Thursday, October 04, 2012

sector 2012

i wasn't sure i was going to post anything about my experience at sector this year. i mean, there comes a point at which you all must get it that it's a good security conference and you should all go, right? well, some thoughts were brought to the fore at the end that pretty much cemented the fact that i was going to post something about it so it might as well be within the larger context of my usual "this is what i saw/heard/thought at sector this year" post.

this year the conference was back in the metro toronto convention center's south building. that's where it was held the first time i went in 2008, back when sector was still small. it's grown considerably since then. before the conference i was thinking that i kinda preferred the old days when it was small. turns out part of that preference was a preference for the south building. sure, they may be sticking us in the deepest, darkest hole in toronto (actually, it's quite well lit) but the space is so much better (and the washrooms so much bigger - no more lines that stretch out past the door, with presenters begging to cut in line so that they can get things done and still make it to their own talk in time).

i pretty much avoided the vendor hall as best i could. unfortunately that meant i didn't spend much time checking out cool things like the lockpick village, but i really didn't feel like i had the tolerance for all that marketing this year. i will say, though, i thought symantec's choice of putting their name on a rubik's cube was  interesting. i don't know if it was their marketing department's intention, but associating yourself with something that seems like it should be easy but turns out to be fiendishly complex sends a really interesting message.

speaking of questionable marketing, dave lewis grabbed this shot of a flyer that was placed around all the tables in the lunch/keynote hall. in case you're not aware, in this context "flame" refers to the 'super surveillance software' that was apparently related to stuxnet. they're trying to say that their whitelist would have stopped flame, but since flame is said to have been able to spread through windows update and since people who use whitelists generally whitelist the binaries that come through windows update, i have a hard time buying their claim.

the first keynote of day 1 was an excellent talk about lawful access by law professor and copyfighter michael geist. like others, i found the statistic that ISPs handed over subscriber data voluntarily (without a court order) over 90% of the time to be pretty troubling, and i also think it genuinely calls into question the need for lawful access regulations. is that remaining few percent really worth trampling privacy without judicial oversight? i don't think so.

the first regular talk i attended was jamie gamble's talk about the vulnerabilities that time forgot. i was surprised to learn that this was actually a fairly *nix centric talk, and that while *nix had once earned a reputation of being much more secure than windows the reality now may well be the opposite because of all the advancements microsoft has made.

the next talk i went to attend was steve werby's talk about QR codes. unfortunately the talk didn't actually happen. however, i could already anticipate what some of the problems with QR codes probably were and charlie miller's lunchtime keynote on attacking NFC had a number of parallels to what i anticipated the QR problems to be. maliciously crafted QR codes that could exploit the reader code itself or QR codes that pointed to websites that exploit the browser.

that charlie miller keynote was quite entertaining, of course, but i can imagine some more creative ways he might have tried to surreptitiously read his friend's hotel key card than just holding his phone up to his friends arse as they walked around. maybe they wouldn't have gotten the phone into the 4cm range from the key, but even a low probability is better than the zero percent chance associated with not even making the attempt.

following the lunch keynote i went to gunter ollman's talk on threat attribution via DNS. i did this in part to test out a theory. when he blogs he mentions DGA (or domain generation algorithms) a lot, maybe even too much, and i wondered if that was going to come up in the talk. it turns out not so much. unfortunately he does seem to be somewhat softer spoken than a lot of the other presenters and when you combine that with the open door and people milling about and chatting outside the room it seemed he was unwittingly competing with background noise and not always winning. i may just give the video of the presentation a watch in spite of having attended it live.

after that i attended  michael perklin's anti-forensic techniques talk where i got a lot of ideas about what to do to make investigations too long and expensive to be of value if i ever turn to the dark side. also there were countermeasures, but i consider the chances of me performing forensic investigation even less likely than turning to the dark side. still, always interesting to hear about topics outside my usual comfort zone.

finally, for the last talk of day 1 i attended the introduction to web app testing talk by dave miller and assef levy. in part because i thought that it could be relevant to the day job and also because i wanted to get a taste for this new security fundaments track that sector was offering and this talk was slotted into.

as an aside, i think the introduction of the security fundamentals track points to the influence of the guys from the liquidmatrix security digest podcast, as they have a similarly named/themed segment on their podcast that i think really stands out compared to the other security podcasts i've sampled. unless, of course, the fundamentals track was introduced last year (when i didn't attend), in which case i suppose the influence traveled in the opposite direction.

day 2 of the conference started out with a keynote by jim reaves about global efforts to secure cloud computing. unfortunately, at that early hour and with that topic, i found my mind wandering to other things more often than not. i'll touch more on that soon enough though.

the first talk i attended on day 2 was jon mccoy's hacking .net applications, which was very interesting and i plan on sharing it with my collegues at work when it becomes available for viewing. thankfully jon handed out materials at the end of his talk so that i can share stuff before the video even becomes available (probably later today, or earlier today depending on whether one goes by when this is written vs when it's published).

after that i attended ed bellis' talk about the security mendoza line. it didn't really speak to me. oh well, you can't please everyone all the time.

the lunch keynote was kellman meghu's very humourous attempt to star wars into an allegory for security efforts within an organization. the empire, as you may recall, encountered some problems on their way to ruling the galaxy and there are a number of things they could have done better.

following lunch i attended steve werby's talk about busting hashes. in fact, i attended it twice - before and after the fire alarm was pulled (which seems like it could have been an excellent diversion for some nefarious activity). it was interesting to learn about how one actually approaches a task like that, as well as how cheaply it could be done using amazon.

finally, i attended chester wisniewski's talk about the blackhole exploit kit. this was the second talk from the fundamentals track that i attended and frankly i'm confused about it's classification as a security fundamental. for one thing, a single exploit kit is a very specific and narrowly defined topic for a talk classified as security fundamentals. further, in spite of being a student of the malware field for over 20 years, i still found a few things worth taking notes about. in fact, as i mentioned to chester afterwards, his talk was on par with malware related talks i'd attended in years past, before they even introduced the security fundamentals track.

now, i know some people may not pay much attention to which track a talk may be in, but i actually do and i suspect very strongly i'm not the only one. i pay attention because experience doing otherwise has taught me the value of  those classifications. talks in the management track bore me (i'm no manager), and i've found sponsored talks to be rather disappointing in the past. this new fundamentals track i'd interpret as being for when you know you're not strong in a subject that you want or need to know more about it, and the earlier fundamentals talk i attended about web app testing certainly bares that interpretation out.

so why did this particular talk (and i suspect the previous fundamentals talk on targeted malware, which i didn't get a chance to see but which at first blush also seems poorly classified) get put in the fundamentals pile? well, there are 2 main possibilities i can see. the first is that the sector folks got some really good non-fundamentals talks that they really wanted to squeeze in somewhere and they just happened to have space where the fundamentals talks were supposed to go. this certainly seems plausible, but in that case there really was no need to present them to attendees as though they were actually fundamentals just because they're taking up spaces that had been reserved for fundamentals talks. that just winds up giving people a false impression of what the experience of attending the talk will be like.

the other possible contributor is something i've actually seen a fair bit of in general security circles. there's an attitude or school of thought that says essentially "malware is old hat, we know this stuff already", and while that may be true for some, the fact that there are attendees, presenters (including this year), and even thought leaders who appear incapable of drawing even the most basic distinction between viral and non-viral malware and instead simply call everything viruses demonstrates pretty clearly that not everyone actually knows this malware stuff already. sure they're familiar with the malware phenomenon (who isn't these days) but there's a world of difference between familiarity with a subject and actually knowing it. i'm familiar with the television show "dancing with the stars", even though i've never watched it and can't possibly know very much at all about it.

and make no mistake, i'm not talking about obscure little details like the difference between keyloggers, screen grabbers, and form grabbers. viral vs. non-viral malware is one of the most basic and fundamental delineations you can make in the malware set. viral and non-viral malware are as different from each other as plants and animals - sure they're both alive and you can kill them both with fire, but the one that runs away is a heck of a lot harder to kill that way.

what i would like to see, what had my mind pre-occupied during the cloud security keynote, and what the introduction of fundamentals track made me think might actually work, is a true malware fundamentals talk - malware 101 if you will - because from my perspective it's needed. it's painful watching one presenter after another, one thought leader after another, one authority after another, all reinforce in the people trying to learn about security the mental model about malware that your mom and pop had back in the mid-90s. how effective has that mental model really been for your parents? has it empowered them to better control malware-related outcomes? i have a feeling it probably didn't, so is that really the mental model you want to foster at the "security education conference" of toronto?

unfortunately, confirmation bias and the dunning-kruger effect being what they are, i suspect any such fundamentals talk would fall on a lot of deaf ears (or not even be attended, as seemed to be the trend with fundamentals talks this year - they seemed to have the poorest attendance with the most walk-outs of all the talks i attended).