Archive for March, 2009
Monday, March 30th, 2009
Whew! It’s been a busy couple of months for me. I’m always curious as to how I get so much on my plate. A quick recap of some of the stuff I’ve been working on / or have coming in the near future:
1) HITB Dubai is almost here! I’ve been selected to give two talks at HITB in Dubai. Although I’ve spent a significant amount of time in various parts of the Middle East, I’ve never actually been to Dubai. Dhillon is always an EXCELLENT host and I’m looking forward to seeing the sights. As for the talks I’ll be giving in Dubai, the first (Biting the Hand that Feeds You – Reloaded) is an extension of a talk Nate McFeters and I gave at Defcon 15. It involves a lot of interesting application design scenarios that introduce security weaknesses in modern day web applications. It’s a very interesting collection of Content Ownership issues, some funky ways to abuse web application sessions, and a demo of some attacks against modern day web applications including Twitter and Facebook (the respective security teams have already been notified). For the second talk (Cross Domain Leakiness), I’ll be co-presenting with Chris Evans from Google. Chris is a super sharp guy and we’ll be talking about some interesting browser bugs we’ve discovered, as well as some techniques to bypass SSL protection mechanisms. I’m also looking forward to seeing Nitesh Dhanjani’s talk (Psychotronica). I’ve seen a sneak preview of the talk and it’s a very powerful illustration of how we can piece together people’s lives like jigsaw puzzles, learning more about them than they probably know about themselves!
2) Jeff Carr put out the second paper in the Grey Goose Series (first paper here, second paper here). Contact Jeff directly if you are interested in getting a GOVT only version of the papers. Jeff has assembled a crack team of intelligence specialists (many of whom wish to remain anonymous), pulling together an impressive cyber intelligence capability that probably rivals some state sponsored intelligence agencies. The team is small enough to allow for lightning fast action without bureaucracy, but just large enough to bring an impressive intelligence eye to modern day problems. Jeff focuses on analysis related to politically motivated events around the world. I’m proud to be a part of the Grey Goose team; it is exciting work and perfectly in line with my background. Jeff and I will be traveling to Estonia in June to speak at the Conference on Cyber Warfare hosted by the NATO Cooperative Cyber Defence Centre of Excellence. We’ll be presenting a talk entitled “Sun Tzu was a Hacker” where we’ll break down the various tactics and operations associated with a real world attack against State servers. We’ll tie the various pieces back to traditional tactics/warfare via concepts of Maneuver Warfare and Marine Corps Doctrinal Publication – 1 (Warfighting).
3) My studies as an MBA student continue. Once I finish this semester, I’ll have two classes left. I’m currently taking a Finance class which is planting all sorts of great ideas on how to valuate risk associated with information systems. I think it’s great that Security Researchers are seeing the value of bugs in both monetary instruments and non-monetary instruments (press, notoriety…etc). I see things like the No More Free Bugs (NMFB) campaign as financial declarations that a Security Researcher’s time/efforts/intelligence/creativity/determination is worth > $0.00. It will be interesting to see how the next generation of security researchers/hackers will view the disclosure/NMFB paradigm and whether places like iDefense and TippingPoint will rise to “power” (if they haven’t already) as vulnerability brokers. Maybe one day we’ll track vulnerability worth via stock ticker, trying to game when to sell. I’m also interested to see whether web application bugs will ever have financial value that can be easily monetized. How much is a Gmail XSS or CSRF worth? Are there ways to monetize?
4) I’m co-authoring a book… more on this later
5) I’ve started a really cool project at work that will consume lots of time…
6) Oh yeah…. I have a ~3 month old baby girl that demands all my free time :)
Where does the time go?!?!