Thursday, December 26, 2013

Events for the week of Dec 29, 2013 - Jan 4, 2014

Dec 2013/Jan 2014

  • 12/29-1/4: Spend time celebrating the New Year with family and friends!

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Saturday, December 7, 2013

Save the date - BSidesCharm - Spring 2015

BSidesCharm will be held in Baltimore, MD (Spring 2015). Watch for more announcements soon! Always looking for sponsors. Contact BSidesCharm (at) gmail (dot) com or JB jb (at) jeffbsecurity (dot) com.

Thursday, December 5, 2013

Events for the week of Dec 8-14, 2013

Dec 2013


If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Friday, November 29, 2013

Events for the week of Dec 1-7, 2013 (13)

Dec 2013


If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Sunday, November 24, 2013

BSides coming to Baltimore - Spring 2014!

Looking for people to volunteer, sponsor and speak at the inaugural BSides event in the Baltimore, MD area. No specific date as of yet, but shooting for a Saturday in May/June 2014. If anyone is interested or knows anyone who may be interested, please contact Jeff - jb at jeffbsecurity dot com or on twitter via jeffbsecurity.

Thursday, November 21, 2013

Events for the week of Nov 24-30, 2013 (2)

Nov 2013


If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Thursday, November 14, 2013

Events for the week of Nov 17-23, 2013 (16)

Nov 2013


If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Thursday, November 7, 2013

Events for the week of Nov 10-16, 2013 (9)

Nov 2013


If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Friday, November 1, 2013

Events for the week of Nov 3-9, 2013 (30)

Nov 2013


If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Thursday, October 24, 2013

Events for the week of Oct 27-Nov 2, 2013

Oct 2013

Nov 2013


If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Friday, October 18, 2013

Events for the week of Oct 20-26, 2013 (29 events)

Oct 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Thursday, October 10, 2013

Events for the week of Oct 13-19, 2013 (26 events)

Oct 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Thursday, October 3, 2013

Events for the week of Oct 6-12, 2013


If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Thursday, September 26, 2013

Events for the week of Sep 29-Oct 5, 2013

Sep 2013

Oct 2013


If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Thursday, September 19, 2013

Events for the week of Sep 22-28, 2013

Sep 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Thursday, September 12, 2013

Events for the week of Sep 15-21, 2013

Sep 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Thursday, September 5, 2013

Events for the week of Sep 8-14, 2013

Sep 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Thursday, August 29, 2013

Events for the week of Sep 1-7, 2013

Sep 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Thursday, August 22, 2013

Events for the week of Aug 25-31, 2013

Aug 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Sunday, August 18, 2013

Events for the week of Aug 18-24, 2013

Aug 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Friday, August 9, 2013

Events for the week of Aug 11-17, 2013

Aug 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Saturday, August 3, 2013

Events for the week of Aug 4-10, 2013

Aug 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Friday, July 26, 2013

Events for the week of Jul 28-Aug 3, 2013

July 2013
Aug 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Saturday, July 20, 2013

Events for the week of Jul 21-27, 2013

July 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Friday, July 12, 2013

Events for the week of Jul 14-20, 2013

July 2013

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Friday, July 5, 2013

Events for the week of Jul 7-13, 2013

This week:

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Monday, July 1, 2013

Events for the week of Jun 30-Jul 6, 2013

This week:

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Saturday, June 22, 2013

Events for the week of Jun 23-29, 2013

This week:

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Sunday, June 16, 2013

Events for the week of Jun 16-22, 2013

This week:

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Saturday, June 8, 2013

Events for the week of Jun 9-15, 2013

Events for the week (Jun 9-15, 2013):

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Saturday, June 1, 2013

Events for the week of Jun 2-8, 2013

Events for the week (Jun 2-8, 2013):

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Sunday, May 26, 2013

Events for the week of May 26-Jun 1, 2013

Events for the week (May 26-Jun 1, 2013):

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Saturday, May 18, 2013

Events for the week of May 19-25, 2013

Events for the week (May 19-25, 2013):

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Saturday, May 11, 2013

Events for the week of May 12-18, 2013

Events this week:

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Sunday, May 5, 2013

Events for the week of May 5-11, 2013

Events this week:

If you know of any other security-related conferences, seminars or events, please let me know so I can post them (jb at jeffbsecurity dot com).

Full listing of upcoming events can be found at Security Events Calendar.

Saturday, March 9, 2013

Updated list of upcoming security events

I just updated my page that lists upcoming security events and conferences. Please give it a look and let me know what you think. I guess it is true that you could spend almost every day at some sort of conference.

Wednesday, March 6, 2013

Conference wrap-ups - ShmooCon, BSidesSF and RSA

Well, finally able to decompress and sort out everything from the past 3 BUSY weeks.

Started out going to ShmooCon in DC. That was the first time I had a chance to go and I was really impressed. For a smaller conference, there really were a lot of great talks. Orin Kerr and Marcia Hofmann had a really good talk on the CFAA. @Aestetix had an awesome talk on Nymwars and Online Identity. Michael Schearer (@theprez98) had a great talk on the law and various court cases as well. The FireTalks in the evening were outstanding. @rogueclown did a really cool talk on getting involved with CTFs. Joe Klein (@joeklein) had an interesting talk on hacking around with system time settings. And Chris Campbell (@obscuresec) had a great talk on using PowerShell. All of the FireTalks are available online at Irongeek's site. No wonder the barcodes get all snatched up in a matter of seconds. This is definitely one I will try to get back to next year.

Since I was going to be in San Francisco for RSA the next week, I decided to see if there were any tickets left for BSidesSF. Unfortunately I couldn't get my travel plans changed around to allow me to attend both full days, but I was able to get to the Monday sessions. It was definitely a smaller conference feel. The talks I did see were really good. I really liked the Valerie Thomas(@hacktress09)/Harry Regan talk on physical pen tests and Jason Andress's (@jason_andress) talk on Anti-Forensics. Both were really informative. One big drawback I felt was the venue though. The con was held at the DNA Lounge, which really wasn't suited for this type of event. The talks I attended in the small room upstairs (track 2) were hard to follow since there was so much noise from the main room. There was also the big dustup that led to Violet Blue's talk being cancelled at the very last minute. Not sure how that all started, but there are several accounts of it from all sides. I'm really kind of kicking myself now for missing the Sunday sessions. I think there were some really good ones that I would have liked to see. Maybe next year if I go back out to SF, I will plan the trip a little better so I can spend both days at BSidesSF.

Then the rest of the week was for RSA. Spent Monday evening cruising the expo hall checking out vendors that would be good to revisit throughout the week. New this year was a second, smaller expo hall. I don't know the exact count, but I'd guess there were probably about 375 vendors total. Things were definitely toned down from past years. Fewer booth babes and I don't think I saw any booths with cars. Veracode had photo ops with Larry Thomas, aka the Soup Nazi. That was kind of neat. I also saw Darth Vader and a Storm Trooper or two walking around, but I don't recall what booth they were from. I can't tell you how many plastic light sabers I almost got poked with. Maybe not one of the best booth giveaway ideas. Definitely had to keep watch for things like that hanging out of backpacks when the person in front of you abruptly stopped.

I ended up in my hotel room all Tuesday with a stomach bug, so I missed the opening keynotes and track sessions. I'll eventually run through the keynotes on-line as I get a few minutes here and there. I did make it to all the track sessions I wanted to see the rest of the week. The top three had to be (in no specific order): the Sysinternals talk by Mark Russinovich (@markrussinovich), Jeremiah Grossman's (@jeremiahg) talk on Application security and The Five Most Dangerous New Attack Techniques with Alan Paller, Ed Skoudis and Johannes Ullrich. I'm still going back over my notes and the slides from all the other sessions, but these three definitely stood out in my mind. I'm generally not a big fan of the keynote addresses, but I have to say I really enjoyed listening to Billy Beane and Condoleezza Rice on Friday.

Now I just have to go back through all these notes and slides and come up with some really good ideas to possibly turn into talks of my own for later this year.

Sunday, February 3, 2013

Hitting some buzzwords hard lately

Over the last week, we're seeing a lot of these buzzwords (not an all-inclusive list by any means):
  • "Media Hacking": Several stories lately about major media outlets, like New York Times, Washington Post and Wall Street Journal getting hacked.  There is speculation that these attacks were mounted by Chinese hackers, possibly looking for reporter notes and source information.  It is thought the attackers may have been lurking for anywhere from several months to several years before being discovered.  Of course there is a ton of finger pointing now related to all this. Well, yeah, if you happen to have hackers sitting in your system for months or even years, you deserve some fingers.
  • "Extremely Sophisticated Attack": Approximately 250,000 Twitter accounts were hacked recently. Depending on what numbers you believe, there are possibly around 500 million accounts active.  While the 250K is a large number of accounts, it is a relatively small percentage of accounts.  Actually with any 250K sampling, how many of those accounts are fake in the first place?
  • "Ransomware": There is another nasty little piece of code out there that will encrypt some of your files and then ask for money to put them back right.  Researchers are calling this "unusual", in that a lot of the previous types of attacks could be circumvented without paying the ransom.
  • "Sextortion": So the FBI arrests a creep this past week for trying to convince hundreds of young women to flash various body parts at him on web cams.  If they would turn him down, he would place some inappropriate photos in their Facebook accounts which he hacked.  Luckily, this guy didn't do much at all to hide his identity.  He apparently used the same IP address for logging into all these different Facebook accounts.  Unfortunately it took over a year to get the investigation to the point of making an arrest.
  • What the hell?: This one isn't IT-related.  No buzzword here.  It's one of those stories that you just have to share.  A guy was arrested in LA recently for boosting 24 quarts of oil from a Costco.  He apparently strapped them to his body under his clothes.  He then was able to run from the store and get over a fence before eventually being arrested.  My question is how does one have enough mobility to move, let alone run and go over fences, with 24 quarts of oil strapped to themselves?

Monday, January 28, 2013

Corporate security

Lots of happenings in the corporate security world lately.  Most not good.  This article and this article kind of sum it up nicely.

Most companies still do not spend enough time or effort on security, while some are just in plain denial ("hackers aren't interested in us"). In all honesty though, most companies only have the time and financial backing to focus on their specific business - not becoming security experts. However, these companies still have to understand there are potential vulnerabilities in a lot of the common business products and plenty of people out there willing to put forth a lot of time looking for any kinds of weaknesses to exploit.


Thursday, January 17, 2013

More news on medical devices

Some recent stories on medical devices and medical-related issues.

  • Listen to my heartbeat: HeartID is biometric software that uses your heartbeat to identify you.  It can also be used to continuously monitor the user to make sure it is still the same person who originally logged in.  It's definitely an interesting idea.  You kind of wonder though how accurate this type of thing can be.  Is a normal heartbeat unique enough to reliably identify a person?  Especially if you try to log in right after a big fight with your spouse or you're just not feeling well.  How accurately will this perform over the long run?
  • Medical system hacked: SC Magazine reports that researchers have discovered it is possible to hack into patient information in the Philips Xper system.  The researchers also speculate the system uses hard-coded user names and passwords.  This is probably just the tip of the iceberg with this kind of stuff.  For years, all different types of medical systems, monitors and devices were created without even an ounce of security.  Now it's catching up, and fast.  Hopefully it's not too late to get some of this corrected before things get too out of hand.  Although some would say we're almost there now.
  • Stop checking me out: Interesting statistics on health care record breaches.  It's amazing with all the press this kind of problem has been receiving that there are still new occurrences every week.  It's not always about evil hackers breaking in and stealing the data.  How often do we see news about some laptop getting lost or some USB stick or drive with thousands of patient records misplaced or stolen?  Well, I just ran into the store to get a few things and when I came out, the laptop/drive/tape wasn't on the front seat where I left it.  Gee, really?  Tell me the data was at least password protected or encrypted?  Of course it was.  I made a really good password that nobody can guess and wrote it down on the little sticky note I taped beside the laptop touchpad.

Saturday, January 12, 2013

The connected home

This is an interesting infographic from TrendMicro.  It shows some of the household systems that can be internet connected, and what can happen if somebody happens to hack in to them.

But what about some other things they didn't mention?
  • Utility meters - gaining unauthorized access to electricity, gas or even water feeds could lead to several different homeowner problems.  At a minimum, incorrect usage levels could be reported back to the utility, causing overbilling headaches.  On the other end, the hacker could shut off the utility service completely.  If somebody in the home is dependent upon oxygen or some other medical device, it could potentially become life-threatening.  Even if nothing malicious is done, access to the usage data could provide hints as to when the house is unoccupied.
  • Comfort systems - I'm still not sure what the benefit to controlling comfort systems remotely really is.  Maybe it would be useful to be able to turn lights on/off periodically when you're not home so you can give the appearance of somebody there.  But when you are home, do you really want anyone outside the home fiddling with your lights?  Maybe just buy some simple light timers and call it even.  Then there is remote control of the HVAC system.  Here again, probably not something you want somebody outside the house messing with when you are home.  It could get even worse though when you're away for vacation.  If the thermostat setting was to be set extremely low or high, depending upon the season, not only could other systems in the house be damaged, but the HVAC systems themselves could be severely overworked, possibly leading to fire damage or complete mechanical failure.
  • Laptops, game systems and mobile devices - "smart" TVs aren't the only things with cameras and microphones in the house.  Remote access to any of these devices could lead to not only invasion of privacy, but potentially some embarrassing private moments.
  • Alarms and sensors - If access falls into the wrong hands, threshold settings could be changed, rendering the sensors useless.  Same holds true if the sensors are remotely deactivated.  If the sensors alert incorrectly too many times, the monitoring company may impose extra charges on the homeowner.  I guess there is also the possibility of a malicious person running alarm tests in the middle of the night ... denial of sleep attack.

Thursday, January 10, 2013

Security calendar

I have been trying to keep up a calendar of upcoming security events on this blog.  It's at Security Events, which is linked from my home page.  If anyone knows of any conferences or industry events that I don't have listed, it would be much appreciated to send the info my way so I can post it.  My email is jb123 at jeffbsecurity dot com (without the "123").  Thanks a bunch.

Jeff

Saturday, January 5, 2013

First week in Jan 2013

Here are some interesting articles I ran across this week:
  • Who cares about HIPAA: Seems Kaiser Permanente ran out of room or common sense when they decided to "contract" out data storage to a couple in a California town. Most of the records were apparently stored in a warehouse the couple shared with a party rental shop, but some records were also stored in computers at the couple's home.  We're talking about 300,000 records, containing personal and medical information.  Wow, how does stuff like this happen?
  • Give me your password: Two more states recently adopted laws barring employers from requesting login access to potential and existing employees' social networking sites.  That brings the total to 6.  I'm still not sure if it's entirely necessary, but there are apparently enough businesses out there requesting people turn over their credentials.  I guess that would be a definite red flag on a job hunt for me.  If a company is hell-bent on getting you to violate the terms of service for a social networking site, then what other shady practices are they going to coerce you into?
  • Help yourself to my data, wink, wink: This article talks about companies creating bogus data that is supposed to help protect their real data from hackers.  It's an interesting idea, but how feasible is it?  If you have a big budget and a large security and IT group, maybe it's workable.  However, most small to mid-size companies have trouble just doing what they need to get by.  Security is still not a priority.  At best it's an afterthought.  So how would all these companies have the extra time and money to develop and maintain a bogus net presence alongside their operational one?  Maybe just spend the extra time and money on securing the real data?  Then you don't have to run the risk of the hackers getting pissed off and devoting even more time to coming after the real data.
  • Whatever happened to common sense: This will end up high on the list of dumb things this year.  Underage kid gets drunk, drives into a parked car, drives away and then posts about it on Facebook.  Really?  Wonder how they caught you?

Tuesday, January 1, 2013

Happy New Year!

Happy 2013!! Hopefully the new year brings lots of opportunities and good health for everyone.

Here are some things that have been on my mind over the past few weeks:
  • Stop spying on me - Rental laptops that were found to have back doors and spyware installed to help track them.  Seems Aaron's lost track of a laptop and showed up at the guy's door to get payments or the laptop.  They even showed him photos from the web cam of him using the laptop.  Problem is that the guy had bought the computer outright a few months before.  Oops!  So they can remotely turn on the web cam, see what's on the screen and watch all the keystrokes.  Wow, that's like a creeper's dream.
  • It's ok, nobody else will ever see that video - Surprise, surprise, videos sent via Snapchat and Facebook's Poke don't always disappear.  It's an interesting idea, but you would have to think they are cached someplace in order for the video player to work.  And the various network devices along the way that forward the packets from sender to receiver NEVER store any data.  Maybe the endpoint cache just needs to be cleaned up after it's done playing?  Yeah, that's it.  If Facebook says the video disappears once it's viewed, it's gotta be true ;)
  • I said, stop spying on me - Feds want black boxes in all automobiles by 2014. This is supposedly to allow manufacturers to have access to crash data in order to see how safety features are working.  Sounds like it will be similar to the black boxes in planes.  But it seems some people are looking at this as a huge threat to privacy ... big brother tracking to see where you are going and how fast (i.e. speeding).  Fair argument, but it would be stronger if you didn't have a GPS tracking your every move and a phone and tablet running apps based upon location.