My First ShmooCon – This Time It’s Personal

There are many security cons you can attend. Only one is Shmoo.

In our security community, Shmoo is beloved. Testament to that is how people will go out of their way to attend. The ticket sales tell the story: two rounds sold out in mere seconds. Say F5 and everyone knows which con you mean. Yet no one wants to increase the number of attendees, because then it wouldn’t be Shmoo. This is as far from the hacker throngs at DefCon as it gets. Nor is it the suited industry version, like RSA. Steve Ragan, @SteveD3, put it best: Shmoo is family.

This is a con where hackers come to play. You can set up the actual network on the night before things get started. There’s a massive wireless CTF; a crypto challenge; Hack Fortress; locks to pick; the Tour de ShmooCon contest. You can even win a prize by hacking the barcode. Because we learn when we play.

Lobbycon at Shmoo is legendary. A who’s who of InfoSec stand shoulder to shoulder in hoodies with beer. Or Bourbon. Or shine. I loved having my fellow Canuck and InfoSec mentor, Lee Brotherston @synackpse, as my intrepid guide. I got to meet Dave Kennedy – yes, one of the nicest and most knowledgeable members of our community – amidst those mysterious Friday night fire alarms. I was also thrilled to meet the fabulous Katie Moussouris @K8em0 in her Karaoke attire.

But there is nothing like that moment when you actually meet a friend you’ve only known online. For me that was Sarah Clarke @s_clarke22 @infospectives, who came all the way from Britain. You can read her witty account of ShmooCon here on her blog Infospectives, and I highly recommend reading her regularly. And then there is the joy of reconnecting with those you already know, like @fl3uryz, @theSweetKat, @snoww, @mzbat and so many more. ❤ to you all. For me, one of the best rewards came when introducing extraordinary people to each other, and facilitating those conversations that would spark ideas, launch projects, and encourage change. This is why we Shmoo.


With so many great moments to share, here are some of my favourites:

  • Playing Cards Against Humanity with @da_667. You haven’t lived ’til you do.
  • Being swung around the dance floor by @bigendiansmalls – who knew!
  • Having Georgia Weidman @georgiaweidman sign my copy of her Pentesting book.
  • Meeting up with @maliciouslink and enjoying a great lockpick session.
  • Saturday night Lobbycon pizza from a mysterious benefactor.
  • Enjoying the creative force who is Tarah Wheeler Von Vlack @tarah at play.
  • A wonderful celebration of Rance @revrance, filling the lobby with his spirit and our voices.

At con, there is no bedtime. I’ll have memories that last a lifetime from staying up to listen and learn from @ihackedwhat, @ussjoin, @steveD3 and @viss. Oh, the things you can do with Windows XP.

There were, of course, outstanding talks. Fire Talks are always great, and the line-up this year featured a good mix of new voices and heavy hitters. First-timer Wendy Knox Everette @wendyck came to win, but I have to admit my bias for @da_667’s gift for storytelling.

Jesse Irwin shared her distinctive wit and wisdom on bringing non-tech users in. I caught an excellent panel discussion, “You Ain’t Seen Nothing Yet: New Paradigms for Policy, Regulation, and Community Engagement”, addressing some of the hot-button issues we all love to hate when it comes to government and cyber. Kristin Paget brought her creative brilliance to preventing RFID tags from being read in “Be Free, Little GuardBunny”. And “Attack on Titans: A Survey of New Attacks Against Big Data and Machine Learning” by Andrew Ruef and Rock Stevens explored another attack vector on our ever-increasing and vulnerable data.

I’m truly grateful I got to see Andrew Kalat @lerg’s talk, “Online No One Knows You’re Dead”. I love the rapid-fire banter between Andrew and Jerry on their Defensive Security podcast, but this talk was different. It addressed the unimaginable issues of putting our digital affairs in order when we’re overcome by grief and loss. There were hard lessons offered through the poignant retelling of a real-life story. Thank you to Beth for being both brave and generous enough to share her experience.

Something I heard mentioned often was “Imposter Syndrome”. The term was created in 1978 by clinical psychologists Dr. Pauline Clance and Suzanne Imes, “referring to high-achieving individuals marked by an inability to internalize their accomplishments and a persistent fear of being exposed as a fraud.” Ironically, a good many of us feel just this way. I know I do – I’m no hacker. I don’t have a comp sci degree, or any tech degree. But as we exchanged stories over drinks in Lobbycon, it was reassuring to learn I wasn’t alone in my convoluted path to InfoSec. The truth is that the diversity of our backgrounds and experiences is what makes our community so strong and vibrant. We all belong here; we all have a meaningful contribution to make.


And that led to the Saturday night community-building sessions. We pulled up more chairs as people joined, to talk openly about diversity, gender issues, learning styles, and how to make first-timers and those new to InfoSec feel welcome. Here are some of the great ideas from an enthusiastic group of great people:

  • Create opportunities, like scholarships, to help more people get to these cons.
  • Have ice-breaker events to help n00bs meet more of the community faster.
  • Have a welcome/orientation event for con first-timers so they don’t feel overwhelmed and miss things.

In the end, it isn’t about the actual events like parties and talks so much as it is the overall experience and what we come away with. What matters is how Shmoo, and other smaller cons, are more personal; they encourage us to open up and share in a very relaxed and welcoming environment. Shmoo feels like family. For some of us, however, our families haven’t been there. Support and acceptance enable us to pursue our aspirations and to be confident in ourselves. In my experience, InfoSec is a haven, and a home, because this community takes care of its own. And that made this con very personal for me. Thanks to the kindness and generosity of good friends, I was able to attend Shmoo. You know I’ll be paying it forward, finding ways to bring people here, to learn, grow, and share with family. A reverent ‘Thank You’ to Heidi and Bruce Potter, and to their fantastic team who made it happen. Shmoo all the things!

BSidesTO: Bringing IT Home

In my first year of security cons, and sharing them with the world, it means a lot to pen this tribute to BSidesTO, the one in my hometown. Hitting its stride in its third year, tickets sold out in advance, there was an excellent roster of speakers, and I was thrilled to be selected.

Let me start with kudos and congratulations to the small but powerful organizing team who put together a terrific event and made themselves readily available. The venue was packed with an appreciative audience of over 160 security folk who engaged each of the speakers in lively question-and-answer sessions following their talks. And yes, there was such a thing as a free lunch, which was served up with smiles by the BSidesTO team. They even arranged a movie to end the session, for those not already engaged in the post-con convos. If anything went awry, it wasn’t evident.


Given that our space was full to bursting, and that Toronto is Canada’s largest city, and one of the largest cities in North America, I think it’s time we had a major hacker con, along the lines of ShmooCon, GrrCon, or DerbyCon. Because it isn’t a corporate event, BSides has that potential, and has established itself as a much-loved, homegrown series of security cons that started in the US and has been spreading because of the community they build and the innovation and exploration they encourage. It’s where the security community shares their hacks to learn, to improve, and to make the world a safer place. I really look forward to participating again next year, and to getting involved.


Unfortunately, that isn’t always how hacking is perceived. This past year brought us the short-sighted Wassenaar agreement, which would penalize those who hack to protect, and several governments working to ban encryption. But someone has to scrutinize the ever-growing number of devices added to the Internet of Things; to dissect the code that builds the websites we are all accessing. Decision makers need us to give them regular reminders that hackers watch over all the connections we make, and that they serve as our early-warning security system.

Which is why having a local BSides really matters – it fosters the free exchange of ideas and supports this community in their varied approaches to security. Because as the impact of breaches continues to increase, and average users discover the extent of their vulnerability online, the world needs to know that hackers are here – for good.

Friday Fun: InfoSec Geek Speak

Find yourself mystified by all the acronyms and terms you hear when anything tech comes up? You don’t want to speak it – you just wish you knew what the heck it meant. No problem. In today’s Friday Fun installment, I’ll get you up to speed. Thanks to the fine folks at Raytheon (sponsors of that excellent endeavour, the National Collegiate Cyber Defense Competition, NCCDC), I can share this glossary of terms. And consider yourself just that much more up to speed on your own safety and security!

InfoSec Geek Speak Glossary

@ — Symbol chosen by Ray Tomlinson, a Raytheon BBN Technologies engineer who sent the first Internet email, to separate the names of users and their networks in addresses.

Advanced Persistent Threat — A group, such as a government or a criminal organization, with the expertise, resources and intent to target a specific entity. An APT uses multiple methods to break into a network, avoid detection and harvest valuable information over a long period of time.


Air gap — To physically separate or isolate a secure network from other unsecured systems or networks.

Back door — A hidden entry to a computer, network or software that bypasses security measures.

Blackhat — A criminal hacker who breaches security for malicious reasons or personal gain.

Blue Team — A group defending a computer system from mock attackers, usually as part of a controlled exercise. During the Raytheon National Collegiate Cyber Defense Competition the blue teams are made up of students.

Bot — A program that automates a simple action. Bots infect computers and secretly perform activities under the control of a remote administrator.

Botnet — A collection of computers infected by bots.

Bot master or herder — Someone who controls a botnet.

DoS Attack — A Denial-of-Service attack disrupts a website, server, or network resource – often by flooding it with more requests than it can handle.

DDoS Attack — A Distributed Denial of Service Attack is a DoS attack using a multitude of machines. Hackers often control one “master” machine to orchestrate the actions of “zombie” machines.

End-point Security — Security measures that protect a network from potential vulnerabilities posed by laptops and other mobile devices that access the network remotely.

Fuzzing — Automated input of invalid, unexpected or random data to a computer program. “Shocking” a computer in this way can reveal vulnerabilities.

Honeypot — A trap set to detect intruders. A honeypot usually simulates a real network but is actually isolated and monitored so it can give advance warning of an intrusion.


Insider threat — A threat posed by employees, contractors, business associates or other people who have inside access to a computer system. Raytheon is the No. 1 insider threat solution provider, protecting hundreds of thousands of endpoints.

Malware — Software designed to hijack, damage, destroy or steal information from a device or system. Variations include spyware, adware, rootkits, viruses, keyloggers, and more.

Patching — The process of updating software.

Pentest — Short for penetration testing, or trying to hack into a system to identify weaknesses.

Phishing — Tricking someone into giving away personal information by imitating legitimate companies, organizations, or people online. The “ph” derives from phreaking, or “phone freaking” — hijacking telephone lines. Spearphishing focuses on a particular target.


Pwned — Pronounced like owned with a “p” at the beginning, pwned means to defeat security measures. Derives from the word “own,” or dominate.

Red Team — A group of cybersecurity professionals authorized to simulate an attack. A “blue team” of students will face a red team at the Raytheon National Collegiate Cyber Defense Competition.

Social Engineering — Manipulating people into sharing private information.

White Team — A group responsible for refereeing an engagement between a red team of mock attackers and a blue team of cyber defenders.

Whitelist — The opposite of a blacklist, a whitelist is a list of people, groups or software OK’d for system access.

Zombie — An infected device that is used to perform malicious tasks under remote control. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service (DoS) attacks.

Thanks for reading and remember … “You Own Your Own Security!”

DRP: What Have I Got to Lose


It happens when you least expect it, when the timing is bad, when it’s the last thing you’re prepared to deal with. That’s why it’s a disaster. But the real disaster is that so few companies are ready with a plan to get them through one.

Most Don’t Have One

As per research done by Symantec in a study from 2011, 57% of small to medium businesses didn’t have a Disaster Recovery Plan (DRP). Those numbers don’t appear to be improving. According to an article from February 2015, roughly 60% of businesses in Canada did not have a plan in place to address security incidents like hack attacks, breaches or system failures. This information comes from two online surveys done by analyst firm IDC Canada for Cisco, comprising 2000 Canadians and 498 Canadian businesses.

Questions addressed security preparedness, and topics like security policies, recent cyber attacks, and familiarity with mobile and cloud-based applications. The result? Per Cisco “many Canadian businesses operate without any security strategy for their networks and are ‘woefully unprepared’”.


It’s like jumping without a net. Per CRA, a managed IT solutions firm in NYC, the average cost per day of IT downtime can amount to as much as $12,500. Many smaller businesses fail to recover from the financial losses they sustain, and go out of business within a year. As stated by Tom Richer, CRA Chief Sales & Marketing Officer:

SMBs that do not have a disaster recovery plan are taking an unnecessary risk. Not recovering quickly from a disaster or outage could mean the loss of many clients and revenue

So Why Not?

If we know the risks are growing and the costs of downtime are perilously high, why do so few companies have a plan in place? Below are the results from a recent survey done by Continuity Central. The numbers speak for themselves:

  • Lack of budget, funds and resources: 35.6 percent
  • Lack of top management commitment, buy-in and support: 16.4 percent
  • Lack of business unit support: 6.6 percent
  • The low priority given to BCM compared to other deliverables: 5.3 percent
  • Organizational apathy towards BCM: 4.9 percent
  • Staffing difficulties (loss of business continuity staff and difficulties in recruiting staff with appropriate qualifications): 4.8 percent
  • Lack of time available for business continuity staff to manage all their tasks: 3.5 percent

Simply put, lack of preparedness equals a perceived lack of funds and an ongoing lack of buy-in. We are looking at the formula for disaster.


What Are You Waiting For?

Last year gave us:

  • Mass data breaches: illustrating how Point of Sale malware is increasingly pervasive, continuing to feed our valuable information into the coffers of cybercriminals across the globe
  • The Sony Hack: how disgruntled employees can become destructive forces we don’t anticipate
  • Ransomware: cybercrime knows how to hold us hostage, and we pay regardless
  • Natural disasters: global warming or not, tornadoes, hurricanes, massive blizzards shut down cities and businesses every year

Putting a Disaster Recovery Plan in place is a lot easier than cleaning up the aftermath of a disaster. There are many approaches and templates to work from (I would love to help you with that – just ask!) but the best approach is to take the proverbial bull by the horns and get to work on your plan. Because the old adage holds true: failure to plan is a plan to fail. Don’t let it be yours.

(currently featured on the JIG Technologies corporate site)

Back It Up, Back It UP!

(A cautionary tale and my little take on “Shake It Off” by Taylor Swift)

I left it too late
Got nothing on my plate
That’s what my disk drive says mmm-mmm
That’s what my disk drive says mmm-mmm

Now my files are all gone (sob)
And I know something is wrong
At least that’s what the server says mmm-mmm
That’s what the server says mmm-mmm

So I keep losing
All the work that I was doing
It’s like I got this hole
In my drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, way
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up
Shellshock is gonna bash, bash, bash, bash, bash
And the hackers gonna hack, hack, hack, hack, hack
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

When we got hacked today
By Ransomware – won’t pay
That’s what they say don’t do mmm-mmm
That’s what they say don’t do mmm-mmm

Get the backups- Let’s restore! (backup and restore)
Is this all- why aren’t there more? (why, why aren’t there more?)
So I tell them I don’t know, mmm-mmm
I tell them I don’t know, mmm-mmm

And we are losing
The work that we’ve been doing
It’s like we got this hole
In the drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, way
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up
Our site is getting hacked, hacked, hacked, hacked, hacked
Our accounts are getting jacked, jacked, jacked, jacked, jacked
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Back it up, I’ll back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up

Yeah ohhhh!!!!

Yeah the price we had to pay, pay, pay, pay, pay
But today’s a different day, day, day, day, day
Baby, I’m just gonna save, save, save, save, save
Now I back it up, I back it up
If the hard drive’s gonna crash, crash, crash, crash, crash
Or tornadoes gonna smash, smash, smash, smash, smash
Baby, I’m not gonna cry, cry, cry, cry, cry
Cause I back it up, I BACK IT UP!

You know what you gotta do – go do it!

Security Patches: One Step Forward, Two Steps Back


Security breaches, mass DDoS attacks, ransomware mutations. No question about it – the challenges to information security are constant and ever-changing. Over the past twelve months, InfoSec has had to deal with threats not only of a greater magnitude in complexity but also in sheer volume. So in our concerted, and at times hasty, efforts to keep up with all that’s out there, are we leaving ourselves exposed? Do we need to double-back and cover our tracks?

Fact is, there is a lot to keep up with, even for security super-heroes. Given the nature of the beast, we’re always looking forward, trying to keep up or gain a little ground to ready ourselves for the next challenge. But what about those “backdoors” we just closed?

Cleaning up after mass events like ShellShock/Bashbug and Heartbleed isn’t straightforward. Sadly, one patch does not fit all when there are multiple iterations of operating systems and devices. And the truth is, there just aren’t enough good people or hours in a day to comb through all the stuff out there to find and fix what’s at risk, much as we want to. Much as we need to. What happens next is inevitable. The adversary takes advantage, finds the hole, and builds exploits that we then must find and shut down in a series of blocks and tackles.

Here’s a recent case in point: Shellshock and QNAP. Shellshock doesn’t just impact servers. It impacts devices connecting to these servers through the internet: wireless access points, routers, smart fridges, video cams, webcams, even light bulbs. You can patch a server. It’s not so easy to patch a fridge. The real challenge has been to identify and patch all those different exposed devices. QNAP makes network attached storage devices that are popular world-wide. And therefore ideal targets for Shellshock exploits.

While QNAP did issue a firmware patch in October, Shellshock worm exploits were detailed later in December. The worm targeted a particular CGI script, /cgi-bin/authLogin.cgi, which could be accessed without authentication. That would allow attackers to launch a shell script that could in future download more malware. Essentially, keeping the backdoor open.

One of the interesting things noted about this worm, per Kaspersky’s detailed write up, was that the script it made then downloaded and installed QNAP’s Shellshock patch. Yes! But in a move that was strictly territorial to keep other opportunistic attackers out.
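As an added example (not code from the original post, QNAP or Kaspersky), here is a small detector a defender could run over a device’s web access log to spot the behaviour described above: Shellshock-style function definitions in request headers aimed at /cgi-bin/authLogin.cgi. The log lines are constructed, and the severity levels are my own assumptions.

```python
import re
from dataclasses import dataclass

# Path of the QNAP CGI script the worm described above targeted.
QNAP_LOGIN_CGI = "/cgi-bin/authLogin.cgi"

# The public Shellshock signature: a bash function definition "() {" smuggled
# into an HTTP header that a CGI handler exports as an environment variable.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format: client, ident, user, [timestamp],
# "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log; the probe payload is inert (it only echoes a word).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2014:03:14:07 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.7 - - [10/Dec/2014:03:14:09 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [10/Dec/2014:03:15:01 +0000] "GET /index.html HTTP/1.1" 404 0 "-" "() { :;}; echo probe"
192.0.2.45 - - [10/Dec/2014:03:16:22 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 403 0 "() { :; }; echo probe" "curl/7.38.0"
"""


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    severity: str   # assumed scale: "critical" or "high"
    reason: str


def classify(line: str):
    """Return a Finding for one log line, or None if it carries no Shellshock marker."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # Only referer and user-agent are logged; either can carry the payload.
    if not any(SHELLSHOCK_RE.search(h) for h in (m["referer"], m["ua"])):
        return None
    status = int(m["status"])
    if m["path"] == QNAP_LOGIN_CGI and status == 200:
        # Payload aimed at the unauthenticated QNAP script and the server answered
        # 200: treat as a probable compromise rather than a mere probe.
        return Finding(m["ip"], m["path"], status, "critical",
                       "Shellshock payload against authLogin.cgi accepted")
    if m["path"] == QNAP_LOGIN_CGI:
        return Finding(m["ip"], m["path"], status, "high",
                       "Shellshock payload against authLogin.cgi rejected")
    return Finding(m["ip"], m["path"], status, "high", "Shellshock probe")


def analyze(log_text: str) -> list:
    """Scan a whole access log and return findings in log order."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.severity.upper():8} {f.ip:14} {f.status} {f.path}  {f.reason}")
```

A "critical" hit is the cue to check the device for the worm's dropped script and re-apply the vendor firmware yourself rather than trusting whatever the worm installed.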

Kaspersky advised that

“IT staff responsible for these devices’ security should apply patches themselves, or a worm will do it. At a price.”

I’ve followed up with QNAP, and nothing else has been issued. The onus is on the users to identify and patch their products. Need I say more?

It’s easy to lose track when the tyranny of the urgent sets our agendas for us. And it’s hard to be proactive when you’re busy fighting fires. But the fact is we need to keep watching those backdoors – because they don’t always shut completely.

This post was featured on DarkMatters, the security blog by Norse Corp

The lead illustration is an actual screencapture of Shellshock malware by MalwareMustDie.org, a whitehat security research workgroup