SANS Sydney 2009 Wrap-up

Another awesome six days of SANS security training in Sydney has wrapped up. I get to go home, lie on the floor facing down and sleep for 12 hours straight.

This SANS event was much less hectic than normal and the tranquility continued to the end of the week. Well, apart from the fire alarms, random practical jokes, Mentos attacks and the not-so-covert “bring 709 to Oz” campaign.

Finding the venue, the Marriott Hotel, was easy, student sign-up was a calm, well ordered affair and coffee flowed non-stop from the stocked machines. Like the three other volunteers, I was bedecked in the fetching new black SANS APAC polo shirt; black, it seems, really is this year’s black. Damian, Wouter, Craig and I glided around in the background dispatching books, bags, welcome packs and the new APAC SANS shirts to the students. Ray from Shearwater seamlessly sorted out the late or mis-registered and sent them on their way.

Ray was instrumental in the smooth, seamless running of the entire event, with the help of the trusty volunteers, of course. It’s a heck of a lot more work than you’d think looking in from the outside and keeping all those balls in the air is an art form. If only he was available for parties and holiday planning ;-)

Eric Cole, PhD kicked off the conference with an early morning welcome to SANS speech to a large, awake, amused and well caffeinated group at 8:15am.

The group then dispersed, after one more assault on the coffee machines, into the four classes: 401, 501, 542 and 560.

I was the very lucky work study volunteer for 501: Advanced Security Essentials – Enterprise Defender, and will empty my thoughts on the course to a later blog posting.

Eric’s overview of the course and the intended audience actually drew a couple of students from the 401 class.

Eric is one of those great speakers that immediately engages and draws you along, as he deftly weaves relevant stories and details into the technical material. As a teacher, he brings a huge amount of value to the material and comprehensively answers questions asked and then adds that little special bit extra.

One point to note, he tells bad jokes. Eric freely admits to this particular failing; some are so bad they are actually funny. Or perhaps that’s what hearing a week of them is now making me think….

As for the other classes that ran, I heard and got enthusiastic, positive break time chatter from fellow students in those classes.

Steven Sims was a rock star to the 560 class, and the final day six course saw an epic battle between three groups. In the end, it was a nail biting race to the finish with one group only just beating the other two to complete the challenge. Two concerning, recurring events were Steve’s attempt at a British accent and magic trick with a coin. The former was Harry Potter inspired, but came out sounding as if he’d just escaped from Mary Poppins. The latter magic coin trick twice nearly killed unsuspecting passers-by. Ask him for a display of either talent. Actually, stop him and demand it. He’ll thank you for it, one day.

Mark Hofman took his merry band of fifty students through the 401. From chatting to a couple of his students, Mark kept the pace lively and added local Australian knowledge to the material, further adding to the course value and content. I have an abiding respect for anyone teaching that course; it has a huge and varied subject matter and trying to impart that knowledge in six days is an epic task.

Johannes Ullrich’s SEC542: Web Application Pen Testing In-Depth group had a lot of fun, but I shall leave commentary to Damian as he spent the entire week under Johannes’ watchful eye.

Steven Sims’ 709: Developing Exploits for Penetration Testers and Security Researchers course reached new levels of awareness among the Australian crowd after his Night 1 evening talk (see below) and the subsequent “bring 709 to Oz” campaign waged by a mysterious masked man. Let’s hope the tipping point was reached to get Mr Sims’ excellent course to these shores.

It was then I discovered that I’d been Mentos-ed, much to the amusement of all those around me. The clue should have been obvious really: my near empty SANS bag was bulging at the seams. I even found some in my shoes. Those pesky SANS instructors!

Mint anyone?

SANS at Night

SANS somehow convinces the instructors to spend an hour after classes have finished to talk on a favoured topic. This is great for the students, and well worth hanging around for. In fact, I’d go as far as saying you miss out on some real gems of knowledge by missing the guys.

This is, in a nutshell, what happened this time:

Night 1

Steve Sims – Advanced Penetration Testing: Compromising a Vulnerability through Discovery and Custom Exploitation

Mr Sims led a fast paced presentation on how to discover and exploit an application to a large crowd. This material was taken from his 709 course, so he skipped the very complex background explanations and details, which was lucky, as a number of the audience’s heads would have exploded if he had. Still, he squeezed in an overview, basic concepts, finding a vulnerability with fuzzing and then creating a working backdoor exploit. All compressed into an hour and in a format that we could all follow, comprehend and even make you feel “perhaps I could do this stuff”.

Steven’s a funny, intense guy who has a driving passion for what he does. The kind of energy that could get you over Everest, twice, and still leave plenty to hit the town until 6 am.

Night 2

Johannes Ullrich’s Software Security Street Fighting Style

I’m not a developer, and the sole developer in the room may have regretted admitting he was one. The talk premise was how to fix some of the more nagging issues with web coding today in some short, sharp, fast and nifty ways. Johannes decisively crushed the common buffer overflows, cross site scripting and SQL injection issues in code with a few well placed kicks and punches of coding kung fu. While not being a coder, the tips and pointers made sense and could take the pain out of a lot of developers’ lives from being harassed by people like me.

Night 3

Eric Cole’s Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective

Eric’s talk was remarkably thought provoking despite, in his own words, not being anything new or exciting, just solid common sense that was being missed. The 20 points weren’t magic, new technology or even particularly clever, but just rang true. It was all about getting the IT basics right and making sure business and IT people clearly understood each other. This is one of those talks I wish I would have dragged my CIO and CFO to. I’m pretty sure I would have had to drag them both OUT of the presentation once it had ended.

It was one of those “we need to work together to make IT work and be safe for the company” talks. It reinforced the fact that IT shouldn’t be alone to guard every aspect, but it is something everyone needs to be part of and management needs to champion.

I hope the talk and its points become a SANS webcast and I will get my bosses to watch it.

Night 4

GIAC Program Overview

Eric covered the ins and outs of the GIAC certification and STI Masters program to around 25 people. He took us through how SANS and GIAC work in conjunction. A number of questions came up which Eric answered. Basically if you do the course, do the exam – ’nuff said.

Night 5

Q209 GIAC Whitepaper Winner Zombie Profiling with SMTP Greylisting

A rather nervous Jeremy Koster faced a small crowd of 15 people to talk through his gold paper Zombie profiling with SMTP greylisting. It was a hot Friday night, and Day 5, so pretty much everyone was looking forward to getting outside that night. I felt it was a shame Jeremy didn’t get to speak to a larger audience, the content was excellent and the topic was surprisingly interesting. For his first time at public speaking he did a worthy job, a bit more practice and it would kill those nerves, giving that extra punch.

Jeremy outlined what he did, how he did it and what his conclusions were. His paper can explain it far better than I can, so have a read of it here. There is a huge potential to use his methods and conclusions for all sorts of related research.

Well, that was the short version of the six days.

We packed everyone off, including the luggage, in high spirits into the bright, hot Australian sun on Saturday. Steve Sims, Eric Cole and Johannes Ullrich, those crazy fools, are off to London to teach 709, 401 and 503 respectively.

2 Comments

  1. Wouter :

    Nov 17, 2009 12:32 pm |

    Nice wrap up of the event!
    How many mints left in the bag?

  2. Damian :

    Nov 18, 2009 8:38 am |

    I had nothing to do with that Aussie flag sticker being put on that box… it wasn’t me.. It wasn’t my idea… What flag?? what are you talking about??? WHO ARE YOU????

    I have photo evidence to prove it wasn’t me :D

    Oh, and nice write up Mentos Man…

    p.s. I had nothing to do with the Mentos either ;)
