Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including Liars and Outliers: Enabling the Trust Society Needs to Survive -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and blog "Schneier on Security" are read by over 250,000 people. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, and an Advisory Board member of the Electronic Privacy Information Center. He is also the Chief Technology Officer of Co3 Systems, Inc.
New Zealand-born Justine has worked in the information security industry for over 15 years. In early 2013 she joined Dow Jones in New York City, where she manages its cyber security and identity programs. In this role Justine helps evolve the company’s product line, which includes the Wall Street Journal and DJX, by drawing from a diverse background spanning computer science, information security and the performing arts.
At SOURCE Boston, Justine will bring a fresh perspective to security risk management and innovation during a period of intense technology and media industry transformation. Changing perceptions and the way security is managed within such an environment comes with significant challenges but also presents opportunity, including investment in scalable solutions, cloud migration, and managing the cultural and functional transformation of information security’s traditional role as gate-keeper to an environment of distributed risk and developer empowerment.
Dr. Andrea M. Matwyshyn is an academic studying technology innovation and its legal implications, particularly corporate information security regulation and commercial and consumer privacy. She is currently appointed as the Senior Policy Advisor and Academic in Residence at the U.S. Federal Trade Commission. In addition to her role at the FTC, she is an assistant professor in the Legal Studies and Business Ethics Department in the Wharton School, an affiliate of the Center for Technology, Innovation and Competition at the University of Pennsylvania Law School, and a faculty affiliate of the Center for Internet and Society at Stanford Law School. She also serves as a member of the board of advisors to the European Union Network of Excellence in Internet Science (EINS) and sits on the board of NYU's CRISSP's INSPIRE program. She has testified in front of Congress on issues of information security regulation and is frequently quoted by both U.S. and international media for her expertise on information technology law and policy. She regularly speaks at both law and major information security conferences. Prior to entering academia, Andrea practiced law as a corporate and securities attorney, representing both Fortune 500 and startup clients in technology transactions. She holds a BA, MA in international relations, JD with honors and PhD in developmental psychology from Northwestern University.
How to Implement New Security Features and Fix Broken Stuff with Feature Flags and A/B Tests Kenneth Lee (@kennysan) Product Security Engineer, Etsy Inc
Defenders always run into a wall when it comes to rolling out security features or fixes that have the potential to break everything--but feature flags can change that. Feature flags are a powerful ramp-up methodology to allow developers (or security folks) to enable or disable site functionality. We'll dive into ways to ramp up new security functionality and fix complex bugs using feature flags with specific examples from Etsy's bug bounty. We'll also touch upon the topic of A/B testing, and explore a real world security feature development scenario involving A/B testing to add full-site SSL to a website.
Kenneth is a senior product security engineer at Etsy.com, working on everything from managing the bug bounty program to shattering the site with new vulnerabilities. Previously, Kenneth worked at FactSet Research Systems preventing The Hackers from stealing financial data. He went to Columbia and got an MS in computer science focusing on computer security. Between sweet hacks, Kenneth enjoys drinking tea and force feeding Etsy's operations team with Japanese chocolates.
LIBRARY | Tuesday 1:00pm-1:45pm
Setup for Failure: Defeating SecureBoot John Butterworth (@jwbutterworth3) Security Researcher Corey Kallenberg Sam Cornwell, Senior Cyber Security Engineer The MITRE Corporation
In our previous "Defeating Signed BIOS Enforcement" talk, we discussed how some vendors' BIOS protections can be bypassed by an attacker who can get into SMM. In this talk we will discuss a new security issue that also leads to the bypass of access controls on an SPI flash chip. This can lead to the attacker reflashing the BIOS with embedded malicious code, defeating UEFI Secure Boot, or bricking the system. We will also discuss how we have been working with vendors to remediate these attacks, and what you can do to help protect yourself.
Corey Kallenberg is a security researcher currently employed by The MITRE Corporation. Corey specializes in low level system development, vulnerability discovery and exploitation, and rootkit analysis. Corey’s current focus is on BIOS/UEFI security. Corey has previously presented his research at DEFCON, Blackhat USA, IEEE S&P and NoSuchCon.
John Butterworth is a security researcher at The MITRE Corporation who specializes in low level system security. He is applying his electrical engineering background and firmware engineering background to investigate UEFI/BIOS security.
Sam Cornwell has been working on projects such as Checkmate, a kernel and userspace memory integrity verification & timing-based attestation tool, Copernicus 1, and numerous other private security sensors designed to combat sophisticated threats since 2011.
SHUBERT | Tuesday 1:00pm-1:45pm
Diablo Security: What Can Infosec Learn from Video Games? Dwayne Melancon (@thatdwayne) Chief Technology Officer, Tripwire, Inc.
Adventure games make it easy for us to understand how our skills, weapons, and countermeasures match up to the threats we expect to face. In this session, I'll discuss models and lessons learned from video games that can be applied to infosec to help you better prepare for adversaries and learn from lost battles. After all, why shouldn't your day job be fun and make you feel more like a hero?
Dwayne Melancon, CISA is Tripwire's Chief Technology Officer. In this role, he works with enterprises around the world to help them objectively implement and manage information security in a way that is firmly aligned with the priorities of their businesses. His current passion is helping organizations connect security's value to the business and establishing metrics and methods to enable objective decisions and informed action in information security.
WASHINGTON | Tuesday 2:00pm-2:45pm
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together Dan Cornell (@danielcornell) CTO, Denim Group
Developers want to write code and security testers want to break it. The problem is security testers need to know more about code to do better testing and developers need to be able to quickly address problems found by testers. This presentation looks at both groups and their toolsets and explores ways they can help each other out. Using open source examples built on OWASP ZAP, ThreadFix and Eclipse, the presentation walks through the process of seeding web application scans with knowledge gleaned from code analysis as well as the mapping of dynamic scan results to specific lines of code.
Dan Cornell has over fifteen years of experience architecting, developing and securing web-based software systems. As CTO of Denim Group, he leads the organization's technology team overseeing methodology development and project execution for Denim Group's customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies.
LIBRARY | Tuesday 2:00pm-2:45pm
Measuring Security Outcomes: From Data to Insight for Third Party Risk Management Stephen Boyer (@swboyer) CTO, BitSight Technologies
Organizations struggle with how to measure and manage the risks introduced through third-party relationships. In this presentation BitSight will articulate weaknesses in current approaches, demonstrate several examples of the types of data BitSight analyzes, discuss the implications for third party risk management, and examine the performance of companies in the S&P 500 as a benchmark for the cyber health of the US economy.
In 2011, Stephen cofounded BitSight Technologies, where he currently serves as CTO. BitSight provides evidence based ratings of security effectiveness to help organizations manage their security risk. Previously, Stephen was President & Cofounder of Saperix. He also led R&D programs at MIT Lincoln Laboratory, and he designed, developed, and tested products at Caldera Systems. He holds a Bachelor's in Computer Science from BYU and a Master of Science in Engineering and Management from MIT.
SHUBERT | Tuesday 2:00pm-2:45pm
Top 50 Hacker Groups of the World Christopher Ahlberg (@cahlberg) CEO and Co-founder, Recorded Future, Inc.
The future of warfare is information warfare, in fact in modern war the power of information dominance outweighs kinetic outcomes. In this new world, non-state hacker groups can play a key role - be it SEA, QCF, RedHack, etc. Hacker groups operate in networks and to disrupt these networks we need to understand and characterize them. Interestingly, the web balances being the platform to create attacks for these groups and being the source of information to prevent attacks. Hacker groups leave traces.
Some are intentional, announcing future operations, some are non-intentional. The web/internet provides a remarkable arena to collect and organize data on these actors - ranging from their identity, associations, affiliations, objectives, intentions, and technical traces. We will characterize a large set of hacker groups and use a series of analytic techniques to do so - network analysis, temporal fingerprinting, intention mapping, source analysis, temporal overlaps/pattern matching, clustering of operations/groups/intentions, target analysis, as well as geopolitical context analysis.
Dr. Christopher Ahlberg is the CEO of Recorded Future, Inc. and Chairman of Hult International Business School. He also advises a series of start up companies.
WASHINGTON | Tuesday 3:30pm-4:15pm
Meta Cognition and Critical Thinking in Open Source Intelligence (OSINT)
Benjamin Brown Akamai
When gathering open source data and transforming it into actionable intelligence, it is critical to recognize that humans are not objective observers. Conscious and unconscious assumptions drive analysts' choices about which data to analyze and how much importance to ascribe to each resource. Furthermore, analysts' personal conceptual frameworks about reality and how the world works can undermine the process of objectively translating data into intelligence. These implicit assumptions, otherwise known as cognitive biases, can lead to missed data, skewed intelligence, illogical conclusions, and poor decision making. In this presentation I will illustrate cognitive biases relevant to OSINT and what can be done about them.
LIBRARY | Tuesday 3:30pm-4:15pm
Offensive Defense through Attacker Mimicry Stephan Chenette (@StephanChenette) Founder and CTO, AttackIQ
Defending against attackers relies on the fact that you understand their techniques, tools and procedures. In this presentation I'll walk through common post-exploitation techniques used by various attack groups. Many of today's enterprises and small businesses simply assume defensive products are a one size fits all solution to detecting and stopping attackers through every phase of an attack. The reality is that each network, and each critical resource that needs to be protected, needs thorough planning around security architecture. In order to do that, you need to understand attacker tools, techniques and procedures once they've gained access, because it's not only about penetrating the network. They may have won the battle by breaking in, but they haven't won the war. There are multiple opportunities to introduce a kill chain to mitigate a successful attack. I'll walk through some basic post exploitation techniques and we'll talk about technological mitigations that can help any company build a kill chain.
Stephan Chenette is the Founder of AttackIQ (http://www.attackiq.com). Most recently Stephan was the Director of Research and Development at IOActive, where he conducted ongoing research to support internal and external security initiatives within the IOActive research team. Chenette has been involved in security research for the last 10 years.
SHUBERT | Tuesday 3:30pm-4:15pm
Bit, Bit, Coin: What Virtual Money Can Tell Us About Hacking Allison Miller (@selenakyle) Senior Director, Business Operations, Electronic Arts
Virtual currencies. Are they a way to move money, or make money? In this session we'll review what these instruments, and other alternative payment mechanisms, can tell us about building and manipulating economic & social systems.
Allison Miller is @selenakyle. Allison has over 10 years of experience in designing, building and deploying real-time threat detection and prevention systems - in payments, financial services, and other large scale online service environments.
WASHINGTON | Tuesday 4:30pm-5:15pm
iOS App Reversing; a Practical Approach Patrick Wardle Director of Research, Synack
Does your favorite iOS app compromise your security or privacy? Seemingly every week, a new vulnerability is discovered that jeopardizes mobile users. From social apps such as SnapChat or Tinder, to mobile banking apps such as CitiMobile, it seems bugs are everywhere.
Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Currently, his focus is on the emerging threats of OS X and mobile malware. In addition, Patrick is an experienced vulnerability and exploitation analyst, and has found exploitable 0days in major operating systems and popular client applications. In his limited spare time he writes iOS apps for fun (and hopefully one day, for profit).
LIBRARY | Tuesday 4:30pm-5:15pm
Mackerel: A Progressive School of Cryptographic Thought Justin Troutman (@justintroutman) Cryptographer
Mackerel is a cryptographic app design and development framework based on the premise that real-world cryptography is not about cryptography at all; it's about products. Because it's about products, it's about people, and the need for a holistic product design and development process that respects the roles of the people involved (cryptographers, developers, and consumers) by only asking them to make decisions that lie within their respective areas of understanding, and of which they understand the consequences. With user experience as a core focus, Mackerel aims to inspire products that consumers want, while affording them the cryptographic benefits they need.
Justin Troutman is a cryptographer with research interests in authenticated encryption, HUMINT and SIGINT techniques, and optimizing the user experience of cryptographic products. He has worked with entities such as Microsoft, Google, Duke University, IEEE, and USENIX.
SHUBERT | Tuesday 4:30pm-5:15pm
Risk, Audit, and Compliance for Hackers & Defenders John Nye (@johnenye) Director of Technology Risk Solutions, ProcessUnity
Your work is where the security rubber meets the road - vulnerabilities and exploits, input validation and hardening. But your boss uses boring terms like risks, controls, standards, and audit. Fixing vulns reduces risk but enterprise security is a function of consistency and velocity of process - the realm of audit.
John Nye is Director of Technology Risk Solutions for ProcessUnity, a GRC software firm. During his nearly two-decade career as a risk management professional, John has worked in a variety of consulting and management roles, specializing in information security, business continuity, corporate risk, internal audit, and compliance. He thinks all consultants should try their hand at security operations at least once during their careers.
WASHINGTON | Wednesday 11:00am-11:45am
Case study: how to build an application security metrics program Jared Pfost (@jaredpfost) VP Products & Delivery, Caliber Security Partners
We'll share a case study constructing and piloting a metrics program for secure software development in a healthcare IT company. We'll provide examples to help answer:
Why measure security in development?
What do we measure and when?
What does success look like?
What's different in agile vs waterfall?
We'll provide examples of how to communicate performance data, incorporate feedback loops, and ultimately help leadership improve their cost-benefit decisions on security investments. The result of the session will be a set of specific tasks to measure security and a process to decide if you should do them.
Jared Pfost has been learning and advancing the security field for 19 years. Jared's career combines working in IT Security teams and consulting with designing and shipping security software in startups and at Microsoft. Jared is a self-proclaimed process nut and has demonstrated you don't need unlimited resources to run a measurable, accountable, and effective security shop.
LIBRARY | Wednesday 11:00am-11:45am
Trapping Hacks With Ensnare Scott Behrens (@helloarbit) Andy Hoernecke (@ahoernecke) Senior Application Security Engineers, Netflix
Several methods exist for protecting applications from attackers outside of secure coding practices. Most of these, however, require piling on extra layers of security in the form of web application firewalls (WAFs), web server modules, or complex middleware. In this talk we discuss a different approach: self-defending applications. Instead of relying on adding devices and middleware layers (which potentially introduce additional network latency and points of failure) we focus on teaching an application to fend for itself.
Scott Behrens and Andy Hoernecke are both security evangelists at Netflix focusing on application security engineering as part of the Cloud Security team. Scott loves security research and has previously spoken at DEF CON, Derbycon, Shakacon, and a handful of other security conferences. Prior to Netflix, Andy built the application security program for a Fortune 100 retailer, and taught web application security to grad students at DePaul University.
SHUBERT | Wednesday 11:00am-11:45am
Hacking The US Trademark System: A Cautionary Tale Paul Asadoorian (@securityweekly) Founder & CEO, Security Weekly, Inc.
While many have enjoyed listening to our podcasts for the past 8 years, what you may not know is that during that time, in some shape, form or fashion, we were fighting a trademark battle. We learned a great deal during this time, and were astonished as to how easily the US trademark system could be manipulated. This talk is a cautionary tale, exploring the ins and outs of everything from the domain name game to filing for a US trademark.
Paul Asadoorian is the founder of PaulDotCom (http://pauldotcom.com), an organization responsible for publishing award-winning Podcasts, Blogs and Videos on the topics of information security and hacking. Paul's day job as the "Product Evangelist" for Tenable Network Security,
WASHINGTON | Wednesday 1:30pm-2:15pm
Security Testing WITHOUT an Army of Ninjas Andrea Doherty Product Security Office, EMC
How do you do security testing if you don't have an army of ninjas? Hire one of the few available? Train an existing, uninterested, full-time quality engineer, using development-focused and penetration-tester-focused courses and materials like SANS, OWASP, and CAPEC? Automated scanning or penetration testing, which both require expertise for interpreting results, removing false positives, and offer limited coverage?
Andrea Doherty has been a security champion, security architect, and security advisor for the past 19 years. She specified, designed and built security applications for 13 years at RSA – the Security Division of EMC, and spent the last year working for the EMC Product Security Office leading the SDL Enablement Team, which produces guidance, methodologies, and tools on best practices for applying all phases of the application security development lifecycle for product teams across EMC. She is also an Application Security Advisor for a major EMC Business Unit. Andrea represented RSA in the IETF KEYPROV Working Group, and was editor of RFC6063.
LIBRARY | Wednesday 1:30pm-2:15pm
Ripped from the Headlines: What the news tells us about Information Security Incidents Kevin Thompson (@bfist) & Suzanne Widup Risk & Intelligence Researchers, Verizon
Take a scientific look at information security incidents reported in public news sources. This talk introduces the VERIS Community Database (VCDB), a research project aimed at gathering news articles about information security incidents, extracting data, and serving as a public repository of breach data suitable for analysis and research. We will discuss how to apply the methodology of the Data Breach Investigations Report (DBIR) to public data to answer research questions, and how this view of information security incidents differs from the DBIR.
Kevin Thompson (@bfist) is a Risk and Intelligence Researcher with the Verizon RISK Team and one of the authors of the Data Breach Investigations Report. Kevin has worked in health care, higher ed, and defense and has 17 years of IT experience. He is a member of the Society of Risk Analysts, and the Society of Information Risk Analysts and holds various security certifications.
SHUBERT | Wednesday 1:30pm-2:15pm
Delivering Security at Big Data Scale Davi Ottenheimer (@daviottenheimer) Senior Director of Trust, EMC
We are meant to measure and manage data with more precision than ever before using Big Data. But companies are getting Hadoopy often with little or no consideration of security. Are we taking on too much risk too fast? This session explains how best to handle the looming Big Data risk in any environment. Better predictions and more intelligent decisions are expected from our biggest data sets, yet do we really trust systems we secure the least? And do we really know why "learning" machines continue to make amusing and sometimes tragic mistakes? Infosec is in this game but with Big Data we appear to be waiting on the sidelines. What have we done about emerging vulnerabilities and threats to Hadoop as it leaves many of our traditional data paradigms behind? This presentation, based on the upcoming book "Realities of Big Data Security" takes the audience through an overview of the hardest problem areas and into our best solutions for challenges here today.
Davi Ottenheimer, EMC Senior Director of Trust, has more than nineteen years' experience managing global security operations and assessments, including a decade of leading incident response and digital forensics.
WASHINGTON | Wednesday 2:30pm-3:15pm
Speed Networking Bob Rudis (@hrbrmstr), IT Risk Director, Liberty Mutual Rob Cheyne (@rcheyne), CEO, Big Brain Security, Inc.
The SOURCE conference attracts some amazing people. How would you like to meet them? Come to this session for a fun and light-hearted way to connect with your fellow SOURCE attendees. You will get a chance to connect one on one with your fellow infosec professionals, learn about each other, and maybe even a little bit about yourself. Following the widely known speed networking format, and maybe a few twists here and there, this interactive session allows you to quickly meet new friends and contacts.
Just show up with a willingness to play along, and we'll help you make the networking easy!
SHUBERT | Wednesday 2:30pm-3:15pm
Hiring/Recruitment Workshop Hosted By Mark Knowlton, Sr. Technical Recruiter, Akamai Mark Cucinelli, Senior Talent Advisor, TJX Jen Ellis, Director of Global Communications, Rapid7
Do you find it challenging to figure out how to present yourself in the best possible light when applying for a job or during an interview? How do you cut through the noise and get the attention of the hiring manager? Interviewing for a new job can be especially challenging when it's something you don't do very often.
In this interactive workshop, you will learn what interviewers are really looking for, as well as tips and techniques to get noticed from three people who have interviewed thousands of people. The panel will present their insights, and then will open up the session to an interactive Q&A session.
Come prepared with your tough questions to get the most out of the session.
WASHINGTON | Wednesday 4:00pm-4:45pm
Reality Checking Your Security Testing Program Darren P Meyer (@DarrenPMeyer) Senior Security Researcher, Veracode, Inc.
Your Application Security Testing Program was probably built for compliance; and around tools, processes, and assumptions based on traditional development models. Now you're moving more and more toward Agile, DevOps, or the like -- and you have problems.
Darren P Meyer is an AppSec professional with a passion for closing the gaps between development, operations, business, and security. His background in software development has informed his security experience, which includes building a security testing program for a Fortune 50 retailer, and security instruction at dozens of organizations around the world.
LIBRARY | Wednesday 4:00pm-4:45pm
Information-sharing tools, taxonomies, and trust: Babel or better? Trey Darley (@treyka), Douglas Wilson, John Wunder, Stephen Brannon
There has been a fury of activity over the past year around defining information-sharing protocols. In true Darwinian fashion, as with most standards processes, there is a confusing array of rapidly-evolving, partially-overlapping formats. STIX, CybOX, TAXII, MAEC, OpenIOC, IODEF, VERIS, CIF - the alphabet soup just goes on and on. The purpose of this panel will be to shed light on the current format and tooling landscape, discuss real-world applications, and try to forecast where this space is headed in the coming 18-24 months.
Trey Darley is a Senior Security Strategist with Splunk's Security Practice. A jack-of-all-trades, he has been leading Splunk's efforts to facilitate and utilize information-sharing methodologies. In his copious spare time he serves on the BruCON organizing committee and haunts EU policy-making circles around Brussels.
Douglas Wilson is the manager of the Mandiant Threat Indicators team, a part of the Threat Intelligence business unit. Doug's team primarily works on developing and refining techniques for improving threat indicator quality and coverage, as well as working on innovative threat intelligence automation efforts. Doug is based out of Washington DC. He has over 14 years of experience in a variety of Information Security and Technology positions, including having previously focused in Incident Response and Multi-tiered Application Architecture. Doug is also the unofficial spokesperson for the open threat information sharing standard, OpenIOC (http://openioc.org). Doug has spoken on various Infosec topics at events including FIRST, GFIRST, DoD Cybercrime, NIST IT-SAC, Suits and Spooks, Shmoocon, and many other local events in the Washington DC Metropolitan area.
John Wunder is a Lead Information Security Engineer at the MITRE Corporation, a research lab that acts as a technical advisor for the U.S. federal government. He is a lead member of the STIX project, an effort to develop a common language to enhance sharing and analysis of cybersecurity threat information in both industry and government. He has been in the software and security field for ten years and has a Master’s of Information Assurance from Northeastern University.
Stephen K. Brannon is a Principal in the Verizon Cyber Intelligence Center (VCIC). He is a contributing author of the Verizon Data Breach Investigations Report that uses the VERIS framework to study security incidents and drive evidence-based risk management. In the new VCIC, Mr. Brannon focuses on threat intelligence gathering, analysis, and sharing using a variety of formats that are the subject of this panel. Before working at Verizon, he was a Cybercrime Analyst in the Cybercrime Lab of the Computer Crime and Intellectual Property Section (CCIPS), U.S. Department of Justice, in Washington, DC. He practiced digital forensics, online investigations, and conducted research in the field. Before working at the Department of Justice, Mr. Brannon worked at the FBI leading a team responsible for computer security incident response and vulnerability assessment. He has received degrees from Georgetown University and the University of Virginia as well as professional certifications.
SHUBERT | Wednesday 4:00pm-4:45pm
The Privileged User Discussion: Security Enforcer or Threat? Michael Crouse Director, Insider Threat Strategies, Raytheon
At the core of the privileged user problem is this dichotomy: With greater access to a company's computer assets comes greater security risk. The privileged user can be a company's security enforcer but also its greatest security risk. Put another way, if a privileged user wants to do bad things, their elevated access to the company network - and all the information that entails -- makes it easier for them. Further, because of the access they maintain to their organization's most confidential information, they become high value targets to corporate "hacktivists" and persistent adversaries eager to penetrate a company's defenses.
Michael Crouse oversees the execution of existing federal and commercial cyber audits/anti-malware requirements programs while identifying new, global growth opportunities within the Department of Defense (DoD)/Intelligence Community (IC) and the private sector. He works closely with top government decision-makers and lends key influence in helping them develop new network security policies, specifically with regard to audit requirements and the detection and mitigation of insider threats.
WASHINGTON | Wednesday 5:00pm-5:30pm [TURBO]
URL Scheme Security on iOS Guillaume K. Ross (@gepeto42) Information Security Consultant
Have you ever clicked a phone number in Safari to get the phone app to call that store you were searching for? In iOS, this interaction between apps happens via URL schemes, which are available to Apple applications as well as third party applications.
Guillaume is an Information Security consultant with a background in IT. He can typically be found in the Montréal area, helping companies from big to too big with their information security programs. He is focused mostly on enterprise security, Cloud security and IT infrastructure security. None of this is relevant to his talk at SOURCE Boston 2014, where only his credentials as an Apple geek are useful.
LIBRARY | Wednesday 5:00pm-5:30pm [TURBO]
How to Save the Environment, or Why Nobody Takes Your Security Advice Daniel Crowley (@dan_crowley) Senior Security Consultant, Trustwave
Some security advice is bad, not because it doesn't fix the problem it's aimed at fixing, but because following the advice isn't actually reasonable. This talk will demonstrate through various pieces of advice on how to reduce your environmental impact how perfectly effective solutions to security problems can be mostly to completely useless in the real world.
Daniel (aka "unicornFurnace") is a Senior Security Consultant for Trustwave's SpiderLabs team. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel has developed configurable testbeds such as SQLol and XMLmao for training and research regarding specific vulnerabilities. Daniel enjoys climbing large rocks. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including Black Hat, DEF CON, Shmoocon, and SOURCE.
SHUBERT | Wednesday 5:00pm-5:30pm [TURBO]
Aligning Threats and Allies through Stories J Wolfgang Goerlich (@jwgoerlich) VP of Consulting, VioPoint
Successful defense occurs when the interests of a security team's stakeholders intersect with the attacker's actions. This session provides a three-part management methodology to enable defense-in-depth through effective stakeholder and threat management. Internally, the method models the political power of our target audience, the audience coverage of our message, the timing, and the benefits used to influence our audience. Externally, the method models the attacker's objectives, tactics, techniques, and mitigating controls. Using this story-driven security methodology, we can identify what our allies need, identify what our attackers want, and build business cases to satisfy one while thwarting the other.
J Wolfgang Goerlich supports information security initiatives in the healthcare, education, financial services, and energy verticals. As Vice President of Consulting Services for VioPoint, Wolfgang leads an information security team specializing in managed services and penetration testing.
WASHINGTON | Thursday 11:00am-11:45am
Introducing idb - Simplified Blackbox iOS App Pentesting Daniel A. Mayer (@DanlAMayer) Security Consultant, Matasano Security
In this talk, we review common classes of iOS mobile application flaws as seen in real-world applications. Moreover, to assist the community in assessing security risks of mobile apps, we introduce a new tool called 'idb' and show how it can be used to efficiently test for a range of iOS app flaws. In order to illustrate how apps commonly fail at safeguarding sensitive data, each vulnerability class is first introduced and discussed. We then demonstrate how idb can be used to uncover these flaws from a black-box perspective and provide guidance on how to mitigate each flaw.
Daniel is a consultant with Matasano Security. His experience includes penetration testing, cryptographic protocol analysis and design, security research, and system and network administration.
LIBRARY | Thursday 11:00am-11:45am
Too Many Fallen: #SecBurnOut Pt3 "Prevention & Introspection" Madeline Wallach
Enough. Over the last few years, too many of our own have fallen. Len, Aaron, Barnaby and countless others… How many of our best and brightest – our family - have been lost to suicide, to drug overdose, to depression…? How many of us self-medicate, feel empty or think about getting out of this industry? It is time to dig deeper. We know the outcomes – now we'll shift the focus to contributors and try to get in front of it.
In 2012 we asked, "Do we have a problem with Stress & BurnOut in IT Security?" with our Maslach Burnout Inventory study. In 2013, Amber Baldet educated us on Suicide Intervention. This year, we'll tackle a question that's been asked since we started: "Are there any unique contributors within our community and demographic?"
To this end, we've invited Madeline Wallach, Counseling Psychology and Arts Therapies (an expert in profoundly gifted children and adults) to help us answer what might be special about our community. Through guided discussion, we will profile some common characteristics of the profoundly gifted, including "Isolation" and "Uneven Development", but more importantly, what can be done to improve and overcome these patterns.
Madeline Wallach holds an MA in Counseling Psychology and Arts Therapies, with a specialty in working with children and adults who are extremely gifted and/or creative in any or many domains.
SHUBERT | Thursday 11:00am-11:50am
5,500 hackers + Your code = ??? Casey Ellis (@caseyjohnellis) CEO of Bugcrowd Inc.
There's an asymmetry in the way we approach security today... The threat takes the form of lots of hackers, with lots of different skill-sets and diverse motivations - and the majority of them aren't being paid by the hour to attack your stuff. Contrast this with the paid-by-the-hour consultants and in-house resources. It's not that the good guys aren't smart, it's that the model is fundamentally disadvantaged. Crowdsourcing security testing through bug bounty programs engages a crowd of "good guys who think like bad guys" and economically incentivizes them the same way the bad guys are.
Casey likes solving problems. He's the Founder and CEO of Bugcrowd, a company which provides a platform to manage bug bounty programs. He's also an Aussie who has difficulty with words that end with "er".
WASHINGTON | Thursday 1:30pm-2:15pm
Marauder or Scanning your DNSDB for Fun and Profit Dhia Mahjoub (@DhiaLite) Security Researcher, OpenDNS
Passive DNS (DNSDB) is nowadays a fundamental investigative tool that helps security researchers, malware analysts, and incident responders correlate numerous indicators to identify attacks and track malicious activities on the internet. It is built by consolidating authoritative DNS traffic into a persistent, indexed historical database. In this talk, we present "Marauder", a novel threat detection system applied to our DNSDB as well as to the live streaming authoritative DNS traffic. The system allows for rapid, parallel scanning of suspicious hotspots in the IP space and discovers new malicious domains and IPs. We will describe various attack domains detected by this system, such as trojan CnCs, exploit kit domains, botnets, etc.
Senior security researcher at OpenDNS, Dhia Mahjoub works on research and development problems involving DNS, security, big data analysis, and networks. Dhia holds a PhD in Computer Science from Southern Methodist University, Dallas, with a specialty in graph theory applied to Wireless Sensor Networks. He has a background in Computer Networks and wrote sniffers and port scanners among other things. Dhia presented at BSides NOLA, APWG eCrime, BSides Raleigh, BotConf, BSides San Francisco, ISOI 13 and will be talking at the upcoming BSides NOLA. He is also a member of the non-profit security research group MalwareMustDie, helping track botnets and other malicious sources on the Internet.
LIBRARY | Thursday 1:30pm-2:15pm
The Cavalry Isn't Coming; It Falls To Us: How you can help! Joshua Corman (@joshcorman), CTO, Sonatype Beau Woods (@beauwoods), Independent Consultant Jen Ellis, Director of Global Communications, Rapid7
What should be clear after Andrea's keynote is: The time is now for us to step up and take a leadership role in our shared futures. It won't be easy, but we are up for the challenge.
Our dependence on technology is growing faster than our ability to secure it. We looked high and low for the "adults in the room", but what's become clear is: The Cavalry Isn't Coming. It Falls to us. It falls to you… At DEFCON, we sent the clarion call and many of you have answered. Our mission: To ensure technologies with the potential to impact public safety and human life are worthy of our trust. This session will provide updates on our safety initiatives in four areas: (Automotive, Medical Devices, Home #IoT, and Public Infrastructure) - as well as our Mainstream Media & Public Policy initiatives. More importantly, we will show you where we're going and how you can help!
Our growing ranks have found renewed purpose and tangible victories in our early experimentation. So can you… It's time.
Immediately following the cavalry session, Mark Stanislav and Zach Lanier will outline BuildItSecure.ly and their efforts, lessons learned, and ways you can help with our "Home / Internet of Things" quadrant.
SHUBERT | Thursday 1:30pm-2:15pm
Painting a company red and blue Ian Amit (@iiamit) Director of Services, IOActive
Getting real and cutting the FUD out of red teaming. This talk will enable the audience not only to determine how a red team would benefit their organization, but also to maximize that benefit across the organization (yes, not just in IT security).
Ian describes himself as a hacker, red teamer, researcher, entrepreneur, bad developer, and cat herder.
WASHINGTON | Thursday 2:30pm-3:15pm
IT Security Risk Assessment: Measuring What Matters Reed Augliere Senior Technical Architect, IT Security, TJX
Classical IT risk assessment typically requires measuring everything from application threats and vulnerabilities to the valuation of business assets. In small-to-medium sized companies this may be feasible, but in large to very large organizations it is often difficult to prioritize the remediation of application vulnerabilities on the basis of business asset valuations alone. This talk examines the reasons for this disconnect and suggests where IT security risk assessment can add the most value.
LIBRARY | Thursday 2:30pm-3:15pm
The Internet of Things: We've Got to Chat Mark Stanislav (@markstanislav), Security Evangelist Zach Lanier (@quine), Security Researcher Duo Security
Similar to the explosive growth of cloud computing, the "Internet of Things" (IoT) has reached a tipping point where a serious look at the nexus of convenience versus security needs to take place. The cost, size, and complexity of chipsets that allow for Internet-enabled devices have all dramatically shrunk, making the barrier to entry into the IoT market negligible. With Kickstarter and Indiegogo helping to enable entrepreneurs to have their ideas come to market quicker than ever, the IoT expansion is happening faster than most consumers (or security professionals) realize.
Mark Stanislav is the Security Evangelist for Duo Security, an Ann Arbor, Michigan-based startup focused on two-factor authentication and mobile security. Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development. Mark earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University.
Zach Lanier is a Senior Security Researcher at Duo Security. He has been "doing security" since 2001. In 2009, he started focusing more on mobile and embedded device security, from apps, to platforms (especially Android), to mobile network and carrier security. He has presented at various public and private industry conferences, such as BlackHat, CanSecWest, DEFCON, ShmooCon, and more. He is also a co-author of the recently published "Android Hacker's Handbook".
SHUBERT | Thursday 2:30pm-3:15pm
Applied Security Metrics: Building the Financial Services Threat Report Andrew Jaquith (@arj), CTO, SilverSky
Every six months, SilverSky releases its Financial Services Threat Report, an in-depth analysis of likely and confirmed compromises across nearly 1,000 financial services customers. Although many security companies release "threat reports," SilverSky's is unique because it analyzes what has actually happened, rather than what "could" happen. In this interactive talk, SilverSky CTO Andrew Jaquith discusses the most recent results (released February 2014), the approach he takes in creating the report, metrics strategies, and methodology challenges. To close, he will solicit ideas from the audience about questions that could be answered in the future.