Here’s a whole mess of notes I made as part of my week at AusCERT 2016. It’s my first conference, and I didn’t know what to expect, but it was an overall good experience. Tuesday I couldn’t get into any of the tutorials, so I ended up working. Sigh :(
I got into the Monday tutorial “Cyber Incident Handling” run by AusCERT’s General Manager, Thomas King. A day-long summary of the NIST guide and the ASD ISM along with some discussion about incidents. More high-level and aimed at managers than I was expecting, but worth going to.
Chris Soghoian, ACLU
- reminded us that encryption’s required for everything we do.
- the intelligence community says they’re going for bad guys, but that also means us, because we’re in the way.
- overall, an amazing speaker and I can’t wait to look up more of what he’s up to.
Nick Savvides, Symantec
- saving ourselves from the top 1% really requires us to focus on the rest of the 99% of the stuff we should be doing.
- CSO - LootCrate “Summon” from September 2015 - review here
- AusCERT polo shirt and calico bag
- ZScaler soft hammers
- LEGO Minifigure, Kendo Fighter from Series 15! :)
Tech #1 John Bambenek - malware
- He runs Fidelis Security
- MISP / www.misp-project.org
- Spoke about Kev, great project pulling apart malware.
- also malwareconfig.com
- Gave great advice to remember to mine your:
  - spam folders and blocked things
  - proxy logs
  - anything else you’ve got that can provide data, don’t ignore the blocks
Tech #2 Justin Clacherty - Building Automation
- KNX building automation standard
- not encrypted
- fairly easy to hack
This stuff is going to get more and more problematic unless vendors really engage with security, I’m surprised there aren’t more problems.
Tech #2 Hinne Hettema - Welcome to the after-hack part: Detecting and mitigating the pivot
- talking about tools turning into weapons, defending the fortress etc.
- I’d love to see his full course on tactics, techniques, procedures
- Packetbeat - profile data on the fly - I’m definitely going to check this one out.
Tech #3 Mark Carey-Smith - Maximising Efficiency in Security Operations
Mr Carey-Smith’s talk had a point, but I think it missed it. Collaborating with customers, automating repeated tasks and fostering communication are important points. The talk got waylaid by a needless, too-technical but not-technical-enough introduction into BIND RPZ which was only tangentially related to some really cool things they’re doing with finding Fast Flux/Dynamically Generated Domains.
Death by PowerPoint was a terrible risk - everything that was said was written on the slides - when will people learn?
Darren Kitchen - The Curse of Convenience: How Plug and Play became Plug and Pwned
- “Over 9000” dropped twice, cute. :)
- talked about:
  - the original pineapple
  - the rubber ducky
  - the turtle
- Great speaker, very good at what he does.
Aamir Lakhani - Spies, Geeks, and Tracking: using Threat Intelligence to hunt for data
- He bought old drives, phones, etc., mined them and found gold.
- Remember to check out your devices’ location data - frequent locations are amazing
- Facebook - put in the phone number, get name/profile - never get notified
- Photobucket recent uploads - the mobile app automatically uploads everything to a public feed by default, it’s amazing what you can find.
Zoltan Balazs - Sandbox Detection: Leak, Abuse, Test
Good overview of how bad actors can detect that they’re in a sandbox. It’s the things you don’t think about until you have to which matter :)
Bradley Schatz - Speeding up Forensics
Bradley’s done a lot of great work, and he gave a good talk on the history of forensic imaging techniques. Smelt heavily of an ad by the end, however.
- Hoodies + green text + bad music = hackers
- Want to get ready for hacking in windows? Open cmd and type “color a”
- used in the cujo security-in-a-box ad
- You (we?) should learn to use sqlmap.py
- Motherboard: “another day, another hack: is your fisting site updating its forum software”
- El Reg wins the combined headline/stock photo competition.
Zoltan Balazs the Hungarian - Hacking highly secured enterprise environments
- I won a Rubik’s cube!
- “they think the barrels are full of fish, but they’re actually full of hobbits”
- He does his demos in pre-recorded video, not live - I think this is a much better idea for most presenters - though there are some notable exceptions who are amazing! :)
Wayne and Sun Huang from Proofpoint - Russian actors
- Ten minutes of showing us uninteresting PHP scripts rather than talking about the details of the hack. It sounded amazing, but I had to leave.
By the end of the conference I was quite drained; a week of trying to concentrate while sitting in terrible hotel chairs and sleeping in a bed best described as horrible took a toll. I definitely learned a lot, and had some good chats with vendors about their upcoming products. I’m sure I’ll be fending off salespeople for months, but I can see some good things on the horizon. :)