CSI 2007 was the first time I’ve ever attended a CSI conference. I was actually a CSI member way back in the day when I was running my own consulting firm and needed as many business development avenues to explore as possible, but after closing my consultancy and going back to work for The Man(tm) I didn’t keep up my membership as I really wasn’t getting much out of the organization at that point. For some reason I had never attended any of their conferences. The CSI Annual Conference is billed as “The leading management, strategy and policy event for today’s security professionals”, so it’s a very different conference from what I’m used to. While I generally attend the more technical events, this one was targeted at an entirely different demographic. There was a lot of large enterprise and government presence, and I got plenty of scowls as people noticed my green hair, but in the end I believe I won most of them over…
The evening of my talk there was also a Capture the Flag game. Unfortunately I wasn’t aware of this until I ran into Dave Aitel that evening and he told me about it, or I would have had my laptop with me and been prepared to compete. This game was essentially a race through various goals with clues and hints along the way. The guy that won achieved the final goal at just under 2 hours. One potential vulnerability that I pointed out to the event organizers was that most of the information was given away to the audience in the observation room near the start of the competition, and had the competition not been 3 floors underground where there was no cellular signal, I could have easily relayed the information to Dave’s mobile via SMS or AIM or something. Had we had some other form of local wireless communication, cheating would have been trivial. Perhaps next time they’ll not give away so much information at the beginning to the audience…
Below are my thoughts on the couple of talks I was able to attend. Unfortunately I was only there for the one day that I was speaking, and I was too busy preparing to speak and recording a shorter version of my talk to actually attend many of them.
How to Prevent Classified Data from Leaving Your Networks
Alok Mittal, Sr. Mgr. Technology and Business Development, Cisco Systems
I checked out this talk because it’s very much in line with a research topic that I’ve been considering working on for a while now: Extrusion Prevention. I’ve done a lot of work in the past in the areas of Steganography and covert channels, so I’ve been considering delving into prevention of such things. There wasn’t a whole lot of technical information in the presentation; rather it was more aligned to managing risk of data theft and accidental loss, proper classification of data so that you can accurately determine that risk, and education of users on how to identify and accurately classify data as being sensitive. Not exactly what I was looking for, but it was good to find out what people in the Enterprise are currently doing about extrusion and their general approach. Somewhat in line with some preliminary research I’ve done into the subject, there aren’t a whole lot of technical solutions to the problem because it’s a rather hard problem to solve.
Techniques and Topics on How to Generate and Remember Passwords
Joseph W. Popinski III, CISSP, CISM, IE-Dynetics
I attended this talk for two reasons: to see if my recent research regarding Mnemonic Password Formulas was mentioned (it wasn’t), and because it was a Turbo-talk and I needed to attend something short since I was speaking the next hour. Some interesting methods for creation of passwords were presented that I hadn’t heard of myself, but the overwhelming theme of many of the methods seemed to focus more on length rather than complexity, although some of them obviously did include various types of complexity. While performing my research a couple years ago for my work in passwords, and supported by my own personal experience in the area of attacking passwords, the more common attack methods are shifting to intelligent guessing of passwords rather than brute force cracking, so while length still helps, it’s no longer the primary characteristic of your password that you should be concerned with. It was good that many of the technique examples that were presented used non-personal data, but the techniques themselves didn’t specifically exclude personal data. It’s my experience that when users have that choice, they’ll almost always use personal data, which lends itself to attack by intelligent password guessing techniques.
Dustin D. Trammell, Security Researcher
Obviously, this was my talk. My presentation, VoIP Attacks!, is intended to be a “state of the industry” type talk, updated and presented around once a year or so. Considering the audience I tried to cut out a lot of the technical details, examples, and demos (my usual target audience likes proofs), and talk a lot more about each attack’s effect, impact, and threat metrics. A couple of times I saw some blank stares from the audience, but for the most part I think the majority of them followed the presentation fairly well. I haven’t yet seen the result of the feedback forms, but from what I heard initially I had one of the more widely attended talks and it was very well received. You can find the slide deck I used over at my personal site in HTML, PDF, or Flash.