Educational Security Videos Available

November 30, 2013

I’ve spent a lot of hours at home recently building up some continuing education credit hours with security convention videos. I learned a lot, but one key lesson is that there is an ocean of good and a small sea of great security-centric presentations available at no cost for anyone interested in the topic. There is tremendous diversity as well. Here are a few samples, and a set of links to larger collections of security convention presentations. We all have to find ways to stay relevant and to help the staff around us keep up as well. Nothing replaces the kind of energy and valuable interaction that can result from participating in one or another of the many …cons available today. In the context of ever-present spending constraints, though, consider integrating some of these excellent resources into your organization’s development planning:

There are some white hats attempting to build a globally-available list of ‘low hanging fruit’ vulnerabilities for literally all web sites on earth.
In “PunkSPIDER Open Source Fuzzing Project” the presenter explains how they do their work — a mix of web attacks and big data.
or a different version on this topic at:

JavaScript seems to be everywhere… Because at least some of it is executing on untrusted endpoints, it is crucial to resist abuse and protect ‘upstream’ infrastructure and data.
In “Javascript Static Security Analysis Made Easy with JSPrime” the presenter attempts to explain the scope of this challenge, and then demonstrates his open source static code security analyzer.

Encryption is something we are supposed to use, but not to write. Using commercial or well-tested open source crypto support libraries should satisfy, right?
Not so fast. In this presentation, “Crypto: You’re doing it wrong,” the presenter demonstrates a range of techniques for decrypting both weakly and strongly encrypted ciphertext. I had never read about the approaches used by this individual, and they seem to be applicable across huge sections of our standard industry practices. This is an extremely interesting explanation of how key facets of cryptography work and how implementation details leave much encrypted content vulnerable to hostile decryption. Finally, the presenter outlines what we might do to resist his attacks.
Because it challenges so many deeply held assumptions, I strongly recommend this to anyone involved in software architecture or design.

Why do people click, or worse, type and then click?
In “Predicting Susceptibility to Socialbots on Twitter” the presenters explore how one might attempt to target people who may be more likely to interact with profiles they don’t know on Twitter.
Their approach uses relatively standard statistical analysis against large collections of Twitter log data and establishes a foundation for future work on this topic. The presenters also offer advice about how we might best invest our training budgets to address some of what they found.
And later – corrected version – at:

If you are interested in the lowest-level details of great concern to hostile software security specialists, you might want to watch “OptiROP: The Art of Hunting ROP Gadgets.” It will walk you through one of the more productive paths used by malware artists — CPU machine code.

There are scores more…

“VoIP Wars: Return of the SIP”

“Abusing NoSQL Databases”

“TMI: How to attack SharePoint servers and tools to make it easier”

“I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell”

“Burning the Enterprise with BYOD”
or “Assessing the Risk of Unmanaged Devices”

“Evil DoS Attacks and Strong Defenses”

“iOS Reverse #=> iPWn Apps”
or “Attacking iOS Applications”
or “Your Droid Has No Clothes”

“Home Invasion 2.0 – Attacking Network-Controlled Consumer Devices”

“So You think Your Domain Controller is Secure?”

And see the full collections at:
BlackHat 2013 sessions:
Here is a BlackHat 2013 session listing:
(this is a big collection)

Defcon 2013 sessions:
Session listing:
(this is a big collection)

Derbycon 2013 Videos:
(this is a big collection)

Shmoocon 2013 sessions:
The file names include session titles.

BSides Delaware 2013 Videos:

Louisville Infosec 2013 Videos:

BSides Las Vegas 2013 Videos:

OISF 2013 Videos:

Hack3rcon 4 Videos:

BSides Rhode Island 2013:

Notacon 10 (2013) Videos:

AIDE 2013:
(AIDE==Appalachian Institute of Digital Evidence)

BSides Boston 2013 Videos:

ISSA Kentuckiana Web Pen-Testing Workshop:

Outerz0ne 9 (2013) Videos:

These are excellent resources. We need to support the groups that organize these conventions, but we will never be able to participate in them all. The fact that this huge pool of resources is available 24x7x365 enhances its value. Again, consider integrating some of them into your organization’s development planning.
