enthusiasm and I'll say it... it sucked.

When the RCMP speaks, you'd expect to learn something interesting, in fact a number of attendees mentioned that to me today. Yet nothing interesting was learned. I was eager for this talk (as I was eager for the keynote last year), I figured they had learned from last year and that this year the RCMP would do better. I took about a page of notes, but got nothing of interest. The names of a few councils (ITAC Cyber Security Forum and CBOC's Council on Security & Tech) and learned that there was a Cyber Security Conference in Gatineau on Nov. 5 & 6. That could have been a single slide, or better yet a hand-out. The rest was useless, this was evident by the people falling asleep and the notes left on Twitter.

I was also rather offended by a closing remark that David Black made regarding them looking for trained University graduates. I attempted to open my notebook and write down his email address to contact him but unfortunately the slide was removed from the screen. If anyone wants to pass this along to him, it would be appreciated. [Begin Side Rant] I'm getting really tired of this biased hiring practice in many places that requires a University degree, it's a useless, archaic requirement (much like the requirement for various certifications [which we see more and more people dropping from job postings]). Many of the really bright IT/IS people that I know have no formal education or a college education... it's a shame to see so many places discriminate... especially places like the government. I'd think that workplace equality would include method of education, and place the importance on actual skills and knowledge. [End Side Rant]

Needless to say... KeyNote #1 was a fail.

Up next was the first session. None of the sessions interested me, so I decided to check out the lock picking village. I was in the hall by the vendor displays, so I visited each display on my way over, and failed to make it to the lock picking village before the first session was over. I did have some great conversations with the vendors that were present though. A big thank you to all of them for the sponsorship that they provide.

While there was nothing that caught my interest, I know people that attended both 'Double Trouble: SQL Rootkits and Encryption' and 'Network Security Stripped: From layered technologies to the bare essentials'. I can say that I didn't hear negative reviews about either presentation. In fact most people liked what they saw, and those that didn't like it were fairly neutral in their comments.

Lunch and a Panel Discussion were up next. The lunch was Monday's left overs... my chicken fell off the plate and bounced; there was Twitter discussion around having a chicken bouncing competition. Yet that was almost the highlight of the lunch. The real saving grace on the panel was Hoff. I understand why everyone was up there; a number of them were sponsors and probably wanted to say their piece, but still... We basically had 8-minute, extremely dry lightning talks. A panel usually involves some sort of discussion or interaction; this was basically everyone bragging about themselves, and it drew quite a bit of Twitter traffic.

Following lunch, we had what I would call the worst organizational decision made by the organizers. They did fairly well this year... there is some good content (you just have to dig to find it -- My favourite part of today was hearing (a couple of times), 'the talk that you submitted would have been much better than this'), the swag was cool, a lot of people had positive comments about the notebooks and the bags and there's an increased social aspect. The mistake however, was a really bad one... it was the mistake of placing the bulk of the good speakers in competing time slots. This happened today by having HD Moore, Jay Beale and Raven in the same time slot. Those are three talks I would have gladly gone to see, and I had to pick one. From what I hear this happens tomorrow as well. I'm really looking forward to Hoff's talk, however I've been told that James Arlen is quite the impressive presenter as well.

In the end I decided to go with Jay Beale's discussion of the concepts behind his new tool, 'The Middler'. It was everything that a tool presentation should be. The tool wasn't shown or mentioned... the concepts and techniques were discussed. Not only did the presentation have some interesting information (I filled three pages in my notebook) but Jay did an amazing job with his presentation. This presentation alone made up for the lackluster performances up to that point (although I was quite disappointed about the stacking of the time slot).

To briefly go back to the time slot, I believe the concept that was tried was to put the big speakers up against each other and then everyone else was grouped together, this was to ensure a somewhat even distribution of attendees and to avoid empty rooms. My feeling on this... if the person's presentation runs the risk of an empty room, regardless of what they are up against... don't accept the presentation. I'll stop ranting on this now... it's done and unfortunately it can't be fixed.

For the next time slot, I decided on attending Googless. I was excited... it seemed really relevant to some of the work that I do. I don't even want to talk about this presentation... the slide show background was disturbing, and Christian had no life to him, as well he asked for donations on like the third slide (also the first time I've seen a license on a presentation) and informed us that we would have to wait until December to obtain the slide deck. I guess Christian thought that this was the most popular presentation at SecTor... judging by how many of us walked out during the presentation, I really doubt that. It wasn't good.

I spent the last portion of that presentation speaking with colleagues before the rooms emptied out and the last series of sessions were to begin. I had originally intended to see the RFID presentation, however I managed to catch up with Jay Beale to further discuss the Middler as I was rather intrigued. So we were able to sit and discuss it for a short period of time. A few more people joined us and we moved to the keynote room for discussion and to await alcohol. This once again was an amazing opportunity to network with people, and proved to be more useful than attending the talks (or so I read (and heard)). I once again have to say kudos to the organizers for this... Anything that lets you get together with other people to basically 'talk shop' is a great thing and many opportunities were presented.

During the Microsoft sponsored reception our table grew and we had a lot of fun. Then speakers departed and the bar closed, and unfortunately I wasn't able to make it to the party, however the day still had a number of high points. I realize this may seem like I griped a lot, but given that this was year two, I had higher expectations than last year and I'm not sure those expectations were fully met... but as I said, I did enjoy quite a bit of it. Tomorrow is another day, and there are a number of time slots where I'm interested in more than one presenter, so we'll see how it goes.

SecTor – Training

October 8th, 2008 No comments

So I was lucky enough to be able to take part in SecTor training this week (as I previously mentioned). I spent all day Monday in HD Moore's Metasploit training.

Having been an avid Metasploit user for quite some time, I was hoping that the training would include some features that were unknown to me. I definitely wasn't disappointed.

The initial portion of the training was fairly straight forward and included writing a basic auxiliary module and a plugin. The basics of Metasploit use were also covered.

This occupied roughly half the day, at which point we had lunch... the food wasn't great but it also wasn't awful. Then we were right back into the training.

Over the course of the afternoon we covered meterpreter, NTLM (smb_relay, and some others), Wireless and IPv6. A number of new and interesting things were covered and I really enjoyed the afternoon.

Following the training, myself and a colleague who also attended the training met up with HD and a few other speakers and attendees to grab dinner. This was the sort of thing that I really enjoy about the cons, sitting around the table with a few beer talking shop. While I enjoy the talks, a lot of the time there's nothing overly new and it's when you're chilling and chatting that you really get a chance to discuss the interesting things.

At the end of the day, the training was definitely worth it. The only real shame (although a bonus for those of us attending) was that the training room was so empty... We had ~11 people. My worry is that SecTor won't be able to get decent trainers next year unless they can increase the attendance numbers.

Stay tuned for another post on SecTor - Day 1... (which will eventually be followed by SecTor - Day 2).

Categories: Reviews

SecTor Goodies

October 7th, 2008 No comments

So I spent today in training @ SecTor. I attended HD Moore's Metasploit training and rather enjoyed myself... I picked up a couple of things that I'd been previously unaware of. Since I was already onsite, I took advantage of the open registration booth and picked up my SecTor goodies.

Instead of the cooler bag (last year's very cool SecTor registration goodie), there's a rather nice tote with the SecTor logo on it. Inside the bag was the usual advertising literature, a nice Leed's notebook with a metal (I think) cover, with the SecTor logo, and a pen and BlackBerry screen cleaner.

The badges are quite nice... given that the program includes a picture of the DefCon badge, I imagine they were trying to go with something along those lines. Rather than the hard plastic, "corners will cut you when you attempt to touch it" badge of last year, the badge this year is rather cool. There's a USB cable enclosed on the back of the badge and when you connect it, you find that it's a 1GB storage device. Definitely a step up.

I took pictures to attach, but I'm getting an error, so I won't be uploading them tonight... I'll try again tomorrow.

Now given that it's 2AM and I'm meeting people for breakfast in 5.5 hours, I should probably grab some sleep... but on that note... The program this year doesn't mention a breakfast, so some of us are meeting at Cora's on Spadina (not far from the MTCC) at 7:30 if anyone happens to read this between now and then and wants to join us.

Categories: IT, Reviews, Security

SecTorAttendees.com

August 22nd, 2008 No comments

Just a quick little note to share with people. In my efforts to add to the social activities associated with SecTor and to foster discussion, I've created a new website, SecTorAttendees.com. On the page you'll find a forum and a mailing list. I would invite everyone who is attending SecTor to join both and share in the discussion. For those of you that aren't quite sure yet, sign up and you'll most likely find a reason (hopefully in time to beat the end of August price increase)... and for those of you that can't make it to SecTor this year, you're all welcome as well, you'll see what's happening so that you can make it next year.

Categories: IT, Security

Five Part Non-Technical Series

August 20th, 2008 No comments

Hey All,

I wanted to do a brief repost over here to direct everyone to the 5-part non-technical blog series that I did on cons (for the most part) and con experiences. This was my contribution to blogging following Blackhat / DEFCON.

  1. Being a Research Engineer at a Blackhat Booth
  2. Competitors Can Be Civil
  3. Why DEFCON Sucks
  4. Why the Social Aspect of Cons is Important
  5. What Can Be Done to Improve the Cons.

Enjoy!

Blackhat / DEFCON are over… Next is SecTor

August 16th, 2008 1 comment

Hey Everyone,

So Blackhat/Defcon is behind us... Instead of blogging about the talks, I've taken a different approach and I've been doing some non-technical blogging. In the end it will be a 5-part series, but the first three are already up.

They are:

  1. Being a Research Engineer at a Blackhat Booth
  2. Competitors Can Be Civil
  3. Why DEFCON Sucks

The last two will most likely appear early next week.

Also, now that Blackhat/DEFCON are over... What's next? As far as I know the next Con I'll be attending is SecTor. Last year was the first SecTor and I had the opportunity to attend. SecTor will actually make its way into my upcoming blog series (from above) on the VERT Blog. That being said, I wanted to remind people that it's coming up, after all... it's held in Toronto and I live in Toronto, so the more people that attend, the more people I get to meet.

For anyone who didn't get a chance to visit SecTor last year and is curious about the quality / style of the talks, I tried to write-up everything that I saw.

Of course, these are biased because they're all my opinion, but I do recommend the Con for anyone that can make it up this way. Let me know if you'll be coming up and we'll make arrangements to get together for a beer.

[SecTor Review] Modern Trends in Network Fingerprinting

November 23rd, 2007 No comments

SecTor Day #2
Speakers: Ryan Poppa and Jay Graver
Presentation (pdf)
Download Audio (with Slide Deck) (wmv)

This was the final talk that I attended prior to the wrap up. I already knew what to expect for the most part, since Ryan and Jay are colleagues at nCircle.

The hour long presentation started with 30 minutes of background presented by Jay. The discussion itself focused around network fingerprinting (detecting versions of operating systems and listening services over a network) and, more specifically, HTTP server fingerprinting. The background included a comparison of currently available tools and included nmap, amap and httprint. Jay looked at the results of these tools against modern servers... first while displaying their standard banners and then using obfuscated banners. When faced with obfuscated banners the tools didn't fare so well.

The second half of the presentation, presented by Ryan, included what was really the "meat" of the presentation... the discussion of a new tool, httpfp [link coming as soon as the tool is released], which uses a new approach to fingerprinting. Ryan pointed out numerous aspects of an HTTP server response that can be used to determine the type of software that the server is running, even if banner obfuscation is being used. Some of the included identification points were:

  • Case of the Content-Length header (Content-Length/Content-length/content-length)
  • The existence of Public or Allow headers
  • The order of the options presented in the Public/Allow header

The concept is definitely cool and I'm really looking forward to seeing what advancements and improvements will be made in the future. It was also a great way to round out the conference.
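To make the three identification points above concrete, here is an added example (not code from the talk or from httpfp) that extracts them from raw responses so you can see what a server still reveals once its banner is obfuscated. The sample responses are constructed for illustration and are not captures from any real server product; all function names are this example's own.

```python
# Added illustration: pull the banner-independent traits out of raw responses.
# SAMPLE_A/B/C are constructed inputs, not captures from real server software.
SAMPLE_A = (b"HTTP/1.1 200 OK\r\n"
            b"Server: webserver\r\n"
            b"Allow: GET,HEAD,POST,OPTIONS\r\n"
            b"Content-Length: 0\r\n\r\n")
SAMPLE_B = (b"HTTP/1.1 200 OK\r\n"
            b"Server: webserver\r\n"
            b"Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
            b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
            b"Content-length: 0\r\n\r\n")
SAMPLE_C = b"HTTP/1.1 204 No Content\r\nServer: webserver\r\n\r\n"

TRAIT_NAMES = ("content_length_case", "has_public", "has_allow",
               "public_order", "allow_order")


def parse_headers(raw):
    """Return (name, value) pairs exactly as sent: original case and order.

    Parsed by hand because most HTTP libraries normalise header names,
    which would erase the very detail being measured.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip():               # ignore malformed lines
            pairs.append((name.strip(), value.strip()))
    return pairs


def extract_traits(raw):
    """Collect the traits from the list above, plus the banner for reference."""
    traits = {"banner": None, "content_length_case": None,
              "has_public": False, "has_allow": False,
              "public_order": (), "allow_order": ()}
    for name, value in parse_headers(raw):
        lower = name.lower()
        if lower == "server":
            traits["banner"] = value
        elif lower == "content-length" and traits["content_length_case"] is None:
            traits["content_length_case"] = name       # spelling as sent
        elif lower in ("public", "allow"):
            traits["has_" + lower] = True
            # Keep the methods in the order the server listed them.
            traits[lower + "_order"] = tuple(
                m.strip() for m in value.split(",") if m.strip())
    return traits


def differing_traits(raw_a, raw_b):
    """Names of the banner-independent traits that tell two responses apart."""
    a, b = extract_traits(raw_a), extract_traits(raw_b)
    return sorted(t for t in TRAIT_NAMES if a[t] != b[t])


if __name__ == "__main__":
    for label, raw in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, extract_traits(raw))
    print("A vs B differ on:", differing_traits(SAMPLE_A, SAMPLE_B))
```

Both A and B carry the identical `Server: webserver` banner, yet four of the five traits differ, which is why rewriting the banner alone does not hide what is running.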

[Updated Links]