I just came back from Amsterdam where I presented my keynote "Security Chasm" at Hack In The Box 2010 conference European debut. Both the keynote and the entire conference were a lot of fun - but then again WTH do expect from an event in Amsterdam? Below are my notes from the event.
It is worthwhile to note that I was the first speaker of the first day, which put some extra responsibility onto my shoulders. The main theme of my speech was that we have essentially two "securities" - one where people do paper risk assessments, "align strategy" and “enable business” and another where people actually deal with consequences of intrusions and other burning technical issues. You can read some notes from the audience here (and here) and live tweeting here.
Next I went to Fyodor Yarochkin presentation on Russian cybercrime called “From Russia with Love 2.0.” While lots of people speak about Russian cybercrime, Fyodor’s take was interesting and new (at least to me). First, did you know that most Russian malicious hackers face no ethical challenges - they think of what they do simply as "making money online?"
For example, Fyodor reported that people were asking on one of the forums "Is it legal to Google for card numbers and then use them?" :-) Along the same line, he does not think many of them are “professionals” - but simply people making some money on the side off “stupid rich foreigners” [A.C. – we are talking about you, dear merchants ignoring PCI DSS… :-)].
Despite all that, he did describe a lot of interesting bits of criminal infrastructure such as eBay-like site for selling stolen Skype accounts with online feedbacks (for assuring stolen account reliability, ya know) and “conversion services” for transferring money, say from WebMoney to PayPal.
The speaker also mentioned that the rumors of Russian political hackers are “greatly exaggerated” - by far the most are in it for the money (and, yes, you can hire some to further your political goals like blowing away Twitter for $80/day, but it doesn’t make them “political hackers”).
Another curious resource he highlighted was a complete tutorial for “making money online” - where to start if you are a complete amateur, barely know computers, but want to make money. Another fun bit was that he described how much DoS costs have fallen…
Now, the other part of his presentation was a description of his research tool for automatic intelligence gathering and analysis, complete with text mining, jargon conversion and language translation.
Another worthwhile speech that I would like to highlight was the second keynote by Mark Curphey - who “left” security a while back. It was so visual and hard to summarize that I probably won't do it justice here - just check his deck.
It was about his “10 Crazy Ideas to Improve Security” such as “#2 stop human pattern matching” (ha, I wish we knew how to do that :-)) and “#3 community statistical analysis for security.” Audience comments are here.
Also, I went to the presentation by the author of Maltego analysis tool. I have long been curious about the capabilities of this tool, and it seems like v3 will come with even more magic such as “named entity recognition ” (NER) which allows the tool to extract names of people and countries out of the analysis. And it might tell you who wins the 2010 FIFA World Cup … and be wrong about it :-)
As far as fun hallway conversation is concerned, I had a couple of very fun chats: one with Rop Gonggrijp about climate change and geopolitics and one with Mark Curphey on using agile for security (and security in agile software development)
BTW, if you’d like to invite me to speak at your conference, please do so, but keep in kind that flying around and speaking does not pay the bills :-)
Cross-posted from Security Warrior