Security Testing - Areg Alimian
The volume, variants and sophistication of security attacks are increasing exponentially. As Internet traffic volume increases, high-powered security devices such as unified threat management (UTM) platforms are needed to protect the data center from malware, denial of service attacks and loss of confidential data. This presentation will discuss security threats, countermeasures and security testing that must include a normal traffic performance measurement.
In this session you will learn about security best practices that you should follow when you are building enterprise SharePoint 2010 applications. You will particularly learn about claims authentication, sandboxed deployment, and the SharePoint security model, alongside the security holes that poorly written code can cause in your implementation.
Security When Nanoseconds Count - James Arlen
There's a brave new frontier for IT Security - a place where "best practices" does not even contemplate the inclusion of a firewall in the network. This frontier is found in the most unlikely of places, where it is presumed that IT Security is a mature practice: banks, financial institutions and insurance companies. High Speed Trading, High Frequency Trading, Low Latency Trading, Algorithmic Trading -- all words for electronic trades committed in microseconds without the intervention of humans. There are no firewalls, everything is custom and none of it is secure. It's SkyNet for Money and it's happening now.
It's time for your annual, mandated penetration test. It may not be accurate, but who cares? You passed! Your boss has a "warm fuzzy"! But where is the business value in testing the perimeter if the perimeter is not the target? It's time we stopped kidding ourselves and started looking at testing that actually does some good. The bad guys aren't going to try to exploit a web application and then stop because your boss decided that social engineering was deemed "out of scope". Join Kai Axford and his team of experts as they provide first-hand experience in explaining how to design and plan for a test that will actually work towards making you secure, not just compliant, and allow you to gain some true business value out of the exercise.
Walking on the Crocs back – when security measures fail - Travis R. Barlow
Mr. Barlow will discuss the current state of the nation in regards to security, and what happens when all of the shiny security tools, appliances, models and measures put in place fail in a bad way. Mr. Barlow will voice his personal and possibly controversial feelings on why today's security measures fail and what he believes will be the next new winning model that will emerge from the current ongoing security fiasco. Some aspects of this presentation are highly controversial, as this is a no-holds-barred, live, honest review of some of the most tried, true, and trusted technologies and methods, which will stir the audience and engage them in ways most presentations fail to.
The Search for Intelligent Life - Ed Bellis
For years businesses have been mining and culling data warehouses to measure every layer of their business right down to the clickstream information of their web sites. These business intelligence tools have helped organizations identify points of poor product performance, highlighting areas of current and potential future demand, key performance indicators, etc. In the information security field we still tend to look at our information in silos. Dedicated engineers solely focused on web application security, network security, compliance and so on, all while bemoaning a lack of support and information.
What if Information Security teams operated with the same insight as the product, marketing and business intelligence groups within their organization? Imagine if you had a data warehouse covering all of your applications, infrastructure, logs, vulnerability assessments, incidents, financial information, and meta data. What could you do with this readily available information?
By gathering and using both internal and public data, information security teams can utilize decision support systems allowing them to prioritize remediation efforts and react faster to issues. When looking through disparate data sources with a security lens, a security team can mine information that may expose threats through multiple vectors or paths.
In this talk, Ed will cover some of the many sources of security data publicly available and how to apply them to add context to your security data and tools to help make more intelligent decisions. Ed also points out a number of ways to repurpose information and tools your company is already using in order to glean a clearer view into your information security program and the threats that may affect it.
Near Field Communications (NFC) mobile security for those with No F'ing Clue - Corey Benninger and Max Sobell
As Near Field Communications (NFC) is integrated into our daily lives more and more (credit/debit cards and mobile payments, transit systems, ticketing systems), application developers should understand the risks of implementing NFC in mobile applications. This talk covers several current and proposed NFC implementations with case studies including attacks and mitigations, as well as the hardware basics behind NFC to better help developers and security testers understand the inherent strengths and limitations of NFC. The presentation will cover the ISO 14443 A and B standards, waveform modulation, and propagation across the RF channel. Demo attacks against NFC applications, including misdirecting FourSquare check-ins and malware which can intercept NFC intents to launch rogue applications, will be shown. Ensuring users' privacy becomes a key concern as more companies roll out NFC. We will show the data popular NFC-enabled applications store, including how it could be used to track when and where a device had been used. While the focus will be primarily on Android-based NFC applications, the security best practices apply in general to other NFC-enabled devices such as products from RIM and Nokia. The presentation includes an in-depth look at the NFC Data Exchange Format (NDEF), which is found across devices. Understanding and fuzzing this format can lead to parsers failing and crashing on malformed input, as will be demonstrated against Android's Tags application.
Built What? Why The Bad Guys Do It Better - Sean Bodmer
For well over a decade cyber-crime has steadily risen at incredible rates across the world. How is this possible with so many law enforcement and security vendors out there trying to solve the problem? Over the past eleven years viruses and trojans have evolved into a never-ending deluge of crimeware campaigns. How is this possible? Well, let's talk about that. In this talk you will see first-hand how easy it is for criminals to set up a cyber-crime campaign, including their infrastructure, infection vectors, and building better tools. The goal of any bad guy is to evade detection, remain persistent, and generate revenue. Well, let's talk about all of that and why these criminals become akin to "The Six Million Dollar Man" and are very successful at getting away with their actions.
FireShark - A Tool to Link the Malicious Web - Stephan Chenette
Thousands of legitimate web sites serve malicious content to millions of visitors each and every day. Trying to piece all the data together to confirm any similarities between possible common patterns within these websites, such as re-directors that belong to the same IP, IP range, or ASN, and reconstructing the final deobfuscated code can be time-consuming and sometimes impossible given many of the freely available tools. Stephan will present Fireshark, the second version of an open source web security research tool. This technology is capable of visiting large collections of websites at a time, executing, storing and correlating the content, and from it, identifying hundreds of malicious ecosystems.
Join Stephan as he uncovers, in real time, legitimate Canadian Web sites that have been infected, and the malicious eco-systems they are linked to.
Trust me, I am a cloud vendor! - Bruce Cowper
Ever woken up to a news story about a major Cloud issue and realized it didn't just happen to the other guy? Along with Cloud adoption, there is often a feeling of loss of control, especially when we see or experience issues such as outages, security breaches and information leakage. Ever more frequently service providers are being remembered for how they handled an incident versus what the incident actually was. With the consumerization of IT and drive towards everything being connected, the unexpected is bound to happen. This talk is illustrated throughout with many of the pivotal incidents that leave you with a raft of new questions to ask yourself and your service providers, especially when things go bump in the Cloud.
OSSAMS, Security Testing Automation and Reporting - Adrien de Beaupré
This presentation will discuss the options available to automate the conduct of vulnerability assessment and penetration testing engagements, and the reporting processes. The most important parts of running a security test are following a consistent methodology, utilizing the appropriate tools and their configuration, data management, getting accurate results, manual validation, and standardized reporting. The goal is to streamline and automate parts of the process, where possible, and improve efficiency.
Change Happens: CISO Survival Through Adaptation - Jack Daniel, David Mortman, Gal Shpantzer, Michael Smith and Stacy Thayer
The Chief Information Security Officer role is transitioning through unprecedented change in information technology, in both scope and pace. CISOs must learn to adapt in kind and support the four 'personas' of the CIO, where the I stands for Infrastructure, Integration, Intelligence and Innovation. This panel will address the trends and adaptation strategies necessary to position the role of the CISO with the emerging needs of the CIO: From cloud to compliance, virtualization to consumerization, mobility to regulatory.
Weaponizing The Smartphone: Deploying The Perfect WMD - Nicholas Donarski
The acceptance and integration of mobile phones, specifically smartphones, into our everyday life has allowed for these devices to penetrate deep into secure areas. The ability to have your phone along with you at any moment of the day feeds our needs for social media, email, business, and pleasure. This ability and access has allowed the use of smartphones to be bred into devices that rival other penetration testing hardware/software combinations.
Nicholas has developed and created an OS platform package that allows penetration testers and security professionals the ability to test both physical security and technical security without being constrained by computers, cords, or the image of suspicious behavior. The WMD platform package is based on Windows Mobile 6.5 smartphones and is executed similar to a virtual machine. The WMD package is preloaded with many of the same applications and testing tools that are included with Backtrack 4 (www.backtrack-linux.org); there is no affiliation between the two projects, only the similar desire to create a single source of the latest tools, applications, and techniques used by today's security professionals integrating today's latest technologies.
"Weaponizing The Smartphone: Deploying The Perfect WMD" will show the audience how to create a deployable package on a MicroSD card for use on the HTC Rhodium (AT&T Tilt2) or similar Windows Mobile 6.5 smartphone. Then, using a test wireless AP, a Windows Server 2003 VM, and the loaded WMD smartphone, the audience will be presented with a live demonstration of some of the tools, including NMap, Metasploit, and The Social Engineering Toolkit, to exploit the Windows Server 2003 VM and gain administrative access.
The fundamental security flaw of accepting technology to perform only for what it was "made" for, without the expectation of manipulation, presented by "Weaponizing The Smartphone: Deploying The Perfect WMD" will help security professionals protect their environments while stimulating "out-of-the-box" thinking.
"Mapping The Penetration Tester's Mind" will present tools, methodologies, standards, and frameworks that are used during an active security engagement. This will give the attendees a broad understanding of how a penetration tester locates and determines what is a target, how vulnerabilities are located, what a penetration tester does to actively gain access, and how one small vulnerability can lead to complete infrastructure breach. Many participants understand the importance of having penetration testing performed, but do not understand what is actively done during the engagement. The presentation will provide a good base of information into the penetration tester's mindset and allow all participants an opportunity to have a deeper understanding of how to provide guidance to their clients for a successful assessment.
A recent IDC survey found that 52% of insider threats were perceived as accidental and 19% thought to be deliberate. Although 82% of CxOs said they did not know if incidents were deliberate or not, 62% were unclear of the source of their company's insider risk and could not accurately pinpoint or quantify the nature of the financial impact. The major challenge IS managers face is to audit and immediately detect the potential abuse of internal administrative privilege and resources. Typically, breaches go undiscovered and uncontained for weeks or months in 75% of cases, and the average time between a breach and its detection is 156 days according to the Verizon 2010 Data Breach Report. Inside intruders use IT resources to commit fraud against an organization, steal intellectual property or, in some cases, commit national security espionage.
With Tripwire Enterprise and the integration of Tripwire Log Center which combines CHANGE AUDITING and LOG EVENT MANAGEMENT, we deliver an unprecedented level of Visibility, Intelligence and Automation to detect unapproved and unauthorized critical changes in real-time.
This dynamic presentation and demo will show you how Tripwire VIA can immediately correlate thousands of events of interests with changes of interest to immediately spot hidden intruders exploiting your resources.
Hackers think differently. They create new, innovative, and novel solutions to technical problems that are often deemed too difficult to solve. From Thomas Edison to Steve Wozniak to Richard Stallman, hackers have helped shape the world we live in. Corporations, on the other hand, are generally more rigid in their approaches to problem solving and are constrained by internal policies. In this session, Joe will share his view on how corporations should re-think their approach to security by incorporating hackers and the hacker mindset.
Finding Evil in Live Memory - Michael J. Graven
Live memory forensics is a fun (and effective) way to find an attacker's footprints on a machine. Michael will provide a brief introduction to the basics of memory forensics on Windows systems, then show how to use several free tools to investigate a running system (or a memory image) for indications that an attacker has compromised it - and not just strings, grep and awk either. Michael will show real structured data from the kernel that brings shenanigans to light in a way that can be used on one or thousands of machines.
He will also introduce and explain a new technology called MemD5, which allows for in-memory hashing of file object data. There are several uses of this technique, and I'll briefly cover which ones are win and fail. There will be a free tool you can use for this purpose, as well.
What is an APT without a sensationalist name? - Seth Hardy
Targeted malware attacks are particularly dangerous to NGOs and other organizations that take real-world risks while often having little if any IT security budget. In this talk, Seth will describe a variety of targeted malware attacks observed in the wild against human rights organizations, and the techniques (both social and technical) that they use to be successful. Seth will then look at the technical details of a data exfiltration network: what information is being stolen, how it is leaving your network, and where it is going. The talk will conclude with observations on how this kind of targeted malware differs from those used for financial gain, and steps that organizations can take to defend themselves, even with very limited resources.
Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests brings the SecTor audience the most massive collection of weird, downright bizarre, freaky, and altogether unlikely hacks ever seen in the wild. This talk will focus on those complex hacks found in real environments - some in very high end and important systems, that are unlikely but true. Through stories and demonstrations we will take the audience into a bizarre world where odd business logic flaws get you almost free food [including home shipping], forgotten PBX accounts are used to compromise large financial systems, and security systems are used to hack organizations. The SpiderLabs team delivered more than 2300 penetration tests last year, giving us access to a huge variety of systems and services, we've collected a compendium of coolest and oddest compromises from the previous year to present. Our goal is to show effective attacks and at the same time not the trivial ones that can be found by automated methods. By the end of this presentation we hope to have the audience thinking differently about systems and applications that organizations use every day, and how they may be used against them.
For the last few years computer forensic investigators have been singing the praises of Kristinn Gudjonsson's Log2timeline, a tool that has revived time based artifact analysis despite the use of tools like Vinnie Liu's Timestomp. This talk will take another look at time lines, but not for their temporal data. We'll see how even without the time stamps the data can help incident responders and forensic investigators to find malicious code. We'll look at a case study along the way and see how this technique was used in the real world to uncover backdoors and trojans despite the attacker's manipulation of time stamps. See the talk and learn why in this case telnet was more secure than SSH.
Online Espionage - Mikko Hypponen
Espionage is all about collecting information. Today, information is stored on computers and networks, making them potentially accessible from anywhere in the world. As a result, state-sponsored espionage is happening increasingly with computer attacks such as backdoors and remote trojans. Why was RSA Security hacked in spring 2011? How did they do it? Come and see.
Cubical Warfare, The next Arms Race - Jason Kendall
Cubical warfare is currently on the rise. One Nerf gun can cause an arms race escalating beyond current weaponry, either from the common concept of High Performance Culture, to the downright nastiness of co-workers.
My goal is to educate attendees to take normal run-of-the-mill soft dart weapons, and make them into weapons of mass pain. Topics being covered: intro to cube warfare, history of Nerf, and maybe even a few compromising photos of Dave. :)
Incident Response Kung fu: Tree Style - Jason Kendall
Preparation, Identification, Containment, Eradication, Recovery and Follow-up are nice to say and do - but how does one actually investigate an incident? Jason has been working on a methodology for the past 4 years while being exposed to incidents in a high-value institution. In an effort to continue to fine-tune it, Jason wants to present a how-to and use the opportunity to discuss, tweak and improve the methodology.
The Bizarre Business of Rogue Internet Pharmacies - Brian Krebs
Krebs's talk will focus on the bizarre business of rogue Internet pharmacies. Krebs has logged hundreds of hours of interviews with the proprietors of the two largest online pharmacies, and has access to more than four years' worth of data on who bought and sold drugs for these programs. Told through the eyes of the Founding Fathers of Rogue Pharma, this keynote will illustrate how the market for knockoff prescription drugs is intricately linked to almost every other aspect of modern cyber crime, from spam and malware to identity theft and credit card fraud.
A Replicant by Any Other Name: A Security Analysis of the BlackBerry PlayBook - Zach Lanier and Ben Nell
The BlackBerry PlayBook is Research In Motion's foray into a new mobile operating environment. Featuring TabletOS, built on the QNX RTOS and a user experience built predominantly on the Adobe AIR platform, the PlayBook quickly stirred up critical reactions -- but also praise, having been certified for use by the U.S., Australian, and Russian governments. But what *is* the PlayBook? QNX? TabletOS? What, from a security perspective, makes it so special?
In this talk, we will present our objective security analysis of the BlackBerry PlayBook, exploring network and application attack surfaces, documented and observed security controls, and findings from our initial assessment. We will go on to discuss how existing application assessment methodologies can be applied to mobile applications designed to run on the PlayBook platform.
I'm Your MAC(b)Daddy - Grayson Lenik
The field of Computer Forensics moves more and more in the direction of rapid response and live system analysis every day. As breaches and attacks become more and more sophisticated, responders need to continually re-examine their arsenal for new tactics and faster ways to process large amounts of data. Timelines and super-timelines have been around for a number of years, but new software and techniques bring them back into play for Incident Response and live analysis instead of static postmortem forensics. Add in identification of anti-forensics techniques and you gain a whole new view on forensic timelines.
Progression of a Hack - Ryan Linn
So you have a firewall, AV, IDS, patch management and more. Nobody is getting in. Somehow Fake-AV and malware still rear their ugly heads from time to time, but things feel pretty safe. Others in this same situation are still making the news. This talk will look at how a single foothold can lead to the opening story on the evening news. We will look at how a motivated attacker can compromise a patched Windows box, escalate privileges on a domain, and get to the data. As each demonstration shows the techniques, we'll talk about mitigation strategies and what steps you can take to avoid being a headline.
Be Ready for IPv6 Migration and Beyond! - Cricket Liu
2011 is the year that IPv6 really matters! Even if you do not need to deploy it immediately, you should begin planning for IPv6, including making sure your infrastructure and your ISP can support it. Join us as world IPv6 expert Cricket Liu, author of several books on DNS and IPv6, presents on a variety of IPv6 topics, including:
• IPv6 basics
• Setting up forward- and reverse-mapping with AAAA and PTR records
• Running name servers over IPv6
• Registering and delegating to IPv6
• Special considerations and "gotchas"
• Troubleshooting
• DNS64 and NAT64
Web Browser Security Faceoff - Paul Mehta and Shawn Moyer
At no other point in the evolution of computing has user experience (as well as attack surface) been so defined by a single piece of software as it is today. Still, no authoritative picture of the true defensive capabilities of the three major web browsers has existed. A team of Accuvant Labs researchers have been hard at work finding real measures for web browser security, and would like to take this opportunity to share some of our initial insight. While there are still questions to be answered, we believe we've gained a better view than has previously existed.
Evolution of Digital Forensics - Jason Mical
No matter what anyone tells you, no investigation is complete or comprehensive if it only includes host-based forensic analysis. The fact is the host never has all of the relevant information, and there are way too many techniques for ensuring that no incriminating evidence is ever left on the disk. Because of this reality, it is essential that organizations act proactively and incorporate real network forensic tools and techniques into their investigative arsenal. This presentation will introduce some of the necessary techniques and will walk through a practical case study showing the power of a fully integrated investigative approach.
Building a GRC Strategy - Dave Millier
Dave Millier will talk about gathering information from various sources (security and system logs, reports, processes, people, etc.), and turning it into meaningful reports and dashboards that can be used to track compliance with various standards and regulations, including PCI, CobiT, SOX, NERC CIP, and others. Rather than focusing on any particular technology, Dave will explain how companies can get more value out of the existing security tools in their organizations. He will show how to provide metrics that are meaningful, and how to build reports that are useful for C-level executives, right down to the firewall administrators, and even end users.
Most malware uses HTTP/HTTPS to call home or install other parts of a malicious action. Since thousands and thousands of samples appear daily, it is almost impossible to create signatures to detect all malicious activities.
Based on this problem, we started to analyze common headers and behaviors for malicious connections based on SpiderLabs research analysis and a lot of packet captures from various sources. With that info, we scored each header in an HTTP request and based that score on the frequency with which it appears, blacklisting, and a few other tricks.
Our goal with this initial presentation and PoC is to show that we can score HTTP headers as a way to find malicious activity in HTTP/HTTPS traffic.
Most of the material out there today on cloud security is all about how it is more/less secure than managing things internally, and very little of the material focuses on the fundamental differences between internal vs. external hosting. And while there has been some discussion of the actual issues (with a few notable exceptions), they tend to lack technical merit and instead cover broad brushstrokes. This talk will cover some of the very real technical differences between running a system internally on bare metal, internally on cloud or on an external cloud. As always, there will be baked goods and, Canadian customs permitting, I'll be able to show off my baguette skills.
This presentation will be about the comparison of Flash USB Drives & Solid State Drives vs. Conventional Hard Drives for Data Recovery and Forensics. This presentation is also done with 3D ANIMATIONS that rival the History Channel! As we are all aware, solid state hard drives are going to overtake hard drives sooner rather than later. Scott is performing recoveries and rebuilds on Solid State Drives and will go over the comparisons to recovery on Standard Hard Drive Recoveries. Scott is going to discuss a few new items in data recovery that he is working on with rebuilding solid state drives and flash USB memory sticks for data recovery. He has been rebuilding flash drives by removing the chips and moving them to a new flash drive to recover the data. He will compare the processes we use with Hard Drives for recovery to Flash and SSD. Scott will take a look at the control chip for flash memory. A little-known fact about flash memory is that flash memory is controlled by a chip that actually has a virtual OS. These are the topics Scott is going to cover from his experiences in running a successful data recovery company and doing training classes for over 10 years. If you are interested in Data Recovery and what happens to the data on Solid State Drives, or just a better understanding of how the drive works, then this is something you don't want to miss!
Malware FreakShow - Nicholas J. Percoco and Jibran Ilyas
Well, there's malware on the interwebs. They're pwning all your systems, snatching your data up. So hide your cards, hide your docs, and hide your phone, 'cause they're pwning er'body out there! This may be the 3rd and final installment of the Malware Freak Show series, so we're pulling out all the stops. This year we'll highlight 4 new pieces of malware, but the victims are you and the people you know. We will analyze and demo malware found in your place of employment, your watering hole, your friendly neighborhood grocer, and finally your mobile phone. The malware we are going to demo are very advanced pieces of software written by very skilled developers that target your world's data. The complexity in their propagation, control channels, anti-forensic techniques and data exporting properties will be very interesting to anyone interested in this topic.
Targeted and Opportunistic Botnet Building - Gunter Ollmann
There's a general myth that botnet operators are opportunistic in their building strategy. In some older and sloppier cases they are, but things have moved on. The ecosystem that supports botnet building is increasingly indistinguishable from legitimate Internet businesses – countless shades of gray – and most aspects of that business are well planned and targeted with commercial precision. As such, the targeted and opportunistic attack nomenclature is increasingly outdated – particularly when the attackers operate within a federated business model. How are some of the more successful botnet building enterprises distinguishing themselves? We've heard plenty of things about the popular malware kits such as Zeus, SpyEye and TLD3, but how do these translate into the commercial botnet building industry? This talk will analyze the links between key malware construction tools, their authors' relationship with the botnet builders, and how their malicious payloads are in fact distributed using common federated delivery campaigns. We'll look to distinguish between targeted and opportunistic attacks and show that the differentiation is often just a matter of perspective if you're missing some of the middle-men operators that help facilitate a successful attack.
IT Security Professionals have more threats to deal with today than at any previous point in history; and it is only going to get worse. There is more malware, more threats (spam, botnets, etc.) and more potential areas of risk as we expand our need to collaborate either socially or for business efficiency to achieve a competitive edge.
Additionally, more and more IT Security Professionals are starting to realize that some of the traditional methodologies for protecting and securing the infrastructure are no longer enough to protect what's really important and the lifeblood of any organization: their information - which continues to grow for most organizations at significant double digit rates.
Join Paul Pinkney – Director of Solutions Strategy as he shares Symantec's views on the recent activities in the threat landscape and how a properly planned and executed security strategy will help organizations effectively defend themselves in this ever changing world.
Sniper Forensics v3.0: Hunt - Chris Pogue
I am a sniper. I hunt malware. Specifically, I hunt malware that is committing a crime. Memory Dumpers, Key Loggers, and Network Sniffers are the enemy. The enemy can take on any form, he deploys stealth to hide from me. To know the enemy, I have to know HOW he works, not just what his goals are.
Sniper Forensics v3.0: Hunt will conclude the Sniper Forensics Trilogy. It will bring all of the elements of the previous two Sniper Forensics presentations to bear, and illustrate the hunt. From system preparation, to data gathering, to finally identifying the primary target of many forensic investigators...malware.
Not only will this talk cover how to identify the most common types of criminal malware, but HOW to identify an infected host by WHAT it's doing, not by what has traditionally been known as "malware detection" by hash comparisons, keyword searches, or even just blind luck.
This final installment will equip the investigator with the methodology, the tools, and take them on the hunt for cyber criminals in three real world scenarios!
I am a sniper. I will find and eliminate my target.
Cybersecurity, the Law, and You - Bill Roth
This talk will cover how new US legislation and regulations are going to affect cyber security in the coming months. It will discuss, among other things, the new credit card security specification, PCI DSS 2.0, the US Government's "Cyber 3" initiative, and cybersecurity legislation in front of the US Congress. It will also cover new tools which make keeping up with these rules/laws easier than ever before.
Everyone is fired up about the cloud. Per usual, that means most businesses are rushing headlong into the abyss with nary a concern of security or risk management. Yeah, we all know how this ends. And most practitioners don't even know what they don't know at this point. Mike will provide the unvarnished truth about the current state and the future of securing your information assets as they migrate to the cloud. Especially given how quickly cloud infrastructure is evolving. There are also considerations relative to coexisting with your on-premises data center infrastructure in a strange purgatory. You'll understand how data protection, risk assessment, identity, and monitoring change once you consider the SPI stack. Don't know what the SPI stack is? That's why you need to come to the session.
Binary Risk Analysis - Ben Sapiro
Security risk analysis techniques are either too complex to be understood by the business or too simple to provide repeatable and meaningful results. Without a proper understanding of the risk associated with security events, businesses are likely to misunderstand the risk that security professionals are working to control.
This talk will announce a new, peer-reviewed technique called Binary Risk Analysis. The technique is easy to use, enables quick structured conversations about risk and works with existing risk management frameworks. The technique will be released to the community under a Creative Commons license.
We in information security don't often call the fuzz when we get hacked. We fear that the cops would a) rush in, shut us down and mill about in the lobby for 15 days in blue windbreakers, drinking coffee and being suspicious, or b) not understand the nature or the specifics of the problem and therefore do nothing. From their perspective, the cops look at us as unstable, scary, untrustworthy, poorly-mannered and possibly akin to those identity thieves they've heard about. Yet the two groups work, generally, for the same purposes: to keep their constituents safe from criminals and threats. This talk will explore ways that infosec professionals can learn what law enforcement agencies - local, county, state and federal - need to get from us to help us, and ways that we can educate law enforcement on who we are, what we do, and what we can do to help them help us, and help others. It's a call to action. You in?
How to Survive DDoS: the Play at Home Game - Michael Smith
Michael Smith serves as Akamai's Security Evangelist and is the customer-facing ambassador from the Information Security Team, helping customers to understand both the internal security program and the unique security features and capabilities of the Akamai product portfolio and cloud-based solutions. Mr Smith fulfills a cross-functional role as a liaison between security, sales, product management, compliance, engineering, professional services, and marketing.
Prior to joining Akamai, Mr Smith served as an embedded security engineer, security officer for a managed service provider, and security assessment team lead. He is an adjunct professor for Carnegie Mellon University and teaches through the non-profit Potomac Forum.
Disc Detainer Locks - Schuyler Towne
This talk will explain disc detainer locks from their basic function to the highest security models. We will examine their emergence in various world markets, particularly their recent emergence in North America. Schuyler will demonstrate known vulnerabilities from picking, to impressioning, to low-cost key duplication. The goal of this talk is to introduce the audience to this class of locks and provide them with a concrete base to consider the possible addition or exclusion of these locks to their own physical security solutions.
Think outside the enterprise security box - John Trollinger
The last decade has seen network security products become as standard as routing and switching. In an effort to differentiate themselves, vendors have pushed the "simplicity of deployment" marketing message, to sell more devices. In concert, the threat landscape has become more organized, more directed, and more sophisticated. So in this age of "do less with more", how can organizations ensure they are a step ahead of those which mean to do them harm? John Trollinger will speak to the current trends of both "markitecture" and threat landscape, and what organizations can do to ensure they are mitigating their risk, and protecting critical data and assets.
Information Security and Risk pertaining to smart phone and mobile devices - Nicholas (Nic) Wetton
The mobile worker population grew to 1 billion in 2010, and over 250 million smart phones and other innovative devices were shipped and connected to the internet. This phenomenon is forecasted to grow by 25% annually through to 2013. 44% of users (Forrester) have bought their own devices and want to connect them to their employer's network, causing significant information security concerns. At the same time, organizations are differentiating themselves in the marketplace by offering self-service portals to their Customers. Increasingly, these portals are accessed via smart phones and other innovative devices. Organizations are striving to provide secure access for their Customers. This session will consider the business challenges of both requirements and consider how IBM has successfully met the employee demand and is helping Clients deliver the Customer requirements.
Wireless Hacking Techniques and Tips - Kent Woodruff
Wireless technology is exploding in popularity. Businesses are not only migrating to wireless networking, they are steadily integrating wireless technology and associated components into their wired infrastructure. The demand for wireless access to LANs is fueled by the growth of mobile computing devices and a desire by users for continual connections to the network without having to "plug in." This explosion has given momentum to a new generation of hackers who specialize in inventing and deploying innovative methods of hijacking wireless communications.
Hackers are armed with file2net, MDK3, Aircrack-ng, Karma, Karmetasploit, Jasager, JasagerPwn, Satanic AP, Scapy, sslstrip, Sidejacking, Firesheep, Interceptor and other new tools that are launching attacks on networks that a year ago were said to be unbreakable. Adding to the confusion is the increase in rogue wireless devices including stealth rogues, soft APs, wireless-enabled laptops and smartphones, and neighboring wireless networks that bleed over, combining hostile rogues with friendly or unconnected devices.
FACEROUTE: Mapping and Harvesting Social Media Sites - Rob VandenBrink
It is a common practice for Social Media sites such as Facebook, MySpace and LinkedIn to be used as components in background and security checks, both in law enforcement and as part of modern hiring practices. In most cases, our social media "shadow" is either a neutral or a positive influence in these processes. However, the online presence of our friends, connections, followers and the like may be another matter entirely. A "friend of a friend" on Facebook can be as much or more of an influence on your reputation as the same relationship in real life. As social media becomes as much a reality as the real world, our actions and the actions of our online associates cannot help but influence our eligibility for employment or security clearances.
In this session we will present a set of tools to explore your immediate "neighborhood" on various social sites, using radial and iterative methods for simple recon, and SPF (Shortest Path First) routing algorithms to map routes between target individuals. We will also show tools for harvesting word lists, which can be used for discovery of potential leaks of sensitive information, as well as for assembling password lists for penetration tests. All tools will be demonstrated live.
Bust a Cap in an Android App - Patrick Szeto and Maxim Veytsman
This talk will introduce the audience to the nuts and bolts of Android hacking. Patrick and Maxim will demonstrate how to take apart an Android application and hunt for vulnerabilities. Topics covered include hunting for goodies in files stored on the device, reverse engineering applications, identifying broken crypto implementations, and using remote debugging to execute code at will. They will discuss how to apply these techniques in the context of penetration testing and mobile malware analysis. Audience members are expected to be generally familiar with Android devices and Java.