Security Education Conference Toronto Canada - SecTor

October 25-27, 2010
MTCC, Toronto, ON, Canada
 
SecTor Session Details
SecTor Security Conference Keynote Speakers
"Involuntary Case Studies in Data Security" - Mike Rothman
"Keynotes" - To Be Announced
The Second round Speaker selection announcements are under way! Please continue to check back for information on our second round of speaker selections in the near future. SecTor 2010 will be pleased to present the following:

  IT Security Experts Canada Toronto SecTor - Technical Track
"SCADA and ICS for Security Experts: How to avoid cyberdouchery" - James Arlen
"Building the DEFCON network, making a sandbox for 10,000 hackers" - David Bryan
"Dissecting the Modern Threatscape: Malicious Insiders, Industrialized Hacking, and Advanced Persistent Threats" - Brian Contos
"CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity" - Chris Hoff
"Inside The Malware Industry" - Garry Pejski
"Malware Freakshow 2010" - Jibran Ilyas and Nicholas J. Percoco
"How I Met Your Girlfriend" - Samy Kamkar
"Into the Black: Explorations in DPRK" - Mike Kemp
"What's Old Is New Again: An Overview of Mobile Application Security" - Zach Lanier and Mike Zusman
"Into the Rabbit Hole" - Rafal Los
"Black Berry Security FUD Free" - Adam Meyers
"Beyond Exploits: Real World Penetration Testing" - HD Moore
"The Four Types of Lock" - Deviant Ollam
"Sniper Forensics v2.0 - Target Acquisition" - Christopher Pogue
"Web Application Payloads" - Andrés Pablo Riancho
"Language Theoretic Security: An Introduction" - Len Sassaman and Meredith L. Patterson
"Distributed Denial of Service: War Stories from the Cloud Front" - Michael Smith
  IT Security Experts Canada Toronto SecTor - Management Track
"SDL Light: A practical Secure Development Lifecycle for the rest of us" - Marisa Fagan
"Mastering Trust: Hacking People, Networks, Software, and Ideas." - Pete Herzog
"Smashing the stats for fun and profit v.2010" - Ben Sapiro
"400 Apps in 40 Days" - Sahba Kazerooni and Jason Lam
IT Security Experts Canada Toronto SecTor - Turbo Talk Track
"Moving to the new security model in SharePoint 2010: claims-based authentication" - Reza Alirezaei
"Do you know how mature your Secure SDLC is?" - Tatiana Outkina and Ben Sapiro
"Securing your network with open-source technologies and standard protocols: Tips & Tricks" - Nick Owen
"Pentesting IPhone Apps" - Subu Ramanathan
"Barcodes: Read it, Write it, Hack it" - Michael Smith
  IT Security Experts Canada Toronto SecTor - Turbo Talk Track
"Microsoft’s cloud security strategy" - Mohammad Akif
"Unidirectional Connectivity as a Security Enabler for SCADA and Remote Monitoring Applications" - Lior Frenkel
"Beyond Aurora's Veil: A Vulnerable Tale" - Derek Manky
"Metasploit Pro – An HD Moore Production" - HD Moore
"Culture Shift: Social Networking and Enterprise Environments (Security Risk vs Reward)" - John W. Pirc
"Today’s Reality: Living in Compromise to Advanced Persistent Threats" - Charlie Shields
"By The Time You've Finished Reading This Sentence, 'You're Infected'" - Eldon Sprickerhoff
TBA



KeyNotes -

Involuntary Case Studies in Data Security -  Mike Rothman

It is absolutely backwards, but while the bad guys constantly share details of their exploits, including techniques, when it comes to real incidents, actual defenders rarely talk about what worked, and what didn't. In this session, Mike Rothman will name names as he builds in-depth case studies based on publicly available information, some of which isn't overly public. He will combine these with the latest information from breach reports and other statistical sources to build a picture of how real breaches happen, which security controls really work, and which compliance checkboxes are a complete and total waste of time.

More To Be Announced

Sessions -

Microsoft’s cloud security strategy - Mohammad Akif

As the adoption and interest in cloud computing grows, technical and business decision-makers are trying to assess the risk associated with using the cloud infrastructure. Join Mohammad Akif, the National Security and Privacy Lead for Microsoft Canada to learn about the threat landscape for cloud computing and how the industry in general and Microsoft in particular plans to address these concerns.

Moving to the new security model in SharePoint 2010: claims-based authentication - Reza Alirezaei

Having the right security model in place is critical to the protection of your SharePoint farm and its content. Thankfully, Microsoft has added a new security model to SharePoint 2010 named claims-based authentication, which makes all this a lot easier to set up, manage and program against. In this session we will take a look at how you can focus on real business problems by leveraging the authentication plumbing that has already been built for you. We will set up existing SharePoint web authentication to use a claims provider and walk you through both the developer and administrator experience.

SCADA and ICS for Security Experts: How to avoid cyberdouchery - James Arlen

The traditional security industry has somehow decided that they are the white knights who are going to save everyone from the horror of insecure powergrids, pipelines, chemical plants, and cookie factories. Suddenly, every consultant is an expert and every product fixes SCADA. And because they don't know what the hell they're talking about -- 'fake it till ya make it' doesn't work -- they're making all of us look stupid.

Building the DEFCON network, making a sandbox for 10,000 hackers - David Bryan

David covers how the DEFCON network team builds a network from scratch, in three days with very little budget. How this network evolved, what worked for him, and what didn’t work over the last ten years. This network started as an idea, and after acquiring some kick butt hardware, has allowed them to support several thousand users concurrently. In addition David will cover the new WPA2 enterprise deployment, what worked, and what didn’t, and how the DEFCON team is going to make the Rio network rock!

Dissecting the Modern Threatscape: Malicious Insiders, Industrialized Hacking, and Advanced Persistent Threats - Brian Contos

This is an intermediate to advanced level presentation that pulls from McAfee Labs research as well as real-life customers. This is original content designed to paint a clear picture of today’s threat landscape and through doing so illustrate the differences between insider threats, industrialized hackers, and APTs. Attacks are coming from all angles. In some cases they are very rudimentary; in others they are highly complex. Organizations must be able to protect themselves regardless, and do so in a way that is in parity with business operations, maintains employee and partner agility, and is manageable without the complexity of the solution being worse than the attack itself. Failure to address these three different attack types can result in everything from diminished brand loyalty, regulatory penalties, and lost revenue, to stolen intellectual property, economic competitive disadvantage, and military competitive disadvantage.

SDL Light: A practical Secure Development Lifecycle for the rest of us - Marisa Fagan

Security companies are beginning to attack the problem of software vulnerabilities at the source, the development process. Secure coding programs like Microsoft SDL, OWASP SAMM, and BSIMM save the organization money and time by taking the bugs out at the beginning, and avoid costly incident response nightmares. Chris Wysopal, CTO at Veracode, says "Many of these methodologies are fairly new. Many development organizations don't have the process rigor or the resources to do anything more formal than use one tool or service as part of the development lifecycle." A survey done by Errata during RSA shows there is a great demand in the industry for making these secure coding programs more affordable and less resource intensive.

Unidirectional Connectivity as a Security Enabler for SCADA and Remote Monitoring Applications - Lior Frenkel

Network segregation (also called “air-gapping”) is considered a foolproof method for protecting networks from external attacks or from data theft/leakage. Unfortunately, employing this method requires users to forgo all benefits of connectivity; hence this method is not acceptable today as a viable security means.

Unidirectional connectivity, hardware enforced over all layers of communications, is an interesting compromise between full connectivity and full segregation. Unidirectional Security Gateways are now becoming a viable option for securing SCADA and other industrial and critical networks.

The paper will review the existing security postures evident in SCADA networks and then introduce the concept of unidirectional connectivity. A detailed analysis of the advantages and limitations of unidirectional connectivity-based security solutions will be presented, containing resulting SCADA network architectures created when employing unidirectional connectivity security means. Additional analysis will be provided regarding the effects and requirements that unidirectional connectivity imposes on the methodology and use of SCADA applications employed on such networks. In addition, the paper will discuss compliance concerns with specific reference to NERC and NRC regulations.

Mastering Trust: Hacking People, Networks, Software, and Ideas. - Pete Herzog

Why can't we make the right decision all the time? Our sense of trust is broken. Lies, deceit, fraud, and insinuations make up a large part of crime for a reason. We are bad at trust. It's in our biology. It's why we sometimes make the wrong friends, date the wrong people, buy the wrong car, and do things that in retrospect were really really dumb. Now consider the fact that trust makes up the majority of security decisions from who you let in to what you connect to and you see we have a very big problem. This talk shows you how we are broken, how to analyze and test trusts, how the ISECOM trust metrics work, how they are used to replace risk assessments in many organizations, and how they can help you make better overall decisions.

CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity - Chris Hoff

Mass-market, low-cost, commodity infrastructure-as-a-Service Cloud Computing providers abstract away compute, network and storage and deliver hyper-scaleable capabilities.

This "abstraction distraction" has brought us to the point where the sanctity and security of the applications and information transiting them are dependent upon security models and expertise rooted in survivable distributed systems, at layers where many security professionals have no visibility.

The fundamental re-architecture of the infostructure, metastructure and infrastructure constructs in this new world forces us back to the design elements of building survivable systems focusing on information centricity -- protecting the stuff that matters most in the first place.

The problem is that we're unprepared for what this means, and most practitioners and vendors focused on the walled garden, perimeterized models of typical DMZ architecture are at a loss as to how to apply security in disintermediated and distributed sets of automated, loosely-coupled resources.

We're going to cover the most salient points relating to how IaaS Cloud architecture shifts how, where and who architects, deploys and manages security in this "new world order" and what your options are in making sustainable security design decisions.

Malware Freakshow 2010 - Jibran Ilyas and Nicholas J. Percoco

We had a busy year. We investigated over 200 incidents in 24 different countries. We ended up collecting enough malware freaks [samples] to fill up Kunstkammer a few times over. Building upon last year's DEFCON talk, we want to dive deeper and bring you the most interesting samples from around the world - including one that made international headlines and the rest we're positive no one's ever seen before (outside of us and the kids who wrote them). This talk will bring you 4 new freaks and 4 new victims including: a Sports Bar in Miami, Online Adult Toy Store, US Defense Contractor, and an International VoIP Provider. The malware we are going to demo are very advanced pieces of software written by very skilled developers. The complexity in their propagation, control channels, anti-forensic techniques and data exporting properties will be very interesting to anyone interested in this topic.

How I Met Your Girlfriend - Samy Kamkar

How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend. This includes entertaining and newly discovered attacks including PHP session prediction and random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via JavaScript (turning your router against you), extracting extremely accurate geolocation information from a Web browser (not using IP geolocation), and more.

400 Apps in 40 Days - Sahba Kazerooni and Jason Lam

You are an information security practitioner who finds themselves responsible for the security of their organization’s data. From an application perspective you are most likely looking at hundreds, if not thousands, of internet-facing domains. How do you prioritize one over another? How do you do this on-time and on-budget? This presentation aims to provide answers to these classic challenges. Sahba Kazerooni and Jason Lam will present a real-world case study where the requirement is simple: Reduce the risk to an organization from all external-facing applications. The discussion is interwoven with lessons of attack surface discovery, risk analysis and application assessment methodology.

Into the Black: Explorations in DPRK - Mike Kemp

North Korea scares people. Allegedly DPRK has a super l33t squad of killer haxor ninjas that regularly engage in hit-and-run hacks against the Defense department, South Korea, or anyone else who pisses off the Glorious Leader. DPRK also has no real Internet infrastructure to speak of (as dictators don't like unrestricted information), although it does have a number of IP blocks (unused?). This talk examines some of the myths about DPRK, and some of their existing and emerging technologies. This talk also examines some of the available infrastructure associated with DPRK (funnily enough some of which is in South Korea and Japan) and explores the potential technical threats posed by a pernicious regime, as well as exposing some of the huge gaps in logic that have led to the world potentially engaging in Chicken Little syndrome when it comes to DPRK. No 0days will be demonstrated; however, this talk will discuss some new information that hasn't yet been made public, and will hopefully call time on the whole 'cyberwar' sideshow.

What's Old Is New Again: An Overview of Mobile Application Security - Zach Lanier and Mike Zusman

The ever-increasing prevalence of mobile devices brings with it a slew of security problems. Applications running directly on mobile devices (and web apps optimized for mobile clients) are ripe for the picking even by unsophisticated attackers. The attack classes that once applied to traditional network-facing, fat client, and web applications are now valid for mobile apps, as well. Insecure authentication and access control; home-grown crypto; and memory management problems are just some of the issues resurfacing on this new frontier. This presentation will discuss the security of some of the most popular applications running on mainstream mobile platforms such as Android, iPhone, Blackberry, and Windows Mobile.

Into the Rabbit-Hole - Rafal Los

Since the caveman first fashioned a spear, humans have been using tools to make them more efficient and effective. Unfortunately, today's analysts often misunderstand the role tools play in testing web applications. While tools can be quite good at mapping a web application's attack surface, there is still much human analysis that must be done to find the elusive defects that lie just below the surface. That human analysis is daunting and irregular ... until now.

The answer is an execution-flow-based approach to application security testing. By first understanding application logic and execution flow it is possible to completely map a web application's attack surface, and therefore fully test the application. Along the way we will cover understanding the principles of application-flow analysis, application process mapping and building execution-flow diagrams (EFDs) which together form a complete picture of the web application and allow an analyst to do a thorough job. This talk focuses on how to get the whole picture of the application by mapping logic and execution flow of the application and uncovering potentially critical defects.

Beyond Aurora's Veil: A Vulnerable Tale - Derek Manky

In 2009, the Conficker worm was dissected by researchers, and then fried by the spotlight on a worldwide stage. One year later, we saw the Aurora assaults similarly glow in the headlines. Defense was tense against these two nasties – yet, in each case, easily circumvented by two potent zero-day exploits that crept in from the digital depths. Derek Manky will provide case studies on the zero-days, along with live demonstrations.

Manky will go on to highlight drive-by attacks launched during Conficker's rise, which have provided growth to one of today's largest botnets – Bredolab. He will show sophisticated techniques and structure Bredolab has developed over the course of a year. Illuminating their shadows, Manky will unveil these threats in order to provide insight and provoke thought for a broader defense strategy, instead of using reactive tunnel-vision that is all too common.

Black Berry Security FUD Free - Adam Meyers

As mobile computing devices proliferate the enterprise, more 'security' conscious people are raising flags about mobile device security. One device which is dominant in the enterprise mobile computing world is the ubiquitous Blackberry(TM), which has quite a bit of Fear, Uncertainty and Doubt surrounding it and its security controls. Rumors about Blackberry compromises and confusion about remote access toolkits for the Blackberry run amuck in many circles. This presentation aims to set the facts straight by going right to the source - literally - in an effort to dispel FUD about the device. We will look to Research In Motion (RIM) documentation, API, and SDK to enumerate the facts and squash the FUD. The presentation will also explore the Printed Circuit Boards (PCB) in several devices to examine the architecture and chip sets, and a disassembled operating system will be examined as well.

Beyond Exploits: Real World Penetration Testing - HD Moore

This presentation focuses on abusing design flaws, configuration errors, and information leaks to gain access to typical environments. The open source Metasploit Framework will be used as a demonstration platform to illustrate how low-risk information leaks can be combined to gain administrative access to a target network.

Metasploit Pro – An HD Moore Production - HD Moore

Join Metasploit founder and Rapid7 CSO, HD Moore, to learn about Metasploit Pro, a new commercial penetration testing tool based on the open source Metasploit Framework. Metasploit Pro’s graphical user interface enables ethical hackers to quickly and easily launch simultaneous, sophisticated attacks against several targets. Metasploit Pro automates common tasks such as smart bruteforcing, evidence collection and reporting to speed up your pen testing assignments.

The Four Types of Lock - Deviant Ollam

Physical security is an oft-overlooked component of data and system security in the technology world. While numerous ratings and standards exist in order to classify specific security hardware, many of these standards are ill-defined and poorly understood. Do you know what makes a "hardened" or "contractor grade" lock special? What does the phrase "high security" signify on hardware packaging? As it turns out, many of these terms are just for show... but Deviant will walk you step-by-step through some distinct and easy-to-follow examples of how low-grade locks can fail as well as how to clearly identify quality equipment. Additionally, we will cover the more difficult matter of hardware purchase decisions at the highest levels... fine distinctions such as which locks belong on the CEO's office versus which ones to use on your server rooms. Every situation calls for something a bit different, and those differences add up when you're spending $100 or more per lock. Make your money count and keep your budget, and your data, secure.

Do you know how mature your Secure SDLC is? - Tatiana Outkina and Ben Sapiro

Traditional CMM allows evaluating the maturity of many processes, but does it address security requirements for systems development and supporting processes? There is a growing interest in evaluating and reporting the security level of processes, mainly due to evolving government and industry regulations. The talk will present ideas and an approach for how to evaluate the maturity of security in the development process.

Securing your network with open-source technologies and standard protocols: Tips & Tricks - Nick Owen

We continually are asked “Does your product work with VPN X?”. This is the wrong question. The right question is whether any product on your network supports the authentication protocol you have chosen as a standard. Once you decide on a standard, the world opens up to you. Specifically, the world of open source software. After briefly discussing authentication protocols I will demonstrate how easy it is to protect various software packages and remote access solutions with two-factor authentication, such as SSH, Apache, OpenVPN, FreeNX, etc. Many people are simply not aware of the open-source remote access solutions available and still more are not aware of how to integrate them into a network. This talk seeks to rectify that.

Inside the Malware Industry - Garry Pejski

Not much is known about the malware industry and how it makes money. This talk will break the silence and expose the shady techniques used to create and spread this software, all from the perspective of someone who worked there.

Culture Shift: Social Networking and Enterprise Environments (Security Risk vs Reward) - John W. Pirc

Social networking for most of us is becoming wrapped into our DNA. This is especially important for the next generation workforce. Additionally, the employees today and those of tomorrow will expect the capability to blog and social network with corporate assets and corporate bandwidth. Additionally, these technologies are being widely used for corporate marketing and communication. That’s why it’s important to look at all aspects of securing your infrastructure and, more importantly, the people that drive your organization today. This involves educating people, corporate process and the right security technologies. The following session will cover the benefits and the security risks inherent in social networking across all business verticals.

Sniper Forensics v2.0 - Target Acquisition - Christopher Pogue

Last year at SecTor, Christopher debuted "Sniper Forensics", which illustrates how to use live analysis techniques to improve the efficiency and accuracy of forensic investigations. Since then Sniper Forensics has been given at two other computer security conferences! Now, Sniper Forensics v2.0 Target Acquisition will cover the questions most asked by audience members from Sniper Forensics. Where do I begin? What questions do I ask? How do I know when I have a target? How do I integrate my findings into my report? How do I use Sniper Forensics to run my investigation? These questions and others will be addressed!

Pentesting IPhone Apps - Subu Ramanathan

As most of today’s service oriented applications are starting to support clients on mobile devices such as the iPhone, security analysts are required to extend their existing arsenal of pentesting-fu. This tutorial will give existing pentesters a quick technical insight into assessing SOA application clients on the iPhone.

Web Application Payloads - Andrés Pablo Riancho

This talk will introduce attendees to the subject and show a working implementation of Web Application Payloads that uses the "system calls" exposed by vulnerable Web Applications to collect information from, and gain access to, the remote Web server. The Web application payloads implementation was developed as a part of the w3af framework, an open source Web application attack and audit framework developed by contributors around the world since 2007 and led by Andrés Riancho (the speaker) since its conception.

Involuntary Case Studies in Data Security - Mike Rothman

It is absolutely backwards, but while the bad guys constantly share details of their exploits, including techniques, when it comes to real incidents, actual defenders rarely talk about what worked, and what didn't. In this session, Mike Rothman will name names as he builds in-depth case studies based on publicly available information, some of which isn't overly public. He will combine these with the latest information from breach reports and other statistical sources to build a picture of how real breaches happen, which security controls really work, and which compliance checkboxes are a complete and total waste of time.

Through these case studies you'll learn:

  • From your peers through real-world examples of breaches, some of which haven't been publicly reported or widely discussed
  • What security controls can really protect you during an incident
  • How breaches happen and ways you can prevent breaches to your organization
  • How to prioritize your security efforts to be most prepared for preventing or, worst case, dealing with an incident

Smashing the stats for fun and profit v.2010 - Ben Sapiro

“Smashing the stats for fun and profit v.2010” (or how to convince your boss to spend properly on security)

We all know that security vulnerabilities need to be fixed, but it can be hard to convince your employer that you deserve a budget so you can do your job properly.

Using research from the 2010 Canada-wide security survey, we'll explore (FUD- and vendor-free) the following topics:

  • Do people still forget about application security?
  • Which approaches work in getting the business to understand security issues?
  • How much should you spend on security?
  • What’s the right way to identify security problems in your environment so they get fixed?

The talk will cover the all new 2010 survey data together with unique content for SECTOR attendees.

Language Theoretic Security: An Introduction - Len Sassaman and Meredith L. Patterson

Language-theoretic security uses the principles of formal language theory, computability theory, and formal semantics to evaluate the security properties of computational protocols. In its ideal form, it is used to build and verify secure systems; however, the same techniques software architects use to prevent entire classes of attacks against a language-theoretically secure protocol also enable attackers to systematically discover attacks against non-LT-secure protocols, particularly those deployed in dynamic environments with multiple implementations of the same specifications (such as communication between TCP stacks written by two different development teams, for instance).

We will discuss the fundamentals of language-theoretic security, then explain how we applied these principles to the analysis of X.509, leading to our recent multiple vulnerability break of the Internet certificate authority infrastructure. We will also outline steps for realizing the security potential of LTS-aware protocol stacks compatible with the existing Internet infrastructure.

Today’s Reality: Living in Compromise to Advanced Persistent Threats - Charlie Shields

Today's network advanced persistent threats by definition evade detection by perimeter defenses and current concepts for defense in depth - whether you know it or not. Most organizations have developed an over-reliance upon network-layer, perimeter-focused solutions that require signatures or profile-based foreknowledge of a given technical threat. As proven through numerous security breaches over the last few years, most signature- and log-based security solutions are already entirely obsolete by the very definition of focused adversary methods. Other architectures currently being deployed are based upon statistical analysis of netflows and other network-layer telemetry, providing limited and incomplete network visibility.

This session focuses on the true nature and sources of today's difficult threats, and describes solution characteristics, both technology and operations-related, which are required to detect these invisible threats. Mr. Shields will demonstrate techniques that will enable your organization to detect and stop designer malware, zero-day attacks, and non-signature-based threats to improve overall network visibility, and to detect the leakage and exfiltration of valuable organizational data. The session will cover actual technical case studies from the commercial and public sector to illustrate more effective operational methods for monitoring enterprise infrastructures at the application and content/context layers by performing advanced analysis of full packet captures.

Distributed Denial of Service: War Stories from the Cloud Front - Michael Smith

Due to the rise of large-scale botnets, Distributed Denial of Service (DDoS) is making a resurgence, both in attacker capabilities and the impact on target organizations. This presentation is an overview of DDoS attacker capabilities and techniques, defenses against attacks, and lessons learned from responding to numerous DDoS attacks.

The session will cover a very brief description of the Akamai distributed network and a discussion of the history of Akamai's involvement with DDoS mitigation. The session will then dive into the following areas: threat capabilities and tactics, failure patterns during a DDoS attack, preparation prior to an attack, example timelines associated with the July 4th, 2009 attack, and the active response to an ongoing, targeted DDoS attack. Each area will focus on lessons learned that organizations can reproduce in their own environment.

Barcodes: Read it, Write it, Hack it - Michael Smith

Barcodes are everywhere and we’re seeing more and more of them, from the RealID specification to airline boarding passes to beer bottles. This presentation is designed to be a presentation and hands-on workshop for experimentation with barcode readers, writers, and techniques for hacking in that gray area between software, hardware, and the physical world. The presenter will bring software, tools, and a wide variety of examples including his world-famous QR temporary tattoos.

By The Time You've Finished Reading This Sentence, “You're Infected” - Eldon Sprickerhoff

This talk is intended to be a rapid-fire description of 25 tactics currently used by "the bad guys" so that malware STILL evades AV, web reputation filters and IDP systems and practically any defense thrown at it. Malicious content continues to be a thorn in the side of practically all Internet users. This talk will show the progression of obfuscation techniques, and offer insight into the new infiltration methods expected in the future - rife with amusing real-world examples of tactics.

© Black Arts Illuminated Inc. 2010
