Security Conferences

It is my intention next year to attend at least a couple of security conferences, if not more.

Below is a list of the most established conferences, plus the ones I found attractive.

CSI

The largest information security conference on the East Coast is also the only security conference expressly assembling experts to challenge the status quo.

CSI thinks that we should forget about tweaking the status quo. We’re already well into a post-perimeter world but without a consensus on the strategic plan moving forward. It’s time to grapple with the issues and technologies that can radically alter the way security works now, and in the months and years ahead.

Site Link

Defcon

It’s the largest underground hacker convention in the world!

When: July 31 – August 2, 2009
Where: Riviera Hotel & Casino in Las Vegas, Nevada, USA
Cost: $100 (USD) NB. It’s cash only. (free if you’re a full badge Black Hat attendee)

Site Link

Black Hat

The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and timely, actionable knowledge. Black Hat remains the best and biggest event of its kind, unique in its ability to define tomorrow’s information security landscape.

When: Various
Where: Las Vegas, Amsterdam, Tokyo, Washington DC
Cost: Varies

Site Link

SecTor

SecTor brings the world’s brightest (and darkest) minds together to identify, discuss, dissect and debate the latest digital threats facing corporations today. Unique to central Canada, SecTor provides an unmatched opportunity for IT Professionals to collaborate with their peers and learn from their mentors. Held at the Metro Toronto Convention Centre in downtown Toronto, SecTor runs two full days. The event features Keynotes from North America’s most respected and trusted experts. Speakers are true security professionals with depth of understanding on topics that matter. SecTor is a must attend event for every IT Professional.

When: October 5-7, 2009
Where: Toronto, Ontario, Canada
Cost: Early Bird: $499, Standard: $749, Full: $999 (CDN)

Site Link

ShmooCon

ShmooCon is an annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks, One Track Mind. The next two days, there are three tracks: Break It!, Build It!, and Bring It On!.

When: February 6-8, 2009
Where: Wardman Park Marriott, Washington DC, USA
Cost: From $100-$300

Site Link

Chaos Communication Congress

The Chaos Communication Congress is an international, five-day open-air event for hackers and associated life-forms. The Camp features two conference tracks with interesting lectures, a workshop track and over 30 villages providing workshops and get-togethers covering a specific topic.

When: December 27th to 30th, 2008
Where: bcc Berliner Congress Center, Berlin, Germany
Cost: 130 € – 1500 €

Site Link

Toorcon

ToorCon is San Diego’s hacker conference bringing together the top security experts to present their new tricks of the trade and have fun in the sunny and beautiful city of San Diego.

When: September 2009
Where: San Diego, California, USA
Cost: From $120-$200

Site Link

HITB Security Conference

The main aim of our conferences is to enable the dissemination, discussion and sharing of network security information. Presented by respected members of both the mainstream network security arena as well as the underground or black hat community, this year’s conference promises to deliver a look at several new attack methods that have not been seen or discussed in public before.

When: Various
Where: Dubai, Malaysia
Cost: Varies

Site Link

Phreaknic

PhreakNIC is an annual gathering in Nashville, TN, for hackers, makers, security professionals, and general technology enthusiasts. Hours upon hours of both informative and entertaining presentations are given by volunteers and many areas are set up with the intent of encouraging socialization.

When: October 2009
Where: Nashville, Tennessee, USA
Cost: $25

Site Link

SANS

SANS provides intensive, immersion training designed to help you and your staff master the practical steps necessary for defending systems and networks against the most dangerous threats – the ones being actively exploited. The courses are full of important and immediately useful techniques that you can put to work as soon as you return to your offices. They were developed through a consensus process involving hundreds of administrators, security managers, and information security professionals, and address both security fundamentals and awareness, and the in-depth technical aspects of the most crucial areas of IT security.

When: Various
Where: Various
Cost: Varies

Site Link

Techno Security Conference

TheTrainingCo. is both new and old. As a corporation, it is the culmination of a dream that we have been sharing with people for the past decade. In that sense, it is new. We officially opened our doors in early 1999.
We are old in that the experiences of our senior staff are almost unmatched in their knowledge of the subjects being addressed at our conferences and speaking engagements. Every bit of that hard earned knowledge came as a result of years of highly specialized work and contact with thousands of people. Our two senior members alone bring more than one half of a century of pioneering efforts in the fields of Techno-Security and Cyber-Crime Prevention.

When: May 31 – June 3, 2009
Where: Myrtle Beach, SC, USA
Cost: $895

Site Link

CEIC Conference

CEIC offers lectures and hands-on labs delivered by industry-leading experts, which gives attendees the opportunity to learn the latest techniques and methodologies in computer forensics, eDiscovery, incident response and enterprise investigations.

When: May 17-20, 2009
Where: Loews Royal Pacific Resort, Universal Orlando, USA
Cost: $895

Site Link

IntrusionWorld Conference

The IntrusionWorld Conference & Expo is the forum for business and corporate executives, Industry, government, legal and academic experts that aim to present the state-of-the-art of the practice, emerging technologies in intrusion prevention. Peer-to-peer groups will help us understand the trends and confront the challenges inherent in today’s intrusion prevention technologies, products, systems implementation and risk management. Field practitioners will exchange best practices and lessons learned. Participants will share ideas and expand business and professional contacts during lunch roundtables, workshops, receptions and other activities.

When: May 2009
Where: Baltimore, MD, USA
Cost: $875

Site Link

The Last Hope

We all knew these days would come. The Last HOPE is the seventh Hackers On Planet Earth conference.

When: July, 2009
Where: Hotel Pennsylvania, New York, USA
Cost: $

Site Link

RSA Security Conference

In information security, you’re trained to expect the unexpected. Changes occur in a nanosecond. Stay on top by staying one step ahead — attend RSA® Conference 2008!
Join us for the most comprehensive forum in information security. Come learn about the latest trends and technologies, get access to new best practices, and gain insight into the practical and pragmatic perspectives on the most business critical issues facing you today.
Connect and collaborate. Build your professional network. And mingle with 17,000 of the industry’s best and brightest.

When: April 20-24, 2009
Where: Moscone Center, San Francisco, California, USA
Cost: From $1495 – $3295

Site Link

Info Security Canada

When it comes to your critical information – it’s not a question of if it’s at risk, it’s a question of when. Stay in front of the fast, ever changing information security curve, at Infosecurity Canada 2008, your first and best line of defense.

When: June, 2009
Where: Toronto, Ontario, Canada
Cost: TBD

Site Link


Secure Internet Browsing

Just read an article over at Internet News – Which Top Apps Have the Most Security Holes? – and to my surprise Firefox was right up there in first place.

I consider myself a pretty safe Internet surfer, doing the obvious and making sure that I do not visit a website that could put my PC at risk.

A long time ago, when I started to use Firefox and became a fan hooked on add-ons and tabbed browsing, I decided to continue to use Internet Explorer exclusively for banking. On the Firefox side I also take preventive measures, including a couple of add-ons which I think are critical. The first is Adblock Plus and the second is NoScript.

This practice makes even more sense now, although I constantly make sure that I keep up with security updates.

For enterprises, the fact spells trouble — especially since many of these apps slip in without IT knowing. Additionally, the news comes as businesses face growing security threats, punctuated by a slew of recent data breaches, while also contending with sharply reduced spending on IT projects.

What is surprising is that Microsoft showed up at number 10 with only Microsoft Windows Live Messenger. I have to say that Microsoft has done a superb job and mastered patch deployment, and as long as you have an Internet connection and automatic updates turned on you’re halfway there.

One additional measure I have decided not to take is to privatize my Internet browsing. A couple of popular practices are to tunnel your browsing through your home Internet connection in order to prevent your employer from snooping on or blocking web traffic, and to anonymize the traffic, either by going through a proxy or by using a product that rotates source IP addresses every time a connection is made (onion routing), making it virtually impossible to analyze the traffic.

Unfortunately, I believe that once you get online there is really no way to cover your tracks. Nothing is untraceable, and if someone wants to find you badly enough they will, so keep it legal.


It’s the IMF’s Turn at Being Hacked

Within weeks of the story breaking about the World Bank’s computer systems being breached by hackers, Fox News has reported here that cyber-hackers have broken into the IMF computer system.

The International Monetary Fund (IMF) is an international organization that oversees the global financial system by following the macroeconomic policies of its member countries, in particular those with an impact on exchange rates and the balance of payments. It also offers financial and technical assistance to its members, making it an international lender of last resort. Its headquarters are located in Washington, D.C., USA.

The IMF of course absolutely denies that the event took place. The spyware discoveries came at a particularly sensitive time for the international bailout institution, which along with the World Bank is expected to play a central role in trying to combat global financial turmoil.

This is too much of a coincidence in my opinion. Any information taken by the attackers will likely be used as leverage to blackmail the institutions rather than being made public to embarrass them.

In fact, the computer assaults on the World Bank and the IMF are only part of a rash of sensitive cyber-burglaries that even reached into the U.S. presidential campaign. Both London’s Financial Times and Newsweek recently reported that the computer network of the White House, and the Obama and McCain campaigns, were seriously breached.

The Pentagon claims the Chinese army has established units to develop viruses to attack enemy computer systems. Chinese hackers penetrated the Pentagon last year, in an attack that obtained e-mails from the system serving Defense Secretary Robert Gates.

Despite vigorous Chinese denials, “everyone in the intelligence community knows that China is the biggest player in cyber espionage,” says John Tkacik, a former head of China intelligence for the U.S. State Department. Tkacik told FOX News that later this month, President-elect Obama will be presented with a new top-secret National Intelligence Estimate (NIE) report that “will cause the scales to drop from his eyes” regarding Chinese cyber-espionage.

“What the Chinese are particularly interested in at the IMF is what loans the IMF is likely to give to other countries,” says Nick Day, a former British intelligence officer who runs Diligence, a private investigative firm that does extensive work for many international corporations and institutions.

“The geopolitics of this is that essentially you’ve got a few countries in the world that are stacked on huge foreign capital reserves — Russia, China, Japan, the Middle East — and the rest of us are pretty much borrowers to those lenders.


World Bank Hacked

Earlier this year, the World Bank suffered a server security breach in which hackers were able to compromise critical servers.

In what Fox News characterized as an “unprecedented crisis”, one of the largest repositories of sensitive data about the economies of every nation had been raided repeatedly for more than a year.

It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.

In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

In a frantic midnight e-mail to colleagues, the bank’s senior technology manager referred to the situation as an “unprecedented crisis.” In fact, it may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public.


The crisis comes at an awkward moment for World Bank president Robert Zoellick, who runs the world’s largest and most influential anti-poverty agency, which doles out $25 billion a year, and whose board represents 185 member nations. This weekend, the bank holds its annual series of meetings in Washington — and just in advance of those sessions, Zoellick called for a radical revamping of multilateral organizations in light of the global economic meltdown.

The bank’s chief information officer, Guy De Poerck, has engaged Price Waterhouse Coopers to do a confidential million-dollar assessment that is expected to tell him what’s going on in his own department.

What is very peculiar about this story is that no other news agency has reported the event and that Fox News was able to acquire internal e-mails and memos regarding the attack.
Jack Conde, Senior Enterprise Risk Management Officer at the World Bank, shared the extent of the breach with executives on July 10, here. According to the memo, at least 17 servers were breached and were slowly being taken offline to perform forensics.

The memo goes on to say what steps they will take in the future to prevent information leaving the network, such as implementing an outbound firewall rule that prevents connections from being initiated from within the network.

A major effort is underway to implement a firewall rule that will bar all outbound traffic from server networks to the internet with exceptions made for servers with a legitimate reason to make such connections. To this end, ISG staff is creating a daily report of traffic which will be vetted by ISG service managers and OIS to ensure that all exceptions are explained and justified. The rule will be implemented on Friday. This effort will curtail any data lost from production servers in the future.

This is a normal reaction to a breach, where measures that should have been in place were not, but any such action should always be considered carefully to determine whether it will actually prevent data loss or merely provide a false sense of security.

In the age of spyware, malware, keyloggers and Hamachi, the biggest threat to corporate data comes from within.

What would be achieved by a firewall rule restricting Internet access? Well, absolutely nothing when the servers have access to every PC on the internal network and those PCs in turn have inherent access to the Internet.

This particular situation, where the attacker was able to compromise in excess of 17 servers and go undetected for so long, can only lead to two conclusions. Either the security guys are clueless or the attacker or attackers knew what they were doing.
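To make the memo’s “daily report of traffic” and the gap just described concrete, here is an added example (my own illustration, not the World Bank’s, ISG’s or any vendor’s code). It assumes a server network of 10.10.0.0/16, a workstation network of 10.20.0.0/16, a small allow-list of justified egress exceptions, and a few constructed flow records; the documentation addresses 198.51.100.x, 203.0.113.x and 192.0.2.x stand in for Internet hosts. It classifies server-to-Internet flows as justified or unexplained, as the vetting report would, and additionally flags the server-to-workstation-to-Internet path that a boundary rule on the server network alone does not cover.

```python
"""Egress-exception report for a server network (added illustration)."""
import ipaddress
from dataclasses import dataclass

# Assumed address plan (not from the memo).
SERVER_NET = ipaddress.ip_network("10.10.0.0/16")
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Justified exceptions to "no outbound from servers": (src, dst, port) -> reason.
# The ticket id is a placeholder.
EGRESS_EXCEPTIONS = {
    ("10.10.1.5", "198.51.100.20", 443): "OS patch mirror, change ticket CHG-PLACEHOLDER",
}


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds, constructed
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent by src


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    """Anything outside the internal ranges counts as the Internet here."""
    return any(addr in net for net in INTERNAL_NETS)


def evaluate_flows(flows, exceptions=EGRESS_EXCEPTIONS):
    """Sort flows by time and bucket them:
    - justified / unexplained: server -> Internet, with or without an exception
    - lateral: server -> workstation (allowed by the boundary rule, but a pivot)
    - indirect_egress: a workstation that a server just contacted then sends to
      the Internet; paired with the server that touched it."""
    report = {"justified": [], "unexplained": [], "lateral": [], "indirect_egress": []}
    recently_touched = {}  # workstation ip -> server ip that connected to it
    for f in sorted(flows, key=lambda x: x.ts):
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in SERVER_NET and not is_internal(dst):
            bucket = "justified" if (f.src, f.dst, f.dport) in exceptions else "unexplained"
            report[bucket].append(f)
        elif src in SERVER_NET and dst in WORKSTATION_NET:
            report["lateral"].append(f)
            recently_touched[f.dst] = f.src
        elif src in WORKSTATION_NET and not is_internal(dst) and f.src in recently_touched:
            report["indirect_egress"].append((recently_touched[f.src], f))
    return report


def summarize(report):
    """Counts per bucket, the shape a daily report header would carry."""
    return {name: len(items) for name, items in report.items()}


# Constructed sample flows: one justified patch download, one unexplained server
# upload, one server -> workstation copy, the same workstation uploading a similar
# volume to the same external host, and ordinary workstation browsing.
SAMPLE_FLOWS = [
    Flow(100, "10.10.1.5", "198.51.100.20", 443, 2_000),
    Flow(110, "10.10.1.7", "203.0.113.9", 443, 5_000_000),
    Flow(120, "10.10.1.7", "10.20.3.44", 445, 80_000_000),
    Flow(130, "10.20.3.44", "203.0.113.9", 443, 79_000_000),
    Flow(140, "10.20.5.1", "192.0.2.10", 443, 1_000),
]

if __name__ == "__main__":
    result = evaluate_flows(SAMPLE_FLOWS)
    print(summarize(result))
    for f in result["unexplained"]:
        print(f"UNEXPLAINED server egress: {f.src} -> {f.dst}:{f.dport} ({f.bytes_out} bytes)")
    for server, f in result["indirect_egress"]:
        print(f"INDIRECT egress via workstation {f.src} (touched by {server}): "
              f"-> {f.dst}:{f.dport} ({f.bytes_out} bytes)")
```

The point of the last bucket is the one made above: once the rule is in place, the interesting line in the report is no longer the server talking to the Internet but the workstation that a server just wrote 80 MB to and that then pushes a similar volume outward, which a rule scoped only to the server network never sees.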

In plainspeak: “They had access to everything,” says the source. “They had the keys to every room at the bank. And we can’t say whether they still do or don’t until we fully and openly address what’s happening here.”

Now this is not a small business, a law firm, or a retail chain. This is the World Bank, so I am inclined to believe that the keepers of the data are professionals, and consequently it would be wise to think that the attacker is not stupid.

Having access to the servers that were compromised, and knowing that sooner or later someone was going to discover the breach, it wouldn’t be far-fetched for the attacker to create false accounts and personnel records to back them up in the SAP (ERP), HR and SecurID systems of the 10,000-plus employee organization.

This would give an attacker the capability to restore access once the breach was discovered and the containment plan triggered. Additionally, the attacker had gained system administrator access, giving access throughout the corporation and the potential to create backdoors into virtually any desktop computer in the network.

After FOX News published its story, a World Bank spokesman issued the following statement:

“The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context.

“Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these. But at no point has a hacking attack accessed sensitive information in the World Bank’s Treasury, procurement, anti-corruption or human resources departments.”

In the security field, you have to be paranoid and levelheaded, especially if you are working in an outfit like this.

Hey World Bank…. if you need a hand… drop me a line.
