Archive for the ‘conferences’ Category

RSA 2011: HBGary Goes AWOL


So, where is HBGary? Since they got pantsed, I'm imagining a lot of people would like to talk to them.

Oh, that’s where they are.

(Image credit: colbinator)

Apparently they decided not to attend in person after their booth was vandalized. Here is a pic of the vandalism…

(Image credit: Bob McMillan)



RSA 2011: What’s My Theme?


Everything old is new again. This year at RSA 2011 we find that the themes of years gone by are looking on with some disdain, as this year appears to be suffering from an identity crisis. Last year, for example, everyone was flogging that their product/service/widget could help you defeat the wily evil that is the Advanced Persistent Threat, more commonly referred to as APT. While this had the ability to induce vomiting in many in the security community, it did not stem the tide of marketing materials.

This year, an identity crisis. I have seen several competing themes trying to emerge. The top five this year are Cloud Security (duh), Wikileaks, Stuxnet, Mobile Security and APT. So, who will be the clear winner? That remains to be seen. Cloud Security does appear to be leading the pack.

Now, Bill Brenner from CSO made an excellent observation. In 2005 there was a rash of companies flogging their various anti-malware solutions. A great number of them were gobbled up and lost to the mists of time. Will we see the same with the various Cloud Security startups? My best guess would be yes; we'll more than likely see a repeat of years gone by in this cycle of life.

So, what's your vote for this year's theme? No, Alice & Bob isn't the correct answer.

(Image used under CC from paurian)



RSA 2011 To Go? There’s An App For That


This year at RSA 2011 the conference has made things a little easier. Rather than lugging around a large printed schedule (which they still provide), they now have an app. Perhaps taking a cue from other conferences such as Defcon, which released its app two years ago, RSA has released its own. It's not bad, and certainly much better than lugging around some dead trees. Check it out; it's a free app in the App Store.

Here are some more screen captures below.



RSA 2011: Here I Come!


Looking forward to a very busy week in San Francisco while I, along with several thousand other people, make the most of the RSA 2011 conference.

Be sure to keep an eye on Securosis.com for updates as well as here.

Attending RSA? Ping me on Twitter @gattaca.

(Image used under CC from digital_freak)



Shmoocon 2011 Update


It appears that things may be getting closer to going live for Shmoocon tickets. One can only hope. I completely admire the Shmoocon team's dedication and determination to get things up and running. I have to wonder, though: why not go through a third party and pass the costs back to the attendees? What, another $9 on the ticket? Done.

From Shmoocon:

We’re still tuning and shaking out the bugs. As you can imagine there’s a lot of changes when moving from a single host with all software running in one place to a distributed setup like we have in the Moose Cluster. We’ve made good progress, but we won’t be ready this week.

That said, we do think we’ll be ready on Tuesday. So we’re scheduling the next attempt to sell tickets for noon EST (yes, EST now) on Tuesday, November 16th. So, get F5 ready. We should be ready for you.

Fingers crossed that they’ve gotten all of the bugs worked out. Good luck!

Article Link



Sector 2010 Presentations Now Online


The presentations from the Sector Security Conference 2010 are now online. The keynotes are not up yet, but they should follow in short order.

Article Link



Black Hat & Defcon Parties 2010


I just wanted to say a big thanks to everyone from the various companies and twitter folk who supplied information for the parties list.
Also, thanks to Jhaddix whose list we have now partnered with.

(Image used under CC from kevindooley)

| Date | Party | Location | Time | Type |
|---|---|---|---|---|
| Tuesday July 27 | Black Hat Speakers Party | Not Available | 9 pm – 12 am | Speakers |
| Wednesday July 28 | Rapid7 & Metasploit | Palms, Sky Villa Suite | 9 pm – 2 am | RSVP |
| Wednesday July 28 | McAfee | Vanity @ Hard Rock Hotel | 8 pm – 11 pm | Invites at booth #18 |
| Wednesday July 28 | Mandiant | Shadow Bar | 7 pm – 9 pm | RSVP |
| Wednesday July 28 | WhiteHat & Accuvant | Pure | ? | Invite Only |
| Wednesday July 28 | NetWitness | Pure | 9 pm – 12 am | RSVP |
| Wednesday July 28 | FishNet | Rhumbar | ? | ? |
| Wednesday July 28 | Qualys | Jet | 8 pm – 2 am | RSVP |
| Wednesday July 28 | Tenable | Margaritaville | 8 pm – 10 pm | ? |
| Wednesday July 28 | SourceFire VRT Adobe Haters Ball | Casa Fuente | 8 pm – 11 pm | Invite Only |
| Wednesday July 28 | IOActive Black Hat | Spago Restaurant | 8 pm – 10 pm | Invites at booth #63 |
| Wednesday July 28 | Cenzic/Dasient | Caesar's Rainman Suite | 9 pm – 12 am | ? |
| Wednesday July 28 | MAD & Nitro Security Party | ? | 8 pm – 10 pm | See their booth for an invite. |
| Thursday July 29 | Security Twits | Caesar's (suite TBD) | 8 pm – ? | Open |
| Thursday July 29 | EFF Defcon Fundraiser | Riviera Penthouse | | Cost $40 |
| Thursday July 29 | Microsoft | Vanity | 9 pm – 11 pm | RSVP |
| Thursday July 29 | Defcon Toxic BBQ | Sunset Park | 5:30 pm – 9 pm | Open |
| Thursday July 29 | Core Security | Sushi Roh | ? | Invite Only |
| Friday July 30 | Hacker Pimps | Riviera SkyBoxes | ? | Email pimpsparty at gmail dot com to RSVP |
| Friday July 30 | Tipping Point | Hard Rock | ? | RSVP |
| Saturday July 31 | IOActive Freakshow | Top of the Riviera | 9 pm – 1 am | Open |
| Saturday July 31 | 2010 DEFCON 18 Ninja Party | Courtyard at the pools | 9 pm – ? | RSVP |



Of Sec Cons and Magstripe Gift Cards


I've been meaning to talk about CONFidence and EUSecWest for quite a while, but May was such an intense month for me that it hardly left me any time for other things. I eventually got caught up with other matters, which resulted in me publishing this post about two months late.

I've been researching, pentesting, and preparing two different presentations, which I gave at CONFidence in Krakow and EUSecWest in London. pdp has also been busy presenting at AusCERT2009. In his Weaponry 2.0 talk, pdp discussed current challenges experienced by pentesters, shared some of his experiments (e.g. using QEMU) and introduced his Jeriko pentesting environment (NOT framework!).

My CONFidence presentation was on PCI DSS, and credit card theft from a pentester’s perspective. I attempted to explain why it’s possible for unsophisticated criminals to compromise credit card data. I also shared my frustrations with the PCI DSS standards, including some of its current weaknesses.

On the other hand, my EUSecWest presentation was on attacking magstripe gift cards, which appear to be on the rise in the UK. The core of the research is about cloning (activated) gift cards without physically swiping the magnetic stripes. Trust me when I say that there is a lot of truth in Dragos's tweet regarding this research! My EUSecWest slides have just been published. More details will soon be available in a white paper on the Corsaire Research website.

Thanks

I’d like to thank the organizers of these two great conferences, namely Andrzej Targosz from CONFidence and Dragos Ruiu from EUSecWest (plus their respective crews of course).

Also, special thanks to Corsaire who sponsored the time needed to prepare my presentation. I originally started my magstripe gift cards research about 3 years ago, but left it unattended for so long. If it wasn’t for Corsaire, this research wouldn’t have been resumed.

Last but not least, thanks to everyone who helped me prepare my presentations, such as Jan Fry, Amir Azam, pavlovs_dog, Monsy Carlo, etc.
