The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, Retail, Financial Services, Healthcare, Higher Education, Payments, and Government.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts.

My DEFCON social engineering talk and DerbyCon

September 11, 2012, Noah Beddome, Associate Assessor, Coalfire Labs

This year has been a year of firsts for me and for Coalfire. I was recently hired to my first information security job as a penetration tester for Coalfire Labs, the forensic and app/network testing side of Coalfire. Many of the Coalfire Labs team attended DEFCON in Las Vegas in early August. Not only was it my first visit to DEFCON as an attendee, but this was also my first time speaking at a conference. Because it seems to be a year of firsts, we at Coalfire Labs thought it would be a good idea to share a first-time speaker's experience and an attendee's views on this year's DEFCON.

At first impression, DEFCON is intense, and it only becomes more so as you experience what it has to offer. The days are full of everything from talks on privacy rights to highly technical talks on the latest exploits, while evenings are packed with vendor and networking events. While there are myriad topics to discuss, I wanted to bring a few sessions to your attention. Below I have listed the three talks I felt were most worthy of highlighting and most beneficial to review (linking to videos or slide decks, if available).

  • Owning One to Rule Them All - Dave Kennedy and Dave DeSimone
    This talk was great because it demonstrated a real integration between network administration knowledge and mastery of Metasploit. Dave leveraged Metasploit and PXE boot to compromise a massive number of systems simultaneously.

  • Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2 - Moxie Marlinspike
    This talk made the list because it highlighted a flawed protocol that is still widely in use. In the talk, Moxie explained how it is possible to crack any PPTP password if you are able to capture a handshake.

  • An Inside Look Into Defense Industrial Base (DIB) Technical Security Controls (PDF) - James Kirk
    In this talk, James discusses the lack of a strong certification process for defense contractors, as well as an outright lack of sufficient Linux security controls being enforced for these contractors. This talk could have been titled "Why we need FISMA and FedRAMP."

Thoughts on Social Engineering

In addition to the main track of DEFCON speakers, there were a lot of great talks at Skytalks (the smaller, unrecorded venue). I had the opportunity to give a Skytalks talk on social engineering, in which I discussed:

  1. The idea that the manner in which many social engineers currently approach social engineering perpetuates a poor mentality. The recent focus among many subsets of the community is that social engineering is just telling a good lie or making a good counterfeit. The reason this sucks is that it relies on the victim consciously and critically interpreting external stimuli. The goal needs to be to cause an internal reaction in line with the nature of the target.

  2. I touched on several concepts that could help make social engineering attempts more effective. One of these concepts was "the RIP", Reactionary Identity Preservation. This is when someone reacts to the compromise of their externally perceived identity. This is exploitable because the basis of human drives (excluding self-preservation) is closely tied to the exploration, definition, and preservation of our perceived identity. Simply put, we are what people think we are, and we don't like it when that is threatened. We can use this to elicit predictable reactions to specific stimuli in an interaction.

A Takeaway for First Time Speakers
For other first-time speakers (or seasoned speakers), the single most important piece of advice I can give based on this experience is to rehearse and revise as much as possible. I spent several weeks writing, rehearsing and revising my presentation, and it was the level of comfort my many hours of practice gave me that allowed me to present comfortably and field questions.

Aside from the talks and events, the thing that is really memorable for me as a first-time attendee of DEFCON was the atmosphere. DEFCON lacks the corporate restrictions of Black Hat, replacing them with a feeling of open collaboration and community that goes beyond industry and into shared passion for a field. The hallways were littered with groups huddling around power outlets trying to hack this year's badges, while heated discussions about a variety of security topics were taking place in nearly every room. Overall it's a great experience that I don't think you can really get at any of the other cons, and I would highly suggest attending.

See you at DerbyCon?
As a result of the Skytalks experience, I have been invited to give a similar session at DerbyCon this September 2012 in Louisville, Ky. While it's not Vegas, I'm looking forward to speaking with and learning from other security practitioners. If you're going to DerbyCon, consider attending my session, or reach out via the comments section below to meet up.
