
11 October 2010

ZaCon 2

Last year, a bunch of security techies (mostly from SensePost it seems) banded together to form a technical security group, called ZaCon. In seemingly no time, they had organised a conference/get together - which I could not attend due to work commitments. ZaCon 2 was the newer, bigger conference event. It is not really a novel concept in many respects - a bunch of people get together (on the weekend of course), organise a venue and discuss their common interest for a day - and all for next to no cost (the organisers funded some of the equipment hires; the rest was either sponsored or non-existent). It is the purest form of participation really - being there because it interests you.

As with all conferences, there was a mixture of the superbly interesting to the boring - but that is to be expected. With a strong technical focus, many of the talks focused on IT vulnerabilities - how they can be exploited and/or mitigated - from Google Apps to Java JAR files.

There were a number of highlights. On the attack front, Ivan Burke's talk on the usage of Google Apps to create features similar to botnets (though, as he willingly admitted, he was not a good speaker) was a great example of how cloud computing facilities not only create security challenges with regards to confidentiality of data (stored in the cloud) but also create a platform for future security exploits. Jurgens van der Merwe's talk later about the use of Selenium expanded further the potential of attacking web based systems. In fact, a potential that wasn't explored in great detail - the combination of Selenium and cloud based services such as Amazon EC2 and Google Apps could create a significant assault on data confidentiality - through exploiting gaps in web based services. Also on the attack front, Daniel Cuthbert's talk on banking website security was a sobering reminder on vulnerabilities that are created by sheer incompetence as opposed to oversight.

Ross Simpson's talk on the use of jailbroken iPhones as a means to infiltrate wireless networks did not really explore major new ground - but was a very practical walkthrough on the power of smartphones and a new attack vector. Like the attack vector of cell phone cameras where normal cameras are not allowed, this is yet another attack vector that is easy to deploy and hard to mitigate against.

Ollie Whitehouse discussed the forming of UnCon 10 years ago (security community in the UK, and seemingly the idea that gave rise to ZaCon) via Skype - and was impressive not only in the content of the talk (I think there are a lot of things that ZaCon can "copy") but also the fact that the technology worked. Using two different computers (one to control the screen and the other to conduct the Skype call), each with its own 3G connectivity definitely helped in this regard.

The last talk, Barry Irwin's analysis on the propagation of Conficker was quite interesting - especially the patterns on the network traffic correlated to the spread of the virus. The fact that Conficker has gone quiet is itself a worry - and the correlation of Conficker to other viruses, including Stuxnet, could be interesting research.

Overall, it was a great event - and a great learning environment. I do think, however, that there is a need to shorten the number of speakers and instead open up the floor for a lot more debate and discussion. Congratulations to the organisers for a great event!
