Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: Conference

ITWeb Security Summit

It’s been a while since I last posted… between a trip to the UK (for BSides London) and a few days in bed with con-flu, it’s been a busy few weeks.

I’m flying out to South Africa this weekend to take part in the ITWeb Security Summit in Johannesburg. There are a lot of great speakers talking, and I was honoured to be asked to present some of my SAP research as part of the “Enterprise Resource Planning” track.

This will be the last time I’ll be presenting this material, so hopefully it will go down well. This research has been ongoing for the last year or so, and it was time to move my focus off onto some other projects I’ve got running. Plus, nobody likes to see research that’s old and busted. The information I’ll be presenting is “out there” for the community, so I’m happy to cover it one last time before I put it to bed. So much hacking, so little time 😉

If you’re attending the conference please come up and say hi… I only bite on request!

DEEPSEC 2011: Quick Roundup

Well it’s been a few days since Deepsec 2011 finished, and I thought it was about time I wrote something about the actual conference.

Day 1

The first day started off with the usual 6am start to get to Vienna in time for registration. I arrived a few minutes late for the keynote, but quickly got into the swing of things. The keynote (How Terrorists Encrypt) was a discussion of how terrorist organisations (mostly Al Qaeda and connected cells) use encryption to communicate. Although you’d expect terrorists to have the basics of OPSEC down to a fine art by now, the presentation read more like a catalogue of failures and a basic lack of skills/information. One instance was the BA IT expert Rajib Karim and his refusal to use the Mujahideen Secrets tool (a front-end for PGP/GPG?) in favour of a simple alphabetic substitution cipher.

The talk was definitely eye-opening on how badly the terrorists seem to be using encryption in general. However, it does raise the question: are we only catching the stupid ones? Perhaps the better prepared are using encryption properly and simply staying below the radar!

I wrote a number of blog posts on the other talks from Day 1:

Day 1 ended with a discussion by Morgan on the changing face of the infocalypse. Definitely worth catching on video once it’s released.

Day 2

The second day of the conference started off with a presentation on Identity X.0, OAuth, OpenID and general security issues surrounding user-centric Identity technologies. An interesting overview of implementation issues.

As with day 1, I wrote a number of blog posts for talks on day 2:

After lunch I took some time to watch Kizz MyAnthia’s presentation on Bond Tech and had a long chat with him about Mobile Phone hacking and some issues he had getting his “toys” through UK Border Security.

Unfortunately the second SAP talk of the conference (Rootkits and Trojans on your SAP landscape) met with a slight issue as the presenter’s laptop fell on the floor as the talk began. Although he managed to complete the talk, the demos weren’t possible due to data corruption. This was a pity, as the content of the presentation itself was almost 100% the same as a presentation he gave in 2010. The demos would have been the saving grace here, I think. Still, that’s life!

The final presentation of the conference was by Tom Mackenzie, discussing some of the issues surrounding vulnerability research and coordination with vendors. The presentation touched on some interesting points and posed some open-ended questions, as well as showing some interesting examples of when things work and when they don’t!

Day 2 finished off with a late night party at Metalab… good music, Club-Mate and good company. Oh, and I once again lost to Kyrah at table football! One day I will prevail, oh yes, I will 😀

Conclusion

Overall I’d give Deepsec a 7/10 for a solid conference, with friendly people and good presentations. It will definitely be on my recommended list once I get around to writing one 😉

The Good

Nice mix of presentations

Great location / organisation

The Bad

No way to leave feedback for individual speakers

No lightning talks

The Ugly

At least 1 talk based on 12 month old research / vulnerabilities

Security Forum Hagenberg 2012 – CFP

The Security Forum is a yearly meeting held at Hagenberg University (this year it takes place on the 18th-19th April). Alongside presentations on the 18th, there are also a number of workshops being held the day after.

Earlier this year I had the pleasure of attending my first Security Forum event at Hagenberg University. As my girlfriend went to Hagenberg, it’s one of the first places I got to really spend any time when coming to Austria, so I guess it’ll always have a special place in my heart. It wasn’t until after my girlfriend graduated that I learnt about the Security Forum, and I’ve been trying to visit ever since.

The highlight (for me anyway) of last year’s event was Claudio Criscione’s presentation on virtualization security. It was certainly eye-opening how badly some of these systems were configured and what you can do with an exposed admin interface. It’s a hard act to follow, but I hope for some equally good presentations at the 2012 edition.

With that in mind, the Call For Papers is now open (PDF –> EN DE) so get your papers in…

If you’re thinking of attending the conference, please let me know… always good to meet new people and see old friends!

Getting all SOAPy in Cali…

It’s not often that you get the chance to visit a country like Colombia… and even rarer that you get the chance to be part of something big like the birth of a conference. So, when I got the call that a new conference was starting up in Cali, Colombia I jumped at the chance to be a part of something special.

Over the past few months SecurityZone has gone from a far off dream into a solid reality… What started off as a vision has really taken shape, and it’s better than even we could have hoped for! Plans are in place, tickets are booked and the list of amazing speakers and trainers just keeps getting better and better.

I knew I’d be proud to be part of SecurityZone, but now I realise that I’m lucky to be counted amongst the big-name presenters flying out. I just hope my small contribution to the conference can match up to what I know will be amazing content from people like Ian Amit, Chris Nickerson, Wim Remes, Stefan Friedl, Dave Kennedy and a whole handful more!

As if that wasn’t already enough, SecurityZone is a great chance to see a part of the world that I might never see otherwise, and I intend to make the most of that chance… I hope you do too.

Hope to see you there!

Oh yeah, on a side note… Ian Amit and Chris Nickerson are running what can only be described as a once-in-a-lifetime chance, as they run a red-team testing workshop. I’d love to be a fly on the wall in that one 😉 <hint hint>