The SC Awards: How To Put Your Best Foot Forward
It's that time of year again, as the security industry turns its attention to the looming deadline of September 3 to submit for the prestigious 2011 SC Awards. Heading into its 14th year, the SC Awards program continues to be top of mind for security professionals; some have likened the awards to the Oscars or Emmys of the security industry.
This year's program is highlighted by 32 categories across the Reader Trust Awards (20), Excellence Awards (5) and Professional Awards (7).
Last year's SC Awards program received over 650 entries, so the competition to take home a prized trophy is fierce. So, what can you do to put your organization's best foot forward to have a chance at being named a finalist or, even better, at taking home the hardware as one of the prestigious winners?
To help answer that question and more, we invited SC Magazine's Editor-in-Chief, Illena Armstrong, to the studio at Schwartz Communications, and she was gracious enough to sit down and share her thoughts about the awards and to offer some guidance on the best submission tactics. Click on the video below to check out what Illena had to say...

Key Information To Know:
Nomination entry fees:
The fee for the Reader Trust Awards and Excellence Awards categories is $275 per entry; the fee for the Professional Awards categories is $200 per entry.
Deadline for nominations:
The deadline for nominations is September 3. Nominations received after September 3 will incur a penalty of $115 per entry, and late entries will be accepted until September 10.
Finalists announced:
Finalists in each of the categories will be informed by the SC Magazine staff in the late October-early November timeframe and will be published in the January 2011 issue of SC Magazine.
The Awards Gala:
The winners will be announced at the 2011 SC Magazine Awards U.S. Gala, which will be held on February 15, 2011 in conjunction with the RSA Conference in San Francisco.
Tags: Awards Tips, PR Tips, RSA Conference 2011, SC Awards 2011, SC Magazine, security awards, Security PR, security public relations
By Tim Whitman on August 30, 2010 3:11 PM
Intel-McAfee M&A: The Big Picture
We have just witnessed the largest security acquisition in history, as Intel has approved the purchase of McAfee for $7.68 billion. To provide some perspective, according to Updata Advisors, the IT security sector has drawn $25 billion in acquisitions since 2004. At first glance, it may not make sense for a hardware company to purchase a software company. Why McAfee? Why now?
Security threats and vulnerabilities are constantly evolving, which makes it difficult for vendors to accurately predict where they should allocate resources in research and development. In fact, the trend over the past decade has been for many major players to ignore developing niche solutions, preferring to allow entrepreneurs and start-ups to battle over these spaces.
Eventually, emerging threats become mainstream and customers turn to the major vendors for solutions. However, because these vendors often chose to forgo R&D into a solution, they must instead purchase it from another company via M&A.
Even in a down economy, we have seen how successful security companies remain. Cyber criminals are more active and increasingly sophisticated than ever before. Over the past two years, web-based attacks increased dramatically. As a result, companies have been forced to put resources into acquiring web-based security, such as Cisco’s acquisition of ScanSafe in 2009.
Today, the Intel-McAfee deal is about the future of computing, primarily cloud computing and virtualization. In this future, security will be embedded directly onto the hardware, possibly even the CPU, in order to realize the benefits of virtualization and cloud computing. When you combine multi-core chips with powerful virtualization and security software, security systems can actually run under the operating system.
As technology evolves, organizations looking to solve cloud computing and virtualization security problems will turn to major vendors. Judging from the Intel-McAfee deal, these vendors will attempt to solve these problems through M&A first and perhaps R&D second. With cloud computing and virtualization becoming ubiquitous, the trend is sure to continue. Who do you think is the next company to get acquired? Which companies need to step up to compete with Intel? Share your thoughts…
Tags: cloud computing, M&A, security vendors, virtualization
By Clinton Karr on August 20, 2010 1:58 PM
The Internet Kill Switch Debate: Where Do You Stand?
Cybersecurity and cyber threats are part of our daily lives. Everyone has received some sort of malicious message or has (almost) clicked on a malicious site. Botnets are attacking banks and large corporations. Social engineering techniques are effectively stealing sensitive corporate information from employees who think they are doing the right thing. It’s everywhere.
Most recently, vulnerabilities surrounding SCADA programs have played an increasing role in recognizing the potential dangers of utilizing the Internet for so many daily activities. Just think of Live Free or Die Hard…the fire sale attack. With so many things running on or controlled by the Internet, it’s no surprise people seem to lose sleep at night when they think of the panic that could be caused by someone taking advantage of core systems controlled over the Internet.
To address a national cybersecurity emergency, the Protecting Cyberspace as a National Asset Act (PCNAA) was proposed. This Act would give the President authority over the Internet, essentially deciding which private-sector and government networks should be shut down in the event of a cyber attack. A recent amendment to the PCNAA states that the President cannot shut down a sector or network indefinitely, but rather can control it for 120 days, after which Congressional approval is needed.
For some, this seems like a good idea in the making. For others, this could not be a worse idea.
The Good
Believe it or not, the President already has the authority to take over communications networks as needed, stated in the Communications Act, Section 706 (the Communications Act of 1934 was amended with the Telecommunications Act of 1996). Section 706, dubbed “War Emergency—Powers of the President,” enables the President to close any facility or station for wire communication and authorize the use of the facility or station by the federal government when presented with the threat of war. This can continue for up to six months after the threat expires, without Congressional approval.
With this existing authority in mind, Senator Joe Lieberman of Connecticut explained that his proposed PCNAA bill would enable the President to respond efficiently to the threat of a cyber attack in the 21st century with a precise defense. Additionally, according to a description of the PCNAA on Joe Lieberman’s website, the PCNAA would prevent the President from over-using the “broad authority” he has over communications networks in the current law.
The Bad
The initial proposal of this bill led many to believe it would enable the President to serve as some sort of “Internet overlord,” an idea that continues to cause discomfort and breed worry in the minds of many. As a post by Adam Cohen in TIME magazine points out:
“Imagine a President misusing this particular power: If the people are rising up against an unpopular Administration, the President could cool things down by shutting off a large swath of the Internet. He could target certain geographical regions (‘We’ve heard enough from New York and California for a while’). Or he could single out particular websites.”
But the biggest problem seems to be that no one really understands what the PCNAA would allow the President, and therefore the government, to do. As Cohen states, the Internet plays such an important role in our daily lives – be it expressing freedom of speech or running a power grid – that control over it is a power that shouldn’t be handed over lightly.
The Poll
The Schwartz Security Practice recently conducted an informal poll of our security clients to gather their thoughts on the Internet kill switch debate. Not surprisingly, the majority of comments we received came down strongly against the existence of an Internet kill switch. Here are just a few thoughts:
Tom Kellermann, vice president of security awareness, Core Security Technologies, explained that “ISPs only currently voluntarily cooperate with shutting down malicious IP addresses and their C2s. There needs to be executive authority to thwart these technological attacks against the U.S. This is not a question of whether we should empower the government to turn off the internet, but instead, can the government civilize a hostile cyberspace?”
Paul Kocher, president and chief scientist, Cryptography Research, explained that an Internet kill switch is not workable on either a technical or a political level. He explained that the equipment that drives the Internet is designed to be reliable, so creating a large-scale shut-down mechanism creates a host of problems. Some questions he posed include:
- How would the shut-down messages be broadcast (e.g., presumably “killed” equipment would no longer be forwarding these messages)? How would you test whether it worked? What would you do about existing equipment that doesn’t implement the kill switch?
- How would you inform users about what’s happening? There isn’t any uniformly-supported method by which an ISP (or anyone else) can communicate with any network-connected device or end user. There isn’t a single language spoken by all users, and many embedded devices don’t even have a “user” in the normal sense of the word. Even if you created such a protocol, it’s not clear how you’d prevent the protocol from becoming abused or clogged with spam and advertisements.
- Focusing specifically on the political side, who would control the switch and make decisions about when to use it? I’d recommend the following experiment to anybody in government considering a kill switch mandate: Get 10 large government agencies together and let them pick one agency that will control the “kill switch” for the other nine. They’ll never agree.
Anup Ghosh, founder & chief scientist, Invincea, explained that cooperation in the wild between organized communities is much more prevalent than previously thought. “These communities and major telcos monitor botnets and DDoS attacks so that when a DDoS attack occurs, the telcos cooperate fully to push back on the ISP, registrar or Autonomous System (AS) that is providing service to the offending DDoS hosts. In many cases, they will now support botnet sinkhole efforts to completely take down botnets. In other words, the private sector, along with organizations that monitor these things, is actually working together now to address these issues. So in reality, the potential for abuse probably outweighs any perceived risk of private entities not cooperating.” This echoes thoughts Cohen shared in his TIME magazine post.
Scott Cosby, vice president of products and operations, Invincea, stated “cutting off the internet would have a devastating effect on our country’s ability to function for government, industry and individuals. It strikes me that a more effective approach would be to prepare key defense organizations to function ‘off the grid,’ essentially backup and contingency planning to handle responses to a cyber attack. Flipping that type of switch would do more harm than a targeted attack.”
So where do you stand? Leave your comments below.
Tags: botnets, cyber threat, cybersecurity, Internet kill switch, PCNAA, Protecting Cyberspace as a National Asset Act, SCADA programs, social engineering
By Kristin Forte Allaben on August 18, 2010 11:58 AM
August Wednesday Wrap-Up: Patch Tuesday in a Nutshell
It’s that time of the month again, and Microsoft really came out with a bang, releasing a record-breaking number of patches: tying June for the number of vulnerabilities targeted and tying October 2009 for the number of critical bulletins.
In the August 2010 Patch Tuesday release, Microsoft issued 14 bulletins targeting 34 vulnerabilities. Here’s a quick overview of the bulletins:
- Eight bulletins are labeled “Critical”
- Six bulletins are labeled “Important”
- 10 bulletins involve remote code execution
- 18 vulnerabilities have an exploitability index of 1.
And now a summary of the August Patches:
- Since the sheer volume of updates and vulnerabilities can be overwhelming, Schwartz client Qualys separated the updates into three groups, identified by what the vulnerabilities target: end-users and Internet browsing, file formats, and the Windows OS.
- Of the six vulnerabilities targeting end-users and Internet browsing, all are ranked as critical, and four have an exploitability index of 1.
- Silverlight and other media file formats are a key target for hackers due to the increasing use of video, emphasizing the importance of these updates. In a Computerworld article, Silverlight was said to be installed on approximately 60 percent of PCs, whether users are aware of the installation or not.
- Accompanying the release of the August patches was an advisory that warns of a problem that could elevate user privileges on a PC. The problem affects Windows XP, Vista, Windows 7, Server 2003 and 2008, and impacts the Windows Service Isolation feature.
Reminder!
August is the first cycle of patches to come out after the end of XP SP2 support. It’s important to note that XP SP2 users are still exposed to these vulnerabilities, but now they will be unable to update their systems with the latest round of patches.
Activity Beyond the Patches
The last four weeks have been busy with improvements to the state of vulnerability disclosure within the industry, a topic that has been top of mind in the last few Wednesday Wrap-Up posts. Although many vendors have not agreed to a bug bounty program, the new programs now in place will push vendors to fix a bug sooner rather than later.
TippingPoint’s Zero Day Initiative is a great step forward for vulnerability disclosure, as it gives a firm deadline by which vulnerabilities will need to be fixed. According to an article by Elinor Mills, TippingPoint will give vendors six months to fix a vulnerability. If it is not fixed in that timeframe, TippingPoint will release limited details on the vulnerability. Worth noting is that extensions can be granted, but they will be decided on a case-by-case basis.
Is this a trend?
What’s most interesting is that it appears Microsoft is falling into a light-month, heavy-month trend, releasing a few bulletins one month, then a record number of bulletins—targeting double-digit vulnerabilities—the next. There also seems to be potential for an increasing number of out-of-band patches as more vulnerabilities are identified.
It will be interesting to see if this trend continues, especially with the Coordinated Vulnerability Disclosure (CVD) program and Zero Day Initiative in place.
What do you think we can anticipate from Microsoft over the next four weeks?
Tags: Coordinated Vulnerability Disclosure, CVD, exploitability index, Microsoft vulnerabilities, Patch Tuesday, Qualys, record Patch Tuesday, vulnerability disclosures, Zero Day Initiative
By Kristin Forte Allaben on August 11, 2010 9:18 AM
Black Hat 2010 Sessions - Day 2 Recap
Yesterday was the second and final day of Black Hat sessions, and quite a few of the key topics were ones we’ve seen before.
Government
As the government continues to work toward implementing cloud solutions, there is continued discussion of cloud security, as well as cyber-warfare. We saw this in full force at RSA 2010, which we discussed in a previous post.
In his Black Hat keynote yesterday, former National Security Agency Director, retired Gen. Michael Hayden, addressed the need to define cyber-warfare, since the term is loosely applied to anything relating to crime on the Internet. He explained that the military has traditionally operated in four domains: ground, air, water and space. Now there is a fifth domain: the Internet, the first man-made location for warfare. A clear definition of cyber-warfare will prove advantageous because it will enable the country to better understand what a cyberattack is and, therefore, how to properly respond.
SSL
One of the biggest talking points from the Day 2 sessions revolved around weaknesses associated with SSL, which were highlighted in a number of sessions yesterday. In one session, two researchers demonstrated the ability for attackers to take over a user’s account or take control of a website because of the way browsers implement HTTPS. Additionally, attackers are able to sniff around the edges of the encrypted information, picking up on clues that help them figure out what their targets are doing.
The session essentially highlighted that HTTPS alone will not stop bad things from happening, because of the “breadcrumbs” left behind by secure browsing sessions that skilled attackers can easily follow.
Wallpaper
I remember the first time I wanted to change the wallpaper on my computer and my computer teacher (yeah, that’s true) was furious. I found myself, 30 minutes later, with a very basic understanding of the dangers of malicious downloadable content. Although it seems to be more common sense nowadays, downloading images and other content can still be a threat to users who believe they are using a secure application.
Take the mobile Android situation. A wallpaper application is said to be sending personal information from millions of Android users to a “mysterious Chinese website.” The finding was reported at Black Hat this week as part of the App Genome Project, a real-time database designed to keep mobile users safe by identifying security threats and providing insight into how applications tap into personal data.
There was also more discussion of bug bounty programs, malware-infected SEO terms and ATM vulnerabilities.
As a result of the sessions at Black Hat, we’re likely to see continued discussion regarding the importance of (and need for) a definition of cyber-warfare and, as expected, continued advancements in cloud security as more industries turn to the cloud.
Tags: App Genome Project, ATM vulnerabilities, Black Hat, cloud security, cyber-warfare, cyberattack, cyberwar, malware, SEO, SSL
By Kristin Forte Allaben on July 30, 2010 9:48 AM
Black Hat 2010 Sessions - Day 2
The first day of sessions is complete, and hackers and security professionals are preparing for the Day 2 sessions. But before we get into what to expect, let’s recap some of the high points from yesterday.
Barnaby Jack’s ATM vulnerability discussion was, as we expected, one of the main highlights from yesterday. His discussion explored some interesting ATM attacks, labeled as dangerous because they affect multiple types of ATMs. Over the course of his presentation, he addressed two types of ATM attacks, one physical and one remote, the latter considered more dangerous because attackers can silently gather account information from anyone who uses the ATM.
The remote attack, which he named “Dillinger,” exploits a vulnerability that exists within the remote monitoring authentication process. Unfortunately, most ATMs made by a certain manufacturer have this authentication process turned on by default. A rootkit can easily be installed once the vulnerability is exploited. For the purpose of his demonstration, Jack installed a rootkit named “Scrooge” enabling the machine to spit out cash.
Additional highlights from yesterday’s speaking sessions include discussion of payment for researchers who identify vulnerabilities. This is a big discussion point for researchers following Tavis Ormandy’s public disclosure of the Microsoft vulnerability not too long ago.
As with every argument, there are two sides to the story. Microsoft and Cisco addressed the situation yesterday, stating that “bug bounty programs” are not the best strategy for improving Internet security. Other panelists, however, explained that they thought it was a nice way for a researcher to be rewarded for identifying a vulnerability. Quite frequently, a researcher is offered little more than a “thank you.”
To try to get everyone on the same page, Microsoft created a “coordinated vulnerability disclosure” policy with the goal of aligning the motives of researchers and vendors. Microsoft also announced that its Microsoft Active Protections Program (MAPP) will include vulnerability information sharing from Adobe Systems Inc. to help better protect customers by alerting them to vulnerabilities before Microsoft releases its monthly patches.
Additional highlights from Day 1 sessions include:
- The security of access points within the enterprise was called into question, particularly those still configured for WEP instead of the more secure WPA.
- The Department of Homeland Security is prioritizing cybersecurity initiatives, although defining the scope and goals of these initiatives is proving to be more challenging and time consuming than expected.
- Malware is increasingly customized to defeat the layers of security in place, and SEO is increasingly used to push out malware.
- Cell phones can indeed be hacked, especially those that use GSM (Global System for Mobile Communications), the global standard for cell phone radios that was previously thought to be a “walled garden.”
With so much of the show’s anticipation met within the first day of speaking sessions, what can we expect for Day 2? It is likely we’ll see continued discussion around vulnerability disclosure and Microsoft’s response to bug bounty programs; partnerships and other collaborations to ensure a common goal can be met when it comes to disclosing and fixing a vulnerability; and mobile device security and its impact on the enterprise network.
Check back in tomorrow for a recap of Day 2 sessions.
Tags: Adobe, ATM vulnerabilities, Barnaby Jack, Black Hat, enterprise security, malware, MAPP, Microsoft, SEO, WEP, WPA
By Kristin Forte Allaben on July 29, 2010 12:05 PM
Black Hat 2010 Sessions - Day 1
Today is the first day of the 2010 Black Hat Conference speaking sessions. Alongside the line-up of anticipated talks on wireless security (specifically WPA2), mobile device security and ATM vulnerabilities, there is a slew of additional sessions that are bound to make some noise.
One of the noise makers is likely to be the session exploring how to intercept cell phone calls. Some interesting rumors of lawsuits caused eyes and ears to turn toward AT&T, but the company cleared the air, saying it will not interfere with the demonstration.
Although often passed over in favor of stealing credit card information, counterfeit checks are not a thing of the past. You may find yourself having flashbacks to the movie “Catch Me If You Can,” but a discussion of how Russian hackers obtained images of checks from a number of retailers and other businesses is a high-tech version of the old story. A quick summary: Russian hackers found a way to use technology to make this low-tech crime even more dangerous. They have not yet been caught.
There will also be exploration of weaknesses in SSL, which websites use to protect data. One session on this topic will explore how to attack storage mechanisms to tamper with an SSL session. Another SSL presentation will focus on the results of a study that analyzed SSL use to document configuration errors, which weakened thousands of websites.
There will also be discussion of web application security, particularly as it applies to third-party code, which includes such items as widgets, applications and advertising modules, all of which are very popular on web applications. These components are meant to provide additional functionality for the user, but their security implications across a variety of industries—including healthcare and finance—could result in infected users.
SEO has been a topic of growing importance for many companies over the past few years. With this in mind, it only makes sense that hackers want to jump on the bandwagon and use SEO to push out malware. Looking ahead to DefCon, researchers will show just how important SEO has become to the “malware pushers.”
Check back in tomorrow for a recap of the Day 1 sessions and what we can expect for Day 2.
Tags: ATM vulnerabilities, Black Hat, counterfeit checks, DefCon, malware, mobile security, SEO, weaknesses of SSL, web application security, WPA2
By Kristin Forte Allaben on July 28, 2010 9:09 AM
Black Hat - Preparing for the Sessions
This year's Black Hat conference is considered to be the most popular to date, and tomorrow marks the first of two days of speaking sessions.
For those of you who participated in the Black Hat Challenge, you are aware that there are many sessions to choose from, and little time to see them all.
One of the most anticipated sessions is the Barnaby Jack ATM scams, which was mentioned in yesterday’s post.
But beyond ATM scams, there is a trend we’re seeing in the sessions: mobile security. As I mentioned yesterday, IDC forecasted that the number of mobile workers will exceed one billion by the end of 2010. From a corporate perspective, the enterprise network can be exposed to a number of vulnerabilities stemming from the use of mobile devices. From a consumer perspective, people can fall victim to various malware triggered by bugs in the device. For example, one of the anticipated Black Hat sessions will illustrate to attendees that the A5/1 encryption algorithm used by carriers such as T-Mobile and AT&T is weak and can be easily broken, something spies and security geeks alike have known for some time.
Jeff Moss, founder of Black Hat, explained that for many people, seeing is believing; unless people can literally see what’s possible when it comes to security threats and attacks, they won’t believe it. This specifically applies to corporate decision makers, as they need to [visually] understand what is technically possible before they can make informed decisions regarding security.
But what it comes down to is this: no one can predict what the big news will be from Black Hat since there is always a wildcard, as Bob McMillan notes. With so many sessions in the queue and such an array of personalities in the same space, you can never quite tell what the news will be.
Tags: ATM scams, Barnaby Jack, Black Hat, encryption algorithm, mobile security, mobile workforce, security attack, security threat
By Kristin Forte Allaben on July 27, 2010 11:06 AM
Black Hat 2010 - Anticipation Mounts
As speakers and hackers gather in Vegas for the 2010 Black Hat conference, there are many topics on people’s minds.
In many of the pre-show articles, there has been talk about cloud security, a topic that seems to resonate throughout security conferences this year (see our previous post on RSA 2010). There is also discussion of wireless security, particularly as it pertains to mobile devices. This is most definitely an area of increasing importance, as IDC forecasted that the mobile workforce would exceed one billion by the end of 2010, potentially bringing to light new security implications for enterprise networks.
Most prominent over the last few days has been discussion of the vulnerability within WPA2, currently the strongest form of WiFi encryption and authentication. The vulnerability, identified as “Hole 196,” lends itself to man-in-the-middle attacks.
We can also expect to hear about:
- login security issues with Twitter and Digg and timing attacks,
- DNS rebinding that uses “Jedi-mind tricks” to enable JavaScript-based malware to penetrate private home networks,
- VPN security and management issues regarding out-of-date software and configuration issues, and
- thoughts regarding a rewards system for researchers from Microsoft’s Security Response Center (MSRC).
It appears, however, that the most highly anticipated session surrounds Barnaby Jack’s research into ATM vulnerabilities. As some may recall, this talk was canceled last year due to pressure from ATM vendors. Similarly, this year, a session entitled “The Chinese Cyber Army: An Archaeological Study from 2001 to 2010” was canceled due to outside pressures.
On a fun note, Black Hat attendees will also be participating in the Pwnie Awards, which recognize extreme excellence and incompetence in the field of information security. Some categories include Best-Server-Side Bug, Best Client-Side Bug, Most Overhyped Bug and Lamest Vendor Response.
For those of you preparing to head out to Vegas later this week for the array of speaking sessions, take the Black Hat Challenge. What one session would you attend?
Tags: ATM vulnerabilities, Barnaby Jack, Black Hat USA 2010, cloud security, DNS rebinding, hackers, Hole 196, Microsoft Security Response Center, mobile workforce, VPN security
By Kristin Forte Allaben on July 26, 2010 9:49 AM
Security B-Sides: The Next Power In Security Conferences?
At some point during Black Hat USA this year, you will inevitably run across an industry colleague, peer, friend or foe and ask them what they've been up to during the week and why you haven't seen them. One answer that you may hear is, "Oh, I was over at B-Sides."
For those of you who are not familiar with "B-Sides", you soon will be. Security B-Sides, as defined by the founders, "is a series of community-driven events built for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening."
Competition is born out of necessity
In its second year, and now known as Security B-Sides Las Vegas or BSidesLasVegas, B-Sides was born out of a number of rejections from the Call For Papers (CFP) for Black Hat USA 2009. As described on the B-Sides Community Wiki, "A number of quality speakers were rejected, not due to lack of quality, but lack of space and time. Any constrained system must operate within the bounds to which it has defined itself. Conferences constrain themselves to the eight hours a day for however many days they run. Our goal is to provide people with options by removing those barriers and providing more options for speakers, topics, and events."
Security B-Sides points out (scroll down to "What B-Sides Is Not!") that they do not compete with any other event and that, "The goal has and always will be to expand the spectrum of conversation and enable a greater variety of events. Certainly one can take the business perspective and say that any and every security conference competes with each other, but this would ignore the fact that these events are FREE and simply offer people another alternative to everything else."
Make no mistake about it: free or otherwise, Security B-Sides does in fact compete with the conferences it runs alongside. The events may not currently be competing for dollars and cents, but they are most certainly competing for the time and mind-share of attendees, security pros and industry influencers alike, including members of the media.
And while B-Sides was initially based on sessions rejected by Black Hat, one wonders if the time will come (if it has not already) when speakers actually prefer to present at the B-Sides events rather than at the larger, more established conferences taking place concurrently.
A bright future ahead for B-Sides
There is no question that, as the fledgling player, B-Sides is doing the right thing by downplaying the competitive aspect and snuggling up to its competition. However, just take a look at the infrastructure B-Sides is building and tell me they aren't poised to become a true competitor to some of these events. More and more, this looks like a brilliant model the B-Siders have built: go where the industry will already be, and provide a different, unique and, dare I say, better product. The latter remains to be seen over time, but in the meantime, B-Sides appears to be here to stay, and they are slowly stealing some of the spotlight from Black Hat and the other conferences they run alongside.
In 1997, Jeff Moss put in motion a vision for Black Hat when he staged the very first Black Hat Briefings. Take a look at what the very first schedule looked like here. There is no question that Black Hat has come a long way, adding Black Hat DC, Black Hat Europe, and the now defunct Black Hat Asia (2000-2008) and Black Hat Windows (2001-2004) events. In its fourteenth year, the line-up of speakers and the schedule of the Black Hat USA 2010 Briefings are drastically different from those of its inaugural event.
Will B-Sides become the next power in security conferences and be spoken about along the same lines as Black Hat, RSA or others? Time will tell. In 2009, Security B-Sides embarked upon its journey with their very first event (now known as BSidesLasVegas01). Check back with me in 2022 at BSidesLasVegas14 to see how far along they have come.
In the spirit of our destination next week, I'd wager that we will see great things to come from B-Sides this year and in the future. One thing is sure, the security industry is going to have one heck of a time in the desert next week. Las Vegas, here we come! Share your thoughts and experiences on the B-Sides events and help take this conversation to the next level by adding your comments.
Tags: B-Sides, Black Hat USA, Black Hat USA 2010, BSidesLasVegas, Security B-Sides, security conference
By Tim Whitman on July 23, 2010 9:06 AM