Back in February, I attended the Securi-tay IV infosec conference, run by the students from Abertay’s Ethical Hacking Society. It included fantastic talks, great networking opportunities, and a chance to catch up with people I hadn’t seen for a while. A good day all round. The students deserve a huge well done for arranging and managing the event.
I thought I’d give a brief overview of the talks I attended on the day.
The Five Stages of Security Grief by Gavin Millard (Tenable)
This talk was based on the Kübler-Ross model of grief (denial, anger, bargaining, depression and acceptance) and how it applies to the world of computer security. Due to security issues, companies will spend $76.9 billion on the topic in 2015 alone. It was mentioned that education is the key to moving on from denial. This was an interesting point, as my research is currently focussed around educating users about security issues.
Virtual Terminals and POS Security; How I Had the Chance to Become a Billionaire by Dr Greg Fragkos
This was perhaps one of my favourite talks at the conference and a lot of people were talking about it afterwards! The talk essentially explained just how easy it could be to abuse POS terminals. Obviously, much of the vital information was redacted from the talk (such as specific keypress combinations needed) but the theory alone was terrifying!
Robbing Banks and Other Fun Tales by Freaky Clown
An interesting talk on how to use penetration testing techniques and social engineering to get into buildings. He made it sound so simple and I’m amazed at the places he managed to get into without being questioned. Great talk!
We Don’t Take Kindly to Your Types Around Here by Graham Sutherland
The software developer in me had been looking forward to this talk. Serialization is a concept that I’ve been discussing in one of my classes this semester, and this talk covered some of the security issues involved when serializing/deserializing objects in languages such as PHP, C# and Java. The talk has made me want to write a few test programs to see if I can replicate some of the flaws in Java.
Guest to Root: How to Hack Your Own Career Path and Stand Out by Javvad Malik
I’d heard of Javvad via Twitter and knew he had published many infosec videos, so I was looking forward to his talk. He focussed on how to get noticed in the security industry, and how to prevent yourself from blending in as just another “faceless” employee. A very engaging talk.
Social Security by Dr Jessica Barker
Jessica’s talk sounded like one which might fit in with my research, and I was right! The talk concentrated on various aspects of infosec, leaning towards the sociological/psychological side. It largely confirmed what I’ve concluded from my work: the biggest security flaw nowadays is humans! Many people simply suggest that users are stupid, which is a form of victim blaming. Instead, it depends on how you teach the user about security: if you make a user feel stupid during this process, they will shut down. Users must be encouraged to see why the topic of security matters to them.
Abusing Blu-ray Players by Stephen Tomkinson (NCC Group)
This talk considered a security issue I hadn’t really thought about: how to circumvent the sandboxed system of a device like a Blu-ray player. Stephen demonstrated a number of ways in which he bypassed the security measures the player had implemented, so an attack could begin. If you want to read a little bit more on the subject, Security Week wrote an article about the research: http://www.securityweek.com/attackers-can-use-blu-ray-discs-breach-networks-researcher.
If these talks sound interesting, a selection of them were filmed and will be available to watch on YouTube shortly. They will be available from https://www.youtube.com/user/AbertayHackers.