
BSidesSanFranciscoTalks01

(Related Pages :: BSidesSanFrancisco || BSidesSanFranciscoGoons)

 

Call For Presenters (CFP)

 

Please list your presentation for BSidesSanFrancisco below (and an external link to outside material if appropriate.)  Once we have a list of presentations we will vote and decide on the finalists by popular demand.  Post your vote with:

 

I vote for "<TOPIC>" by @<NAME> #BSidesSF http://bit.ly/BSidesSFtalks

 

Do you want to be a speaker?  Have your friends send their vote on Twitter to @SecurityBSides.  You may vote for more than one talk, but you may not vote for your own talk. The most votes gets added to the list.

 

Talks

 

Please update with your: name, contact information (email, Twitter, website), presentation title, and short description.  Please use the example text as a template: simply copy and paste it into a new entry, then edit it to fit your talk.

 

  • Name: HD Moore, http://www.digitaloffense.net/
  • Title: Network Time Bandits
  • Abstract: This talk will explore the results of a recent research project, showcasing the power of private databases and their global reach.

 

  • Name: Erin Jacobs, http://www.secsocial.com and Panel (JJ, http://securityuncorked.com; Andrew Hay, http://www.andrewhay.ca)
  • Title: Unicorns, Clubhouses, and Ruffled Feathers: Women in Security 
  • Abstract: Fewer women enter the Computer Science field today than they did in 1980, and this is reflected in the makeup of the security industry. Why is this? Why does it matter? How does it impact the industry, and how does it challenge individual women in the field? What can we do as a community to welcome women into the field, and keep those who do enter it from burning out? Panelists will share the diverse stories that have shaped their careers, and their advice for navigating our male-dominated sector and nurturing diverse growth.

 

  • Name: Panel Discussion: Joshua Corman http://www.the451group.com , Jack Daniel (@jack_daniel) http://blog.uncommonsensesecurity.com/, Anton Chuvakin (@anton_chuvakin) http://www.chuvakin.org/, Andy Ellis (@CSOAndy) http://www.csoandy.com/, a surprise guest
  • Title: The Great Compliance Debate: No Child Left Behind or The Polio Vaccine 
  • Abstract: Love it or hate it, Compliance is the #1 driver of spending in Security. We have come to fear the auditor more than the attacker. Paved with good intentions, where does this road lead? We know we've raised the bar, but at what cost? Have we distracted the industry from evolutions in technology and Advanced Persistent Threats like Aurora? Avoiding tired arguments, this passionate panel brings spirited, adult debate to this central issue in our industry. What is and isn't working - and for which parties? What are the unintended consequences? How can we be more deliberate about the role compliance can and cannot play in the future?

 

  • Name: Stacy Thayer, Ph.D. @stacythayer, http://www.sourceconference.com
  • Title: How to Design and Develop Your Own Security Event
  • Abstract: Have you ever wanted to run your own security conference, BSides, or event, but the idea of managing speakers, sponsors, and volunteers, negotiating with venues, creating a budget, and the general notion of organizing an event seem overwhelming? What are the pros and cons of single vs multiple tracks, lightning talks, barcamp style, and other designs? How do you get organizations to sponsor your event? How do security events differ from other industries? What makes someone a good speaker? How do you identify a good abstract vs a bad one?  Stacy Thayer, Founder and Executive Director of SOURCE Conference shares her experiences with designing and developing a security event.

 

  • Names: Will Gragido and John Pirc, http://www.cassandrasecurity.com
  • Title: Advanced Persistent Threats (Shining the Light on the Industries' Best Kept Secret)
  • Abstract: The following lecture will cover very advanced techniques and tradecraft of subversive multi-vector threats (SMTs) and advanced persistent threats (APTs) by two of the world's leading experts in this specific field.  It is important to understand that APTs have a long history and, though typically not talked about unless you are dealing with governments, the Defense Industrial Base (DIB), research organizations, and global financials, they are all too real.  The techniques and tradecraft associated are so mature and diverse that they literally go undetected.  Today’s Internet is far more complex, dynamic and diverse than ever before.  Because of this fast-paced evolution within the threat landscape, these types of attacks (as we predicted in a recent lecture at ToorCon in October 2009 in San Diego, CA) have swiftly become mainstream.  The telemetry of the attack surface knows no bounds and includes any mediums necessary for completing their operational charter and missions.  In most instances, these attacks are sponsored by nation-state and sub-national entities, either politically or economically motivated.  During our discussion, we will address the history and psychology of these cyber actors as it relates to APTs, while advancing into an in-depth discussion on SMTs, crypto-virology, asymmetric forms of information gathering, recent use cases, and next-generation countermeasures for detecting and defending against these types of attacks.  Lastly, as we predicted last fall the rise of APTs into the mainstream, we will also leave you with yet another prediction of what to expect in the coming year.

 

  • Name: Andrew Hay, http://www.andrewhay.ca
  • Title: My Life on the Infosec D-List
  • Abstract: People new to information security often find themselves wondering how to make a name for themselves in the industry. Andrew Hay has lived most of his career on the D-list but has worked hard to increase his status in the hopes of someday landing that coveted A-list position. Through this talk we'll discuss how to expand your circle of influence, how to build your personal brand, and how to move up from the dreaded Infosec D-List. (might need to change this a bit but you get the general idea).

 

  • Name: Sean-Paul Correll, http://twitter.com/lithium; http://www.pandalabs.com
  • Title: Playing with Fire – Live Demonstration of Today’s Most Dangerous Malware
  • Abstract: We hear about new malware strains and the potential threat they pose every day, but most of us have not witnessed their pervasiveness or the damage they do firsthand. It’s rare that we actually click on the malicious links or download the malware to see what harm they inflict on our computers and networks. Watch as I infect a computer with today’s most dangerous viruses, Trojans and other attacks, including pay-per-click fraudware, banking Trojans, and rootkits, in real time. During this demonstration, I will also explain which particular strains and attack techniques are particularly effective and why.

 

 

  • Name: Mike Murray and Mike Bailey, http://madsecinc.com/ / http://www.episteme.ca / http://www.skeptikal.org
  • Title: Social Penetration
  • Abstract: Advanced exploitation on social networks.  Not a social engineering talk, nor a talk about technological exploitation: the combination of exploits against people and technology all in one place. 

 

  • Name: Kevin Riggins, http://www.infosecramblings.com
  • Title: Discussion: What Makes a Good Risk Management Practice?
  • Abstract: All of our organizations have to manage risk, specifically information security risk. What does it mean to do that well? What are the moving parts that make up a good risk management practice? This discussion/panel/talk will not focus on assessment methodologies or frameworks. It will also not focus on the "information security program." We will spend some time focusing on the other moving parts of a risk management practice. Engagement with our business partners, how we bring it all together, how we can manage the inputs and outputs of the risk management process, etc. It will be an opportunity for those interested to share and learn from each other.

 

  • Name: Nick Owen, http://www.wikidsystems.com; Tyler Reguly, www.computerdefense.org; et al. TBD
  • Title: Think Before You Bank: An Interactive Panel on the Pitfalls of Online Banking
  • Abstract: From problems with SSL to Phishing, User Trust to Malware, online attackers are making a killing off online banking. This panel will discuss and debate the current state of affairs in online banking. The latest attacks, from their sophistication to their techniques may be up for discussion, as well as the steps that banks have taken to eliminate these issues. Just how risky is it to do your banking online? We'll let you be the judge of that but our advice is simple, 'Be afraid... be very afraid'.

 

  • Name: Brett Hardin, http://spotthevuln.com
  • Title: Security? Who cares!
  • Abstract: In the beginning, people inherently distrusted the Internet; however, social networking has changed this. People now enter information without even thinking of how it will affect them. This presentation will explain the shift in trust, with real-life examples, and what we as the security community need to do to change.

 

  • Name: Gal Shpantzer, http://shpantzer.blogspot.com
  • Title: Hacking the Sales Cycle
  • Abstract: If you're an influencer, technical evaluator, or have actual purchasing authority in your organization, you probably deal with salespeople all the time.  Sorry, it just comes with the territory: you have some sort of access to money and the vendors want a piece of the action.  This talk will help you deal with salespeople more effectively by explaining how they think, how they're (mis)managed, and most importantly, how they're compensated.  While technology doesn't create security by itself, it's hard to do security without some commercial tools and services (and salespeople...).  So when you do have to buy something, you'll learn how to get the most out of the purchasing power you do have by hacking the sales cycle.  This talk will give you real-world, simple takeaways that will help you get real value out of your hard-earned budget!

 

  • Name: Nick Owen, http://www.wikidsystems.com
  • Title: Secure your s**t with two-factor authentication 
  • Abstract: Is your root password 5 characters? Is your WordPress admin password f***.wordpress?  This talk will describe in simple detail how to add two-factor authentication to various remote access systems, Apache, content management systems, and VPNs, with discussions of protocol options.  The talk will focus on open source solutions for your personal network, but the same lessons can benefit enterprises.

 

  • Name: Raffael Marty, http://www.secviz.org
  • Title: Visualization Reloaded
  • Abstract: I will give an update on the security visualization space. What are the tools and technologies that are being used today?  What are some new trends?  How can we make use of them to more efficiently analyze security incidents?  I will also touch upon the economics of log files. It turns out that all we have been doing so far is analyzing infrastructure logs (IDSs, firewalls, operating systems). However, the real gold is in the application logs. I will show how we can leverage logging standards and visualization techniques to get tangible business value.

 

  • Name: Marisa Fagan, http://www.erratasec.blogspot.com
  • Title: SDL Light: A practical Secure Development Lifecycle for the rest of us
  • Abstract: Many companies are using an ad hoc software development strategy that uses as few resources as possible. Only when there is a security incident can these organizations justify change to management. We recommend a stripped down version of the classic Secure Development Lifecycle called "SDL Light" that recognizes the haste involved in a first release. It begins after the software is released and becomes compromised. SDL Light has two main advantages: Fast response and barebones resource requirements. The process uniquely manages this by heavily focusing on templates for testing and Errata's list of "20 Most Common Bugs" which identifies most security problems found in software. This process leverages the decades of combined research and on-site experience of the Errata Security pentesting team without the resource drain of housing a team of "Security Experts."

 

  • Name: Panel Discussion:  Michael Santarcangelo, http://www.securitycatalyst.com & JJ (Jennifer Jabbusch), http://www.securityuncorked.com & Marisa Fagan, http://www.erratasec.com
  • Title: So What's the Alternative? A group discussion of the security solutions replacing password authentication
  • Abstract: One of the biggest criticisms employees have with their organization's security policy is the password policy. Consumers are reluctant to use different passwords for every website they use. Password resetting administration requires resources. So, what's the alternative? This panel discussion will weigh the pros and cons of the current and future solutions that are replacing passwords to authenticate users. 

 

  • Name: David Barnett, http://www.orbitz.com and http://www.blue-lava.net
  • Title: How to Really Prepare for a Credit Card Compromise (PCI) Forensics Investigation: An ex-QIRA Speaks Out
  • Abstract: Reviewing cases ranging in size from your neighborhood bar to the massive TJX case, an ex-QIRA will discuss the dirty inside secrets of the card associations and QSAs.  Reviewing lessons learned from dozens of past forensic cases, this presentation will highlight how to prepare for a PCI-mandated forensics investigation, including: what steps should be taken to limit fines and fees, how to ensure you have proper legal representation, how to limit the scope of the investigation, and what questions to ask before deciding on who will conduct the forensic investigation.

 

  • Name: Vikram Phatak, http://www.nsslabs.com
  • Title: Being Inbred Isn't Just a Problem for Hillbillies.  Groupthink and the InfoSec Industry
  • Abstract: Attacks are getting more aggressive, yet defenses have lagged behind.  The Google / Aurora attack wasn't very sophisticated, nor was it new.  Yet the multi-billion dollar AV industry was caught unprepared.  If hackers in Russia, China, and elsewhere can uncover new vulnerabilities, why hasn't the InfoSec Industry been able to find them first?  What are vendors not doing that they should be?  And why not?  NSS Labs will share our technical research findings, along with a breakdown of where the biggest InfoSec product weaknesses are and how the next big attack will leverage those weaknesses.

 

  • Name: Alex Hutton, http://www.newschoolsecurity.com
  • Title: Risk Management - Time to blow it up and start over?
  • Abstract: Now that the industry is trying to formalize the concept of risk management into neat little compartments like standards (ISO 27005/31000), certifications (CRISC) and products (GRC), guess what?  We're doing it wrong.  Fundamentally wrong.  This talk will discuss why all this current risk management stuff is goofy and what sort of alternatives we have that might help us understand our ability to protect, our tendency towards failure, and how to match that up with what management will stomach.

 

  • Name: Gunter Ollmann, http://blog.damballa.com/
  • Title: Your computer is worth 30 cents
  • Abstract: In case you haven’t noticed, there’s a war going on. Malware vendors, SEO consultants, exploit pack developers, content delivery specialists and botnet masters are battling for control of your computer. They’re not battling you or the security systems you’ve deployed – they won that war quite some time ago. No, they’re battling each other over who gets to own your computer – and consequently who gets to make money from it.

    The botnet ecosystem is evolving at a rapid pace. Specialized services have come to fill every niche of the hacking world. The frontline is rarely the mechanical process of exploitation and infection – instead it lies with innovative 24x7 support and helpdesk ticketing systems – quality of service is the competitive edge. How much is your computer worth to them? The price point is dropping day by day, but 30 cents is a pretty average trade value. Why is it so low? Because your computer is only part of the ecosystem – and a commodity one at that.

 

  • Name: Wes Brown, http://www.ioactive.com/
  • Title: So You Want to Analyze Malware?
  • Abstract: With malware on the rise, it has become difficult for analysts to make informed decisions quickly about whether to spend time and money on a more rigorous manual review. To help combat this, I will discuss how to build and use an automated malware pipeline, which organizes and characterizes thousands of pieces of malware.  After discussing tools and techniques for building a pipeline, I will give a demonstration of how the pipeline actually handles various malware samples.  The audience will be walked through the stages, step by step, and will learn how the process works.

 

  • Name: Christian Heinrich, http://cmlh.id.au
  • Title: Payment Application - Don't Secure Sh!t (PA-DSS)
  • Abstract: Considering that the majority of PCI-related presentations that focus on the "benefit" and "increase" to "security" are delivered by consultants and vendors whose sole agenda is their financial benefit in implementing PCI-DSS, the failures and their root causes within the lesser-known Payment Application Data Security Standard (PA-DSS) will be explored.

 

  • Name: Tim Keanini, @tkeanini
  • Title: Computing Risk without Numbers:  A Semantic Approach to Risk Metrics
  • Abstract: Scoring methods are highly reliant on mathematics, but what do the numbers really mean?  W3C semantic standards allow us to create a more direct meaning-based model.  Through set theory and description logics, we can compute classification and ranking through ontology-based reasoning.  This method finally addresses the multiple viewpoints and perspectives often found within a large enterprise.

 
