Be a cybersecurity Kevin Bacon - *Image created with the help of ChatGPT*

How to become a Cybersecurity Kevin Bacon

February 21, 2024

The Six Degrees of Kevin Bacon proposes that anyone in the Hollywood film industry is linked to Kevin Bacon within six steps. I’ve somehow had the title applied to me by a few different people. A large part of that is the networking I’ve done in the industry. I’ve hung out and talked to a lot of people. I don’t know everyone in the industry but I have meet people for the first time and we’ve known similar people. In this post I want to cover the networking that may have put me in the same breadth as Mr. Bacon.

Attend Conferences

My very first conference when I got into security was BSides Charleston in 2013. I went down with a buddy to the conference and meet a few people. One of those people that stood out was Evan Davison who goes by the hacker name Pentestfail. He gave a great talk on defense in-depth (this is the same talk at a ISSA local chapter). Evan and I would cross paths multiple times over the next 10 years. We would volunteer and get to know each other at BSides Augusta and the Social Engineering Village at DEF CON.

It’s not just about attending conferences it’s about getting involved and interacting with people. That could be meeting and talking to people, participating in capture the flag competitions, volunteering, or speaking. If you’re nervous about meeting people volunteering is a great way to meet and interact with people.

At one point I was going to 8-10 conferences a year. Most conferences were one day events within a a five hour driving distance so it was only a day or two. Still that’s a lot and it’s not something I’d necessarily recommend as I did get burned out and decided to tone back the conference attendance to three in 2019. There was also the cost. My company did always cover travel. I got maybe one a year. The rest was on my dime but I will say it was worth it for the connections I was able to build within the community.

Going to events allows for shared learning and job opportunities. I’ve learned a lot from just talking to people in the hallway at conferences. It’s a safe space for sharing interesting stories that you wouldn’t hear otherwise. If you’re the type that has a hard time starting a conversation, ask questions. People love talking about themselves and sharing their insights into the industry. I’ve had entire conversations with people who never asked a question or knew my name but I knew a ton about them and got some really great security stories.

Volunteer at events

When I first started attending conferences I would volunteer. This forced me to meet people and as a bonus got me a free ticket into the conference. To get away from registration or door duty I started asking organizers if I could bring my camera and shoot pictures for them at the conference. This was great because I got to be more mobile and allowed me to meet and talk to a variety of people at the conference.

This also opened the door for invitations to work other conferences where my travel expenses were covered. If you have an interest see if it fits into helping out with a conference. I know several people volunteer just to do video for a conference. I’ve also seen people contribute by providing a quilt that was auctioned off. Find something you feel can contribute to the conference. Working the registration desk is also fine.

Volunteering helped me get a really great job in Nashville, TN. I had been traveling to BSides Nashville since it’s inception. There was an opening at a company one of the organizers was working at. I didn’t know that organizer really well but when they were asked about me for the position they responded that I showed up and did my job. Not necessarily a glowing endorsement but it helps and you never know who you’re going to interact with while volunteering.

Attend Local User Groups

Local user groups are great if you’re looking to network within your own city. If there’s not one I’d recommend starting one up. It’s definitely a lot of work but very rewarding. When people ask me my greatest accomplishment I often will tell them it’s starting a local user group in Columbia, South Carolina, that has 20-25 regular attendees. That’s massive for a local user group by the way. If you need guidance on starting a local user group there’s a couple podcasts for that.

How to Start a Successful CitySec Meetup - Part 1

How to Start a Successful CitySec Meetup - Part 2

Starting the local user group allowed me to meet a lot of people in town. You never know if you’ll meet your future employer or someone that starts their own company. I had both those experiences starting a user group. The first was switching to a different state department after meeting the South Carolina state CISO at a meetup and going to lunch with him.

The other is meeting Andrew Morris who is the founder of GreyNoise a company that’s starting to make waves in the cybersecurity community. I met him at a conference called Trends in 2015 where he told me about his idea for the company. I’ve had him on the podcast a couple of times to talk about being a pentester.

Start a blog or podcast

Speaking of podcasts, most people don’t know that I had a podcast prior to my security podcasts. I ran The Crawfish Boxes (TCB) podcast for the Houston Astros fan site on SB Nation. I gained some notoriety with the Houston Astros organization due to that podcast and blogging I did for TCB. It’s amazing how more accessible people become when you offer to interview them. I have a big leaguer or two in my cell phone and at one point had two baseball General Manager’s following me on Twitter.

I took the lessons and experience from covering baseball and brought it into the infosec community and it has really helped my career. I’ve gotten to meet and talk to a lot of great people in the field on my podcast. I’ve had a lot of success just reaching out and asking people if they’d be interested in talking about a topic they’re presenting on or have blogged about. There are people who never responded or responded and then stopped responding but more often than not I can get an interview set up with them.

One of the hardest things getting started is imposter syndrome, “Why would people want to listen or read me?” “Someone else is already doing what I would want to do.” I had those same thoughts but went ahead because I have my own unique perspective to offer. It’s still nerve-racking but the longer I did it the more I realized I have something to offer to the community. I love having a conversation with people and learning more about what they know. Which made podcasting a great fit.

Blogging, on the other hand, is the one I’ve struggled with. I was never good in English class and if I had concerns about podcasting and what people thought my writing is on a much higher level of imposter syndrome. But blogging isn’t about perfect English, it’s about sharing a unique viewpoint. English and grammar help but it’s more about the idea and finding my voice. Plus, the more I do it my writing is bound to improve, right? Right? AI is something I’m leveraging as an assistant. It’s not always great but it can help.

Summary

To be a Kevin Bacon you gotta get out there. Attend conferences and local user groups. You’ll get to meet a lot of really great people. If you struggle with talking to people volunteer. It can force you to meet people and show your willingness to contribute to the community. Start a blog or podcast or vlog. Putting yourself out there can help you grow as a professional and open up doors. If blogging or podcast aren’t your thing that’s okay. Identify what you’re interested in and see how that can fit into the community. There’s a lot of ways to contribute. Contributing to an open source project or participating in a capture the flag event can do similar things for your career. Find ways to get involved.

MISSECON thoughts and impressions

November 18, 2023

Prior to the pandemic misecCON (the conference formerly known as Converge/BSides Detroit) was the last conference in my schedule for the year. Post pandemic I’m happy to see it back because it’s such a great conference. The conference was moved out of Detroit to Lansing, Michigan. I really like the location. It has that DerbyCon type of feel with the hotel as it’s central location. There’s plenty of food and after conference options for people to explore and experience. This version was only one day so time exploring was limited but what I did get to explore was great.

The conference had over 170 people show up so it wasn’t overwhelming but plenty of good conversations with attendees and great presentations to attend. I also really enjoyed the capture the flag (CTF) and even hopped in with a team for a short period of time. The venue was in the Double Tree Hotel Lansing and I was very pleased with the accommodations and rooms at the hotel. For lunch I went to Weston’s Kewpee Sandwich Shop and had a burger that had been sold for the last 90 years. A burger that’s been sold for 90 years is quite delicious. I like to get away from the conference and have lunch with friends as a break from the conference. For the record, the conference provided lunch also looked delicious. Not all conference provide a solid lunch so that’s a huge plus for this conference.

The after party was also great. It was at a place called the Lansing Shuffle which used to be an old farmers’ market on the river. We had a small section of the vibrant scene which included music and plenty of food options. The food provided was very good and the open bar had lots of options.

The rebirth of the conference is encouraging. The location is fantastic and has opportunity for growth into a bigger space which I think it will. I’ve heard there are bigger plans for next year with additions like workshops and other activities. I can’t wait to come back again in 2024.

This blog post first appear on Exploring Information Security

Reflections on InfoSec Nashville 2023 and BSides Augusta

October 18, 2023

Recently I attended InfoSec Nashville and BSides Augusta.

InfoSec Nashville 2023

Despite calling Nashville home since 2016, I only recently attended my first ISSA InfoSec Nashville conference. My expectations were exceeded by the event, especially with the opening keynote delivered by Robert Herjavec from "Shark Tank." While I'm not a regular viewer of the show and was initially unfamiliar with Robert, his speech was captivating. As the owner of a security company, his journey from a war-torn country to Canada, and eventually to starring in a hit U.S. TV show, is nothing short of inspirational. He shared intriguing insights into the future of security, particularly the idea of eliminating tier 1, a concept I'm still mulling over since there will always be a need for an initial level of defense.

Unlike at most conferences, I attended several talks at this one. Besides the opening, I was present for the afternoon keynote and a few other sessions before delivering my own at the day's end. The afternoon keynote resonated with me deeply, advocating for the hiring of entry-level professionals. The industry's skewed focus on seeking senior-level experts, as evidenced by LinkedIn job postings and the concerning average security professional age of 35, signals an unsustainable top-heavy structure.

However, hiring at the entry level isn't a panacea. Management must prepare a structured plan for these newcomers. I've seen many organizations lack this foresight, opting for senior professionals in the hope of minimizing their need for involvement. That doesn’t mean all entry level people are the answer. Maintaining a balance is crucial since many young professionals seek mentorship, a dynamic hard to foster in an environment composed solely of entry-level individuals.

The sessions I attended were enlightening, one on vulnerability management at a healthcare company stood out. Having developed a similar program for a mid-sized business, it was fascinating to compare approaches and scales, particularly seeing a dedicated team in action as opposed to one juggling multiple responsibilities.

The conference was overall a rewarding experience. It provided opportunities to connect with a diverse group of professionals and rekindle ties with acquaintances around Nashville.

BSides Augusta

As alluded to earlier, my conference strategy usually involves a "HallwayCon" approach, prioritizing networking and learning through impromptu conversations. This tactic led me to attend just one planned talk, aside from my own, at BSides Augusta. This event is a highlight on my annual calendar, coinciding nicely with a family visit to Columbia, SC, after the proceedings. What sets it apart is not just its impressive scale—with pre-pandemic registrations hitting 1,200 and around 800 attendees this year—but its distinct blue team focus, a nod to Augusta, GA's status as home to the Army's Cyber Command.

At a past ISSA meetup, I was taken aback when I was told attendees included members from the NSA, CIA, and Cyber Command —a moment that made me suddenly conscious of the powered on phone in my pocket.

I was extremely satisfied with the reception of my talk, now available on YouTube. My final presentation of this presentation will be at misecCON next month, where I'll have a full hour—a luxury compared to the concise 20-25 minutes at Augusta. While, like any presenter, I appreciate more time, I also value the challenge of a shorter format. It compels me to condense my speech to only the most crucial points, and enhance the chance of my talk being accepted.

The conference was, as expected, impeccably organized, and I cherished the catch-ups and new connections made. I’m eagerly anticipating next year's gathering!

Edited with the help of ChatGPT

This blog post first appear on Exploring Information Security

Hacker Summercamp Fallout

August 15, 2023

Here’s some of the interesting things from Hacker Summercamp.

Lot’s of news articles on hacking AI because 2023 is the year of AI and it’s overshadowed every other topic (No, I’m not bitter my API talk has since been overshadowed by the dawn of the AI era).

NPR - What happens when thousands of hackers try to break AI chatbots - by Shannon Bond

TL;DR:

2000 people over three days participated
Google, Meta, and ChatGPT provided their AI
The outcomes from the contest are to strengthen guardrails, help policy makers, researchers, and the public understand how AI can go wrong

If you want the presentation slides from Black Hat they have them on their website.

There was of course some junk hacking. While it’s impractical, it is interesting research. This particular one is on hacking card-shuffling machines at casinos. Which I’m pretty sure they did in Ocean’s 13.

TL;DR:

Report came out about some controversy around a poker game. Report said machine couldn’t be hacked
Challenge accepted
USB + USB port = pwned

Check out the Red Signal list on Twitter created by Jason Lang to see more fallout.

Also signup for the Risky Biz Newsletters. There’s some good nuggets on Black Hat and DEFCON in the one from August 15, 2023.

This blog post first appear on Exploring Information Security

Hacker Summercamp is over; let the fallout commence

August 14, 2023

Hacker Summercamp is a week long period at the beginning of August where the security community converges in Las Vegas to discuss all things hacking. I’ll have a page up to go into more details. One of the outcomes of the period is new vulnerabilities and attacks techniques are released in presentations. Some of it will be what’s called, Junk Hacking, which is interesting hacking that is very narrowly defined and usually has a small attack surface. Other security research released could have a significant impact organizations.

I’ll be watching for new releases throughout this week and write them up here. If you see anything interesting drop in the comment section below. If you went, drop your experience in the comment section below.

This blog post first appear on Exploring Information Security

Information security is a journey not a destination

June 2, 2019

It’s actually two journeys or two parts.

Part one: Getting into Infosec

This is where the journey begins. Usually with a desire (or need) to get into the information security. Sometimes you didn’t even know you were on the path. Which was my case. I joined IT because it seemed interesting and did a pretty good job of paying the bills.

I’ve been thinking about this more, because I’m going through the hiring process for a junior level position. I’ve noticed a variety of backgrounds of people trying to get in. Some people are coming from the military, others college, and yet others from working in IT. The junior positions don’t require security experience, it does however require some kind of college or IT experience.

Another observation I have is that, the candidates that are sticking out are involved in the infosec community and taking advantage of the many free resources. There are conferences, forums, slack channels, podcasts, blog posts, capture the flag events, videos, VulnHub, Hack the Box, bug bounty programs, and much more. Being involved in those things is very important because once you get in…

Part two: Being in Infosec

You have to utilize all those resources to keep up with the field. It’s been called a cat and mouse game between attackers and defenders. Technology is in a constant state of advancement and enhancements and with it comes new security challenges. A few weeks ago four vulnerabilities got dropped over a four day period that required me to understand the vulnerability. I had to understand how it is exploited and how we can mitigate it. I used blog posts, podcasts, Twitter, Google, and reached out to some people.

That last one is particularly important. The others are found on Google. Getting to know people requires putting yourself out there. Overcoming nervousness and anxiety to meet some new people. The benefit is two fold: you can ping ideas off people and you’ll increase your chances of finding opportunities within infosec. The perfect first job in infosec is rare. By perfect I mean a place to grow and advance. Even if you find a good organization there may not be a chance to advance or move up.

Below are a some links to help look for conference and other events in the area. I like BSides events because they have a low bar to entry. Usually $10-30 bucks for a day of talks, networking opportunities, and food. If that’s too much volunteer. It’s a great way to help out the community (reflects well on a resume) and be in a position that requires interaction. I only interacted with a few people at my first event as an attendee. As I continued to go to events my interactions with different people and the same people increased. How quickly this happens depends on how many events are attended.

These events also don’t require you to be in the field. You can start building your knowledge and opportunities before you get into the field.

Resources

Meetup.com - Good place to find local user groups in your area

Infose-conferences.com - Pick your state and any adjacent state you’re willing to travel to

This blog post first appear on Exploring Information Security

ShowMeCon wrap-up and what's ahead

June 21, 2018

I know. I know. It's been two weeks since ShowMeCon. I've been busy! Within hours the neighbors wanted to hang out (I brought the St. Louis beer). The next day, I had a big case of the don't give a shits. I didn't get a podcast ready for that night's release.

I went to work Monday expecting to head home and work on some stuff (like get a podcast out). Instead I was informed the development team I work with was heading to Nashville Sounds game, because some people were in from out of town and I was invited. I went. Tuesday, I played soccer for two and half hours, because I like pain (I didn't regain full functionality of my legs until Saturday). Wednesday was a social night, because those same people were in town (yay!). I got home and got the podcast out, three days late. Thursday, I wrote about suicide. Friday, I wrote about password policy. Both very serious topics.

Things sort of got normal after that. I took the weekend to kind of dink around on stuff I wanted to do. Monday I got two of the four podcasts edited I needed to. I was invited over the neighbors Tuesday for beer and baseball. Finally, last night I got four podcasts scheduled. I'm heading to Asheville tomorrow for BSides Asheville (still looking for a ticket). Much beer (and maybe a podcast) will be involved. Tonight is the night for me to write something and hopefully get a little Overwatch in. Damn I've been busy. Didn't really realize that until writing it down.

Back to ShowMeCon. This was my third year and fantastic as always. It's the ideal security conference. The hackers think it's too businessy. The business people think it's two hackery. There are more women at this conference than any other security conference, I've been to combined. I love it!

I did my first ever podcast panel, which went really well for being the first time. They had a personal trainer there to talk about health and fitness. There were a lot of questions at the end. This might be something I need to write about. I do work at a wellness company after all!

During the conference I managed to get two interviews for the podcast recorded. I really like the idea of recording interviews at conferences. It's a much better vibe when the two people are in person. It flows better. There's the low rumble of the crowd. The low thud of doors smacking closed. It's fantastic. Those will be releasing over the next two weeks.

Now that ShowMeCon is over, I've been re-evaluating my desire and need for submitting to conferences. I've been speaking since 2015. It's a great challenge and a good career booster. Now that I'm at a company that I adore and in a role that continues to expand, I'm starting to wonder the value I'm getting out of submitting to conferences. I love sharing ideas and challenging myself to become a better speaker. The downside to speaking is that it takes time away from my family.

I have two kids still in the single digits. I'd like to spend more time with them. At one point I was slated to be at 12 conferences this year. With other obligations, conflicts, and one conference not happening this year, I'm down to eight. That's still quite a bit. I've presented at all five I've gone to this year. It's not just going to the conference that takes time. It's also the preparation leading up to the conference. I spend several hours putting the talk together. Then I spend the week leading up to the conference practicing the talk. This is on top of the weekly podcast I produce.

I spend a lot of time in the field. Because of my expanding role I'm spending more time at work now too. I'm trying to find that balance. I'd like to spend more time with my kids. I think that will be at the cost of the conferences I attend. If I do submit a talk, it'll be for a podcast panel. The preparation for that is much easier than a full blown talk. I'd like to say I'm cutting back on conferences, but I don't think it'll take much for me to go to a conference (someone asks). We'll see.

This blog post first appear on Exploring Information Security

Converge and BSides Detroit wrap-up

May 14, 2018

Last week, I headed to Detroit for a wonderful conference called Converge. It was quickly followed on Saturday by BSides. This is one of staple conferences every year. The crowd is great. The venue is top notch. The other speakers are fantastic. The organizers are awesome! And of course dueling coney dog restaurants.

This year I got the opportunity to both speak and put on a workshop. The topic is the one I've been peddling all year, Social Engineering for the Blue Team. The talk went well enough. I had to transfer slides to our new company template and I missed some notes. The workshop went really well. I got some great feedback and found some refinements that need to be made. I only had six people in the workshop. Which worked out well, because I had a lot of back and forth and contributions from the crowd. I look forward to doing it again in the future.

I recorded one podcast interview and then did another conference interview that will come out this week. I'm going to try and do more podcast interviews while I'm conferences. Before I wanted to enjoy the conference and not worry about audio equipment and recording. That's a bit selfish, because I think I can record in-person with people. This would ideally lead to some better quality interviews and content. Shout out to Jesse who told me that he liked the new format. Thanks Jesse!

I'm playing with the format a bit so, I think this can slide in nicely. I plan to record some impromptu interviews where I just hit the record button and go. I think for the over-the-internet interviews I'll use my old format. I'll tweak it a bit. Ditch the old opening where I have the interviewee listen in. Instead I'll record an intro for each episode. This will allow me to give impressions of the interview and any promotional things. Still experimenting.

The conference went really well. I caught up with some friends and made some new ones in the process. If you missed it this year, I highly encourage you to check it out next year.

This blog post first appear on Exploring Information Security

Speaking and workshop update

April 1, 2018

BSides Nashville

I got picked up to do my Social Engineering for the Blue Team topic as a 25 minute talk. It's the last talk in the green room. Maybe I'll take that opportunity to see how long I talk before everyone leaves. Because it's in the green room, I'm going to try and give the talk a new twist.

I'll be at the conference as the photographer again. I've also been asked to help out with the resume and interview workshop. If you need help with your resume or interviewing stop by the workshop. I'm going to start preparing interview questions next week, which might make a good blog post.

Converge and BSides Detroit

The signup for my Social Engineering for the Blue Team workshop is up. It will be a four-hour workshop. Be sure to check out the other workshops. They're all fantastic and I wish I could go to all of them.

I've also been picked up as a speaker for the conference and we're in negotiations to do an Exploring Information Security panel. A year after I said I'd never speak twice at the same conference, I am now speaking three times. It's going to be awesome!

ShowMeCon

I'm back at ShowMeCon for my third year. This year I'll be doing a panel for the conference. Converge and ShowMeCon will be my first time hosting panels. I want to get it right while also making it something worth attending. The basic idea is to allow the audience to ask questions of the panel. Similar to what I do with guests on the podcast. It'll be an interesting experience and something I can pitch to other conferences.

This blog post first appear on Exploring Information Security

Screen Shot 2018-03-14 at 9.12.57 PM.png

I went to BSides Indy, then killed my computer

March 14, 2018

I still makes mistakes with computers (This might be the reason why I'm starting to drift towards the human side of things). I went to BSides Indy this passed weekend and had a great time catching up with old friends and making new ones. Monday I got pictures loaded and vetted onto my computer. Then Tuesday, after a not so great day, I killed my computer. My CPU looks to be toast after I smothered it in thermal paste. Yes, I do mean smothered. I got it on three sides of the first row of pins and in the CPU cradle. I'm pretty sure the thing is done.

That's okay though because it was on its last legs. It was built in 2011 (with upgrades in 2016). Instead of shopping for parts, I decided to try out a company I've heard good things. I'm over being hands on with my computer (see thermal paste). The new computer will take some time to get here. After I get my computer I'll be able to process the pictures I took at BSides Indy.

We’re off and running at @indybsides! Some really great talks today.

A post shared by Timothy De Block (@timothydeblock) on Mar 10, 2018 at 6:25am PST

BSides Indy was wonderful. They have a new venue this year at Indiana University-Purdue University (IUPUI). It had a lot of space. In fact, people on YouTube were commenting on how people weren't showing up for talks. It was really just the angle and no one wanted to sit up front. With this in mind, I made sure people sat in seats that were in frame to make it look like my talk was the most popular.

Speaking of my talk, (slides) it went really well. It was probably my best first talk I've done so far. It was done so well that it will be the only version of that talk I give. Let me explain.

I have so much content for Social Engineering for the Blue Team, that I think I can make multiple talks on it and still not touch everything I want to touch. I think there's an opportunity here for me to have the same title and abstract and provide something different each time I present on the topic. This will be more work for me. It also means that I can work on content for ultimate goal of the idea, training and workshops.

This topic is something I'd love to give at conference as training (both paid and free). To do that I need to work out some of my ideas and present them to a crowd of people. I've gotten positive feedback for the BSides Indy talk. I am scheduled to do a remote talk for ColaSec. I've already adjusted the slides for the presentation.

After that I'm an alternate for BSides Nashville. I'll plan to have the slides worked by then as well. If they don't get re-worked then I'll present those at ShowMeCon. Before that though I have my workshop at Converge and BSides Detroit. That will have everything in it as I'm planning for an 8-hour workshop (not sure on exact length yet). I'm waiting to hear back from a couple conferences and I'm waiting for a couple more to open up.

Back to BSides Indy. It was one of my favorite events. It's very laid back. It's in a city great for families. My wife came with me and took the kids to the mall where the played blacklight putt-putt. Both my kids got hole-in-ones on the 18th hole. We checked out the kids museum the day following the conference. That place is freaking awesome. It's four levels of activities for children (and adults). I highly recommend the place.

#TeamButts @InfoSystir @TimothyDeBlock pic.twitter.com/BN8Po7smKx
— Snow 🤞 (@_sn0ww) March 11, 2018

In between pictures I sat down to help Team Butts with the CTF. I say help, but what I really mean is that I googled an ID number and found it was associated with the rick roll video. I was hoping there would be more web app stuff, alas there was none. Still Snow and Infosystir (with a shout out to Dave from Hak4kidz) carried the team to a first place victory. The two top placing teams got NetWars accounts. Those ended up going to students as the people from the top two teams didn't have as a big of a need for them.

That's what I love about the infosec community. We care about each other, the advancement of juniors, and the betterment of the community.

This blog post first appear on Exploring Information Security.

My Social Engineering Village (DEFCON) experience

August 3, 2017

This was my second time going to DEFCON. I was previously at DEFCON in the early 2000s. At the time information security was not my sole focus. I was serving in the Navy as an Electronics Technician. I did a little bit of everything.

Being stationed in San Diego, California, allowed me the opportunity to be dragged out to Las Vegas in August by a first class petty officer. At the time I had no idea what I was getting into. I just knew I was going to Vegas (baby!). I attended some talks and was fascinated by the capture the flag competition. The weirdest thing that happened to me was crashing at a hotel with on of the speakers my friend knew. I expected them to show up at some point in the wee hours. After waking up, I realized no one had come back to the hotel room we just stayed in. Odd.

You might think this sparked my desire to get into the field. Nope, I was more interested in playing black jack, hitting some slot machines, and taking in the complimentary drinks. It would be another eight years before I knew I wanted to get into infosec. After I got in I had no desire to go to BlackHat (too vendory) or back to DEFCON (been there done that). Instead I started hitting the smaller cons like BSides, CircleCityCon, ShowMeCon, and DerbyCon. Those conferences (much more affordable) satisfied my desire to contribute and network in the community.

That all changed in early May. While attending Converge and BSides Detroit my friend Dan asked if I wanted to go to DEFCON and volunteer at the Social Engineering Village. I was interested, but needed to check the logistics. After getting approval from my wife and manager, I started working on hotel and transportation. Last Tuesday I found myself in Las Vegas for the first time in over a decade. The TL;DR version is that I had a blast.

The crew running the Social Engineering Village (SE Village) are some of the most friendly people I've met in infosec. I not only got to know Chris Hadnagy and Michelle FIncher, but I also got to know their wonderful family and friends. They couldn't have been any more welcoming to a new person (I'm tearing up a little bit). I spent the entirety of DEFCON in the SE Village (HallCon was not an issue for me).

On Wednesday we grabbed a truck and loaded it up with everything needed for the village. We then started setting up and didn't finish until well into the evening. For dinner I had my first taste of Thai food (ever!). The next day Mission SE Impossible began.

Mission SE Impossible involved contestants picking their way out of hand and leg cuffs. Then they had to pick a door lock. After that they had to make their way through a laser field. The first dude (looked like military) literally jumped through the big hole we left at the top of the field. The hole was easily 4-5 feet off the ground. Unfortunately, he hit a laser and it didn't count. It was still cool to see him do it. Then they had to run through a micro-expression exercise. Finally, they picked another lock. They had 15 minutes to complete all these tasks. The guy that won did it in just over three minutes.

Friday and Saturday the village had the capture the flag (CTF) during the day and talks in the evening. I was exhausted by the end of both days. I showed up around 9 a.m. and didn't finish at the village until 9:30 p.m. that night. Most of that was on my feet helping with crowd control. Which by the way, if you're reading this and you were at the SE Village and you complied with any of our requests to move seats or move out of doorways, thank you. Most people complied with our request to push people around, which I appreciated.

Want to hear the @humanhacker talk about his favorite SE stories? Head to the #SEVillage. Emperors ballroom @defcon pic.twitter.com/OpBtYtDbrG
— Social-Engineer, Inc (@SocEngineerInc) July 27, 2017

The village was packed practically all weekend. DEFCON really needs to try and get them a bigger room next year. The first two days we had people packed into every seat and standable space and still had a line outside the door. Saturday was a different experience, because it came down that anyone in the room had to have a seat (did I mention they needed a bigger room). This moved any fire hazard from the room into the hallway, where people were lining up down to the end of the hall. A goon came in and asked if I could estimate wait time. I told him an hour plus, for anyone near the end of the line. Side note, the goons were very friendly and nothing like the jerks I had heard stories about the last few years. They were absolutely fantastic to work with.

Half the time I didn't know what was going on the room, because anyone that left we had to fill their spot in the room. This meant either pushing people down or directing someone to the vacated seat. What I did catch was awesome. The talks were talks. I don't have many takeaways, because I usually only got to listen to bits and pieces. Things did start winding down when talks got started and I was thankfully to be sitting down. The calls were easily the most interesting part of the village (and the most popular).

The SECTF (calls) consisted of contestants calling various video game companies. They would try to get points by getting the person on the phone to divulge bits of information. These were basic things like browser or third-party software information (think Flash version). The success of contestants seemed to hinge on how well they did their research. Leading up to the competition each contestant was given a target and about two weeks time to find as much information as they could. This allowed them to collect numbers to call and pretexts to put together. The ones who did better research got live people on the phone. The CTF was on a Friday and Saturday, which meant the contestants had to get creative with their numbers.

Here is the list of flags for the #SEVillage CTF pic.twitter.com/52YDMEsNZF
— Dylan Hailey (@TibitXimer) July 28, 2017

For about half of the contest we had the pleasure of listening to ringtones and voicemails. The other half varied. Some companies were very good about not divulging information. While others were more helpful. The winner of the competition, Chris Kirsch, got a couple people on the line who provided him with almost every flag. Each call started a new set of flags, so contestants could rack up points with multiple calls. He had individuals going to thismachine.info and had them reading from the website, which just allowed him to rack up point after point. We didn't have many people leaving the room during his calls. Our biggest challenge was keeping the laughter down from all the information he was getting (yes, there was potential for the other person on the line to hear the room). I walked up and down the aisle trying to help shush the room. I watched as the look of humor turned to anguish as Chris raked up points. It was epic. At the end he got a standing ovation from the room. The dude straight crushed the competition. During Q&A he mentioned that he spend 40-60 hours doing research, in a two week period. This was the highlight of the competition.

On Sunday, Chris and Michelle recorded a podcast with Tim Larkin. I didn't get to listen to it all. What I did get the opportunity to listen to was fantastic. Tim talked a lot about situational awareness. After that we packed up and I headed to the airport. I took with me a bunch of new swag and hugs from everyone who worked the SE Village. The experience is one of the highlights of my infosec career. I can't wait for next year!

This blog post first appeared on Exploring Information Security.

Converge and BSides Detroit talks and slides

May 21, 2017

I had a great time at Converge and BSides Detroit.

This was my third attempt at going and I'm happy I finally got the opportunity to do so. The last two years I've had to cancel my plans due to life reasons. I did two talks this year. One at Converge and one at BSides. Both are linked below along with the slides for both talks.

How to kick start an application security program - Converge Detroit

I've given this talk at three other BSides prior to Converge. I feel like this is my best presentation of the talk so far. I will be giving it again at ShowMeCon in June.

Slides

The AppSec Starter Kit - BSides Detroit

This was my first time giving this talk. I thought it went well for it's first attempt. It still needs polish. It will probably be a while before I give this talk again at a security conference. I made this talk to present at developer conferences. It hasn't been picked up, yet. I'm hopeful it will for some talks later this year.

Slides

This blog post first appeared on Exploring Information Security.

BSides Knoxville - May 5, 2017

April 14, 2017

Only 3 weeks left till #BSK2017, official poster finished and going to print, amazing design by Joshua Marc Levy at https://t.co/wy9Fng8DDd pic.twitter.com/rBFXS0Vlze
— BSidesKnoxville (@BSidesKnoxville) April 13, 2017

I love BSides events. It's the simplest idea that has a tremendous impact on the information security. A lot of work goes into each BSides event and there are over 200 of them worldwide. I've been to two this year already in Huntsville and Indianapolis. It was my first time attending each of those conferences (one of the perks of moving to Nashville). I had an outstanding time at both. I was afforded the opportunity to speak and make some new connections with people in the industry. I will be attending Nashville next weekend and speaking at two more next month. Detroit and Knoxville.

What I love about BSides is that each one is unique. Huntsville is in rocket city. It is one of the simplest and well run conferences you can go to. The area is a lot like Augusta. Not much around, but a lot of really smart people. Indianapolis is similar in nature and a quite possibly the most laid back. It's located at a culinary school and I ate pastries all day. Nashville feeds its attendees with catered (YES CATERED!) barbecue from Martin's BBQ. I'd put the lunch up against any conference anywhere. I will be heading to Detroit next month for that BSides which coincides with Converge Detroit. I've bailed on the organizers two years in a row due to life changing events. Not this year, though! Flight and hotel are booked.

Knoxville is another new conference for me this year. It's already turning out to be quite the unique experience for me. I am speaking at the event. Which is a bit of an outlier for me. I've submitted to three different conferences in Tennessee and BSides Knoxville is the only one that accepted my submission. It's fulfilling that dream and my dream to have a walk up song.

I'm a big baseball fan. My dream of coming out to a walk up song in professional baseball died a long time ago. In my adulthood, I've thought about what walk up song I would choose if I were given the opportunity. That day has arrived! Along with my presentation acceptance email were instructions on sending in my preferred walk up song. I only get 20 seconds, but that's all I need.

I started thinking about all my favorite songs. There were too many to make a choice from. I decided to take to Twitter to ask for suggestions. I got some really great responses. I also took the question to ColaSec a security user group in Columbia, SC. My talk is on kick starting an application security program, so I took the question to the development team I work with. I got some really weird and interesting response. I had about 20 potential songs, so I made a survey. From there I picked the top three and created a Twitter poll.

Final vote: What should my walk up song be for @BSidesKnoxville? Got some great suggestion. These are the top 3 based on survey.
— Timothy De Block (@TimothyDeBlock) April 14, 2017

If you have Twitter I'd love for you to vote and share. I like all three songs in the poll, so I will absolutely use the poll winner for my walk up song. If you're going to BSides Knoxville I would highly recommend planning your schedule. It helps the organizers place talks in rooms and time slots. From talking to several organizers of security conferences scheduling is one of the most frustrating things. This will make scheduling easier for the organizers of Knoxville. They're putting on an awesome conference at a ridiculously good price. It's the least you can do.

If Knoxville is in your plans May 5, 2017, hit me up on Twitter and let me know you're attending. Or walk up and say "Hi!" (I don't Twitter at conferences anymore). I'm really excited for the conference and hope to see you there.

This post first appeared on Exploring Information Security.

Back from vacation: Trends 2015, DerbyCon, and podcast

August 4, 2015

Trends 2015

October 28, 2015, IT-ology will be hosting Trends 2015, which will focus on:

"...the overall digital transformation taking place in society and the associated security issues that come along with it."

The ColaSec group has been asked to help with promoting and finding speakers for the event. The call for presenters is now open. Here are the details:

IT-oLogy presents Trends 2015

Cybersecurity 2020: The Impact of Digital Business on Security

CALL FOR PRESENTERS NOW OPEN

Form to submit: https://itchallenge.wufoo.com/forms/r1pd8o9s19cfxod

What is Trends?

An IT-oLogy (www.it-ology.org) hosted annual conference focusing on technology issues and topics that are “trending” nationally as well as regionally/locally. Basically, it heightens awareness around issues that will impact the future of IT-oLogy partners, the local and regional community, and South Carolina in a big way. The conference is kicked off by a presentation from a Gartner analyst.

2015 Topic:

This year’s topic is the overall digital transformation taking place in society (everything is becoming ‘digital’) and the associated security issues that come along with it.

2015 Date/Location:

Trends will take place Wednesday, October 28 fro 9:00 am to 4:30 pm EST at IT-oLogy, 1301 Gervais Street, Columbia, SC 29201.

Call for Speakers:

The 2015 Call for Speakers is now open. We’re looking for talks in the following areas:

Digital Transformation

A massive “digital transformation” is taking place in society and the pace is only accelerating. Industries, as well as organizations and individuals, are being impacted in ways never imagined. What are examples of this transformation? How is it having an impact? Why is it important?

Security, specific to the following areas:

C level/Executive – security issues impacting executives at all levels (decision makers). Those topics executives should be aware of and know about.
Technologists – issues impacting those at a hands-on technical level. Target audience here will be technologists.
Citizen 101 – issues impacting everyday citizens. Things they should be aware of. Examples might include a very basic overview of how to encrypt email and/or attachments (most don’t have a clue), why changing passwords often is a must-do (and how to keep up with all those passwords), and other like issues.

Do you have a presentation? We’d like to hear from you! Please fill out the form and Todd Lewis (todd.lewis@it-ology.org) will respond!

https://itchallenge.wufoo.com/forms/r1pd8o9s19cfxod

DerbyCon

While on vacation last week, I was surprised to receive an email from the organizers of DerbyCon informing me that my Blue Team Starter Kit talk was accepted. I was a bit surprised to have my talk accepted, then I was a little terrified to be speaking at one of the biggest and well known security conference in the US. Now I'm really excited to be speaking at the event and I look forward to the experience of not only speaking at DerbyCon but attending the conference as well.

Which leads to my next point. I need to figure out a place to stay. If anyone wants to split a room, get in touch. Also, I'll be driving to Louisville, KY, from Lexington, SC, anyone in between is more than welcome to contact me about a ride. I will be heading to the conference on the 24th of September.

Exploring Information Security

I will be working on getting the podcast feed setup for the Exploring Information Security podcast, so I can submit it to iTunes and begin releasing episodes next week. Feedback and suggestions for future episodes are welcome.

This post first appeared on Exploring Information Security.

CircleCityCon gallery is up and bonus GIFs

July 7, 2015

All the CircleCityCon pictures are now available on Flickr.

Below are some GIFs I made from the pictures I took.

DJ Rance giving CircleCityCon attendees something to bounce to.

Who's behind the mask?

@TimothyDeBlock @CircleCityCon @revrance hmmmmmmmmmm
— Eddie Mize (@EddieTheYeti) June 30, 2015

Here's the ladies of CircleCityCon having some fun during their "photo shoot."

This post first appeared on Exploring Information Security.

CircleCityCon impressions and pictures

July 2, 2015

In mid-June I traveled to Indianapolis, Indiana, to be the photographer for the security conference called CircleCityCon. Click the Gallery link below to see some of my favorite pictures from that conference.

CircleCityCon 2015

CircleCityCon Indianapolis, Indiana, June 12 - 14, 2015.

One of the things I noticed while processing pictures from the security conference were all the smiles people had. The conference was a blast and it appeared that everyone involved was having a pretty good time.

Chris Roberts AKA Sidragon AKA the dude who flew a play "sideways" kicked off the conference, followed by a Space Rogue opening keynote. From there, the conference featured three security talk tracks, and four to six training tracks. DJ Rance and DJ Cy-Fi and DJ Triptych provided some kickass sound for both Friday and Saturday after parties, which included walls lined with old arcade games. Duane & Brando rocked the stage Friday night and MC Frontalot got the hackers dancing Saturday night. There was also a capture the flag (CTF) competition, lock pick village, and activities for kids. It was a well rounded conference, that I would recommend to any security professional.

My favorite part of the conference came during closing ceremonies when announcing how much money they had made for the five charities they were supporting at the conference. I don't remember the exact amount the conference made, but at one point Micheal Smith AKA DrBearSec said they would contribute $200 more to a particular cause to round the total up to $1000. I absolutely loved that and that gesture reaffirmed that I was contributing to something special.

I had a fantastic time. I got to meet a lot of people I interact with online and I also got to meet some new people I hadn't interacted with online yet, but will be in the future. I hope everyone enjoys the pictures and I look forward to next year's conference.

This post first appeared on Exploring Information Security.

Heading to CircleCityCon

June 10, 2015

Early Thursday morning I will depart South Carolina and head North to Indianapolis, Indiana, for the three day security conference called Circle City Con. The conference is a three day event with training, speakers, and nightly entertainment that begins June 12, 2015, and ends June 14, 2015.
I am signed on as the photographer of the event to document with pictures all the fun things.

I would love to meetup with anyone going that I know, or even don't know. If you see me walking around the con stop me and say, "hi." Also, if anyone lives between South Carolina and Indiana and needs a ride, let me know. We might be able to work something out.

Check out what the lucky @CircleCityCon 2015 attendees will be getting at the event next weekend! pic.twitter.com/CUTnRkwS8G
— SyncStop (@SyncStop) June 4, 2015

This post first appeared on Exploring Information Security.

Impressions from BSides Augusta

September 16, 2014

Simply awesome!

What a great BSides event. Not only was it a short drive for me, but the event itself was top notch, all at the fantastic price of free. I can't gush enough about how great of an event this was. Excellent talks, great location and wonderful people. I volunteered for the event and you can read my experience from that as well as a rant about how awesome volunteering is by clicking <------- this link.

I love that this BSides decided to go with a blue team and a red team track. It helped define some of the talks that might not have been apparent in the title or in the abstract. Full disclosure: I'm a blue team guy and thus spent most of the day in the blue track. I hear there were some fantastic red team talks like Tim Tomes', The Adobe Guide to Keyless Decryption:

But there were also some fantastic blue team talks like Tim Crothers', Techniques for Fast Windows Investigations:

Or Chris Campbell's, Using Microsoft's Incident Response Language:

What I loved in particular about this talk was the Chris spent the majority of his talk going over actual code and techniques, which is not something I see a lot of talks doing. If you're interested in PowerShell, have it up while you're watching this talk.

There's also Chris Sanders' talk Defeating Cognitive Bias and Developing Analytic Technique which kicked off the blue team track:

Finally, Mark Baggett closed out BSides Augusta with his awesome talk Crazy Sexy Hacking:

These talks were the ones that impacted me the most. Everyone is going to get something different out of each talk. I would recommend you check out all the talks at the BSides Augusta YouTube channel. I don't think you'll be disappointed.

One other awesome thing happened at BSides Augusta in that the local media showed up announced and took footage of the event as well as conducted interviews with some of the organizers of the event. This is not just a good thing for BSides Augusta, but the infosec community as a whole.

We must present ourselves to the world as professionals and BSides Augusta did that very well. I look forward to more BSides, especially at Augusta.

This post first appeared on Exploring Information Security.

Exploring information security: How to organize an infosec conference

July 2, 2014

In the second edition of the Exploring Information Podcast (EIS) my infosec cohort Adam Twitty and I talk to Ed Rojas about how to put together an information security conference.

Ed Rojas (@EdgarR0jas) is a Master Consultant for HP Enterprise Security and the creator of Security Zone information security conference in Columbia and the organizer of the BSides Nashville security conference. I had the pleasure of attending BSides Nashville this year and got the opportunity to snap a few pictures. Ed was a very accommodating and passionate host for the event.

In this interview Ed talks about:

The first step to organizing a security conference
The time and effort it requires
How to pick the right date
The biggest challenges putting together an event
Some of the mistakes that were made
Where to host the event

Leave feedback and topic suggestions in the comment section.

This post first appeared on Exploring Information Security.

InfoSec links June 12, 2014

June 12, 2014

Striking similarities between a WoW raid team and an infosec team - Tripwire - The State of Security

If you’re not a gamer or hate World of Warcraft (WoW), then go ahead and pass on this article. It talks about how a WoW raid team has different roles, responsibilities and skill sets to make a successful raid run. Those same ideas and concepts can be applied to a infosec team which requires different roles, responsibilities and skill sets to accomplish its objective of securing the business. I primarily played a healer on my WoW raid teams and I think I could make a case I’ve done the same thing in information security.

Flash Poll: The Hunt For Cyber Talent - Marilyn Cohodas - Dark Reading

Information security professionals are at a premium right now. Companies are struggling to find not only security professionals, but the right security professionals with the right skillsets and at the right price to secure an environment. I’ve seen this within organizations. While it’s frustrating from a day to day operation standpoint, finding the right people and the right amount of people; I’m actually starting to see some personal career benefit.

InfoSec Conferences - Client Side Vs Server Side - Javvad Malik - J4vv4d

Javvad gives some great tips on going to security conference. If you’re in information security or trying to get into the field, one of the best things you can do for your career is attend security conference. They’re all over the place and take place throughout the year. In the last month I’ve been to two and in about a week and half I plan to go to another one. It’s a great place to learn and explore as well as make connections within the infosec community. Javvad’s final suggestion is to make content, which I’ve begun doing. You can check that stuff out in my photography section under media.

This post first appeared on Exploring Information Security.