
Adventures at THOTCON and Lone Star PHP

Phew! It was a long weekend for this guy. While I'm sure other folks have conference war stories to rival anything I can dish out, four flights, three talks, and two conferences in about three days has me still recuperating. From Chicago for THOTCON to Dallas for Lone Star PHP, I had a fantastic time meeting Duo Security fans and soon-to-be fans.

THOTCON 0x5

My "weekend" started by heading out to Chicago for THOTCON. This event has the notoriety of being one of the premier technology events each year in Chicago, popping up at a location that is a secret until just before the event. With a heavy influence of Trustwave's SpiderLabs employees (current and former), THOTCON typically has one of the best conference lineups each year by putting a heavy emphasis on technical talks and quality speakers. While this was my first year at the event, it very quickly made it on my "must attend again" list. With so many security events every year, that list doesn't have much room to grow but that's just how good it was.

My first presentation was part of I am the Cavalry's two-hour block of talks. During my slot, I discussed the realities of the Internet of Things (IoT) as it pertains to both consumers and security researchers. We're at a tipping point in regards to the pervasiveness of IoT devices and the risks that everyone is facing by having many of these cool new devices come to market without any security expertise reviewing their design and implementation. I also reviewed some of the efforts that Zach Lanier and I have been focusing on as of late with our initiative, BuildItSecure.ly. If you'd like to learn more about what's going on with IoT security, you can check out the slide deck that Zach and I presented during BSides San Francisco this past February, The Internet of Things: We've Got to Chat.

My second (and main) talk at THOTCON covered the research I had previously released on the IP camera, IZON. While this talk has gotten some mileage, I am constantly elated when people comment that it has inspired them to do their own IoT device research. While my research certainly shows how wrong things can go with IoT security, it's less about the individual device and more about thinking through the attack surfaces that exist in a complex ecosystem of embedded hardware, mobile applications, cloud services, and third-party software. As consumers, it's critical to remember that while a device may function well and be a quality product aesthetically, there's often still room for improvement when it comes to security implementation.

Among the other talks at THOTCON, I especially enjoyed Dan Mayer's iOS pen testing presentation, which covered his tool, idb. Also, Jonathan Claudius and Laura Guay released research at THOTCON pertaining to privilege escalation of SSL VPN users on Cisco ASAs that has been making news in the past few days. If you're curious to learn more, here's a video of the exploit in action!

Aside from presentations, I had a chance to give out about a dozen Duo Security t-shirts to some of our amazing customers. If you're ever attending an event we'll be at, get in touch via Twitter or otherwise and we may just bring you a shirt :) If you've been under a rock like I had been and never made it to THOTCON, prepare yourself for a one-day event that will rival just about any three day conference both in terms of content and attendee awesomeness. I had a great time and look forward to seeing Chicago again next year at a location TBD!

Lone Star PHP

While Chicago was having beautiful weather, I really was in for a treat when I flew into Dallas. After a rough Michigan winter, having a sunny, 90-degree day in beautiful Addison, Texas was very much welcomed. Amusingly enough, despite the fact that I wrote PHP code in a variety of contexts for over a decade, I've never actually been to a PHP-centric conference, so I felt like both a charlatan and without much of a clue. It turns out that wasn't a problem: this event had some of the friendliest attendees I've ever met, and I had an amazing day.

For this presentation, titled "It's Vulnerable, Now What?: Three Diverse Tales of Woe and Remediation", I reached deep into my slide deck repository for a talk that I hadn't presented since 2011. The reason that works is that, while the deck's age may show in its ugly theme, the content is still applicable 3 years later. From discussing coordinated disclosure, to how to request a CVE, to learning the basics of some vulnerability classes, the talk seemed to resonate quite well with attendees. While many talks at such events discuss SQL injection, very few talk about unserialize and null-byte attacks against PHP. Granted, I did update the deck a bit for this audience, but the overall themes and guidance have stayed the same.

It's worth mentioning that my talk was one of four regarding security, including the keynote from our friend Snipe. While PHP is no stranger to security issues, it's very promising to see such a focus on the topic at a major conference for the language.

Duo Security was proud to be a sponsor of the event this year, and my only regret is that I couldn't be in attendance both days due to the overlap with THOTCON. I do hope that next year, if you're a PHP developer, you make it out yourself and learn not just about the newest trends in the community, but also get to network with some seriously smart engineers and people who are just as passionate about security as anyone you'd meet at a hacker con.

No Rest for the Wicked

I'll be headed out to present at Penguicon, GLSEC, and the Security of Things Forum over the next week so if you're planning to come, be sure to let us know and say hello at the event! While we can't make it to every event (that would kill us), please let us know if you're in charge of any cool events (security, development, or otherwise) that you think we should be at. We'll always try to make it!

Tagged: infosec

Mark Stanislav

Security Evangelist

@markstanislav

Mark Stanislav is the Security Evangelist for Duo Security. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development. Mark has spoken internationally at over 75 events including RSA, DEF CON, ShmooCon, SOURCE Boston, and THOTCON. He earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University.