I spoke at the inaugural ArchC0n in St. Louis this Saturday. The main reason I chose to go to this IT security event was they had Richard Bejtlich, Bruce Schneier and Charlie Miller as keynotes. Quite a haul for the first run. Here are some of the items that I wrote down:
- Richard Bejtlich’s talk had an interesting factoid. When Mandiant goes in and looks at compromised networks they often find multiple, unrelated attackers who have compromised the organization’s systems. The record so far is seven independent attackers on the same network.
- Kyle Wilhoit gave the IT version of Malware Incubation, although it showed how he used it to learn more about Havex. He will give the ICS version at S4xJapan next month. Kyle is working on an incubation system he calls ChickenHawk. I can see a lot of applications for having a malware incubation environment for researchers and asset owners. More about this as an S4xJapan preview, but suffice it to say this is a highly interesting project.
- Liam Randall of Critical Stack talked about using Bro to identify and react to attacks on ICS. He is just scratching the surface of what is possible here, and as a Bro-master he should be able to do some great things with that platform. We are hoping to see him at OTDay S4x15, and are considering if this should be one of the deep dive classes on the Friday of S4 week.
- Charlie Miller gave a funny but depressing talk on 2007 vs 2014, and how difficult it is to tell them apart from a cyber security standpoint. I did leave with a positive feeling about the impact Digital Bond Labs can make finding and fixing vulns before they get deployed. I also had a chance to talk with Charlie about his car hacking … that is an expensive and difficult-to-create-and-maintain test environment.
- Bruce Schneier had, as usual, a couple of thought-provoking data points. One was from a TED talk (skip to 10:50). In brief, test 1: you have $1000. You can keep it or flip a coin for double or nothing (heads = $2000, tails = $0); about 75% play it safe and keep the $1000. Test 2: you owe $1000. You can pay the $1000 or flip a coin (heads = you owe $2000, tails = you owe $0); about 75% take the risk and flip the coin because they have a chance to lose $0. This is called Loss Aversion, and it could be related to why people choose not to spend money on security. If they spend $0, then they have not lost anything and there is a chance they will not get hacked or compromised.