The Derby Rolls On

Ok, second day not quite down, but wanted to get this out before the evening festivities begin.  So many great talks and too little time…  A few of the highlights:

– Tactical Post Exploitation with Carlos Perez (darkoperator).  This is is a topic that I’d like to see gather some really good steam.  This was a great subject to go over as many of the talks focus on the post exploitation pieces of pentesting.  It’s always great to show how you got in, but for me the meat and potatoes is showing what you got and could do with it.  As management and many Information Security Officers become more complacent with their networks becoming more secure through penetration testing and vulnerability scanning, they’ll become even more lax with the data security pieces.  As we all know they like a good show and tell because they tend not to believe what their security team has been telling them for years.  Oh, and because firewalls make an impenetrable wall of steel to keep out the huns, H4x0rs, and baddies.  After the talk it further enamored me with the idea of becoming a modern day James Bond and getting the goods, the girl, and the getaway all with a smile and a martini; shaken, not stirred.  This talk just solidifies my thought of all of the standard OS tools that we tend to ignore as security/pentest professionals to get more information on the target outside of what is normally presented (e.g. IP addresses, database names….).

– The Dirty Little Secrets They Didn’t Teach You in Pentesting Class with Chris Gates and Rob Fuller (carnal0wnage, mubix).  Both of these guys were awesome and covered quite a bit of material in a very short amount of time.  Again this talk had a bit more focus on the post exploitation aspect of the test rather than on how to exploit.  The fact that they did talk about the extension of the current toolset within Meterpreter and some of the other tools and techniques that they use was extremely valuable.  Again, the extensibility of the tools to provide additional information on the targets versus just obtaining the information of what was compromised and how is going to become more important to prove out that the soft chewy center needs to be hardened just as much as the perimeter.  It’s like that old Tootsie Roll Tootsie Pop commercial with the owl:

Boy: Mr. Owl, how many licks does it take to get to the center of a Tootsie Roll Tootsie Pop?
Owl: I’m not sure, let find out… A one, A two, A three, crrruuuunch! A three.
Boy: *Scowls*

Now put management into the role of the boy and security as the owl.  Hmmmm….. eerily it fits all to well.  Okay enough on that tangent.

– I spent sometime in the Lock Picking Village and Hardware hacking room as well.  The 3D printer was incredible and so was the robotic pony!!!  It’s amazing to see what happens with art meets technology.  I spent the majority of my time learning how to pick locks.  All I can say is that the movies make it all to easy.  I spent a fair amount of time trying to unlock some of the locks at the table in the middle of the room.  After reading the directions selecting my lock, positioning the tensioner and inserting the rake, I went to work.  Applying that tension ever so slightly and operating the rake so that the pins would align and lock in the down position was a bit difficult at first but the more I jiggled and moved the rake back and forth the pins started to fall.  Alas, the final pin the back was not complying!  I kept at it for quite a while before moving onto a much easier set of locks to gain some confidence back that I could to it.  Once I did those I went back to the original lock that I started with, the same one that many others had even said was tough.  Just like the beginning of that song “Rock and Roll Fantasy”… I feel the pins drop, one, two three… and that’s where the song ends.  While I did keep at it for quite a while I still couldn’t “pop the lock”.  With head held high and with what pride I had left, I told everyone good bye and promptly sought out a barley pop.

With day two coming to a close, I”m going to attend a few more talks for the day and then head out for dinner.  If you didn’t make it out for DerbyCon all I’ve got to say, “you missed out sucka!”.

M, I’m coming in.  Have Q get the Astin Martin ready for the evening operation. Thanks, J.

Advertisements

DerbyCon the beginning…

I have to say without a doubt that the first day at DerbyCon was tremendous!  Everything seemed very well run from the beginning and organized.  The Hyatt Regency has very nice conference facilities that are easy to access; literally just through the main entrance.  It’s also nice having the track rooms and other activities (Lock Picking village, Hardware Hacking, Vendors) on the same floor and accessible within an extremely short walk.  Some of the sponsors of the event such as Accuvant, fishnet security, Rapid7, No Starch Press, and Syngress were onsite.  Enjoy the venue for now, I suspect as it continues to grow in popularity a much bigger space will need to be found.

Even though Black Hat and DefCon were just last month the presenters had fresh and new material that had not been seen (at least that I can recall).  It was also nice only having the one track to choose from to ease one into the cornucopia of security goodness that will occur over the next few days.  A few notable moments and observations:

  • Those attending the con seem to be much more of the Black Hat crowd, the 30-something security professionals (there were a few mohawks out there but not many).
  • Dave Kennedy, Adrian Crenshaw, Martin Bos have pulled together the “who’s who” in information security for this event.  There’s not a talk on schedule that doesn’t pique my interest!
  • The venue is excellent for the inaugural event.  The audio/visual was excellent and there were no technical mishaps or outages during the technical presentations.
  • Seeing the Adaptive Penetration Testing session with Dave Kennedy and Kevin Mitnick may have been the icing on any Fanboy’s proverbial cake.  To see both present and then Dave reveal the new changes in the SET by performing a demo was awesome and I know made many anxious for the updated release this weekend.

There was one talk that really stood out and that was Johnny Long’s Hackers for Charity update.  It’s interesting and refreshing to see the community aspect of the Con.  With so much individual projects and presentations, to actually see what the Security and H4x0r community can accomplish for a great cause is very inspiring.  This is not the only Con to have this type of presentation for a need in the community but again, to hear of the scale and difference that people are trying to make with their skills, time, and resources is truly astounding!  I’m also impressed that regardless of the religious beliefs of Johnny that individuals can see that what he’s doing is much more than a calling for him.  Providing the Ugandans with food and a valuable skill, they are not only giving them a lively hood, they are giving them hope for a better life which they are realizing with Johnny’s non-proft and others that are linked with his group.  Another extension of what he’s doing can be found at InfoSec Without Borders.  This is an initiative to help charities and non-profits with their information security needs.  I hadn’t given it much thought in the past or even realized that non-profits don’t have the staff or ability to help secure their assets and data.  This struck me just as hard as what Johnny’s non-profit is doing in Uganda.  Both of these really have me wanting to give back both in time and money and I will definitely be reaching out to see what I can do to help.  I hope that others step-up and consider volunteering or donating to these worthy causes.

Great first day!  Heading off to the Accuvant party at the Maker’s Mark Lounge on 4th Street for some frosty adult beverages and a chill night.

Get ready for the ride, the next two days are gonna be off the hook!

  • December 2017
    M T W T F S S
    « Apr    
     123
    45678910
    11121314151617
    18192021222324
    25262728293031
  • Categories

  • oddjob

  • Enter your email address to follow this blog and receive notifications of new posts by email.

    Join 60 other followers