J Wolfgang Goerlich's thoughts on Information Security
MiSec events in December

By wolfgang. 9 December 2013 07:44

The next two weeks are packed with MiSec goodness. I thought it best to do a roll-up blog post, rather than my normal Tweet shout-outs. 

Concise Courses: Wednesday, December 11th, 12pm
FedRAMP: How the Feds Plan to Manage Cloud Security Risks
Presented by: Steven Fox (@securelexicon)
Online here: http://www.concise-courses.com/cloud/20121212/

North Oakland ISSA: Wednesday, December 11th, 6pm to 8pm
Practical Threat Modeling
Presented by: Wolfgang Goerlich (@jwgoerlich) and Mark "Belt" Kikta (@B31tf4c3)
Baker College
1500 University Drive
Auburn Hills MI 48326 

OWASP Detroit: Thursday, December 12th, 7 pm to 9 pm
Susie the Useful SOC Puppet: A blue-team bedtime story.
Presented by: Jeremy Nielson (@jeremynielson)
First Center Building
26911 Northwestern Highway
Southfield, MI 48033

RuCTFe: Saturday, December 14th, 5 am to 2 pm
Online Technologies Corporation (OTC) of Ann Arbor
5430 Data Court, Ann Arbor, MI 48108

Holiday dinner: Wednesday, December 18, from 7 pm to 10 pm
Rochester Mills Beer Co
400 Water Street
Rochester, MI 48307
Tickets here: http://www.eventbrite.com/e/misec-holiday-dinner-tickets-9635260323

Tags:

Out and About

Whispering on the Wires Workshop

By wolfgang. 25 March 2013 10:47

I am giving my Whispering on the Wires Workshop for the Eastern Michigan University's Information Assurance workshop series. This will be next Friday, April 5th, from 5 pm to 8 pm.

Description:

The Internet opened communications and enabled this flat world where everything is but one click away. These complex networks make possible rich exchanges of thoughts and ideas, goods and services. But there is, of course, a dark side. Not all communications are productive. Not all communications are visible. Some are destructive, hidden, invisible. Some messages are whispered in secret. In this session, we will delve into ways attackers can hide their traffic using steganography and covert channels.

Whispering on the Wires will be a hands-on workshop. Attendees will apply steganography to a variety of file formats, and open a variety of covert channels. Defensive measures will also be discussed and demonstrated. Every communications channel has a dark side, a covert channel, and every dark side has a defense. Let's explore these together.

Requirements: 

Computer with Windows 7, 8, or Windows Server 2008 R2, 2012. Please have installed: Microsoft .Net Framework 4.0, PowerShell 3.0, PowerShell Community Extensions, the latest Wireshark, and your favorite hex editor.

PowerShell Community Extensions (PSCX) - http://pscx.codeplex.com/

Location:

This workshop is open to students, faculty, and the local information security community.

Friday, April 5th, 5:00 pm to 8:00 pm
Eastern Michigan University
Roosevelt Building
Ypsilanti, MI, USA 48197 

Tags:

Out and About

Out and About: Great Lakes InfraGard Conference

By wolfgang. 25 February 2013 15:30

I am presenting a breakout session at this year's Great Lakes InfraGard Conference. Hope to see you there.

Securing Financial Services Data Across The Cloud: A Case Study

We came from stock tickers, paper orders, armored vehicles, and guarded vaults. We moved to data bursts, virtual private networks, and protocols like Financial Information eXchange (FIX). While our objective remains the same, protect the organization and protect the financial transactions, our methods and technologies have radically shifted. Looking back is not going to protect us.

This session presents a case study on a financial services firm that modernized its secure data exchange. The story begins with the environment that was developed in the previous decade. We will then look at high-level threat modelling and architectural decisions. A security-focused architecture works at several layers and this talk will explore them in depth; including Internet connections, firewalls, perimeters, hardened operating systems, encryption, data integration, and data warehousing. The case study concludes with how the firm transformed the infrastructure, layer by layer, protocol by protocol, until we were left with a modern, efficient, and security-focused architecture. After all, nostalgia has no place in financial services data security.

Tags:

Out and About | Security

Incog: past, present, and future

By wolfgang. 10 January 2013 12:30

I spent last summer tinkering with covert channels and steganography. It is one thing to read about a technique. It is quite another to build a tool that demonstrates a technique. To do the thing is to know the thing, as they say. It is like the art student who spends time duplicating the work of past masters.

And what did I duplicate? I started with the favorites: bitmap steganography and communication over ping packets. I did Windows-specific techniques such as NTFS ADS, shellcode injection via Kernel32.dll, mutexes, and RPC. I also replicated Dan Kaminsky’s Base32 over DNS. Then I tossed in a few evasion techniques like numbered sets and entropy masking.

Incog is the result of this summer of fun. Incog is a C# library and a collection of demos which illustrate these basic techniques. I released the full source code last fall at GrrCon. You can download Incog from GitHub.

If you would like to see me present on Incog, including my latest work with new channels and full PowerShell integration, I am up for consideration for Source Boston 2013.

Please vote here: https://www.surveymonkey.com/s/SRCBOS13VS

This year SOURCE Boston is opening up one session to voter choice. Please select the session you would like to see at SOURCE Boston 2013. Please only vote once (we will be checking) and vote for the session you would be the most interested in seeing. Voting will close on January 15th.

OPTION 5: Punch and Counter-punch with .Net Apps, J Wolfgang Goerlich, Alice wants to send a message to Bob. Not on our network, she won’t! Who are these people? Then Alice punches a hole in the OS to send the message using some .Net code. We punch back with Windows and .Net security configurations. Punch and counter-punch, breach and block, attack and defend, the attack goes on. With this as the back story, we will walk thru sample .Net apps and Windows configurations that defenders use and attackers abuse. Short on slides and long on demo, this presentation will step thru the latest in Microsoft .Net application security.

Tags:

Cryptography | Out and About | Security

North Oakland ISSA and Motorcity ISSA

By wolfgang. 18 August 2012 20:20

I will be presenting at North Oakland ISSA on September 12th, and at Motor City ISSA September 20th.

Turtles all the way Down -- .Net Software Security. Peel back the layers of abstraction, what do you find? Software. Feel through the fog of cloud computing and what is there? Software. What powers our devices? Handles our protocols? Drives our cars? What ties us all together? Software. Every layer of our technology stack is software. It is turtles all the way down. Few things are as germane to security as software security. We will delve into software security in this session. Using C# as an example, we will see how software in general breaks and how to protect Microsoft .Net in particular. So how do we protect software? Come find out.

North Oakland ISSA. September 12, 2012. Auburn Hills, MI.

Whispering on the Wires. The Internet opened communications and enabled this flat world where everything is but one click away. These complex networks make possible rich exchanges of thoughts and ideas, goods and services. But there is, of course, a dark side. Not all communications are productive. Not all communications are visible. Some are destructive, hidden, invisible. Some messages are whispered in secret. In this session, we will delve into ways attackers can hide their traffic using steganography and covert channels. Examples will be demonstrated and potential controls will be discussed.

Motor City ISSA. September 20, 2012. Livonia, MI.

Tags:

Out and About

BSidesCleveland 2012

By wolfgang. 15 July 2012 10:37

I went to BSides Cleveland last Friday. We put the word out to the #misec mailing list, and took a couple of carloads of Michigan IT/InfoSec pros down to Ohio. The conference was well run, the swag bags were well stocked, and everyone I spoke with enjoyed themselves. Below are some of the highlights.

Dave Kennedy (Rel1k) kicked off the conference. Dave has recently made the transition from Diebold's CSO to CEO at TrustedSec. Dave demoed some advanced pentesting techniques using the Social-Engineer Toolkit (SET). Of note, did you see the news on the new scary attack that knows your OS? Yeah. That was Dave's code being re-used. Whoops.

Next up was Bill Mathews (@billford) on cloud security. I have a reasonably sound understanding of cloud computing and cloud security. I went to Bill's talk to get ideas on how to talk with non-infosec people about cloud concepts. Bill did not disappoint. He had a good talk, kept my interest, and provided a one page cheat sheet at the end. (These sheets are on their way to my team already.) You can see Bill's slides and cheat sheet at Hurricane Labs.

I attended Jeff Kirsch's talk next (@ghostnomad). As a haiku fan and long-time reader of Jeff's blog, I really wanted to meet Jeff. He is also a hard guy to meet because I rarely see him at other conferences. Finally I had my chance! Moreover, I identified end-user training as a weakness in my security program and I am on the lookout for ways to improve. The "<? $People ?> Process Technology" talk was informative and helped steer me in the right direction.

Jeff joined us for lunch at the Winking Lizard Tavern. We got to talk secbiz, rail against auditors who don't get it, rail against IT managers who don't get it, and basically geek out on the business side of infosec. I rarely get to scratch the business itch and so this was a real treat.

After lunch, I gave an updated version of my Naked Boulder Rolling talk. How did this compare to the one I gave in June? Detroit was more fun and Cleveland was more satisfying. That is to say, I enjoyed the audience participation and humor while presenting in Detroit. The only problem was that it meant a good quarter of my talk was cut due to time. In Cleveland, I was able to present the material in full. I felt the overall message of the talk was conveyed more clearly. I fielded some good questions afterwards that have me thinking of making a new ITGRC deck.

With Matt Johnson's incident talk fresh in my mind, I joined Mick Douglas's talk on Automating Incident Response. Mick's metaphor was building a sprinkler system to respond to the burning building that is the security breach. Add to that the research that shows how exponentially expensive a breach gets the longer it goes undetected, and Mick has a powerful argument. He wrapped up by demonstrating Python scripts that respond to incidents using network segmentation and throttling. Mick gave me a few ideas that I am going to try on my own network gear this coming week.

I sat in on a talk by James Siegel (@WolfFlight) next. James has been thinking about moving the security conversation beyond the echo chamber for some time. At BSides Detroit, he brought a hallway con discussion around the topic that led up to a podcast. It was decent for a first time presenter. James employed some humorous visuals featuring Looney Tunes to provide a clear call to action: let's educate non-technical folks.

I walked into the next session chanting ".net! .net! .net!" Some might argue that was because of all the free Bawls drinks. But, no, I was excited to see Bill Sempf's perspectives on application security. Bill walked us thru ASP.NET controls for the OWASP top ten, and touched upon using Back|Track for validation. The key insight from this talk was using Back|Track scripts to validate code as part of the build process. This dovetails nicely with my philosophy of baking infosec into the work, and I am looking to explore the concept further in the next few months.

The conference wrapped up with a two hour after party, and then a three hour drive back home. I had a number of great conversations over those five hours, and spent yesterday collecting notes and pulling down content. BSides always leave me fired up to do more, learn more, and see more. BSides Cleveland once again proved why community conferences are so inspiring. All I can say is, when do we get to do it again?

Kudos to Dave DeSimone and the Cleveland organizers, and thank you to sponsors: Diebold, Accuvant, FireEye, f5, Bit9, DerbyCon, Hurricane Labs, Neoisf, SecureState, Rapid7, and McAfee.

Update: The videos for all BSides Cleveland talks are now online: http://www.irongeek.com/i.php?page=videos/bsidescleveland2012/mainlist

Tags:

Out and About

BSides Detroit 12 by MiSec

By wolfgang. 4 June 2012 18:10

What a difference a year and a community make. I attended the first BSides Detroit last year and it was in stark contrast to Source Boston. I thought perhaps that was the nature of the local conferences. Then GrrCON opened my eyes to what was possible. I began to think of how we could raise the quality of BSides Detroit 12 to match events like Source and GrrCON. And I was invited to volunteer and ready to help organize the next event. Game on.

BSides Detroit 12 was every bit the event we set out to make it. 2 days, 2 tracks, 4 workshops, 32 speakers, all set to educate and engage some three hundred participants. The event was held in the GM Renaissance Center. We had climate controls, working audio/video, an evening reception, and we were every bit a full destination conference.

Being an organizer puts me in a tough spot. I typically write up a conference by calling out a few talks that I felt captured the gestalt of an event. How do I do that after spending six months podcasting with all the speakers? How do I feature some and leave others off, knowing each of the presenters as I do?

I tried a tack of thanking people who made this event. We had four organizers including myself, dozens of volunteers, sponsors, and many others who made this possible. My first few drafts resembled an Oscars Awards speech gone awry. While the tack does not work, the effort produced the real insight.

The #misec community is the main difference between last year and BSides Detroit 12. The podcast leading up to the event was organized by #misec regulars Chris J and Justin. Many of the talks were tested and tuned at #misec meet-ups. The three keynote speakers were all invites from #misec regulars, too, come to think of it. #misec led to some fantastic collaboration with GrrCON and BSides Chicago. And while some jokingly called this #misecon, we were out volunteering in force. This was our moment.

What difference does a community make? It makes for an event that is qualitatively and quantitatively better by any measure. It makes me awed and grateful for everyone's efforts. It also makes me very hopeful for the future.

Wolfgang


BSides Detroit 12 Event Coverage

Detroit Hackers Fly Under Radar. "After spending a little time at BSides, I’m thinking that, not only could Arne Duncan use Payne’s counsel, but there are probably a number of non-IT fields that could benefit from a hacker’s ethos and insight."

Bsides Detroit - the day after (part 1) and the day after (part 2) by Keith Dixon (Tazdrumm3r). "Over all, Bsides was incredible and the organizers should be proud of what they accomplished. I know, I’m definitely going next year and can’t wait!"

BSides Detroit 2012 Wrap Up by Matt Johnson (mwjcomputing). "I had the honor to organize the #misec dinner the Thursday night before BSides Detroit. ... I decided to volunteer this year. Being friends with a few of the organizers, I only felt like it was appropriate. After this weekend, I think I am insane." Note Matt also has a great group photo of #misec guys threatening to hug me.

Be Inspired By Local Cons by Elizabeth Martin. "Each and every opportunity I have to interact with the many walks of life in the InfoSec community I am inspired to do more, collaborate more, listen more, contribute more, help more, etc."

BSidesDetroit - ConBlu, first try at presenting, by Scott Thomas (Secureholio). "I loved the venue, it was well laid out, there was quite a bit to do in the conference center itself, as well as having the hotel right there. The different tracks in different rooms made it easy to have hallway-con, as well as two tracks, a teaching area, and a lock-pick village. I really loved the set-up and the Detroit team did a great job with putting it together."

BSides Detroit 12 Sponsors

Tags:

Out and About

Stir Trek Reflections

By wolfgang. 10 May 2012 07:07

This was my first year attending the Stir Trek conference in Columbus OH. From the name and from the website, I was not quite sure what to expect. Whatever I was expecting, it certainly was not 900 people in a pristine theater multiplex. All the talks were in various theaters, with the marquees lit to match the tracks. There were several clever marketing tie-ins, too, like movie posters for the sponsors. The volunteers, the food, the sessions all were excellent. Three talks, in particular, struck me as very interesting.

David Giard (@davidgiard) gave a talk titled "Effective Data Visualization: The Ideas of Edward Tufte." Tufte spent years analyzing and quantifying how data is visualized and displayed. Giard covered Tufte’s ideas, including concepts like the lie factor, data-ink ratio, and data density. The thing that struck me was how Giard was able to take twentieth century concepts and apply them to today’s latest problems in business intelligence. As a consultant, Giard has found many ways of spreading Tufte’s message and integrating effective data visualization within projects.

Mark Stanislav (@markstanislav) gave a talk on using the cloud for disaster recovery. A DR strategy is a perfect example of owning the base and renting the burst. Recovery environments are rarely needed, and often needed only for a short period of time. Mark’s case study featured a small business with an Internet streaming product. It’s common to see 99% uptime for smaller organizations, which means 3-4 days downtime per year. Mark’s solution had an annual operational cost of $1,184 and a per incident cost of $435. The recovery time was an hour. So for a total of $1,619 annually, the small business boosted their uptime to 99.99%. Quite impressive, and a good example of how companies can use cloud computing in lower risk areas to build competency.

It was a talk by Mike Amundsen (@mamund) that blew my mind. "It's the future. I don't have my jetpack. I don't have my flying car. But at least I have a browser." And with that, Mike walked thru developing, testing, debugging, and deploying apps directly from a web browser. The toolset was Cloud9 IDE, Node.js, CouchDB, Github, and Heroku. I remember how hard it was to get into software development as a kid, so I was simply amazed at how easy it is today. I definitely need to find a project to complete entirely on the cloud for the cloud. By the way, Mike has a book out that covers his process: Building Hypermedia APIs with HTML5 and Node.

All in all, it was a great time and I left itching to write some code, test some recovery strategies, and do some data visualizations. Thanks to all the volunteers, speakers, organizers, and sponsors.

jwg

Tags:

Out and About

Out and About: GrrCon 2012

By wolfgang. 25 March 2012 09:25

September 27 and 28, I will be out in Grand Rapids for the GrrCon conference. I am working on a fun little project using .Net Framework to create covert channels, and then use the same tools along with OS controls to block and shutdown those channels. Come on out, visit with the Grand Rapids folks, and enjoy a great conference.

Punch and Counter-punch with .Net Apps
Presentation Abstract: Alice wants to send a message to Bob. Not on our network, she won’t! Who are these people? Then Alice punches a hole in the OS to send the message using some .Net code. We punch back with Windows and .Net security configurations. Punch and counter-punch, breach and block, attack and defend, the attack goes on. With this as the back story, we will walk thru sample .Net apps and Windows configurations that defenders use and attackers abuse. Short on slides and long on demo, this presentation will step thru the latest in .Net application security.

Tags:

Out and About

Out and About: Stir Trek

By wolfgang. 14 March 2012 06:33

This coming May 4, I will be out at the Stir Trek conference in Columbus, OH. Tickets go on sale today at 1:59 pm. (3/14 1:59 for Pi day, get it?) I hear the conference sold out last year within five days, so if you are joining us, act fast. Stir Trek is a unique developer conference in that it combines technology talks with a private screening of a movie. This year, it is The Avengers. Quite the event.

I am in the Cloud computing track and will be sharing my experiences on DevOps and private/public cloud computing. Hope to see you there.

Running DevOps on a Microsoft Cloud
You have heard the rumors. DevOps is this touchy-feely culture thing where the developers run cowboy over the infrastructure using open source tools. But what if you are running a Microsoft infrastructure? What if you are in a highly regulated industry, say like finance? And what if you need to show hard dollar savings to support culture changes? Forget the rumors. We have the facts. In this session, we will present how a Midwest investment firm implemented DevOps on a cloud computing model. The tool stack is SharePoint, SQL Server Business Intelligence, and System Center. Let's get past the rumors and see how existing organizations are getting the most from DevOps and the cloud.

Tags:

Out and About