At the end of last week, I attended the 5th annual Securi-Tay infosec conference (Securi-Tay V as it’s called). The conference is entirely student run by members of Abertay’s Ethical Hacking Society. Here’s a recap from the talks I attended over the 2 day event.
NCC Keynote: iOS Forensics by Derek Price
This talk touched on the hot topic of the Apple vs FBI case, detailing the problems and methods of extracting data from an acquired iOS device. Despite being an Apple fangirl, I don’t know so much about the forensics of their devices or the secure enclave e.g. I wasn’t aware that on iOS 8, the encryption key is tied to the passcode the user has chosen.
Sorry, We’re Cash Only by Henri Watson
Card payments are ubiquitous nowadays and this talk explored the complexities behind them. Initially, I thought it might just focus on contactless payments, but instead it provided a full history, which was interesting. I learned a lot about how various types of card payments work e.g. signature vs PIN, and the differences in various regions of the world. Slides are available here.
Teach your brain to regenerate passwords instead of remembering them! by Grigorios Fragkos
Remembering passwords is difficult, especially when you work in computing (so. many. logins.). This talk discussed a different approach to choosing passwords, changing the way you think about them e.g. think about what pops into your head when you first visit a website. You might not want to tie your password to a particular image on the site, after all, site designs are updated frequently. It was also suggested that users might want to have different levels of passwords e.g. perhaps a stronger password for online banking vs a weaker password for a site you’re just getting information from.
To add to the discussion around passwords, the following link was posted on Twitter afterwards. An attempt to quantify the strength of passwords: https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
AppCL LSM – A Linux kernel security module to implement application oriented access controls by James Johnson
I’ll admit I’m still largely a newbie when it comes to Linux so quite a bit of this talk went over my head. Nonetheless I learned something about access controls and the Linux Security Module. The presenter noted he hadn’t really done much in C before; I was impressed by how much he has achieved in a relatively short time.
Infosec awareness, training and education – forget the tech, focus on the people! by Graham McKay
I’m all for the training and education of users (hence the research I’m conducting). This talk explored different ways to impart information to users, helping them stay safe online. Information was delivered to users via the use of clear, easy to understand company policies, and short, 3 minute videos explaining cyber security terms. This isn’t something I can integrate into my work but it was an interesting approach.
Tenable Keynote: 8 security lessons from 8bit games
Final talk of day one. I missed a few bits of this talk but it focussed on gamifying the reduction of security risks in the infrastructure of a company. It was nicely explained and I loved the throwbacks to retro games.
Red Team DevOps by Tim Brown
First talk of the Saturday. This one looked at the testing infrastructure Portcullis has developed to recreate threat models.
DLL Hijacking: The Eighth Circle of Dependency Hell by Keith Learmonth
This was the final talk I saw. Keith explained just how easy it can be to run a malicious DLL on Windows. Windows was my primary OS up until 2010; however, DLL bugs have existed in almost every version of Windows. If Windows can’t find the DLL in its correct location, it then looks in the current directory. Of course if you place a malicious DLL in the current directory, you have a problem… (I think the demo was done on XP).
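To make the search-order point concrete, here is a small Python model written for this recap (it is an added example, not the speaker’s code or demo). It resolves a DLL name against constructed directory listings in the order the Windows loader consults them, and flags any resolution that lands outside the application or system directories. The directory names and file listings are constructed sample data, not a real system.

```python
# Added example: a model of the Win32 DLL search order, used to audit whether
# a DLL name would resolve from an untrusted directory. The directory names
# and listings are constructed sample data, not a real machine.

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

def search_order(app_dir, cwd, path_dirs, safe_search=True):
    """Directories in the order the loader consults them.

    Documented behaviour: with SafeDllSearchMode on (the default since
    XP SP2) the current directory is searched after the system directories;
    with it off (legacy order) the current directory comes right after the
    application directory.
    """
    if safe_search:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]

def resolve(dll, dirs, contents):
    """Return the first directory whose listing contains dll (case-insensitive)."""
    for d in dirs:
        if dll.lower() in {f.lower() for f in contents.get(d, [])}:
            return d
    return None

def audit(dll, app_dir, cwd, path_dirs, contents, safe_search=True):
    """Return (resolved_dir, risky).

    risky is True when the DLL would be loaded from somewhere other than the
    application directory or a system directory, i.e. from a location a
    low-privileged user could populate (the scenario from the talk).
    """
    order = search_order(app_dir, cwd, path_dirs, safe_search)
    hit = resolve(dll, order, contents)
    trusted = {app_dir, *SYSTEM_DIRS}
    return hit, hit is not None and hit not in trusted

if __name__ == "__main__":
    contents = {  # constructed sample listings
        r"C:\Program Files\App": ["app.exe"],
        r"C:\Windows\System32": ["kernel32.dll", "version.dll"],
        r"C:\Users\alice\Downloads": ["version.dll", "helper.dll"],
    }
    app, cwd = r"C:\Program Files\App", r"C:\Users\alice\Downloads"
    for name in ("version.dll", "helper.dll"):
        for safe in (True, False):
            print(name, "safe" if safe else "legacy", audit(name, app, cwd, [], contents, safe))
```

Running it shows that a system DLL such as version.dll is protected only when the safe order is in effect, while a DLL the application never ships (helper.dll) resolves from the current directory in both modes, which is exactly the class of bug the talk demonstrated.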
* * * * *
Unfortunately, I missed out on the last 2 talks of the conference (had to head home). Many of the talks were recorded and should be available online at some point, if anyone wants to have a look. Keep an eye on the @AbertayHackers Twitter account and https://securi-tay.co.uk/. A big well done to the students for organising another great event. Here’s to next year.