Perimeter
10/7/2011
04:11 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

DerbyCon Fosters Community -- Videos Available Online

DerbyCon's successful first year reminds us of what the security community is all about: sharing and learning from others, promoting new ideas, and advancing the art of security

After spending this past weekend in Louisville, I've finally experienced one of the best conferences I've ever been to: DerbyCon. I'll admit that my conference experience has been limited to DefCon, Black Hat, ShmooCon, B-Sides Las Vegas, and SANS -- all of which have their pros and cons -- but I think they serve as a good sampling of what's out there.

What I've found is that security conferences, no matter how awesome their content, are often hindered by the sheer number of people (and attitudes) in attendance and the overwhelming choice of (good and bad) content. DerbyCon had a great mix of both, including a refreshing sense of a community striving to change the broken security industry for the better.

As a first-year conference, DerbyCon came out swinging with a great lineup of speakers, including Dave Kennedy, Jayson Street, Chris Nickerson, Carlos Perez, and Chris Gates. While I was disappointed with some of the content, most of it lived up to the hype, and everyone I talked to had a couple of favorites that they really enjoyed, like Gates and Rob Fuller's "The Dirty Little Secrets They Didn’t Teach You In Pentesting Class," and Kevin Johnson and Tom Eston's "Desktop Betrayal: Exploiting Clients Through The Features They Demand."

In addition to the talks, there was a capture-the-flag competition, a lock-picking and hardware hacking area, and a "hacker" movie marathon. The vendor area had several tables with groups like No Starch Press, Pwnie Express, Hackers for Charity, and Hak5 with things to sell or items to auction to help promote a good cause.

One thing I picked up while there was a USB Rubber Ducky from Hak5. The quickest and simplest explanation is that it is a hardware-based attack device that acts like a USB HID device (i.e., USB keyboard). Plug it into a target machine, and it will inject keystrokes to change system settings, open a backdoor, or shovel a command shell back out to an attacker's machine. It's an interesting attack device that will likely have its own blog entry here once I've had more time to play with it.

I want to thank Dave (Rel1k) Kennedy, Adrian (Irongeek) Crenshaw, the other organizers, and volunteers for making DerbyCon a great success. My friends and I have already made plans to meet up again for DerbyCon 2.0. See you there.

Check out the videos from the DerbyCon presentations here, thanks to Irongeek.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com and found on Twitter @johnhsawyer.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8893
Published: 2015-01-28
Multiple cross-site scripting (XSS) vulnerabilities in (1) mainpage.jsp and (2) GetImageServlet.img in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-8894
Published: 2015-01-28
Open redirect vulnerability in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the out parameter.

CVE-2014-8895
Published: 2015-01-28
IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allows remote attackers to bypass intended access restrictions and read the image files of arbitrary users via a crafted URL.

CVE-2014-8917
Published: 2015-01-28
Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media A...

CVE-2014-8920
Published: 2015-01-28
Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 5R4, 6.1, and 7.1 on Windows allows local users to gain privileges via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.