This was my first BSides event in Portland… but definitely not my last. The 9th Portland BSides (https://bsidespdx.org/) event was hosted last weekend (Friday, Oct 25th and Saturday, Oct 26th) at the Oregon Convention Center in Portland. Joe Fitz (@securelyfitz) and a large list of volunteers and friends put together an amazing event and I want to start of saying “Thanks!”. As Joe provided in the welcoming remarks, this event was the largest as they had expanded the size of the rooms and it was still crowded and still hot… but it was a great experience.
For those not familiar with the BSides, they are a series of community driven security events that spawned out of the large number of amazing security researchers that were unable to get into the Black Hat Security Conference due to the overwhelming number of presentations submitted. The BSides were established to provide a community-driven framework for building events for and by information security community members (https://securitybsides.com) and there are now more than 100 events in dozens of countries. In addition to amazing speakers and presentations, they usually host other security focused events such as lock picking villages, CTF events, and much more. Portland hosted a data recovery event, a quiz show, and a contest called “Whose Slide Is It Anyway?” where contestants gave lightening talks between 5 and 7 minutes with the aid of a slide deck randomly selected that they had never seen as well as workshops and after hours events. They even asked that attendees bring backpacks as part of their BSidesPDX Backpack Drive for Foster Youth.
Anyways, it was a quick 3 hour drive down to Portland from Seattle and I was eager to get there on Friday morning and start a great weekend of learning.
The opening keynote was presented by Eva Galperin (@evacide) who is the Director of Cybersecurity for the EFF (Electronics Frontier Foundation) and she told us about the EFF and why it is so important. She talked about the need for Privacy and Security n the real world for real people; journalists, people in oppressive countries, marginalized populations, etc… where they need a safe way to make their voices heard. She talked about training journalists how to be safe and protect their privacy. She talked about how the EFF has worked to raise awareness to the way that governments use malware to spy on people. She told us to “kill our heroes…” which is not to be taken literally, but that hero’s come in all kinds of forms… and we should learn from them and know them. After this opening presentation, I attended one of the workshops, “How to Rock your BSides Presentation!” by Olivia Stella. Olivia guided about a dozen of us through the challenges of responding to CFP, what to do when selected, how to prepare once your event comes up and left us with a lot of tools to make it easier. I have set a goal to present at a BSides next year… and now I am prepared. After a quick lunch, I was back at the event listening to Eric Goldstrom talk about a program that he has developed at Cambia Health Solutions that he calls Interactive Threat Defense that combines the key aspects of an Incident Response program, Threat Intelligence and Red Teaming to develop an approach to proactive, data driven, hands on approach to risk identification and security control validation. We then heard from Greg Stromire who presented a great discussion on the use of WebAuthn (https://www.w3.org/TR/webauthn/). WebAuthn is a new standard that allows for the creation and use of strong, attested, scoped, public key-based credentials by web applications for the purpose of strongly authenticating users. Greg offered how WebAuthn is ready for use in 2FA solutions and provided that it addresses a lot of the issues in single factor authentication strongly enough that it could be used on it’s own. Moving into the last hour, I saw Olivia Stella present “Airplane Mode: Cybersecurity @ 30,000+ Feet” and Alexei Kojenov present “[In]secure deserialization and how [not] to do it. After watching Jessica Ferguson (@c0verfire) give a great presentation on Airline security at the 2019 Seattle BSides, I was excited to see more about airline security and how these teams work together (competitors sharing information; what a novel concept) and Olivia provided some great dialog on just that. It’s gonna be a while before I get a chance to hack on a plane, but maybe Boeing or someone could do like Tesla did (https://www.zdnet.com/article/tesla-car-hacked-at-pwn2own-contest/) and provide a plane for security research at some point in the future (or maybe not). Alexli showed us how serialization and deserialization can be the death of us in how ubiquitous it is and how easy it is.
Saturday rolled around quickly with another great opening keynote, this time with Amber Case (@caseorganic) who talked about the interaction between humans and computers and how our relationship with information is changing the way that cultures think, act and understand their worlds. Amber talked about calm technology, the ideas that technology, rather than panicking us, would help us focus on the things that are really important to us”. She has spent countless hours understanding the research that the great minds at Xerox PARC did in the 90s and bringing it all together at www.calmtech.com to share with the rest of us. At the end of the day, we should be looking for ways to use our technology to enhance our lives, not overwhelm us with noise, light, and action that does not help us. The Saturday presentations were a bit more geeky than Friday and they were really interesting. I started the morning listening to Malcolm Heath talk about attacking Serverless Architectures. As Malcolm pointed out… the cloud has brought a lot of change to the way that organizations compute, but they have to be aware that it is not a ‘set it and forget it’ type service and that organizations really do need to understand what goes on in their cloud environment; compute, storage, database and serverless because ignorance is not bliss. Will Peteroy and Alex Sirr talked about how Gigamon has developed an approach to leveraging intern programs and on-the-job training to increase the effectiveness of your existing team and to create a great pipeline to engage new team members. Having had several great interns work for me at PACCAR, Group Health and Kaiser Permanente… I agree that interns are great opportunities just waiting for a chance to show up. Alex Ivkin (@alexivkinx) donned a pirate hat and had his six shooters (well, space guns… but just as dangerous) to talk about the world of Kubernetes and how Kubernetes is dangerous in the hands of the inexperienced or naive developer… in that a lot of the risk is present just by using default settings and not understanding how to deploy and configure containers securely. After a quick lunch it was back to the afternoon sessions including Dave Greer talking about SNAPTRAP, a modular open source deception framework designed to orchestrate deception tactics in endpoint workstations. While deception tactics are not new (honeypots, tripwires, etc.) using them in the end user compute space is a new discussion as that usually is where “something bad” starts on the network. Franklin Harding talked about how it is becoming increasingly harder for developers to actually introduce vulnerabilities as the newer languages and technologies have learned from the past mistakes and make it harder to actually introduce insecure code… basically they have to try. As he provided, “the lazy path needs to be the secure path. When that is true, developers will choose the secure path incidentally.”. Now I think part of the challenge is getting developers to move to these new technologies… I mean, I know organizations that have 15 to 20 different languages in use and multiple development, delivery and integration frameworks. No code left behind they say. Kevin Froman gave an interesting discussion on improving anonymous networking and talked about a framework that he is working on. He talked about how these anonymous networking technologies like VPN and TOR are being used by more casual individuals but that they have a lot of shortcomings and in general fail at fulfilling both key security and usability requirements. Closing out the day was Robert Moore from NCC Group sharing stories from the field of physical breach events. Overt social engineering and covert physical security breaches are something that doesn’t get the same attention as the cool “hacking” but is still a key factor in the compromise fo Fortune 500 companies, even with their sophisticated cyber security programs. Robert shared some great stories as well as his love for energy drinks and left us all laughing at some of the situations he has encountered.
Overall… it was a great two days of learning from and meeting other security professionals. I saw a few people I knew and met a few more people that I hope to meet again in the future. BSidesPDX will be 10 next year… and I can’t wait to help celebrate the event and learn with all the others that come together to make this such a great event.