It was an overcast day, the train was virtually empty, people on their phones, chatting and going about their business. Looking around, I started to think about all things security.
On the wall, there was a poster that said that you could have in-train Wi-Fi access. People generally trust them; how easy would it be to pretend to be that access point and get lots of people to connect?
Shoulder surf someone that's on WhatsApp? They're too busy talking with each other to really think about what information they're giving out.
It makes you think...
Why was I thinking this?
I was going to a security conference/meetup. It was the first one that I knew of that was being held in Cardiff. The people responsible were BSides Cymru.
Security BSides (commonly referred to as BSides) is a series of loosely affiliated information security conferences.
This was the first one that they've held in Wales. So I was lucky enough to grab a ticket.
It was a day filled with numerous talks, Technical Villages and Sponsors.
I couldn't be there all day so I ended up arriving at midday. So my focus was on making sure that I saw the sponsors and the technical villages as I tend to learn by doing. That, and I wanted to people watch.
Talking about people, it was nice to see some people from diverse backgrounds and there were a lot more women present than I expected. (Only due to my experience in working in IT/Tech). It was nice.
So after wandering around the various halls and tracks and looking a little lost (I would fail at Social Engineering - "You lost Mate?...Er...no"), I found myself talking to the sponsors. I felt that my place was a weird one, almost an outlier. I wasn't a student and I wasn't fully in the world of Information Security. I'm just an experienced QA who has the skills to communicate with all levels, has experience testing APIs and Web Apps, some mobile experience and has recently got interested in Application/Web Security and Penetration Testing. It might not be true, I just had that spidey sense feeling.
What I really appreciated was the Mr Robot Capture the Flag. Looking at the times that were on the leaderboard, it made me feel stupid - but not in a bad way. It was a good self-awareness exercise in that I knew that I have a long way to go in terms of knowledge. However, as I said to one of the people that ran the stall, I feel like I'm in the good period of learning. Everything is new, shiny and I get a good satisfaction when I get a new concept.
I let them know that I had no chance, but they kindly gave me a five-minute introduction to Metasploit and Kali. It was appreciated and I learnt a lot.
After completely missing the Lock picking village when I first got into the event, I found it and got a crash course in lock picking. Tried to get the feel of the 1 pin and I got it. Managed to unlock. 2 pin, I just couldn't get the feel of the second pin to find the sticky point. I guess more practice is needed.
I also stopped by the Car Hacking Village and despite most of the terminology being over my head, I did appreciate the knowledge and what you can do with cars if the owner is not careful. A lot of information is held within the Infotainment systems.
Networking - I didn't network as much as I wanted to, but it is hard at an event like that, especially when I'm trying to ensure that I take everything in. However, I did meet mRr3boot (@UK_Daniel_Card) and Security Nihilist (@a8n_pub). So, for me that is a win. Next time I go to an event, I can network with more people. It's a gradual process.
So, I enjoyed the event, loved the swag that we got, the food was excellent and the weather, despite being rainy, held out enough to be decent.
I hope that as it gets bigger, that they do the following:
- Have more sponsors to visit
- Continue with the tracks and if you missed them, put them on YouTube (which they have)
- The biggest change/introduction that I would love to see for someone like me is to have interactive workshops (like the lock picking) on various topics.
  - New to OSINT, here's a workshop where you can use tools and methods to find information
  - New to CTF, here's a CTF of different levels (I realise that there are tons on the net)
  - Interested in Mobile Hacking - Here's how to reverse engineer a mobile phone and the information to look out for.
You get the idea, I think that it would be very popular.
Anyway, I've rambled on long enough. Let me know what you think and I look forward to attending next year's event.