KeriBlog

Cars, Security & a Peek into my Life


This is SecTor 2012 – Canada’s Premiere Security Conference

Oct 3 2012

SecTor: Illuminating the Black Art of Security.

Above is the vendor area, and below is the lunch keynote, the talk I was most looking forward to.

Meet Charlie Miller, one of the world’s best hackers, and a leading expert in a personal favourite topic, NFC.

NFC – Near Field Communication. You likely haven’t heard much about NFC yet, but you will.

Think of those ads on TV, where you put your phone next to your buddy’s, and a photo gets beamed over wirelessly. That’s NFC. Charlie has figured out how to use NFC to hack your phone; here he is in action (green shirt).

He brushes close to the victim’s phone, and tada – Charlie can now access and download all the photos, contacts, files, make it call and text… and nothing AT ALL appears on the victim’s phone that would alert him this is happening.

Android users: you are, as always, the most susceptible to this attack. Best defense – check ‘yes I want to approve each NFC connection before it happens’.

He also said this, which is so true:

“Real hacking is sitting in your basement watching a phone change every 10 or 20 seconds.” -@0xcharlie at #sectorca

— Steve Werby (@stevewerby) October 2, 2012

 This is what hacking looks like.

And this.

Not at all like that famous Swordfish movie scene, eh.

Above is a contest called, ‘Capture the Flag’; there’s one at most conferences.

I saw basketball-playing robots.

And a lockpick village.

I’ll show you what using those tools looks like on video sometime. Like hacking, it is not at all like in the movies.

Went upstairs for a sunlight break.

SecTor is happening again today, click here for details.

If you’re interested in getting into information security, this is your opportunity. It’s a friendly and resource-rich environment, in a fast-growing industry that has an almost 100% employment rate.

Thanks for a great time, SecTor, and congratulations on your 6th and largest year to date!

 

 


Filed Under: Security Tagged With: capture the flag, illuminating the black art of security, lockpick village, mtcc, nfc, robots, sector, subway attack

Whomp Whomp BackTrack

Oct 2 2012

Imagine if the box was full of little dragons, ha.

 


Filed Under: Security Tagged With: backtrack

I'm at SecTor Today

Oct 2 2012

SecTor – Canada’s premiere information security conference

For a sense of what my day will be like, read my posts, This is BlackHat Security Conference 2012 and Apple’s First Ever Talk at Black Hat.

Hi SecTor, nice to meet you. I blog about security for the end-user, think of the housewives of Idaho.

You might enjoy my ‘DefCon 19 Interview Series‘, and click here for all security blog stuff in one place.

See you at the conference!

Keri

 

 


Filed Under: Security Tagged With: 2012, canada's premiere IT security conference, sector, security, security conference, toronto

It's Not a Wet Paint Sign, It's a Breach

Sep 25 2012

That sign… no details, no company name, that’s probably Microsoft Paint and a clipart janitor.

What a fast, cheap, and effective way to keep open an electronically-secured door, for as long as needed.  This door stayed open for 36 hours.

(also: never feel bad about stopping people from tail-gating you into a secure building)

 


Filed Under: Security Tagged With: physical security

Talking with Telus About Security

Sep 18 2012

Last week, Telus invited me to an information security talk at Research House, one of North America’s largest data-collection facilities.

I said yes, without fully understanding what I was walking into; check this out:

Sooo, basically I sit in this comfortable chair, on the good side of one-way-glass, and straight-up get to stare and people-watch, while they talk about my favourite topic?  Yesssss.

These are senior-level Security and IT decision makers, from 6 large Canadian organizations, that I know you know.

Security is a difficult discussion for companies to have publicly, because when you point out your vulnerabilities, it opens the door to potential attacks.

That’s why I’ve blurred out their names and faces (learn how to edit a photo you’re posting online here)

These are the kind of guys who protect the company’s information, and yours.  They’re not a help desk, and every phone call they receive is a, “it’s the end of the world” call. Maybe bring them doughnuts sometimes.

Today’s topic was BYOD – Bring Your Own Device.  

Example: your personal cell phone, (not supplied by your employer),
is allowed to send and receive corporate email,
and connect to the corporate network

AKA: Bring Your Own Disaster

EMPLOYEES

BYOD is a bigger deal than you may realize. Thousands of devices, that are probably less-than-secure, connecting to the corporate network and WiFi. That’s now at least 3 more operating systems to accommodate, manage, and secure. Even worse, now confidential company information is walking around in someone’s pocket, going to the bar. You have a lock on your phone, right?

Mobiles are not immune to malware and viruses. One click on something stupid in social media land, and the virus comes in through your phone, out to the company network, and off it goes spreading bad news.

(One day, you’ll connect through a VPN. We’ll get into VPNs here soon)

EMPLOYERS

Maybe re-visit your employee-exit policies and procedures.  I feel this might be a hole that needs plugging.

Even if you are parting on friendly terms, you still must immediately address the large amount of sensitive information on their personal device(s), and what those devices have access to.

I talked about this in my Autonet.ca article, “Toyota Secure Website Hacked”:

“If he was fired Thursday, and he used his passwords to enter the site at midnight, that would make it seven hours during which his credentials weren’t changed. That is not best practice for employee termination; account access should be immediately disabled upon notification of termination.”

And to terminated employees: don’t be offended when they do this, it’s best. You don’t want the responsibility of owning that information, especially on a mobile device.

If you take only one thing from this post:

Much of your company’s security comes down to you, the end user / employee / weakest link.  I know practicing good security can be annoying and slow things down, but there’s more resting on your shoulders than you may realize.

And thanks for having me Telus, this was so neat.

 


Filed Under: Security Tagged With: bring your own device, BYOD, employee termination, exit strategy, information security, infosec, research house, small business security, telus, TELUS security


Copyright © 2007-2015 KeriBlog.com All rights reserved. Advertising / Privacy Policy / Contact