Saturday, February 19, 2011

Passwords^11?

Quick and dirty:
I've talked with Professor Tor Helleseth, and he's got a budget to sponsor another password conference. IF we do it, we'll have to do it before end of June 2011, according to budgets, grants etc. I've been asked to provide some suggestions for main topics that we can include in a CFP. I would like to know your opinion.

I learned a lot about organizing a security conference. :-) If we do this again, I will make arrangements for an "official" conference hotel, preferably with a discount package. Especially for foreign participants I will also try to arrange, or at least get some reasonable info for, sightseeing before or after the conference. And I PROMISE: I will provide maps with the exact location of the University building for the conference. ;-)

Anyway; the important stuff:
In order to progress from Passwords^10 (which got a 4.6/5 overall rating!), I've been thinking about the following areas, in addition to those that got covered last time:

1. "Best practice", real-life war/success stories on using various hash algorithms (This F-Secure blog post is an interesting reference: http://www.f-secure.com/weblog/archives/00002095.html)

2. Self-reset password solutions. People do forget their passwords. How do you handle that?

3. Out-of-band password authentication: does it work? Risks? SMS? Voice? Snail mail?

A few entries for my own wishlist of talks I'd like to see:
1. Using statistical analysis to improve password guessing attacks (Matt Weir? ;-))
2. Hybrid Rainbow Tables - evolution beyond length 8 (FreeRainbowTables - Quel?)
3. Howard Smith from Oracle - Ethics part two: responsible disclosure (yes, seriously!)
4. Passware : "First we'll take Firewire - then we'll take PCMCIA/Expresscard" (reference: http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars)
5. Elcomsoft : Evolution of EDPR and EPPB (naturally) - Andrey: some of the iOS backup stuff we've discussed so far. Working on a blog post + PPT on deploying iTunes/iPhone "securely" with ActiveSync in an organisation.
6. Already talked to Kirsi Helkala - her "3 simple words" was kinda cool - I'd like to see more statistics! :-)
7. KoreLogic: *anything*: I'm interested. :-)
8. PCI-DSS: passwords and encryption (covering latest version of PCI-DSS)
9. HIDDN hardware AES encryption, protected by smart cards. Would love to ask you questions on your products.
10. The ultimate John the Ripper walkthrough
11. Pass-the-Hash / Pass-the-Ticket (Kerberos) attacks - do, detect, block (?), improve. TrueSec in Sweden; you are most welcome. :-)
12. CSO of PlentyofFish or anyone else who got compromised : what happened, what to do, lessons learned?
13. The researchers who compared 2 lists of compromised services and found password reuse to be more than a myth.
14. Anyone who studies human nature behavior, patterns etc: why do we choose simple passwords? Why do we forget them? (Psychologists wanted...)

I'd like to hear your opinion. :-)

Best regards,
Per
