Security Conference “ShmooCon 2011” January 28-30th

Check out the annual hacker convention ShmooCon 2011, this January 28th through 30th.

ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues.  The first day is a single track of speed talks called One Track Mind.  The next two days bring three tracks:  Build It, Break It and Bring It On.

Scheduled events include:

  • Barcodes Shmarcodes
  • Ghost in the Shellcode
  • Lockpick Village
  • ShmooCon Labs
  • Firetalks 

Adrian Crenshaw (aka Irongeek) mentioned in a tweet today that he might have the ShmooCon Firetalks available live on his site.

FireTalks are 15-minute presentations meant to be an alternative to longer traditional session formats. Similar to 5-minute lightening talks the purpose is to skip the background material and make a point by explaining it as quick as possible. The FireTalks will take place Friday and Saturday nights starting at 8:00 PM. Come enjoy both up in coming infosec leaders as well as seasoned speakers challenge the 15-minute format in an relaxed alternative conference environment.

And just in case you weren’t able to get a ticket (Come on they were available for 5 minutes!), the track streams will be available at Ustream.

Check it out!

“Zero Day” – New Novel by Microsoft Guru Mark Russinovich

Mark Russinovich, a senior Microsoft technical employee and creator of the ever popular Sysinternals admin and diagnostic programs has turned to writing fiction. His new book “Zero Day” is a tale of fighting Osama Bin Laden and cyber terrorism in present day times. According to his website:

An airliner’s controls abruptly fail mid-flight over the Atlantic. An oil tanker runs aground in Japan when its navigational system suddenly stops dead. Hospitals everywhere have to abandon their computer

databases when patients die after being administered incorrect dosages of their medicine. In the Midwest, a nuclear power plant nearly becomes the next Chernobyl when its cooling systems malfunction.

At first, these random computer failures seem like unrelated events. But Jeff Aiken, a former government analyst who quit in disgust after witnessing the gross errors that led up to 9/11, thinks otherwise. Jeff fears a more serious attack targeting the United States computer infrastructure is already under way. And as other menacing computer malfunctions pop up around the world, some with deadly results, he realizes that there isn’t much time if he hopes to prevent an international catastrophe.

Publisher’s Weekly gives “Zero Day” a mediocre review on Amazon.com. Claiming that there is not a lot of action and the heroes (Jeff and his love interest Daryl) spend too much time at the keyboard.

Well, seeming most cyberwars will be fought sitting down, I am not sure what people are expecting. And how many writers have recommendations from Bill Gates and White House Cyber Security Coordinator Howard A. Schmidt? 

Zero Day will be out in March. For more information check out Mark’s Zero Day site, or Amazon.com.

Upcoming Computer Security Seminars for 1/25/11

A couple interesting sounding computer security webinars are being presented today (Information from presenters sites):

Top Tips for Defending Against Database Threats in 2011
Please join us for our annual 2011 Database Security Top Threats and Tips webinar and learn more about the current threat climate and top tips for protecting sensitive information in the database.
2:00 pm – 3:00 pm EST By Application Security. 
Get the latest tips and trends to:

 

  • Defend against the latest cyber espionage methods including both insider and outsider attacks
  • Effectively manage separation of duties
  • Patch documented vulnerabilities
  • Protect against the latest SQL injections
  • Defend against social engineering attacks
  • Manage database security in the cloud
  • Protect against database rootkits and infection kits

Windows 7 Migrations and PC Lockdown with Privilege Management
Date: Tuesday, January 25, 2011 at 2PM EST
Speaker: Greg Shields, MVP and Windows Platform Expert, Concentrated Technology 

With the Windows XP sunset date fast approaching, plans for Windows 7 migrations are in full swing, prompting most organizations to also re-assess their approach to PC lockdown. With the advanced privilege management capabilities, enterprises have an alternative to the “all or nothing” approach to least privileges – because an “all or nothing” methodology prohibits organizations from meeting compliance, security and desktop operations goals. To ensure compliance enforcement, you’ll also need to consider compliance validation reporting and privileged account activity auditing.

Other Upcoming Security Seminars:

Data Security Simplified: Reducing Risk, Costs and PCI Scope with E3™ End-to-End Encryption

Upcoming SANS.org Webcasts:

January 27, 2011:
Analyst Webcast: A Real-Time Approach to Continuous Monitoring
Sponsored By: NetWitness, Splunk

January 28, 2011:
              Ninja Developers: Penetration Testing and Your SDLC

January 31, 2011:
              From Exposure to Closure – The life and times of an exploitable Vulnerability An Industrial Control Systems View 

February 01, 2011:
Analyst Webcast: Remote Administration and Security Compliance
Sponsored By: Netop
 
February 02, 2011:
Tool Talk: Pre-flight Checklists & Seatbelts for Your Applications Trip to the Cloud
Sponsored By: Veracode
 
February 03, 2011:
Improve firewall security odds: Prevent misconfigurations and compliance concerns by automating firewall audits.
Sponsored By: Skybox Security, Inc.
 
February 09, 2011:
Internet Storm Center Threat UpdateISC Webcast
Sponsored By:
 
February 11, 2011:
Proactive Compliance for PCI-DSS
Sponsored By: NitroSecurity

February 24, 2011:
             Continuous Monitoring: NOT Harder Than It Looks
             Sponsored By: Tripwire, Inc.

Why the Cloud is a Security Nightmare

And why you will embrace it

Many large software companies are offering “Cloud” services now. Amazon, Google and Microsoft are just a few of the big name ones. The benefits are obvious, lower IT costs, access to more apps, improved availability and disaster recovery. But just how secure is cloud computing?

When you host your own network, you know the security policies and procedures you use to protect your data. But what about trusting someone else with your mission critical data? Is it a good idea?

A Harris Poll from last year showed that many Americans do not trust the Cloud:

“One of the main issues people have with cloud computing is security. Four in five online Americans (81 percent) agree that they are concerned about securing the service. Only one-quarter (25 percent) say they would trust this service for files with personal information, while three in five (62 percent) would not. Over half (58 perent) disagree with the concept that files stored online are safer than files stored locally on a hard drive and 57 percent of online Americans would not trust that their files are safe online.”

In a Poll of about 14,000 last month when asked “Would you trust an online hard drive?” over 88% said no.

And then there have been data breaches. The large software companies have been under constant barrage by hackers and the hackers have been successful. Google, Yahoo and many other companies were targeted in “Operation Aurora”.  

During the attack hackers stole a program from Google that controls access to most of their programs:

The stolen password system was called Gaia, a reference to the Greek goddess of earth, according to the Times. Besides e-mail, Gaia also governed access to the online services that Google sells to businesses, government agencies and schools.

It just makes sense that with companies moving to the cloud, that hackers will focus more of their attention to attacking it. And if they can compromise cloud based systems, chances are they will have access to the data of multiple corporations instead of just one.

And hackers will leverage the power of the cloud themselves to attack government and enterprise encrypted systems. Recently, it was shown that WPA encryption could be cracked using the computing power of the cloud.

Hackers have been successful in attacking the cloud. In May of last year, the Treasury Department shut down 4 cloud hosted sites, “The hosting company used by BEP had an intrusion and as a result of that intrusion, numerous websites (BEP and non-BEP) were affected.

And just recently a Chinese Trojan was detected that disables cloud based anti-virus.

With all of these concerns about the cloud, why would so many companies be moving to embrace it?

Speed and price is the answer.

According to the recent IT World article titled “The straight talk on IT’s new directions”, the times are changing:

The simple truth is that the focus on the back office — IT’s traditional domain — is over. Companies are tired of paying for what they view as plumbing. Any consideration in the executive suite about the back office and infrastructure is all about making do and cost-cutting. Virtualization and private clouds are investments meant to accomplish this reduction — they’re not new gold mines to enrich IT’s importance.

As a majority of manufacturing jobs have left American shores for cheaper labor costs in China, the same mentality is true with IT. We have seen continuous cut backs across the nation in IT staffing. IT workers once considered mission critical are now considered to be overhead. The draw to the cloud is clear for executives, why keep full time hardware and staff onsite when you can just outsource for a fraction of the cost?

Also, with the cloud, you can have access to powerful systems that many companies could not afford otherwise. Scientists and engineers will enjoy the added power at their disposal. Last year a record was set in Mathematics by using the cloud. Even NASA has its own Cloud Computing platform.

There are great security risks in the cloud. But the speed and cost savings are just too tempting. Soon, cloud computing will be the norm and not the exception. So to borrow a quote from Naval history, with cloud computing it seems to be “Damn the torpedoes, full speed ahead!”