2011 BayThreat Speakers
The Call For Papers for BayThreat is now closed. This is a running list of the presenters that will be speaking at BayThreat. There are two tracks, running two days each, plus an Activities track.
"Breaking Security"
Travis
Mike Ridpath & Matias Brutti
Nitesh Dhanjani
Jason Craig
Neel Mehta
Dave Maynor
Francis Brown
Luiz Eduardo
Billy Rios & Terry McCorkle
Garrett Gee & Peter Kim
Sam Bowne
Jason Calvert
Cory Scott
Kyle Osborn
"Building Security"
Paul Vixie
Michael Smith
Rafal Los
Ed Bellis
Gal Shpantzer
Gillis Jones
Rand Wacker
Alistair Crooks
Allison Miller
Adam Ely
Kevin Lawrence
Jennifer Mellone
Davi Ottenheimer
Jeong Wook Oh
Michael Smith
Title: "Zerging is for Chumps: The Rise of the Non-Volume Web Denial of Service"
Synopsis: From Anonymous's Operation Avenge Assange to organized crime running protection rackets to the BitCoin Miner bot, there has been much press about high-volume Distributed Denial of Service attacks. However, lurking under the surface are other low-volume, "surgical" Denial of Service attacks that are receiving active research and development. This talk gives some of the history of non-volume attacks, an overview of Apache server process management, some examples of recent tools, and building defenses against them.
Bio: Michael Smith serves as Akamai’s Security Evangelist and is the customer-facing ambassador from the Information Security Team, helping customers to understand both the internal security program and the unique security features and capabilities of the Akamai product portfolio and cloud-based solutions. Mr Smith fulfils a cross-functional role as a liaison between security, sales, product management, compliance, engineering, professional services, and marketing.
Prior to joining Akamai, Mr Smith served as an embedded security engineer, security officer for a managed service provider, and security assessment team lead. He is an adjunct professor for Carnegie Mellon University and teaches through the non-profit Potomac Forum.
Rafal Los
Title: Making Measurable Gains - Contextualizing ‘Secure’ in a Business
Synopsis: What does ‘secure’ mean? Many security professionals work in information security for a large portion of their careers without ever being able to contextualize what they contribute to the businesses they work for - a crying shame. Being able to make sense of all the security-related process changes, widgets, technology and testing is critical to not only being successful at changing the mindset and culture of your business - but to actually making a lasting long-term impression. The only way to do this is to find ways to add business-context to security metrics - creating pseudo-business/security KPIs. This talk focuses not on how to ‘hack’ but how to effectively protect… and to make it relevant to your business so that it matters.
Bio: Rafal Los, Enterprise and Cloud Security Strategist for Hewlett-Packard Software, combines over a decade of deep technical expertise in information security and risk management with a critical business perspective. From technical research to building and implementing enterprise application security programs, Rafal has a proven track record with organizations of diverse sizes and verticals. He is a sought-after speaker at both public and private information security and quality conferences, and has presented at events produced by OWASP, ISSA, SecTor, Black Hat, Defcon, SANS and many others. Staying active and contributing to the community, he participates in OWASP and is a key liaison to the Cloud Security Alliance and other industry groups. His blog, Following the White Rabbit, with his unique perspective on enterprise security and cloud, has amassed a following from his industry peers, business professionals, and even the media, and can be found at http://hp.com/go/white-rabbit.
Prior to joining HP, Los defined what became the software security program and served as a security lead at a Global Fortune 100. Los also contributed to the global organization's security and risk-management strategy internally and with their customers. Rafal prides himself on being able to add a 'tint of corporate realism' to information security.
Rafal received his B.S. in Computer Information Systems from Concordia University, River Forest, Ill.
Gillis Jones
Title: “Show Me the Money: Why Security Still Isn’t Taken Seriously By Business”
Abstract: As someone who actually performs hacking on a daily basis for companies like FICO and Sears, financials are not a large part of my job description. But, as someone closely tied to the safety and health of a company, it is clear that we need to be vocal about these costs in order for us to function at the right level.
This presentation will be a discussion of my personal research into the financials of breaches and the bleak discoveries I came across as an infosec professional venturing into the business-side of our work. Namely, discrepancies in accounting, lack of disclosure around hacks and ballpark estimates being the standard.
I will also give my recommendation on how we can best adjust our accounting for hacking attacks based on the actual workflow of someone who deals with these situations. Currently, these numbers are far too removed from the realities of security. So I will talk about how to focus on every aspect of a breach, and how to approach past breach cost estimation from a real life perspective.
Bio: Gillis Jones is an application security engineer in WhiteHat Security’s Threat Research Center, the nerve center behind WhiteHat Sentinel, the leading website vulnerability management solution. In that role, he identifies website flaws that could lead to high-profile breaches and ensures the security of thousands of Fortune 1000 sites. He is much too easily amused by insufficient authentication on admin portals and enjoys trudging his way through the most difficult problems in security. He was very successful in the Google+ Bug Bounty program. Gillis studied computer security at the University of South Alabama.
Alistair Crooks
Title: Key Management
Abstract: This talk examines the keys and certificates that we use in everyday communication, with ssh, openssl and gnupg; the similarity and differences of the keys are discussed, and an ssh key being used to gpg/pgp sign or encrypt will be demonstrated. Different key distribution methods (for these converged keys) are examined, from the more manual methods typically in use today to hkp servers, and this will be demonstrated using a simple hkp server to distribute public keys to client machines. Various issues are then explored relating to revocation, key usage and data resilience.
Bio: Alistair Crooks is the founder of pkgsrc, and has been a NetBSD core member for 12 years; he was President of the NetBSD Foundation for 6 years. He has written various pieces of software, including netpgp, audit-packages, and the user management software in NetBSD and OpenBSD; he was the systems and storage paranoid at Yahoo!, Director of Engineering at Wasabi Systems, and IT Environments Manager at Visa Europe, and is currently security-officer@NetBSD.org. He lives in Cupertino, California, with his wife, children, mountain bike and slippers.
Adam Ely
Title: Exploiting Management For Fun and Profit
Synopsis: We speak geek and the rest of the world hears Charlie Brown's teacher. Exploit management by applying key business principles to gain total domination over budget, relationships, and strategy.
Bio: Adam Ely is the Director, Security and Compliance at TiVo where he leads security strategy and operations. In addition, he serves as an advisor to security technology companies advising on enterprise risk, market opportunities, and security management strategy. Adam is the author of the forthcoming McGraw-Hill book, Information Security Business & Strategy Essentials, to be released in 2012 and a contributing author for Dark Reading and InformationWeek where he writes about information security management, enterprise risk, industry trends, and security strategy.
Previously, Adam was with The Walt Disney Company where he was responsible for security operations and application security for the Walt Disney Internet Group encompassing all Walt Disney owned web and mobile applications such as Disney.com, ABC.com, and ESPN.com.
Adam is a CISSP, CISA, NSA IAM, and MCSE. Adam has an MBA from Florida State University.
Travis H
Title: "Web App Crypto - A Study in Failure"
Synopsis: Seldom in cryptography do we have any unconditional proofs of the difficulty of defeating our cryptosystems. Furthermore, we are often defeated not by the attacks we anticipated, but by the vectors we did not know about. Like fire and safety engineers, we learn from the mistakes of the past in order to avoid similar mistakes in the future. This presentation is a summary of the mistakes that web app developers have made in implementing cryptosystems, so that we do not repeat them.
Bio: Travis H is the founder of the Bay Area Hacker's Association (BAHA), a former member of Austin Hacker's Association, and has been employed doing security or cryptography for financial institutions, top 50 web sites, e-commerce hosting companies, web software companies, and other organizations. He has been part of the largest security monitoring operation in the world, part of the security team for the most widely used piece of software in the world, and helped design an intrusion detection system. He has written a book on security which is free online. He's also a bit uncomfortable tooting his own horn for he is keenly aware of his own ignorance, so speaks in the third person when doing so.
Ed Bellis
Title: From Shaman To Scientist: A Use Case In Data Driven Security
Synopsis:
Bio: Ed Bellis is the CEO of HoneyApps Inc, a vulnerability management Software as a Service that centralizes, correlates, prioritizes and automates the entire stack of security vulnerabilities and remediation workflow. Prior to HoneyApps, Ed served as the Chief Information Security Officer for Orbitz, the well-known online travel agency, where he built and led the information security program and personnel for over 6 years. Ed has over 18 years' experience in information security and technology.
He is a frequent speaker at information security events across North America and Europe. Past talks have included venues such as IANS Security Forum, SaaScon, AppSec DC, BlackHat, CSO Perspectives, MIS Institute, and several others. Additionally, Ed is a contributing author to the book Beautiful Security by O’Reilly and a blogger on CSO Online.
Mike Ridpath & Matias Brutti
Title: Social Engineering PenTest - Using the Dreaded Telephone
Abstract: What could possibly be worse than making a cold call? Socially engineering someone through a phone line can have the same effect as talking to a chat-bot if you don't know what you're doing. You've got to be sly, intuitive, and able to turn on a dime. Mike Ridpath and Matias Brutti will take you through the ins and outs of getting all the information you want. They'll let you in on the secrets of what ruses work with men versus women, they'll play a few (sanitized) successful calls, and share techniques and tactics that have worked for them on over 100 engagements.
Bio: About Mike Ridpath
Mike Ridpath has worked at IOActive for only two years, but during that time his talent has led to his becoming an experienced security consultant, working with platinum-level clients on network, physical and application penetration tests, PCI compliance, and general consulting engagements. Prior to IOActive, Ridpath was in senior management as a product developer and on governing boards for multiple training and process improvement companies, where he worked with risk analysis and various process improvement methodologies. He has recently presented at Black Hat USA, ToorCon Seattle, BSides Portland, and the WSCPA of Seattle.
About Matias Brutti
Matias Brutti is a Senior Security Consultant at IOActive, where he uses his deep experience in enterprise-level application and network assessment/consultation. At IOActive he performs network, web application and client-side penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. Mr. Brutti has performed security assessments and PCI DSS security support services for companies in the Fortune 100, and has five years' experience working on all manner of compliance projects. He most recently presented talks at ToorCon Seattle, BSides Portland, BlueHat and at the WSCPA of Seattle.
Daniel Peck
Title: Analyzing Social Networks for Security Data: A brief overview of my findings and thoughts on building your own toolkit
Abstract: Obviously social networks are popular. This popularity (and explosive growth rate), coupled with accessible APIs and environments that foster a false sense of trust, makes it easy for spammers and scammers to exploit users, but it also gives those with the right tools access to a massive amount of data. We will discuss the scale and history of malicious activity on social media, show some interesting findings, and talk about building your own analysis toolkit for social media.
Bio: Daniel Peck is a Research Scientist for Barracuda Labs. With experience attacking and defending critical systems of all sorts, from power plants to major financial institutions, he develops new attack strategies that are implemented as protection in Barracuda Networks' product and service lines. Notable research includes Caffeine Monkey, a tool for behavioral analysis of malicious JavaScript, and exploiting network card vulnerabilities in control system field devices.
Garrett Gee & Peter Kim
Title: Doppelganger Domains
Synopsis: Domain typosquatting is commonly used to spread malware to users who accidentally misspell a legitimate domain in their web browser. A new twist on domain typosquatting is applying the same human-element issue to email and other network-based services.
How many people would notice that they sent an email to the wrong place? What type of data could one passively gather from emails missent to the wrong domain? Would someone ever attempt to authenticate to the wrong machine?
In this presentation we will cover two email attack vectors that stem from Doppelganger Domains, show real-world examples of what type of data can be leaked, and discuss how you can protect your company in the future.
Bio: Garrett Gee has been in the information security industry for the last 14 years, and is an active member of the community. He is an OWASP chapter leader, and has authored several tools. In 2001 he developed the first bootable live CD for penetration testing and forensics, called PLAC. He has appeared on several news venues such as 60 Minutes, ABC News, and The Washington Post.
http://GodaiGroup.net
http://InfosecEvents.net
http://GarrettGee.com
Peter Kim has been in the information security industry for 7 years, working in the utility, financial, and government sectors. He currently works as a security consultant to monitor, correlate, and track malicious attackers/attacks happening in the wild. In his free time, he teaches network security classes at a local college.
Gal Shpantzer
Title: Security Outliers: Infosec Lessons from BUD/S Lite AKA One time, at SEAL Camp...
Synopsis:
Bio: Gal Shpantzer is a trusted advisor to CSOs of Fortune 500 corporations, technology startups, large universities and non-profits/NGOs. Gal has been involved in multiple SANS Institute projects, including co-editing the SANS Newsbites from 2002-2008, revising the E-Warfare course and presenting SANS@Night talks on cyberstalking, CAPTCHAs and endpoint security. In 2009, Gal founded the privacy subgroup of the NIST Smart Grid cybersecurity task group, resulting in the privacy chapter of NIST IR 7628. He is a co-author of the Managing Mobile Device Security chapter in the 6th ed. Vol 4 of the Information Security Management Handbook (2010). Most recently Gal collaborated with Dr. Christophe Veltsos (@DrInfosec) to present the Security Outliers project at RSA, CSI and other conferences. He is particularly proud of his ongoing contributions to productive snark in the community, including the Shpantzer Coma Scale of Vendor Lameness and FUD (SCSoVLF), #TSAsongs and ridiculous themes for most excellent conferences such as BSides, DojoCon and Baythreat. Gal is involved in the Infosec Burnout research project and will be co-presenting on this topic at RSA 2012.
Cory Scott
Title: Ruby for Pentesters: BayThreat Edition
Synopsis: It has been said that the Ruby programming language is the hammer for most security assessment nails. In my talk, we will review what you can do with Ruby on your next research project or penetration test, including: accelerated binary and protocol analysis, quick crypto implementations, extending Burp Suite with Buby, building scriptable debuggers with Ragweed and hit tracers with Nerve, and dealing with pesky Java applications using JRuby. We'll finish up by adding Redis to the mix and showing how you can manage test cases and results from within your Ruby code.
Bio: Cory Scott is a director at Matasano Security, an independent security research and development firm that works with vendors and enterprises to pinpoint and eradicate security flaws, using penetration testing, reverse engineering, and source code review. Prior to joining Matasano, he was the Vice President of Technical Security Assessment at ABN AMRO / Royal Bank of Scotland. He also has held technical management positions at @stake and Symantec. He has presented at Blackhat Briefings, USENIX, OWASP and SANS.
Nitesh Dhanjani
Title: Apple iOS Application Attacks and Countermeasures
Synopsis:
It is clear that Apple's iOS operating system has taken the enterprise by storm. The business and consumer adoption of iPhones and iPads is skyrocketing. We are increasingly relying upon the security of applications designed for the iOS platform to secure our confidential information, including our location data, financial information, and social details.
As such, this talk will cover the emerging attacks relevant to the application layer in iOS, including the following:
- Protocol handler attacks and countermeasures.
- Push notification abuse cases and best practices.
- Data protection capabilities in iOS and secure coding.
- iOS5 updates, including a deep dive into securely leveraging the iCloud platform.
Bio: Nitesh Dhanjani is Chief Executive Troublemaker at a large consulting company. On a daily basis, Nitesh is busy unthinking with the ultimate goal of preserving his intellectual capacity (or what is left of it now). Besides work, he likes to engage in various topics in the wonderful world of Science, including information security.
Nitesh is the author of "Hacking: The Next Generation" (O'Reilly), "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O'Reilly), and "HackNotes: Linux and Unix Security" (Osborne McGraw-Hill). He is also a contributing author to "Hacking Exposed 4" (Osborne McGraw-Hill) and "HackNotes: Network Security" (Osborne McGraw-Hill).
Prior to his current job, Nitesh was Senior Director of Application Security and Assessments at a major credit bureau where he spearheaded brand new security efforts into enhancing the enterprise SDLC, created a process for performing source code security reviews & Threat Modeling, and managed the Attack & Penetration team.
Nitesh holds both a Bachelor's and Master's degree in Computer Science from Purdue University.
Jason Craig
Title: (Junk) email of Doom: How the software your infosec & legal team requires you to run will give up your secret sauce. Alternate title: How I would have popped RSA and most of the Fortune 500.
Abstract: Vendors sell (and organizations buy) crappy software. Some of these are security solutions. These can end up compromising your organizations in ways one doesn't normally anticipate.
Big companies have unique problems that require unique solutions. They sue and they get sued, and the cost of e-discovery can be quite high on both sides of the suit. Software is purchased and implemented by companies to save money and time and provide semi-automated solutions in this space. I'll show how, through a combination of design and implementation problems, this software can compromise a company with a single junk email through its rich array of poorly written and configured features.
Bio: Jason has spent the last ten years as an e-janitor and rant collector in organizations and companies that most people have heard of. He likes beer, late apexes and situational awareness.
Sam Bowne
Title: Whitehat Vigilante: Cold Calls
Abstract: Outlaw hackers often dump lists of vulnerable websites on Pastebin and other public repositories. Many companies are unaware of their security problems, and also unaware that they are now publicly exposed. And in many cases, the organizations at risk are high-level government sites or law enforcement agencies, entrusted with confidential data which can do great harm if it is exposed.
What is the best response to this dangerous situation? One option is to simply do nothing, and let them get hacked. But I prefer to take direct action and attempt to help these people. After a small pilot study I did alone, I gave this "Cold Calls" project to my CISSP students as a class project, with excellent results. Many security problems have been resolved, and none of the companies we contacted have complained at all.
I will present our techniques, our results, and recommendations for others who may want to do similar actions. The key is careful, polite communication.
Bio: Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON and Toorcon on Ethical Hacking, and taught classes and seminars at many other schools and teaching conferences. He has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign. His Industry Certifications are: Certified Ethical Hacker, Microsoft: MCP, MCDST, MCTS: Vista; Network+, Security+, Certified Fiber Optic Technician, HE IPv6 Guru, CCENT.
Davi Ottenheimer
Title: Sharpening the Axe: How to Chop Down a Cloud
Abstract: My title is in reference to President Abraham Lincoln who was said to have once quipped:
"If I had eight hours to chop down a tree, I'd spend six hours sharpening my axe."
The runner-up quote from Lincoln was
"If this is coffee, please bring me some tea; but if this is tea, please bring me some coffee"
…but I couldn't figure out how to make it into a full presentation, let alone a title.
Perhaps "if this is cloud, please bring me on-premise; but if this is on-premise, please bring me cloud"? The axe title works fine, though, and also is in reference to Theseus' paradox, sometimes known as the Ship of Theseus or my grandfather's axe, which seems appropriate given this year's badge.
The presentation is based on some of the material you will find in my new book soon to be published by Wiley on security in virtual environments.
Bio: Davi Ottenheimer, President of security consulting firm flyingpenguin, has more than sixteen years' experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. He is a recognized expert in compliance, a qualified PCI DSS and PA-DSS assessor, and a former Board Member for the Payment Card Industry Security Alliance and the Silicon Valley chapters of ISACA and OWASP. A frequent public speaker at international conferences, he has also been quoted in or written articles on security, risk management and compliance for publications including Bank Info Security, Network World, Red Herring, Chain Store Age and SC Magazine. Davi was formerly Director of Compliance for an industry-leading SIEM company. Prior roles include manager of global communications security for Barclays Global Investors and a dedicated paranoid at Yahoo!, responsible for mobile, broadband and digital home security.
Luiz Eduardo
Title: Mobile Snitch
Abstract: Throughout the years, more people have acquired more (and multiple) mobile devices. A combination of the nature of mobile WiFi device operations and the lack of user awareness (or attention) could lead someone not only to know what device you use, but where you've been (and possibly where you're heading), where you work, etc. WiFi devices vary in the way they behave, and this will be discussed as well.
Bio: Luiz Eduardo, Head of Trustwave's SpiderLabs for Latin American and Caribbean Countries
With almost 20 years of experience, throughout his career he has worked with possibly all types of networking technologies in the enterprise and service provider sectors and the security involved in these technologies, especially 802.11 WiFi. He has also created the Incident Response practices at two networking hardware vendors. Luiz is the creator and co-founder of the y0u Sh0t the Sheriff and Silver Bullet security conferences held in Brazil and has worked on the wireless infrastructure of Blackhat, DefCon, Computer Chaos Congress and Shmoocon. As a public speaker, he has given presentations on diverse infosec topics at conferences worldwide, such as DEF CON, FIRST, H2HC, HitB Malaysia, Layerone, ShmooCon, BlueHat, THOTCON, ToorCon and others. Luiz currently holds many certifications in the information security field.
Billy Rios & Terry McCorkle
Title: Attacking the “Human” side of SCADA (an analysis of HMI Security)
Abstract: Human Machine Interfaces (HMIs) are the user interfaces that take the complicated data returned by SCADA systems and translate that data into information a human being can understand and work with. These human interfaces offer an excellent gateway to finding and attacking SCADA systems. Join us as we describe some of the HMI vulnerabilities we’ve discovered and discuss attack methodologies involving HMI.
Bio: Billy Rios is the Time 2006 Person of the Year. He travels the world saving babies and helping old ladies cross the street. When he's not travelling the world, he works for Google where he helps with Product Security.
Terry is currently a member of the Boeing Red Team. He also helps run the Blacklodge Research hackerspace in Redmond, WA. Terry was previously a finalist in the World’s Strongest Man competition, but was eliminated when he threw a Keg so high, it struck a small aircraft killing all aboard. The sport has never been the same since his departure.
Allison Miller
Title: A Million Mousetraps: Using Big Data and Little Loops to Build Better Defenses
Abstract:
Bio: Allison Miller manages the Security and Risk Management team at Tagged, the leading social network for meeting new people. Allison has over 10 years of experience in designing, building and deploying real-time threat detection and prevention systems. Miller is active in the security community and presents research on fraud prevention and account security issues regularly to both industry and government audiences, including the ITWeb Security Summit, Black Hat Briefings, SOURCE Conferences (Boston, Barcelona, Seattle), USENIX/Metricon, and RSA. Prior to joining Tagged, Miller led PayPal's Account Risk & Security team and was Director of Product & Technology Risk at Visa International.
Dave Maynor
Title: An Afternoon with Dave and Master Chief: Pentesting from Grunts to the Covenant Armada
Abstract:
Bio: David Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team, where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS, Maynor spent 3 years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer, helping make the sheer size and magnitude of security incidents on campus manageable. Before that, Maynor contracted with a variety of different companies in a wide range of industries, from digital development to protection of top 25 websites to security consulting and penetration testing to online banking and ISPs.
Jason Calvert
Title: Flash Flooding: The Prevalence of Flash Vulnerabilities on the Web
Abstract: This presentation will discuss the prevalence of Flash-related vulnerabilities on the web today and the common misconceptions of the Flash security model, while showcasing two new tools that help explore the boundaries of the cross-domain policy structure. I will also demonstrate a 0-day in a common Flash module and the remediation process to ensure your web application doesn’t become part of the statistics.
Bio: Jason Calvert is an Application Security Engineer with over 3 years of experience at WhiteHat Security’s Threat Research Center. He is currently responsible for R&D of Web application security testing techniques and Web application security assessment for WhiteHat clients. Jason has also been recognized twice by Google in their Security Hall of Fame for his Web application testing research. Mr. Calvert received a BS in Network Information Security from Saint Cloud State University in Minnesota and currently resides in the San Francisco Bay Area.
Kyle Osborn
Title: The Hidden XSS - Attacking Desktop and Mobile Applications
Abstract: Cross Site Scripting is most generally known as a website or browser vulnerability. But with today’s dynamic desktop and mobile environment, it’s not uncommon for applications to contain a mishmash of technologies. Since user-friendly interfaces are very important (we have degrees in UI development!), HTML & JavaScript are being utilized as a medium to deliver this function of the app. Fortunately for attackers, this also opens up the same web vulnerabilities that a browser allows. Using demos from popular applications across multiple operating systems as examples, we’ll go over how an attacker can own you, desktop and mobile, using an everyday web vulnerability, Cross Site Scripting. Topics include discovering XSS vulnerabilities in applications, writing the exploits, and post exploitation (what can we do??)
Bio: Kyle Osborn is a penetration tester at AppSec Consulting, where he specializes in web application security, network penetration, and physical assessments. He also plays a bad guy at the Western Regional Collegiate Cyber Defense Competition. Osborn and his team developed a CTF for the United States Cyber Challenge “Cyber Camps”, in which a number of campers competed. He has also spoken at other conventions, including BlackHat USA, DefCon & BSidesLV, DerbyCon and Toorcon.
Kevin Lawrence
Title: Putting Your Logs on a Diet
Abstract: Cut the fat from your logs and make adjustments to maximize their impact without expensive investment in even more tools. There are creative ways to adjust your log configurations beyond the default settings to get more meaningful data that leads to actionable results. Less often means more when you are trying to identify potential security incidents. Three key areas for focus include: targeting what you want to log, identifying incidents within those logs, and how to correlate multiple log sources to help paint the big picture. This presentation assumes that the organization is already logging standard access and system logs and that there are appropriate staff to interpret and guide response.
Bio: Kevin W. Lawrence is a Senior Security Associate for Stach & Liu in the Enterprise Security practice. Prior to Stach & Liu, Kevin worked for Fortune 50 companies including Honeywell and IBM. Kevin has spent over eight years designing, implementing, and responding to various cyber security controls. Key experience includes the establishment of Security Operation Centers, network defense controls, incident detection/response, and executive reporting.
Jennifer Mellone
Title: What Lurks Outside Your Door?
Abstract: We have all heard about threats, but what do we actually see outside the firewall? Sensors, a forensic capture device, and a security information event manager can provide a window to this world. In this talk, we walk through a sample event workflow, and discuss other findings. These findings show that there is smoking gun proof that when threats come a-callin’, they are welcomed, resulting in illicit activities.
Bio: Jennifer Mellone has 15 years of network engineering experience and over 8 years of information security experience. Her experience spans the commercial and aerospace/defense industries. She currently works for AppSec Consulting as a Senior Security Consultant. She is also a Commanding Officer in the Navy Reserve, leading and managing a team of 38 people, and is a veteran of Operation Enduring Freedom in Afghanistan.
Jeong Wook Oh
Title: AVM Inception: How we can use AVM instrumenting in a beneficial way
Abstract: During the last few years, we have seen multiple instances of Adobe Flash related 0-day outbreaks. This paper examines the idea of using Flash Virtual Machine Instrumentation techniques in order to research Adobe Flash vulnerabilities. Adobe Flash ActionScript has its own instruction set and virtual machine. The virtual machine is called AVM (ActionScript Virtual Machine).
Research into AVM related vulnerabilities is limited by the fact that it generates JIT (Just-In-Time) code, and malware abuses of these vulnerabilities are complicated by the execution flow. By introducing a binary instrumentation technique to Flash AVM bytecode, we can make the virtual machine act in a way that we intend. This is important because from in-the-wild sample code, we can create our own controlled version of the same exploit in a short time. This modified file can be used for vulnerability research.
Binary instrumentation was traditionally an area for native code examination. But it is also possible to apply the same technique to bytecode that uses a virtual machine. We are surrounded by many types of virtual machines these days. One of them is AVM - and the truth is that AVM has been one of the largest targets for exploitation over the last few years. It has been prone to multiple vulnerabilities including CVE-2011-0611 and CVE-2011-0609. Because the issue covers both the bytecode and native world, the actual analysis of the vulnerability can take a long time compared to more traditional vulnerabilities.
We developed bytecode instrumentation (in this case AVM bytecode instrumentation) to solve this challenging problem. What the analysts see from the crash dumps or debug traces are the dynamically generated code. Even though it’s not impossible to debug the problem tracing this dynamically generated JIT code, it would be much quicker if we knew what was really happening at the bytecode level.
We examine a number of different techniques in this area, including:
• Injecting validation or debugging instructions into AVM bytecode to debug AVM issues efficiently.
• Injecting routines to dump dynamically loaded Flash files.
• Using this technique to de-obfuscate highly obfuscated AVM bytecode.
• Putting heap spraying or JIT spraying detection logic inside AVM bytecode.
Many things are possible with this approach - all of these are helpful when analyzing and determining the maliciousness of Adobe Flash files. This approach is also very useful when analyzing unknown Adobe Flash vulnerabilities (aka 0-days).
We talk about the technical aspects of this approach and illustrate the techniques using case studies from the wild. This analysis also presents a clear picture of what is actually happening with broken AVM code.
First we are going to show the basic concepts of VMs and bytecode. We will explain what the Flash VM related security issues are and what the challenges are for analysts and researchers. After that we will present the traditional native-world approach, and will finally show the concept of AVM instrumenting. We will show actual examples of malware and the application of the instrumentation technique. There will be a story of all the barriers, and the methods to overcome them, encountered during the design and implementation of bytecode instrumentation.
Attendees will learn the basic concepts of AVM-related security issues. They will get to know that there can be another approach to analyzing this special class of vulnerabilities. Instead of struggling with the traditional approach, they are given a new concept. This technology is not limited to AVM; basically you can apply the same instrumentation technology to any VM-based binaries.
Bio: Jeong Wook Oh works for Microsoft Malware Protection Center handling vulnerability-centric cases. Usually he handles post-mortem cases, but he also contributes to the Microsoft Vulnerability Research (MSVR) program. Before MMPC, he worked for eEye Digital Security as a product development engineer and for WebSense as a security researcher. He’s the creator of the DarunGrim project (http://darungrim.org). The tool is an open-source patch analysis tool which can be used to analyze vendor patches without source code. He’s now mostly interested in binary instrumentation technologies and emulation.
Paul Vixie
Title: Building DNS Firewalls with RPZ
Abstract: A DNS Firewall can help you control what domain names, IP addresses, and name servers are allowed to function on your network. You can build such a firewall using DNS Response Policy Zones (RPZ), which is an open and vendor-neutral standard for the interchange of DNS Firewall configuration information. DNS RPZ is a standard feature of BIND9 as of 9.8.1, and is expected to be supported by other (non-BIND) name servers soon. In this talk, Paul Vixie will explain what a DNS firewall is and how to use DNS RPZ to create one for your own network.
Bio: Paul Vixie is the founder and chairman of Internet Systems Consortium (ISC), a non-profit public benefit company headquartered in Redwood City, California. ISC is the home of BIND and the F-root name server.
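To make the RPZ mechanism from the abstract above concrete, here is an added example (not code from the talk, nor from ISC or BIND) that parses a small, constructed policy zone and works out what a resolver would answer for a given query name. It models the QNAME-trigger rules of RPZ: the owner name of each record is the queried domain with the policy zone's name appended, a CNAME to "." means NXDOMAIN, a CNAME to "*." means NODATA, a CNAME to "rpz-passthru." exempts a name, and any other record is returned as local data; an exact owner wins over a wildcard. The zone name "rpz.example" and all addresses and domains in the sample are constructed placeholders.

```python
"""Toy evaluator for DNS Response Policy Zone (RPZ) QNAME-trigger semantics.

Added example for illustration; it is not part of BIND and does not replace it.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample policy zone (placeholder names and addresses). In BIND 9.8.1+
# such a file is loaded as an ordinary zone and activated with
#   response-policy { zone "rpz.example"; };
SAMPLE_RPZ_ZONE = """\
$ORIGIN rpz.example.
$TTL 300
@                        SOA   ns.rpz.example. hostmaster.rpz.example. 1 3600 600 86400 300
@                        NS    ns.rpz.example.
; QNAME triggers: owner = <domain>.<policy zone>, action = special CNAME or local data
bad.example.com          CNAME .              ; NXDOMAIN
*.bad.example.com        CNAME .              ; same for every subdomain
ok.bad.example.com       CNAME rpz-passthru.  ; exempt one host (exact name beats wildcard)
tracker.example.net      CNAME *.             ; NODATA: name exists, no records
*.tracker.example.net    CNAME *.
sinkhole.example.org     A     192.0.2.1      ; local data: answer with a walled-garden address
"""


@dataclass(frozen=True)
class Policy:
    trigger: str        # absolute domain name the rule applies to, lowercased
    action: str         # NXDOMAIN, NODATA, PASSTHRU or LOCAL
    data: str = ""      # "<type> <rdata>" for LOCAL actions


def parse_rpz(zone_text: str, origin: str) -> Dict[str, Policy]:
    """Return {trigger name: Policy} from an RPZ master file (QNAME triggers only)."""
    origin = origin.lower()
    policies: Dict[str, Policy] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()           # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1].lower()
            continue
        if parts[0].startswith("$") or parts[0] == "@" or len(parts) < 3:
            continue                                   # $TTL, apex SOA/NS, malformed lines
        owner, rtype, rdata = parts[0].lower(), parts[1].upper(), " ".join(parts[2:])
        if not owner.endswith("."):
            owner = owner + "." + origin               # make a relative owner absolute
        if not owner.endswith("." + origin):
            continue                                   # not inside the policy zone
        trigger = owner[:-(len(origin) + 1)] + "."     # strip the policy-zone suffix
        if rtype == "CNAME" and rdata == ".":
            policies[trigger] = Policy(trigger, "NXDOMAIN")
        elif rtype == "CNAME" and rdata == "*.":
            policies[trigger] = Policy(trigger, "NODATA")
        elif rtype == "CNAME" and rdata.lower() == "rpz-passthru.":
            policies[trigger] = Policy(trigger, "PASSTHRU")
        else:
            policies[trigger] = Policy(trigger, "LOCAL", f"{rtype} {rdata}")
    return policies


def evaluate(policies: Dict[str, Policy], qname: str) -> Optional[Policy]:
    """Apply RPZ QNAME matching: exact owner first, then the closest enclosing wildcard."""
    name = qname.lower().rstrip(".") + "."
    if name in policies:
        return policies[name]
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):                    # *.example.com is tried before *.com
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in policies:
            return policies[wildcard]
    return None                                        # no policy: resolve normally


def decide(policies: Dict[str, Policy], qname: str) -> str:
    """Human-readable description of the resolver's action for qname."""
    policy = evaluate(policies, qname)
    if policy is None or policy.action == "PASSTHRU":
        return "resolve normally"
    if policy.action in ("NXDOMAIN", "NODATA"):
        return f"answer {policy.action}"
    return f"answer with local data: {policy.data}"


if __name__ == "__main__":
    rules = parse_rpz(SAMPLE_RPZ_ZONE, "rpz.example.")
    # Constructed query names to exercise each rule type.
    for q in ("bad.example.com", "www.bad.example.com", "ok.bad.example.com",
              "tracker.example.net", "sinkhole.example.org", "example.com"):
        print(f"{q:24} -> {decide(rules, q)}")
```

The evaluator covers only QNAME triggers; RPZ also defines triggers on the IP addresses in an answer and on the name servers used to reach it, which the talk mentions and which this toy does not model.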
Rand Wacker
Title: Why the Cloud Changes Everything
Abstract: Take a look around, you might be surprised who is running servers in the cloud; you might be even more surprised about what they are running. Unfortunately, these people rarely if ever thought to tell the security teams, and that means big problems for us all. Securing servers in the cloud is different, very different, than in a traditional data center, but all the same risks are there. Let's start by understanding who is using the cloud, why it is so different, and what works and doesn't work from our typical security toolbox. Then let's try to solve some of those problems and come up with some best practices to help us and those we work with do what they need…securely.
Bio: Rand Wacker is VP of Product for CloudPassage, the leading provider of security for servers running in public and private clouds. Rand has been involved with security projects all his career, starting with designing the first online voting system to be used at the University of California while he was a student. Prior to CloudPassage, Mr. Wacker was Director of Product Management for Cisco's Security Technology Business Unit where he worked on market-leading products in Firewall, Intrusion Prevention, Content Security, and Compliance.
Mr. Wacker came to Cisco through the acquisition of IronPort Systems where he was responsible for product management, strategic marketing, and security threat analysis. He has held engineering, marketing, and strategy roles at Sendmail, Amazon, and Oracle. Rand holds a BS in Electrical Engineering and Computer Science from the University of California, Berkeley and an MBA from the Haas School of Business, also at Berkeley.
Francis Brown
Title: Pulp Google Hacking – The Next Generation Search Engine Hacking Arsenal
Abstract:
Last year’s Lord of the Bing presentation stabbed Google Hacking in the heart with a syringe full of adrenaline and injected life back into a dying art form. New attack tools and modern defensive techniques redefined the way people thought about Google Hacking. Among these were the first ever Bing Hacking tool and the Google/Bing Hacking Alert RSS feeds, which have grown to become the world’s single largest repository of live vulnerabilities on the web. And it was only the beginning…
This year, we once again tear down the basic assumptions about what Google/Bing Hacking is and the extent to which it can be exploited to target organizations and even governments. In our secret underground laboratory, we’ve been busy creating an entirely new arsenal of Diggity Hacking tools.
Just a few highlights of the new tools are:
* BaiduDiggity – first ever Baidu hacking tool, which targets vulnerabilities disclosed by China’s dominant search engine. DEMO: Live targeting of vulnerabilities in Chinese government websites exposed via Baidu.
* DroidDiggity – fully functional GoogleDiggity and BingDiggity application for Android phones.
* GoogleCodeSearchDiggity – identifying vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, and more. The tool comes with over 40 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more.
* FlashDiggity – automated Google searching/downloading/decompiling/analysis of SWF files to identify Flash vulnerabilities and info disclosures.
* SHODAN Hacking Alerts – new live vulnerability RSS feeds based on results from the popular SHODAN hacking search engine.
* MalwareDiggity and MalwareDiggity Alerts – leveraging Bing API and the Google SafeBrowsing API together to provide an answer to a simple question, “Am I being used as a platform to distribute malware to people who visit my website?”
* AlertDiggity – Windows systray application that filters the results of the various Google/Bing/Shodan Hacking Alerts RSS feeds and notifies the user if any new alerts match a domain belonging to them.
* DiggityDLP – Data loss prevention tool that leverages Google/Bing to identify exposures of sensitive info (e.g. SSNs, credit card numbers, etc.) via common document formats such as .doc, .xls, and .pdf. Also utilizes Google APIs for searching across Google Docs/Spreadsheets for data leaks.
That is just a taste of the new tools that will be explored in this DEMO rich presentation. So come ready to engage us as we re-define Google Hacking once again. WARNING: For safety, you should be in good health and free from high blood pressure, heart, back or neck problems, motion sickness, or other conditions that could be aggravated by this adventure.
Bio: Francis Brown, CISA, CISSP, MCSE, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 500 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Francis served as an IT Security Specialist with the Global Risk Assessment team of Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients.
Francis has presented his research at leading conferences such as Black Hat USA, DEFCON, InfoSec World, ToorCon, and HackCon and has been cited in numerous industry and academic publications.
Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology. While at Penn, Francis taught operating system implementation, C programming, and participated in DARPA-funded research into advanced intrusion prevention system techniques.