Name: Dave Marcus (@DaveMarcus)
Title: The Need for Hackers, Hackerspaces and Hacktivism
Abstract: Technology is more pervasive than ever before. Digital threats like identity theft, targeted attacks, so-called APTs, malware reach new highs daily. At the same time there are more potential threats to digital/privacy rights and basic human rights than ever before as well. Why is this? Not enough hackers, hackerspaces and Hacktivism. That is why. To be a hacker is to take nothing for granted. It is to take technology or ideas in new directions if only to challenge the assumptions the original answer was based on. Hackerspaces are places that hackers gather to explore these ideas and to take on these challenges. Whether it is a coding problem, a lock to pick, an arduino micro-controller to design and build or any variety of intellectually challenging projects, hackers ask “why?” and hackerspaces create communities for these questions to take shape in. Likewise, Hacktivism allows citizens to use technology to bring about changes in or awareness to human rights issues globally. Hacktivism is much more than Anonymous and Wikileaks. It is a movement, from the mid 1980’s, that can potentially make the world a better place by bringing to light abuses to human rights on a global scale and advocating for and pushing for changes in policy. In today’s world with the issues we face globally, it is more important to ask fundamental questions and challenge assumptions than ever before. Hacking, hackerspaces and Hacktivism can play key roles here. This session will hopefully make attendees think and even provoke them a bit.
Bio: Dave Marcus currently serves as Director of Security Research for McAfee® Labs, focusing on bringing McAfee’s extensive security research and global threat intelligence to McAfee’s customers and the greater security community. His current focus at McAfee Labs includes advanced research, media, and thought leadership responsibilities including social media technology engagement and research.

Name: Michael Dahn
Title: Breaking the Fear Cycle: How to be Disruptive in an Uncertain World
Abstract: The global economy has shaken trust in not only corporations but entire countries. In these uncertain times it seems best to hold on to those tried and true methods. To not change; to not innovate; and most importantly - to not fail. Warren Buffett said, "Americans are in a cycle of fear which leads to people not wanting to spend and not wanting to make investments, and that leads to more fear. We'll break out of it. It takes time." In order to escape the hamster wheel of pain we need to break the fear cycle. We need to first know that there is another way, an easier way, a more efficient way, to achieve our goals. Change does not come from following the pack but from breaking away. There is always a possibility of stumbling and finding a dead end, but this session will teach you how to find a better solution faster with a higher rate of success. The keys to being disruptive and successful include understanding the changes happening in the industry around you and leveraging those to catapult your company and your career into the direction you want to go. This session will explore disruptive methods and approaches by example of Plato's Allegory of the Cave. By examining the reflections of changes in the world around us, we can better predict the direction your industry, your company, and your career should be going.
Bio: Organizer of @SecurityBSides events dealing with collaborative design and community management. Director at a Big 4 Consultancy handling threat and vulnerability management.

Name: Amol Sarwate (@amolsarwate)
Title: SCADA Security - Why is it so hard?
Abstract: This talk will help those implementing security measures for SCADA systems. It will present the technical challenges faced by organizations that have SCADA or control systems installations, provide examples of security controls for SCADA systems, and offer an open-source tool to help identify and inventory SCADA systems. It will begin by introducing SCADA systems under the hood and will go into depth about SCADA protocols like MODBUS and DNP3 at the packet level. The second half of the talk will focus on real world examples of successful and not-so-successful implementations of security controls with SCADA systems. This will include examples of what some large organizations have done, and a discussion about why SCADA security cannot be deciphered just by tools or technical solutions. The presenter will also announce an open source tool which is due to be released later in October that will help identify SCADA systems. This session should be helpful for anyone who has tried to implement security measures for their SCADA systems. It should also be helpful for security vendors and SCADA vendors who are all part of SCADA security.
Bio: Amol heads Qualys' team of security engineers who manage vulnerability research. His team tracks emerging threats and develops new vulnerability signatures for Qualys' vulnerability management service. Amol is a veteran of the security industry and has devoted his career to protecting, securing and educating the community from security threats. At Network Associates, he contributed to the development of security products like CyberCop Scanner and Gauntlet Firewall. At Hitachi Semiconductor, Amol managed a team that developed device drivers for RISC processor based boards.

Name: Gene Kim
Title: Why Infosec Is Helping IT Fail… And How To Fix It
Abstract: All too often, infosec burdens the business and IT organization by disrupting fast flow of features, operational stability and endless compliance projects. When this happens, the business suffers, especially when scarce project resources and capital are needlessly consumed. In this talk, I present my 10 years of research of high performing IT organizations, which is the basis of my upcoming book “When IT Fails: The Novel.”
Bio: Since 1999, Gene Kim has been studying and benchmarking high performing IT operations and information security organizations. When he was the CTO/founder of Tripwire, he wrote the “Visible Ops Handbook,” which codified how these organizations transformed from “good to great,” which has sold over 200K copies to date.

Name: Gabriel Negreira Barbosa
Title: Operating System Security for Specific Purpose Devices
Abstract: Specific purpose devices, such as wireless access points and firewalls, are everywhere and provide the most different functionalities with a wide variety of hardware/software configurations. There is a lot of work related to hardening techniques, but it usually focuses on general purpose systems. This presentation will discuss important points related to operating system security for specific purpose systems. Among the topics are boot sequence modifications to improve the authenticity of the software in execution, kernel modifications to turn exploitation attempts into a non-reliable task and cryptography mechanisms to help protect information. The concepts behind each of the discussed points will be explained and illustrated with Linux. The speaker's experience in real-life systems with very specific hardware security design will also be shared.
Bio: Gabriel Negreira Barbosa is a security researcher of the Qualys Vulnerability & Malware Research Labs (VMRL). He is also a PhD student at Instituto Tecnológico de Aeronáutica (ITA), where he achieved an MSc and worked in security projects for the Brazilian government and Microsoft Brazil.

Name: Matias Brutti (@freedomcoder) & Mike Ridpath (@ridpath)
Title: Covert Calling: Secrets of Social Engineering Revealed!
Abstract: What could possibly be worse than making a cold call? Socially engineering someone through a phone line can have the same effect as talking to a chat-bot if you don’t know what you’re doing. You’ve got to be sly, intuitive, and able to turn on a dime. Mike Ridpath and Matias Brutti will take you through the ins and outs of getting away with the information you want. By taking a look at the psychology and sociology behind socially engineering in a cold call, they’ll let you in on the secrets of what ruses work with men versus women, play a few (sanitized) successful calls, and share techniques and tactics that have worked for them on over 100 engagements.
Bio: Matias Brutti is a Senior Security Consultant at IOActive, where he deploys his deep experience in enterprise-level application and network assessment/consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. Mr. Brutti has performed security assessments and PCI DSS security support services for companies in the Fortune 100, and has five years' experience working on all manner of compliance projects. Mike Ridpath is a Security Consultant with IOActive, where he works directly with platinum-level clients to deliver time-sensitive, mission-critical engagements that assess the security of networks and applications including both physical and social engineering penetration tests. In addition to finishing his Master's degree in Information Security, Ridpath has discovered numerous previously unknown software security vulnerabilities while on engagements. Prior to working at IOActive, Ridpath was in senior management as a product developer and on governing boards for multiple training and process improvement companies, where he worked with risk analysis and various process improvement methodologies. He most recently presented talks at Black Hat USA 2011, ToorCon Seattle 2011 and played on the winning Capture the Flag team at Defcon 2010.

Name: Brenda Larcom
Title: Driving Secure Development Using a Threat Model
Abstract: Most secure development life cycles advocate creating a threat model at design time and updating it as development progresses. Following this advice alone, you will do unnecessary work and receive substantially less benefit than your threat model could provide. Instead, start your threat model at requirements time and use it to select and configure all remaining application-specific secure development activities. Depending on your situation, this could allow you to:
* Skip or absorb some typically recommended analysis steps (e.g. risk assessment)
* Look only for what matters during other analysis (e.g. code review and security testing)
* Build your application more safely (e.g. centralizing the things that would most help the application's security, protecting 3rd party components)
Attendees will learn what to put into a threat model when, what to get out of a threat model when, and how a threat model should control and feed information to other secure development practices. Those using Agile development styles will particularly benefit, since a threat model-driven secure development lifecycle is phase-agnostic.
Bio: Brenda Larcom is a founder and lead developer of the Trike threat modeling methodology and tool (http://www.octotrike.org) as well as a senior security associate at Stach & Liu (http://www.stachliu.com). She has paranoia, systems thinking, >15 years of security experience at a variety of employers, and interest in requirements, architecture, and development life cycles.

Name: Jeff Bryner/@p0wnlabs
Title: Security *IS* a Game: Using the Blender Game Engine for Security Visualizations
Abstract: SecViz.org is a great resource for security visualizations but most suffer from a lack of interactivity. Completing kinectasploit for DEFCON19 made me realize the utility of game engines for interacting with security tools and security information. The session will start with a recap/encore performance of kinectasploit (http://p0wnlabs.com/defcon19) using gestures to drive a first person shooter 3D game environment to gain meterpreter sessions on victim VMs. Then using the same technology I'll walk through a couple scenes using standard corporate security data in a 3D, kinect-driven environment made possible by the blender game engine. Attendees will take away real code they can use to integrate kinect into the blender game engine, working scenes using standard corporate security data and hopefully an urge to expand the code to include additional scenes/data that they feel are useful. Let the security visualization revolution begin! (Demo Gods be willing).
Bio: Jeff Bryner has 20 years of experience developing integrated systems, performing forensics and incident response and ultimately fixing security issues to enable business. He writes for the SANS forensic blog, has spoken at RSA on SCADA security issues, DEFCON 18 on the google toolbar, DEFCON19 on kinectasploit and runs p0wnlabs.com just for fun.

Name: Postmodern (@postmodern_mod3)
Title: Your Scanners are making you Tools
Abstract: As the demand for Security increases, Scanners are increasing in popularity. Scanners are being used to help automate pentests, map networks and perform compliance audits. However, is the Security community becoming too dependent on Scanners? This talk will show that sometimes it's easier to write a couple lines of code than to always rely on Scanners or automated Frameworks. The talk introduces Ronin, a Ruby Environment/Platform which helps Security Researchers write and share custom code. Attendees will see live demos of Ronin performing tasks that other Scanners or Frameworks cannot.
Bio: Postmodern writes code and fights people on Twitter. He eats Rubies for breakfast and spits out bug reports by lunch. Once he flipped out and wrote an entire web-app deployment tool in two days. CS:BS, OSS, LOL:INT, ︻╦╤─ ...

Name: Logan Kleier (@PortlandInfoSec)
Title: Level Up: How Security Isn’t Like Playing A Video Game
Abstract: Security professionals look to “level up” their organization’s security posture whenever possible. This presentation shows how the City of Portland used the SANS Top 20 Critical Security Controls to prioritize its security investments and avoid the need to constantly level up its security. The presentation discusses strategies that enabled the City of Portland to achieve a balance between the need for better security on one hand and the increasing cost and complexity necessary to achieve ever higher levels of control. Attendees will take away the following: 1) an understanding of the strengths and weaknesses of SANS Top 20 Critical Controls 2) a framework to evaluate security investments as they relate to the improvements in an organization’s SANS Top 20 controls posture. This framework includes a discussion of organizational motivation factors (those factors that drive an organization to invest in new technologies) and 3) City of Portland’s progress on various SANS Top 20 controls and organizational reasons behind this progress.
Bio: Logan is the information security officer for the City of Portland. Prior to this, he worked at the U.S. GAO and a number of other organizations in various product management roles.

Name: Raid
Title: Memory Disclosure and You
Abstract: Memory Disclosure and You is a talk aiming to discuss the relevance of a bug class often miscategorized or ignored by the security masses. Memory disclosure has always been useful to attackers, and in modern times has become paramount in attacking software hardened by protection schemes. This talk gives an introduction to memory disclosure, and covers a brief history of its use by attackers. The content then moves into how memory disclosure bugs can be found and exploited, as well as how other traditional memory corruption bugs can be leveraged for memory disclosure to further aid in their exploitation. Provided code examples will cover a variety of scenarios. The attendees will walk away with an understanding of the bug class, and real world examples to solidify the concept. Attendees will also leave with an understanding of the flawed ideology which has resulted in so many protection schemes being defeated by memory disclosure. This understanding, in conjunction with the presented code artifacts, will empower the attendees to be able to identify, for either remediation or exploitation, the presence and impact of memory disclosure.
Bio: Raid is a security researcher originally based out of Portland, Oregon, and has long been affiliated with the Portland hacking group "sophsec". His focus in recent years has been on the exploitation of software vulnerabilities, with emphasis placed on bypassing memory protection mechanisms. He currently resides in New York City, but has long awaited the day to speak at, and attend, a Portland conference.