Category Archives: BSides Detroit 12

BSides Detroit 12 Interviews 24

Rats and Rogues: BSides Detroit wrap-up.So last week, after Bsides Detroit was over, some of us from #misec talked about it.

So join: LeonardJaimeStephenWolfgangJustin and Chris, as they recap the three days that made up Bsides Detroit. Yes, 3 days. We counted the dinner the night before.

You’ll hear about the two types of training coming to Michigan soon too.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 23

THIS WEEKEND!!! WE’VE MADE IT!!! The word on the net is they have sold 400 tickets.

But really you have to hear Wolf Interviewed this week. Wolf and Ray Davidson talk to this week’s guest, Mark Manning. His talk is on Jacking the Juke. What does that mean? Listen and find out. Here’s a hint: Ray’s got a strong background in RF.

Abstract: You’re sitting in a bar with your friends having an interesting discussion about an abstract security topic when suddenly Bon Jovi starts blasting from the jukebox with 10 screaming girls that distract you. You’re saying to yourself, “Self, I’d really like to turn that music off or at least the volume down.” Well you’re in luck because that jukebox is connected to the Internet, has a mobile app, and uses an RF remote control that transmits over shared ISM frequencies. All of which are fun to hack on. This talk will discuss some of the issues with a popular jukebox system and some of the things you can do. The presentation includes mobile hacking, network exploits, and an introduction to hardware hacking for pen testers all wrapped up in an old school hacking story line.

This episode is cross-posted at Rats and Rogues.


BSides Detroit 12 Interviews 22

This week Wolf and Leonard talk to Larry McDonald about his workshop. Larry will be putting on the BSidesDetroit Forensics Challenge.

This episode is cross-posted at Rats and Rogues.


BSides Detroit 12 Interviews 21

This week Chris and Wolfgang talk to Dave Kennedy. Normally people only ask him about SET and social engineering. While we did talk about those things, we were really interested in his Key Note talk about Penetration Testing Execution Standard (PTES). It’s about changing the industry.

Abstract: The Penetration Testing Execution Standard (PTES) was just released in its first draft form at DerbyCon 2011. Since then, there has been an overwhelming amount of input placed on changing the way the industry does Penetration Testing. This talk will cover what defines a penetration test, what they are used for, and how you can change the industry for the better.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 20

This week, Wolfgang and Chris talk to Mark Lenigan (@niteshad). Mark’s talk is called: Cyberwar: How I Learned to Stop Worrying and Fight the F.U.D. It’s a rebuttal to Richard Clark’s Cyberwar: The Next Threat to National Security and What to Do About It. Mark had some very insightful things to say.

From there, Mark talked about the other thing he’s doing for Bsides Detroit. He’s planning a Range Trip for Friday morning. Security Geeks with Guns. He talked about letting them know you’re a novice and the rules of the gun he lives by, more strict than the NRAs. Check it out, it’ll be worth the time.

Abstract: Richard A. Clarke bills himself as an expert on “cyberwar” (his prefer- red term for strategic and tactical use of network resources in a conflict) due to his service as an advisor to four Presidents on matters of national security. However, his treatment of this topic in his book _CYBERWAR: The Next Threat to National Security and What to Do About It_ is riddled with technical flaws, dubious assumptions, and ultimately potentially poor advice for our national defense of military, civil government and private sector networks and infrastructure. This talk will explore his ideas of risk from a more technical perspective, to give a more realistic evaluation of the risks of “cyberwar.” Examples drawn from real-world case studies, such as Fermi II Nuclear Power Plant and the Hubble Space Telescope (similar in design to military reconnaissance satellites) will be used to assess risk and critique Clarke’s ideas and conclusions.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 19

So after talking with Jen Fox, for episode 018, and learning of The Moscow Rules… Wolfgang and Chris decided to play spy. They found a burlap sack and snuck up behind Scott Thomas.

The next thing he knew, he was in the mobile podcast booth (Wolfgang’s car under the El) outside Bsides-Chicago. Scott is going to tell us about Dealing with InfoSec Flameout. This time it’s not the job that’s burning you out, it’s the studying outside of work while trying to break that InfoSec job mold. This started as a blog post and became larger than he thought.

Abstract. Burnout has many causes and is experienced by people at different stages of their career. This talk will start with exploring burnout in the infosec community and move to providing methods, including using social engineering techniques, to combat and eventually overcome burnout. It will cover examples of burnouts that the speakers have experienced and real life examples of how the speakers have dealt with burnout.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 18

While Wolfgang and Chris were at BSides Chicago,they found Jen Fox and got her in to a special mobile podcast booth under the El (Wolfgang’s car). Jen’s talk is on The Moscow Rules and how we should apply those rules to our work in InfoSec. What are The Moscow rules? You’ll have to listen and find out.

Abstract: Ever worked at a company with poor relations between IT and business? Ever been on the team that comes in for the second or third try at a failed project? Ever been a consultant or contractor at a company that is suspicious of outsiders? If you answered yes to any of these questions, this talk is for you. The Moscow Rules are said to be the rules used by spies operating in Russia during the Cold War to protect their lives and their missions. This talk adapts the Moscow Rules for the IT professional who needs to have ongoing interactions with the “other side” (business). Providing secure environments for our companies and clients depends upon our abilities as infosec professionals to work effectively with the people in our environments as well as the technology. In order to accomplish our infosec missions, we need to enhance our toolkit to include rapport building and consulting tradecraft.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 17

This week Josh Little is back as a host. Wolfgang and Josh talk to Prutha Parikh from Qualys, doing a technical talk. Last year Prutha found CVE-2011-4317, Apache Reverse Proxy Rewrite.

Abstract. This talk will discuss the Apache Reverse Proxy vulnerability (CVE-2011-4317) that I discovered while developing vulnerability signatures for Apache. Depending on the reverse proxy configuration, the vulnerability allows access to internal systems from the Internet.The presentation will start with discussion on reverse and forward proxies and look at some older reverse proxy vulnerabilities and patches. It will go into the thought process behind bypassing the latest patch to discover a new vulnerability to remotely gain access to the internal network. It will also describe the tools, techniques and ideas that went behind discovering the new variant of the vulnerability and constructing a proof of concept to exploit the issue. Along with exploring the root cause of the issue, it also talks about the issue from an attacker’s perspective and finally recommends protection mechanisms against the attack. The talk will also give the audience a peek into the process of vulnerability signature creation and discovering new vulnerabilities.I exercised responsible disclosure of the vulnerability to Apache and after the patch was released, I went public with my findings in a blog post. I will also share a standalone tool that will help system administrators identify the vulnerability in their environment.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 16

Week 16, hard to believe BSides Detroit is four weeks out. Don’t forget checkout the BSides Detroit page for the location. Get your tickets now!

This week Wolfgang and Chris talk to a guy from a Galaxy Far Far Away, from a Long Time Ago. Kellman Meghu. Kellman’s talk is “How NOT to do security: Lessons learned from the Galactic Empire.”

It is geeky, there is security gold in there. Lots of fun. He also likes to have conversations about it after the talk.

Abstract: An analysis of the strengths and weaknesses of the Galactic Empire security policy. This presentation seeks to conduct a post-mortem on the data security policy implemented during the events that led to the destruction of critical technology needed by the Empire for continued operational efficiencies. A history of the company, as well as a detailed look at the events that followed, provides a great working analysis that can be applied to your policy in hopes of avoiding the same fate. Learning from past mistakes, let’s ensure we are not doomed to repeat them, and potentially, suffer a similar fate.

This episode is cross-posted at Rats and Rogues.

BSides Detroit 12 Interviews 15

This week Chris and Wolfgang talk to Leonard Isham. Leonard is security practitioner and social engineer that travels 100%. He’s taken Leonard’s talk is about negotiating, during the hiring process. While they may not budge on the amount they’re willing to pay you, they may give you other perks. From Leonard’s point of view, we leave too much on the table because we don’t ask for it.

Abstract: Career 101: How to Unlock Achievements and Level Up. This isn’t magic or some scientific formula that you can purchase. It isn’t even an infomercial. It’s social engineering and there are steps that can be taken to increase your odds; build a proven track record moving forward in your career goals and the critical negotiation process.

This episode is cross-posted at Rats and Rogues.