PHDays
I spent the last week in Moscow speaking at PHDays, which was organized by Positive Technologies.
Let me just start this review off by saying I don’t think I have ever been to a conference with as good a lineup, organization, or venue as PHDays had.
The venue was Digital October in Moscow and I don’t think there is anything comparable to it in America. They had huge monitors (40 feet x 15 feet), great technical staff, instant translation, HD online streaming and awesome speaker support.

It has to easily be one of the 5 best security conferences in the world based solely on the talks that were done in English. It had the developers of sqlmap, w3af and Mimikatz all speaking about their projects. It had Travis Goodspeed and Sylvain Munaut talking about physical hardware manipulation. Those were just the English talks; the Russian talks were just as good.
The CTF was also pretty awesome to watch. They had a dumpster diving challenge where the teams had to try to find an MD5 hash. I hadn’t seen that before in a CTF and thought it was genius.

They also gave away two A.R. Drones during the CTF to any team that could hack them. There was also an ATM hacking contest that I missed but would have loved to see.
When you see the CFP for PHDays 2013 open up, you really should submit. You will be treated great and given an opportunity to meet a whole group of people who are really passionate about computer security. I made a great many new friends from Russia, The independent nation of Appalachia and Europe over the last week and will never forget this trip.

Trolled in Russia
A hilarious group of guys from a CTF team decided to stop by my PHDays talk and have a little fun.
I have to say that this was one of the funniest things I have seen in a long time. After the talk I met up with the guys and I now have a signed Anonymous mask for my office.

5 things I learned in Moscow on day 3.
1. If you have ever heard a rapper talk about a car in a rap song, I have seen it, and possibly almost been hit by it, in the last three days.
2. There used to be a pool where this church stands.

3. In old Russian video games Americans are the bad guys.

4. Moscow has the best sherbet I have ever eaten.

5. They have rooms full of beanbags.

5 things I learned in Moscow on day 2.
1. There is a McDonald’s no more than 100 feet from the Kremlin. Why can’t we be this efficient in America?

2. Rollerblading is still a thing here, a very big thing.
3. They are just as excited about Madagascar 3 as I am.

4. Throwing a coin over your shoulder at Kilometre Zero is good luck…

for these ladies who stand around and pick up all the coins people throw on the ground…
5. The Tsar likes big bells and can not lie.

5 things I learned in Moscow on day 1.
1. Just because you don’t speak Russian and your driver doesn’t speak English doesn’t mean you both can’t belt out “Walking in Memphis” when it comes on the radio in the middle of a traffic jam. I think we bonded.
2. Cheeseburgers in Moscow come with an egg on top (Why was I eating a cheeseburger? Because they were out of salads and it was the next thing on the menu I pointed at).
3. If it fits, it’s a parking space.



4. If your $70K SUV doesn’t stand out enough, you can always have it covered in snakeskin.

5. Moscow has 13th Floors and -1 Floors.

We parody and poke holes in what they do.
So basically the Center for Strategic Counterterrorism Communications spends most of their day trolling Islamic web forums. Sounds like a pretty decent use of taxpayers’ money.
Last day of session 2012.
Be so good they can’t ignore you.
When being interviewed on TV, make sure passwords are not written on the wall behind you.
SMS Charge Scam
There has been some talk in my office about a fraudulent SMS charge scam on people’s AT&T bills over the last couple of months. There were 3 people in my office who got hit with this scam. I finally got around to examining our bill closer and found out that my wife’s phone had been hit by the same scam (For two months! Yes, shame on me for not looking closer at my bill and noticing this.).
The text message that came to my wife’s phone said this:
IQ Power: Welcome to Trivia Alerts! 3xmsgs/wk Monthly charge billed @ 9.99/mo. Reply HELP or call 8888906150 for help, STOP to cancel Msg&Data Rates May Apply
She ignored it. Who wouldn’t? I have told a million people to ignore scam messages like this. Apparently with SMS text messaging, though, if you send unsolicited text messages to people saying that you are going to charge them $10 a month and they don’t respond, you are allowed to do it?
This is what the charges on my bill looked like:


I had to contact AT&T (super fun), who said they would refund the charges to my account and apply a purchase blocker to my account to prevent this in the future. That is a start, but it shouldn’t be allowed in the first place.
Yes, I will be looking at my bills closer in the future.
What is Twitter good for?
People always ask me “What is twitter good for?”
Here is a good example. Bank of America has a foreclosure on my block that they weren’t taking care of (mowing the grass and doing basic maintenance). After spending a couple of hours mowing my grass in the 90 degree weather I was tired of looking down the block to see this:

So I got mad and tweeted @BofAhelp this last night:
Hey @bofa_help this foreclosed house on my block has foot tall grass. Help? http://yfrog.com/oc4n7duj http://yfrog.com/gym6kbwlj
They replied to me this morning and sent me a DM asking for the address of the house and a contact number. They then called me a few hours later telling me they were working on the problem and would keep me updated if they found out anything.
When I came home the house looked like this:

So that is what Twitter is good for! :)
Confidence comes not from always being right but from not being afraid of being wrong.
XPS 13
I have been doing a lot of traveling and speaking over the last year, and my old (but trusty) Latitude D630 was starting to show its age (as in it won’t cold boot unless I remove the battery) and I was running out of room on the lid for conference stickers, so I jumped at the chance when Dell offered to give me a new XPS13 Ultrabook.
This is my first ultrabook but just the difference in size is going to make me love the thing. It is a little less than 3 pounds compared to the 6+ pounds of my D630.

The laptop itself is really well put together. I love the chiclet-style keyboard and built-in webcam, and the screen is just amazingly bright and clear. I was watching an episode of the Simpsons on it the other day and it looked a lot better than my TV.
There are two things I am not in love with on this laptop. The track pad seems to lock up when I am using it and it takes a few seconds for it to respond. Update: This is fixed by disabling the Palm Rejection. The other thing I am not crazy about is the DisplayPort. I understand they did it to save room, but I will be that guy asking to borrow your DisplayPort to VGA converter at every conference. I lose those things faster than a second grader loses his baby teeth.
Overall the XPS13 seems to be pretty awesome. It will be very interesting to see how the battery and the case holds up once conference season starts for me in May.
Isn’t this mostly common sense stuff?
I gave a talk at William Woods University on Friday about protecting yourself on social media sites. After I got done with my talk, I was chatting with a group of students who came up to ask some follow-up questions they didn’t want to ask in front of the group, when one of the kids (I am getting old if I can call a college-aged man a kid) came up and said:
Great talk but isn’t this mostly common sense stuff? Do people really not know this?
OUCH.
I am pretty sure he just asked me why he wasted an hour listening to me tell people to not post images of their junk on twitter when he could have been out playing Frisbee on the quad.
I told him most people should know it, but a lot of smart people don’t, so a refresher isn’t always a bad idea, and I then wanted to yell something about staying off my lawn at him.
Then tonight my buddy @jack_daniel went on a Twitter rampage about how security people can barely hide their contempt for the “stupid people” they work with.
It got me thinking about the self-image that I and many security people have.
We want to see ourselves as the Navy SEALs of our IT shop. We do what no one else can do! We do it better, faster and sexier.

When in reality we are Paul Blart, trying to tell our users nicely to not click links, to have good passwords and to not give the company’s bank account information to a Nigerian Prince, often with little real recourse that we can take ourselves without calling someone else.

So maybe if we actually started acting like Paul Blart and not the Navy SEALs, our end users would respect us and we could do what we are actually paid to do: keep things in order and, when something bad goes down, call in the people with the real power.
A Security Awareness Program vs. A New Firewall
I had the opportunity to talk to a large group of network administrators and computer professionals from colleges, libraries and K-12 schools in Missouri at the Morenet Connections and HELIX conference this past week about the importance of a security awareness program to their overall network security.
Far too often we get caught up trying to solve, with a complicated and expensive hardware solution, network security problems that could easily be addressed with a “lunch and learn”.
When was the last time you sat down with a pizza and explained to your end users:
- Why good passwords matter?
- Why they should use different passwords on all sites?
- How to protect their bank account?
- Why they should use 2FA on their accounts?
It will cost you $20 and likely do more than a $30,000 firewall could do.


