My first Information Security Conference – SOURCE Conference: Dublin 2014

I attended the two-day SOURCE Conference at Trinity College in Dublin last week (22-23 May), and have now officially stepped into the big bad (read awesome) world of Information Security with this being my first InfoSec conference. (Exciting times ahead!)

Launched in 2008 in Boston, Massachusetts (USA), the SOURCE Conference focuses on bridging the gap between technical excellence and business acumen within the security industry, and brings together students and professionals in an intimate and highly interactive environment.

There was an impressive line-up of speakers at SOURCE, with keynotes by Wim Remes and Felix ‘FX’ Lindner (in addition to the special effects created by a Cisco AP suddenly flaming out during his presentation!). The talks were fascinating and covered a variety of areas ranging from malware and botnets to big data and social media.

“I want the next generation web here SPDY QUIC”, a presentation by Matt Summers (NCC Group), was quite interesting. As the amusing title suggests, it highlighted the use of the next generation web protocols – SPDY and QUIC, which are designed primarily to reduce web page load latency and improve web security. Some of the major web players such as Twitter, Facebook, CloudFlare, WordPress, etc. already support SPDY. If you haven’t done it yet, go ahead and have a sneak peek at active sessions in your browser. For the Chrome browser, navigate to:

  • chrome://net-internals/#spdy
  • chrome://net-internals/#quic

Another very interesting talk was “Delivering Security at Big Data Scale” by Davi Ottenheimer (EMC). The speaker proposed a new “IKEA” model to handle the looming Big Data risk in any environment. This model apparently follows the systematic treatment of illness in cows! IKEA suggests the following:

  • Identify sickness ASAP
  • Keep adequate records
  • Evaluate daily sick
  • Adapt until noted improvement

One of the topics in the presentation that caught my attention was the use of intelligence to redefine control in context with systems such as traffic lights. Imagine how much time, money and fuel we would save in a world with intelligent vehicles and traffic lights, and perhaps eventually no traffic lights at all! On the subject of detecting attacks, the speaker talked about leveraging the insight of Dr. John Snow’s map-based spatial analysis and algorithm (Voronoi Diagram) to find the source of attackers, which he had discussed earlier at the RSA USA 2012 conference.

Moving away from Big Data and stepping into organizational security, we all worry about the main corporate security perimeter. But what about the extended perimeter, and the exposures and risks that arise from the supply chain for aspects such as code developed by offshore development centres or outsourced help desks? Do we have sufficient guidelines, policies or standards in place? Dave Lewis (Akamai Technologies) addressed this issue in “Supply Chain: The Exposed Flank” and cited personal war stories to help illustrate why we need to start paying attention to the problem.

If standards and policies make you yawn, how about the thought of spending a few dollars to create a massive JavaScript-driven browser botnet! The White Hat team tested it for mere pennies per thousand impressions (or browsers) and found that there are service providers who allow you to broadly distribute arbitrary JavaScript, even if malicious. This was discussed by Matt Johansen (White Hat) in his presentation, “Million Browser Botnet”, also demonstrated earlier at Las Vegas Black Hat 2013.

And of course, how can any security talk be complete without social networks! Brian Honan (BH Consulting) gave us numerous great pointers on “How to Like Social Media Network Security”. We’d like to think everyone out there would be more careful, at least with their credit cards, but obviously that isn’t the case since for them, it’s more important to show off that new card they just received! Front and Back! As Bruce Schneier says –

“The user’s going to pick dancing pigs over security every time.”

Other great talks at the conference included – “From DNA sequence variation to .NET bits and bobs” by Mathieu Letourneau, Andrei Saygo, Eoin Ward (Microsoft), “Emulate VMs to avoid malware infections” by Jordi Vazquez, “iBanking – a botnet on Android” by Stephen Doherty (Symantec), “Do you really know what is going in and out of your network perimeter?” by Darragh Delaney (NetFort) and “Decoding of the Zeus Variants” (Sophos).

One concern at InfoSec conferences often is the absence of women. Thankfully, a handful of us were present at this event! Also, thanks to Wim Remes for the special mention and to everyone else for making us feel a part of the InfoSec community! 🙂

As a newbie, I really enjoyed the SOURCE conference and made some great contacts. Look forward to the next one!

Highlights: Received a complimentary copy of Securing the Virtual Environment: How to Defend the Enterprise Against Attack from Davi Ottenheimer with an autograph.

Disappointments: Missed another autograph in the process, from the Bram Stoker medal winner – Channing Tatum, who was also at Trinity that day for his movie promotion. I guess we all have to make hard choices in life 😉

Be safe!
