Sophos Cloud Optix
BSides is now over and what a great conference it was. Community oriented events like BSides are a great opportunity to take advantage of the wealth of information available in your community and build relationships at the same time.
I wasn’t able to attend all of the talks, but I did start out my Friday by sitting in on Georgia Weidman’s talk “Bypassing Android Security”. She explained the permissions system in Android OS in detail and pointed out the myriad of ways a clever developer can bypass many of these controls.
One of the more surprising aspects is that you can read from the SD Card of an Android device without declaring your intentions. Essentially anything stored on your SD Card can be accessed by any application without your knowledge.
Next I had the privilege of running a training session on cloud security. I had a great audience who peppered me with some very informed questions.
I explained the security challenges associated with the different types of clouds that are out there and explained how tools for log analysis, firewalling, IDS/IPS, encryption and more should be used to safeguard data in the cloud.
Next up was Dave Maloney with his talk “Don’t pick the lock, steal the key”. The focus of Maloney’s talk was the many ways tools like FileZilla insecurely store passwords, allowing penetration testers and criminals a far easier way to laterally compromise systems in networked environments.
Amir “Zenofex” Etemadieh presented “Attacking the GoogleTV” explaining how he and his team figured out to “root” GoogleTV devices.
Etemadieh demonstrated the techniques and methods used to crack open the GoogleTV platform, very useful information for people looking to get into embedded device hacking.
Michael Gough, one of the BSides Texas organizers, was up next sharing his experience discovering vulnerable door access control systems and working with the vendors to remediate the flaws he and his cohorts discovered.
The talk was titled “Card Key Exploitation – Let’s go Schwimming” and showed how physical security manufacturers and installation crews seem to have forgotten that electronic security is as important as the physical locks it controls.
Sean Cordero and Daniel Blander presented “From the Help Desk to the Boardroom: How to move to the top of a security organization” to wrap up the conference.
They provided a lot of practical advice on the importance of understanding the business needs of your organization and how to translate important security initiatives into projects management can better understand.
They argued that to move up in your ogranization as a security professional you must align your goals with mainline business objectives and have realistic goals that are aligned with the risk tolerance of your company.
BSides was a lot of fun and I highly recommend engaging with others in your local communities, whether that be through BSides, ISSA, OWASP or any other gatherings related to security in your community.