BSidesPHX Talks


Schedule


Time          | Track 1                                                                                    | Track 2                                                                                                                    | Workshops
9:15-10:15 AM | A crisis of identity: Practical advice for tackling Identity Management in the Enterprise  |                                                                                                                            |
10:15-11:15   | Can you Hear me now??? Nope?!? Good.                                                       | Understanding Framework Vulnerabilities: Struts 2: A little "sumthin sumthin" for security code reviewers & pentesters     | Metasploit For Pentesters (2 Hours)
11:15-12:15   | Analysis of the 2011 Social Engineering CTF                                                | Enterprise Incident Response: More Than Just An APT Problem                                                                 |
12:15-1:00    | Lunch                                                                                      |                                                                                                                            |
1:00-2:00     | Keynote - Ellen Cram Kowalczyk                                                             |                                                                                                                            |
2:00-3:00     | My Socrates Note: A Case Study In Password Choice                                          | Network anti-reconnaissance for fun and profit: Messing with Nmap                                                          | (2:30-3:30) Electronics for Admins
3:00-4:00     | How Cryptography works or Choosing the Right Crypto for the Job                            | Hacking the Self-Promotion Game                                                                                            |
4:00-5:00     | Quantum Datum: Information-Centric Security for Cloud Computing                            | Smartphone Insecurity                                                                                                      |

 

Talks


 

Keynote

Ellen Cram Kowalczyk

 

Abstract:

It’s no mystery that online social engineering is a major problem.  From emails from friends stuck in the UK, to fake anti-virus, to fake bank texts, people are being barraged with threats convincing enough to suck in even alert consumers.  Businesses are seeing systems overtaken and secrets lost by spear phishing emails with attachments and links.  People don’t know what to believe anymore.

It would be easy for us to throw up our hands and blame the user for making poor choices, but pointing fingers and abandoning the fight might not be the best strategy.

In this talk I’ll explore the size of the social engineering problem and the communication methods of reputable organizations that make it difficult for people to differentiate the real from the scam. I will also go over how technology, process, and culture change can be used to help people avoid social engineering attacks. Finally, I’ll explore the cutting edge of social engineering, including automated target research, customization based on cultural attributes, and phone-based attacks.

 

Bio:

Ellen Cram Kowalczyk of Microsoft manages the Trustworthy Computing Security human interaction in security team. Ellen owns the company strategy around combating social engineering, and is focused on both technical and non-technical solutions to protect our company, our customers, and the computing ecosystem. Her team also owns Usable Security, which helps our customers make the right security decisions, and Broad Street, which focuses on the causes of customer harm, such as how malware ends up on their machine. Prior to her current focus, Ellen ran the team that ensures all products meet the Security Development Lifecycle. Ellen came to Microsoft in 1998 as an API designer and has been focused on security since 2002. Ellen has a philosophy degree from the University of Washington, having learned her technical skills on the job as a program manager and software developer. She is regularly socially engineered by her crafty 4-year-old, Ella, and her dog.

 

Analysis of the 2011 Social Engineering Capture the Flag Contest

Eric Maxwell AKA Urbal

 

Abstract:

Urbal will present a full analysis of the data collected during the 2011 Social Engineer Capture the Flag contest held at Defcon. The data includes an in-depth look at the contest, the targets, the attackers, and everything in between. The analysis covers how individual companies performed against the attacks, differences in defense between industries, types of attacks, tools used, pretexts, attack vectors, and what could have been done to mitigate such attacks.

Bio:

Veteran code-slinger and member of White Hat Defense aka Social-Engineer.org

 

Smartphone Insecurity

Georgia Weidman

 

We will begin by discussing smartphones and their unique capabilities as well as risks. We will look at examples of common smartphone attacks from researchers as well as in the wild. We will then look at mitigating practices and what end users, companies that support smartphones in the workplace, and smartphone carriers can do to minimize risk without compromising functionality. We will then switch gears and revisit our attacks, but this time focus on attacks that stem from poor coding practices on the part of third-party app developers for smartphones. We will then look at strong coding practices that developers should adopt to keep their apps free from these vulnerabilities.

 

 

My Socrates Note: A Case Study in Password Choice

Garret Picchioni, Barrett Weisshaar, Mike Kelly

 

Abstract: While much has been made of user password choice in casual Internet use, little has been shown in mission critical organizational situations.  We spent a year analyzing user password choices in corporate settings, and we're here to present our findings: are we actually compromising ourselves when it comes to defining what makes a "secure" password?

 

Garret Picchioni is a Security Analyst at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has presented at DEFCON and has spent the last 5 years in the information technology industry, focusing on desktop support, systems administration, and network administration, but is now specializing in information security. Prior to Trustwave, Garret worked as a Network Engineering Intern for the Ridgetop Group and as a Systems Administrator for The University of Arizona. Garret is currently an Undergraduate Student at The University of Arizona.

 

Barrett Weisshaar is a Managing Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has been in the information technology field for nearly a decade and has specialized in information security for over 6 years. Prior to joining Trustwave, Barrett worked as a security consultant for Deloitte & Touche, focusing on retail security, penetration testing, and security architecture. Barrett holds a Bachelor's from the University of Notre Dame and an M.S. in Information Security from Carnegie Mellon University.

 

Mike Kelly is a Security Analyst at Trustwave.  He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security.  Over the past 3 years, he has written articles and tutorials for information security blogs, authored tutorial videos, and produced for a prominent information security podcast.  Mike has spent the last 3 years focusing on network and web application penetration testing, wireless security, and creating complex virtual lab environments.

 

Enterprise Incident Response: More than just an APT Problem

Matthew Standart, MSIM, CISSP

 

The Information Security Threat Landscape continues to evolve and threats remain as persistent as ever. Although APT is a common topic amongst the media, corporations, and their respective security groups, there are a variety of threats that an agile security organization deals with on a daily basis. Organizing the right people, processes, and technologies to combat these threats can be a daunting and difficult task in itself, and typically leads to many errors and waste along the way. This presentation will cover a methodology by which an organization (small to large) can provide robust incident monitoring and response services that are perceived as more than a cost center.

 

Bio:

Matthew Standart is currently the Incident Response Manager for Honeywell Global Security. Matthew has led many business process improvement efforts in the past, particularly in the areas of incident response, computer forensics, and digital investigations. He has in-depth experience in a wide variety of matters involving threats both internal and external to corporations in and outside of the defense industry. Matthew holds a Master's degree in Information Management from Arizona State University and a Bachelor's degree in Software Engineering from the University of Advancing Technology.

 

Can you hear me now??? Nope?!? Good.

Drew Porter (RedShift)

 

Ever wanted to know how to communicate with someone and not be heard? As many know, the internal cellular network uses SS7 and SIGTRAN to communicate via out-of-band signalling. What many don't know is what can be done with this. CC-MSOBS (Covert Channel via Multi-Streaming Out of Band Signalling) is a new form of covert communication which can be utilized by taking advantage of the multi-streaming aspects of SCTP and using it with the out-of-band signalling capabilities of SIGTRAN. Come explore this developing covert channel as Drew Porter covers not only his idea but also his current research on this new covert channel (AKA, someone is giving you his current research on how to communicate so the government(s) cannot hear you).

 

Bio:

Drew Porter is a Network Security student at the University of Advancing Technology. During the day Drew works as a Mobile Security Exploit Analyst for Cummings Engineering. At night, it has been rumored that Drew becomes a Ginger Ninja who preys on the souls of helpless cell phones. Spending the majority of his time researching cellular devices and the network through which they communicate, Drew currently leads the OpenGSM project and is one of the founding officers of the vulnerability research group, [Buffer]Overflow. Like most security professionals, Drew does his best work after a few beers, and encourages you all to bring a few drinks to enjoy (he certainly will be bringing some).

 

Hacking the Self-Promotion Game

Marisa Fagan

 

In the Information Security industry, those who get ahead have to do a lot of self-promotion to become well known for their personal brand. This talk will discuss three problems security professionals face when promoting themselves and their work, and then we will explore how the site SECore.info cuts through the hassles to make organizing your brand easy.

 

Bio: Marisa Fagan is Errata Security's Security Project Manager, responsible for managing custom development lifecycles, as well as managing research and consulting engagements. Ms. Fagan has a BBA degree from Georgia State University focused on IT Project Management and Information Security. Ms. Fagan has presented her work at SummerCon 2009 in Atlanta, Georgia, at SecurityBSides 2009 in Las Vegas, NV & 2010 in San Francisco, CA, at SecTor 2010 in Toronto, Canada, and at DefCon 2010 in Las Vegas, NV. Additionally, Ms. Fagan is active in the information security community through the organization of the hacker con "BayThreat" in Mountain View, CA, through founding The InfoSecMentors Project, and contributing to SECore.info.

 

Understanding Framework Vulnerabilities: Struts 2: A little “sumthin sumthin” for security code reviewers and pentesters

Abraham Kang

 

Frameworks are used in almost every web application with little thought given to their security implications. The speaker will discuss the common security vulnerabilities discovered in the Struts 2 framework and how these problems arise. Topics examined will include: value shadowing, request binding of persistent objects, DoS attacks, blended server-side threats, file disclosure vulnerabilities, default stack vulnerabilities, exploiting objects on the stack, exposed methods, framework-induced race conditions, and OGNL script execution.

Bio: Abraham Kang is Principal Security Researcher at HP Enterprise Security. He has 11+ years in information security.

 

Network anti-reconnaissance for fun and profit: Messing with Nmap

Dan "AltF4" Petro

 

The ability to perform reconnaissance on a network is all too often simply given away to the attacker for free. Packet-level inspection techniques like NIDS and firewalls are routinely evaded by Nmap. Network security tools therefore tend to ignore this problem and instead try to deny access to attackers (firewalls, NATs, DMZs, etc.) or to detect intrusion payloads as they go by (NIDS, antivirus, etc.). What we're missing is protection in the middle step: preventing and detecting reconnaissance.

 

Presented here is Nova, a new software tool for performing network anti-reconnaissance. It works by deploying a large array of thin virtual machines (modified honeyd) called the Haystack, which obfuscates the real network. It then uses machine learning techniques to analyze traffic and classify suspects, so that you don't have to go manually searching through mountains of log files like on your honeypot at home.

 

Come and see how you, too, can have fun messing with Nmap!

 

Bio: By day, Alt is a security researcher for DataSoft Corp, a small business in Scottsdale, Arizona, where he focuses on developing open source tools for network security. He holds an M.S. in Information Assurance from Arizona State University, where he studied network security and cryptographic protocols. By night, he is a rogue free software and privacy activist with a penchant for the dramatic. He is a lifelong hacker and regular member of the Phoenix 2600.

 

A crisis of identity: Practical advice for tackling Identity Management in the Enterprise

Christian Price

 

Do your users suffer from multiple identity syndrome? Are your business partners howling for the single-sign-on silver bullet?  This talk will present an overview of the identity management space, disambiguate the component parts of an IDM ecosystem, present common pitfalls from experience and discuss implementation strategies.

 

Bio: Christian is an Information Security Architect at a major specialty retailer and was formerly a consultant in SunGard Availability Services' Information Security consulting practice, a consultant with Strohl Systems in their Business Continuity and Disaster Recovery consulting practice, and a member of the IT Risk Management team at Wells Fargo. Christian currently holds the CISSP, CISM, CISA, GCIH and ITIL V3 Foundations certifications, and holds an MBA from the University of Phoenix.

 

How Cryptography Works or Choosing The Right Crypto For The Right Job

Mike Danseglio

 

Abstract: Key sizes, algorithms, elliptic curves - they all make a difference in data protection. But few people understand enough about them to make informed decisions that balance security, usability, and performance. In this session Mike Danseglio dissects a few representative algorithms to show how they work, what the bit-strength actually means, and how it differs between algorithms. He'll explain how public-key and shared-secret-key cryptography play together in real-world scenarios and how to choose the right algorithm and key length for IT application scenarios including PKI, IPSec, and Kerberos. If time permits, Mike will also demonstrate how Diffie-Hellman provides both strength and weakness to the entire framework.

Bio: Mike Danseglio has worked in the IT field for more than 20 years. He is an award-winning author, public speaker, and instructor on a variety of technology topics including security, virtualization, cloud computing, wireless and wired networking, and IT lifecycle processes. His security work has included protecting militaries, government agencies, and private industry around the world. Mike has developed and taught extensive security training on topics including cryptography, security technology, and attacks and countermeasures. Mike has published several books and numerous papers on computer security. These published works include Microsoft's own product security guides as well as security recommendations from the National Security Agency (NSA). You can find examples of his work and contact information at his website, www.nextdirectiontech.com.

 

Quantum Datum: Information-Centric Security For Cloud Computing

Rich Mogull


As cloud computing transforms data center and application design, security boundaries collapse to the smallest possible component: the data. This session presents practical strategies for securing data in the cloud today while illuminating emerging data security technologies and architectures currently in development that will impact our strategies for years to come.

• Analyze how cloud computing is collapsing security boundaries to the data within cloud initiatives.
• Apply rapid techniques to assess information risk for cloud computing.
• Implement current technical and process control options for protecting data in cloud computing environments.
• Discriminate how specific security controls, including database security, DLP, encryption, and DRM, work with cloud computing.
• Develop strategies to manage emerging technologies for securing information in the cloud over the next 5-7 years.