Archive for the ‘Out and About’ Category

Converge Detroit Podcasts

We did a few podcasts over the Converge Detroit conference. Check them out here:

IT in the D — Live Broadcast: Converge 2015 Security Conference. Ever had a conversation with a guy who compromised bank security … in Beirut? How about someone who’s managed to compromise physical security all over the world … just because scanning and getting into servers is too boringly easy? Know anything about a group that’s out there dedicated to teaching kids about computer security in a way they’ll actually want to learn? Read and listen on, friends … read and listen on.

Hurricane Labs InfoSec Podcast — Don’t Bother Trusting, Verify Everything. This podcast was recorded by the Hurricane Labs crew, and special guest Wolfgang Goerlich, at the 2015 Converge Conference. Topics of discussion (and witty banter) include: FBI anti-encryption rhetoric; the Hacking Team hack; Google’s social responsibility; and more. Converge and BSides Detroit were fantastic – if you didn’t get the chance to make it out this year, you can still view the video presentation recordings here: Converge 2015 Videos. Thanks to Wolf and all the sponsors, volunteers, speakers and everyone who made these conferences possible!

PVCSec — Live! At Converge Detroit. Ed & I enjoyed talking with a fantastic audience at Converge Detroit 2015 yesterday. Everyone was in fine voice. Ed & Paul embraced Converge Detroit’s invitation to podcast LIVE! from the event on the campus of Wayne State University in the Arsenal of Democracy, Detroit Michigan U.S. of A. Thanks again to the event, the sponsors, the volunteers, and of course all of those who attended. We had a blast and can’t wait for next year!

MiSec events in December

The next two weeks are packed with MiSec goodness. I thought it best to do a roll-up blog post, rather than my normal Tweet shout-outs.

Concise Courses: Wednesday, December 11th, 12pm
FedRAMP: How the Feds Plan to Manage Cloud Security Risks
Presented by: Steven Fox (@securelexicon)
Online here:


North Oakland ISSA: Wednesday, December 11th, 6pm to 8pm
Practical Threat Modeling
Presented by: Wolfgang Goerlich (@jwgoerlich) and Mark “Belt” Kikta (@B31tf4c3)
Baker College
1500 University Drive
Auburn Hills MI 48326


OWASP Detroit: Thursday, December 12th, 7pm to 9 pm
Susie the Useful SOC Puppet: A blue-team bedtime story.
Presented by: Jeremy Nielson (@jeremynielson)
First Center Building
26911 Northwestern Highway
Southfield, MI 48033


RuCTFe: Saturday, December 14th, 5am to 2 pm
Online Technologies Corporation (OTC) of Ann Arbor
5430 Data Court, Ann Arbor, MI 48108

Holiday dinner: Wednesday, December 18, from 7 pm to 10 pm
Rochester Mills Beer Co
400 Water Street
Rochester, MI 48307
Tickets here:

Whispering on the Wires Workshop

I am giving my Whispering on the Wires Workshop for the Eastern Michigan University’s Information Assurance workshop series. This will be next Friday, April 5th, from 5 pm to 8 pm.



The Internet opened communications and enabled this flat world where everything is but one click away. These complex networks make possible rich exchanges of thoughts and ideas, goods and services. But there is, of course, a dark side. Not all communications are productive. Not all communications are visible. Some are destructive, hidden, invisible. Some messages are whispered in secret. In this session, we will delve into ways attackers can hide their traffic using steganography and covert channels.

Whispering on the Wires will be a hands-on workshop. Attendees will apply steganography to a variety of file formats, and open a variety of covert channels. Defensive measures will also be discussed and demonstrated. Every communications channel has a dark side, a covert channel, and every dark side has a defense. Let’s explore these together.



Computer with Windows 7, 8, or Windows Server 2008 R2, 2012. Please have installed: Microsoft .Net Framework 4.0, PowerShell 3.0, PowerShell Community Extensions, the latest Wireshark, and your favorite hex editor.

Microsoft .Net Framework 4.0 –
PowerShell 3.0 –
PowerShell Community Extensions (PSCX) –
Wireshark –



This workshop is open to students, faculty, and the local information security community.

Friday, April 5th, 5:00 pm to 8:00 pm
Eastern Michigan University
Roosevelt Building
Ypsilanti, MI, USA 48197

Out and About: Great Lakes InfraGard Conference

I am presenting a breakout session at this year’s Great Lakes InfraGard Conference. Hope to see you there.


Securing Financial Services Data Across The Cloud: A Case Study

We came from stock tickers, paper orders, armored vehicles, and guarded vaults. We moved to data bursts, virtual private networks, and protocols like Financial Information eXchange (FIX). While our objective remains the same, protect the organization and protect the financial transactions, our methods and technologies have radically shifted. Looking back is not going to protect us.

This session presents a case study on a financial services firm that modernized its secure data exchange. The story begins with the environment that was developed in the previous decade. We will then look at high-level threat modelling and architectural decisions. A security-focused architecture works at several layers and this talk will explore them in depth; including Internet connections, firewalls, perimeters, hardened operating systems, encryption, data integration, and data warehousing. The case study concludes with how the firm transformed the infrastructure, layer by layer, protocol by protocol, until we were left with a modern, efficient, and security-focused architecture. After all, nostalgia has no place in financial services data security.

Out and About: Incident Management with PowerShell

Matt Johnson and I will be presenting on incident management and PowerShell at next month’s Motor City ISSA. This is part of the PoshSec initiative.


Incident Management with PowerShell

Have you seen the latest scare? The Java 0-day exploit that allows attackers to execute code on your computer? Now scares come and scares go. But let’s suppose for a moment your servers were infected using this exploit. How could your administrators detect the attack? How would you recover? Even better, what could have been done beforehand and how could you prevent this from happening again?

Incident Management, of course, is the security practice that seeks to answer these questions. In Windows server environments, PowerShell is the way Incident Management gets put into practice. This session will introduce InfoSec professionals and systems administrators to PowerShell’s security features. We will provide an overview of Incident Management and PowerShell. Then, using the Java 0-day exploit as a driver, we will walk through the lifecycle of an incident. The audience will leave with information on the policy and practice of managing security incidents in Windows with PowerShell.


J Wolfgang Goerlich is the information systems and security manager for a Michigan-based financial institution. He is responsible for managing the software development and network operations team. Wolfgang’s background is in architecting new systems, securing existing systems, and optimizing performance and recovery. With over a decade of experience, Mr. Goerlich has a solid understanding of both the IT infrastructure and the business it enables.

Matt Johnson is a Systems Analyst from the Metro Detroit area. As an avid technologist and tinkerer, he is always looking to understand and improve the world around him. Matt has a strong interest in automation and the use of PowerShell. Matt founded the SE Michigan PowerShell User Group and was a judge for the last two years for the Microsoft Scripting Games. He holds numerous certifications and writes a blog at You can follow him on twitter by following @mwjcomputing.


Motor City ISSA. February 21st, 2013. Livonia, MI.

Incog: past, present, and future

I spent last summer tinkering with covert channels and steganography. It is one thing to read about a technique. It is quite another to build a tool that demonstrates a technique. To do the thing is to know the thing, as they say. It is like the art student who spends time duplicating the work of past masters.

And what did I duplicate? I started with the favorites: bitmap steganography and communication over ping packets. I did Windows-specific techniques such as NTFS ADS, shellcode injection via Kernel32.dll, mutexes, and RPC. I also replicated Dan Kaminsky’s Base32 over DNS. Then I tossed in a few evasion techniques like numbered sets and entropy masking.

Incog is the result of this summer of fun. Incog is a C# library and a collection of demos which illustrate these basic techniques. I released the full source code last fall at GrrCon. You can download Incog from GitHub.

If you would like to see me present on Incog, including my latest work with new channels and full PowerShell integration, I am up for consideration for Source Boston 2013.


Please vote here:

This year SOURCE Boston is opening up one session to voter choice. Please select the session you would like to see at SOURCE Boston 2013. Please only vote once (we will be checking) and vote for the session you would be the most interested in seeing. Voting will close on January 15th.

OPTION 5: Punch and Counter-punch with .Net Apps, J Wolfgang Goerlich, Alice wants to send a message to Bob. Not on our network, she won’t! Who are these people? Then Alice punches a hole in the OS to send the message using some .Net code. We punch back with Windows and .Net security configurations. Punch and counter-punch, breach and block, attack and defend, the attack goes on. With this as the back story, we will walk thru sample .Net apps and Windows configurations that defenders use and attackers abuse. Short on slides and long on demo, this presentation will step thru the latest in Microsoft .Net application security.

North Oakland ISSA and Motor City ISSA

I will be presenting at North Oakland ISSA on September 12th, and at Motor City ISSA September 20th.

Turtles all the way Down — .Net Software Security. Peel back the layers of abstraction, what do you find? Software. Feel through the fog of cloud computing and what is there? Software. What powers our devices? Handles our protocols? Drives our cars? What ties us all together? Software. Every layer of our technology stack is software. It is turtles all the way down. Few things are as germane to security as software security. We will delve into software security in this session. Using C# as an example, we will see how software in general breaks and how to protect Microsoft .Net in particular. So how do we protect software? Come find out.

North Oakland ISSA. September 12, 2012. Auburn Hills, MI.

Whispering on the Wires. The Internet opened communications and enabled this flat world where everything is but one click away. These complex networks make possible rich exchanges of thoughts and ideas, goods and services. But there is, of course, a dark side. Not all communications are productive. Not all communications are visible. Some are destructive, hidden, invisible. Some messages are whispered in secret. In this session, we will delve into ways attackers can hide their traffic using steganography and covert channels. Examples will be demonstrated and potential controls will be discussed.

Motor City ISSA. September 20, 2012. Livonia, MI.

BSidesCleveland 2012

I went to BSides Cleveland last Friday. We put the word out to the #misec mailing list, and took a couple of carloads of Michigan IT/InfoSec pros down to Ohio. The conference was well run, the swag bags were well stocked, and everyone I spoke with enjoyed themselves. Below are some of the highlights.

Dave Kennedy (Rel1k) kicked off the conference. Dave has recently made the transition from Diebold’s CSO to CEO at TrustedSec. Dave demoed some advanced pentesting techniques using the Social-Engineer Toolkit (SET). Of note, did you see the news on the new scary attack that knows your OS? Yeah. That was Dave’s code being re-used. Whoops.

Next up was Bill Mathews (@billford) on cloud security. I have a reasonably sound understanding of cloud computing and cloud security. I went to Bill’s talk to get ideas on how to talk with non-infosec people about cloud concepts. Bill did not disappoint. He had a good talk, kept my interest, and provided a one page cheat sheet at the end. (These sheets are on their way to my team already.) You can see Bill’s slides and cheat sheet at Hurricane Labs.

I attended Jeff Kirsch’s talk next (@ghostnomad). As a haiku fan and long-time reader of Jeff’s blog, I really wanted to meet Jeff. He is also a hard guy to meet because I rarely see him at other conferences. Finally I had my chance! Moreover, I identified end-user training as a weakness in my security program and I am on the lookout for ways to improve. The “<? $People ?> Process Technology” talk was informative and helped steer me in the right direction.

Jeff joined us for lunch at the Winking Lizard Tavern. We got to talk secbiz, rail against auditors who don’t get it, rail against IT managers who don’t get it, and basically geek out on the business side of infosec. I rarely get to scratch the business itch and so this was a real treat.

After lunch, I gave an updated version of my Naked Boulder Rolling talk. How did this compare to the one I gave in June? Detroit was more fun and Cleveland was more satisfying. That is to say, I enjoyed the audience participation and humor while presenting in Detroit. The only problem was that it meant a good quarter of my talk was cut due to time. In Cleveland, I was able to present the material in full. I felt the overall message of the talk was conveyed more clearly. I fielded some good questions afterwards that have me thinking of making a new ITGRC deck.

With Matt Johnson’s incident talk fresh in my mind, I joined Mick Douglas’s talk on Automating Incident Response. Mick’s metaphor was building a sprinkler system to respond to the burning building that is the security breach. Add to that the research that shows how exponentially expensive a breach gets the longer it goes undetected, and Mick has a powerful argument. He wrapped up by demonstrating Python scripts that respond to incidents using network segmentation and throttling. Mick gave me a few ideas that I am going to try on my own network gear this coming week.

I sat in on a talk by James Siegel (@WolfFlight) next. James has been thinking about moving the security conversation beyond the echo chamber for some time. At BSides Detroit, he brought a hallway con discussion around the topic that led up to a podcast. It was decent for a first-time presenter. James employed some humorous visuals featuring Looney Tunes to provide a clear call to action: let’s educate non-technical folks.

I walked into the next session chanting “.net! .net! .net!” Some might argue that was because of all the free Bawls drinks. But, no, I was excited to see Bill Sempf’s perspectives on application security. Bill walked us thru ASP.NET controls for the OWASP top ten, and touched upon using Back|Track for validation. The key insight from this talk was using Back|Track scripts to validate code as part of the build process. This dovetails nicely with my philosophy of baking infosec into the work, and I am looking to explore the concept further in the next few months.

The conference wrapped up with a two hour after party, and then a three hour drive back home. I had a number of great conversations over those five hours, and spent yesterday collecting notes and pulling down content. BSides always leave me fired up to do more, learn more, and see more. BSides Cleveland once again proved why community conferences are so inspiring. All I can say is, when do we get to do it again?

Kudos to Dave DeSimone and the Cleveland organizers, and thank you to sponsors: Diebold, Accuvant, FireEye, f5, Bit9, DerbyCon, Hurricane Labs, Neoisf, SecureState, Rapid7, and McAfee.

Update: The videos for all BSides Cleveland talks are now online:

BSides Detroit 12 by MiSec

What a difference a year and a community make. I attended the first BSides Detroit last year and it was in stark contrast to Source Boston. I thought perhaps that was the nature of the local conferences. Then GrrCON opened my eyes to what was possible. I began to think of how we could raise the quality of BSides Detroit 12 to match events like Source and GrrCON. And I was invited to volunteer and ready to help organize the next event. Game on.

BSides Detroit 12 was every bit the event we set out to make it. 2 days, 2 tracks, 4 workshops, 32 speakers, all set to educate and engage some three hundred participants. The event was held in the GM Renaissance Center. We had climate controls, working audio/video, an evening reception, and we were every bit a full destination conference.

Being an organizer puts me in a tough spot. I typically write up a conference by calling out a few talks that I felt captured the gestalt of an event. How do I do that after spending six months podcasting with all the speakers? How do I feature some and leave others off, knowing each of the presenters as I do?

I tried a tack of thanking people who made this event. We had four organizers including myself, dozens of volunteers, sponsors, and many others who made this possible. My first few drafts resembled an Oscars Awards speech gone awry. While the tack does not work, the effort produced the real insight.

The #misec community is the main difference between last year and BSides Detroit 12. The podcast leading up to the event was organized by #misec regulars Chris J and Justin. Many of the talks were tested and tuned at #misec meet-ups. The three keynote speakers were all invites from #misec regulars, too, come to think of it. #misec led to some fantastic collaboration with GrrCON and BSides Chicago. And while some jokingly called this #misecon, we were out volunteering in force. This was our moment.

What difference does a community make? It makes for an event that is qualitatively and quantitatively better by any measure. It makes me awed and grateful for everyone’s efforts. It also makes me very hopeful for the future.

BSides Detroit 12 Event Coverage

Detroit Hackers Fly Under Radar. “After spending a little time at BSides, I’m thinking that, not only could Arne Duncan use Payne’s counsel, but there are probably a number of non-IT fields that could benefit from a hacker’s ethos and insight.”

Bsides Detroit – the day after (part 1) and the day after (part 2) by Keith Dixon (Tazdrumm3r). “Over all, Bsides was incredible and the organizers should be proud of what they accomplished. I know, I’m definitely going next year and can’t wait!”

BSides Detroit 2012 Wrap Up by Matt Johnson (mwjcomputing). “I had the honor to organize the #misec dinner the Thursday night before BSides Detroit. … I decided to volunteer this year. Being friends with a few of the organizers, I only felt like it was appropriate. After this weekend, I think I am insane.” Note Matt also has a great group photo of #misec guys threatening to hug me.

Be Inspired By Local Cons by Elizabeth Martin. “Each and every opportunity I have to interact with the many walks of life in the InfoSec community I am inspired to do more, collaborate more, listen more, contribute more, help more, etc.”

BSidesDetroit – ConBlu, first try at presenting, by Scott Thomas (Secureholio). “I loved the venue, it was well laid out, there was quite a bit to do in the conference center itself, as well as having the hotel right there. The different tracks in different rooms made it easy to have hallway-con, as well as two tracks, a teaching area, and a lock-pick village. I really loved the set-up and the Detroit team did a great job with putting it together.”

Stir Trek Reflections

This was my first year attending the Stir Trek conference in Columbus OH. From the name and from the website, I was not quite sure what to expect. Whatever I was expecting, it certainly was not 900 people in a pristine theater multiplex. All the talks were in various theaters, with the marquees lit to match the tracks. There were several clever marketing tie-ins, too, like movie posters for the sponsors. The volunteers, the food, the sessions all were excellent. Three talks, in particular, struck me as very interesting.

David Giard (@davidgiard) gave a talk titled “Effective Data Visualization: The Ideas of Edward Tufte.” Tufte spent years analyzing and quantifying how data is visualized and displayed. Giard covered Tufte’s ideas, including concepts like the lie factor, data-ink ratio, and data density. The thing that struck me was how Giard was able to take twentieth century concepts and apply them to today’s latest problems in business intelligence. As a consultant, Giard has found many ways of spreading Tufte’s message and integrating effective data visualization within projects.

Mark Stanislav (@markstanislav) gave a talk on using the cloud for disaster recovery. A DR strategy is a perfect example of owning the base and renting the burst. Recovery environments are rarely needed, and often needed only for a short period of time. Mark’s case study featured a small business with an Internet streaming product. It’s common to see 99% uptime for smaller organizations, which means 3-4 days downtime per year. Mark’s solution had an annual operational cost of $1,184 and a per incident cost of $435. The recovery time was an hour. So for a total of $1,619 annually, the small business boosted their uptime to 99.99%. Quite impressive, and a good example of how companies can use cloud computing in lower risk areas to build competency.

It was a talk by Mike Amundsen (@mamund) that blew my mind. “It’s the future. I don’t have my jetpack. I don’t have my flying car. But at least I have a browser.” And with that, Mike walked thru developing, testing, debugging, and deploying apps directly from a web browser. The toolset was Cloud9 IDE, Node.js, CouchDB, Github, and Heroku. I remember how hard it was to get into software development as a kid, so I was simply amazed at how easy it is today. I definitely need to find a project to complete entirely on the cloud for the cloud. By the way, Mike has a book out that covers his process: Building Hypermedia APIs with HTML5 and Node.

All in all, it was a great time and I left itching to write some code, test some recovery strategies, and do some data visualizations. Thanks to all the volunteers, speakers, organizers, and sponsors.