User:Dkeeler/Notes:BSidesPDX2013: Difference between revisions

Latest revision as of 19:30, 30 September 2013

Notes from BSidesPDX 2013 (http://www.securitybsides.com/w/page/40113672/BsidesPDX)

Brian Wilson: Reversing the Brain Drain (keynote)

Main takeaway point seems to be that companies are increasingly contracting out specialties like setting up security systems or security spec compliance, whereas previously it had been done in-house. This is both expensive and results in nobody in-house knowing how their systems work. Gave some ideas for how to attract back talent that has gone into security consulting.

Jeff Forristal: Android Master Keys

Talked about the Android bugs that allowed tampered APKs to verify as intact. Boiled down to two different implementations: one in Java that verified at install time and one in C that verified at run time. In particular, one bug involved the two implementations treating duplicate file entries differently. Takeaway point: having multiple implementations of the same functionality can be harmful, particularly where they differ.
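
The divergence described above, as an added illustration rather than anything from the talk or from Android's own code: a ZIP archive whose central directory carries two entries named `classes.dex`, read under two plausible "which entry wins?" policies, plus the defensive check (reject any archive with duplicate names) that makes the question moot. The archive contents and file names are constructed for the example; only Python's standard `zipfile` module is used.

```python
import io
import warnings
import zipfile


def build_duplicate_entry_zip() -> bytes:
    """Constructed sample archive with two central-directory entries that share
    a name. zipfile warns about the duplicate but still writes both entries."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # suppress the "Duplicate name" warning
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("classes.dex", b"original payload")
            zf.writestr("classes.dex", b"tampered payload")
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


def duplicate_entries(archive: bytes) -> list:
    """Return names that occur more than once in the central directory."""
    seen = set()
    dupes = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():  # infolist() keeps every entry, duplicates included
            if info.filename in seen and info.filename not in dupes:
                dupes.append(info.filename)
            seen.add(info.filename)
    return dupes


def read_first_entry(archive: bytes, name: str) -> bytes:
    """Policy A: walk the central directory and take the first entry with that
    name, reading it by ZipInfo so the index is bypassed."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)
    raise KeyError(name)


def read_by_name(archive: bytes, name: str) -> bytes:
    """Policy B: look the name up in the archive's name index. zipfile builds
    that index by overwriting on each entry, so the last duplicate wins."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


def verify_archive(archive: bytes) -> bool:
    """Defensive check: an archive with duplicate names is rejected outright,
    so every consumer that passes this gate sees one set of bytes per name."""
    return not duplicate_entries(archive)


if __name__ == "__main__":
    sample = build_duplicate_entry_zip()
    print("duplicates:", duplicate_entries(sample))
    print("first-entry policy:", read_first_entry(sample, "classes.dex"))
    print("name-lookup policy:", read_by_name(sample, "classes.dex"))
    print("accepted:", verify_archive(sample))
```

The two read functions return different bytes for the same name from the same archive, which is exactly the situation the talk warned about when a verifier and a loader embody different policies. The check in `verify_archive` is the cheap fix: the archive format permits duplicate names, so a consumer that cares about integrity should refuse them before any other component gets to pick.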

Ken Westin: Catching Thieves and Pedophiles with Metadata

Spoke about scraping publicly-available images and building a database of their EXIF data. Camera serial numbers and even geolocation data are often present if not removed, so if images taken with stolen cameras are uploaded to the internet (which often happens automatically with camera-phones), the cameras can be traced and recovered. Also, with the database, images can be correlated, which is useful for identifying pedophiles.
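
The mitigation side of this talk, as an added example (not from the speaker or the page): a minimal JPEG segment walker that detects and strips the Exif APP1 block before an image leaves a device. The sample JPEG is constructed inline with a made-up serial-number string standing in for the TIFF-structured Exif payload; real Exif data is a TIFF tree inside that segment, but the segment boundaries this code relies on are the same.

```python
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
APP0, APP1 = 0xFFE0, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"


def _segment(marker: int, payload: bytes) -> bytes:
    """JPEG marker segment: 2-byte marker, 2-byte big-endian length that
    counts itself plus the payload, then the payload."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed stand-in for a camera JPEG: SOI, an Exif APP1 block with a
    fake serial-number string, a JFIF APP0 block, an SOS header, a few bytes of
    fake scan data, EOI. The serial string is invented for this example."""
    exif = EXIF_HEADER + b"II*\x00" + b"SERIAL=CONSTRUCTED-0001"
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (struct.pack(">H", SOI)
            + _segment(APP1, exif)
            + _segment(APP0, jfif)
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x00\x11\x22\x33"          # fake entropy-coded scan data
            + struct.pack(">H", EOI))


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each segment up to and including SOS.
    Entropy-coded data after SOS is not a marker sequence, so we stop there."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF:
            raise ValueError("lost marker sync at offset %d" % pos)
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:
            return
        pos = end


def _is_exif(data: bytes, marker: int, start: int) -> bool:
    return marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER


def has_exif(data: bytes) -> bool:
    return any(_is_exif(data, m, s) for m, s, _ in iter_segments(data))


def segment_markers(data: bytes) -> list:
    return [m for m, _, _ in iter_segments(data)]


def strip_exif(data: bytes) -> bytes:
    """Copy every segment except Exif APP1 blocks, then append the untouched
    scan data and EOI that follow the SOS header."""
    out = bytearray(data[:2])
    last = 2
    for marker, start, end in iter_segments(data):
        if _is_exif(data, marker, start):
            continue
        out += data[start:end]
        last = end
    out += data[last:]
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("exif present:", has_exif(sample), "markers:", [hex(m) for m in segment_markers(sample)])
    cleaned = strip_exif(sample)
    print("after strip:", has_exif(cleaned), "markers:", [hex(m) for m in segment_markers(cleaned)])
```

Stripping the whole APP1 block is the blunt but reliable approach: it removes serial numbers, GPS tags and embedded thumbnails together without needing to understand the TIFF tree inside. A device that uploads automatically is the right place to run this, since once the image is scraped into a database like the one described, the metadata cannot be recalled.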

Joe Fitzpatrick: Ultra Low-Cost USB Based Side Channel Power Supply

Started with an introduction to timing side-channel attacks (relevance to us: Lucky Thirteen attack). Moved on to implementing a power consumption-based attack against an implementation not vulnerable to a timing attack. Built a low-cost device to do so. This might be relevant to FFOS.
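
The timing-side-channel introduction the talk opened with, as an added example (not the speaker's code): a naive early-exit comparison beside a constant-work one, instrumented with a count of bytes examined as a deterministic stand-in for elapsed time. The secret and guesses are constructed; `hmac.compare_digest` is the standard-library routine to use in practice.

```python
import hmac


def early_exit_compare(expected: bytes, supplied: bytes):
    """Naive MAC check. Returns (equal, bytes_examined). It stops at the first
    mismatch, so the work done, and hence the run time, reveals how long a
    correct prefix the caller supplied."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for x, y in zip(expected, supplied):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_work_compare(expected: bytes, supplied: bytes):
    """Examines every byte regardless of where a mismatch lies and accumulates
    the difference with OR, so no data-dependent branch decides when to stop."""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(expected, supplied):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def stdlib_compare(expected: bytes, supplied: bytes) -> bool:
    """What production code should call: CPython's compare_digest is written
    to take time independent of the contents."""
    return hmac.compare_digest(expected, supplied)


def work_profile(compare, secret: bytes, guesses: list) -> list:
    """Bytes examined for each guess; a profile that varies with the guess is
    the leak an attacker measures through timing."""
    return [compare(secret, g)[1] for g in guesses]


# Constructed secret and guesses that differ from it at byte 0, byte 3,
# byte 9, and not at all.
SECRET = b"s3cr3tMAC!"
GUESSES = [b"X3cr3tMAC!", b"s3cX3tMAC!", b"s3cr3tMACX", b"s3cr3tMAC!"]

if __name__ == "__main__":
    print("early-exit work:", work_profile(early_exit_compare, SECRET, GUESSES))
    print("constant work:  ", work_profile(constant_work_compare, SECRET, GUESSES))
    print("stdlib result:  ", [stdlib_compare(SECRET, g) for g in GUESSES])
```

The early-exit profile climbs with the length of the correct prefix, which is the signal a timing attack recovers one byte at a time; the constant-work profile is flat. Two caveats: pure-Python loops are only approximately constant-time because of interpreter overhead, which is why `hmac.compare_digest` is the real answer, and, as the rest of the talk showed, a flat timing profile does not make an implementation safe against power analysis, which observes what the bytes are rather than how long they took.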

Mickey Shaktov and Toby Kohlenberg: UART THOU MAD

Showed how some common (mostly networking) devices have UART exposed, which can be used like a serial interface to dump debug information or gain an unauthenticated terminal. The takeaway here is that the network is untrusted.