Spaniards in the Black Hat ASIA

I’m back from Black Hat ASIA 2014 in Singapore, where I had the pleasure of giving a talk on the security of cross-platform mobile technologies for developing mobile apps. The last Black Hat ASIA was in 2008, and the last time it was held in Singapore was in 2003. Time flies!


At the event there were several Spaniards, such as Jose Miguel Esparza with his workshop on PDF analysis, Leonardo Nve with DNS attacks, and finally Alberto García Illera and Javier Vázquez Vidal on hacking cars.

The event took place at the amazing Marina Bay Sands hotel (I recommend you google it), and it was a success with around 1000 attendees. At the speaker dinner the organization took us to a Chinese restaurant where we could taste different specialties and drink red wine from La Rioja (Argentina ;)); then, as it could not be otherwise, we explored Singapore’s nightlife!


My talk was the first of the first day of the event and was a great success: a room full of people, some even standing (there were not enough chairs for everyone), and many questions, which is somewhat atypical in Asian culture, so I would like to thank all attendees!!

My first time in Singapore, but it certainly won’t be the last; perhaps next year.

My presentation is available on the VULNEX website.

— Simon Roses Femerling


The need to evolve defensive security to offensive security

This morning I saw a job offer from Facebook looking for offensive security engineers and I thought it would be a wonderful opportunity to explore this idea and its application in corporate security.

Traditionally, information security in enterprises has had a defensive role based on different products (firewall, anti-virus, IDS, etc.). But when, week after week, we read in the media how businesses of all sizes are attacked and owned, something is clearly wrong!

The Internet and its dangers have evolved, but corporate security has not: too many companies follow decades-old security schemes to protect their information.

As nation-states develop not only their defensive capabilities but also their offensive capabilities, businesses should also enhance their offensive capabilities, not to attack other companies but to assess their own security effectively.

It is impossible for security consultants/pentesters with limited time to truly verify the security of a company, yet unfortunately that is the model most companies follow. No one presses the doctor when operating or the plumber when fixing a problem, but we press security consultants all the time to deliver comprehensive results in a short space of time.

Corporate security needs to evolve to include offensive staff who truly understand attackers (the attacker mindset), who are capable of attacking systems and applications, and who have some freedom to do so within the company. These are the individuals who can raise security to the next level.

Their objective is to constantly attack the company using current techniques in order to discover its weak points and strengthen them, to analyze malware identified in the company, and even to set traps for attackers (honeypots). This should not be confused with counter-hacking, the idea that if we are attacked we must respond by attacking back. No company should use its offensive capabilities to counter-attack, as this can unleash all kinds of problems (legal and ethical). We must only use offensive capabilities internally to improve security, period.

Companies that do not evolve their security to a defensive and offensive model, and that do not enhance not only their technology but also their processes and people (the famous pyramid: people, processes, and technology), are doomed to be owned forever.

Does your company have offensive security capabilities? How are they used?

— Simon Roses Femerling


VULNEX Award and RSA USA speaker experience!

February has been both very interesting and busy! On February 17th I had the pleasure of collecting VULNEX’s first award, given by the Spanish security magazine Red Seguridad for IT Innovation, for our collaboration with DARPA (Defense Advanced Research Projects Agency of the Department of Defense, USA), which produced BinSecSweeper, a technology that allows us to verify the security posture of any binary.

You can find a great chronicle of the event here, and below I am including a photo of the trophy :)

[Photo of the VULNEX trophy]

On 24-28 February I attended, for the first time, the legendary RSA USA conference in San Francisco, where I gave a talk on security in software development and on using BinSecSweeper to assess binaries, entitled “Writing Secure Software is hard, but at least add mitigations!”. I take this opportunity to thank the attendees for the good feedback; I’m glad that so many liked my presentation! And of course thanks also to the organization for a great event.


The presentation is already available on the VULNEX website.


It was my first time at RSA USA, but it certainly won’t be the last! In my opinion it is a must-attend event for all cybersecurity professionals.

Until next year!

— Simon Roses Femerling
