
OMNOMNOM: A Newbie Chick's Take on InfoSec

BSides Charleston · 2016 · 24:43 · 156 views · Published 2016-11
Speaker: April M. Jones
Category: Career
Difficulty: Intro
Style: Talk
About this talk
April M. Jones, a newcomer to InfoSec with eight months of hands-on experience, draws playful parallels between security terminology and food to demystify the field for beginners. Using wordplay and real-world examples (cookies, hashes and salt, Security Onion and Onion Salt, PulledPork, salami slicing, WiFi Pineapples, Raspberry Pis, golden tickets and rainbow tables), she reframes technical concepts in accessible, memorable ways while encouraging the audience to adopt a fresh perspective on InfoSec thinking.
Original YouTube description
Title: "OMNOMNOM: A Newbie Chick's Take on InfoSec". Speaker: April M. Jones (@inkandfyre). April is a Newbie Chica in the InfoSec world. She fell into it purely by accident (she was *almost* pulled kicking and screaming), but had already developed second-hand paranoia due to her connections, so it was a natural next step. Managing to get a newbie-type position at a Large Unnamed Company, she has begun happily delving into the lighter and darker sides of InfoSec. Sure, she might not have quite the background that most speakers have, but she definitely can provide a new twist on things and a new way of thinking about them. When she's not attending conferences and trying to solve the world's InfoSec issues, she enjoys spinning creative tales and reading. Note: Apologies for the poor video quality! Technical issues forced a less than ideal copy of the video to be used.
Transcript [en]

Hello. I'm going to preface this by saying this is my first presentation ever. Slow me down if I start going like 50 miles a minute speech-wise, because that just means that I'm supremely nervous. So, my talk: fabulous. Oh no, no, it's my take on InfoSec, and maybe, maybe I can actually make this work. Nope, kind of. It's not going to work the way I want it to. See, I'm having difficulties now, but I'll drive ourselves. Yeah, it's good, I got it. So this is me. Not the picture, that's my cat. Me nude? Yes, she's wonderful. But I am April, April M. Jones. Because there are so many April Joneses, it doesn't matter if I give you my middle name or not; you will not find me on Google, Bing, or any of your favorite search engines. A lot of April Joneses in the world. It's great to have that anonymity.

I am, as I stated, a newbie in InfoSec. I have actually technically only been in InfoSec for eight and a half months. I've been kind of peripheral for two years, two and a half, something like that. I am obligated to tell you that I work for Microsoft. Nothing in this talk, in any way, shape or form, is anything related to Microsoft to start with, or represents the views or stances of Microsoft as a company, but I'm obligated to tell you that.

So I have a question for you all. Those of you who remember: why does a Linux installation correlate to pizza and beer? Anybody? Anybody? One, your servers? No, no. It correlates... it is relevant to it initially. No, I wasn't... well, okay. Since nobody, nobody quite gets it, all right: initially it was because Linux installations took so long that you'd just make it a party. Order some pizza, get some beer, bring friends over, because it just took that long to install Linux.

So this portion, the food, was something I first noticed when I went to my first BSides ever, and that was BSides Augusta. Was it 2006? 2016? 2014. I'm sitting there and I don't understand the jargon, right? I'm just sitting there in these talks, because my significant other's there and he's the one who's in InfoSec and everything like that. I'm listening to these talks and most of the jargon is going through, and I'm realizing I'm getting hungry, and I start to tune in to what I'm hearing. I start noticing I'm hearing a lot of food being talked about, but they're not talking about food; they're talking about various portions of InfoSec. And that's because everything, everything in life revolves around food, but in InfoSec it's like ten times worse. Because I was hearing about hashes, and salting the hashes, and Security Onion and Onion Salt, and I'm going, I have these things in my kitchen at home. And some of the things that I was hearing talked about were things that I could make deliciousness with. So I started writing it down. Pulled out my trusty little notebook, which I've got in my backpack at current, and started just writing it down. Like, okay, so they're talking about this and this and this and this, and this is food, this is all food or food-related. Okay, all right.

So when I was creating this talk I was like, all right, well, I know there's other things, so I tossed in a few of the normal computery goodness just to round it out, to say, well, it's not just InfoSec, it just happens to be mostly InfoSec. And the funniest part about this was, after the talk that we were in that I started hearing all these things, I'd racked my brain and made my list, I turned to Tori and I go, "InfoSec-related food: all about food," and I started pointing out, I showed him the list, and he's like, "I've never thought of it that way. You're right." So I'm hoping to share with you here some of the things that have come to mind for me, and to ask you guys to shift your method of thinking about InfoSec, and to bring some of perhaps your own realizations to the rainbow table.

Cookies and apples, oh my. So I'll start with this wonderful deliciousness. It's been around for ages now, probably as long as some of you have been alive. So who wants a cookie? Who wants apples? I've got cookies and apples, legitimate cookies, legitimate apples, right over here. Please come take. There's a talk after mine, so you have another hour plus the rest of my talk before lunch, and I will make you hungry. Please feel free. I got apples for the people who may be gluten-free or are trying to be healthy. Yes, please. I will state... bad cops because of the feet... the Charleston farmers' market is going on; the apples came from the farmers' market, purchased this morning. Please feel free. There are, I think, Rome apples and Jonagold apples, if I remember. So, you're welcome.

So wait, what? What you see on the screen and what you hear me talking about right now are completely different from what they actually are. Cookies have been around since, I know, since we first started doing websites, as far as I'm aware, or started visiting websites. There are those delicious things that, especially nowadays, you get notifications: "Hey, this website uses cookies, is that okay?" Well, yeah, my browser is hungry and tells my computer, give it a cookie. I mean, just don't feed my mouse, that's all I ask. A Macintosh. You don't hear... you hear "Macs," but it used to be Macintosh, and it's the original of Apple's systems, you know, Macintosh to Eve's apple to ease... and there are different, like, Macintosh types of systems, and I remember some of those with the giant five-inch floppy disks. Yeah, who remembers floppy disks of any size? Awesome, awesome. And then of course Apple is, on the opposite side from mine, one of the big tech companies that we all owe our souls to, and lots and lots of money.

So, let's start with breakfast. Who had breakfast this morning? Awesome, awesome. Those of you who didn't and normally do, you might even... if you didn't grab a cookie or an apple, you might want to. You will be hungry by the end of this. So where should we start getting into InfoSec, right? With breakfast.

Hashes. Salting the hash is the first thing I thought of. When I heard hashes, I thought hash browns. I know a lot of other people immediately thought something else when they heard hashes, but this was the first thing that popped into my mind. First thing. And then of course you want to salt the hash; you need a little bit of flavor to the hash browns, right? Salt it, then it makes delicious. That is not what it really is. Hashes... I had to look these things up, I'm sad to say. Like I said, I am a newbie in InfoSec, but I did my research to the best of my ability. Instead of giving you quoted things I kind of generalized it the best I could. Hashes: a collection of keys and values that you truly use for passwords, and it just kind of mixes them up a little. When you salt it, it adds some more stuff to it, garbage and jargon that gets understood by whatever you're putting your password into, but it makes it more difficult for those with questionable morals to get a hold of them. So, well, in the culinary sense too much salt is bad; it's not necessarily bad in InfoSec. So we will continue. Let's go to the next bit.

All right, so who has onions and onion salt in your kitchen? Who has no clue what they've got in their kitchen? [Laughter] I have onions, I have onion salt. We use both, and if I don't, she does. So I got to thinking about this. It was like, because they were talking Security Onion and I'm like, "onion." That's all I heard was onion, not security, I just heard onions. Like, onions made me think of Shrek, actually. Onions... ogres have layers because onions have layers. And I'm just like... and then you watch him eat that thing, and it was like... they usually... you've got to get eaten by, like, fruit... but this isn't really what we're talking about in InfoSec, is it? It must be Security Onion, which is a distribution of Linux that has a whole lot of different things in it. And we must also be talking about Onion Salt, which was created, written by Mike Reeves, for Salt, as Salt for the Security Onion distribution of Linux. So

apparently Onion Salt, last I saw it, was updated... here it is, the 20th of January 2015. That was the last update that I saw on the Security Onion website, so I don't know if they're still updating it or what. Hopefully they are, because it looked like it was really cool.

So, you hungry yet? Ready for the main course? Mmm, pulled pork. Nope. Pulled pork. Well, you're in the South, man, who doesn't like barbecue? And we are in South Carolina, where barbecue is pork. You're not in the Midwest where it's beef. It's okay. But wait, so what it really is, right: it's a program; it's what Snort uses for rule management. I think the guy who was doing the talk, when he talked about PulledPork, I immediately thought of, you know, what you put into a crock-pot and you leave it there for hours and hours, and you come at it with your forks and pull it apart. And then you mentioned Snort and I'm like, that doesn't jibe with pulled pork in my head. [Laughter] This is true. It's not supposed to be snorting at that point. If it's snorting at that point then something's wrong, and your crock-pot is messed up or someone missed a few steps. And I'm not gonna lie, I think this is my favorite Snort picture that I have come across on the interwebs at all, ever. So, this one, the next one, I misheard this.

I misheard this, or I misremembered it, and I thought it was "sliced salami." I even wrote down "sliced salami." But when I went looking for it, I discovered it's salami slicing, which is a form of attack that people use... it uses, like, little bits of information. You will see the movie Hackers... oh, that's such a small number. Those of you who have not seen the movie Hackers, go watch it. It is a perfect example of salami slicing, perfect example, the attack that's in there. I mean, in fact, some of the things that I found when I was researching it, and found that I had it named wrong, actually referenced the movie Hackers. They referenced a few other movies, but Hackers was in there. It's like, yes, because I like... yes, Acid Burn.

Keep going for deliciousness. How about some fruit? I mean, we've got some apples, right? So how about there's other fruit: pineapples. Wait a minute, what do you mean that pineapples aren't fruit when it comes to InfoSec? Do we mean... oh, oh, right, right, it's also a networking thing. But I didn't figure that I needed actual text on this slide to explain Pineapples, because I'm pretty sure that that picture kind of speaks for itself. When I first heard about Pineapples I'd never seen one, and I'm like, why did they call it Pineapple? And then I saw one. Oh, okay, I get it

now, I get it. Well, we're getting into the fruit; it must mean it's about time for dessert. You all ready for dessert? Here we go. Who does not like some fresh homemade raspberry pie, especially with some ice cream? Delicious, delicious. Maybe it's not homemade, maybe it's from a store, but you can't tell because it's that good. Wait a minute, we're still talking InfoSec, right? Must mean that Raspberry Pis are not actual pies. I'm still hungry, but now there's those lovely little tiny devices that keep getting tinier and tinier and tinier as they go along. They have Linux, various Linux distributions, on them. I actually inherited Tori's old one because he got a new one. I have yet to play with mine, but his is actually smaller than the one that he had initially. And, pretty suddenly, Raspberry Pis... you need a big slice of pie, right? Why are they so small? So that you can stick them in your pocket and take them with you. So you go do whatever InfoSec that you need to do, be it black hat or white hat, then you've got something right there. Travels well. Very versatile device.

I do have two special mentions. This was all that I had at this point that made me think food. My special mentions are the golden ticket, which is not really... I can only tell you realistically, off the top of my head, what they are, what they made me think of. I heard "golden ticket," and the first thing that popped into my head was Willy Wonka and the Chocolate Factory. The original movie; I haven't seen the new one with Johnny Depp, obviously haven't seen it. But the old one with Gene Wilder that made you question his sanity. But those chocolate bars you unwrap, and if you had that golden ticket, that was your way into his factory to check it out. And they're still taped up here. So that's my... you think chocolate.

And then rainbow tables, which... Jeff Blay story with this one too. You have to have somewhere to eat your delicious InfoSec, don't you? So, yes, I looked up the rainbow tables because I had gotten this question in my interview for the position I currently have at Microsoft, and I knew the answer, but I couldn't, like, pull it from the ether right then and there. So instead of just going "I don't know," or "I know but I can't remember," I said, "That's where unicorns go to eat their food, right?" My interviewer made me repeat it because she couldn't believe that she heard that. I repeated it, and she died laughing. So score one for humor. But yet, I know now the answer is that it's the list of various passwords that can be used for nefarious purposes, or otherwise. So it's up to a certain length, and you know, it's a list you go through, just hammer away at, and it can be used to reverse hashes. Remember breakfast? Reverse hashes. So

at this time, if you have any questions... which I don't... you do? But if you have any questions, or maybe you're hungry, there's still some apples, still some cookies. We have questioners. Okay.

[Question] You prefer pineapple, lemon or strawberry?

Strawberry. Ooh, that's a good question. How'd he... did you know? Okay, no, no. I drove, a short drive. Well, there's other people in the vehicle who drive.

So, question. Question? Sorry, what? What made you decide to get into it? I was pulled here kicking and screaming, almost pulled kicking and screaming. Secondhand paranoia, just kind of a natural progression. I was already in IT; significant other's in InfoSec and has been for years. He started dragging me to these BSides once we moved out here to, actually, Charlotte, and it just kind of happened. It's kind of like me being in IT, it just kind of happened.

[Question] Have you heard of BeEF?

I had not heard of BeEF. That's where...

[Audience] BeEF is a browser execution framework that you can use in a pen test, like, look up social engineering attack, where let's say in this case you get a user to go to a site that's been hooked, and then once they visit the site and they get hooked, then now you can kind of control their access and environment, kind of get access. It's basically JavaScript, yeah, like, super common. So there's a lot of good things, like you can have pop-ups show up that say they have an update, which is not an update; it might be a payload or something like that.

I know what you're talking about. I work in incident response, so the malware's work... that, in your... next off, I could... I'll have to write it down. Like I said, I've got my little notebook.

So, did anyone else think of any other food-related... you said BeEF, that's true. Yeah, don't remember laughing, write it down. Are there any others, truly? Someone's come across something else that I didn't come across? Even if it's just computery-goodness-related, we'll take that too. Gentle Kiwi, wine... I knew, inside of that... Thank you, Jerry. Sure, he has an HTTP server, yeah. I'm gonna have to jot it down. Sure, actually, pull that notebook out, write things down.

You guys thought I was joking about this.

There you go: the list started on the back of this notebook. Oh yeah, I did write it down but didn't put it in here, because it was... you know, I talked about the hashes and salting the hashes... the pass-the-hash attack. Oh yeah, I'm sitting here like, yeah, you mentioned that and I didn't even think of that one. I should have. These Linux...

...are good, good. And if you get sick you have crackers, see, you balance. And if you want that, there's a nippy woman...

Any others? No? I appreciate you listening. Thank you very much. Thank you. [Applause]
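The breakfast hashes, the salt, and the rainbow-table answer from the Q&A are the three ideas in the talk that actually connect, so here is an added example (not the speaker's material and not from the talk) that shows how they fit together. It uses a tiny constructed wordlist as the "list of various passwords", a plain precomputed hash-to-plaintext dictionary in place of a real rainbow table (a real one stores chains of hashes and reduction functions to trade space for time, but it answers the same question: is this hash in my table?), and SHA-256 for brevity. The function and variable names are the example's own.

```python
import hashlib
import secrets

# Constructed wordlist standing in for the precomputed "list of various passwords".
WORDLIST = ["password", "letmein", "hunter2", "pizza&beer", "omnomnom"]


def unsalted_hash(password: str) -> str:
    """Hash browns without salt: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext once; this is the work a rainbow table saves
    the attacker from redoing for every stolen hash."""
    return {unsalted_hash(w): w for w in words}


def reverse_hash(table, digest):
    """'Reverse' a hash the only way that works: look it up in the precomputed table.
    Returns the plaintext, or None if the digest was never precomputed."""
    return table.get(digest)


def new_salt() -> bytes:
    """Random per-user salt; unlike in cooking, plenty of salt is fine here."""
    return secrets.token_bytes(16)


def salted_hash(password: str, salt: bytes) -> str:
    """Salt mixed in before hashing: two users with the same password get different
    digests, and a table built without this salt never contains them."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack_with_salt(words, salt: bytes, digest: str):
    """Salt does not stop guessing; it forces the attacker to redo the whole wordlist
    per salt (per user) instead of reusing one precomputed table."""
    for w in words:
        if salted_hash(w, salt) == digest:
            return w
    return None


def demo():
    """Walk through both outcomes: unsalted hash recovered from the table,
    salted hash of the same password not found in the same table."""
    table = build_lookup_table(WORDLIST)

    stolen_unsalted = unsalted_hash("hunter2")
    recovered = reverse_hash(table, stolen_unsalted)        # "hunter2"

    salt = new_salt()
    stolen_salted = salted_hash("hunter2", salt)
    not_recovered = reverse_hash(table, stolen_salted)      # None

    # The attacker can still guess, but only by hashing the wordlist again with
    # this user's salt, so the precomputation bought them nothing.
    guessed_anyway = crack_with_salt(WORDLIST, salt, stolen_salted)  # "hunter2"
    return recovered, not_recovered, guessed_anyway


if __name__ == "__main__":
    print(demo())
```

The reason "too much salt is not bad" is visible in `demo()`: the only thing salt costs the defender is sixteen stored bytes per user, while it costs the attacker a full pass over the wordlist per user, and a weak password still falls to that pass. In production this belongs behind a deliberately slow password hash (bcrypt, scrypt or Argon2), not bare SHA-256 as used here for brevity.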