Geeks in Charleston, West Virginia at Hack3rCon 2012

Hack3rCon 2012 – October 20-21st in Charleston, West Virginia

Hack3rCon comes to Charleston, West Virginia, an event not to be missed if you’d like to learn about internet security. Keynote speaker Larry Pesce talks about hacking and survival tips, and attendees can learn about next-generation web reconnaissance, hardware hacking tools, spear phishing and more.

On-site workshops cover how to build a Glitch Keylogger, how to pick a lock, and advanced phishing tactics.

In the hardware hacking village, there are key impressioning contests, a chance to find the MacGyver in you, and a special viewing of REBOOT. Also on hand is a vendor exhibition hall where new and exciting technology gadgets can be viewed.

(reported by Joe Oliver)

Key impressioning is probably the first lesson for a freshman hacker. Those who are not even computer people can experience hacking through this great game. People who are doing it say it’s very fun. They call it computer-less hacking, and to do it, all they need is some hardware equipment that anyone can buy from Lowe’s.

(reported by MD Rahman)

(photo credit Kate Long)

Martin Bos, a founding member of the information security event, speaks on email spear phishing attacks and security in the private sector. He said opening a simple email can compromise an organization and potentially expose it to a complete breakdown of its internet security.

“Once an attack is successful, hackers can harvest passwords and even set themselves up as administrators,” Bos said. To combat this, he and colleagues at Accuvant Labs conduct simulated attack tests in which risk is assessed and steps to increase security are recommended. The cost for this service may be as little as $10K for small companies, or as much as $0.5 million for large corporations.

(reported by Marta Tankersley)

‘Hackers for Charity’ is a not-for-profit organization whose aim is to provide IT training to deprived communities around the world. They are currently undertaking projects in Africa, especially Uganda. They accept donations from individuals and organizations. Donations can be made through their website, HackersForCharity.org.

(reported by Kweku Agyiri)

The Hack3rCon conference is organized by 304Geeks, an online community of about 200 West Virginians (area code 304). Charlestonian Rob Dixon, security analyst for Colorado-based Accuvant, set up 304Geeks about five years ago to help West Virginia security consultants find each other.

Few West Virginia companies hire security consultants outside federal agencies, Dixon said. Accuvant is one of the world’s largest private information security firms, so “I live in a place I love, and go anywhere to work,” he said. A few West Virginia companies recently hired Accuvant to simulate computer attacks, but “no way are we going to tell you who.”

(reported by Kate Long)

Hack3rCon continues until Sunday evening. It’s a friendly environment if you’re interested in getting into the information security industry, one with an almost 100% employment rate, so this opportunity should not be missed.

Talking with Telus About Security

Last week, Telus invited me to an information security talk at Research House, one of North America’s largest data-collection facilities.

I said yes, without fully understanding what I was walking into; check this out:

Sooo, basically I sit in this comfortable chair, on the good side of one-way-glass, and straight-up get to stare and people-watch, while they talk about my favourite topic?  Yesssss.

These are senior-level Security and IT decision makers, from 6 large Canadian organizations, that I know you know.

Security is a difficult discussion for companies to have publicly, because when you point out your vulnerabilities, it opens the door to potential attacks.

That’s why I’ve blurred out their names and faces (learn how to edit a photo you’re posting online here).

These are the kind of guys who protect the company’s information, and yours. They’re not a help desk, and every phone call they receive is an “it’s the end of the world” call. Maybe bring them doughnuts sometimes.

Today’s topic was BYOD – Bring Your Own Device.

Example: your personal cell phone (not supplied by your employer) is allowed to send and receive corporate email, and to connect to the corporate network.

AKA: Bring Your Own Disaster

EMPLOYEES

BYOD is a bigger deal than you may realize. Thousands of devices, probably less-than-secure, are connecting to the corporate network and WiFi. That’s now at least 3 more operating systems to accommodate, manage, and secure. Even worse, confidential company information is now walking around in someone’s pocket and going to the bar. You have a lock on your phone, right?

Mobiles are not immune to malware and viruses. One click on something stupid in social media land, and the virus comes in through your phone, out to the company network, and off it goes spreading bad news.

(One day, you’ll connect through a VPN. We’ll get into VPNs here soon)

EMPLOYERS

Maybe re-visit your employee-exit policies and procedures. I feel this might be a hole that needs plugging.

Even if you are parting on friendly terms, you still must immediately address the large amount of sensitive information on their personal device(s), and what those devices have access to.

I talked about this in my Autonet.ca article, “Toyota Secure Website Hacked”:

“If he was fired Thursday, and he used his passwords to enter the site at midnight, that would make it seven hours during which his credentials weren’t changed. That is not best practice for employee termination; account access should be immediately disabled upon notification of termination.”

And to terminated employees: don’t be offended when they do this, it’s best. You don’t want the responsibility of owning that information, especially on a mobile device.
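As an added example (not code from the original post), here is a simple offboarding reconciliation check in Python: it compares a constructed HR termination list against constructed authentication log lines and flags every successful login that happened after the account should have been disabled, reporting how many hours the credentials stayed usable. The log format, usernames and timestamps are assumptions made for the example.

```python
"""Offboarding reconciliation: find logins by accounts that should be disabled.

All data below is constructed for illustration (not from any real system).
"""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed HR feed: username -> termination time (UTC).
TERMINATIONS: Dict[str, datetime] = {
    "jdoe": datetime(2012, 10, 18, 17, 0, tzinfo=timezone.utc),    # let go Thursday 5pm
    "asmith": datetime(2012, 10, 19, 9, 0, tzinfo=timezone.utc),
}

# Constructed auth log, one event per line: "<iso timestamp> <user> <result> <source>".
AUTH_LOG = """\
2012-10-18T16:30:00Z jdoe success vpn
2012-10-19T00:00:00Z jdoe success webmail
2012-10-19T01:15:00Z jdoe failure webmail
2012-10-19T08:00:00Z asmith success vpn
2012-10-19T12:00:00Z asmith success mobile-mdm
2012-10-19T10:00:00Z bwong success vpn
"""

Event = Tuple[datetime, str, str, str]  # (when, user, result, source)


def parse_auth_log(text: str) -> List[Event]:
    """Parse the assumed whitespace-separated log format into events."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, source = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, result, source))
    return events


def post_termination_logins(terminations: Dict[str, datetime],
                            events: List[Event]) -> List[Tuple[str, float, str]]:
    """Return (user, hours_after_termination, source) for each successful
    login that occurred after the account should already have been disabled.
    Failed attempts and users not in the HR feed are ignored."""
    findings = []
    for when, user, result, source in events:
        cutoff = terminations.get(user)
        if cutoff is None or result != "success" or when <= cutoff:
            continue
        hours = (when - cutoff).total_seconds() / 3600
        findings.append((user, round(hours, 1), source))
    return findings


if __name__ == "__main__":
    for user, hours, source in post_termination_logins(TERMINATIONS, parse_auth_log(AUTH_LOG)):
        print(f"{user}: still authenticating via {source} {hours}h after termination")
```

Run against a real identity provider's export, the non-empty result is the list of accounts whose disablement lagged the HR notification.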

If you take only one thing from this post:

Much of your company’s security comes down to you, the end user / employee / weakest link. I know practicing good security can be annoying and slow things down, but there’s more resting on your shoulders than you may realize.

And thanks for having me Telus, this was so neat.

DefCon 19 Interview Series – Johnny Long

Johnny Long is the founder of Hackers for Charity, author, speaker, an early pioneer in the field of Google hacking, one of the world’s best Social Engineers, and likely does more good than you.

Did you know you can hack things using Google searches? Neat eh. We’ll get into that.

Johnny on Twitter

Hackers for Charity

DefCon 19 Interview Series – Dave Kennedy

Dave Kennedy is CEO of TrustedSec, a former CSO for a Fortune 100 company, founder of DerbyCon, author of ‘Metasploit: A Penetration Testers Guide’, creator of ‘The Social Engineer Toolkit’, and excellent hugger.

Dave on Twitter

DerbyCon