[kcdc 2022] insider threat : what is social engineering

Speaker: Crux Conception @cruxconceptoin (pen name)

For more, see the table of contents

On walking in

  • He asked what talk was in the room and teased people about giving too much info
  • Also commented there is too much info (wifi password) on the badge

Social Engineering

  • Ability and talent to connect with emotion
  • Can be offline or online
  • We all do it. Ex: lying about what movie you want to see.
  • May earn trust
  • Goal is to do something or gain data
  • Highly evolving method
  • Teaching in college now

Examples

  • Anonymous text messages with links
  • Facebook messages asking where from

Exercises

  • Phishing – caller says you have tickets, but you didn’t plan a trip. Asks for employee id to confirm. Victim also gave up their name by confirming it and said they were interested in going to Budapest (came from screensaver). The caller phoned you, so they already know your name.
  • Team building – where grow up, how many siblings and unique challenge from childhood. Think about how much you disclosed and if you held anything back.
  • Scenario where pen tester tries to get in building. Try to get someone to let you in. Most people say they would take them to security or get security.
  • Scenario – pen tester pretends changed auto pay info and asks for employee id
  • Companies have offices all over US. Try to get id number by calling Miami office and speaking to receptionist, then victim

Useful insider info

  • Knowing how much a company would pay to recover from an attack
  • Ids
  • Names
  • Departments

Attacks

  • Fill in the blanks
  • Spoof text message numbers
  • Israeli software to crack phone. Don’t even have to click link anymore. Get access to phone just by sending an SMS.
  • 40% of major companies reported industrial espionage incidents in 2016
  • Ex-employee stealing self driving car info from Apple. We focused too much on China. More African students in US than anywhere else.
  • Leaking is making info public. Info is power. Have goal.
  • Spilling is like leaking without intent.
  • Sharing info at conferences. Ex: where you work.
  • Russian and China trying to steal COVID vaccine research using malware and spear phishing
  • Twitter hack on Obama/Biden/Bezos, etc. Trying to get money. Got data from internal employees
  • Fake social media

Espionage

  • Steal sensitive data
  • Espionage is like a double life
  • Affects personality
  • Traits (thrill seeking, sense of entitlement, desire for power/control) are also found in politicians and CEOs
  • Helpful to be calm (see in tech a lot) and strong sense of responsibility
  • May have regrets after
  • Logical at the time
  • More life crises because more than one personality

Tips

  • When someone calls and says “is this Jeanne”, ask who it is rather than confirming
  • Be cautious when people ask you a lot of questions
  • No defense. Just try to avoid answering too many questions.
  • Be careful if they initiate call.
  • Think about info they should know. Ex: HR has employee id already

Human Traits

  • In psych, organized means have life together.
  • Psychopath – born that way. Sociopath – traumatic event started it

My take

Crux is an ex-cop. I like that they had someone from outside development for a different perspective than we usually get. He’s a good speaker and kept it interactive. The scenarios were fun to think about.

[kcdc 2022] getting started with site reliability engineering

Speaker: Shradha Khard

For more, see the table of contents

Notes

  • Site Reliability Engineering
  • Operations is a software problem.
  • SRE is what you get when you treat ops as software and staff it with software engineers
  • Software dev: idea -> strategy -> dev (design, code, test)-> ops(build, deploy, support) -> deliver (real world)
  • Ops – maintenance, system upgrades and installs, security, compliance, cost, support help desk escalations, vendor contracts
  • Conflict – dev wants new features, ops want to make sure it doesn’t break

DevOps

  • SRE implements DevOps.
  • SRE is a substream
  • Ensures durable focus on engineering. Need to make sure product up and running. 50% time automate to make sure that happens
  • ex: augment S3 bucket
  • See how fast can make changes without violating SLO
  • Error budget – metric for how unreliable a system is allowed to be
  • Monitoring is not just logging in system. Need to alert and ticket too
  • Change management
  • Demand forecasting/capacity planning
  • Provisioning
  • Efficiency and Performance
  • SRE doesn’t replace DevOps people who deploy to cloud

Enabling SRE/How to Start

  • Centralized SRE team (core platform, networking)
  • Embedded (full team members of project team, teach devs how to manage, work with core team)
  • Need same skillset as dev to be SRE

Metrics

  • MTTR – mean time to recovery – how long to get system healthy again. Emergency response helps with this
  • Lead time to release or rollback
  • Improve monitoring to catch and detect issues earlier
  • Establish error budget to have budget based risk management

Service levels

  • SLA (service level agreement) – legal agreement. Often involves compensation if not met
  • SLO (service level objective) – number which SLI should be before needing improvement
  • SLI (service level indicator) – metric over time. Quantitative measure – ex: throughput, latency, error rate, utilization
  • 3 nines (99.9%) – 10 minutes per week, 8.8 hours per year
  • 4 nines – 1 minute per week, 52 minutes per year
  • 5 nines – 6 seconds per week, 5 minutes per year
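The SLI/SLO/error budget arithmetic above (and the "error budget" bullet in the DevOps section) worked through in code. This is an added example, not from the talk; the incident list is constructed, and the nines figures it reproduces are the rounded ones in the notes.

```python
"""Error-budget arithmetic for the SLO/SLI definitions in these notes."""
from datetime import timedelta

WEEK = timedelta(weeks=1)
YEAR = timedelta(days=365)


def nines(n: int) -> float:
    """'3 nines' -> 0.999, '4 nines' -> 0.9999, and so on."""
    return 1 - 10 ** -n


def allowed_downtime(slo: float, period: timedelta) -> timedelta:
    """Error budget: the share of a period a service may be unavailable."""
    if not 0 < slo < 1:
        raise ValueError("SLO must be a fraction strictly between 0 and 1")
    return period * (1 - slo)


def availability_sli(incidents: list[timedelta], period: timedelta) -> float:
    """Time-based SLI: fraction of the period the service was up."""
    downtime = sum(incidents, timedelta())
    return 1 - downtime / period


def budget_status(slo: float, incidents: list[timedelta], period: timedelta) -> dict:
    """Compare outage time against the error budget for one period."""
    budget = allowed_downtime(slo, period)
    spent = sum(incidents, timedelta())
    return {
        "budget": budget,
        "spent": spent,
        "remaining": budget - spent,          # negative once the budget is blown
        "within_slo": availability_sli(incidents, period) >= slo,
    }


if __name__ == "__main__":
    for n in (3, 4, 5):
        print(f"{n} nines: {allowed_downtime(nines(n), WEEK)} per week,"
              f" {allowed_downtime(nines(n), YEAR)} per year")
    # Constructed week: two short outages against a 3-nines SLO.
    incidents = [timedelta(minutes=4), timedelta(minutes=3, seconds=30)]
    print(budget_status(nines(3), incidents, WEEK))
```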

Incident Management

  • Goals: Restore service to normal and minimize business impact
  • Be able to get the people who can help solve it
  • Log of events so can see when started
  • Blameless post mortems

Books

  • Google book "Seeking SRE"
  • Google book "The Site Reliability Workbook"
  • Book: Implementing Service Level Objectives

My take

There was a lot of info, but easy to follow. It was great to see a structured intro vs the random things I’ve read online.

[kcdc 2022] diving into debugging spring boot applications

Speaker: Mark Heckler @mkheck

For more, see the table of contents

Notes

  • Developers don’t believe in magic
  • Most developers are bad at debugging. Or at least not as good as they could be
  • We get sloppy when we get used to thinking we know what’s happening
  • Important to isolate problem and not just symptoms

Code walkthrough

  • @SpringBootApplication – meta-annotation. Enables the other scanning annotations
    • @SpringBootConfiguration
    • @EnableAutoConfiguration
    • @ComponentScan
  • Starter parent pom has dependencies that have been tested together. Provided in dependency management so can choose what need
  • Proved @Component still creates a @Bean
  • SpringApplication.run returns a ConfigurableApplicationContext. We don’t typically use it directly, but can look into it.
  • ApplicationRunner (creates prop object from args) vs CommandLineRunner (has args as array). The latter is slightly more efficient.
  • @Value lets you get a property

Overwriting name

  • application.properties with wrong key name. Typo causes code not to use the value
  • application.yaml – ignored; still uses application.properties because higher precedence

Actuator

  • Can expose a lot of info
  • By default, opens two endpoints, status and one other. If want actual info, allow by privilege.
  • Can expose everything via management.endpoints.web.exposure.include=* (don’t do this in prod)
  • localhost:8080/actuator – see endpoints
  • localhost:8080/actuator/env – see Java version, list of beans, etc (so can see order)
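The "don’t do this in prod" setting beside a hardened application.properties, as an added example (not from the talk). The only assumption is a separate management port; the property keys are Spring Boot’s own.

```properties
# Weak: every actuator endpoint is reachable over HTTP, including /actuator/env
# (environment and config values) and /actuator/beans (application internals).
management.endpoints.web.exposure.include=*

# Hardened: expose only what operators need and keep the sensitive ones off the web.
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=env,beans
# Show health details only to authenticated, authorised callers.
management.endpoint.health.show-details=when-authorized
# Assumption: serve actuator on a separate port that is not published to the internet.
management.server.port=8081
```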

Remote debugging

  • In IDE config, set -agentlib:jdwp=transport=dt_socket,server.. (missed the end)

Container

  • Can set config in Dockerfile.

Key point

You don’t know. You can suspect and hypothesize, but not assume.

My take

I like that Mark showed Spring source code to show what was happening. It took a long time to get to the first thing that went wrong (missing property). (40 minutes in; another session was already applauding by then). Once he got to that part, I started learning stuff. Mark also seemed rushed for the end and that info went too fast for me. (Combo of it being new and I think he was going faster.) Also, using the audience members as names in the example was fun.