Perimeter
10/7/2011
04:11 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

DerbyCon Fosters Community -- Videos Available Online

DerbyCon's successful first year reminds us of what the security community is all about: sharing and learning from others, promoting new ideas, and advancing the art of security

After spending this past weekend in Louisville, I've finally experienced one of the best conferences I've ever been to: DerbyCon. I'll admit that my conference experience has been limited to DefCon, Black Hat, ShmooCon, B-Sides Las Vegas, and SANS -- all of which have their pros and cons -- but I think they serve as a good sampling of what's out there.

What I've found is that security conferences, no matter how awesome their content, are often hindered by the sheer number of people (and attitudes) in attendance and the overwhelming choice of (good and bad) content. DerbyCon had a great mix of both, including a refreshing sense of a community striving to change the broken security industry for the better.

As a first-year conference, DerbyCon came out swinging with a great lineup of speakers, including Dave Kennedy, Jayson Street, Chris Nickerson, Carlos Perez, and Chris Gates. While I was disappointed with some of the content, most of it lived up to the hype, and everyone I talked to had a couple of favorites that they really enjoyed, like Gates and Rob Fuller's "The Dirty Little Secrets They Didn’t Teach You In Pentesting Class," and Kevin Johnson and Tom Eston's "Desktop Betrayal: Exploiting Clients Through The Features They Demand."

In addition to the talks, there was a capture-the-flag competition, a lock-picking and hardware hacking area, and a "hacker" movie marathon. The vendor area had several tables with groups like No Starch Press, Pwnie Express, Hackers for Charity, and Hak5 with things to sell or items to auction to help promote a good cause.

One thing I picked up while there was a USB Rubber Ducky from Hak5. The quickest and simplest explanation is that it is a hardware-based attack device that acts like a USB HID device (i.e., USB keyboard). Plug it into a target machine, and it will inject keystrokes to change system settings, open a backdoor, or shovel a command shell back out to an attacker's machine. It's an interesting attack device that will likely have its own blog entry here once I've had more time to play with it.

I want to thank Dave (Rel1k) Kennedy, Adrian (Irongeek) Crenshaw, the other organizers, and volunteers for making DerbyCon a great success. My friends and I have already made plans to meet up again for DerbyCon 2.0. See you there.

Check out the videos from the DerbyCon presentations here, thanks to Irongeek.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com and found on Twitter @johnhsawyer.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9676
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

CVE-2014-9682
Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

CVE-2015-0655
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

CVE-2015-0884
Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

CVE-2015-0885
Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.