Monday, August 25, 2014

ISACA 7th Annual Geek Week - The Atlanta Ebola Tour - Post-Mortem

I've survived another Geek Week. More appropriately, I've survived the drive back from Atlanta, GA to Columbus, OH, which was absolutely grueling. I've been very fortunate to have been asked and allowed to continue to share my experiences with fellow ISACA professionals in the New York of the South, or Hotlanta if you prefer.

So this year I had the opportunity to present on two topics, Building an Open Source Threat Intelligence Program and Information Security from a Criminal Perspective. The opportunity to share was amazing and I appreciate all the feedback and questions I've received. We also had the opportunity to hear Frank Abagnale speak and tell the story behind the movie. If you ever get the opportunity to hear him speak, please do.

In addition to rambling on myself, I was able to sit in on some killer tracks presented this year. Most enjoyable were the panel discussion on Vendor Management (lively topic), Web Application Pen Testing by James Edge (@jedge_com), and POS RAM Scraping by Charles Burke (@cburkeinga), who walked through how easy it was to build an application that collected credit cards. Watching the live demo of just how easy it is, I believe, opened some eyes.

I also had the privilege to train the next round of Certified in Risk and Information Systems Control (CRISC) professionals, which covered a two day review. This class was absolutely awesome to teach, share and overall engage with. It is always great to hear someone say "Before I sat for the class, I was just going to sit for my CPEs -- now I want to take the exam".

What I was unable to do was ensure that I got the presentations to the appropriate folks; this is in part because the presentations were highly animated and rather large in file size. I'm currently working on getting the presentations converted into something smaller that folks can download directly.
Additionally, the following will take you to the content of this year's Geek Week 2014 Conference Presentations Available for Download for those of you who attended.

So I made it back to Columbus, Ohio, for a day before I was back on the road (or rather in the air) heading back to a client site in Rochester, Minnesota. FYI, all the stories that Garrison Keillor shares about Lake Wobegon are absolutely true. If you want to know what it's like here, I urge you to check out http://prairiehome.org and listen to their weekly podcasts: Listen to the complete show.

So, upon arrival in the Twin Cities (no direct flight from Columbus to Rochester) and while I was waiting on my partner to arrive, I noticed something that got me giggling like mad - another instance of PCI Security Theatre (sigh). 250 XP to anyone who can tell me what is wrong with these pictures.

Alright, time's up folks. For those of you following along with the PCI craze (that should be your retailers, hospitality, service providers, basically anyone that TAKES A CREDIT CARD), PCI DSS requirement 9.1.2 says "Restrict physical access to publicly accessible network jacks." Now, I don't know how this complies with the requirement, and if someone could share that with me, I would greatly appreciate it. But this was my observation of this particular instance (and it could be that it is the ONLY one like this anywhere and I just happened to stumble upon it by the luck of the Irish) being deployed in such a fashion. Next time I have a three hour layover in MSP, I'll have to do some wandering around and take a look.

So what can one do with physical access? One might put something like this into play, not that I'm saying ANYONE would ever do this:


This little box, costing a few dollars from your local Menards/Home Depot/Lowes, sits on the wire between the device and the network drop and can listen passively without being discovered logically. This means that, outside of a quick unplug and plug of the network cable, one could sit and capture details all day long. With a couple of quick additions (thank you Raspberry Pi & Teensy) you could install the drop and then remotely access it via wifi or cellular. But no one would EVER do something like that, right? I need to head off to the lab and see what I can do.
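Since the only logical trace a passive inline tap leaves is that brief unplug-and-replug, the defender's signal is a link-down followed quickly by a link-up on a switch port that terminates on a publicly accessible jack. The script below is an added example, not code from the original post: it runs a link-flap check over a handful of constructed switch syslog lines. The port-to-location inventory, the host name, the timestamps and the log lines are all made up for illustration, and the message text loosely follows the Cisco IOS `%LINK-3-UPDOWN` style, which is an assumption about the environment rather than anything the post describes.

```python
"""Flag brief link-down/link-up pairs on switch ports that face public jacks.

Constructed example: the port inventory, host name and log lines below are
made up for illustration. The message format loosely follows Cisco IOS
%LINK-3-UPDOWN syslog text, which is an assumption about the environment.
"""
import re
from datetime import datetime, timedelta

# Ports whose far end is a publicly accessible jack (constructed inventory).
PUBLIC_PORTS = {
    "GigabitEthernet1/0/12": "concourse C kiosk",
    "GigabitEthernet1/0/13": "concourse C kiosk",
}

# Constructed syslog lines, not captured from any real device.
SAMPLE_LOG = """\
Aug 25 14:02:11 sw-term-c %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down
Aug 25 14:02:19 sw-term-c %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up
Aug 25 14:30:00 sw-term-c %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down
Aug 25 14:30:04 sw-term-c %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
Aug 25 16:45:33 sw-term-c %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to down
Aug 25 17:10:02 sw-term-c %LINK-3-UPDOWN: Interface GigabitEthernet1/0/13, changed state to up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%LINK-3-UPDOWN: Interface (?P<port>\S+), changed state to (?P<state>up|down)$"
)


def parse_events(log_text, year=2014):
    """Yield (timestamp, host, port, state); syslog lines carry no year, so one is supplied."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a link-state message; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["port"], m["state"]


def find_suspicious_flaps(log_text, max_gap=timedelta(seconds=60)):
    """Return alerts for public ports that went down and came back up within max_gap.

    A long outage on a public port is more likely a moved or powered-off device;
    a down/up pair only seconds apart matches the cable swap an inline device needs.
    """
    alerts = []
    last_down = {}  # port -> timestamp of the most recent 'down' event
    for ts, host, port, state in parse_events(log_text):
        if state == "down":
            last_down[port] = ts
            continue
        down_ts = last_down.pop(port, None)
        if down_ts is None or port not in PUBLIC_PORTS:
            continue  # no matching 'down', or not a port we care about
        gap = ts - down_ts
        if gap <= max_gap:
            alerts.append({
                "host": host,
                "port": port,
                "location": PUBLIC_PORTS[port],
                "down_at": down_ts.isoformat(),
                "up_at": ts.isoformat(),
                "gap_seconds": int(gap.total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_flaps(SAMPLE_LOG):
        print(f"[{a['host']}] {a['port']} ({a['location']}) was down {a['gap_seconds']}s "
              f"({a['down_at']} to {a['up_at']}): have someone eyeball that jack")
```

On the constructed sample this raises exactly one alert, for the 8-second flap on GigabitEthernet1/0/12: the port 1/0/5 flap is ignored because it is not in the public inventory, and the 25-minute outage on 1/0/13 exceeds the window. In practice the inventory would come from the same physical survey that requirement 9.1.2 already asks for, and the window is worth tuning against a week of normal flap noise before paging anyone.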
