Monday, October 7, 2013

Day 3 at DerbyCon 2013

As I return to trying to write-up my notes on DerbyCon 2013, I'm more amazed than ever at the efforts of Adrian Crenshaw (aka Irongeek) in getting all of the presentations online so fast.  He's already been posting presentations from his next security conference and I'm still just trying to write a few terse thoughts on the presentations that I saw over a week ago.  So, again I want to send out thanks for his contributions in particular, not just at DerbyCon but to the entire infosec community.  Thanks also to the entire staff at the conference.  It wouldn't have been possible without all of you.  Thanks especially to Dave Kennedy, his wife and family for their immense efforts in organizing the Con.  That takes a lot of work across many months.

Sunday was another good day at DerbyCon. Rick (Minga) Redman's presentation on Cracking Corporate Passwords started the day for me.  Intuitively, I think you're right, Rick, auditors should be auditing password quality on a statistical basis.  But, when you talk about going from 85% being easily cracked down to only about 65%, I'm not sure how this is actually going to help stop attackers.  I mean, if I only have passwords for 65 of your users I can still access a lot of stuff and quite possibly, everything that I want.  At best, I think we'll improve our odds of defeating the attacker by a miniscule amount.  In doing pentests, I think on only one engagement was I ever kept away from total ownership of the network by good passwords, and even in that case I got all the data I wanted.  Either way, I highly recommend viewing Rick's presentation.  It's very eye-opening for those of us trying to build good password policies and develop security awareness in our users.

Robert Salgado's talk on SQL injection was another highlight.  He gave a good synopsis on some of the techniques out there and presented quite a few methods I hadn't seen before.  He talked about firewall fuzzing with allowed whitespace characters and showed off the SQL Injection Knowledgebase, which was new to me.

Terry Gold's presentation on physical access control systems was the last big standout for me and came just before the closing ceremonies.  He covered a number of weaknesses in these systems and ways to leverage them for unauthorized access, including brute-forcing of card numbers.  I have a better idea now about the capabilities and differences between low- and high-frequency access cards.  Some other fun tools were shown.

While not as useful to me directly, the talk by Solomon Sonya and Nick Kulesza on the remote administration tool (RAT) they've developed points toward a lot of promise.  It has some really cool features and may be useful to you.

The presentation by Luis Santana on phishing on the tool that he's developed to automate these campaigns was also really good.  PhishPoll is a really nice addition to the pentester's tool set.

You can find all of the videos from these presentations on by just clicking the YouTube link at the very bottom.  Irongeek also has a good index with abstracts up on his site here:

Other links to people and things mentioned above include:

Any links to commercial sites does not imply an endorsement of specific products.  They're just a place to connect with the people that I found interesting and helpful.

Friday, October 4, 2013

How many auditors does it take to change a lightbulb?

Changing the lightbulb would be a conflict of interest for Audit.  In evaluating Management's lightbulb changing practices, 2 out of 20 sampled lightbulbs were found not to have been changed in a timely manner.  Additionally, 8 of the 20 sampled lightbulbs were found to have fingerprints on them, which has been shown to reduce the useful life of lightbulbs.  Based upon these findings, audit concludes that the design of the lightbulb management control does not include proper guidance for implementers.  Further, monitoring of troubletickets for lightbulb changes are not monitored to ensure timely resolution and issue closure.

The risk entailed with these control gaps is that insufficient lighting may lead to personal injury and financial losses to the organization.