We had to put the RFID antenna experiments on hold last week to work on the FMH project. We wanted to simulate the JBOSS exploit, and make sure we could pull the pcaps for forensic analysis before Daniel went out of town. We ran into some trouble while spinning up a Kali instance on the NUC; the hard drive was full. We needed to delete some old instances in order to make room for the new ones.
I spent the second half of the week at two conferences: Converge and BSides Detroit. There was a wide range of topics covered, from the security implications of the new MySQL 5.7 release, to developing security training programs for employees of large firms, and even tips for folks like me who have a Bachelor of Science in Information Assurance and are now looking for the next steps. There were also many vendors there, including big international technology firms and smaller, local security companies, along with multiple ‘Capture The Flag’ (CTF) competitions.
A few brief conference highlights
MySQL 5.7 Security
Dave Stokes’ talk on the latest MySQL 5.7 release was full of useful information about the new features in this update. Database managers have a lot more control over user passwords now, including banning certain passwords, password rotation, and even connecting with external authentication mechanisms like PAM, LDAP, Kerberos, etc. The database no longer uses mysql.user.password, and now uses authentication_hash instead. Also, to improve security, MySQL will create a key pair for you if you want to use SSL and don’t already have one. MySQL can now use TLS v1.1 and v1.2 (!). A new root password is generated on every MySQL installation. Usernames can now be 32 characters long instead of 16.
Dave Stokes is a Community Manager for Oracle, and his slides can be found here.
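To make the password, authentication and TLS features from the talk concrete, here is an added example (not from the talk or the slides) of hardening a MySQL 5.7 server and one application account. The account names, the host pattern and the dictionary file path are constructed; the PAM plugin ships with MySQL Enterprise Edition only.

```sql
-- Added example, not from Dave Stokes' slides. Run as root on MySQL 5.7.

-- 1. Ban weak passwords: validate_password enforces length and character
--    classes; the dictionary file (assumed path) blacklists specific words.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = STRONG;
SET GLOBAL validate_password_length = 14;
SET GLOBAL validate_password_dictionary_file = '/etc/mysql/banned-passwords.txt';

-- 2. Password rotation: expire every password after 90 days by default and
--    force a 30-day interval on the application account.
SET GLOBAL default_password_lifetime = 90;
CREATE USER 'app_user'@'10.0.0.%'
  IDENTIFIED BY 'ChangeMe-Now-2016!'
  PASSWORD EXPIRE INTERVAL 30 DAY;

-- 3. External authentication: a DBA account that authenticates through the
--    host's PAM stack ('mysql' is the PAM service name); MySQL stores no hash.
INSTALL PLUGIN authentication_pam SONAME 'authentication_pam.so';
CREATE USER 'dba_alice'@'localhost' IDENTIFIED WITH authentication_pam AS 'mysql';

-- 4. Transport security: require TLS for the app account and for every
--    client (require_secure_transport is 5.7.8+). tls_version (5.7.10+) is
--    read-only at runtime; set tls_version=TLSv1.1,TLSv1.2 in my.cnf.
ALTER USER 'app_user'@'10.0.0.%' REQUIRE SSL;
SET GLOBAL require_secure_transport = ON;
SHOW VARIABLES LIKE 'tls_version';
SHOW VARIABLES LIKE 'auto_generate_certs';   -- ON means the server made its own key pair

-- 5. Verify: in 5.7 the credential column is mysql.user.authentication_string
--    (the old password column is gone) and plugin shows each account's mechanism.
SELECT user, host, plugin, authentication_string, password_expired, password_lifetime
  FROM mysql.user
 WHERE user IN ('app_user', 'dba_alice');
```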
AppSec Awareness: A Blue Print for Security Culture Change
Chris Romeo gave a very interesting talk about security culture in large companies. As the Chief Security Advocate at Cisco Systems, he helped create the security training for Cisco employees. The training was very effective, and also looked fun. It was gamified: you get a different color belt with each security training module you complete, and the belt colors level up like karate belts. Chris believes the program’s success is partly due to the gamification, along with a clear end-point and a fun theme that people enjoyed. Also, the training was not mandatory. Chris believes that opt-in training is much more effective than required training.
Now, Chris Romeo helps run SecurityJourney.com. A recording of Chris Romeo’s talk can be viewed here.
Learning Security the Hard Way: Going from Student to Professional
Benjamin Carroll works in Cyber Security Operations at Consumers Energy, but not long ago he and I were competing against each other at the Michigan Collegiate Cyber Defense Network (CCDN) competition. His team from Baker College usually won, but he had some really insightful critiques of the competition, and of Information Security classes in general. After gaining some industry experience, his main complaint about CCDN was the competition. Teams wouldn’t dream of sharing playbooks, but that is exactly what is necessary to be successful in cyber security, Ben argues. More often than not, similar businesses experience similar malware campaigns, and sharing information about these attacks is beneficial for everyone. Ben also discussed the different types of degrees we receive in Information Security. Most schools tend to lean either toward the science side, or to the business/policy side. His advice is to figure out which degree you’ve got, and work on your own to make up the difference.
Benjamin Carroll’s talk can be found here.
I also competed in the CTF 313, helping my team come in 4th place. I mostly helped with data analysis, parsing log files on the command line, and using Python to parse JSON objects. I also enjoyed trying the physical lock and history challenges. I connected with security folks from Cisco, CBI, and Tenable, and even got to enjoy dinner with a team from Cisco. I was invited to GrrCon, MiSec, and ArbSec, which should be good ways to get more involved with the local information security community. I really enjoyed both Converge and BSides Detroit, and I am looking forward to attending again next year.