BSidesMemphis 2013

September 7, 2013 (Saturday)

email => bsidesmemphis AT gmail.com

twitter => http://twitter.com/bsidesmemphis

This event is FREE (as always!). Donations are appreciated.

Reserve your tickets below.

 

We are looking for sponsors to make this event possible.

 

Please contact bsidesmemphis at gmail.com for BSidesMemphis sponsorship opportunities

Please join us in thanking the following sponsors

http://www.swordshield.com/

Location

Fulton Auditorium
Southwest Tennessee Community College
5983 Macon Cove, Memphis, TN 38134

SCHEDULE

Saturday, September 7

 

8:00 AM – 8:30 AM
Kickoff + Keynote Speech

8:35 AM – 9:25 AM
How I Stopped Worrying and Learned To Love BYOD

9:30 AM – 10:20 AM
Your Software vs. The World

10:25 AM – 11:15 AM
IT Risk Management

11:20 AM – 12:10 PM
Digital Energy – BPT

12:15 PM – 1:00 PM
BBQ LUNCH

1:00 PM – 1:55 PM
Corporate Intelligence For The Spy-Curious

2:00 PM – 2:55 PM
Buy Viagra! Attacking Online Pharmacies

3:00 PM – 3:55 PM
Exploit Development for Mere Mortals

4:00 PM – 4:55 PM
Your cell phone is out to get you! OpSec for Mobile Phones

5:00 PM – 5:55 PM
Let's Go CSRF'n Now!

6:00 PM – ????
BSidesMemphis After-Party at the Historic Peabody Hotel on Beale Street

 

ABSTRACTS

 

How I Stopped Worrying and Learned to Love BYOD: Marketing Guy: "Tweeting from the pub using my work Twitter account seemed like a good idea at the time."

IT Guy: "How could our customer data be stolen? No one knows my iPhone pin except me."

Sales Gal: "After I send off this email to sales, I'm going to download Angry Chinese Birds. It's free!"

It's becoming more and more common for staff to bring their own devices to work, blending their personal data with sensitive organizational data. What could possibly go wrong? Lack of user education concerning both physical and cyber threats to mobile devices and the sensitive data stored within them is creating an epidemic of embarrassment to organizations. This presentation will highlight the dangers of an untrained staff bringing their own devices to work and the steps that could be taken to mitigate the risk of lost data, compromised devices, and embarrassing Twitter posts.

 

Your Software vs. The World: Application attacks are on the rise. Companies and consumers are constantly targeted resulting in breaches, denial-of-service, defacing, and theft; with vulnerable software the prevailing root cause. This interactive talk highlights the impact of insecure software and the make-or-break role developers play. The audience will leave with a better understanding of the issue and real-world guidance on improving the security of their applications.

 

Digital Energy - BPT: There is a great deal of conversation today regarding APT and critical infrastructure networks for ICS/SCADA, smart grid networks and service providers. The basic persistent threat (BPT) issues are being ignored in many cases. How can the APT be mitigated when the BPT issues have not been resolved? Typically, the technical capability to mitigate BPT and many of the APT risks already exists in the installed HW/SW, but proper attention to trust relationships, integration and interdependencies is overlooked. Close attention should be given to the often overlooked vulnerabilities in the network architecture and protocols that enable BPT. In this presentation, common network BPT issues that are often discovered during security consulting engagements will be discussed. BPT network architecture mitigations, including separation of services for control, management and data traffic as well as securing and monitoring trust relationships and interdependencies, will be covered.

 

Corporate Intelligence for the Spy-Curious: This presentation addresses corporate intelligence from a decidedly low-tech perspective. In a world of hyper-tech the focus is often on digital security, but many corporate intelligence experts still employ old-school, hard-core espionage techniques to amazing effect. We'll briefly discuss several methods commonly used in the corp. intel. community. From Dumpster diving to classified ads, from cocktail parties to covert surveillance, we'll give you a peek into the world of corporate spies.

 

Buy Viagra!: Are you part of the booming online pharmaceutical business, or would you like to be? This talk revolves around the interesting web command and control processes used by members of one or more pharma affiliate organizations, as uncovered by Sword&Shield on an actual intrusion case, and how your web sites could be compromised in this very same way without you even knowing it!

 

Exploit Development for Mere Mortals: This presentation is 50 minutes of live demos – Joe will walk through the basics of exploitation starting from basics of stack overflows, then SEH overwrites, egg hunters, heap spray, and ROP. For people interested in the subject of exploitation here is a chance to finally get an introduction to it from a guy that won’t put you to sleep.

 

Your cell phone is out to get you! OpSec for Mobile Phones: Our phones are quite possibly the most important devices we have. We carry them with us at all times, and we keep them next to us when we sleep. Stored on them are incredibly intimate details about our lives, but what are we doing to protect that data? In this talk we will talk about ways of protecting the data on your phone. We will discuss the myriad of different ways that you can be tracked and identified through your phone. We will discuss ways of protecting them from overzealous law enforcement officials and what malicious apps can really do. This talk will be mainly focused on Android and include some of the security tools that are available for the Android operating system.

 

Let's Go CSRF'n Now!: In a discussion focused on Cross Site Request Forgery (CSRF), explore the trust vulnerability and walk through a demonstration of the exploit in action. Understand how these attacks happen and what they look like from the perspective of both victim AND attacker. Walk away with a grasp on the security implications of this weakness as well as an understanding of why the attack is possible and what steps should be taken to prevent it. This session is a 45 minute demo with a 15 minute Q&A after. It is an advanced technical session intended for technicians, engineers, and developers with an interest in web application security.

SPEAKER BIO

 

Joe McCray (@j0emccray) is an Air Force Veteran and has been in security for over 10 years. Joe has been involved in over 150 very high level pentesting assessments and has some major hacking accomplishments that he can share with his classes. His extensive experience and deep knowledge, mixed with his comedic style, has led Joe to be one of the most highly sought after speaking experts in the industry. Joe makes speaking appearances and gives seminars at major events in the security community such as Black Hat, DefCon, BruCon, Hacker Halted and more. Joe is the recipient of the 2009 EC-Council Instructor Circle of Excellence Award and the 2010 EC-Council Instructor of the Year Award. Joe is the founder and CEO of http://strategicsec.com, an IT Security consulting firm that provides in-depth technical security assessments of your network and web applications, and regulatory compliance gap analysis.

 

Kevin Poniatowski spent the first ten years of his career learning and implementing insecure coding techniques while developing software for two Department of Defense contractors.  His thirst for knowledge and understanding of application security convinced him to escape his cubicle prison six years ago.  He has since spent his time atoning for every buffer and heap overflow vulnerability he has written by traveling the world spreading the good word of secure coding as an application security instructor and Director of Instructor led Services for Safelight Security. In his spare time, he visits local open mike stand up comedy nights to inflict his sense of humor upon unfortunate audiences.

Chris Haggard manages an Application Security team in Memphis, TN. He and his team are responsible for driving the secure development and implementation of applications and systems across the global enterprise. He is an advocate of educating developers, enabling secure systems development and evaluating the effectiveness of security assurance activities. His prior experience includes software development and security consulting positions as well as computer operations, development and security in the U.S. Air Force. He holds CISSP, GSSP, and ITIL certifications.

 

Paul Coggin (@PaulCoggin) is an Internetwork Consulting Solutions Architect with Dynetics in Huntsville, Alabama. Paul is responsible for designing and building broadband multi-service networks supporting Smart Grid, MPLS, VoIP, and IPTV for service providers, leading cyber security research efforts, in addition to performing network security architecture assessments and penetration tests for enterprises, utilities and service providers. Paul is a Cisco Systems Certified Instructor # 32230 and a Certified EC-Council Instructor. He has a BS in Mathematics, MS in Computer Information Systems. In addition he holds a wide array of certifications, including CEH, ECSA, CPTS, CISSP, CCNA SPOPS, CCNP, CCDP, CCIP, CCSP, and CCNP-Voice.

 

Josh Scott (@scottjosh) is an InfoSec enthusiast from the Dallas, TX area. I am a Husband, Father, InfoSec Enthusiast, Privacy Advocate, and Programmer. When I'm not spending time with my wife and daughters I am organizing CryptoParties in Dallas to teach people how to protect themselves from unwanted surveillance and invasions of privacy. 

 

Matt Smith is Principal Security Analyst at Sword&Shield Enterprise Security.

 

Phil Grimes (@grap3_ap3) is an Information Security Professional with experience in providing application security assessments and penetration testing services to organizations ranging from small businesses, financial institutions, e-commerce, telecommunications, manufacturing, education and government agencies, as well as international corporations. Phil started learning networking and Internet security as a hobby with AOL in 1996, developing his technical skill set independently until joining the MicroSolved Team in 2009. After leaving MicroSolved in 2012, vulnerability research and exploit development became a main focus of attention. Phil’s experience in application security, penetration testing, mobile/SmartPhone security, and social engineering have proven successful in assessments for high profile customers both domestically and around the globe. An accomplished speaker and presenter, Phil has engaged on various topics for MSI’s “State of the Threat” webinars, CUISPA conferences, and at the Central Ohio ISSA InfoSec Summit in addition to various other speaking appearances to a wide range of audiences.

 

Hal Humphreys is a nerd, an entrepreneur, an investigator, a former research analyst and a valuation specialist. He's a writer, a pub radio producer, and an educator. He's a founding partner at Storyboard EMP, LLC, education media publishers.
Hal founded [FIND] Investigations as a professional investigator. He's a former real estate appraiser. He's a fly fisherman, hiker, and food lover.
His professional expertise: tech/education/creative startups, product development, old-school marketing, business intelligence, deep research, background investigations.

 

Terry Burgin CIV CISSP, GSLC, GSNA, Sec+ is a Navy Certification Agent at Naval Support Activity Mid-South in Millington, TN.

Organizers

 

  • Brad Toler (@bttoler) - Marketing, Public Relations
  • Jimmy Butler (@Jimmy_Butler_14) - Planner
  • Thomas Le (@lotusr00t) - Planner

 

Volunteers

  • Eli Kirby (@e_kirby) - Web Master, social media.
  • Kimberly C. (@KimberlyC_AV) - Video/Audio/Photography 
Please contact bsidesmemphis <at> gmail <dot> com if you are interested in a volunteer opportunity. Thank you.

 

CPEs

 

Please print this form and ask any of the BSidesMemphis organizers to sign it if you need proof of attendance for your CPE (Continuing Professional Education) credits.

 

Please use the tag #BSidesMemphis for content related to this event
