What I Learned at BayThreat 2013

Dec 9, 2013
Kenna Security

BayThreat, an annual Bay Area information security conference, was this past weekend. As in years past, it was top notch and well organized. The conference returned to its old home, the Hacker Dojo, for this fourth incarnation.

Some highlights (in no particular order):

  • Nick Sullivan spoke on white box cryptography, and the lack of a current open source implementation. White box cryptography attempts to address situations where the attacker has already compromised a host, but you want to prevent them from making use of encryption keys. Nick outlined some techniques, caveats and examples of current implementations. He then announced the Open WhiteBox project, which aims to release an open source implementation of this style of crypto.
  • Allison Miller discussed using operations management paradigms to create risk models. Using (don’t call it big) data to find leading risk indicators allows you to focus on the variables that matter. She also covered using feedback loops to improve and adjust your model over time, keeping you responsive to new threats.
  • Scott Roberts explained how GitHub uses Hubot to manage many aspects of operations, including security. Having the company exist in a series of chatrooms allows everyone to be involved in responding to security incidents, something Scott compared to pair programming. GitHub has given Hubot a central role in management, and Hubot is easily extensible, allowing others to customize it for their needs.
  • Finally, Nathan McCauley from Square presented on the challenges of deploying hardware cryptographic devices on the cheap. Square allows merchants to accept payments via a small hardware device that plugs into a smartphone or tablet. Creating such a device brought interesting challenges such as: no random number generator, only 256 bytes of memory, low power and overseas production. The talk covered how Square addressed these during the design of their solution.

I also presented on surviving an application DoS attack. BayThreat did not disappoint, and I’ll definitely be returning next year. If you would like to know more about BayThreat and these subjects, check out their website at http://www.baythreat.org/.
