Converge and BSides Detroit talks and slides

I had a great time at Converge and BSides Detroit.

This was my third attempt at going and I'm happy I finally got the opportunity to do so. The last two years I've had to cancel my plans due to life reasons. I did two talks this year. One at Converge and one at BSides. Both are linked below along with the slides for both talks.

How to kick start an application security program - Converge Detroit

I've given this talk at three other BSides prior to Converge. I feel like this is my best presentation of the talk so far. I will be giving it again at ShowMeCon in June.

Slides

 

The AppSec Starter Kit - BSides Detroit

This was my first time giving this talk. I thought it went well for its first attempt. It still needs polish. It will probably be a while before I give this talk again at a security conference. I made this talk to present at developer conferences. It hasn't been picked up, yet. I'm hopeful it will for some talks later this year.

Slides

This blog post first appeared on Exploring Information Security.

BSides Knoxville - May 5, 2017

I love BSides events. It's the simplest idea that has a tremendous impact on information security. A lot of work goes into each BSides event and there are over 200 of them worldwide. I've been to two this year already in Huntsville and Indianapolis. It was my first time attending each of those conferences (one of the perks of moving to Nashville). I had an outstanding time at both. I was afforded the opportunity to speak and make some new connections with people in the industry. I will be attending Nashville next weekend and speaking at two more next month: Detroit and Knoxville.

What I love about BSides is that each one is unique. Huntsville is in rocket city. It is one of the simplest and well run conferences you can go to. The area is a lot like Augusta. Not much around, but a lot of really smart people. Indianapolis is similar in nature and quite possibly the most laid back. It's located at a culinary school and I ate pastries all day. Nashville feeds its attendees with catered (YES CATERED!) barbecue from Martin's BBQ. I'd put the lunch up against any conference anywhere. I will be heading to Detroit next month for that BSides which coincides with Converge Detroit. I've bailed on the organizers two years in a row due to life-changing events. Not this year, though! Flight and hotel are booked.

Knoxville is another new conference for me this year. It's already turning out to be quite the unique experience for me. I am speaking at the event, which is a bit of an outlier for me. I've submitted to three different conferences in Tennessee and BSides Knoxville is the only one that accepted my submission. It's fulfilling that dream and my dream to have a walk up song.

I'm a big baseball fan. My dream of coming out to a walk up song in professional baseball died a long time ago. In my adulthood, I've thought about what walk up song I would choose if I were given the opportunity. That day has arrived! Along with my presentation acceptance email were instructions on sending in my preferred walk up song. I only get 20 seconds, but that's all I need.

I started thinking about all my favorite songs. There were too many to make a choice from. I decided to take to Twitter to ask for suggestions. I got some really great responses. I also took the question to ColaSec, a security user group in Columbia, SC. My talk is on kick starting an application security program, so I took the question to the development team I work with. I got some really weird and interesting responses. I had about 20 potential songs, so I made a survey. From there I picked the top three and created a Twitter poll.

If you have Twitter I'd love for you to vote and share. I like all three songs in the poll, so I will absolutely use the poll winner for my walk up song. If you're going to BSides Knoxville I would highly recommend planning your schedule. It helps the organizers place talks in rooms and time slots. From talking to several organizers of security conferences, scheduling is one of the most frustrating things. This will make scheduling easier for the organizers of Knoxville. They're putting on an awesome conference at a ridiculously good price. It's the least you can do.

If Knoxville is in your plans May 5, 2017, hit me up on Twitter and let me know you're attending. Or walk up and say "Hi!" (I don't Twitter at conferences anymore). I'm really excited for the conference and hope to see you there.

This post first appeared on Exploring Information Security.

Impressions from BSides Nashville 2015

For the second year in a row, I traveled to Nashville this past weekend for its local BSides security conference and like last year it was a wonderful conference to be a part of.

I took my camera again this year and I will have pictures from the conference before the end of the month is out. I've got school to wrap up and several other things going on the next couple weeks. Time is very much at a premium for me right now, but I wanted to take a quick moment to highlight a couple of good things that happened at the conference.

First, I met several wonderful people this year, including: Amanda, Tim, Brett, Shelby, Frank, esSOBi, Adrian, and many many others. I also got to interact a little more with Lauren and Geoff and the rest of the BSides Nashville organizers this year, which was a treat. Putting together a security conference is a lot of work and they did a very good job again this year. I am already looking forward to next year.

The talks were again fantastic, though I didn't get to sit in as many as I did last year. A green track was added to the conference this year and it was completely packed for all the talks. There is a lot of interest in information security right now and there was proof in that track. I hope more security conferences, and in particular BSides, take note and start catering talks and content to people just starting out in security.

The one talk that stuck out to me the most was Johnny Xmas' "That's NOT my RJ45 Jack!: IRL Networking for Humans." The description is in the link and the talk is embedded below so I won't get into what makes the talk great. You'll just have to watch it. The one thing I will say is that this talk isn't just for security professionals. It's for professionals in general.

Watch it!

Almost forgot, the food was amazing again this year!

This post first appeared on Exploring Information Security.

BSides Nashville video project

I will be traveling to Nashville, TN, to attend BSides this weekend. For the second year in a row I will be running around the conference taking pictures. I'll also be shooting video this year, as part of my final project for a cinematography course I'm doing.

The idea is that I want to show hackers in a more positive light via a documentary style. The project is only required to be a few minutes long, so I won't need a ton of footage. I would like to set up some interviews beforehand with some people to ask them what the term "hacker" means to them. I also want to set up some interactions to shoot that highlight some of the words people use in their interview. For example, words like family or community, I can use shots of people hugging, high-fiving, etc. Curiosity and a desire to learn I can use lock picking and shots of people in talks.

This is going to be a very fluid thing so I'd love to get the interviews done, then move onto getting shots of the conference. If anyone would be willing to help me with either item, I would very much appreciate it. Email me at timothy.deblock[at]gmail[dot]com.

This post first appeared on Exploring Information Security.

Impressions from BSides Augusta

Simply awesome!

What a great BSides event. Not only was it a short drive for me, but the event itself was top notch, all at the fantastic price of free. I can't gush enough about how great of an event this was. Excellent talks, great location and wonderful people. I volunteered for the event and you can read my experience from that as well as a rant about how awesome volunteering is by clicking <------- this link.

I love that this BSides decided to go with a blue team and a red team track. It helped define some of the talks that might not have been apparent in the title or in the abstract. Full disclosure: I'm a blue team guy and thus spent most of the day in the blue track. I hear there were some fantastic red team talks like Tim Tomes', The Adobe Guide to Keyless Decryption:

But there were also some fantastic blue team talks like Tim Crothers', Techniques for Fast Windows Investigations:

Or Chris Campbell's, Using Microsoft's Incident Response Language:

What I loved in particular about this talk was that Chris spent the majority of his talk going over actual code and techniques, which is not something I see a lot of talks doing. If you're interested in PowerShell, have it up while you're watching this talk.

There's also Chris Sanders' talk Defeating Cognitive Bias and Developing Analytic Technique which kicked off the blue team track:

Finally, Mark Baggett closed out BSides Augusta with his awesome talk Crazy Sexy Hacking:

These talks were the ones that impacted me the most. Everyone is going to get something different out of each talk. I would recommend you check out all the talks at the BSides Augusta YouTube channel. I don't think you'll be disappointed.

One other awesome thing happened at BSides Augusta in that the local media showed up announced and took footage of the event as well as conducted interviews with some of the organizers of the event. This is not just a good thing for BSides Augusta, but the infosec community as a whole.

We must present ourselves to the world as professionals and BSides Augusta did that very well. I look forward to more BSides, especially at Augusta.

This post first appeared on Exploring Information Security.

Volunteering at BSides Augusta

This past weekend I got an opportunity to volunteer for my first BSides event and I did it at BSides Augusta, which is the closest BSides event to me (approximately an hour away). When I initially signed up to volunteer I was happy to find that I was put on a waiting list. It's pretty awesome that an event that doesn't cost anything and relies heavily on its organizers and volunteers didn't initially need my services. That changed a few weeks later when I was notified that I would in fact be needed.

I left the house just before 6 a.m. this past Saturday to make it to volunteer orientation at 7 a.m. I showed up and was instantly put to work setting up signs and making sure everything was prepared for the blue team track speakers. BSides participant registration quickly followed and soon after that we were off.

After the initial setup we were free to go to any talks and roam around wherever we wanted to. If someone needed a volunteer they would come find us. I was assigned the duties of helping out the blue track team room, but another volunteer expressed interest in helping out in the room as well, so I ended up splitting time with him. He took the morning sessions and I ended up with the afternoon sessions. This gave me the opportunity to spend my morning walking/running between the blue and red team talks.

When I was working in the blue team room I made sure the speakers got the microphone and computer set up and helped with anything else the track organizer needed. After the conference was over, the signs that were put up in the morning were taken down and I ended up walking around making sure everything was collected that needed to be collected.

The great thing about most security conferences is that they're recorded and BSides Augusta was no different. At this event they were able to acquire the services of Adrian Crenshaw AKA Irongeek to record all the talks. So you really don't need to go for the talks. Instead you can go for the opportunity to make a connection with other security professionals and volunteering, as it turns out, is an excellent way to make those connections.

Doug Burks ran the blue team track and Mark Baggett ran the red team track. Doug is the creator of Security Onion, which is a Linux-based network security monitoring tool. Mark is the owner of In Depth Defense, an author and former Chief Information Security Officer (CISO). Both are SANS instructors and I got to work with both of them and even chat with them a little bit. Well, I didn't chat with Mark a whole lot, but he did mention that he had seen my tweets before (WHAAAA???).

Those were two of the many people I got to meet this past weekend. I also got to meet Joanne Sexton (the volunteer coordinator and assistant professor at Georgia Regents University), Lawrence, Phil, Chad, Warren, Don and many others working and participating in the event. Because I got assigned to help out with one of the talk rooms I also got to interact with several of the speakers such as Chris Sanders, Chris Sistrunk, Mike Reeves, Tim Crothers, Chris Campbell and Jeff Murri. All of these guys have a wealth of knowledge and experience within the information security community. I'm not exactly besties with any of them, but I have made a connection and I am following and being followed by several of them on Twitter now.

By the way, Twitter is fantastic for events like this. Not only do you make connections but you can help promote the event and the infosec community by tweeting about some of the cool things happening there. I had over 50 interactions with people via tweets, mentions, retweets and favorites during and hours after the event. If you're an infosec professional (or in any profession, really) you should be on Twitter. You don't have to tweet anything, but there's a lot of smart people you can follow. If you do tweet you can start making a connection with the people you do follow.

Volunteering is something very near and dear to my heart. This was my fourth BSides event, but the first in an official volunteer capacity. The previous two BSides I participated in, Nashville and Asheville, I volunteered my photography "expertise." Those two events benefited me in allowing me to refine my photography skills as well as make connections with the event coordinators. I am currently helping Ed Rojas (BSides Nashville event organizer) with starting up a new security podcast as well as interning this Spring with BSides Nashville. When you volunteer you get just as much as you give.

Up until recently I've been volunteering at my church for the past three years. Every other Sunday morning I would get up and be at church by 7 a.m. I would then spend the next five and a half hours helping produce three services. Through that I've been able to gain WordPress, Mac and sound design experience, but I've also made connections with other volunteers, musicians and sound engineers. In fact, the music for most of my podcasts comes from the sound engineer I was working under as a volunteer. The fence in my backyard was built by another volunteer who runs his own business.

Volunteering is a wonderful thing: You not only give back to a community or a cause, but you also get back just as much if not more. Don't be just a consumer of your hobbies or profession, be a producer. And if your hobby or profession is information security give back to a BSides event near you. You won't regret it.

This post first appeared on Exploring Information Security.

Terrifying 'Hacker Summercamp' links August 7, 2014

BSides Las Vegas - Incidents happen, react and learn from them - Dan Raywood - IT Security Guru

Adam Shostack opened the BSides Las Vegas conference with a talk titled "Beyond good and evil." The gist of the talk is to be more open about incidents that occur within the organization. The idea is that the transparency will not only benefit the breached but also those looking to learn from a breach.

Black Hat 2014 and Media Fud - Bill Brenner - Liquidmatrix

Read this and you'll understand why the word 'terrifying' led the title of this post.

CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them - Kim Zetter - WIRED

In the opening keynote at Black Hat, Dan Geer suggested, among other things, that the U.S. government buy up all the zero-day vulnerabilities and release them to the public. This would allow companies to close a lot of vulnerabilities in their software and applications. I like the idea, I just don't think we'll ever see it happen.

This post first appeared on Exploring Information Security.