Welcome to another edition of our Weekly Rewind – where we summarize all our posts from the last week. The top stories this week were 3) “Defcon Day 2 Talk Note – The DCWG Debriefing”, 2) “Defcon Day 1 Keynote Notes – Shared Values, Shared Responsibility”, and 1) “Defcon Day 3 Talk Notes – Sploitego”. If you missed anything or happened to be offline, we hope you find this summary post useful as a quick reference.
A la Schneier … you can also use this rewind post to talk about the security stories in the news that we haven’t covered.
Defcon 20 – Day 1 of The DC Edition: Well it’s time and we are transitioning from Black Hat to Defcon. Continuing our theme from Black Hat, here is day 1 of our recommendations for those who are looking to get that DC experience out of Defcon 20. The tracks don’t seem to have any specific names … just Penn & Teller, Track 1, Track 2, Track 3, and Track 4. Of these, the Penn & Teller theater and Track 1 hold most of the talks you might want to catch. Beyond these sessions there are some govie-type talks or presentations I personally might be interested in that take place in the other, more defense-oriented tracks, and I point them out below as well. Any other talks you saw on this day? Let us know in the comments below. (continued here)
Defcon Day 1 Keynote Notes – Shared Values, Shared Responsibility: As usual, here is the official abstract… We as a global society are extremely vulnerable and at risk for a catastrophic cyber event. Global society needs the best and brightest to help secure our most valued resources in cyberspace: our intellectual property, our critical infrastructure and our privacy. DEF CON has an important place in computer security. Were you at Defcon and saw this talk? What did you think? Let us know in the comments below. (continued here)
Defcon Day 1 Talk Notes – An Inside Look into DIB Technical Security Controls: And some notes I took, based mostly on my tweets during the talk, put together in a slightly more intelligible way… Overall James provided some good background on what the DIB (Defense Industrial Base) is, details on how screwed up the process is, and how the requirements to join the DIB do not achieve its goal of protecting our nation’s security. He touched on several efforts he made to genuinely improve the process, but the “system” just pushed him down. At some points the talk was absolutely hilarious in showing how backwards DSS (the Defense Security Service) does things. I think the best part was the Q&A, when most of the questions revolved around how frustrated the audience members were too. I think James may start a DIB-anonymous meeting here at Defcon where we can all vent our frustrations. Were you at Defcon and saw this talk? What did you think? Let us know in the comments below. (continued here)
Defcon 20 – Day 2 of The DC Edition: If yesterday wasn’t enough … now we are on to the second day of Defcon. Continuing our theme from Black Hat, here is day 2 of our recommendations for those who are looking to get that metro DC experience out of Defcon 20. The tracks don’t seem to have any specific names … just Penn & Teller, Track 1, Track 2, Track 3, and Track 4. Of these, Track 2 seems to be the place to hang out. Yeah, you may miss some of the big talks, but you’ll also miss all the lines. Beyond these sessions there are some govie-type talks or presentations I personally might be interested in that take place in the other, more defense-oriented tracks, and I point them out below as well. Any other talks you saw on this day? Let us know in the comments below. (continued here)
Defcon Day 2 Talk Notes – Bruce Schneier Answers Your Questions: As usual, here is the official abstract… Bruce Schneier will answer questions on topics ranging from the SHA-3 competition to the TSA to trust and society to squid. And some notes I took, based mostly on my tweets during the talk, put together in a slightly more intelligible way… Note I did skip the first question, on where to find good but cheap food in Las Vegas. Were you at Defcon and saw this talk? What did you think? Let us know in the comments below. (continued here)
Defcon Day 2 Talk Note – The DCWG Debriefing: And some notes I took, based mostly on my tweets during the talk, put together in a slightly more intelligible way… Overall this talk on the DCWG (the DNS Changer Working Group) wasn’t too exciting, and the speakers’ mumbling didn’t help. Still, it was good to hear the other side of the story rather than just what the press chose to publish (including us, unfortunately). Were you at Defcon and saw this talk? What did you think? Let us know in the comments below. (continued here)
Defcon Day 3 Talk Notes – Sploitego: When I woke up this morning … a little later than usual … I really didn’t have anything picked out to attend. I skipped most of the morning talks, opting to meet up with a few folks instead. In the afternoon I didn’t see anything too DC-centric, so it was sort of a free-for-all for me. With that in mind I attended some of the more technical tool talks. The first presentation I checked out was an interesting add-on to Maltego called Sploitego. Unfortunately, I didn’t tweet too much during this talk, so this post will just be a quick writeup of my thoughts. Sploitego is basically a set of additional transforms that let security professionals use Maltego as a GUI for common local pen test activities: a transform runs a tool against the selected entity and feeds the results back onto the graph as new entities. As an example, some of the transforms Nadeem wrote wrap Nmap and Nessus. Were you at Defcon and saw this talk? What did you think? Let us know in the comments below. (continued here)
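To make the “Maltego as a GUI for Nmap” idea concrete, here is an added example of the glue a Maltego local transform needs (this is my own illustration, not Sploitego’s code). Maltego runs a local transform as a program with the selected entity’s value on the command line and reads the XML the program prints to stdout back into the graph. The script below takes Nmap’s XML (-oX) output for a host and turns every open port into an entity in Maltego’s transform response format. The Nmap XML is a constructed sample so the script runs offline; in a real transform you would run nmap via subprocess and pass its -oX output in. The entity type name and field names are assumptions for the example, not something the talk specified.

```python
"""Nmap XML -> Maltego transform response (added example, not Sploitego's code)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX -` output for one host (not real scan data).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.22"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(nmap_xml):
    """Return one dict per open port found in nmap -oX output."""
    root = ET.fromstring(nmap_xml)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not worth an entity
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            results.append({
                "addr": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
    return results


def to_maltego_response(open_ports, entity_type="maltego.Port"):
    """Render open ports in Maltego's local-transform response XML.

    The wrapper elements are Maltego's transform output format. The entity
    type and the AdditionalFields names are assumptions for this example;
    a real transform uses whatever entity it is registered to produce.
    """
    msg = ET.Element("MaltegoMessage")
    resp = ET.SubElement(msg, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    for p in open_ports:
        ent = ET.SubElement(entities, "Entity", Type=entity_type)
        ET.SubElement(ent, "Value").text = str(p["port"])
        fields = ET.SubElement(ent, "AdditionalFields")
        for name, value in (("ipv4-address", p["addr"]), ("protocol", p["proto"]),
                            ("service", p["service"]), ("product", p["product"])):
            ET.SubElement(fields, "Field", Name=name, DisplayName=name).text = value
    return ET.tostring(msg, encoding="unicode")


if __name__ == "__main__":
    # Maltego passes the selected entity's value as argv[1]; a real transform
    # would run `nmap -sV -oX - <target>` here instead of using the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(to_maltego_response(parse_open_ports(SAMPLE_NMAP_XML)))
```

The point to take from this is how thin the transform layer is: all the work is in the tool, and the transform is a parser plus an XML emitter, which is why wrapping Nmap, Nessus and friends in Maltego is mostly a matter of writing one such adapter per tool.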
Defcon Day 3 Talk Notes – Subterfuge: As we mentioned earlier in our Sploitego post, Sunday was sort of a free-for-all day with not too much DC-centric content. With that in mind I attended some of the more technical tool talks. The second presentation I listened to was on a new tool called Subterfuge. Unfortunately, I didn’t tweet too much during this talk, so this post will just be a quick writeup of my thoughts. Subterfuge allows almost anyone to perform MITM attacks on your local network using ARP spoofing: forged ARP replies convince victims to send traffic destined for the gateway to the attacker’s MAC address instead, which only works against hosts on the same local network segment. The attack isn’t anything new; think of the tool as the Firesheep of MITM. Were you at Defcon and saw this talk? What did you think? Let us know in the comments below. (continued here)
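Since the attack itself is old news, the more useful thing to show is the check that catches it. The following is an added example of my own (not part of Subterfuge or the original post): a small ARP watcher run over a constructed sequence of ARP replies, not a real capture. It tracks which MAC each IP has claimed and raises an alert when an IP, above all the gateway, suddenly shows up with a different MAC, or when one MAC starts answering for several IPs, which is exactly what a poisoning tool does. The IPs and MACs are made up for the example.

```python
"""ARP-spoof detection over constructed ARP replies (added example)."""
from collections import defaultdict

# Constructed ARP replies as (sender_ip, sender_mac); not a real capture.
# Replies 1-2 are the legitimate gateway and a host; 3-4 are an attacker
# (00:0c:29:aa:bb:cc) poisoning both directions; 5 is a repeat of 3.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),   # real gateway
    ("192.168.1.50", "00:11:22:33:44:50"),   # real host
    ("192.168.1.1",  "00:0C:29:AA:BB:CC"),   # attacker claims the gateway IP
    ("192.168.1.50", "00:0c:29:aa:bb:cc"),   # attacker claims the host IP too
    ("192.168.1.1",  "00:0c:29:aa:bb:cc"),   # repeated poison, already reported
]


class ArpWatch:
    """Keeps the first MAC seen per IP and alerts on changes or MAC reuse."""

    def __init__(self, gateway_ip, trusted=None):
        self.gateway_ip = gateway_ip
        # ip -> first MAC seen (optionally pre-seeded from a trusted table)
        self.ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.seen_pairs = set(self.ip_to_mac.items())

    def observe(self, sender_ip, sender_mac):
        """Process one ARP reply and return the alerts it triggers (maybe none)."""
        mac = sender_mac.lower()
        if (sender_ip, mac) in self.seen_pairs:
            return []  # same binding as before: nothing new to say
        self.seen_pairs.add((sender_ip, mac))
        alerts = []

        known = self.ip_to_mac.get(sender_ip)
        if known is None:
            self.ip_to_mac[sender_ip] = mac
        else:
            # The IP already had a MAC and a different one is now claiming it:
            # the classic poisoning signature. Gateway changes are the worst case.
            sev = "CRITICAL" if sender_ip == self.gateway_ip else "WARN"
            alerts.append(f"{sev}: {sender_ip} changed from {known} to {mac}")

        self.mac_to_ips[mac].add(sender_ip)
        if len(self.mac_to_ips[mac]) > 1:
            # One MAC answering for several IPs is what an attacker in the
            # middle of gateway<->host traffic looks like.
            alerts.append(f"WARN: {mac} now claims {sorted(self.mac_to_ips[mac])}")
        return alerts


def run(replies, gateway_ip="192.168.1.1"):
    """Feed a list of (ip, mac) replies through ArpWatch; return all alerts."""
    watch = ArpWatch(gateway_ip)
    all_alerts = []
    for ip, mac in replies:
        all_alerts.extend(watch.observe(ip, mac))
    return all_alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_ARP_REPLIES):
        print(alert)
```

Caveat for anyone turning this into a real monitor: legitimate events (a replaced NIC, DHCP handing an address to a new machine, VRRP/HSRP failover) also change IP-to-MAC bindings, so the gateway alert is the one to page on and the rest should be correlated before anyone panics. Seeding the watcher with a trusted table of gateway and server bindings, or simply using static ARP entries for the gateway on sensitive hosts, closes most of the gap.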
Tesco – Just the Tip of the Plaintext Password Iceberg: It seems like today is an appropriate day to write about this whole Tesco fiasco. I’m sure as I’m writing this you have all already noticed receiving your Daily Dave (or other Mailman-based list) monthly password reminders, which are only possible because the list server can read your password back. We’ve covered this issue at length in other posts. The scary thing is that storing passwords in plaintext (or reversibly) is more often the standard than the exception. Just check out PlainTextOffenders.com to get an idea of the number of culprits out there. Have you been affected by the Tesco password issue? Post your comments below. (continued here)
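For readers who want to see exactly what separates a plaintext offender from a site doing it right, here is an added example of mine (not code from Tesco, Mailman or the original post). The first class stores the password as typed, which is the only way a site can e-mail it back to you; the second stores a salted, slow, one-way hash (PBKDF2-HMAC-SHA256 from the standard library; scrypt or bcrypt would be the same shape) and can offer nothing but a reset link. The user names, passwords and the reset URL are made up for the example.

```python
"""Plaintext password storage beside the hardened form (added example)."""
import hashlib
import hmac
import os
import secrets


class PlaintextStore:
    """The pattern the post is complaining about (deliberately weak)."""

    def __init__(self):
        self._users = {}

    def register(self, user, password):
        self._users[user] = password  # stored exactly as typed

    def verify(self, user, password):
        return self._users.get(user) == password

    def reminder_email(self, user):
        # The smoking gun: a "reminder" can only contain the password if the
        # site can read it, and so can anyone who dumps the database.
        return f"Your password is: {self._users[user]}"


class HashedStore:
    """Hardened form: per-user salt, slow KDF, constant-time comparison."""

    ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 cost; tune to ~100 ms on your hardware

    def __init__(self, iterations=ITERATIONS):
        self.iterations = iterations
        self._users = {}

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, user, password):
        salt = os.urandom(16)  # fresh random salt per user: same password != same hash
        self._users[user] = (salt, self.iterations, self._derive(password, salt, self.iterations))

    def stored_record(self, user):
        """Expose the (salt, iterations, digest) tuple, e.g. for migration or tests."""
        return self._users[user]

    def verify(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            # Run the KDF anyway so unknown users cost the same as wrong passwords.
            self._derive(password, b"\x00" * 16, self.iterations)
            return False
        salt, iterations, stored = rec
        return hmac.compare_digest(stored, self._derive(password, salt, iterations))

    def reminder_email(self, user):
        # The password is not recoverable; the only honest offer is a reset.
        # The URL is a placeholder for the example.
        token = secrets.token_urlsafe(32)
        return f"Reset your password: https://example.invalid/reset?token={token}"


if __name__ == "__main__":
    weak, strong = PlaintextStore(), HashedStore()
    for store in (weak, strong):
        store.register("dave", "hunter2")
        print(type(store).__name__, "->", store.reminder_email("dave"))
```

Two details worth copying: the salt and iteration count are stored next to the digest so the cost can be raised later without a flag day, and the unknown-user branch still runs the KDF so response time does not reveal which accounts exist.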
Australia in Crosshairs with Over 2,300 Dumped Password Hashes: There are four new smaller password hash dumps that we discovered on OZDC.net over the past few weeks. Of course many of the records also contained other interesting data such as emails, usernames, obfuscated credit card numbers, credit card types, names, user ids, and nicknames. It appears websites in Australia are being targeted, as two of the four dumps we’ve found are in the .au domain. In our last password hash post we got some good Linux commands to strip out just the hashes. Anyone got something in Python that can do the same thing? Let us know in the comments below. (continued here)
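Taking up the request for a Python equivalent of the grep/cut/sort pipeline, here is an added example of my own (not something from the original post or any reader). It pulls 32-, 40- and 64-character hex digests out of dump lines regardless of the surrounding fields, keeps an optional hash:salt suffix of the kind vBulletin-style boards use, tags each by likely algorithm from its length, and produces a de-duplicated list ready to hand to a cracker. The dump lines below are constructed for the example (the digests are the well-known hashes of “password” and “admin”, not real user data).

```python
"""Strip password hashes out of a mixed dump (added example)."""
import re
from collections import Counter

# Constructed dump lines in the shape the post describes: ids, usernames,
# emails, a password column, card type and an obfuscated card number.
SAMPLE_DUMP = """\
id,username,email,password,cc_type,cc_masked
1,alice,alice@example.com.au,5f4dcc3b5aa765d61d8327deb882cf99,VISA,XXXXXXXXXXXX1234
2,bob,bob@example.com.au,5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8,MC,XXXXXXXXXXXX9876
3,carol,carol@example.org,8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918,,
4,dave,dave@example.net,3B0E9EF14D7F6A2A0A6B7FCF6F2B9A38:Kq9,VISA,XXXXXXXXXXXX4321
5,erin,erin@example.com,plaintextpw,,
6,frank,frank@example.com,5f4dcc3b5aa765d61d8327deb882cf99,,
"""

# Length alone cannot prove the algorithm, so these are labelled "-like".
KINDS = {32: "md5-like", 40: "sha1-like", 64: "sha256-like"}

HASH_RE = re.compile(
    r"(?<![0-9a-fA-F])"                                    # not preceded by hex
    r"([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})"    # the digest
    r"(?::([^\s,;:]{1,32}))?"                              # optional ':salt'
    r"(?![0-9a-fA-F])"                                     # not followed by hex
)


def extract_hashes(text):
    """Return one record per digest found, in file order, duplicates kept."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in HASH_RE.finditer(line):
            digest, salt = m.group(1).lower(), m.group(2)
            records.append({"line": lineno, "hash": digest, "salt": salt,
                            "kind": KINDS[len(digest)]})
    return records


def strip_to_hashes(text):
    """Equivalent of grep -o ... | sort -u: unique hash[:salt] entries."""
    seen, out = set(), []
    for r in extract_hashes(text):
        entry = r["hash"] + (":" + r["salt"] if r["salt"] else "")
        if entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


def summarize(records):
    """Count records by likely algorithm, e.g. to pick a cracking mode."""
    return Counter(r["kind"] for r in records)


if __name__ == "__main__":
    recs = extract_hashes(SAMPLE_DUMP)
    print(dict(summarize(recs)))
    print("\n".join(strip_to_hashes(SAMPLE_DUMP)))
```

The lookarounds matter more than they look: without them a 64-character digest would also match as a 32- and a 40-character one, and a hex-looking fragment of a longer token would be picked up as a hash. Anything that is not hex, such as the masked card numbers and the plaintext password on the erin line, is ignored, which is the behaviour you want when the dump mixes columns.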
#####
Hope everyone had a wonderful week. Have a great weekend!