
AtlSecCon - 2017 Findings Pt. 2

This is part 2 (day 2) of my review of Atlantic Security Conference (AtlSecCon) 2017. Click here for Part 1. A few items that have been mentioned and are worth investigating: ZAP, OSQuery, Komand and ThreatStack.

Opening Speaker on Day 2:
This was an interesting speech titled "Move Fast and Fix Things" by Jen Andre. The long and short of it was her explanation of how she was previously an entrepreneur and has assisted in startups, and how to start a proper security startup. The biggest takeaways are:
- Search for a scalable business model
- Start with a problem, not a technology
- Make it minimalistic and viable
- Know that your solution, and possibly your problem, will evolve.
- Don't boil the ocean.
- Early Adopters are awesome, as they provide a crucial role in development.
- Startups != the only path to innovate in Security.

Speech 1:
This was a speech outlining some of the Security and Cryptography laws within EU/Canada/US. This was provided as non-legal advice, so take the rest explained here as the same:
- UK has the Snooper's Charter.
- US has the Burr-Feinstein Bill.
- EU has the General Data Protection Regulation (GDPR).
- Canada has the PIPEDA Act, and ISPs cannot collect users' data without a Lawful Access request. Bill C-13, known as the revenge bill, simply put says that you cannot distribute unauthorized photos on the internet; with it, the definition of data has also changed from something that can be understood by a PC and/or other devices. Also included: if you have a decryption key, you may be forced to give it.
- Discussion also came up about what happens if you forget your "decryption key".
- Indirect access, such as US going into CDN, or CDN into US: if you do not agree with Border Crossing, they can explicitly deny you access.

Speech 2:
"Websockets are going to change the Pentesting Community & HTTP/2" was the second speech of the day. It outlined how WebSockets work, how they are exploitable, and how they go under the radar of most UTM devices; there is also a lack of tools today that can be used for WebSocket testing. HTTP/2 was also covered: it is a new HTTP standard with built-in encryption and bi-directional, full-duplex communication. QUIC was also mentioned.

Speech 3:
Barbarian's at the Gate(ways) was an interesting discussion around tools and items that were used against Akamai and similar cloud/CDN services, discussing LOIC/HOIC, Brobot, Mirai's hack and Boosters/Stressors. Also suggested were reports such as the State of the Internet Report (released by Akamai) to view new/interesting threats that may be coming out.

Speech 4:
This screenshot. That is all.



Speech 5:
How I stopped worrying and loved the cloud - This was a great speech outlining some of the self-healing and containerization that can occur with Docker and similar container applications.

Closing Keynote:
Scam School's Brian Brushwood did the closing keynote, which sent the rest of the session over the top, explaining some Social Engineering tricks and recommending some books, "Psychology Influence of Persuasion". Social Engineering takeaways:
- 3 Keys:
 - Liking
 - Reciprocation
 - Authority
- Whoever is asking the questions controls the conversation.
- Social Proof is the simple concept that if someone believes that it is good, then the masses will also believe. (Fake book hits Apple's Top 10 eBooks.)

...Until next year.
