CEIC2015 Las Vegas: Going Deep From Hour One

Posted in CEIC with tags , , on May 20, 2015 by datasecurityblog

CEIC2015, the Digital Forensics and Data Security Conference started off HOT in Las Vegas. It was a cold rainy day in Las Vegas on Monday..well, 75F. It’s not unusual to see temperatures in the 90s in the third week of May in Las Vegas.

Well-sheltered in Caesar’s Palace Las Vegas, CEIC sessions started Monday afternoon with deeply technical sessions on network forensics, mobile forensics, and a summit for Chief Information Security Officers. As with previous CEIC confabs, this conference has many members of law enforcement mixed with corporate digital forensicators.

On Tuesday, the first full day of the conference, there was unusual scheduling by the organizers. Typically, the Keynote address would kick off the day. But Tuesday started with more intensely technical and legal lectures bright and early 8am. The Keynote address started at 9.30. It was content focused, rather than using the glitz and show biz nonsense that drove RSA’s kick off Keynotes.

The vendor area is moderately sized, actually rather cozy. And, as a nice bonus, The CyberJungle notices that many CEOs and forensic researcher staffers were in their own booths. Again, a nice contrast with some recent conferences that staffed the booths with only marketing people.

Wednesday is thankfully Keynote-free. The focus is on learning the nuts and bolts of digital forensics. Those that are here to really learn won’t be disappointed.

RSA Conference 2015: Opening Keynotes, Tuesday April 21st 2015

Posted in RSA Conference on April 22, 2015 by datasecurityblog

The Opening Keynotes for RSA Conference 2015 seemed like a safe bet, if judged by the lines to get into the Keynote auditorium at Moscone Center in San Francisco. The CyberJungle showed up early, and encountered a massive line, of people, grabbing a “brown bag” breakfast of a ham and egg sandwich. So, we skipped that line, grabbed a bite nearby and came back to just see the keynotes.

Just at the moment it was our turn in line to enter, the security people said the room just hit capacity, and The CyberJungle had to view the keynotes in an overflow room filled with a massive video display.

While the technology in that room was great, the keynotes were a snore. Jane Lynch from Glee was doing a sing and dance number that was more appropriate for a G-rated MTV Music award performance, backup singers included.  Snore.

The opening Keynote by RSA Head Honcho Amit Yoran had some good nuggets about the transformation of security into everything around us (think Internet of Things, Smart Cars, etc), there was still a lot of marketing fluff over computer science substance.

‘Whit’ Diffie, one of the Godfather’s of crypto was in a panel, and didn’t dissapoint with his insights into the future of crypto.

Overall, The CyberJungle wishes for more substance and less sizzle in next year’s opening keynotes.

RSA Conference: Innvoation Sandbox

Posted in Uncategorized on April 21, 2015 by datasecurityblog

Day one of RSA Conference 2015 kicked off again this year with the Innovation Sandbox. Ten of the most interesting infosec startups are selected by a panel of infosec investors and experts. In a small gallery, ten firms get to present, show their wares, and network with researchers, investors, and customers.  The CyberJungle was at the very first Sandbox in 2008, and it was the highlight of that conference.

2015’s edition of the Sandbox didn’t disappoint.  Three of the standouts (in alphabetical order):

1. Bugcrowd‘s approach to crowdsourcing bug detection is worth looking out. Think Uber for infosec testing. We interviewed them on the show last year, and now they have grown to over 16,000 infosec pros providing services.

2. Cybereason has an interesting approach to anomaly detection

3. SentinalOne says their new approach to malware will replace anti-virus

Fashion in the age of total tracking?

Posted in DefCon with tags on August 4, 2013 by datasecurityblog

(Las Vegas NV, Def Con 21- ) The Cyberjungle encountered a veiled woman walking toward Sunday morning sessions. Her black lace veil looked so much like traditional mourning attire that we nearly didn’t approach her — and yet, this is Def Con. It took about a nanosecond to guess that the mourning was symbolic.

Veiled Woman Def Con

(Photo- SamStone, TheCyberjungle) Nameless def con attendee mourns the death of privacy while obscuring her face from the casino cams

It’s a multi-purpose costume, she said. As we suspected, she is mourning the large-scale loss of privacy that’s making all of us sad.  But she also noted the ubiquitous and unapologetic Las Vegas casino surveillance.  It does prompt a privacy-loving person to think of ways to obscure her face.

She and a friend who worked with her to design the hat-and-veil combination set out purposely to make physical safety a priority. The lace doesn’t prevent her from seeing what’s around her.  And hey, it’s pretty, if you care about that. (Some Def Con attendees don’t).

She did not give her name.  But says she may write about existing for three days as a veiled presence in a crowd.  It’s been an interesting experience, she said.

TED 2013: Google Glass Will Bring Info To You, Says Sergey Brin. Also Brings Discoverable Evidence To Litigation

Posted in TED with tags , , , , on February 27, 2013 by datasecurityblog

Sergey Brin, the Co-Founder of Google is at TED 2013 Conference in Long Beach California this week talking up the benefits of Google Glass. There’s been a lot of “gee whiz” news coverage recently about Google Glass — smart eyeglasses that figure out what you’re looking at, and then add to your experience by searching the web for relevant information about what you’re seeing.

This is a greatly simplified explanation, but imagine starting at an attractive stranger who’s seated on the other side of a cafe, and his or her Facebook page pops up in your field of vision. Google Glass represents the commercialization of augmented reality and wearable computers.

Augmented reality combines real world screen images enhanced with system data. In the case of Google Glass, the technology will be used first and foremost to hone advertising messages to your precise interests. Reports indicate that Google Glass can use 3G or 4G data streams from the user’s smart phone. Other reports point to the device also being WiFi enabled for network connectivity.

In legal terms, Google will make inferences about your frame of mind and your disposition toward people, places and things. Google will do this by tracking your eye movements, recording what you look at, and for how long. Part of the Google patent portfolio includes patents on tracking eye movements.

If you spend a lot of time gazing at sports cars, Google will infer an interest in high-performance automobiles and related products. If you regularly read Chinese menus, or street signs in a questionable neighborhood, or email messages, that data could be available to someone who wants to draw conclusions based on what you choose to put in front of your face. What can be inferred from detailed records of what you choose to look at?

If the “wearable computing device” is widely adopted, expect an avalanche of digital forensics and legal issues a few years down the road.  For instance, did you spend too much time looking at certain body parts on your co-worker? Will that information become admissible evidence in a sexual harassment action?

Who did you talk with and what was said?  Some casual conversations will become part of a permanent data trail, because the Google Glasses have audio equipment.

Google Glass and the devices and clouds they’re connected to will know more than ever about the user and his activities, and that moves us into uncharted civil and criminal legal territory.

Can intent be demonstrated through eye and head movement? If person #1 stares at person #2 for a long time, and then person #2 is found beaten and bloody, what was the intent of the staring?

Could a record of eye movements compound or mitigate liability? What does a surgeon see leading up to a sentinel event, or an airline pilot see before a crash?

In an auto accident case, did the driver see the pedestrian? Or was he looking at a blonde behind the wheel in the adjacent lane? Or a SatNave display, or the maintenance light on the dashboard? (Or a message being sent to him by his Google Glass?)

Will augmented reality glasses like Google Glass required, under contract or agreement? Would it be desirable to follow the eyes of a dockworker who loads and unloads valuable merchandise? Would recording a nurse’s field of vision provide valuable defense during litigation? Could Google Glass alert the employer when a staffer does a task that’s outside of the standard operating procedure?

All of this will be discoverable, and these are just some of the questions this new technology brings with it. Hold onto your hat, we are entering a new phase in law and jurisprudence.

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a digital forensic analyst with Nevada-based Data Clone Labs.  He is a co-host of CyberJungle Radio, a contributor to HabeasHardDrive.com, and The SANS Computer Forensics Blog. He President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigator’s Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.

Please support our sponsors, as they support The CyberJungle


SpectorSoft: IT professionals, Risk Officers, and HR staff have more worries than ever: insider theft, inappropriate communications, inefficient processes, employee investigations, and compliance requirements. These pressing issues demand a reliable, automated, advanced technology capable of showing user, department, and division activity no matter where the users are or what devices they are using. SPECTOR 360, the de facto corporate User Activity Monitoring solution, addresses these issues and meets this demand.

SPECTOR 360 monitors, captures, and analyzes ALL user and user group activity including: email sent and received, chat/IM/BBM, websites visited, applications/programs accessed, web searches, phone calls, file transfers, and data printed or saved to removable devices.

SPECTOR 360 features automated, remote installation of the Windows and Mac clients and requires no client installation on BlackBerry devices.

EXCLUSIVE: Super Stealthy Attack By-Passes Nearly All CyberDefences

Posted in SecurityBsides with tags , , , , on July 27, 2012 by datasecurityblog


One session room at SecurityBSides Las Vegas 2012 was cordoned off for unique presentations. For this session, the room was packed.  At virtually all technology conferences today, attendees are live tweeting, taking copious notes, snapping photos or videos of the demonstrations on the screen.  Yet, in this special area of  SecurityBSides Las Vegas, a tall, imposing security proctor in a bright red shirt with dark military style pants and a walkie-talkie stood up to made a special announcement: This is an “underground session.” There will be no recordings, no note-taking, no exceptions. All phones, computers, cameras, video must be turned off.  Any attendee seen taking notes, or using any device in any way during this talk can and will have it confiscated.

Following the talk, the speaker David Kennedy granted CyberJungle Radio an exclusive interview. David Kennedy. talked about a series of attack vectors that use python, encryption, and Java Applets that can fully control Windows, Mac and Linux users. These attacks can by-pass anti-virus, next generation firewalls, intrusion detection systems, sandboxing systems, and, as David Kennedy says in the clip below, bypass “…every single type of preventative technology out there…”  And, no this is not APT (“advanced persistent threat”), or some super high tech code.  You can read the complete story below, or download/listen to the segment:

You may stream the segment below, or click here to download the MP3 file. David Kennedy is a fast talker, and you will get a lot of information in this ~6min segment.

Listen to the conversation with David Kennedy via the flash player:

SecurityBSides Underground Session Continued:

As the no notes and device announcement was made, some members of the audience had a noticeable look of surprise and disbelief. Even in the world of security conferences where high level law enforcement and government officials speak, this was an unusual request. But SecurityBSides is an unusual, intimate security event,  “the digital underground’ is a constant theme throughout the event. Some attendees would rather not provide a name.  Just their Internet Relay Chat (IRC) “handles,” thank you very much.  This is very much the spirit that the “Hacker” Conference DefCon had about ten to twenty years ago. The hotel itself if off-off-off the Las Vegas Strip. On the wrong side of the Union Pacific Railroad tracks, literally. Under a freeway overpass.  The parking lot is dusty vacant lot with potholes big enough to hold a small casino. No gaming at this hotel, and no high-rollers pulling up in their Bugattis.

Following this announcement, a tall, T-shirt and jeans type stood up and began to address the audience.  David Kennedy is a penetration tester that works for entities trying to discover entry points into data that attackers could be using. His goal is to find them so the owners of the network can mitigate possible attacks. Penetration testers (pentesters) also provide useful information for digital forensics and incident response (DFIR) professionals.  Pentesters can and do use the same techniques that cybercriminals use to break into systems.  Like hiring a locksmith to secure your safe. By learning the techniques of pentesters, digital forensics and incident response (DFIR) professionals can better know where to look when incidents occur.

David Kennedy blew away a very skeptical, and hard to please, audience at Security BSides by uncovering these attacks.  There a few techniques that can be used to mitigate these attacks, but David Kennedy has never tested a firm that had any of these tactics deployed. The techniques he recommend may only help you after the attacker has partially penetrated the network. Think reactive, rather than proactive.  Again, instructive for DFIR professionals.

Here is the link mentioned in the segment.

We will have more coverage from on this and other news from BlackHat, SecurityBSides, and DefCon, on upcoming episodes of CyberJungleRadio.

PFIC2011 – Katana Forensics CEO: iOSGate Chills Research

Posted in PFIC, Uncategorized with tags , , on November 8, 2011 by datasecurityblog

Today, at the Paraben Forensic Innovator’s Conference in Park City Utah, the CEO of one of the leading providers of iOS forensics said that iOS Gate “puts a chill down researcher’s spines.”

Yesterday, the highly respected security researcher, Charlie Miller, released information about a major flaw that he discovered in iOS. iOS powers the iPad, iPhone, and iPod touch. Mr. Miller created an iOS application that can steal data from iOS devices. Apples claims that it’s developer program and approval process is designed, in part, to prevent malware iOS from being introduced into the iOS ecosystem. Charlie Miller’s malware app was approved by Apple, and was available for a short time in the iOS App Store. Following the announcement by Charlie Miller of the flaw in iOS, and the flaw in the Apple approval processes, Apple pulled the app.

But Apple didn’t stop there. Apple also kicked Charlie Miller out of the Apple developer program. At the Paraben Forensic Innovator’s Conference in Park City, Utah today, attendees were talking about the slap in the face to researchers this move by Apple represents.

The CyberJungle spoke with Sean Morrissey, CEO of Katana Forensics. Sean Morrissey gave a talk on new techniques for iOS forensic imaging at PFIC on Monday. Mr. Morrissey is concerned that Apple’s move could hinder the burgeoning iOS developer community. Until this breach, he said, it was conventional wisdom that only an jailbroken iOS device was open to the type of attack outlined my Mr. Miller. Now, one needs to factor these types of threats to all iOS devices. When asked by The CyberJungle if he thought attackers have already, or would tray exploit this attack, he said “absolutely.”

-Ira Victor, reporting from The Paraben Forensic Innovator’s Conference in Park City, Utah

PFIC 2011 coverage on The CyberJungle is sponsored by Spector 360 – Spector 360 will automatically capture all Internet and desktop activity on Windows, Mac OS, mobiles, and soon tablets. Visit Spector360.com to learn more.

CLICK HERE AND ENTER TO WIN AN iPOD2 from Spector360 and The CyberJungle.


Get every new post delivered to your Inbox.

Join 1,217 other followers