Wednesday, October 8, 2008

Meeting: DefCon 16 recap

Please come on Tuesday, October 14th, at 4pm, to The Brass Ring (701 East Washington, Madison) to hear David Russell talk about what he saw at DefCon 16.

Depending on who is present, I imagine that the talk will turn into a general discussion covering the intersection of findings and the audience's interests.

As before, you can find the group in the raised area, above the pool tables. If you know someone who might be interested, please forward.

Monday, September 29, 2008

Visualization talk at HEP

or, at the UW High Energy Physics meeting room. 7:30pm, Tuesday, 30th Sept. 2008.

The conference room is on the fourth floor in room 4274, next to the department office. Enter the building on the north side (near Sterling hall) and simply head up to the fourth floor -- the conference room is the sixth door on the right. University parking is available near Chamberlin Hall, but it might be simpler to park downtown and walk. Wireless access will be provided.
(taken from http://www.madisonlinux.org/Meetings)

Tuesday, September 23, 2008

surprise presentation alert: data visualization

This is not a regular MadSec meeting, but more of a chance event. The presenter will be visiting town, and it did not take much to make him agree to give his spiel.

The time and date are not yet scheduled, but will be around Sept 28th-30th.
The topic is visualizing data. At this point, I do not know much more.

Monday, September 22, 2008

Metrics: Sept 23rd

If all goes well, the meeting tomorrow should include a presentation on metrics, answering the questions of "what, how, and why".

Again, the meeting is at The Brass Ring, 4pm. When you walk in, go to the left, and up to a 2nd level, or a gallery of sorts.

Given the bizarre problems I had with notifications, I might grab people who show up there, and get a table outside. It will be quite obvious and easy to find, I think...
http://www.thebrassringmadison.com/

--
Marcin Antkiewicz

Wednesday, September 10, 2008

Meeting - Brass Ring, Tuesday, Sept 23rd, 4pm

Hi all,

after a short break, I would like to invite you to Brass Ring in about two weeks for a new and improved MadSec meeting. The major part of the improvement plan is presentations, and I will deliver the first one, which (if all goes well) will cover selection and use of metrics in IT in general, and security in particular.

Time is a bit of an experiment, based on the feedback I got. I will count votes against it, so drop me a line if late night is a much better fit.

Brass Ring should offer a reasonably secluded and quiet venue, but that theory needs some testing. I will likely be testing it on the 16th, along with assorted local IT types. Feel free to drop by if you feel like it (just confirm first please).

http://www.thebrassringmadison.com/

Thursday, July 24, 2008

Meeting survey

Please help me in scheduling the meeting, and fill out a short survey.

Tuesday, July 22, 2008

Next meeting soon

I am scouting downtown area for a suitable meeting venue. Ideas? It needs to be reasonably quiet, have tables, not require reservations.

While Angelic was ideal, they are closed-for-good this time.

BTW: go to UW's Lockdown 2008. The selection of topics and speakers is well worth $100. I would be there but UWEBC's IT Security Peer Group holds its monthly meeting at the same time (topic: Identity Management: Assurance, Provisioning, Directories). Choices.. Choices.. Choices..

Thursday, May 29, 2008

Status update

I am extremely busy lately, and did not have time for beer&talk. In addition to my time issues, it seems that Thursday is less than ideal for quite a few folks.

I will try again when my calendar calms down, and I will try to find a new time slot for the meeting.

Tuesday, April 15, 2008

MadSec 04849, Apr 14, 2007, 7pm

Hi All,

I would like to announce that the next Beer&Security gathering is scheduled for
Thursday, Apr 14 (or whatever the Thursday happens to be), at Angelic (322 W
Johnson St).

Tuesday, April 1, 2008

AV/Malware reading list

Vendor and relevant blogs will provide "situation awareness", and the sandbox/checksum sites will tell you what it is that you have found when it looks like something bad but your local AV says "All good".

File names are good, but checksums are better. No checksum utility is included with Windows, but there are many available (binaries).

Vendors
* McAfee
http://www.avertlabs.com/research/blog/index.php
* The Big Yellow
http://www.symantec.com/enterprise/security_response/weblog/
* F-Secure
http://www.f-secure.com/weblog/
* Sophos
http://www.sophos.com/security/blog
* TrendLabs
http://blog.trendmicro.com/

Relevant Sites
* WormBlog
http://www.wormblog.com/
* MS Anti-Malware team blog
http://blogs.technet.com/antimalware/
* VirusList
http://www.viruslist.com/en/weblog
* Virus Bulletin
http://www.virusbtn.com/news/index
* Dancho Danchev
http://ddanchev.blogspot.com

* Cool post about the state of AV
http://ddanchev.blogspot.com/2006/01/why-relying-on-virus-signatures-simply.html
* Avira, the not-so-anti-but-much-virus
http://www.virusbtn.com/news/2008/01_21.xml

From the "What's that malware?" dept:
* VirusTotal
http://www.virustotal.com/
* Norman SandBox
http://www.norman.com/microsites/nsic/
* Bit9
http://fileadvisor.bit9.com/services/search.aspx
* File Checksum Integrity Verifier (md5/SHA1)
http://support.microsoft.com/kb/841290

Monday, March 31, 2008

MadSec 04849, Apr 03, 2007, 7pm

I would like to announce that the next Beer&Security gathering is scheduled for
Thursday, Apr 03 (or whatever the Thursday happens to be), at Angelic (322 W Johnson
St).

Thursday, March 20, 2008

Monday, February 18, 2008

MadSec 62240 - 7pm, Thursday, Feb 7

Thursday sounds like a good time to meet again.

Place, time without change, please RSVP (marcina gmail.com) so I know how many might show up.

As a bonus, here is a visual explanation of a new code quality metric: WTFs/min.
http://www.osnews.com/images/comics/wtfm.jpg

Monday, February 11, 2008

Re: MadSec 24513 - 7pm, Thursday, Feb 7

Meeting was good, but in a small circle. People reported getting stuck in some snow for some reason... BTW, the waitress, Natasha, is recognizing us now.

Conversation topics that I still remember:
  • my order of Idaho Nachos
  • enjoyable rantfest about OpenSSL and Kerberos not living up to their potential (complexity, transitive trust issues, reference implementation serving as production UIs, misuse of one in places where the other would serve better)
  • Splunk is super cool. Someone is using it to find, in days' worth of logs from very busy servers, specific information (users who changed a certain field to a value larger than X), all that in a minute or two.
  • we were musing on the speed of rainbow table generation on the UW Condor grid. Eyes went round.
  • perl.org "compromise" and other JavaScript malice.
  • more? I think we spoke about SAS 70 and audits in general, but that was later in the evening, and my memory is failing.

See you next Thursday!

Tuesday, February 5, 2008

The Grinch that Stole Security

‘Twas the night before audit and all through the NOC
not a packet was moving, oh what a crock!

The firewall was tuned with precision and care,
in hope that no kiddies or hackers were there.

The router was patched and all up to date
from many an evening with the admin up late.
The power’s still on, no breakers were tripped.
The boss is still screaming, “let’s get this one nipped!”
Back in the office I heard such a clatter
I dashed right in to see what was the matter.

“It’s gone, it’s gone”, the CISO did bellow.
All up in arms was this laid back fellow.
“What is all gone”, I asked in a flash.
“Come look, come see”, he yelled as he dashed.
I ran as I followed this sad little man.
“Look! See, it’s all gone, from the network, the LAN.”
There is no security guarding our stuff!
We’ve got to fix this, but it’ll be tough.

I searched and I searched. I looked high and low.
I couldn’t find security, where did it go?

Then I had a great thought on this troublesome night.
I knew who had done this, and he wanted a fight.
The Grinch had been here and now security was gone.
It’s probably back at his big lofty throne.

I made a great trek from my office to his.
I stood and considered, but didn’t go whiz.
There he would sit behind the C on the door.
Beneath him, our security, crushed on the floor.
Slowly I opened the great wooden gate.
The smell of sulphur had grown stronger of late.

The flames they did lick his cloven black heels.
His flesh, it boiled off in great sooty peels.
“Why did you do it?”, I asked with no tact.
“Our security is gone, now our servers are hacked!”
Policies, procedures, and plans on the floor.
“We don’t need them”, he said in a gruff roar.
“What do we have that a hacker would take?
“There is nothing good here, but a great big damned lake.”

“Just ‘cause we’re small doesn’t mean that we’re bad.
Security’s a necessity, not some new fangled fad!
Here we have bandwidth, and data and lives.
That’s something to protect like a bee does its hive.
Security is good, it keeps business flowing.
For what you have done, you really aren’t knowing.
The network has stopped ‘cause the hackers were in.
Our data is gone, and your actions, a sin.”

Suddenly, a tumble, a thud, and a flop.
I awoke from the floor onto which I did drop.
“It’s all a dream”, I said with delight.
But, such a dream, that gave me a fright.
The Grinch may be real, but his actions were fake.
Nothing was wrong at the city by the lake.

The auditors came down my hallway with glee.
They had come to behold the glory of me!
Never had they seen a ship quite this tight.
For according to them, everything was right!
They shook hands and left, out the front door they flew.
“Happy audit!”, they said, and “good job to you!”


I wish it was mine; the source is CSO Blogs.

Thursday, January 31, 2008

MadSec 24513 - 7pm, Thursday, Feb 7

Next meeting - Thursday, Feb 7, 7pm at the Angelic.

Thursday, January 24, 2008

MadSEC 45699 - 7pm, Thursday, 24 Jan 2008

Yes, I am posting this notice 3 hours after we have met.

1) The collective has decided that the current meeting numbering scheme is deficient.

In order to satisfy all requirements (new, interesting, secure), from now on I will number the meetings after 2 bytes present in a certain memory location on one of my machines:

dd if=/dev/random bs=1 count=2 2>/dev/null | od -N2 -tu2 | awk '{ print $2 }'


At least it's confusing.

2) I missed about half of the conversations. _My take_ on the ones I remember:
  • complex issue with tracking unauthorized system use (public) by a rogue employee.
  • cross site scripting and request forgery (hey, use site specific browser like WebRunner), input validation, preventing session theft.
  • 2 factor (RSA style) are still cool, especially once systems get compromised, and the need for strong auth is freshly apparent.
  • there is no good, reliable, fast, awesome clustered file system. gfs just does not cut it. Something about dedicated NFS appliances (I mean APPLIANCES) that I've missed.
  • Splunk, esp. version 3 is awesome, and saves our hides.
  • something about shooting to proteins
  • Patricia tries are awesome for working with network traffic (there was a lot of context to this discussion that will remain offline).
  • neat things can be done with iRules on F5s. What's the logic behind embedding TCL in network devices (IOS, F5)? I have "Building Network Management Tools with Tcl/Tk" on my shelf, I know the history, but let's move on.

That was fun. We should do those more often. /me kicking self

01/25/2008 - an addendum from Will:

First, there's the Spolsky article on SLAs and uptime[1]. Then there's test-driven development proponent and Python hacker Grig Gheorghiu's thoughts[2] on the matter, with a nice plug for Twill[3]. If you haven't used it, Twill is a super cool scripting language for interacting with web pages.

Lastly, I mentioned Bluearc[4] as a possible vendor for high performance NFS stuff. I don't have direct experience with Bluearc, but BNL, FNAL and Purdue swear by them.

[1] http://www.joelonsoftware.com/items/2008/01/22.html
[2] http://agiletesting.blogspot.com/2008/01/joel-on-checklists.html
[3] http://twill.idyll.org/
[4] http://bluearc.com/