Logan Kleier Balancing Risk This presentation is about the effort to bring sanity to risk and security discussions in any organization. Logan will talk about some steps taken to focus these risk discussions and integrate security operations within the City of Portland’s IT efforts. Participants will walk away with a sense of inner peace and $10 if they can identify all the celebrities in the presentation. |
Kenny McElroy Mutating metal to make our meter an automated penetrator Wait, that doesn't even make any sense at all. Well, try this instead: Robots, security, paranoia. You know, all the usual stuff. (editor's note: this talk is about lockpicking) |
Kenny McElroy Anonymizing your hacktop Can your computer be uniquely identified remotely? No matter how many times you wipe the drives? Regardless of what VM you happen to be running at the moment? Why do computers these days have so many unique serial numbers floating around in hardware? Let's take a tour of some very common components that deliver identity information to software. What does it take to alter or wipe these IDs? |
@securelyfitz Nikon recently released a consumer version of the same capability for a much lower price, but it's sadly crippled. This talk will go over the process of assessing and reversing the involved hardware and software, show what capabilities and limitations are technically induced or marketing induced, and propose how to easily build an inexpensive system to achieve the same feature set. |
@securelyfitz This talk will be a series of adventure stories about legitimate methods to buy stuff in stores for less by working the loopholes of discounts, coupons, rewards programs, and good old social engineering. The audience will hopefully learn one or two ways that they can incorporate social engineering practice in their regular shopping. Then, when you save money, it's like getting paid to social engineer! You'll be professionals in no time! |
Martin McKeay Where's the data at? It's easy to find dozens, or even hundreds, of news stories every day about compromises or vulnerabilities on the Internet. But where is that information actually coming from? Who's collecting the data, writing the reports and creating the information that's behind many of these stories? Join Martin McKeay to talk about dozens of the corporations and volunteer organizations that collect, collate and create the information that goes into many of the stories you read on a daily basis. Rather than waiting for the news to hit your twitter feed, find out who's making the news, where to find it before it comes to mainstream, and how you can become one of these people yourself. |
Sundar Krishnamurthy How to hack my Twitter So many apps allow cross-website integration and posting. With this demo, I will show how you can post nasty images and comments on my Twitter feed - without my Twitter password :) |
William Borskey Like any profession, tools are necessary in our line of work. This talk is not bashing people for using tools. Instead, I am proposing that there is too much of a reliance on the output of tools in penetration testing. And that an understanding of the underlying technologies is more important than knowing the latest tool that came out with a fancy GUI. This talk will be pretty short. I really will focus on something simple: the output of a tool we all use—nmap. Nmap is great, do not get me wrong. But solely relying on nmap output to plan your next move is not the greatest idea. The reason I say this is nmap interprets the results for you before you interpret its results. It places a layer of abstraction between you and the information you need to plan your next move. I would like to suggest not relying on just the output of a scan. I would like to propose, say, after you get an nmap scan, sending the same type of packets using scapy and looking at the header fields in the returned packets, or running tcpdump while the nmap scan runs and looking at the packets that replied to your scan. I would like to propose that far too many pentesters rely on unreliable output of tools rather than having a deep understanding of the protocols and systems they are testing. I will give a short talk about the differences between tools and techniques, show some techniques to dig deeper and sum it all up with a story from an assessment I was on when I came up with this talk idea. |
Ken Westin PWND BY DEVICES The devices we carry with us are snitches, we tell them everything, from our schedule, who our friends are, where we are and have been, along with photos and other evidence/information that can be used against us. Over the last few years Ken Westin has been using these device capabilities to enable stolen devices to phone home with information regarding their location, photos of thieves, location and other information (http://gadgettrak.com/recoveries/). He has even built technology that scans photos we upload to the Internet extracting serial numbers so they can be traced back to the camera that took it as well as who is in possession of it. He will be presenting several real cases where stolen devices were turned into snitches, highlighting the technology used in each case as well as some larger crimes unveiled as a result. He will also cover how social media and other sources can be used to gather additional evidence. To finish he will discuss his experience working with and training law enforcement and some of the technology being used by them for surveillance. |
Sergey Shekyan The talk includes a couple of demos of WebSockets usage in civilian and hacking applications, and goes into details of protocol dissection and performance benefits that it may bring. Analysis of current WebSockets usage is performed and data showing not-so-widespread adoption is presented. Security aspects of WebSockets are discussed including a few shortcomings of current implementations and browser related issues. Also, in the spotlight are the complications that may arise from WebSockets mixed usage with HTTP, as well as the problems that network protection infrastructures will face because of the masking of WebSockets data. It closes with recommendations for deploying WebSockets securely, applying security principles to web app design. |
James Shewmaker Making physical attacks remotely Everyone knows that physical attacks trump most infosec defenses. What happens when a pentester can make those physical attacks remotely? |
John Mailen An Adversary for All Occasions Operations Security (OPSEC) is a simple little 5-step process for assessing risk of information that is not normally protected. Most businesses and individuals see the method and ignore the benefits. One wonders why someone would care. Let’s look at the basics and then have a little fun. What would a realistic adversary who was determined to gain information of a project do? Is there a monetized value to all information? There are reasons that one shouldn’t publish one’s personal life to the world because you just don’t know who might be watching. |
Steve Orrin We have dozens of papers, presentations and demos of the new and improved attacks against HTML5 applications and browsers. Whether you are looking at new attacks unique to the HTML5 spec/standard/implementations or significantly improved existing threats, we have to ask ourselves, how did we get here? Why are old holes showing up again, why are new exposures being introduced? And how does an HTML5 site differ from an HTML5 App (and what threats/risks do each involve)? This session talk will highlight some of the threat innovations of the past year and speak to the changes in the applications deployment, development trends and the Web that have led us here. We will also look at HTML5’s CSP (the catch all security protection spec). We will look at what it's good at (simple XSS prevention), where it fails (Chained attacks, advanced XSS injection, all other attacks), and why we need to poke now. |
Jimmy Shah A beneficial side effect of these mobile attack graphs is the ability to overlay protection or mitigation methods. Not just scaring your audience but at a glance telling them how they can defend against mobile attacks. |
Dirk Sigurdson Immobilized by Mobile Vulns in the NVD The National Vulnerability Database, run by NIST and sponsored by the Department of Homeland Security, contains a wealth of information about software vulnerabilities found in today’s ever-growing mobile device operating systems and applications. However, the inaccuracy and inconsistency of the database can cause challenges when determining whether vulnerabilities impact devices being assessed. We'll detail different kinds of mobile vulnerabilities and the type of flaws in the NVD that cause challenges, and what I did to fix them. |
Tim Morgan Squint at Gibberish No Longer: Introducing Bletchley Use of cryptography permeates today's computing infrastructures. While few programmers attempt to implement sophisticated cryptosystems, many unwittingly develop simple protocols in everyday applications without adequate knowledge of how cryptographic primitives should be combined. While these problems are fairly common in implementations of custom single sign-on, password resets, CSRF tokens, and other challenge-response processes, the relative lack of published advisories and public exploit code indicates that pentesters and researchers aren't spending enough time analyzing these flaws. This talk introduces a new open source tool suite, "bletchley", and will describe several types of application encryption flaws encountered in the wild, breaking down the steps needed for black box cryptanalysis along the way. |
@wepIV Computer Network Exploitation actors have a variety of motivations, however, the one unifying trait is that exploiting information assets costs money. Attackers don't spend big money unless they think they're getting paid at the end of the day (nobody robs a bank that doesn't have any money). This talk will examine the costs of doing business as an attacker, income streams and will focus on what all this means to defenders as they examine the threats that they face. |
Christopher Tarnovsky Reverse Engineering to Subvert Smartcard Security Barriers Millions of global users trust smartcards to store passwords to critical personal and financial information. However, research by IOActive's Christopher Tarnovsky, one of the leading experts in smartcard hacking techniques, has revealed startling conclusions about these devices – and the massive potential security risks they can present. Tarnovsky will present evidence that showcases multiple smartcard insecurities and share valuable insight into how companies and users can improve their security and protect themselves. |
Toby Kohlenberg and Mickey Shkatov Fun with Widgets We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets. Gadgets are comprised of JS, CSS and HTML and are applications that the Windows operating system has embedded by default. As a result there are a number of interesting attack vectors that are interesting to explore and take advantage of. |
Kees Cook Chrome OS Hardening A review of the security hardening techniques in the Chrome OS platform, ranging from compiler hardening and user-space confinement to verified boot and ring-0 isolation. |
Unattributed Underground Black Markets A whirlwind tour of the online underground economy. |
Mystery Guest |