When we last left our intrepid hero, he was embarking on a quest to become an information security thought leader. A year has passed; let’s see how he’s doing! Enjoy.
I created this video for an internal Veracode video contest. It’s intended to poke fun at the abundance of “thought leaders” we have in our industry. I shared it on Twitter yesterday but thought I would post here on the blog as well. A handful of people have asked if it’s meant to satirize any particular person — sorry to disappoint, it’s just a composite. Enjoy!
I had a great time at the SOURCE Boston conference last week. Veracode was a sponsor and a few Veracoders participated as advisory members or volunteers. I had the pleasure, along with Chris Eng, of presiding over the application security track. I think all the talks were of high quality but still a few stood out for me:
Dino Dai Zovi on Mac OS Xploitation. Dino showed how to exploit a QuickTime heap overflow. He got the built-in iSight camera to take a picture of his victim and send it to him just …
Welcome, come on in, have a seat. There is a cold beer in the fridge, help yourself!
I may be new to the team, but I’m (reasonably) old to the game. My name is Tyler Shields and I’m the latest addition to the Veracode research team. I started at Veracode in September 2008 as a Senior Security Researcher and have been immediately thrown into the fire. Working for a fast-paced, highly energetic company like Veracode keeps you busy and challenges you every day. I plan to blog on the most interesting pieces of my work with Veracode and hope that …
Last week, during the OWASP AppSec 2008 Conference, the people behind the ubiquitous CISSP certification announced their latest creation — the Certified Software Security Lifecycle Professional (CSSLP). In front of a captive audience waiting for a 42″ plasma TV to be raffled, the Executive Director of (ISC)2 outlined this new certification designed to appeal to application security professionals. To his credit, Mr. Tipton stated very clearly that the CSSLP is not intended to measure one’s technical skillset. Unfortunately, it’s inevitable that employers will treat it as such.
You can read all the details on their …
Assuming the mailbox hack is not an elaborate ruse, how did they do it?
Almost as bad as the Sprint PCS password reset fiasco that made the news in April, here is the Yahoo Mail password reset screen:
As you can see, you need to know the user’s birthday, country of residence, and postal code. Not difficult information to dig up in Palin’s case, as shown here. After you enter this information correctly, you are asked to type in the alternate e-mail address that’s associated with …
Earlier today, the US District Court dealt a victory to the MBTA hackers and the EFF, lifting the injunction issued on August 9th to prevent the three MIT students from presenting their findings at DEFCON 16. In summary:
The lawsuit claimed that the students’ planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A different federal judge, meeting in a special Saturday session, ordered the trio not to disclose for ten days any information that could be used by others to get free subway rides.
“The judge …
Another BlackHat has come and gone. As usual, it was a very busy week juggling customer meetings, recruiting, conference planning, vendor parties, and, oh yes, the actual BlackHat presentations. I had a fantastic time catching up with old friends and finally getting the opportunity to meet more of the Security Twits and others in the security community. I didn’t submit a talk this year, but nevertheless, fake Dan Kaminsky was still excited to see me.
My favorite talk, as expected, was the Sotirov/Dowd talk on …
Three French journalists have been booted for life from Black Hat and Defcon for compromising the Black Hat press room wired network and grabbing the credentials for at least one reporter. Their goal was to publicize the risks to reporters, a risk that is especially current given the massive reporter presence in Beijing for the Olympics. This risk is certainly real, and it is a shame that these journalists had to compromise and embarrass one of their own and potentially run afoul of US Federal wiretap laws.
Sniffing, or monitoring all …
Here’s the rest of my list:
10:00-11:00 FX, Developments in Cisco IOS Forensics.
11:15-12:30 Oliver Friedrichs, Threats to the 2008 Presidential Election (and more).
13:45-15:00 Option 1: Scott Stender, Concurrency Attacks in Web Applications. Option 2: Travis Goodspeed, Side-channel Timing Attacks on MSP430 Microcontroller Firmware.
15:15-16:30 Option 1: Alexander Sotirov and Mark Dowd, How To Impress Girls With Browser Memory Protection Bypasses. Option 2: Karsten Nohl, Mifare – Little Security, Despite Obscurity. This is one of the toughest time slots as you also have McFeters/Carter/Heasman and Grossman/Evans in the lineup. Choices, choices.
16:45-18:00 Option …
Well, it’s almost BlackHat time. Here are my picks so far for Day 1. As you can see, I still haven’t narrowed it down completely.
11:15-12:30 Option 1: Dan Kaminsky, “DNS Goodness”. On one hand, the DNS vulnerability is already public; on the other hand, the talk will probably still be interesting even if the 0day hype is missing. Option 2: Nate Lawson, “Highway to Hell: Hacking Toll Systems”. My formal education and early work was in Electrical Engineering, so I’m always interested in hardware talks. I haven’t touched a soldering iron in years …
This post is a response to Alan Shimel’s Topic of Interest #2 for the Security Bloggers Network.
So what motivates me to attend BlackHat? The #1 reason for me is networking — meeting new people and catching up with old friends and colleagues. Despite our best intentions, we are all busy and our networks are constantly expanding, making it increasingly difficult to stay in touch with old friends in the industry. Twitter and other forms of microblogging help you chip away at the communication gaps; you get a glimpse into people’s lives but it’s no replacement …
From the Burlington Free Press, a story about a local hacking competition set up as a spectator event.
Their competition, tantalizingly called a “digital combat exercise,” was supposed to give onlookers a rare opportunity to watch a computer hacking job in progress, complete with play-by-play.
It didn’t work out that way, though, thanks to — what else? — some sort of technical glitch that obstructed efforts to monitor what the competitors were doing. So for the few non-techie spectators who showed up, the business of hacking was still as opaque and mysterious at the end of the 1 1/2-hour exercise as …
I spent the weekend in Berlin attending a conference called PH-Neutral, run primarily by the Phenoelit crew. This was the first European security conference I’ve attended and I found it quite different from any North American security gathering I’ve been to, such as BlackHat, CanSecWest, SOURCE Boston, BlueHat, or RSA. Everything was far more casual and laid back, which is something I had heard about European conferences but hadn’t experienced until now (even EUSecWest is held in a club whereas CanSecWest is in a Marriott).
Recently an executive at HP claimed that his company now employs 9 out of the top 11 security people due to HP’s acquisition of SPI Dynamics:
“Nine out of the world’s top 11 security hackers came to HP through the SPI Dynamics acquisition, he boasts, although it’s not immediately clear who ranked those top 11.”
- Mark Potts, CTO of Software, Hewlett-Packard
Now eWeek has produced a list of the 15 most influential people in security today. Here is the quick non-multimedia version: