It’s time for the Security Industry to grow up

It’s time for the Security Industry to grow up. Most of us have been drawn to the security industry because of the fun things we get to do. We like finding problems with security controls and love being paid to break into systems and networks. However, as much fun as those things are information security has become a very important part of businesses and industry. As more and more businesses digitize their business information and assets the more important information security becomes. Whether we like it or not information security is quickly becoming a critical part of the business process.

 In that light it is important for us as information security practitioners to learn more about business processes. I know that it feels great to get a shell on a box. However, that shell might not be attacking a critical business process and therefore is a potential waste of effort. By understanding the underling business processes of the company you are testing you can identify targets that are critical to the business as a whole.

 This approach however, requires an understanding of business processes. A great way to begin to understand general business processes is through education. I know that business classes can be uninteresting and even boring at times.  I will admit that during my education the business classes were the least interesting classes I took. I still can barely remember the content I went over even though I did very well in the class.  Recently I have realized my shortcoming in understanding business processes and have been going back over my business classes’ textbooks. If I take more of a “hackers” view at business processes I can begin to see critical places in the business process of where a successful attack could be critical to the business as a whole.

 There are many obvious targets such as high-level executives, payroll, and data warehousing. However, some targets could be just as critical. Imagine targeting the PR department and having the ability to send out press releases that could immediately damage the businesses’ reputation with their customers. All it takes is one factitious press release going viral and the company’s reputation could be irreparably damaged.

 By understanding the business process we as “security professionals” can begin to see these cracks in them and begin to design stopgaps to protect them. I still believe that the hacker mentality can thrive in a business environment. However, in order to do that we need to grow up, educate ourselves and take our rightful place in the business world.

I am writing this in hopes to spark a discussion on this topic. If you don't agree with me please feel free to let me know why. I am a firm believer in open, uncensored and frank discussions.

 

Posted via web from Ian's posterous

Western Tracking Institute Tracking Class

 

1 I spent last Saturday at an animal tracking class provided by the Western Tracking Institute. The instructors Rick, Lee and William were top notch and we were able to learn a lot about gaits and animal identification.  2 You have no idea how many ways a rabbit track can present itself. Our Tracking location was very interesting. We spent all day under the 805 and 56 merge underpasses and bridges. The first part of the day was spent under the big overpasses. The underpasses were a great place to see many different types of tracks. The substrate was very soft in places and that allowed us to analyze the gaits and tracks fairly easily. We saw raccoon, skunk, bobcat, deer, opossum and the ever present cottontail tracks.  3  4 The second part of the day was spent under the bridge in the muck. Luckily I brought a pair of rubber boots to keep all of the mud and water at bay. We found some really interesting tracks under the bridge including crawfish, deer, bobcat, a ton of raccoon tracks and a mystery track that no one could identify. In all it was a fun day of tracking even if you could barely hear each other talking over all of the traffic noise. I'm looking forward to the trailing workshop later on this summer and hope to get through the entire curriculum. In all it was a great experience and I highly reccommend taking any of the classses offered by the WTI.

1          
See the full gallery on posterous

 

Posted via web from Ian's posterous

Mini Golf

See the full gallery on posterous

Posted via web from Ian's posterous

Morning Light

Sunrise in San Diego

Posted via email from Ian's posterous

Defcon 17 PCAPs and CTF Game Binaries are now available

FINAL DEFCON 17 RANKING

Congratulations to VedaGodz on winning the DEFCON 17 CTF. Stats and more later -- here's the rankings:

1. VedaGodz
2. Routards
3. PLUS@postech
4. Shellphish
5. Sexy Pwndas
6. Song of Freedom
7. Sapheads
8. lollerskaterz dropping from roflcopters
9. WOWHACKER

Those of you that stayed around for the awards ceremony know that sk3wlofr00t had a slight conflict of interest making their contrived score irrelevant.

DDTEK HPUTM TECHNOLOGY ANNOUNCE

DDTEK is happy sunshine to presenet Hyper Parallel Universal Thret Management (HPUTM). Successful tests of HPUTM teknologee were made during the happened qualifications. These quantum predictive techonlogy using temporal acceleration of hardware constipated all attacks known, unknown, unknown known, known unkown, known known, and unknown unknown using hyper turing NP engine completion. Demonstration of HPUTM at Defcon CTF is the prove that DDTEK defense ever stands time and its tests. Techmology all other are not the comparison. The rainy doom spank ass of other monkey software triumphs over oall including poor ruinners Juniper, Sonicwall, Microsoft, Checkpoint.

Graphs all blockage shown for DDTEK HPUTM:

CTF Qualifications Complete! Top 9 plus sk3wl invite to Vegas!

Qualified teams:
1. sk3wlm4st3r (CONFIRMED! as sk3wl0fr00t)
2. Team Awesome (aka VedaGodz) (CONFIRMED!)
3. Sexy Pwndas (CONFIRMED!)
4. PLUS@postech (aka PLUS) (CONFIRMED!)
5. Shellphish (CONFIRMED!)
6. Song of Freedom (CONFIRMED!)
7. lollerskaterz dropping from roflcopters (CONFIRMED!)
X. Underminers (deadline expired)
8. Routards (CONFIRMED!)
9. WOWHACKER (CONFIRMED!)
10. Sapheads (CONFIRMED!)
alt. sutegoma (CONFIRMED!)
alt. CLiP (CANT PARTICIPATE)
alt. pebkac (unconfirmed)
alt. ACMEPharm (CONFIRMED!)

With final confirm that sk3wlm4st3r represents the champion of DC16 then WOWHACKER is 10 and Sapheads_ is number 1 alternate.

• Final Team Standings
• All Submitted Answers
• All Submitted Answers by Team
• All Submitted Answers by Challenge
• Correct Answers by Challenge
• Time to Solve by Challenge

Teams above need confirm there intent for playing in Vegas.

Use the email address your registered for qualifications.

Thanks for fun times weekend!

~ddtek cr3w

DEFCON 17 CTF Qualifier can starts

FOR IMMEDIATE RELEASE

5 JUNE 2009

DEFCON CTF QUALIFIER GO GO

Defense Diutinus Technologies Corp (ddtek) is pleased to starting the round of qualification for DEFON 17 CTF.

QUALS GAME: http://quals.ddtek.biz/quals/board.html

IRC: irc.oftc.net #ctfquals

DEFCON 17 CTF Qualifier announced dispite conficker

FOR IMMEDIATE RELEASE

1 APRIL 2009

DEFCON CTF QUALIFIER ANNOUNCED

Defense Diutinus Technologies Corp (ddtek) is pleased to announce the round of qualification for DEFON 17 CTF.

The competition will be held on 5-7 June - without a stop, participants can be located everywhere. All are to play, but only the 9 best groups will be invited to join us in Las Vegas for the annual DEFCON ninja square off. We also intend to honour the code of the former CTF host and automatically qualify last years champion, the sk3wl of r00t (although we sincerely hope them to participate in qualifications).

The qualification round will be in the style of game board, but answers need not be in the form of a question. Categories will require teams to demonstrate the superiority of hacking into a vast relm of security.

You must be registered for participate.

Registration site: CLOSED
Registration opens: 01.04.2009 00:00:00 UTC
Registration ends: 04.06.2009 00:00:00 UTC

Qualifications open: 05.06.2009 23:00:00 UTC
Qualifications ends: 07.06.2009 23:00:00 UTC

More information that will follow via your registered email address.

Bring all your l33t haxor skillz just leave your Kiddie toolz behind.

Vulc@n Difensiva Senior Engineer Diuntinus Defense Technologies, Inc.

DEFCON 17 CTF Organizer Is Chosen

Today announced that Dark Tangent DEFCON 17 CTF Organizer is chosen. We are a group give the a proposal 1.

Much exciting for us because of our company startup departure from stealth watch soon announce that the technology to the test of time against the current and future attacks. We look forward to our technology, demonstrat their superiority against the security work people and hackers during CTF quals.

We see those who are came before us and creat an experience that defaies all the concerned parties. KenShoto and Ghetto Hackers make beuatiful hard work for CTF over the years, CTF not have be the world cup security attack and defense.

via ddtek.biz

For those of you who are interested the pcaps and game binaries for the DEFCON 17 CTF are now available via bittorrent. Study up and get ready for next year's quals.

Posted via web from Ian's posterous

Tired of Getting Things Done? Me too. Less is more.

via zenhabits.net

Good post on how doing less can help you get more done.

Posted via web from Ian's posterous

Quote of the day (QOTD)

Watching Diners, Drive-ins and Dives I heard the quote of the day.  Chef Guy Fieri  said "That's not grease, those are tears from a flavor angel." <- Total Win! 

Posted via web from Ian's posterous