The Duo Security team is back from SOURCE Boston 2014 and ready to share new details about BuildItSecure.ly and clue you in to some of the awesome talks we caught. If we missed you while we were in town, we're sorry but we'll be back soon...
Door Number 1, 2, or 3? Either Way, You Win!
The real challenge at SOURCE Boston is attempting to pick which one of the three amazing talks during any given hour you're going to watch. While there's no shortage of great information security conferences to attend every year, the SOURCE organizers seem to really outdo themselves each year in scheduling a line-up that rivals the best events in the world. To that end, here are just a few of the talks that we thoroughly enjoyed during the event.
Justine Aitel, Opening Keynote
Like any truly great keynote, Justine stood at the podium, without slides, and engaged the audience with thoughtful insights, primarily about the "age of participation" that we find ourselves in. Through her presentation, Justine reminded us that the information security industry (especially as it pertains to risk) has yet to really embrace the shift from the information age to the participatory one we are living in. A couple of main takeaways for me were:
- The information security community needs to interact outside of the "echo chamber" more often
- Spend more time supporting those improving upon weaknesses rather than just glorifying successes
- "Cyber" can be leveraged in communication with outsiders even if we may not like the term
- Crowd-sourcing vulnerability assessment is a great example of the "age of participation"
Stephan Chenette, "Offensive Defense through Attacker Mimicry"
What I really enjoyed about Stephan's talk was that he covered such a broad segment of the logic and realities behind attacker processes. Where similar talks may stay "in the weeds," Stephan gave a lot of context around how attackers are achieving success, as well as the shifts in thinking and actions required to take back some of that power.
Notably, Stephan focused a lot on the tactics, techniques, and processes (TTPs) of information security, emphasizing that we need to get past "I have a hash of this evil binary, therefore security" if we want to actually stand a chance against real attackers.
By providing reproducible attack scenarios and running them over and over, we can actually ensure we haven't introduced regressions in our security program and, further, that we are improving actual security. The risk of attackers being able to move laterally was a big focus, and Stephan aptly noted that not enough time is being spent hardening the core of the network.
His point of view, much like ours at Duo Security, is that perimeter security is no longer a viable path in a world where so much decentralization has occurred.
Guillaume Ross, URL Scheme Security on iOS
I actually had the pleasure of bumping into Guillaume when we were both recently presenting in Nova Scotia at AtlSecCon just a few weeks ago. Having unfortunately missed his presentation last time, I made a point of attending at SOURCE and was not disappointed.
Guillaume's talk covered numerous CVEs that he had filed regarding how iOS apps (and even iOS itself) handled URL schemes. This class of vulnerability allows an attacker, in many cases, to trigger iOS operations simply by having the target view a page with an inline iframe. Due to how iOS handles URL schemes, you can influence what the mobile phone does in such a way that privacy can be very easily lost.
One great example was CVE-2013-6835, which allowed an inline iframe to force a user's phone to make a FaceTime audio call without even prompting the end user. Imagine the ability for an attacker to easily pair an IP address, and maybe some PII details, with your mobile phone's account.
BuildItSecure.ly Made Some Friends
One of the primary reasons that Zach Lanier and I were at SOURCE Boston this year was to present our talk, "The Internet of Things: We've Got to Chat," including updates since our initial announcement of BuildItSecure.ly at BSides San Francisco. Now that the event has come and gone, we'd love to note a couple of exceptional details that we're very excited about:
- We've partnered with Postscapes and I Am the Cavalry to further expand our reach into IoT
- Dropcam and Pinoccio have become our first vendors to participate with the initiative
- Both IOActive and AttackIQ have come on board with security research assistance
BeaCon Rides Again
For those of you who only made it to SOURCE Boston, you may be saddened to hear that you missed out on another full day of information security conference action at this year's BeaCon. Our very own Zach Lanier is one of the principal people involved in this one-day, tech-centric event that has followed SOURCE Boston for numerous years now. If you're wondering what BeaCon is like, check out their schedule from this year and make plans to stay an extra day in Boston next year.
We're Coming Back Soon!
On May 7th, some of the Duo Security team will be back in the Boston area as a sponsor and presenter for the Security of Things Forum. We're excited to be in Cambridge for this inaugural event, which is being put together by our buddy Paul Roberts of the Security Ledger. Be sure to let us know if you'll be at the event; we'd love to meet up.