Hey folks! Bsides Seattle 2020 is in the books, let’s recap some of the highlights.
If you’ve never attended a security conference, you’re really missing out! Loaded with content ranging from formal enterprise presentations to more interactive activities, cyber security cons are jam-packed with industry expertise. Content-wise, you’ll want to select sessions that line up with your interests.
My first security con was RSA 2020 in San Francisco, which took place right before the pandemic really shut things down in earnest. With the diversity of content at these events, you really get to choose what you’re most interested in seeing or doing.
I kicked off the morning of Bsides Seattle 2020 with the keynote presentation by Juliet Okafor. This particular keynote focused on human empathy, encouraging security practitioners to develop solutions that are easy to use and emphasizing the critical role our end users play in the grand scheme of things. At this stage of my career, however, I am more excited about the technical nuances of how systems work rather than the GRC (governance, risk and compliance) topics that are typically presented in keynotes.
Following the keynote I found myself in a presentation titled “Airplane Mode: Cybersecurity @ 30,000+ Feet” where the presenter, Olivia Stella, drew attention to the reluctance of the airline industry to discuss cybersecurity due to the fear of divulging too many industry-specific practices. General security areas of airplanes were discussed without too much detail, and numerous times the presenter drew attention to the ethical responsibilities of the industry. Hacking planes seems not only unethical, but uniquely dangerous, like the original sense of dread we all felt when the world found out that ICS computers could be hacked, causing wide-scale core infrastructure shutdown (Hello Stuxnet!). So please don’t hack planes…but let’s talk about this thing called aviation security. We’re all adults here, right?
When I was interrupted by a personal call, it was a stark reminder of how different attending a con remotely feels. There’s a sense of low commitment in attending an event like this while eating cereal in your pajamas, but there is also a unique “legacy” to this particular Bsides community. Most attendees in the Discord chat server seemed like regulars if not old friends, yearning for the old days of enjoying each other’s unmasked physical presence. Ah, the good ol’ days!
When I was back on the stream, the next presenter was battling the typical webinar issues we’ve all grown familiar with, such as a malfunctioning webcam and bandwidth issues. When things got rolling, the topic was “Cheap Shot: Hunting Low-Cost Attacker Infrastructure.” In a somewhat technical talk about top-level domain (TLD) filtering, presenter Elif Kaya drew attention to the security industry’s lack of attention to domain registrar reputation issues. This reminded me of the many standards we’re supposed to be following with our network technologies, but only do so at a mild best effort; for example, how many domains have fully implemented all the reputation protocols listed in MX Toolbox? This topic was a stark reminder of how much work still needs to be done to secure this beast of a technology called the internet.
During this whole time, there was a physical security track on lockpicking taking place all day. After fussing with the Bsides interface for a while (thanks for the save JulietBravo!), I happily jumped into an in-progress presentation by the infamous Deviant Ollam: “What Gear Do Covert Entry Teams Take on the Road?”. Now, if you’ve never enjoyed the fine wine that is a Deviant Ollam conference presentation, go on YouTube now and buckle up for some wild and entertaining content on physical pentesting. In this one, Deviant unpacked various toolkits from his adventures in on-site physical security testing, including a highly entertaining box full of clothes to facilitate social engineering. Turns out a construction worker light slapped on the top of a late-model Chevy can do wonders in earning the trust of unsuspecting front office employees!
I spent the next hour in a presentation by Microsoft about cloud application security, although the subject matter seemed directed at larger enterprises worried about their Azure access controls. I then pivoted over to the presentation by Coalfire about the infamous arrests in Iowa of two on-site pentesters. This one was a real treat as presenters Gary De Mercurio and Justin Wynn shared their firsthand experiences getting locked up by the very state they were pentesting for. This was a lively Discord chat to be sure, and the idea of a “Good Samaritan” law protecting pentesters like Gary and Justin was discussed at length.
The closing ceremony was, well, unceremonious! Conference organizer Wham gave a brief thank you and highlighted some of the novelties and challenges of a remote-only conference before closing up the event. As attendees in chat said their goodbyes, there was a genuine sadness in the air that we couldn’t all meet up in person and really enjoy the day together.
Well, that sums up my Saturday with Bsides Seattle 2020. Shoutouts to Deviant Ollam and the Coalfire Team in particular for their fantastic presentations and lively discussion of the changes necessary to protect the profession of pentesting. At a security conference, you’ll never cram in all the knowledge that presenters throw at you, but you’ll definitely find worthwhile things to care about, and hopefully forge some awesome new connections along the way.