Whose shoulders are these?
|How did we get here? Isaac Newton famously (and unorignally) said "If I have seen further, it is by standing on ye shoulders of giants". In the realm of information security, we all stand on the shoulders of giants- but we often do not know the stories underneath those shoulders. In this presentation we will explore some of the founding "giants" of infosec, both known and unknown- and learn some of what has changed, and what has not, since the early days of infosec.||Jack Daniel, Strategist for Tenable Network Security, has over 20 years’ experience in network and system administration and security, and has worked in a variety of practitioner and management positions. A technology community activist, he supports several information security and technology organizations. Jack is a co-founder of Security BSides, serves on the boards of three Security BSides non-profit corporations, and helps organize Security B-Sides events. Jack is a frequent speaker at technology and security events including Shmoocon, DEFCON, SecTor, RSA, and Security BSides. An early member of the information security community on Twitter, @jack_daniel is an active and vocal Twitter user. Jack is a CISSP, holds CCSK, and is a Microsoft MVP for Enterprise Security.|
PGP For The Web
|PGP is one of the most trusted and secure solutions for private communication. Despite being around for over 20 years, its use is far from common. Bringing PGP to a wider audience has recently become a hot topic. Offerings from startups, open source projects, and Google are in development. This talk is about the security challenges that need to be overcome in order to bring PGP to the web. Expect an analysis of the features and faults of the applications that work in this problem domain.||Daniel Reichert is a student at Oregon State University. His interests in computer science include cryptography, security, and privacy. He is the lead developer of the PGP Privly application.|
MozDef: The Mozilla Defense Platform
|Attackers have all the fun. With slick, integrated, real-time, open suites like metasploit, armitage, SET, and lair they quickly seek out targets, share exploits, gain footholds and usually win. The time has come for defense to get the same capabilities in an open-source platform dedicated to defense and based on modern technology.
To this end the operations security group at Mozilla has developed MozDef: The Mozilla Defense Platform to take on traditional SIEM functionality of event management, alerting and correlation and expand the real-time capabilities of the defender into automated defense and shared incident response.
This presentation will cover it's main features and functionality. Using as much live demo as possible, you will get a tour of MozDef and an open invitation to help contribute. Lets bolster defense for a change!
|Jeff Bryner ( @0x7eff ) is a 20+year infosec veteran/addict. Speaker at 3 DEF CONs, 3 Bsides, and 1 RSA (but he didn't mean it),|
he stands accused of re-writing everything in python, integrating security tools into 3D worlds with kinectasploit and taunting the
Demo Gods in every presentation.
Girl... Fault Interrupted
|GFCI's (Ground Fault Circuit Interrupts) are a practically unnoticeable part of our lives, except maybe for the occasional fumble around the Reset button on a hair dryer to get it to work.|
I re-discovered a way to melt and spark (sometimes explode) components that make up the GFCI mechanism for several off-the-shelf electro domestics wirelessly using specific RF frequencies. Magic smoke/spark demo included! Similarly, I'm able to trip other GFCI's (the type built-in to several apartment/home walls) creating either a temporary DoS on running electro domestics or permanent GFCI disablement. Directional antennas help increase the attack range from a few inches to a few yards in order to remote disable and/or trip GFCI's. The presentation includes a list of all vulnerable patents I've come across and all affected switch types (including AFCI's).
Electro domestics are probably not be the worst this vulnerability could potentially achieve, since GFCI's and solenoids are used on a diverse range of electronics and are sometimes required by code.
|Maggie Jauregui (@MagsJauregui) owns end-to-end Security Validation for the Wireless Product R&D group at Intel Corporation. She has around 3 years of security validation experience, specifically doing fuzzing, secure code review, and ad hoc penetration testing. At her previous job, Maggie owned DirectX Security Validation for the Graphics Driver Team at Intel Mexico after an internship in the 3D team doing Graphics Driver Sanity validation for the same group. Maggie studied her Bachelor in Computer Science at Tecnológico de Monterrey, Campus Guadalajara (2005-2010). Maggie's interests also include genetics, singing (lead female vocal of Agavers rock band), and modern/classic dancing.|
Microsoft Vulnerability Research: How to be a Finder as a Vendor
|Here at Microsoft, our people often find security issues in other vendors' products, fueling the need for a coordinated approach to working with those vendors to get those bugs fixed. Microsoft Vulnerability Research (MSVR) was created to help ensure that our company demonstrates the same management, in the role of a finder, that we'd like to see from other companies and researchers when reporting vulnerabilities. MSVR has played an important role working with internal bug hunters to fix many vulnerabilities in top software during the lifetime of this proactive program. After you know how we work, you how you can start a vulnerability coordination program at your company too.||Jeremy Brown is a developer / security researcher at Microsoft. He started off there with the Malware Protection Center, reversing patches, analyzing malware and exploits in the wild, before then moving on to Windows Security to make the next version of Windows even more secure than the last. His interests include things like kernel security, static code and binary analysis, fuzzing, vulnerability coordination and disclosure as well as bug hunting techniques.|
David Seidman is a Senior Security Program Manager Lead on the Microsoft Security Response Center team, where he manages Microsoft's response to normal and high-priority security incidents such as active attacks using an unpatched vulnerability. Prior to working at the MSRC, David managed development of Microsoft Office security updates and service packs. He holds a Bachelor's degree in Computer Science and a Master's in Cognitive and Neural Systems from Boston University. When not putting out fires on the internet, David enjoys triathlon, mountain climbing, Brazilian jiu jitsu and brewing his own beer.
Deconstructing the Circuit Board Sandwich
|Printed Circuit Boards (PCBs), used within nearly every electronic product in the world, are physical carriers for electronic components and provide conductive pathways between them. Created as a sandwich of alternating copper and insulating substrate layers, PCBs can reveal clues about system functionality based on layout heuristics or how components are interconnected. By accessing each individual copper layer of a PCB, one can clone the design, identify areas where new features/capabilities can be inserted, locate specific connections/interfaces, or derive how a product works by creating a schematic diagram.|
In this presentation, Joe examines a variety of inexpensive, home-based solutions and state-of-the-art technologies that can facilitate PCB reverse engineering through solder mask removal, delayering, and non-destructive imaging.
|Joe Grand (@joegrand), formerly known as Kingpin, is a computer engineer, hardware hacker, electronics designer, runner, daddy, honorary doctor, TV host, former member of L0pht Heavy Industries, and the proprietor of Grand Idea Studio (grandideastudio.com). He now lives in Portland.|
NSA Playset: PCIe
|Hardware hacks tend to focus on low-speed(jtag, uart) and|
external(network, usb) interfaces, and PCI Express is typically
neither. After a crash course in PCIe Architecture, I'll demonstrate a handful of hacks showing how pull PCIe outside of your system case and add PCIe slots to systems without them, including embedded platforms. I'll top it off with a demonstration of SLOTSCREAMER, an inexpensive device configured to access memory and IO, cross-platform and transparent to the OS - all by design with no 0-day needed. The open hardware and software framework that we will release will expand your NSA Playset with the ability to tinker with DMA attacks to read memory, bypass software and hardware security measures, and directly attack other hardware devices in the system.
Anyone who has installed a graphics card has all the hardware
experience necessary to enjoy this talk and start playing NSA at home!
|Joe FitzPatrick (@securelyfitz) has over a decade of experience in hardware debug, reverse engineering, and hardware security. Joe holds a master’s degree in Electrical Engineering with a focus on information security. Previously, he performed silicon debug and hardware penetration testing of desktop and server microprocessors, as well as security validation training for functional validators worldwide.|
|The world is entrusting more and more data to the small little cellular computers we carry around in our pockets. We think we are making informed decisions about mobile security & our circle of trust -- but are we?||Jeff Forristal has been a security technology professional in the security industry for over 15 years. His professional background includes all things security, spanning across software, hardware, operations/IT, and physical access control. Currently Jeff is the CTO of Bluebox Security, a mobile security helping organizations & end users keep their data safe in hostile/untrustable mobile environments.|