44CON -- London — After a two-year break, information security conference 44CON returned to London, where passionate security evangelists were joined by architects and managers from leading technology companies to enjoy a two-day festival of cybersecurity research from global headliners. From Sept. 15 to 16, people came to meet, do business, talk, and learn, with the 44CON crew providing fun, great food, and cybersecurity-themed entertainment.
It was a bit like the Babylon 5 of the UK infosec community.
I asked Adrian Mahieu, the founder of 44CON and the driving force behind the conference's resurrection, what motivated him to start up again post-COVID.
"I wanted to make a conference that I'd like to go to, with some serious, in-depth technical talks [and] a few interesting sponsors that are not the usual suspects you'll see at other technical security conferences," he said. "But most interesting for me is getting people talking and learning from each other."
This focus was apparent even in simple aspects, such as the way conference organizers devoted a large communal area to tabled seating, allowing attendees to share coffee, enjoy some excellent food, or just have impromptu birds-of-a-feather sessions. People at all stages of their cybersecurity careers were present, from eager recent graduates making connections to industry leaders talent-spotting and team-building, as well as a good number of people who justify the descriptor "expert."
Multiple industry sectors were represented, including broadcast entertainment and cloud service providers. "I tell vendors that all they need to bring is a backdrop for their exhibitors table," Mahieu explained. "I don't want those big palatial booths taking up the communal space. I want everyone to feel free to talk together!"
The evening's entertainment included a security communications wargame designed and hosted by innovative game developers Stone Paper Scissors. Threat Condition simulated the problems and issues that ensue after a reputationally damaging cyberattack and highlighted the consequential organizational and communication challenges. SPS designed what I think may be the best tabletop disaster-recovery scenario wargame I have ever seen.
One thing that differentiates 44CON from other conferences is its COVID-19 precautions. 44CON installed high-powered air purifiers throughout the venue to provide clean, breathable air for attendees.
Chatham House Chats
Discussions were held under the Chatham House rule, allowing people to speak and share their research freely. In that capacity, I was able to have an in-depth conversation with one of the world's cloud security experts. We discussed the type of events he sees and which ones are the "fire-alarm" events.
"Identity is always first," he said. "Our CIRT responds in minutes to a credential leak on a public source-code repository."
When considering identity-first security, the joiners, movers, and leavers problem gets writ large, as all the cloud service provider sees is a token.
"We're faced with a choice when tuning the token lifetime — too short, and the user experience becomes sucky with overly frequent login challenges; too long, and the token becomes vulnerable in such cases as endpoint theft," he said.
Risk-assessing every transaction from the endpoint is possible. But given the breadth of activity for any cloud service user, this quickly crashes into security's scalability barrier.
Always curious about how the insider problem is evolving, I took the opportunity to ask how leading cloud service providers are addressing traditionally tricky problems, such as data loss prevention, and how that migrates in a cloud environment. Many security practitioners still have trouble converting their legacy mindsets into a cloud-native one.
My security expert was eager to illustrate: "We see a common problem where a business application user will exfiltrate information to personal AWS buckets. This means that the cloud log is in their personal bucket, and the business has no visibility of it. However, there is a simple answer — we advise business customers to create a service-aware policy that limits bucket access to corporation-owned buckets."
What this means is that many security practitioners are still limited to legacy thinking and architectural models, a key indicator of which is when practitioners try to filter based on IP address, basically trying to re-create their traditional data center in a cloud service environment. Cloud instances are ephemeral by nature, allowing savvy architects and devs to create and destroy instances on demand. IP addresses just don't matter in this context.
Participating and Presenting
Capture-the-flag (CTF) events are a staple for many cybersecurity conferences, but 44CON had its own spin. This year's CTF was organized by Trace Labs, a Canadian not-for-profit organization that partners with law enforcement agencies to leverage the power of crowdsourced OSINT collection to assist in ongoing missing persons investigations. Instead of hurling their exploit kits at a target, contestants were invited to "use their powers for good" and take real missing persons cases and hunt for missing pieces of open source intelligence, or flags. The more flags a team finds, the more points they get, all the while helping to make the missing-persons database more complete.
And saving the best for last — the talks! Headlined by James Forshaw of Google Project Zero, superb presentations allowed all of us to learn about the latest in vulnerabilities and exploitation, whether you are a red or blue teamer. Erlend Andreas Gjære, co-founder and CEO of security training adviser Secure Practice, talked about the need for a human touch in cybersecurity, and the mysterious stranger identified only as "cybergibbons" explained how he took control of cruise ships, oil rigs, and other merchant navy vessels in a talk called "I'm the captain now!"
Last but not least was an inspiring talk by Thinkst founder and CEO Haroon Meer, who closed the conference by exhorting attendees to unleash their innovation and create security products that the world needs. Meer observed how many of the products currently on the market are snake oil, peddled by people who you wouldn't leave alone in your home with your grandmother. He also pointed out that the path to a profitable software-as-a-security business is simply to find something that 1,000 people will want to use — possibly the best advice to budding entrepreneurs since Ron Gula's five-slide pitch deck.