Category: Security

Categories
Conferences Security Tampa Bay

BSides Tampa 12: This coming weekend!

BSides Tampa 12, Tampa’s big cybersecurity conference, takes place this weekend at the University of South Florida!

BSides Tampa is one of Tampa Bay’s biggest tech conferences, with 1,900 attendees at last year’s event:

It’s worth checking out, even if cybersecurity isn’t your main focus. For starters, in today’s incredibly networked and AI-powered environment, security is everyone’s concern.

You’ll also learn a lot, whether it’s from one of presentations spread across seven tracks, the villages (the Social Engineering Adventure Village, the Lockpick Village, and the Network Security Village), the two Capture the Flag events, or the people you’ll meet.

Yours Truly, presenting at last year’s BSides Tampa. You can find out more about my presentation here.

BSides Tampa will take place over two days:

  • Friday, May 16: Training and workshops
  • Saturday, May 17: The main conference and post-conference happy hour

The tickets for the main conference are very reasonably priced:

  • General admission: $45
  • Students / active-duty military / veterans: $30

You can buy tickets to BSides Tampa here.

BSides’ history

BSides gets it name from “b-side,” the alternate side of a vinyl or cassette single, where the a-side has the primary content and the b-side is the bonus or additional content.

In 2009, the Black Hat conference in Las Vegas received way more presentation submissions than they could take on. The rejected presenters had very good presentations; there just wasn’t enough capacity for them. Those presenters, disappointed at not having their presentations accepted, banded together and made their own “b-side” conference in the spirit of Bender from Futurama.

That event was the first BSides, a small, hastily-assembled event that ran at a BSides organizer’s house at the same time as Black Hat on July 29 and 30, 2009.

Here are some photos:

Here’s the summary of that first BSides from the BSides history page:

It was a wild success: the talks were good, the party was better, and it was clear that the security community was excited at the idea of a conference that focused on conversations and personal interaction with peers. Those involved in the first event had a vision of rolling the idea out at a regional level, enabling local organizers to set up similar conferences in their own area.

In 2010, BSides took place again in Las Vegas, but there were also BSides conferences in Atlanta, Austin, Berlin, Boston, Dallas, Delaware, Denver, Kansas City, Ottawa,  and San Francisco. In 2011, it would expand to over 40 events, with Africa and Australia joining the list of continents that had a BSides conference.

Tampa had its first BSides on February 15, 2014, and it’s grown over the years to become one of the biggest Tampa Bay tech events of the year.

BSides Tampa is sponsored by the Tampa Bay chapter of (ISC)², which is clever and mathematically-correct shorthand for “International Information System Security Certification Consortium”. (ISC)² is a non-profit specializing in training and certifying information security professionals.

Join us at BSides Tampa this weekend!

Categories
Current Events Security

This is horrifying: U.S. Defense Secretary Orders Cyber Command to stand down from all planning to counter Russia

According to cybersecurity news site The Record (they’re pretty good; you should bookmark them), newly-appointed U.S. Defense Secretary (and former FOX News host, philanderer, and raging alcoholic with a track record that “falls short of military standards”) ordered U.S. Cyber Command to stand down from all planning against Russia last week.

This is the same Russia that brought us cybersecurity threats such as:

Here’s what CISA — the Cybersecurity and Infrastructure Security Agency — has to say about Russia. This is from their Russia Cyber Threat Overview and Advisories page, which was on their website at the time of writing, but it might not be for much longer:

Friends in the cybersecurity industry — prepare a lot of headaches in the near future.

Categories
Current Events Security

DOGE’s government org chart page seems to be hacked

At the time of writing, if you go to this URL at the (incredibly unserious) DOGE.GOV site…

https://doge.gov/workforce?orgId=7cd300eb-cf3f-47f5-90f1-9e66a8bc8d07

…you’ll see this:

According to 404 Media:

The doge.gov website that was spun up to track Elon Musk’s cuts to the federal government is insecure and pulls from a database that can be edited by anyone, according to two separate people who found the vulnerability and shared it with 404 Media. One coder added at least two database entries that are visible on the live site and say “this is a joke of a .gov site” and “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN -roro.”

Not only do the DOGEbags lack forensic accountants, it seems that they’re short on people with even the most basic cybersecurity chops.

Coverage at the time of writing

Categories
Humor Security

When you fail a company phishing email test

In all my years, I’ve failed it only once. But I’m certain that actually experiencing that failure ensured that the lesson would “stick.”

I happened a few years back. I was being diligent and getting all my tax stuff ready to send to my accountant in early February, around the time when my then-employer was sending employees their primary tax document, the dreaded Form W-2. (For those of you outside the U.S., it’s the wage and tax document provided by your employer; for example, the Canadian equivalent is the “T4 Slip”.)

I was doing a search through my company inbox to find the download location for my W-2 information, having forgotten that it was available through Workday. One of the search results was one of those phishing email tests, disguised to look like an official email with a link to my tax info. Since I was reading the email as search results and not as email, I was not in my usual email security mindset, clicked the link in the email, and boom:

I got the usual “Your manager will be notified and you’ll have to undergo mandatory security re-education” message afterward. Surprisingly, my manager never brought it up, and I was never scheduled for the “Don’t do it again, dumbass” remedial course, but believe me: I learned my lesson that day.

Categories
Humor Security

Obscurity DOES have a role in security

Thanks to Ewan Sinclair for the find! Tap to view at full size.
Categories
Current Events Humor Security

“Tell Crowdstrike. I want them to know it was me.”

Thanks to Chris Laco for the find!

Categories
Presentations Security What I’m Up To

Video of my Bsides Tampa 2024 presentation, “xz made EZ”

Here it is — the video of my presentation, xz made EZ, which covers the security incident with the xz utils utility on Unix-y systems, which I gave at BSides Tampa 2024 on April 6th:

If you’d like them, here are the Google slides from the presentation.

Questions and answers

How did I land this presentation?

The details of the xz vulnerability were made public mere days before the BSides Tampa 2024 cybersecurity conference, and on a whim, I emailed the organizers and asked if I could do a lightning talk on the topic.

They quickly got back to me and let me know that they’d had a last-minute speaker cancellation and gave me a full slot in which to do my presentation.

The moral of the story? It never hurts to ask, and it can lead to opportunities!

What’s this xz thing, anyway?

Let me answer with this slide from my presentation:

xz is short for xz Utils, a compression utility that you’ll find in Unix-y operating systems, including:

  • Linux distributions
  • macOS

It’s usually used by Unix greybeards who generally use it in combination with tar.

What happened with xz?

xz was one of those open source projects that had a vulnerability best illustrated by this xkcd comic:

xz was like that project pointed out in the comic, except that the “random person” doing the maintaining was Lass Collin, a developer based in Finland, who was experiencing burnout. As a result, xz was languishing.

In what appeared to be a stroke of good fortune, a developer who went by the handle of “Jia Tan” on GitHub came to the rescue and started submitting patches to xz.

At about the same time, there were a number of complaints about xz’s lack of apparent maintenance. In hindsight, it looks like a clever two-pronged campaign:

  1. A group of people loudly clamoring for someone else to take the reins of the xz project, and
  2. A friendly developer who swoops in at the right time, making patches to the xz project…

…all while a burned-out Lasse Collin was facing a lot of stress.

On November 30, 2022, Lasse changed the email address for xz bug reports to an alias that redirected to both his email address as well as Jia Tan’s. At that point, Jia Tan, the apparently helpful developer who appeared at just the right time, was now an official co-maintainer.

Not long after, Lasse releases his last version of xz, and soon after Jia Tan, now the sole maintainer of the project, releases their own version.

With full control of the project, Jia Tan starts making changes — all the while, carefully disguising them — that create a “back door” within the xz application.

On any system that had Jia Tan’s tainted version of xz installed, an unauthorized user with the right private key could SSH into that system with root-level access. By becoming the maintainer of a trusted application used by many Linux versions, Jia Tan managed to create a vulnerability by what could have been one of the most devastating supply-chain attacks ever.