Conference Review: Nordic Sec Conf (NSC2013)

TL;DR: NSC is freaking amazing. Sell your house, kids or 0day, just get there

MWR’s Nils and Jon were presenting at NSC2013 about how they pwned Chrome, and after looking at the schedule and knowing the Syndis guys would throw an awesome conference, I decided to tag along.

The Venue

NSC is held in Reykjavik, Iceland. I’d never been to Iceland before and this was part of the experience. Iceland is a staggeringly beautiful country and the blue lagoon is probably the most picturesque place I’ve had a beer. The food, people and scenery are all incredible. If (when) you go to NSC, do take some time to explore Iceland and renting a 4×4 is recommended too.

[Picture of jeep]

The Conference

The conference was at the Hilton and had some great speakers. The morning was filled with keynotes and management talks, lunchtime had a perspective talk, and in the afternoon the technical talks were divided into offensive and defensive tracks. Particular highlights were:

  • Katie Moussouris – Economics of a bug bounty: Katie spoke about how by paying for vulns during the IE11 preview period, Microsoft shifted the peak of when vulns are reported to the Beta/Preview phase, rather than once released. As pushing out patches costs MS significant money in testing, this saves the company a large amount of money. During the IE11 preview period they had 18 bulletin class issues reported, as opposed to none reported during the IE10 preview period (when there was no bug bounty).
  • Zane Lackey – Attacker Driven Defence: A great talk on how to defend like an attacker and how Etsy manage their security internally. Some nice ideas, and it coupled well with the later talk by the Etsy web app team. A key takeaway was that “Culture is the best security mechanism we have”. An example was spending less effort on educating people about not falling for phishing campaigns and more on rewarding people for reporting phishing campaigns to the security team, which allows them to respond.
  • Rich, Brandon, Zane – Asking To Get Owned: Thoughts on how pentesting shouldn’t just be a tick in the box but should be a thorough attack that mimics real attackers and provides defenders with an understanding of which assets an attacker will go after on their network and why. Attackers will always be able to get past the perimeter, so what happens after that is arguably more important than just asking “will they get in?”
  • Jason Healey – 8 Conflicts That Changed Cyberspace: Nice overview of some key moments in hacking. Extra points for including the Cuckoo’s Egg.

Party

The conference party was one of the best I have been to. With a conference size of around 200, it was actually possible to meet new people and swap ideas over beer. The venue was an upsettingly trendy modern building filled with antique furniture, and the evening was capped off by a set from Dr. Raid including burns such as “you couldn’t 0wn a box if you purchased it”.

CTF

The CTF finals were held at the stunning Reykjavik University and took the form of 9 contestants, each with a VM, having to both attack the others’ VMs and defend their own for an hour. A few of our interns made it through to the final and one flew out for the competition. It was compèred by Syndis’ Ymir, who did a great job making hacking into a spectator sport. Congrats to all who played, but particularly the winner Sölvi, who had prepared some tidy ready-to-roll scripts that put him into a fairly unassailable lead within minutes.

[Picture of CTF]

Conclusion

Amazing country, speakers, people, party and CTF. If I get to pick one conference for next year it’s going to be NSC unless someone finally launches BoraBoraCon.