BsidesNOLA 2013 was a great success.  Find information about BSidesNOLA 2014 here!

 

Event details

 

When:

May 25, 2013

 

Where:

Hilton Garden Inn New Orleans Convention Center
1001 South Peters Street / New Orleans, LA 70130

Note: The venue is a 5-10 minute walk from the French Quarter

 

 

CFP

 

The CFP is now closed! Thanks to all who submitted!

 

CFP committee (besides the organizers):

 

Dion Blazakis          - @justdionysus

Dr. Golden Richard - @nolaforensix

Michael Ligh          - @iMHLv2

 

Sponsors

 

Sponsor Logos
	[Your Company's Logo Here!]

 

To request a sponsorship packet, please email bsidesnola [@] gmail.com.

 

Schedule

 

Day 1

 

	Track 1	Track 2	Track 3
9:15AM - 9:30AM	Opening Remarks  Joe Sylve (@jtsylve) Co-Founder, 504ENSICS Labs
9:30 AM - 10:30 AM	Keynote   Michael Murray (@mmurray) Securenomics - The Evolving Vulnerability Landscape and its Implications
10:30 AM- 11:30 AM	Elizabeth Schweinsberg / @bethlogic Week in the Life of a DFIR	Vassil Roussev Small Data Forensics--Making Sense of Data Fragments	Katrina  / @krodzon Sex, Drugs and Security Awareness
11:30 AM - 12:30 PM	Kyle Maxwell / @kylemaxwell Grabbing fresh "evil bits" with Maltrieve	Alissa Torres / @sibertor Sick Anti-Analysis Mechanisms in the Wild	Joshua R. Nicholson Closing the gap between incidnet handlers and security management
12:30 PM - 2:00 PM	LUNCH!!!	LUNCH!!!	LUNCH!!!
2:00 PM - 3:00 PM	Kristinn Gudjonsson / @el_killerdwarf  Plaso - reinventing the super timeline	Shannon Sistrunk / @shannonsistrunk Pulling Back the Curtain on Social Enginnering	Eric Irvin / @SecRunner Boss Hacking - how I sold your boss
3:00 PM - 4:00 PM	Andrew Case / @attrc Leveraging Memory Forensics during DFIR	Alexander Muentz Are your security devices insecure?	Golden G. Richard III / @nolaforensix Wild vs. Commercial Malware
4:00 PM - 5:00 PM	Sarah Edwards / @iamevltwin When Macs Get Hacked	Jimmy Wylie / @mayahustle & theAddict Reverse Engineering Workshop	Valerie Thomas & Harry Regan / @hacktress09 All Your Base Still Belong To Us: Physical Penetration Testing Tales From The Trenches
5:00 PM - 6:00 PM	@chort0 DFIR For Beginners		Dhia Mahjoub Discovering new malicious domains using DNS and Big Data
6:00 PM - 6:15 PM	Closing Remarks  Conference Organizers

 

 

Talk Abstracts

 

Securenomics - The Evolving Vulnerability Landscape and its Implications

 

While information security is a relatively new field (even within information technology), the field has important macro-trends that can inform a smart CISO on the likely future shifts in the threat and vulnerability landscape. Too often, an ignorance of those trends leaves many within our industry "fighting the last war"; always remaining one (or more) steps behind the attackers. Drawing on his experience both on the offensive and defensive side of security, MAD Security's Mike Murray will walk attendees through the patterns that drive change within the global vulnerability and threat landscape and provide new ways of approaching security investment to best allocate resources to protect against the threats of today.

 

Sex, Drugs and Security Awareness

 

Security behavior in users is a function of actual psychological behavior, and most information security professionals miss the actual psychological concepts behind what creates security awareness within organizations. Drawing on her background as a psychology researcher and specifically her work in addiction and human sexuality, manager of Security Behavior Design, and lead behavioral scientist for MAD Security Katrina Rodzon will show how legitimate psychology research shows the way to actually changing behavior within organizations.

 

Sick Anti-Analysis Mechanisms in the Wild

 

For those in the trenches of enterprise defense, it appears that malware authors as of late are deriving sick pleasure in mechanizing their end products with sophisticated self-defense and evasion capabilities. From "environmentally-aware" binaries to malware that defeats image acquisition, attackers have become increasingly more adapt at evading analysis. During this presentation, several of these anti-analysis techniques will be explored, preparing attendees for what they are likely to encounter with increasing frequency - malware that fights back.

 

Grabbing fresh "evil bits" with Maltrieve

 

When you're working on malware research or trying to get threat intel, sometimes you want the freshest "evil bits" you can get rather than grabbing large archives of older samples. Maltrieve is designed to help you do just that, by crawling sites that list bad URLs and grabbing the malware directly. We'll go over how Maltrieve works and what you can do with the results, including identifying previously-unknown samples, storing in repositories, and automated analysis to identify additional indicators of compromise (IOCs).

 

Are your security devices insecure?

 

Many of us allow IP capable security devices such as IP cameras, DVRs and access controls to be installed on our networks. Have you ever poked at one? During a recent client engagement, he noticed that devices designed to ensure security were themselves vulnerable to attack. It's possible to remotely disable the device, destroy evidence or use to attack other hosts. Examples of simple reverse engineering and evaluation will be done. Identities will be changed to protect the incompetent.

 

Plaso - reinventing the super timeline.

 

Timeline analysis has really grown in the past few years with new tools that can automate the correlation between multiple data sources into a single timeline. This analysis technique has provided the analyst with a completely new and unprecedented view of the data that lies on the drive. And with the introduction of the new log2timeline engine called plaso things are even changing more. The next generation of log2timeline produces more structured data with more features, which in turns opens up new ways of analyzing the massive dataset the tool extracts from any given drive. The goal of this presentation is to introduce the audience to timeline analysis in a practical way, showing how to use the tool in a simple malware intrusion investigation.

 

Social Aftermath - Responding to Social Pwnage

 

Many social engineering talks focus on the exploitation of trust relationship and the resulting compromise of corporate and personal assets. However, what happens after the pwnage is done?
This session opens with the aftermath of a successful social engineering engagement on a major automotive financing company.  Attendees will learn of the methodical analysis of the interactions which led to the compromise of customer information as well as employee and executive network credentials. The case study also illustrates how this organization was able to use the forensic analysis of social interactions to enhance its customer service business processes.  This information was also used to enhance employee engagement in protection information with associated touchpoints.  Most importantly, they transformed customer care to frustrate social engineers while enhancing the experience of their customers.

 

Securing OSI Layer 8

 

Does your company have OSI Layer 1 through 7 locked down successfully? Great, now what?  It is time to move on to OSI layer 8.  As security professionals we spend a lot of time worrying about APT, Malware, Hackers and Firewalls when our biggest security problems sit in front of our keyboards every day. I will share some hilarious war stories from inside the Missouri Capitol and show you some tools and tricks I use to help secure my users and my network so you can take them back and implement them on your network.

 

When Macs Get Hacked

 

Computer intrusions cases usually consist of a Windows boxes or a *nix system, if you are lucky. Mac intrusion cases are a rare breed. These cases have the potential to become more popular with the growing market share of Macintosh systems. Many companies and government entities use Macs as their preferred system. This presentation will introduce you to incident response and intrusion analysis of the Mac.

 

Boss Hacking - how I sold your boss

 

Ever wonder how security products are sold? In this presentation, I'll give-up the dirt on Gartner and magazine reviews, how RFP/RFI's are responded to, how we handle objections and how we get deals done. I'll also give you some ideas on how to actually get your goals accomplished without getting sold by some sleazy salesguy that you might not ever see again.

 

DFIR For Beginners

 

Who says defense isn't sexy? Incident Response is one of the fastest growing areas in security and it's a lot more interesting than configuring firewalls. While many mature companies already have established IR teams, most organizations still have no capability at all. It might seem daunting to enter the world of digital forensics, but if you start with a plan and take it step by step, it's not as hard as it sounds. This presentation will cover how I setup an IR team from scratch, what tools are available on a budget, lessons learned, and ideas for the future. I'll include short demos of tools, including LiME, Volatility, Cuckoobox, & Redline, and lots of references for participants to start their own research into DFIR.

 

Closing the gap between incidnet handlers and security management

 

Cyber Security incident handlers and forensic investigators are often disconnected from the Information Security management program that invokes them. They are highly intelligent and technically competent individuals that are great at finding and gathering evidence in the same manner as their law enforcement counterpart on the criminal investigation side. The difference between the two mainly focuses on the type of work it is. Most police detectives understand physical evidence elements such as fingerprints, DNA, blood splatter, witness testimony, criminal history, etc… They can easily understand and digest this information into actionable intelligence that will help with the investigation. Even the District Attorneys understand it and can reconstruct events based on it. However, the same cannot be said on the digital side of the house. Too often security managers in major corporations do not have a technical background. They have a business and/or risk management background or perspective. They are not going to understand terms like disk slack, metadata, running processes, exfiltration, ACLS, polymorphic, , NTFS vs. FAT, or any of those other seemingly esoteric terms. He/She needs information on the incident translated into actionable intelligence that the organization can react to and report up to senior management. The Information Security manager is responsible for coordinating a response with IT and other business lines to protect the company or restore services if need be.

In this presentation I hope to highlight some areas where technical support staff and management can help to streamline this process making the organization much more nimble and capable of reacting to security threats.

 

Wild vs. Commercial Malware

 

Modern malware is used extensively in computer crime and cyber-warfare and poses a serious threat to privacy and to our national infrastructure. The goals of malware are typically to gain access to privileged information, to provide backdoor functionality (to allow persistent, unauthorized access and control of a system), and to hide data or processes from scrutiny. Malware can employ a number of techniques to gain access to needed resources and to prevent detection, including hooking or modifying system calls, adding new system calls, inserting new kernel modules, and directly patching kernel code. Malware is increasingly stealthy, being both difficult to detect and to analyze, employing complex packing, anti-debugging, and anti-virtualization schemes.  Another form of malware, available at your local computer store, however, also deserves attention, because it poses potentially just as great a risk to individual privacy. This talk compares and contrasts "wild" and commercial, legal, off-the-shelf malware, highlighting real examples and recent casework.

 

All Your Base Still Belong To Us: Physical Penetration Testing Tales From The Trenches

 

Each year companies spend thousands of dollars on sophisticated security systems to ensure their secrets stay safe.  Physical security flaws can be found everywhere from razor wire fences to RFID cards, if you know where to look.  Join us for an hour of war stories, dos and don’ts of physical penetration testing, vulnerability trends and some prevention basics.

 

Small Data Forensics--Making Sense of Data Fragments

 

The vast majority of incident response/forensic efforts is focused on understanding (malware) code behavior. This talk focuses on tracking data, which is often necessary to evaluate the extent of a breach. Specifically, we will use a collection of (new and existing) open source tools that can identify, correlate, and classify pieces of binary data. These tools can aid in triage and quick understanding of the content of RAM and network captures, leftover HDD data, or partially corrupted files. We will also briefly present some relevant empirical studies (available as a while paper) that provide context for interpreting the tool output in various scenarios.

 

Pulling Back the Curtain on Social Enginnering

 

This talk will look at the the different theories behind Social Engineering, its applications to nonverbal communication and how it is applicable to everyday people and everyday interactions. It will also discuss how to recognize and diffuse social-engineering attacks. In this talk we will look at Social Engineering from a "social" standpoint not a "computer hacking" standpoint.  This talk will focus on the very real art of hacking the person, the use nonverbal attacks, and how to read body language. The community is becoming more aware that security includes humans, the most uncontrollable factor. Learning these tools can help control that factor.

 

Discovering new malicious domains using DNS and Big Data

 

DNS is a fundamental protocol of the Internet. A prevalent DNS-based technique known as fast flux is used by attackers to evade blacklisting and take-down of their malicious domains. Despite having been around for several years, fast flux is still common as it is used by botnets such as Kelihos, or current phishing, and malware delivery sites. This presentation will examine the algorithms and techniques we use at OpenDNS to discover large sets of new fast flux domains. These techniques are based on machine learning and graph algorithms and they leverage the power of big data technologies and large volumes of DNS traffic both recursive and authoritative.

 

 

Speaker Bios

 

Katrina Rodzon

 

Katrina Rodzon is a behavioral scientist for MAD Security. Her last 9 years have been spent studying psychology and ways to modify and study human behavior. From learning about the power of social pressure on group behavior to how subtle changes in reinforcement can drastically change individual behavior, Katrina has spent the better part of a decade learning how humans work and now applies that to security awareness. When she is not testing the effectiveness of different methods of training, she helps with every thing from curriculum development to security awareness video creation.

 

Alissa Torres

 

Alissa Torres is a Certified SANS Instructor and Incident Handler at Mandiant, finding evil on a daily basis.  She previously worked as a security researcher at KEYW Corporation, leading research and development initiatives in forensic and offensive methodologies and is co-founder of Torrora, LLC, a forensics consulting company.  Prior to KEYW, Alissa performed digital forensic investigations and incident response for a large contractor in the Defense Industrial Base.  Alissa began her career in information security as a Communications Officer in the United States Marine Corp and is a graduate of University of Virginia and University of Maryland.  As an accomplished instructor, Alissa has taught for various government agencies on topics to include digital forensics, incident response, and offensive methodologies and is a frequent speaker at industry conferences.  In addition to being a GIAC Certified Forensic Analyst (GCFA), she holds the GPEN, CISSP, EnCE, CFCE, MCT and CTT+.

 

Kyle Maxwell

 

Kyle Maxwell is a senior network security analyst for Verizon Business on the RISK Intel team, producing unclassified threat intelligence for private and public sector clients as well as supporting field investigators. He writes a blog on threat intelligence and network security at ThreatThoughts.com. Previously, he led the incident response team at Heartland Payment Systems and performed digital forensics for clients across the United States at several private investigation firms. Mr. Maxwell holds a degree in Mathematics from the University of Texas at Dallas.

 

Alexander Muentz

 

Alex is both an infosec professional and lawyer. He's cracked vendor devices to figure out how they stored evidence, done pen testing and written policy  for clients. vHe also gives legal advice to members of the infosec and hacker communities.  He's spoken at a few other conferences that you may have heard of. When he’s not trying to explain lawyer-y things to hackers or hacker-y things to lawyers, he teaches and tries to spend more time with his wife, cats and motorcycle.

 

Kristinn Gudjonsson

 

Kristinn Gudjonsson is a senior security engineer at Google, focused on forensics, incident response and tool development. Prior to joining Google he worked as a technical security manager at ArionBanki and before that as a security/incident response/forensics consultant at Skyggnir. Kristinn holds a M.Sc. degree in computer engineering from INT (Institut National des Telecommunications) in Paris as well as a B.Sc. degree in electrical and computer engineering from the University of Iceland.  Kristinn also holds several certifications such as GCIA, GCIH and GCFA Gold.  Kristinn is among other things the creator of the tool log2timeline, and now one of the core developers of the new backend engine of log2timeline called plaso.

 

Andrew Case

 

Memory analysis is the process of investigating the contents of volatile memory (RAM) in order to extract information that cannot be found using traditional disk forensics. Common examples of such data include application and disk encryption keys, network connections, running process information, runtime application state, and malware samples that inject code directly into memory and do not write to the disk. Forensics and incident response processes that do not include memory analysis will miss all of these evidence types, and when dealing with skilled attackers or strong disk encryption, memory can be the only source of relevant evidence.

During this talk, a number of common forensics and incident response scenarios that require memory analysis in order to be successfully completed will be discussed. These scenarios will include Windows computers infected with advanced malware and Android phones infected with malicious applications. To demonstrate how to perform these types of investigations, the Volatility memory analysis framework will be used. Volatility is an open source framework written in Python that allows for the analysis of volatile memory captures from Windows, Linux, and Mac computers as well Android devices. It is one of the most commonly used forensics tools and attendees of the talk will be able to immediately incorporate Volatility into their own forensics and incident response processes. Attendees will also leave with a clear understanding of the power of memory analysis and why it is rapidly becoming one of the most sought after skills in the IT security community.

 

 

Jimmy Wylie

 

When he's not taking your money on a pool table, Jimmy specializes in malware triage, deep-dive reverse engineering, and custom defensive tool development on enterprise networks. Having grown up and lived in New Orleans for 24 years, feel free to ask him which bars are best to grab tasty drinks and hear a rockin' show.

 

theAddict

 

Starting from crack-mes at the turn of the century, theAddict has been reverse-engineering binaries for the last 13 years. He now specializes in deep-dive Malware analysis and just can't seem to get enough of those sexy ones and zeroes. 

 

Sarah Edwards

 

Sarah is an experienced digital forensic examiner who has worked with various federal law enforcement agencies. She has performed a variety of investigations including criminal, counter‐intelligence, and counter‐terrorism. Sarah has a BS in Information Technology from Rochester Institute of Technology and a MS in Information Assurance from Capitol College. Sarah’s day job consists of working with federal law enforcement to investigate intrusion incidents. In her personal time she enjoys researching various topics in forensics.

 

Eric Irvin

 

I'm a security engineer for HP Enterprise Security.

 

chort

 

Corporate security, SecOps, and incident response by day, malware analysis by night. A veteran of the security industry in professional services, sales, and network security engineering. Other hobbies include: Ranting at vendors, advocating for privacy and equality, and drinking fine whiskey.

 

Golden G. Richard III

 

Golden G. Richard III is Professor of Computer Science and University Research Professor at the University of New Orleans, as well as a private digital forensics investigator.  He teaches courses in and does research in digital forensics, reverse engineering, malware analysis, and operating systems internals.  His first floppy drive cost $600 and required financing.

 

Valerie Thomas

 

Valerie Thomas is a Senior Information Security Consultant for Securicon. Throughout her years in information security she has gained expertise in penetration testing, vulnerability assessment, data loss prevention, and social engineering. She has performed engagements for private industries, non-profit organizations, and government agencies. She has taught social engineering techniques at multiple businesses, schools, and conferences.

 

Vassil Roussev

 

Vassil Roussev is an Associate Professor in Computer Science at the University of New Orleans, where he directs the Networking & Security Lab. His research and teaching are focused on cyber security and digital forensics, and he is the developer of a number of practical security tools.

 

Shannon Sistrunk

 

Shannon Sistrunk (from Marrero) has a B.A. in Speech Communication from Louisiana Tech University and a M.S. in Applied Communication from Mississippi College. Shannon won the Graduate research symposium at Mississippi College for her work on recognizing the expression of pain among the other universally accepted facial expressions. She is the owner of Bayou Communications LLC, specializing in training for corporate communication, nonverbal communication, social-engineering, and more.  Also...she really likes The Walking Dead.

 

Dhia Mahjoub

 

Security researcher at OpenDNS working on research and development problems involving DNS, security, big data, and networks.  Dhia earned his PhD in Computer Science from SMU with a specialty in graph theory. Previous development experience involved TCP/IP, protocol analyzers, and port scanners.

 

Joshua Nicholson

 

Joshua Nicholson is a Manager in the Information Security practice of Ernst & Young LLP. He has 20 years of IT experience and 11 years of Information Security engineering and management experience. Prior to joining Ernst & Young, Josh served for 7 years as V.P. Information Security Manager for a $20B commercial bank headquartered in New Orleans. His primary duties included program management, security architecture and engineering, firewall and network security operations, systems design, intrusion detection and prevention, incident response, penetration testing, vulnerability assessments, application and technology reviews, risk assessments, policies and procedures, process maturity, and technology guidelines and standards.

 

 

Planners

 

     Organizers:

• Vico Marziale - @vicomarziale
• Andrew Case  - @attrc
• Joe Sylve       - @jtsylve
• Diana Hellickson 

 

     Mentors:

• Chris Sistrunk - @chrissistrunk

 

Volunteers

 

• Registration Desk 1 -
• Registration Desk 2 -
• Breakfast                -

 

If you would like to fill any of the volunteer spots or just volunteer in general then please contact us.

 

Registration

 

Registration information can be found here: https://www.eventbrite.com/event/5259729994#

 

Task List

 

Tech

 

Wifi

Projector

Photo

Video

Audio

Streaming or Stickam or Skype or Ustream or Livestream

 

Non-tech

 

Coffee & Beignets   -

Beverages              -

Badges & Lanyards -

Venue                    -

A/V Equipment       -

T-Shirts                  -

 

 

 

Tags for flickr, twitter, blog, etc.

Please use the tag #BSidesNola for content related to this event