Perimeter
10/7/2011
04:11 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

DerbyCon Fosters Community -- Videos Available Online

DerbyCon's successful first year reminds us of what the security community is all about: sharing and learning from others, promoting new ideas, and advancing the art of security

After spending this past weekend in Louisville, I've finally experienced one of the best conferences I've ever been to: DerbyCon. I'll admit that my conference experience has been limited to DefCon, Black Hat, ShmooCon, B-Sides Las Vegas, and SANS -- all of which have their pros and cons -- but I think they serve as a good sampling of what's out there.

What I've found is that security conferences, no matter how awesome their content, are often hindered by the sheer number of people (and attitudes) in attendance and the overwhelming choice of (good and bad) content. DerbyCon had a great mix of both, including a refreshing sense of a community striving to change the broken security industry for the better.

As a first-year conference, DerbyCon came out swinging with a great lineup of speakers, including Dave Kennedy, Jayson Street, Chris Nickerson, Carlos Perez, and Chris Gates. While I was disappointed with some of the content, most of it lived up to the hype, and everyone I talked to had a couple of favorites that they really enjoyed, like Gates and Rob Fuller's "The Dirty Little Secrets They Didn’t Teach You In Pentesting Class," and Kevin Johnson and Tom Eston's "Desktop Betrayal: Exploiting Clients Through The Features They Demand."

In addition to the talks, there was a capture-the-flag competition, a lock-picking and hardware hacking area, and a "hacker" movie marathon. The vendor area had several tables with groups like No Starch Press, Pwnie Express, Hackers for Charity, and Hak5 with things to sell or items to auction to help promote a good cause.

One thing I picked up while there was a USB Rubber Ducky from Hak5. The quickest and simplest explanation is that it is a hardware-based attack device that acts like a USB HID device (i.e., USB keyboard). Plug it into a target machine, and it will inject keystrokes to change system settings, open a backdoor, or shovel a command shell back out to an attacker's machine. It's an interesting attack device that will likely have its own blog entry here once I've had more time to play with it.

I want to thank Dave (Rel1k) Kennedy, Adrian (Irongeek) Crenshaw, the other organizers, and volunteers for making DerbyCon a great success. My friends and I have already made plans to meet up again for DerbyCon 2.0. See you there.

Check out the videos from the DerbyCon presentations here, thanks to Irongeek.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com and found on Twitter @johnhsawyer.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.