21 April 2011

I am pleased to present that BSidesLondon was I great success. Awesome technical talks, awesome people, very good conversations there, and most importantly, it was very well organized! I really appreciated it that there was no alcohol allowed, Club-Mate as the "Hacker-drink" was available.

It started by explaining where BSides came from originally (here). As Lenny Zeltser mentions on his blog it is ok to

  • Join a conversation in progress
  • You need to let them into the conversation
  • Introduce yourself
  • Move from group to group
  • Have a business card or even better, a "calling-card" available with your contact details
  • Wear an name-tag

and this went really well.

The first talk after the introduction I attended was "DNS Tunneling: It's all in the name!" from Arron "finux" Finnon. DNS is usually allowed in corporate or "commercial" environments and it showed some nice ways how to tunnel through DNS ("TXT" records) back out to the internet. He pointed out that some crazy fella even transferred shellcode this way. SysAdmins: Are you watching your DNS traffic?

Chris Rook about pownerizing

It went on then with "Jedi Mind tricks For Building Application Security Programmes" by David Rook & Chris Wysopal. We as security aware people, we must not come down with "you must not / do not" explaining to developers what security is. Most importantly we need to explain properly what this all is about. David pointed out that "SQL injection", "jacking" or "pwnerizing" (see the picture) could be easily mistunderstood by developers, which is true I would say and was quite amusing.

The next one was "Practical Crypto Attacks Against Web Applications" by Justin Clarke. This was about how EBC and CBC works and practical attacks against those. Unfortunately I missed some of his talk, I need to get the slides from somewhere.

Xavier Mertens had his talk about "All your logs are belong to you!". You can find the slides here. All systems are logging something and most importantly, they are your logs. Dont shy to ask your cloud provider to get logs about the services you are using. I can only agree with him that OSSEC is a great and wonderful open-source tool to analyze your logs automatically. The OSSEC Dashboard looks like a brilliant solution and I have to give that a try!

After the lunch break, Steve Lord was explaining in his talk "Breaking, Entering and Pentesting" the career path of a pentester. Starting as a "Nessus Monkey", going through various stages and finally ending up as a professional pentester (aka "Jedi Master") - and not in management. Brilliant talk. Steve was also at DC4420 btw.

Wicked Clown had then his talk about "Breaking out of restricted RDP". It was good to see that you dont need "restricted" literally and how easy it easy to break out of it. Have a look at his websites for the slides, videos and more information.

David Rook presented then his second talk about "Agnitio: its static analysis, but not as we know it". Slides are here. If you are into source review then this is something for you, you can find it here.

Manuel Leithner was then presenting "Your money, your media - a DRMtastic Android reverse (re)engineering tutorial". It points out once again DRM is just "scary" and can be circumvented if you want to.

And the final one was Security YMCA by Chris John Riley, The Suggmeister, Arron "finux" Finnon and Frank Breedijk presenting the developer survey about security in a little bit different way, wan you can see here. It seems that most developers are not security aware - and we must communicate A.S.A.P:

*Young man, I was once in your shoes. *
*I said, I was down and out with the blues.*
*I felt no man cared 'bout se-cu-ri-ty*
*There's just too much in-du-vi-du-a-li-ty*
*That's when someone came up to me,*
*And said, young man, take a walk in the street.*
*I really, want to know what you say*
*If only I could only un-der-stand you*
***You must communicate A.S.A.P***

Finally, I want to say thank you to Matt Summers (@dive_monkey) for organizing this event. As I mentioned in the intro, perfectly organized, there was nothing missing. Looking forward to the next one.

PPS: Thanks Tomasz!

Living IPv6 from the back




blog comments powered by Disqus