SOURCE Boston 2011 Conference RECAP
Posted: 27 Apr 2011 05:46 PM

 

 

I returned this past weekend from SOURCE Boston, where I presented the new features and architecture of Fireshark v2.

I have had the opportunity to speak at many conferences before, but this was my first time doing so in my university town of Boston (Northeastern), and my first time speaking at SOURCE. SOURCE has conference locations in Seattle, Barcelona, and Boston, and attempts to bring security experts together to create a very positive mix of business needs and technology expertise. Boston is a bustling city with a number of technology companies and top universities. The location alone is worth the visit.

That aside, I was impressed with some of the presentations I saw. Here are a few worth mentioning, which are available online at http://www.sourceconference.com/boston/speakers_2011.asp:
 

  • On The Use of Prediction Markets in Information Security - Dan Geer, Alex Hutton, Greg Shannon
  • The Exploit Intelligence Project - Dan Guido, iSEC Partners (great talk!) 
  • Incursion - From Internet To SCADA, Critical Systems Compromise Case Studies in Pictures - Val Smith, Attack Research, and Chris, SecureDNA 
  • Fuel for pwnage: Exploit kits - Vicente Diaz and Jorge Mieres, Kaspersky Lab
  • Reverse Engineering Flash Files with SWFREtools - Sebastian Porst (Flash analysis tool released!)
  • Reversing Obfuscation - Adam Meyers, SRA International
  • Streamline Incident Types for Efficient Incident Response - Predrag Zivic and Mike Lecky, Canadian Tire (really interesting talk on identify tracking)
  • Network Stream Hacking with Mallory - Raj Umadas, Jeremy Allen, The Intrepidus Group (Mallory is a tool worth checking out!)
  • Adding another level of hell to reverse engineering - Ben Agre, Raytheon (Something that we as reverse engineers will have to become accustomed to more and more: used junk code!)


and finally...

My presentation: Fireshark v2 - An Analysis Toolkit for Malicious Web Sites - Stephan Chenette, Principal Security Researcher, Websense Labs (to be publicly available on or before May 5)

(Figure 1: Stephan Chenette introducing Fireshark v2, an analysis tool kit for malicious websites)

 

I want to thank Stacy Thayer, SOURCE founder, the SOURCE advisory board, and all attendees.

(Figure 2: SOURCE founder, Stacy Thayer)

 

 

Upcoming Security Conferences in 2010
Posted: 04 Jun 2010 05:00 PM

 

Although not an exhaustive list of upcoming security conferences, here are a few of the conferences taking place this summer and into 2011 that we recommend. Many of our researchers are speaking at these conferences, so plan on seeing some of their talks. They will give you a glimpse into various research projects being worked on inside our labs.

 

   -- this symbol indicates that we'll be speaking at the conference

 

June

 


EUSecWest

When: Jun 16 – 17, 2010
Where: Leidseplein, Amsterdam, Netherlands

 

Presentation: DarunGrim - A Tool for Binary Diffing and Automatic Vulnerabilities Pattern Matching
Websense Security Labs Researcher: Jeongwook (Matt) Oh

 


SyScan Singapore

When: Jun 17 – 18, 2010
Where: Singapore

 

Presentation: An RIA Security Solution - Flash and PDF Threat Handler
Websense Security Labs Researchers: Ulysses Wang & Hermes Lei Li


July

 


RECon

When: Jul 9 – 11, 2010
Where: DoubleTree Plaza Montreal, Montreal, Canada

 

Presentation: Using Fireshark to analyze a malicious Web attack
Websense Security Labs Researcher: Stephan Chenette


The Next HOPE

When: Jul 16 – 18, 2010
Where: Hotel Pennsylvania, New York, NY, USA

 


BlackHat USA

When: Jul 24 – 29, 2010
Where: Caesars Palace, Las Vegas, Nevada, USA

 

Presentation: ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically
Websense Security Labs Researcher: Jeongwook (Matt) Oh

 

BSides Las Vegas

When: Jul 28 – 29, 2010
Where: Las Vegas, Nevada, USA

 


DEFCON 18

When: Jul 29 – Aug 1, 2010
Where: Riviera, Las Vegas, Nevada, USA

 

Presentation: ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically
Websense Security Labs Researcher: Jeongwook (Matt) Oh

 

August


SyScan Taipei

When: Aug 19 – 20, 2010
Where: Taipei, Taiwan

 

 

September

 

SOURCE Barcelona

When: Sep 21 – 22, 2010
Where: Museu Nacional D’art de Catalunya, Barcelona, Spain

 


BRUCON 2010

When: Sep 24 – 25, 2010
Where: The Surfhouse, Brussels, Belgium

 

Presentation: Fireshark - Linking the Malicious Web (NG)
Websense Security Labs Researcher: Stephan Chenette

 

SyScan Vietnam

When: Sep 25 – 26, 2010
Where: Ho Chi Minh City, Vietnam

 


Virus Bulletin

When: September 29 – October 1, 2010
Where: Vancouver, BC, Canada

 

Presentation: P0isoning the social web
Websense CTO: Dan Hubbard

 

Presentation: Categorizing the entire web with autonomous system numbers
Websense CTO: Dan Hubbard & Websense Security Labs Researcher: Saeed Abu-Nimeh

 

October

 

MaLWARE 2010

When: October 20-21, 2010
Where: Grand Hotel De La Reine, Nancy, France


November

 

PACSEC

When: November 10-11, 2010
Where: Aoyama Diamond Hall in Tokyo, Japan

 

 

December

 

RUXCON 2010

When: Dec 4 – 5, 2010
Where: Royal Melbourne Institute of Technology (RMIT), Melbourne, Australia

Anonymous

RSA 2010 Recap
Posted: 09 Mar 2010 04:39 AM

Dan Hubbard, myself, our awesome event managers, and the rest of the Websense crew have arrived home after attending and presenting at RSA 2010 in San Francisco. It was another successful year as the conference was very well attended and the presentations were quite informative.

Figure 1: Stephan Chenette's FireShark RSA Talk

 

Figure 2: Dan Hubbard's Threats to Cloud Computing RSA Talk

I presented the details of a Web security Firefox plugin called FireShark that I will soon be releasing as open source. The plugin helps in visualizing various Web attacks such as mass URL injection attacks like Gumblar, Beladen, or Nine-ball. I have to personally thank Wladimir Palant, whom you should know from his development effort on a plugin called Adblock Plus. Wladimir was instrumental in offering tips on Firefox plugin writing. Thanks Wladimir!

Essentially, FireShark is a local plugin that, when used in a clustering architecture, can become a very powerful mechanism for visualizing the malicious Web. In my presentation, I shared several real-life scenarios of compromised Web sites. On one occasion, FireShark mapped out one particular malicious community; later, when Operation b49 was exposed, it turned out that many of the hosts involved were also Waledac spamming domains. FireShark made it easy to see that these domains were acting as control points, redirecting users from legitimate compromised Web sites to landing pages serving rogue antivirus. Moreover, FireShark's post-processing mechanism could conduct analysis on compromised machines, intermediary machines, and the final landing pages, so that not one piece of information was left unknown. This includes the original source code, the de-obfuscated source code (final DOM view), and any window prompt or malware that the user is optionally asked to download and install. This is useful for one Web site, but FireShark does this for millions of sites every day. By correlating the normalized data, FireShark is able to link various attacks previously assumed to be unrelated.

Figure 3: A Web site that was compromised and part of a small malicious community, graphed with GraphViz from FireShark output
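The correlation step described above, sketched as an added example (not FireShark's code or its output format): given one redirect chain per crawled page, it finds intermediary hosts shared by several compromised sites, groups hosts into communities, and emits GraphViz DOT. The chain layout, function names, and `.example` hostnames are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: one redirect chain per crawled page, ordered from the
# compromised entry site through intermediaries to the final landing page.
# The layout and every hostname are assumptions, not FireShark output.
CHAINS = [
    ["blog.shop-a.example", "cdn-stats.example", "av-scan-alert.example"],
    ["forum.club-b.example", "cdn-stats.example", "av-scan-alert.example"],
    ["news.site-c.example", "trk-hop.example", "cdn-stats.example", "pc-cleaner.example"],
    ["wiki.org-d.example", "ads-lone.example", "prize-page.example"],
]

def build_graph(chains):
    """Directed redirect graph: host -> set of hosts it redirected to."""
    edges = defaultdict(set)
    for chain in chains:
        for src, dst in zip(chain, chain[1:]):
            edges[src].add(dst)
    return edges

def control_points(chains, min_sites=2):
    """Intermediary hosts (not first or last hop) reached from >= min_sites entry sites."""
    seen = defaultdict(set)
    for chain in chains:
        for hop in chain[1:-1]:
            seen[hop].add(chain[0])
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_sites}

def communities(chains):
    """Group hosts that are linked through any shared host (union-find)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for chain in chains:
        for host in chain[1:]:
            parent[find(host)] = find(chain[0])
    groups = defaultdict(set)
    for host in parent:
        groups[find(host)].add(host)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)

def to_dot(edges):
    """Render the graph as GraphViz DOT text."""
    body = [f'  "{s}" -> "{d}";' for s in sorted(edges) for d in sorted(edges[s])]
    return "\n".join(["digraph redirects {", *body, "}"])
```

On the sample data, `cdn-stats.example` is the only host flagged as a control point, and three apparently unrelated compromised sites collapse into one community through it; `to_dot(build_graph(CHAINS))` can be fed to GraphViz for rendering.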

 

Figure 4: Stephan Chenette (me) speaking at RSA

I sat down with Rob Lemos in an interview while at RSA; so if you're interested in knowing more about FireShark until it's released, you can read the article here.

Days before my presentation, Dan Hubbard co-presented with researchers from ZScaler outlining some of the current top cloud computing threats. Dan's presentation as well as all presentations given at the Cloud Security Alliance conference at RSA can be found here.

Here are a few images of the conference. If you were there, you know that our Websense booth was not easy to miss; it was probably the largest and most impressive booth I've ever seen.

Principal Security Researcher: Stephan Chenette 

 

 
