ZOMG It’s OSINT Heaven
Speaker: “Tazz Tazz” (@GRC_Ninja)
The first session I attended was presented by “Tazz Tazz,” who discussed OSINT (open source intelligence) and posting personally identifiable information (PII) online. Tazz Tazz began by explaining the numerous times she’s encountered tweets of people’s credit card numbers – in many instances, the posters believe the number cannot be used without the CVV code, which is not true. She also made it clear that OSINT is not open source Internet, the Dark Web, or conducted with a “magic button.” It’s also not something that requires expensive tools. Tazz Tazz walked us through an interesting case study of how she was able to find out a plethora of information on a certain user, stemming from a single post. After leveraging several websites (many of them free to access), she was able to gather information on this person’s current and former employer, education, date of birth, home address, and much more.
I Forgot My Password
Speaker: Michal Spacek (@spazef0rze)
This session was targeted towards applications looking to strengthen their password-reset mechanism. There are several ways to go about this, but many of them are fairly insecure. Michal made some good key points for these applications to consider, from basic to more mature practices. He said a password-reset token should be 16+ random bytes, should expire in 1 or 2 hours, should be usable only once and should have the option to be invalidated. Furthermore, the number of attempts that can be made from a single IP address and for one username should be limited. Michal also noted that it’s important to use the right messaging when alerting a user that their password needs to be reset. Additionally, applications may want to think beyond a password-reset email and give users the option for more security, such as disabling the account, sending a PGP email or an OTR message.
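The properties Michal listed (16+ random bytes, a 1–2 hour expiry, single use, explicit invalidation, and per-IP plus per-username attempt limits) fit in one small token store. The code below is an added example written for this write-up, not code from Michal’s talk; the 2-hour TTL, the 5-attempt budget and the in-memory dictionaries are assumptions chosen to keep it self-contained.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 2 * 3600   # assumed: expire after 2 hours (the talk's 1-2 hour range)
MAX_ATTEMPTS = 5       # assumed: failed redemptions allowed per IP and per username


class ResetTokens:
    """Single-use, expiring password-reset tokens with per-IP/per-user attempt limits."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested deterministically
        self._tokens = {}       # username -> (sha256(token), expiry timestamp)
        self._attempts = {}     # ("ip", addr) or ("user", name) -> failed attempt count

    def issue(self, username):
        # 16 random bytes from the OS CSPRNG; issuing a new token replaces any old one
        token = secrets.token_urlsafe(16)
        self._tokens[username] = (self._digest(token), self.now() + TOKEN_TTL)
        return token

    def invalidate(self, username):
        # e.g. the user reports they never requested a reset
        self._tokens.pop(username, None)

    def redeem(self, username, token, ip):
        keys = (("ip", ip), ("user", username))
        # refuse once either the IP or the username has used up its budget
        if any(self._attempts.get(k, 0) >= MAX_ATTEMPTS for k in keys):
            return False
        entry = self._tokens.get(username)
        ok = (entry is not None
              and self.now() < entry[1]
              and hmac.compare_digest(entry[0], self._digest(token)))
        if ok:
            del self._tokens[username]   # single use: a replayed token fails
            return True
        for k in keys:
            self._attempts[k] = self._attempts.get(k, 0) + 1
        return False

    @staticmethod
    def _digest(token):
        # only a hash is stored, so a leaked token table cannot be replayed
        return hashlib.sha256(token.encode()).digest()
```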
According to Adam, this common scamming method goes back to the mid-90s. “It used to be ‘script kiddies’ running Visual Basic scripts or attackers posing as AOL admins via IM and email,” he said. So, why phish when there are numerous other attack vectors? Because it works! People are gullible, we want to be helpful and we’re also “unpatchable.” In addition, phishing has a high return on investment: it’s much easier to target 10–20k people for the same effort as targeting 10, 20 or 30 through other attacks. Lastly, phishing bypasses all the perimeter controls.
Social Media In Incident Response Program
Speaker: JoEtta LeSueur (@SheRaRox)
In this presentation, JoEtta discussed various strategies and tools to make social media an integral part of your company’s incident response. The first goal is to choose two social media apps that can be integrated into your IR program. Remember that monitoring these channels will require dedicated and trained associates, and you’ll need to configure the use of these applications around corporate needs. The second goal is to make sure these apps have a laser focus. Work closely with the legal department and discuss whether these would be run on your network or in the cloud. Think about what your backup would be if an unexpected outage were to occur. JoEtta suggested a number of social media tools to help with monitoring, such as:
- Crowdmap – used to collaborate on physical locations
- Trendsmap – monitor hashtag trends by location
- Topsy – used for Twitter hashtag analytics
- Snaptrends – monitoring and analytics for social media apps
- Tweetdeck – for scheduling tweets and monitoring accounts
- IFTTT – for simple multi-account recipes
- Netvibes – used to set up and monitor several social applications
FAA, FTC, FCC – FU: How Three F’ing Agencies Are Shaping InfoSec
Speaker: Elizabeth Wharton (@LawyerLiz)
The last talk was one of my personal favorites, presented by a very passionate Elizabeth Wharton. She discussed the three government agencies whose recent oversight and regulatory actions are slowly shaping the direction of information security research. Why have these agencies suddenly picked up an interest in cybersecurity? As Elizabeth explained, the answer is money, fame and political power – it’s all about big budgets. For example, after the FCC introduced net neutrality rules, it requested an additional 73 million in budget for the 2016 fiscal year. Until recently, these were overlooked agencies that didn’t take the headline approach. But now, these agencies are holding hearings, promoting themselves and even gaining a large follower base online.