October 25-27, 2010 MTCC, Toronto, ON, Canada
The first round of speaker selections has been announced! Please continue to check back for information on our second round of speaker selections in the near future. SecTor 2010 will be pleased to present the following:
Keynotes: To Be Announced
- TBA
Moving to the new security model in SharePoint 2010: claims-based authentication
- Reza Alirezaei
Having the right security model in place is critical to the protection of your SharePoint farm and its content. Thankfully, Microsoft has added a new security model to SharePoint 2010 named claims-based authentication, which makes all this a lot easier to set up, manage and program against. In this session we will take a look at how you can focus on real business problems by leveraging the authentication plumbing that's already been built for you. We will set up the existing SharePoint web authentication to use a claims provider and walk you through both the developer and administrator experience.
SCADA and ICS for Security Experts: How to avoid cyberdouchery
- James Arlen
The traditional security industry has somehow decided that they are the white knights who are going to save everyone from the horror of insecure power grids, pipelines, chemical plants, and cookie factories.
Suddenly, every consultant is an expert and every product fixes SCADA.
And because they don't know what the hell they're talking about -- 'fake it till ya make it' doesn't work -- they're making all of us look stupid.
Zorro in Arkham
- Christopher Boyd
What happens when the bad guys fight back?
With the introduction of blogs, security became more personal - however, it also became more dangerous. In an environment where we’re encouraged to not only write about bad files but also bad people, direct interaction is often inevitable. As a result, malicious individuals who perform bad deeds online are only ever one blog entry away from putting a security researcher in the crosshairs. For six months, I came under sustained attack from at least three groups of trolls, social engineers and script kiddies who had one thing in common: wanting to gain access to my personal information, networks and contacts then use that data to force me offline through a combination of real world and digital attacks.
This presentation will show you how to defend yourself, steps companies can take to make their researchers safer and what can go wrong if you don't address this particular threat. It's not a case of if they'll come for you, but when...
SDL Light: A practical Secure Development Lifecycle for the rest of us
- Marisa Fagan
Security companies are beginning to attack the problem of software vulnerabilities at the source, the development process. Secure coding programs like Microsoft SDL, OWASP SAMM, and BSIMM save the organization money and time by taking the bugs out at the beginning and avoiding costly incident response nightmares. Chris Wysopal, CTO at Veracode, says "Many of these methodologies are fairly new. Many development organizations don't have the process rigor or the resources to do anything more formal than use one tool or service as part of the development lifecycle." A survey done by Errata during RSA shows there is a great demand in the industry for making these secure coding programs more affordable and less resource intensive.
Mastering Trust: Hacking People, Networks, Software, and Ideas.
- Pete Herzog
Why can't we make the right decision all the time? Our sense of trust is broken. Lies, deceit, fraud, and insinuations make up a large part of crime for a reason. We are bad at trust. It's in our biology. It's why we sometimes make the wrong friends, date the wrong people, buy the wrong car, and do things that in retrospect were really really dumb. Now consider the fact that trust makes up the majority of security decisions from who you let in to what you connect to and you see we have a very big problem. This talk shows you how we are broken, how to analyze and test trusts, how the ISECOM trust metrics work, how they are used to replace risk assessments in many organizations, and how they can help you make better overall decisions.
CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity
- Chris Hoff
Mass-market, low-cost, commodity infrastructure-as-a-Service Cloud Computing providers abstract away compute, network and storage and deliver hyper-scalable capabilities.
This "abstraction distraction" has brought us to the point where the sanctity and security of the applications and information transiting them are dependent upon security models and expertise rooted in survivable distributed systems, at layers where many security professionals have no visibility.
The fundamental re-architecture of the infostructure, metastructure and infrastructure constructs in this new world forces us back to the design elements of building survivable systems focusing on information centricity -- protecting the stuff that matters most in the first place.
The problem is that we're unprepared for what this means and most practitioners and vendors focused on the walled garden, perimeterized models of typical DMZ architecture are at a loss as to how to apply security in disintermediated and distributed sets of automated, loosely-coupled resources.
We're going to cover the most salient points relating to how IaaS Cloud architecture shifts how, where and who architects, deploys and manages security in this "new world order" and what your options are in making sustainable security design decisions.
400 Apps in 40 Days
- Sahba Kazerooni and Jason Lam
You are an information security practitioner who finds themselves responsible for the security of their organization’s data. From an application perspective you are most likely looking at hundreds, if not thousands, of internet-facing domains. How do you prioritize one over another? How do you do this on-time and on-budget? This presentation aims to provide answers to these classic challenges. Sahba Kazerooni and Jason Lam will present a real-world case study where the requirement is simple: Reduce the risk to an organization from all external-facing applications. The discussion is interwoven with lessons of attack surface discovery, risk analysis and application assessment methodology.
Into the Black: Explorations in DPRK
- Mike Kemp
North Korea scares people. Allegedly DPRK has a super l33t squad of killer haxor ninjas that regularly engage in hit-and-run hacks against the Defense Department, South Korea, or anyone else who pisses off the Glorious Leader. DPRK also has no real Internet infrastructure to speak of (as dictators don't like unrestricted information), although it does have a number of IP blocks (unused?).
This talk examines some of the myths about DPRK, and some of their existing and emerging technologies. This talk also examines some of the available infrastructure associated with DPRK (funnily enough some of which is in South Korea and Japan) and explores the potential technical threats posed by a pernicious regime, as well as exposing some of the huge gaps in logic that have led to the world potentially engaging in chicken little syndrome when it comes to DPRK. No 0days will be demonstrated, however this talk will discuss some new information that hasn't yet been made public, and will hopefully call time on the whole 'cyberwar' sideshow.
What's Old Is New Again: An Overview of Mobile Application Security
- Zach Lanier and Mike Zusman
The ever-increasing prevalence of mobile devices brings with it a slew of security problems. Applications running directly on mobile devices (and web apps optimized for mobile clients) are ripe for the picking even by unsophisticated attackers. The attack classes that once applied to traditional network-facing, fat client, and web applications are now valid for mobile apps, as well. Insecure authentication and access control; home-grown crypto; and memory management problems are just some of the issues resurfacing on this new frontier. This presentation will discuss the security of some of the most popular applications running on mainstream mobile platforms such as Android, iPhone, Blackberry, and Windows Mobile.
Into the Rabbit-Hole
- Rafal Los
Since the caveman first fashioned a spear humans have been using tools to make them more efficient and effective. Unfortunately, today's analysts often misunderstand the role tools play in testing web applications. While tools can be quite good at mapping a web application's attack surface there is still much human analysis that must be done to find the elusive defects that lie just below the surface. That human analysis is daunting and irregular ... until now.
The answer is an execution-flow-based approach to application security testing. By first understanding application logic and execution flow it is possible to completely map a web application's attack surface, and therefore fully test the application. Along the way we will cover understanding the principles of application-flow analysis, application process mapping and building execution-flow diagrams (EFDs) which together form a complete picture of the web application and allow an analyst to do a thorough job. This talk focuses on how to get the whole picture of the application by mapping logic and execution flow of the application and uncovering potentially critical defects.
Beyond Exploits: Real World Penetration Testing
- HD Moore
This presentation focuses on abusing design flaws, configuration errors, and information leaks to gain access to typical environments. The open source Metasploit Framework will be used as a demonstration platform to illustrate how low-risk information leaks can be combined to gain administrative access to a target network.
Securing your network with open-source technologies and standard protocols: Tips & Tricks
- Nick Owen
We are continually asked “Does your product work with VPN X?”. This is the wrong question. The right question is whether any product on your network supports the authentication protocol you have chosen as a standard. Once you decide on a standard, the world opens up to you. Specifically, the world of open source software. After briefly discussing authentication protocols I will demonstrate how easy it is to protect various software packages and remote access solutions, such as SSH, Apache, OpenVPN, FreeNX, etc., with two-factor authentication.
Many people are simply not aware of the open-source remote access solutions available and still more are not aware of how to integrate them into a network. This talk seeks to rectify that.
Sniper Forensics v2.0 - Target Acquisition
- Christopher Pogue
Last year at SecTor, Christopher debuted "Sniper Forensics", which illustrates how to use live analysis techniques to improve the efficiency and accuracy of forensic investigations. Since then Sniper Forensics has been given at two other computer security conferences! Now, Sniper Forensics v2.0 Target Acquisition will cover the questions most asked by audience members of Sniper Forensics. Where do I begin? What questions do I ask? How do I know when I have a target? How do I integrate my findings into my report? How do I use Sniper Forensics to run my investigation? These questions and others will be addressed!
Pentesting iPhone Apps
- Subu Ramanathan
As most of today’s service oriented applications are starting to support clients on mobile devices such as the iPhone, security analysts are required to extend their existing arsenal of pentesting-fu. This tutorial will give existing pentesters a quick technical insight into assessing SOA application clients on the iPhone.
Web Application Payloads
- Andrés Pablo Riancho
This talk will introduce attendees to the subject and show a working implementation of Web Application Payloads that uses the "system calls" exposed by vulnerable Web Applications to collect information from, and gain access to, the remote Web server.
The Web application payloads implementation was developed as a part of the w3af framework, an open source Web application attack and audit framework developed by contributors around the world since 2007 and led by Andrés Riancho (the speaker) since its conception.
Smashing the stats for fun and profit v.2010
- Ben Sapiro
(or how to convince your boss to spend properly on security)
We all know that security vulnerabilities need to be fixed but it can be hard to convince your employer that you deserve a budget so you can do your job properly.
Using research from the 2010 Canada wide security survey, we'll explore (FUD and vendor Free) the following topics:
- Do people still forget about application security?
- Which approaches work in getting the business to understand security issues?
- How much should you spend on security?
- What’s the right way to identify security problems in your environment so they get fixed?
The talk will cover the all-new 2010 survey data together with unique content for SECTOR attendees.
Exploiting Computational Slack in Protocol Grammars
- Len Sassaman
Language-theoretic security uses the principles of formal language theory, computability theory, and formal semantics to evaluate the security properties of computational protocols. In its ideal form, it is used to build and verify secure systems; however, the same techniques software architects use to prevent entire classes of attacks against a language-theoretically secure protocol also enable attackers to systematically discover attacks against non-LT-secure protocols, particularly those deployed in dynamic environments with multiple implementations of the same specifications.
We will discuss the fundamentals of language-theoretic security, then explain how we applied these principles to the analysis of X.509, leading to our recent multiple vulnerability break of the Internet certificate authority infrastructure. We will also outline steps for realizing the security potential of LTS-aware protocol stacks compatible with the existing Internet infrastructure.