Unfortunately, I arrived late to the Security B-Sides Delaware conference, to my first conference no less. Long story. Anyway, it was great to see so many smart people presenting information. They had two conference rooms and a main auditorium. Some of the presenters were Jason Ross, Marcus Carey, Dave Marcus, Scott Hazel, Michael “theprez98” Schearer and “Grecs”. For those who could not attend, they have been posting video of the conference online. I saw a couple of people tweet (hxxp://www.ustream.tv/channel/security- ... re-track-1
), (hxxp://www.ustream.tv/channel/security- ... are-track2
) and (hxxp://www.vimeo.com/16585113
The four talks I got to see were Lockpicking, Pwn an ISP in 10 Minutes, Intro to ShoNuff and Social Engineering for Non-Penetration Testers. I have always thought about how important it is to have physical security and the lockpicking class proved it. Dr. Robert Tran spoke on the basic locks such as tumblers and wafers and how to unlock them. It should not be that simple to unlock these. If you guys are curious, his group’s site is (hxxp://toool.us
). You can actually buy tool sets on their site. Very cool. He used rakers, half diamond, and hook tools. You see it on TV all the time, but it was incredible to see it in person. He explained it is all about light pressure. Oh, and before I forget two rules: don’t try to pick a lock that you don’t own and don’t pick a lock that you rely on! I am glad he said that, I was ready to try to lockpick my front door the minute I could. It would really suck to have to replace my door lock because I got overzealous. =-)
Next, SHODAN!! The speaker was “theprez98” and he talked about the Shodan Search Engine (hxxp://www.shodanhq.com
). It is not your Google search engine. It gives info such as the IP address, hostname, port numbers, and OS versions of devices on the Internet. It is very powerful. He did a demonstration of how easily you can search for a Cisco device that has no protection and allows “level 15” permission over the device. It was scary stuff and definitely worth a look of his video.
Next up, ShoNuff! We didn’t get to see a demonstration of ShoNuff due to some technical difficulties but Jason Ross still gave us the overview of it. The site is (hxxp://whoisthemaster.org:8080/
). It basically does a super WHOIS of an organization. It provides the network IP address range of the company and even ties to Shodan using the new API of Shodan. It seems to me it is invaluable when you are doing passive recon work for a penetration test. It is amazing that this started from curiosity and the scarcity of the IPv4 addresses available.
Lastly, I sat in on the social engineering demonstration by Scott Hazel. He basically answered the question, “How do I practice social engineering when I am not doing a penetration test and I don’t want to get shot?” It is a very good question. I mean how do you get skills on social engineering so that you can be asked to do a penetration test? He gave some answers I would not have thought of such as watching TV shows on mute just so you can read nonverbal communication. It makes sense right and it is simple. Also, try listening! Again, sounds simple but how many of us actually do it. You can start by just listening to your wife, girlfriend, kids, friends and co-workers. You will score points with the wife/gf at least. =-). Finally, to get to that “layer 8” connection is to talk to people. Just converse with strangers and see how much you can learn about people. He gave some anecdotal examples when he described that you should be “the fail”. It was hilarious. Basically, you can get loads of information from people simple by stating things that are incorrect. Someone will always be there to try to correct you with information that they should be give.
I think the conference was a success. It was informative, exciting and inspiring. I would definitely recommend looking at their videos if you could not attend. I am hoping this is the start of more great conferences to come.