What I learned at SecTor!

So SecTor 2009 wrapped up the other day and again, like any conference I attend, a lot is learned.  The event was a success in my opinion, from the venue to the food to the keynotes and of course the sessions.  Even the vendor area had some exciting things happening.  So what did I learn?  I am going to break it down by the sessions I attended…

Opening Keynote: "The Frogs Who Desired A King: A Virtualization and Cloud Computing Security Fable Set To Interpretive Dance" - Christofer Hoff

Christofer Hoff has an amazing talent for breaking down complex subjects, simplifying them and driving home a message.  Walking away from this session it is clear that cloud security will offer a set of new and familiar challenges in the security space.  Christofer (aka @beaker on Twitter) broke down the differences between the *aaSes and where the responsibility for security differs in each.  Infrastructure as a Service, or IaaS (think Amazon EC2), is much like running any other server in that it is your responsibility to harden it.  From the point that the network traffic hits your server up through the application(s), you are solely responsible for the security of that server.  No surprise there.

It gets a little less clear with Platform as a Service, or PaaS (think Windows Azure), and Software as a Service, or SaaS (think Salesforce.com).  In these instances your responsibility comes in at a different level and there is a level of trust that you must have in the provider.  With PaaS services you are ultimately responsible for the security of the application and the data it is accessing; following SDL guidelines to ensure your application is secure is where your responsibility lies.  You have to trust the provider that the infrastructure is secured properly.  This trust becomes even more important with SaaS, where the vendor is also providing the software.

"Hacking the Privacy Legislation" - Tracy Ann Kosa

This was by far one of the most interesting sessions.  Tracy is a fantastic speaker and really knows her privacy legislation both in Canada and abroad.  While privacy laws can be pretty boring and mundane what became evident early on was that everyone’s expectations of privacy are different and those differences can be even more noticeable around the world.  More on expectations in a minute.

"DNSSEC deployment in Canada" - Paul Wouters, Norm Ritchie

There has been a lot of talk about DNSSEC in the last 18 months since Dan Kaminsky disclosed his DNS vulnerabilities.  DNSSEC deployment is underway worldwide, including Canada.  CIRA is currently undergoing testing of DNSSEC on certain .CA domain names.  DNSSEC might seem new, but in reality it is just DNS secured, and post install it works and acts the same as the DNS you know and love.  In fact the speakers went ahead and set up DNSSEC for the conference network's name resolution to prove that it was simple to set up and unnoticeable to those using it.

"Malware Freakshow" - Nicholas Percoco and Jibran Ilyas

I liked this session the best.  Nicholas and Jibran walked through 4 real life situations where they have gone in to investigate payment system fraud.  It was eye opening in the fact that 3 of the 4 cases discussed could have been prevented by either stronger passwords (aka not the default password) and/or limiting/securing remote access.  While there were other issues within each case, the issue that started it all was remote access, which led to systems being accessed.  I know a lot of organizations that have devices managed by an external vendor, and those vendors will open remote access so that they can troubleshoot and repair systems remotely.  Ask yourself and then ask the vendor: is the password secure, and does remote access need to be open 24/7 or can it be turned on when an issue arises?  You can read some of their stories here and here and grab their whitepapers here.

Lunch Keynote: "A day in the life of a hacker..." - Adam Laurie (Major Malfunction)

Adam Laurie is one of the originals, a DefCon goon, and someone not to trust any RFID equipped cards with :)  RFID is popping up everywhere, in passports, driver’s licenses, and it is pretty scary how insecure it is.  To prove it Adam read the RFID data from a passport, edited the security certificate and then replaced the photo with a photo of a well known terrorist, all within a few minutes.  If you think your RFID credit card, passport, etc… is secured, think again!

"SSLFail.com Panel Discussion" - Jay Graver, Tyler Reguly, Mike Zusman

This was the last session I attended and the panel shared some information that they researched on SSL and its failures.  From the ways browsers notify users of SSL, to tools that can be used to strip SSL while fooling users, to poor implementation of SSL by admins, there are some challenges here.  While there was no answer given it was eye opening to hear that SSL faces its own issues and that they will need to be addressed.  You can read some of their stats here.

“Wall of Shame” – SecTor Management & eSentire

The wall of shame was controversial to some, eye-opening to others and a DUH moment to others, but it did educate.  The wall of sheep/shame is common at security conferences: people who connect to the unsecured wifi will have traffic sniffed and any unsecured communications posted on the wall.  This usually entails a user name, blanked out password and the protocol and service they are using.  It is meant to embarrass and enlighten the individual.  SecTor provided both an unsecured open wifi network as well as a secured (AES-WPA2 PSK) wifi network but added a twist.  They spanned a port on the switch the access points fed into and sniffed the wire, gathering all the traffic from the secured wifi as well.

A lot of people got caught, including the organizer (BTW Tweetdeck uses SSL to login and post but profile lookups are not secured and each lookup contains your credentials), some press and someone checking his online dating profile :)

The controversy came from the idea that the secure wifi was secured and therefore shouldn’t be on the wall of shame.  The point missed by all was that while the traffic from the PC to the WAP was secured, in every wifi network the traffic eventually hits a wired network.  We do a lot to ensure that the wireless portions of the network are secured but how many people do the same thing on the wired side?
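To make the wired-side point concrete, here is an added example (not from the conference or its organizers) of the kind of audit check you could run over a capture from your own span port: it flags payloads that carry credentials in the clear and reports user, blanked password and protocol, the way a wall entry would.  The flow records, hostnames and accounts are constructed sample data.

```python
import base64

BLANK = "********"  # fixed width, so the entry does not reveal password length

# Constructed sample: payloads as seen on the wired side of the access point,
# where WPA2 no longer applies. Hosts, accounts and passwords are made up.
SAMPLE_FLOWS = [
    {"dst_port": 80, "payload": b"GET /lookup HTTP/1.1\r\nHost: api.example.test\r\n"
        b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"},
    {"dst_port": 110, "payload": b"USER bob\r\nPASS s3cret\r\n"},
    {"dst_port": 21, "payload": b"USER carol\r\nPASS ftp-pass\r\n"},
    {"dst_port": 443, "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},  # TLS: opaque
]

def find_cleartext_credentials(flow):
    """Return (protocol, user, blanked password), or None if nothing is exposed."""
    lines = flow["payload"].decode("latin-1").split("\r\n")
    user = password = None
    for line in lines:
        name, _, value = line.partition(":")
        value = value.strip()
        if name.strip().lower() == "authorization" and value.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(value[6:], validate=True).decode("utf-8", "replace")
            except ValueError:  # malformed base64: not a usable credential
                continue
            basic_user, sep, _secret = decoded.partition(":")
            if sep:
                return ("HTTP Basic", basic_user, BLANK)
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            password = arg
    if user is not None and password is not None:
        proto = {21: "FTP", 110: "POP3"}.get(flow["dst_port"], "USER/PASS")
        return (proto, user, BLANK)
    return None

def wall_entries(flows):
    """Entries for every flow that exposed credentials in the clear."""
    return [entry for entry in map(find_cleartext_credentials, flows) if entry]

if __name__ == "__main__":
    for proto, user, pw in wall_entries(SAMPLE_FLOWS):
        print(f"{proto:10} {user:8} {pw}")
```

The TLS flow produces no entry, which is the whole lesson: only encryption that runs end to end survives the hop from the access point onto the wire.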

All in all it was a great event, lots learned, lots to think about!  Can’t wait for next year!