Links From My M-Conference DEFCON Presentation
Friday, October 04, 2024
I recently gave the following presentation at Manager-Tools.com's M-Conference 2024:
"From The Dark Web To the Boardroom: Cybersecurity Strategies from 15 years of attending DEFCON" (PDF presentation download)
These are all the links I referenced in my presentation:
- https://www.technewsradio.com/2024/09/defcon-32-2024-notes-references.html
- https://media.defcon.org
- https://en.wikipedia.org/wiki/Sun_Tzu
- https://www.wired.com/story/russia-gru-unit-29155-hacker-team/
- https://www.infosecurity-magazine.com/news/malware-service-top-threat/
- https://www.helpnetsecurity.com/2024/02/02/ddos-attacks-h2-2023/
- https://www.nsa.gov/Podcast/
- https://stpetecatalyst.com/local-cybersecurity-firm-we-hired-a-north-korean-hacker/
- https://www.hivesystems.com/blog/are-your-passwords-in-the-green
- https://informationisbeautiful.net/visualizations/most-common-pin-codes/
- https://gizmodo.com/google-just-made-entering-passwords-on-desktop-a-thing-of-the-past-200050128
- https://www.aboutamazon.com/news/innovation-at-amazon/what-is-amazon-project-kuiper
- DEFCON Examples:
- https://www.blackhillsinfosec.com/satellite-hacking/
- Zero Trust:
- https://dodcio.defense.gov/Portals/0/Documents/Library/CS-Ref-Architecture.pdf
- https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf
- https://dodcio.defense.gov/Portals/0/Documents/Library/ZeroTrustOverlays.pdf
- https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf
- https://www.bleepingcomputer.com/news/security/hackers-use-poc-exploits-in-attacks-22-minutes-after-release/
- CrowdStrike Updates/Patching Issues:
- https://www.wired.com/story/microsoft-windows-outage-crowdstrike-global-it-probems/
- https://www.reddit.com/r/crowdstrike/comments/1e6vmkf/bsod_error_in_latest_crowdstrike_update/?rdt=35791
- https://x.com/Xaaavier_8613/status/1814180533108400569
- https://krebsonsecurity.com/2024/07/global-microsoft-meltdown-tied-to-bad-crowstrike-update/
- https://www.wired.com/story/microsoft-crowdstrike-outage-cash/
- https://www.wired.com/story/hospitals-crowdstrike-microsoft-it-outage-meltdown/
- https://www.wired.com/story/crowdstrike-windows-outage-airport-travel-delays/
- https://www.wired.com/story/crowdstrike-outage-update-windows/
- https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/
- https://owasp.org/www-project-top-ten/
- https://federalnewsnetwork.com/cybersecurity/2024/09/cisa-review-low-hanging-cyber-lapses-plague-critical-infrastructure/
- Bonus:
- AFCEA's "Cybersecurity in the Boardroom" resource (behind a soft paywall):
- Graphics:
- Backup Material
- https://arstechnica.com/security/2024/07/new-blast-radius-attack-breaks-30-year-old-protocol-used-in-networks-everywhere/
- https://krebsonsecurity.com/2024/08/local-networks-go-global-when-domain-names-collide/
- https://federalnewsnetwork.com/artificial-intelligence/2024/09/state-dept-looks-to-test-cyber-data-automation-project-by-years-end/
- https://informationsecuritybuzz.com/generative-ai-fuels-new-cyberattacks/
Let me know if you have any questions, comments, etc.
I am open to presenting this in other venues if you are interested. Just let me know!
Thoughts & Tips For September 2020
Tuesday, September 01, 2020
Photo by Steve Holden. MORE LIKE THIS!
CURRENT EVENTS
No big change for us on the COVID-19 front. We continue to be vigilant and focused: #wear_a_mask, #wash_your_hands, #social_distance, and #stay_home_if_sick. The good news is that Christy's school has been able to go back to teaching kids in person with a host of safeguards, which is a blessing and an answer to prayer.
Tour de France 2020. Who doesn't want to watch 4 to 5 hours nearly every day during September seeing some of the best athletes in the world do what most people would consider completely impossible? I am all in. I am watching via NBC Sports via YouTube TV.
My candidate for President of the United States in 2020 is Jo Jorgensen (#letherspeak, #letherdebate). While I don't agree with everything she is advocating, she is in my humble opinion the best option for a President Of The United States who believes in and will fight for:
- right to life, liberty, & the pursuit of happiness
- right to keep & bear arms
- right to live where you choose & how you choose
- right to privacy
- right to worship how, when, & where you choose
- right to be treated equally under the law
OTHER THINGS THAT ARE GOING WELL
- The PodCraft Beer Show just had episode 7, and next week is episode 8. I have had some super spectacular craft beers that have blown my palate away. As a craft beer fan I have realized how much I've missed by not paying attention to the special releases that many breweries do; I had no clue how amazing they are.
- I am still playing D&D every week or so with friends from high school. It is frankly one of the best unintended consequences of COVID-19 for me.
- I am still loving my water-proof MP3 player -- AfterShokz Black Diamond Xtrainerz.
- We were able to camp at San Elijo State Beach in August which was awesome ...
EXPERIMENTING WITH MEDITATION
The book "10% Happier: How I Tamed the Voice in My Head, Reduced Stress Without Losing My Edge, and Found a Self-Help That Actually Works" by Dan Harris (#meditation) got me to do a little experiment over the last month since finishing the book. I've been doing five minutes of unguided meditation using the Apple iOS app Oak from Kevin Rose before I stretch in the morning. Nothing bad has happened (ha ha!), and I actually now think a little "mind exercise" is a good thing. My monkey mind is strong! More updates as time goes on.
If you are interested in guided meditations, then the only examples I've had experience with are Mike Foster's Guided Meditations. The Oak app has them but I haven't used them before.
TECHNOLOGY, TIPS, & SUGGESTIONS
I have just started using this new Google Chrome browser feature for organizing tabs. So far it is an awesome new feature.
This is what I've been listening to on Audible over the last month (you can try Audible free for 30 days and get two free books if you want):
- "The Lions of Lucerne" by Brad Thor [Book #1 of The Scot Harvath Series] #fun
- "Path of the Assassin" by Brad Thor [Book #2 of The Scot Harvath Series] #fun
- "State of the Union" by Brad Thor [Book #3 of The Scot Harvath Series] #fun
- "Accelerate: Building and Scaling High Performing Technology Organizations" by Dr. Nicole Forsgren, Jez Humble, & Gene Kim #work
I am currently doing all my Audible listening on my cell phone Samsung Galaxy S10+.
I also managed to finish a few Kindle books (I am currently using a Kindle Paperwhite for nearly all my reading):
- "The David Rivers Series: Books 1-3 -- Greatest Enemy, Offer of Revenge & Dark Redemption" by Jason Kasper
- "Scars: John Dempsey Novella" by Brian Andrews & Jeffery Wilson #fun
- "American Operator" by Brian Andrews & Jeffery Wilson [Tier One #4] #fun
- "Red Specter" by Brian Andrews & Jeffery Wilson [Tier One #5] #fun
One of my "newer" (I've heard in the past that this isn't a word, but I still use it all the time) favorite bands is Lo Moon. They opened last year for several shows that CHVRCHES did, and I'm super impressed with them. I recently bought their album Lo Moon on Amazon so I could load the MP3s on my AfterShokz Black Diamond Xtrainerz, as I really wanted to listen to them while swimming. Other specific albums I listen to frequently while swimming are: CHVRCHES (Bones of What You Believe, Every Open Eye, Love Is Dead) and Maggie Rogers (Heard It In A Past Life). I will also drag a lot of 80s New Wave to a folder for 'random' mode listening.
Def Con (the yearly hacker conference I've been going to since #18) was completely virtual this year. A ton of solid cybersecurity content is readily available if you are interested.
QUOTE I'M THINKING ABOUT
"We are what we repeatedly do, therefore, excellence is not an act but a habit." - Aristotle
Rabbit Hole Of "Secure" Phones
Saturday, October 26, 2019
This article from Recode by Kara Swisher called "Former Trump economic adviser Gary Cohn’s next move: investing in a phone secure enough for the president: In a Recode Decode interview, he explains why he’s working to launch a new secure mobile phone aimed at government and corporate customers" got me wondering where the state of the possible was right now on secure phones.
I am pretty much following the recommendations for how to bring a phone to DEF CON, like this one. I used to bring a burner phone, but I've found it less and less practical for me. DEF CON is in theory about as hostile a cyber environment as you can submit yourself to, but getting targeted by a dedicated adversary is probably worse.
Some links I looked into:
- Who is Hector Hoyos via Tech Crunch
- Hoyos Integrity main site
- Hoyos Integrity phone site
- Green Hills Integrity Real Time OS (RTOS)
- Green Hills INTEGRITY-178 safety-critical RTOS
- SecureOS
- Samsung's Business Security pages
- A list of "secure phones" (not sure how accurate this is but it seems detailed)
- Blackberry's offerings on secure phones
- Ano-phone
- Cipher phone
Thoughts & Tips For August 2018
Wednesday, August 01, 2018
Thrown For A Curve (Update)
See July update for my first report on my recent lower back injury with sciatica down my left leg. Things are improving, but I'm still having numbness on my left foot and periodic spasms & tightening on my calf and glute muscles. A review of my MRI with an orthopedic surgeon opened up the possibility of future surgery but that is still TBD.
Technology
I was able to move to Windows 10 on a new Dell tablet at work before the end-of-June 2018 deadline. All in all it is working great, and I like having Type-C connectors on both my work tablet and my personal HP Chromebook 13 G1. For instance, the same power adapter can be used on both.
Thankful For
Our July camping trip to San Elijo State Beach was awesome, and I did my first Sprint Triathlon (400m swim, 15-km bike, and 5-km run). I really enjoyed the sprint triathlon format even with my "physical recovery" slowing me down. I'm already planning to do another one in September.
Future
I completed another Vital Smarts' 1-day Getting Things Done (GTD) class in July. I currently only have material available for two more classes -- one in August, and then one in September.
DEFCON is coming up in August. That should be fun.
We have another San Elijo State Beach camping trip planned for August.
Tips
I've been using some cream with Arnica on my sore muscles. It is really good.
Quote I'm Thinking About
"The enemy often tries to make us attempt and start many projects so that we will be overwhelmed with too many tasks, and therefore achieve nothing and leave everything unfinished. Sometimes he even suggests the wish to undertake some excellent work that he foresees we will never accomplish. This is to distract us from the prosecution of some less excellent work that we would have easily completed. He does not care how many plans and beginnings we make, provided nothing is finished." - St. Francis de Sales
How I Studied For & Passed The CISSP
Sunday, February 23, 2014
I got asked the other day at work how I studied to pass the Certified Information Systems Security Professional (CISSP) back in Dec 2011. While I was relaying my experience, I made a few notes and figured it would be good to document the endeavor in a blog post.
I think my main advantage was that I was able to get access to SANS Management 414 class via their self-study content using training dollars from work [direct link for more info]. While expensive, the 'do it on your own time' offering was much better for me than going to a class (which can also be expensive).
One of the other key features I liked about the self-study offering was that there were separate MP3s of all the sessions plus the online course review material. This allowed me to binge-listen to the audio content during my daily exercise, drives in the car, and while on travel (which happened about 5 times during my prep time before the test). The only bad news about all this listening is that when I have a CISSP-related nightmare I still hear Dr. Eric Cole's voice.
The package included printed slides for all the material (sync'd online to the audio feed): [Domain 1 - Information Security Governance & Risk Management; Domain 2 - Access Controls; Domain 3 - Cryptography; Domain 4 - Physical Security; Domain 5 - Systems Architecture & Design; Domain 6 - Business Continuity & Disaster Recovery Planning; Domain 7 - Telecommunications & Network Security; Domain 8 - Application Security; Domain 9 - Operations Security; Domain 10 - Legal, Regulations, Compliance, & Investigation], and a copy of the following book - "CISSP Study Guide" by Eric Conrad, Seth Misenar, Joshua Feldman. Also included was a series of pre-tests both online and paper and then a full practice test that was online.
Other books I used for reference included:
- All-In-One CISSP Exam Guide by Shon Harris
- CISSP Exam Prep from SSI Logic
- CISSP in 21 Days by ML Srinivasan
Once I went through all the material one time via MP3/slides, I then determined when there was a class about 16 weeks/4 months in the future and signed up for that one. I found it very useful to have a target date on the calendar to motivate me to block out time for studying. I then spent every off-Friday from work and ~4 hours each Saturday and Sunday studying the material up to the test week. The test was on Tuesday, and I pretty much studied full time Friday, Saturday, Sunday, and Monday before the test. If my math is correct that was about ~250 hours of studying (not including the MP3 listening, which I continued doing during my exercise, driving, etc. up to the test).
In addition to the study reference material above, I also took a great deal of practice tests. If there was a test I could take, I took it. My previous experience getting a Windows OS certification and Security+ was that there was a ton of value in reviewing as many questions as possible. This turned into pretty detailed stats tracking on how I was doing and where I needed extra focus. Here is the "final" view of the spreadsheet tracker I set up in Google Docs:
The other thing I did that really helped was that any question I missed during any of the tests I took, I turned into a 3x5 study card. I also kept the cards organized by the 10 major topic areas of the CISSP. This helped me really focus on studying the areas that needed the most work. By the end I'm pretty sure I had 400 cards, and on the day of the test all I did beforehand was drill through those cards.
What about the actual test? Yes, it was very hard. Definitely the hardest test I've ever taken. I was the last one to leave taking up all but the last 5 minutes before the scheduled end time. I don't know how well I did other than I passed. And since that was the goal -- mission accomplished!
If you have any additional questions, comments, etc. then please let me know.
[Originally written on 2/24/2012 but updated 2/23/2014]
Tip - Subscribing to Twitter Accounts in Google Reader
Friday, September 07, 2012
NOTE: As of October 16, 2012 the official Twitter API turned off RSS options per this article. What I wrote here doesn't work anymore.
I personally like keeping track of some Twitter accounts (especially security-related ones) using Google Reader. Unfortunately, I've found lately that Twitter keeps messing with RSS URLs, and getting subscribed without errors can be hit and miss.
Here is my understanding of the current format as of this posting ...
If you have a Twitter account like @johnhsawyer that you want to follow in Google Reader, take the following base URL (twitter.com/statuses/user_timeline/) and append <twittername>.rss. For example:
"https://twitter.com/statuses/user_timeline/" + "johnhsawyer.rss"
becomes:
"https://twitter.com/statuses/user_timeline/johnhsawyer.rss"
and use that as the subscribe URL. I usually use a text editor to do this (Notepad++ on Windows or TextWrangler on Mac).
Did I get this right? Did Twitter change this already? Is there a better way? Leave a comment or send me email and I'll update this post.
Tech Tracking #001 - New News, Mobile, Video, Security, Books, Training, Etc
Saturday, November 13, 2010
Here are some new items I am tracking --
- MaximumPC has a good list of Microsoft Windows Phone 7 feature and tech stats
- Amazon’s cloud services continue to see improvements: new lower S3 storage pricing, increased HTTPS support, Mechanical Turk upgrades, etc.
- NVIDIA has announced GeForce.com as their new home for the latest drivers and other resources.
- If you use QuickBooks 2011, then you might want to check out a new book from O’Reilly.
- Zimbra Desktop 2.0 is out: open-source, multi-platform collaboration tool now with social media integration.
- ScotteVest has a new Expedition Jacket with 37 Pockets (it looks great for camping, hunting & hiking)
- Mac OS X v10.6.5 Security Update 2010-007 has a lot of fixes, including ~55 just for Adobe Flash
- computertechnician.net is a site run by a non-profit to list “different degree & school options as well as career, job & salary information”
- The Winter Quarter for UCLA Extension's Computer Science & Information Systems courses and certificate programs starts 1/5/2011
- SANS On Demand's 2011 Course Catalog has been announced (video, hands-on exercises, test prep, etc)
- Dynamism has announced availability of the Sony Vaio Y Series laptop & the Viewsonic Viewpad 7 tablet
Safer Browsing with Google Chrome - No JavaScript (Unless Authorized)
Tuesday, August 17, 2010
One of the lessons I learned from attending DEFCON 18 was that, as a Firefox user, running NoScript is highly recommended. Many of the presenters who talked about browser vulnerabilities mentioned NoScript as a defensive tool that helps mitigate the risks they were discussing.
While I still use Firefox with NoScript a lot, I have also been using Google's Chrome browser more and more on Mac, Windows & Ubuntu. There is no NoScript for Chrome, but you can turn off JavaScript by default via:
- Options (aka Preferences)
- Under the Hood tab
- Privacy > Content Settings ... button
- JavaScript tab
- Do not allow any site to run JavaScript
- Close button
Once you have turned it off, a 'no JavaScript' icon shows up at the far right-hand side of the address bar on the first site you hit that uses JavaScript:
You can now click on that icon and allow the specific sites you frequent and trust to be in a trusted list. And you'll need to reload the page to get the exception registered so that the page will display and function as the publisher expected. Here is what Hulu.com says if you go there without JavaScript turned on:
IMHO, this is better than running JavaScript on every site you go to by default. The best security practice is now to only allow JavaScript on sites you trust and know. Not perfect but better than the alternative.
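The same default-deny posture can be pushed as a managed Chrome policy instead of clicked through the UI, which also keeps the setting from being flipped back by a user or by a fresh profile. This is an added example and not part of the original post: Chrome's DefaultJavaScriptSetting policy takes 1 (allow, the built-in default) or 2 (block), and JavaScriptAllowedForUrls carries the allowlist as Chrome URL patterns. The file below assumes Linux, where Google Chrome reads JSON policy files from /etc/opt/chrome/policies/managed/; the two site patterns are placeholders (Hulu is the site the post mentions), so substitute the sites you actually trust. On Windows the same policy names live under HKLM\Software\Policies\Google\Chrome.

```json
{
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": [
    "[*.]hulu.com",
    "https://accounts.google.com"
  ]
}
```

After saving the file (for example as /etc/opt/chrome/policies/managed/no-js-by-default.json) and restarting Chrome, chrome://policy lists the loaded policies and flags any it could not parse. Sites not matching the list then show the same blocked-script icon described above, but the per-site allow control is greyed out because the value is managed.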
P.S. If you use Chrome's Incognito feature with JavaScript turned off, there appears to be no way to turn on JavaScript for specific sites while in Incognito mode, except for those already on your approved list.
Learn Some Hacker Skills Online from SANS & Paul Asadoorian
Saturday, February 21, 2009
Fellow FriendsInTech.com member Paul Asadoorian is presenting two upcoming SANS@Home courses:
- SEC553 Metasploit For Penetration Testers - Feb 23 & 25, 2009 from 7PM-10PM EST
- SEC517 Cutting-Edge Hacking Techniques - March 23 & 25, 2009 from 7PM-10PM EST
Metasploit is a fantastic tool for testing your network and applications. Come learn about all of its new features! You can use discount code "PaulDotCom" and save 20%!