Thoughts from DerbyCon VIII “Evolution”

DerbyCon VIII Evolution

So I’m sitting here in the airport on my way back home from DerbyCon. I’m in town for ~24 hours before I have to head back out on the road to Omaha and St. Louis for a few days. After such a great time at DerbyCon, I’ve decided to try my hand a little more with blogging and deriving some original content. The hardest part about this whole thing is PRODUCING ORIGINAL CONTENT.

So anyways, I decided to jot some notes down about the conference, please feel free to let me know your thoughts as well.

Rolling Solo

I could write multi-volume books on my experiences with hotel rooms (that’s not a bad idea TBH). Needless to say I’ve tried tweaking things to get the best experience at the lowest price. This time I tried rooming solo. It was an extra cost, but I justified it by booking a hotel about half a mile from the Marriott where the conference was held. The room was perfectly fine. It felt a little…isolated. I think it would have been better had I booked a solo room AT the Marriott instead of off-site. That way I could re-charge back in the room without having to make a trip out of it. I tried to do that, but the hotel was booked up well in advance. I recommend booking your hotel rooms ASAP. Some hotel chains allow you to book a room up to a full year out. Their cancellation policies allow you to cancel up to 24-48 hours prior. If you’re even considering attending a conference in the future, I’d recommend trying to lock in a room if you can.

Additional Packing Items

  • Allergy Medication.
    • I’m not sure why, but I had multiple violent allergy attacks this last week. It sucked. I always keep a bottle of Afrin with me for a nasal emergency, but this required significantly heavier artillery. 🙂 DayQuil Severe and Mucinex D were life-savers but OMG so freaking expensive! I know they were much cheaper at Walgreens or CVS, but when I’m sick, I’ll pay out the root to feel better. Next time, just pack the meds in advance.
    • Ear Plugs.
      • I have ear plugs, but I only keep them in my toiletry bag. I’d recommend moving the ear plugs from the toiletry bag to the EDC bag. For me going forward, ear plugs will be mandatory for all live music.
    • Hand Sanitizer
      • A lot of networking goes down in the halls of DerbyCon. Lots of hand-shaking, awkward hugs, fist-bumps, etc. Lots of opportunity for germ exposure. Again, I had hand sanitizer and wet-wipes in my toiletry bag, but not in my EDC.
    • More Cash
      • I tend to do most of my spending with credit cards and don’t carry a lot of cash on me. However, for future conferences, I recommend taking a lot of fives and singles. People like bartenders, merch vendors, and artists often can’t take credit as easily.

Scooters

I’ve heard bad things about the electric scooters “littering America’s Downtown”. Honestly, I thought they were fantastic! Although this is by no means the only answer to the Last Mile challenge, it’s definitely a fun option!

Bird Scooter

  • Pros:
    • It was cheap! Most times riding from the hotel to the convention, it cost me about $1.50 per ride. At the very end of the conference, I had to ride the scooter from the venue to the hotel, back to the Marriott, then back to the hotel on a single fare. Total $8.00. I really liked how I could lock the scooter, go inside and do whatever I needed to do (pick up an AC adapter in my case), and not lose the scooter.
    • It’s FAST. It really made a difference getting from point A to point B. I was less tired and I was able to stay longer because I knew I didn’t have to walk as far.
  • Cons:
    • They were hard to find and in high demand. I wasn’t really happy that I had to walk several blocks away in the wrong direction in order to find a scooter. No one wants to see those scooters littered everywhere, but at the same time, if you can’t find a ride, you are out of luck.
    • It’s FAST! I know I said it before, but those scoots have some speed to them. I did fine steering the scooter, but the concrete was extremely rough and bumpy. I wouldn’t trust my parents or my kids on one of these things. I felt more comfortable riding on the sidewalks even though I believe you’re supposed to ride on the streets with them. Either way, I don’t think the general public (myself included) is fully versed in how to ride these things.

See More Talks!

I’m very lucky in that I have an amazing job that I love. One of my favorite things to do is speak at and work InfoSec conferences. The drawback to this is that I don’t often get to attend the conferences. I’m too busy working. Instead, I’m working the booth, meeting with clients, taking a WebEx in the hallway, or something else keeping me from learning. My goal for this DerbyCon was to see as many talks as I could. Between the printed materials and the Hacker Tracker app, I was able to always know where I was headed next. One thing that I REALLY liked about DerbyCon was that I didn’t have to wait in line like you do at DEF CON. I think there was one session (Sean Metcalf’s talk) that was filled to capacity and they were turning people away. Outside of that one talk, it was really nice to know you could see any talk you wanted without having to miss the previous session waiting in line. Next year I’ll see more talks.

See Less Talks!

I didn’t get the full DerbyCon experience. I don’t see how anyone could. There’s just too much to see and do. I wanted to participate in the Lockpicking Village and the multiple CTFs, and chill and learn with the vendors, but I was too busy enjoying the amazing talks. I missed out on Hacker Jeopardy and Whose Slide Is It Anyway. There were so many things to see and do, but things like the body’s need for sleep or food became too much to overcome. Next year, I’ll watch the talks on IronGeek.com and hang out and do more activities.

Overall, there’s no one correct way to do one of these security conventions. Do what works for you. I’ll continue to tweak my experience till it works for me. Hopefully you picked up a few tricks to help you as well.

Soylent and St. Louis.

So funny thing happened today. I’m in St. Louis visiting a couple of big clients for work. One of my Account Executives tried Soylent at my recommendation. Turned out it wasn’t for him. He had 5 brand-new bags of powder he didn’t intend to use, so he gave them to me. Score! More for me!
So I know what you’re thinking…this guy had an issue with TSA. Yes, but it got a little bit more complicated. So I already knew that TSA would flag the bag, so I had a small side-bag, detached with JUST the Soylent to help move this inevitable process along. I fly an insane amount for work, so “this isn’t my first rodeo”. Plus I was running a little behind and wanted to ensure I caught my flight home.
Everything’s going exactly as I expected until I see the testing device flash red and start making noises. Tested positive for explosives or something. I wasn’t entirely sure what it tested positive for. At that point, the TSA employee became much more assertive and by the book. Yeah, Soylent created a “Security Incident” at the airport.
I know my story sounded fishy. I can just imagine the TSA agents not believing my story of “I got these bags of powder from a coworker”. To be perfectly honest, it was pretty chill after that. I know I had nothing to hide. I was totally chill, let the TSA do their thing. I got the full pat-down, a detailed search of ALL my bags. I was carrying a TON of computer equipment with me so I know it was a lot of work for the TSA folks. They were all very professional. I know they’re just hard working folks trying to make a dollar, so why give them grief? (This is a happy story so please take the TSA-hating elsewhere. Thanks.)
The Eye-in-the-Sky was directing the agents as to what to do next. I was told I had to open the bags and inspect the powder first, then the TSA agent would. He was apologizing to me the whole time because we had to break the seal of the bags. I told him it didn’t really matter, because they were a gift and didn’t cost me anything. “Still, this is your personal property, I feel bad we’re having to do this”.

I started to stress a little when time started to drag. I was already cutting the time closer than I wanted to. We finally got the ALL CLEAR from the Eye-in-the-Sky. I reconstituted myself and my belongings and hauled-ass across the airport to the gate home. Luckily, the flight was slightly delayed and hadn’t boarded yet. I made my flight.

I must say, this was an interesting experience. Everyone was very polite, professional, and courteous. It was not the horrible experience I was anticipating. I think there are some obvious lessons learned here for the next frequent-flying Soylent drinker. 🙂

TLDR: Moving bags of powder through TSA check-points is probably not a good idea.

Post-Tour Cool-Down

I survived the crazy 10 day, 6 city, 6 speaking engagement whirl-wind. Honestly, it really wasn’t that bad. I got to hang out with some really cool people. I got to see some really neat places, and I got to learn a bunch of crazy new things. You pick up a lot when you hang out at 6 different security conferences in rapid succession.

Here’s the PDF from the LIVE HACKING DEMOS presentation.

One of the unfortunate things I struggle with is keeping a good work/home life balance. It’s a struggle I think I’ll honestly have to deal with my entire life. I tend to excel in one area of my life and drop the ball in others. I still struggle with this as I tend to be pretty stubborn and I don’t accept failure in myself. When I see this happening in other people, I tell them to check their priorities and to prioritize family over work. I tend to neglect my own advice. When that happens, I come back to this commencement speech from Shonda Rhimes. She’s a very strong power-player in Hollywood. Her words in her commencement speech really struck a chord with me.

“Wherever you see me succeeding in one area of my life, that almost certainly means I’m failing in another area of my life.”

With all that said, I’m going to cut back a little on the travel, prioritize myself and my family and work on a few pet projects I’ve been thinking about. Looking forward to it.

April Showers Bring May InfoSec Talks!

Missed seeing me talk in Des Moines this month? Don’t worry!  May is shaping up to be a heck of a month for awesome speaking engagements!

5/8/18 – St. Louis Tech Summit – Insider Threat – St. Louis, MO
5/9/18 – Secure World – Insider Threat – Kansas City, MO
5/10/18 – Omaha Tech Summit – Insider Threat – Omaha, NE
5/11-12/18 – BSides Denver – Hacking Demos – Denver, CO
5/14/18 – Central Ohio Infosec Conference – Hacking Demos – Columbus, OH
5/15/18 – San Antonio ISSA – Hacking Demos – San Antonio, TX

I’m really looking forward to hitting the road again and meeting everyone on this wild and crazy journey. Hopefully I’ll see you at one of these events! Pretty sure this will be me afterwards.

Questions to Ask BEFORE a Public Speaking Engagement

Event/Audience Details

  • Date & time
  • Address and location
  • Name of the event.
  • Description of event.
  • Event agenda.
  • Talk duration (30/60 min?)
  • What the client wants the speech to achieve
  • Who will introduce me?
    • Can I send them an intro or will they provide it?
  • If more information is needed, who is my point person? (get contact info)
  • How many people will be there?
    • Age
    • background
    • gender
    • occupation
    • etc
  • What’s their attitude toward my topic?
  • Will I be expected to mingle and socialize with audience before or after I speak?

Technical/Logistical Details

  • Will there be a podium? Is it solid or see-through (lucite/plexi-glass/etc)
  • Will there be a screen and projector? What video input (VGA, HDMI, etc)
  • How many video inputs are available (typical answer is 1)
  • Will I have a microphone?
    • What type? (lapel, hand-held, attached to podium, mic stand, etc.)
  • May I arrive early to walk the stage and get comfortable about the equipment and venue?
  • Who is in charge of making sure things go smoothly before and during my speech (get contact info)

NTXISSA March 2018 Monthly Meeting – The Hackers Toolkit

I’m excited to announce that I’ll be speaking at the March 2018 North Texas ISSA chapter meeting. I’m planning on presenting the “Hacker Carpet Bomb” aka “Hacker’s Bag of Tricks” aka “Hacker’s Toolkit” presentation. This talk consists of nothing but live demos. Anyone who’s done IT presentations can tell you, live demos are dangerous. They rarely go right. Having a talk that consists of nothing but live demos is straight up insane. I’ve done this talk a handful of times. Not once has it ever gone perfectly, but that’s also the charm behind it. Exploits, even in perfect environments, sometimes fail. That’s part of it. Here are the demos I’m planning to present:

Between now and then I need to find a device I can destroy on stage. If you have something you don’t mind literally going up in smoke, please let me know.

So please come out March 15th at 11:00AM. I’m sure it’ll be a fun and eye-opening event.

https://ntxissa.org/event/ntxissa-march-2018-monthly-meeting/

Q&A on SQL Injection ' or 1=1; --

(Comic from XKCD)

Every once in a while I get an email from either a friend, client, mentor, etc that I really want to share with the community as a whole. Typically after I respond to the email, I try and get permission from the second party and include it on my blog (which I’m still fairly sure nobody actually reads).  Anyways, this was a really good question about SQL injection, so enjoy!

Hey Andy, I’ve got a question. In my courses I’ve been learning SQL. I’m trying to also look at it with a security perspective in defending from SQL injection attacks. Do you know of any good ways to actually practice or solid resources to learn. I’m half tempted to start running some queries on shoddy looking websites, but I really I wouldn’t do that. I’ve seen some Youtube videos and some stuff on W3, but thought I’d ask you what you think. How big of a vulnerability is SQL injection or how big of a priority is it to businesses now?

First off, I’m honored anyone emails me asking for my thoughts or opinions on a topic, so thank you. SQL injection has been an issue since it was first discussed around 1998 on Phrack.

Take a look at the OWASP Top 10 – 2017 (the most recent edition at the time of writing). Injection (A1), of which SQL injection is the classic case, has held the top spot across several editions of the list, going back at least to the 2010 edition. Cross-site scripting is still on the 2017 list (A7), and cross-site request forgery was dropped from it altogether, but Injection is king.

As for running queries or something like sqlmap against any website, I strongly recommend you do NOT give away free pen-tests. That’s a quick way to get in trouble with the feds. What you want to do is test in your home lab or find a purposely vulnerable site to hone your SQL injection skills. There are a lot of blog posts out there already covering this content, so check out this article about 40+ Intentionally Vulnerable Websites to (legally) practice your Hacking Skills. Additionally, if you’re looking to focus specifically on SQL injection, you should also check out Hack.me. They have a whole section specifically focused on SQL injection. Also, I’d be remiss if I didn’t bring up Metasploitable too. This is an amazing VM that is purposely vulnerable in many different ways. I haven’t checked personally, but I’d be shocked if there wasn’t a SQL injection vuln somewhere on there. Recently Rapid7 released Metasploitable 3. The setup is a pain. I’d recommend you check out the Metasploitable 2 VM first before embarking on MS3.

Now the second question, about how big of a priority it is to businesses, is a very interesting one. I think it all depends on the business and the vertical. There are many exceptions to this, but many businesses that do not develop applications or websites, in my opinion, do not prioritize SQL injection as a viable risk to their organization. To them, the risk lies solely with the developer of the service, website, or software. They think they’re covered. To take this type of stance is foolish and irresponsible. Patches roll out monthly, if not more often, remediating vulnerabilities in production code all the time. The vendor shares partial responsibility, but the client holds the majority of the risk relative to a data breach. Solutions such as Web Application Firewalls do a good job at preventing and detecting SQL injection, however this is not enough. I’m personally fond of aggressive least privilege as well as heuristic behavior monitoring, risk-based policies, masking of sensitive information, and regular auditing of use and access…but yeah, that’s just me. 😉

Other industries and verticals that have more at stake with application development tend to rightfully prioritize SQL injection more so than others. To what degree, however, ranges from extremely aggressive to hardly at all. The goal here is not to detect and respond but to prevent altogether. The primary defense is to use parameterized queries (prepared statements) so that user-supplied data is bound as a value and never spliced into the query text. On top of that you would want multiple DB users with the minimum rights each one needs (the concept of Least Privilege), aggressive input validation, and escaping of any user-supplied input that for some reason cannot be parameterized. If you’d like to know more, I strongly recommend you check out the OWASP SQL Injection Prevention Cheat Sheet.
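To make the difference between string-built and parameterized queries concrete, here is an added example (my own demo code, not from the original post or from OWASP). It builds a throwaway SQLite database with two constructed test users, runs the tautology payload from this post's title against a login function that formats user input straight into the SQL, and then runs the same payload against a parameterized version. The payload drops the trailing `;` only because Python's sqlite3 module executes one statement per call; the `' OR 1=1 --` part is what does the damage. The allow-list username check at the end is the "aggressive input validation" layer; it is defense in depth, not a substitute for binding. Everything here (table layout, user names, the regex) is an assumption made for the demo.

```python
import re
import sqlite3

# Constructed sample data for the demo. A real application stores password
# hashes, never plaintext passwords; plaintext is used here only to keep the
# query trivially readable.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# The classic tautology payload from the post title, minus the trailing ';'
# because Python's sqlite3 refuses to run more than one statement per execute().
PAYLOAD = "' OR 1=1 --"


def make_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query with string formatting, so input becomes SQL syntax.

    With PAYLOAD as the username the query becomes:
      ... WHERE username = '' OR 1=1 --' AND password = '...'
    The '--' comments out the password check and OR 1=1 matches every row.
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values, so the same payload
    is compared literally against the username column and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Allow-list for usernames (assumed policy for this demo): letters, digits,
# underscore, dot and dash, 1 to 32 characters. Quotes and spaces never pass.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username):
    """Input validation as defense in depth; it does not replace parameter binding."""
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    """Run both login functions against good creds, bad creds and the payload."""
    conn = make_db()
    return {
        "vuln_good_creds": login_vulnerable(conn, "bob", "hunter2"),
        "vuln_bad_creds": login_vulnerable(conn, "bob", "wrong"),
        "vuln_payload": login_vulnerable(conn, PAYLOAD, "anything"),
        "safe_good_creds": login_safe(conn, "bob", "hunter2"),
        "safe_payload": login_safe(conn, PAYLOAD, "anything"),
        "payload_passes_validation": is_valid_username(PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Running it shows the vulnerable function returning a real account name for the payload (whichever row the scan hits first) while the parameterized one returns nothing, and the allow-list rejecting the payload before it ever reaches the database. The same idea carries over to any driver that supports placeholders (`%s` in psycopg2, `?` in JDBC, named parameters in most ORMs); what matters is that the value travels separately from the query text.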

Oh yeah, be sure to check out Bobby-Tables.com. It’s a great resource for learning more and how to prevent SQL Injection.

A Blast from the Past

This weekend, I took the wife and kids to my parents’ house to visit. They’re in the middle of a large home remodel. As part of the remodel, the construction crew had knocked down a wall in one of the bedrooms and found a small Altoids tin stashed in the wall. My parents had no idea what to make of the contents. Simply a piece of paper with some notes scribbled on it. My father (bless his heart) asked me if it had something to do with drugs (LOL). He told me the story and asked me what the paper was all about. I took the box, opened it up and smelled it (just in case…). I opened the note and was instantly hit with a wave of 90’s IT nostalgia. Back before the internet, parents had no real idea what sort of trouble someone could get into with simply a computer and a modem. This was my BBS list! At the time, you had to be 18 years old to sign up and participate on Bulletin Board Systems. This was my 13-year-old boy attempt to create a fake persona and keep my late night shenanigans with my friends hidden from my parents. It’s funny to look back at a time before the Internet had taken over daily life. A time before you could summon a car or a bag of groceries to your door with a flick of your finger. It’s nice to look back and see phone numbers before the requirement to add the area code.

This took me back to a really cool point of my life when I would log on at 12:01am right when the timers to all the doors would reset. I would wait for my friend Lu to log on and we’d play Legend of the Red Dragon till 2-3am. I remember once, a bunch of people (some of whom I still keep in touch with) all met at the Parks Mall to hang out. It was probably one of the first times I realized it was okay to be a bit geeky and to be yourself. There’s other folks out there just like me!

I wonder if any of these still exist. I guess it’s time to find out.

Rainmaker’s Book Recommendations

So before sobering up and leaving Dallas Hackers last night, I did a quick (and inebriated) firetalk on some of the books I’ve read recently and my thoughts. I will update this blog post with a summary of each book and my thoughts on them. However I wanted to get this post up before I hop this flight to Tel Aviv, Israel for a week. Here’s the list. Enjoy!
