• Things I hearted Last Week

    Roundup for the week ending 29th April 2016.

    BAE Systems published a write-up on the hack against the Bangladesh Bank SWIFT system.

    Hacked Firm Cares More About Its Users’ Security Than Its Image. Could this become a thing?

    Grab a coffee and set aside a few minutes to read this. A Leak Wounded This Company. Fighting the Feds Finished It Off

    Why cybercriminals attack healthcare more than any other industry

    Financial Service industry losing £1655m in invoice fraud.

    Watering Hole Attacks: Detecting End-User Compromise before the Damage is Done

    Beautiful people, dubbed the tinder for the elite and good looking (that rules me out then) suffered a breach. Claus Cramon Houmann tries to make sense of the pieces.

    The Cloudflare blog claims that to date they’ve not seen a single DDoS attack launched against a threatened organisation.

    Examining the leaked passwords and PINs from Qatar National Bank

    Elle Armageddon follows up her first piece on OPSEC with OPSEC for Activists, Part 2: Packing for a Protest. Some great tips if you’re of the protesting type.

    I assume everyone has heard that the Verizon DBIR report for 2016 is out. I am grateful Verizon don’t put it behind a paywall or infowall. You can get it here.

    Former Tor dev helped FBI target Tor users. With enough money…

    I know a few people that have made this mistake… Hacking Slack accounts: As easy as searching GitHub

    New Fourth Wall report takes a look at Thycotic and its expanding horizons.

    Ever wondered how to define threat intelligence? No worries, I made a video.

    Finally, security expert and SensePost COO Daniel Cuthbert is an avid photographer and adventurer. He blogged about how he visited Chernobyl and Pripyat 10 years ago on the 20th anniversary of the accident. Some hauntingly beautiful pictures.

  • Heading to the Rocky Mountains

    One of the best kept secret conferences over the last decade has been the Rocky Mountain Information Security Conference (RMISC). At least, I assume it’s been a secret because I wasn’t aware of it earlier.

    The reason I’m so interested in the Rocky Mountain Information Security Conference is that this year they kindly invited me to be one of their global Ambassadors.

    So, in order to find out more, I got in touch with Robb Reck.

    Robb Reck is heading up the RMISC program committee. I’ve known Robb for a number of years. We both used to contribute regularly to InfosecIsland and we’ve met at conferences over the years. He tells me we met at RSA back in February, but I think he’s just trying to confuse me.

    Robb Reck

    I ask Robb to give me a bit of background on RMISC.

    “RMISC is organized jointly by the Denver ISSA and ISACA chapters. I am the president of ISSA Denver, and have been involved in running RMISC for the last four years. This year I am heading up the RMISC program committee. Previously I have helped run the sponsorship program.

    We are celebrating the 10th anniversary of the conference in 2016. It was founded with the goal to provide a regional conference with world-class talent, at a low cost.”

    “So would you consider 2016 to be the breakout year?” I ask.

    “Over the last few years we’ve seen the conference turn the corner and start to grow significantly. While we’ve been the largest security conference in Colorado since our inception, we’ve begun drawing some great names from all over the country. This year’s conference looks to be the best yet, with keynotes from big industry names including John McAfee, Chris Wysopal, Gene Spafford and Dave Cullinane.”

    I’m impressed by the proposed lineup. “Those names alone would bring in a crowd if you can get the word out.”

    “Yes, which is why in 2016 we have decided to partner with people throughout the world to spread the word about this conference that’s somewhat hidden in the Rocky Mountains. So we wanted to reach out to folks who are active in the security community throughout the rest of the world. We believe that these ambassadors can help us shape the conference to meet the needs of the largest security community, while spreading the word about the conference to their own networks.

    So we have partnered with you, Dave Lewis, Jack Daniel, Anthony Freed, Jayson Street, and Eddie ‘the yeti’ Mize. Attendees will have the chance to see the ambassadors in action in an opening keynote panel where we’ll get a bit of give and take between the group. It should be a fun session for attendees.”

    Feeling like I’d learnt enough about the conference, I thought I’d move the discussion on to more important issues. “It’ll be my first time in Denver. Is there anything I should definitely see or do?”

    “We’re about an hour from the real mountains, so a drive up there to one of our mountain towns is a no-brainer. Visiting the 16th street mall is a nice touristy thing to do. The Coors brewery in Golden is one of my personal favorite attractions. We’ve got a little of everything in Colorado.”

    “So Robb, why call it the Rocky Mountain Information Security Conference? I mean, aren’t all mountains Rocky?”

    Robb smiles at me, “I will answer this question, and many others, over drinks after the conference. Is that an enticement to come, or what?”

    I think that is all the enticement I need.

    Before I hang up, Robb squeezes in the following words like the health warning at the end of an advert:
    “RMISC takes place between May 11th and 12th 2016 in Denver, CO and will have 8 tracks this year, featuring 32 sessions, ranging from highly technical to management. Whether you’re an auditor looking for tips to do your job better, a security pro looking for the latest tactics, or a security executive looking to share and learn from peers, RMISC has something for you. Don’t miss the full and half day training sessions available on Wednesday. More information and sign-up is available at www.rmisc.org.”