Round 2 of European travel for me this year has just wrapped up with talks in Brussels for Techorama (which incidentally, was sensational!) followed by a private event for a multinational information services company in Barcelona doing my usual Hack Yourself First workshop . But it’s time for the next one already so it’s back to Europe again and then after catching my breath at home for a couple of week, time for some US travel for the first time this year. Let me share where I’m off to, where you can catch me and where I still have some time to come see some folks.
"Hack Yourself First" – The Workshop
When I was over in Europe in Jan and Feb, I did this two-day workshop seven times almost back to back with six of the events being in the UK. These are usually private workshops in that an organisation such as a financial institution or e-commerce site gets me in to take their developers through today’s top online risks where they get to exploit things like SQL injection first hand. Most importantly though, they learn the defensive patterns so we close the loop of "here’s how you attack" by then doing "here’s how you defend". I find this gets builders endorsed in the value of security in ways that simply teaching them defensive mechanisms never would.
The next workshop I have coming up is in London on June 13 and 14 and it’s being put on by the folks at Learning Connexions .
It’s about the same cost as many conferences except it’s designed to be small enough so that I get a heap of one on one time with everyone in the group. We’re usually looking at around 20 people and I see everyone from testers to obviously developers to security pros. There’s a much more comprehensive overview of what I do in the workshops page on my site so go and check that out if you’d like more info.
In the lead-up to this next trip, I’ll be publishing some more videos that’ll give you a good sense of what we do at these events. I recently recorded Understanding CSRF, the video tutorial edition and I’ll do another similar one on content security policies shortly.
I’m really looking forward to this event, I thoroughly enjoyed my time in London in Jan and I’ve been promised better weather in June so I’m quite excited! The Jan trip got completely overbooked and I do need to cut back a bit on long trips, but the London event is definitely happening and you can register for it now .
A lot of stuff got hacked since my last trip…
I always talk a lot about current events when I run these workshops, in part because they’re enormously relevant in terms of understanding what’s happening in the real world and in part because they’re just fascinating stories. I was just thinking about the incidents that had occurred in the three months since my last UK visit and I realised there were some absolute zingers – and that’s just the ones I spent time analysing! For example:
There was the Philippines Electoral Commission hack which not only exposed more than half the entire nation’s population – more than half of 100M people! – but also exposed data such as passport numbers and biometric fingerprint info used in their elections. Oddly, they actually encrypted first and last names but then they didn’t encrypt email addresses which frequently contain… first and last name. SQL injection was the root cause of that one – it’s the vulnerability that just keeps on giving.
Then there was the Lifeboat incident which not only exposed over 7 million members’ email addresses and MD5 passwords (incidentally, one of the workshop exercises is cracking MD5 hashes which is ridiculously easy), but then they also decided keep the incident hidden from the public. There’s some really interesting discussions to be had around the ethics of security not just as professionals working for organisations entrusted with customer data, but as individuals who may come across the sorts of weaknesses that brought Lifeboat undone.
The one that really hit the news big time was the Nissan LEAF vulnerability which exposed owners to the risk of any person in any location being able to turn their climate control on or off and track their driving habits. The particularly relevant thing about this event is that the vulnerability was discovered by someone in one of my workshops during that Europe trip. This was a guy whose total experience with this class of risk was the one hour exercise we did looking at how mobile apps talk to API back ends.
Perhaps the headline I least expected to see myself in this year (or ever) was the one from just a couple of days ago: Another Day, Another Hack: Is Your Fisting Site Updating Its Forum Software? Yes, that is what it sounds like and no, don’t Google it if it’s an unfamiliar term! Verifying that incident after someone had sent me the data was easy because the site had multiple enumeration risks, that is I could simply ask it if an email address exists on the site and it would give me a very clear "yes or no" answer courtesy of the password reset page. People often don’t think of this as a vulnerability and for a site like, say, Stack Overflow it barely matters. But when it comes to disclosing something as personal as people’s sexual proclivities, you probably don’t want to make that a publicly discoverable thing.
There were many, many more incidents I got involved in over the last few months and many more again beyond that. These were just a few that really stuck out at me in terms of their significance and because all of them had major security flaws that only take a couple of days of training to get on top of.
USA in July
Just as a quick addendum to this, I’ll be stateside in July for a private workshop and I’m presently trying to maximise the travel time with another couple of events. If you’re working with an org that’d like me to come visit, hit me up via one of the channels onthe contact page.