Rookies, Blue Pills And Mars Bars – BSidesLondon 2015

With InfoSecurity (I had a great time) almost done for another year (more later), Wednesday was BSidesLondon day.

Riding into town on the tube (I got a seat!) I reflected on years gone by – the first BSidesLondon was the first conference I ever attended – and how things had changed.

Gone were the nerves of yesteryear and the nagging thought that I was crazy going to an event where I didn’t know a single person (thanks to Jav, Andy and Suggy for making me feel welcome that day), replaced instead with a feeling of excitement, knowing how many friends, new and old alike, would be there.

So, to cut a boring journey short, I arrived at West Brompton and made my way to a venue I was familiar with, having attended the 44CON Cyber Security event at the end of April.

Unlike previous years where I’d always attended talks on the main tracks, I decided to spend most of my time on the Rookie track, primarily because Neha Thethi (BH Consulting), Sarah Clarke and Richard De Vere (met the previous day) were all taking the plunge and losing their respective conference virginities.

After sharing a quick hello with Jenny Radcliffe and Pinky Barker, it was time for the first talk by James Burns who made some good points about how Blue Teams often fail to succeed.

Moving on, James highlighted how Blue Team success was often not deemed to be newsworthy and how there was a perception that team members had embarked upon a career that was in some ways ‘not cool’ or ‘sexy enough’.

But it’s not all bad – he also pointed out how Blue Team members could be a good fit when crossing over to Red Teams and how a sharing of knowledge, information and work could help both defensive and offensive teams to upskill quicker.

James also made the point that a motivated, mature team can speed development of staff and add value to their organisation, though their role is still, in his opinion, undervalued by the community at large.


Next up, Neha Thethi.

I was especially interested in Neha’s talk, given that she works with Brian Honan, and I have to say she did very well indeed… from what I could hear.

Neha offered a more technical piece – on forensics, including the methodology and the challenges one could face – than many others on the Rookie track, but the fact that I was near the door (a constant source of annoyance all day) did not help, as the constant banging prevented me from following her properly.


Fortunately, Sarah Clarke was up front and she confirmed that Neha was most excellent. Well done Neha (ably assisted by Wendy Nather).

After a quick break Sarah Clarke was on. Following on from her mini-speaking debut at IP EXPO, Sarah self-assuredly demonstrated her growing list of skills by delivering an excellent talk accompanied by She-Ra(?), Status Quo and FUD slides in combination with a video only she could have found.


Taking an alternative look at how security ‘wants’ often outstrip security ‘needs,’ her penultimate slide left us all wondering if it was TEA (trust, empowerment and accountability) that we were looking for.

As time flew by I was suddenly faced with a choice – Stephen Bonner (who is always superb) or take a break and stick with the Rookie track to catch Richard De Vere.

Crossing my fingers, I took a chance and passed on “OpSec vs Attribution – the Hollywood view” in the hopes that Stephen repeats at the RANT Conference next month.

So, after waiting until midday, it was finally time to see Richard De Vere’s talk about real social engineers.


Given the title, Richard’s presentation wasn’t quite what I was expecting but that’s not a bad thing – he was very good indeed.

After a quick exploration of his background, ex-plumber Richard explained how he became a social engineer – employing his antisocial personality disorder traits to his advantage – not to exploit or manipulate people, but to make them safer.

After mentioning how he used his skills to walk equipment out of a bank he then veered off into 419 scam territory, explaining the thinking of those behind such phishing scams.

While many of us may think the perpetrators of such crime are just after our cash, Richard explained how many West Africans are actually brought up to believe that the western world “stole their money,” and so the retrieval of funds from gullible foreigners was actually in some ways a noble profession.

Using ‘Sakawa’ or ‘Ju Ju,’ the people behind many of the phishing emails hitting our inboxes are, according to Richard, mixing internet crime with black magic in order to accomplish their aims.

Many rituals and dead chickens later, the more successful scammers achieve money and, with it, power that then leads them to assert their authority in the African nations they come from.

It's a problem that's not likely to go away any time soon: Richard says we can expect to see these guys develop their relationship skills further in the future as they sharpen their tactics with the implementation of more and more social engineering.

Overall, I thought Richard’s talk was the best of the day, even if it wasn’t quite what I thought it was going to be.

After a break for lunch, during which an interesting conversation developed between a young lad looking for blue pills (I won’t embarrass the enabled courtier by mentioning his Twitter handle) and a medical sales professional (thanks for blagging me a coffee on Tuesday and the subsequent messages you sent me), it was time to go and see one of the big boys.

Unfortunately, none were around so I had to settle for Javvad Malik instead.

Kicking off with an excruciatingly bad video (the Hoff in Kung Fury), the self-styled legend then began to entertain with an insight into his security background.


Back in ’99 the fresh-faced future security star was employed in security operations as the hoo-ha about the Y2K bug began building.

After single-handedly saving the world from that potential disaster, he went on to work in an environment many of you will likely be familiar with – policies, policies and more policies.

Using the same monkey analogy as Thom Langford (he may have also bashed some AV companies at this point but I cannot remember which ones!), Javvad explained how passwords were routinely changed every 90 days, not so much for any particular reason, but just because.

In a world of chocolates and asking your colleagues if they’d been working out, the policy was king whilst its inflexibility was almost as legendary as our man himself.


Javvad then went on to talk about his early experiences with auditors – something that seems to have left him with a deep feeling of distrust – and how his life was changed following a conversation with the blue pill guy about the “audit box.”

Say no more.

Running out of time, Javvad then branched off into other areas, including separation of duties, privilege identity management (post-it notes, pens, envelopes, sellotape and passwords) and his experience of using scripts and how that bagged him a certificate of recognition.

He then finished off with an interactive exercise in which he got the audience to declare their acceptance of risk – there was of course a business vs. security message in there.

How much of what he said was true I don’t know, but it was entertaining!


As the day drew to a close it was time for my last trip to the Rookie track for a presentation on ethical disclosure and reporting.

The speaker was Aiden Mitchell, a name I’ve not previously come across, but many people I spoke to during the day had told me he was a rising star so I went to check him out.


Aiden told us how “Responsible, open and ethical disclosure leads to more secure services and applications for everyone. Failure to support, respect, and encourage security researchers creates distrust and helps to fuel the market for the sale of vulnerabilities to unethical, though not always criminal, interests” as he bashed the role played by certain “3 letter agencies”.

I admire his stance but, based on conversations held outside the room, I have a feeling that his views on, for example, corporate scanning of internal email, may hold him back in the future.

While it would be good to think that Aiden could bring about change on his own, it isn’t going to happen – we either need to see many more people like him or massive change at the top end of organisations.

That said, he has his own ethics and I say good luck to him.

Following Aiden’s talk I retired upstairs to chill out a bit and listen to Chris Boyd talk about corporate writing.

I have to say that Chris came across as a very accomplished speaker (as expected) and I was really enjoying the workshop (despite not getting a Mars Bar) until I had to leave early to get to the Security Bloggers meetup over at Olympia.

Overall, I thoroughly enjoyed BSidesLondon yet again (I’ve been every year) and the Ilec Centre was a great venue. The food wasn’t as good as years gone by but everything else was better.

Having spent a considerable amount of time on the Rookie track it is clear that there are many up and coming speakers who will undoubtedly go on to bigger and better things.

Good luck to them all.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.
