Sangria, tapas and hackers: SOURCE Barcelona 2010

I am writing this report sitting in an airplane on the tarmac of the Barcelona airport waiting for the traffic controller to give us the green light for departure.

There are transport union strikes in France at the moment, which influences all the traffic around these parts of the Europe. My colleague Mirko, Help Net Security’ Editor in Chief, planned to fly to Brussels to attend BruCON, but because they have just cancelled his flight we won’t be streaming any BruCON videos this year.

We spent four fantastic days in Barcelona attending our first SOURCE Conference. Apart from the one in Barcelona, there are two more affiliated SOURCE conferences that will be held throughout the year: the “original” one in Boston and the one they will be premiering mid June next year in Seattle.

Stacy Thayer and her team of staffers and local volunteers run a terrific event based on the classic two-tracks formula – one more technical and the other one focusing on business of security.

What I really like about SOURCE is that it caters to a group of some 80 people, which makes it very easy to meet with and talk to every participant and speaker. The majority of the attendees and lecturers are well known in the information security community – they are speakers at major industry events or influential researchers you are definitely familiar with via their blogs or Twitter streams.

The best way to describe the SOURCE crowd is as one big family and this is surely one of the reasons of the success of this event. People spend whole days together – sharing the rented apartments, attending the event, enjoying tapas and sangr?­a in the evenings.

Stacy Thayer – the alpha and omega of the conference – chose Barcelona because she really liked the vibrant nature of the city and its beautiful architecture, and because there weren’t any security events held in this city. Although, the conference will be getting some competition this year as – after years of doing the show in Amsterdam – Black Hat switched locations and will now be held in Barcelona, too.

SOURCE Conference is held at the MNAC (Museu Nacional d’Art De Catalunya), an astonishingly beautiful building located just north of Pla?§a d’Espanya, on the hills of Montjuïc. The conference venue is located in the west part of the giant hall and it consists of two smaller auditoriums – one per track.

Over 70 talks were submitted to the organizing board and about 22 of them passed the selection. The selected speakers were a global bunch of security geeks.

The event started at 10 am – one hour later than the usual start of the Boston event or the 2009 Barcelona event. Stacy mentioned this was a result of the attendee feedback from the past year and I am all for it – Barcelona lives and breathes a bit differently, and it is not unusual to go to a dinner at around 10 pm.

This year’s SOURCE in Barcelona was opened by PriceWaterhouseCoopers’ information security honcho William Beer with a presentation based on a report commissioned by the UK Government Technology Strategy Board. Mr. Beer discussed the drivers that will have the influence on shaping up the state of information security until 2020 and beyond.

I have attended eight lectures, so I’ll share some information on them. The keynote was followed by a joint presentation by Verizon Business’ Alex Hutton and Paypal’s Allison Miller, in which they shared their experience on simple, but effective approaches to threat modeling.

Brian Honan from Ireland delivered a speech on setting up a CSIRT, during which he walked us through a scenario of organizing a CERT. We recently did a Q&A with Brian on this topic, so I was really interested in hearing more details. My hat off to him and his team, it was certainly tough to set everything up – especially because they have no government backing. Setting it up was a formidable task, but running daily operations on a volunteer basis is awe-inspiring.

Jayson Street, author of “Dissecting the hack: The F0rb1dd3n Network” and co-founder of ExcaliburCon – the first information security (hacking) event to be held in China, gave a dynamic speech on social engineering.

His take on it was a combination of historical pre-social engineering “attacks” including Egypt’s Amenhotep III and the popular Trojan horse story, to practical variations on the methods he is using right now. He also shared some general views on what should social engineering focus on in different parts of the world. As a side note – we did a couple of videos with Jason during the event, so expect them to go online within the next couple of weeks.

The first day ended with a presentation by Barnaby Jack on “jackpotting” of ATM machines. He managed to hack some ATM machines and practically turned them into personal cash dispensers. I missed the presentation when he had it during Black Hat, so it was nice to see it now. At Black Hat, he managed to get the machines transported to the conference venue (about nine hours of driving), but in Barcelona we used the powers of live streaming to witness the effects of his hack.

He was running the code remotely from Barcelona and we had the video feed to show the results from the United States’ East coast. As a side note – in Las Vegas, he didn’t have the statistics for the number of this type of vulnerable ATMs in the U.S.A., but now he shared the figures – Tranax (the manufacturer of the ATMs in question) has a share of about 30% of around 450,000 ATMs in the United States.

The second day started with a three-hour long panel on anti-virus testing methods and procedures. On the first day we talked with the panel moderator David Sancho and had planned some good questions for the panel, but unfortunately we just found out that the flight to BruCON was canceled so we had to spend the time checking for alternatives and possible workarounds.

Andrew Hay and Chris Nickerson spent 45 minutes entertaining the attendees with a very interesting take on creating a dialogue between tech people (hackers) and the decision makers. They touched a number of scenarios we come across often and each took his side and discussed it from either a hacker (Chris) or business (Andrew) perspective. This was surely one of the best speeches at SOURCE Barcelona.

Moving back to the security and tech auditorium, I attended the Bruce Oliveira and Jibran Ilyas talk, where these Trustwave guys shared their views on the black hats they come across in their line of work (penetration testing and forensics). A heated debate started during the talk about whether these particular black hats were, in fact, just script kiddies.

The final lecture of this year’s Barcelona event was held by two local “boys” – Vicente Diaz and David Barroso from S21Sec. They did a thorough analysis of the popular underground forum Carders.cc – from its golden days after a competing forum went offline, until its demise after the server was broken into and all the information it contained shared via RapidShare.

As far as I’m concerned, the speakers were interesting, the possibilities for networking were great, the atmosphere was relaxed, and I can’t wait for the 2011 event!