We are always spoilt in April with not only Infosec, but 44Cafe and BSides London too – and this year was another corker.
Traditionally, April is the month of the ‘unholy trinity’: 44Cafe, BSides London and Infosec. As you might expect, I was at all three again this year, although I have to say I'm finding 44Cafe and BSides to be far more valuable from a learning perspective. Infosec, of course, is a great opportunity to see the latest and greatest product offerings, meet up with people and, most importantly, replenish your stock of pens, t-shirts and assorted marketing tat.
The sun shines on the righteous, it would seem, as both 44Cafe and BSides had beautiful weather (although SC's Dan Raywood avoided the sunstroke that prevented his 44Con appearance last year). 44Cafe had a fair bit of vendor-sponsored competition in the guise of thinly veiled drinking sessions, but still gathered a healthy crowd for the afternoon talks. The first was by WickedClown – well known to 44Con regulars as the friendliest scary biker you could ever hope to meet – who revealed how to use a malicious Remote Terminal Services server to bypass corporate security barriers without the use of exploits or malware. This was a great ‘why didn't I think of that?’-style talk, and shows that you don't always need to be knee-deep in x86 assembly to get through defences.
44Con co-founder Steve Lord gave a hugely entertaining presentation, ‘How I met your motherboard’, explaining that he'd picked apart a certain vendor's remote support controller, fitted to thousands of servers accessible via the internet. This is the sort of functionality often left with default settings and forgotten about – and as Lord demonstrated, even if you do change the defaults, the security is laughable. In traditional fashion, it included a drinking game: take a sip every time you cringe and down it every time you see an administrator compromise. Four pints were required for those playing.
We also had a talk from Neil Kettle about his experiences following a 44Con 2011 discussion on Trusteer Rapport, covering the vendor's somewhat less than helpful attitude to responsible disclosure and its Orwellian distortion of language.
The next day was an early start as I'd foolishly volunteered again to help out at BSides and been given the job of running the registration desk. What could be easier, you might think, with the handy Eventbrite app to register people, a handful of tablet computers and a selection of 3G comms kit?
At this point, we found out that we'd managed to find a venue with the best RF shielding in London outside of MoD Whitehall, with the 3G signal vanishing like a salesman's promises as soon as we walked through the door. Fortunately, being of a paranoid nature, I had the ‘plan B’ hardcopy to fall back on, and with occasional jaunts out to the sunshine to sync up with Eventbrite, my unflappable volunteers did a great job of registering nearly 500 attendees within a couple of hours.
The highlight of BSides was the ‘rookie track’. This scheme paired up new speakers with an experienced infosec mentor during the talk preparation and on the day itself. The rookie talks were only 15 minutes long, but the few I managed to sneak in to were superb and, more importantly, were encouraging new presenters into the conference circuit.
There were plenty of good regular talks too. SC Awards winners and nominees were well represented, with David Rook presenting an entertaining tale of his experiences in application security, and Javvad Malik telling attendees how to build a personal security brand. Other topics included HTML5 risks, separating APT hype from reality, social engineering, and techniques for improving the efficiency of penetration testing.
If you didn't get to 44Cafe and BSides London, you missed out on a great range of technical content, friendly discussions and the chance to meet a great bunch of security people. If you're in London for Infosec next year, be sure to add both to your diary (and see www.44con.com for tickets to this year's 44Con).