Full Schedule Will Be Posted Soon!
Marcus J. Carey
Making Our Profession More Professional
If Information Security professionals are going to be taken seriously by the organizations we serve, we need to become more professional. There are many ways of achieving this goal, but it's going to take culture change within our community. This talk will define the problem and offer some solutions for working toward solving it.
Bill Gardner is an Assistant Professor at Marshall University, where he teaches in the Digital Forensic and Information Assurance Program. He is also President and Principal Security Consultant at BlackRock Consulting, and the Information Security Chair at the Appalachian Institute of Digital Evidence. Prior to joining the faculty at Marshall, Bill co-founded the 304Geek and Hack3rCon. Bill is the coauthor of "Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats" with Valerie Thomas, which was published in August.
Building a Better Security Analyst Using Cognitive Psychology
The information security industry and the vendors that support it have placed emphasis on the tools we use to investigate security breaches. However, we rarely win or lose battles in the trenches because of the tools we buy; instead, our result is typically determined by the tools we are born with and nurture over time. While machines are ideal for collecting data and finding anomalies, there is no tool better for connecting the dots than the human mind. Of course, the human mind is not without its own limitations and challenges we must overcome. In this presentation, I'll discuss how cognitive psychology can be applied to the investigative process. This will include an overview of perception and cognition, the theory of multiple intelligences, the real benefits of positive and negative reinforcement, the effects of cognitive biases, and how structured analytic techniques can be used to approach investigations. This presentation should provide practical, real-world advice you can start using immediately to become, or help build, a better analyst.
Chris Sanders is an information security consultant, author, and researcher originally from Mayfield, Kentucky, now living in Charleston, SC. Chris is the leader of a detection and intelligence team at Mandiant, a division of FireEye, where he leads a small group tasked with effectively using network threat intelligence to catch adversaries. He has extensive experience supporting multiple government and military agencies, as well as several Fortune 500 companies. In multiple roles with the US Department of Defense, Chris significantly helped to further the role of the Computer Network Defense Service Provider (CNDSP) model, and helped to create several NSM and intelligence tools currently being used to defend the interests of the nation. Chris has authored several books and articles, including the international best seller "Practical Packet Analysis" from No Starch Press, currently in its second edition in 7 languages, and "Applied Network Security Monitoring" from Syngress. Chris currently holds multiple industry certifications, including the SANS GSE and CISSP distinctions, as well as a BS in Telecommunications and an MS in Homeland Security. He is currently pursuing a PhD in Cognitive Psychology in an attempt to enhance the field of security investigative technique through a better understanding of the human thought process.
Shall We Play a Game: Better Living Through Wargames
Application and platform security can be seen as "black arts" in the technical space. This can lead to paralysis in attempts to learn about them. What's not often understood is that 'security' isn't a different set of skills, but a mindset through which existing skills can be expanded and applied. This talk will explore how war games and Capture-The-Flag challenges can be used to shift the perspective of technical professionals. By playing these games, developers and administrators can see their programs and systems through the eyes of their adversary. Through playing, they become exposed to common attack methods, and realize that their "non-security skills" are the same ones that will lead them to the next level. Those skills, when applied with this new knowledge, will lead to stronger systems and more secure applications.
James Powell is a senior software engineer at Lancope where he spends his days writing Python, tuning security events, and hardening Linux platforms. He spends his free time playing online wargames and CTF challenges.
Removing the FUD from Threat Intelligence
Threat Intelligence is all the rage. Every sales team says they have it, and every company thinks they need it. The companies claiming to have TI already may have been sold nothing more than a feed of suspicious IP addresses. To contribute to the confusion, there are widely varying definitions of what TI actually means. Because it is such an immature field, having TI often means going beyond vendor solutions to build your own. If you're lucky enough to have good TI, your company still needs adaptive defense capabilities to take full advantage of it. The next generation of cyber defense involves making effective and timely decisions based on as much data as possible, and that is at the heart of TI. Join this talk as we cut through the FUD to understand what it really means to have an effective Threat Intelligence program.
Russ Pierce (@r3ssn8) is a geek by affiliation, mathematician by education, and security engineer by trade. He has 19 years experience in corporate America working for Fortune 50-500 Telecommunications and Financial Services companies. He is currently a VP at a Financial Institution where he works on the Cyber Security and Threat Intelligence Team. Russ is a proud father dedicated to empowering the next generation and building a safer cyber tomorrow. He strongly believes in knowledge sharing and living life to the fullest.
Social Engineering is BS, Call it What it is
We continue to use the term "Social Engineer" to make it sexy and make it "h@x0r". The fact is that manipulation of people has happened for eternity and it isn't limited to infosec. Let's briefly look at the history books, then delve into the physiology of manipulation and, as I am not a smart man, let's keep it simple with stuff we can use later today to reduce our bar tabs.
Dave is a Red Teamer for a large international bank. Dave has been in the security/penetration testing field for over 8 years with particular interests in physical security and social engineering, and a previous 8 in network architecture/engineering.
Fuzzing....What? Why? How? Genetics?
Software testers, engineers, security researchers, and miscreants uncover software defects through a variety of methods, and fuzzing is arguably the most popular. Since the 1980s, this technique has found numerous severe vulnerabilities in operating systems, network protocols, file editors and viewers, office applications, and especially web browsers. Testing an application with randomly generated data has proven to be an efficient, effective strategy. However, as applications mature and companies adopt secure software development practices, fuzz testing must adapt and incorporate new strategies. This presentation introduces a feedback fuzzing strategy using genetic algorithms to guide negative test case generation. It will provide a quick introduction to file fuzzing and genetic algorithms, then describe how to combine those concepts with static and dynamic program analysis to create a feedback fuzzer. Since employing dynamic program analysis can greatly increase runtime, the presentation will conclude by describing how to combat this issue with a distributed fuzzing architecture using a message queueing system (AMQP) and a NoSQL datastore (MongoDB).
Roger Seagle Jr. is a technical leader in the Advanced Security Initiatives Group (ASIG) at Cisco, where he assesses the security posture of Cisco products and advises product teams on patching and mitigating vulnerabilities. In this role, Roger audits embedded systems and web applications, configures and monitors internal production servers, and serves as a technical advisor. More recently, he has contributed to a big data analytic system for detecting malicious traffic and network compromises and prototyped a system for continuous security assessment of virtual assets. Roger holds a PhD and an MS degree in Computer Science from the University of Tennessee, Knoxville, as well as a BS in Computer Science from Wake Forest University. He currently resides in Knoxville, TN, where he enjoys hiking in the Blue Ridge mountains with his wife, son, and hound dog.
The Art of Post-Infection Response and Mitigation
In this day and age, we are all [mostly] fully aware how far signature-based antivirus detections go... not very far at all in regard to actual real-time protection. Users will get infected; there are no longer any IF statements in this equation. My focus is the gray area of post-infection and the many different aspects of end-user and incident response frustration that occur after malware has penetrated and done its dirty work to a single system, network, or organization. I will also be covering various malware removal and mitigation techniques, tools of the trade, and general response and prevention guidelines in case this happens to you, and it will.
Caleb (aka chill) is a malware analyst, practicing dirty whitehat, and frequent contributor to the information security community both online and at technology security events including recent talks at BSides Tampa 2015 and CarolinaCon 11 where he shares information and best practices about how to respond, mitigate, and plan for malware breaches. He also founded and currently manages the CarolinaCon Shootout, in its 6th successful year of operation at the CarolinaCon security conference.
On Defending Against Doxxing
Doxxing is the Internet-based practice of researching and broadcasting personally identifiable information about an individual. It is also a scourge on our internet lives that can quickly boil over into the physical realm. Often wielded as a weapon of hate or manipulation and a tactic for intimidation, doxxing easily leads to real-world threats of violence, financial harm, sexual assault, career damage, or even murder. Examples of these impacts can be seen surrounding the recent events of 'GamerGate' through the targeting of Anita Sarkeesian, Felicia Day, Tara Long, and Brianna Wu. Doxxing also often leads to another tragic outcome: targets for hate being misidentified, leading to unaffiliated individuals becoming the subjects of attack. Occurrences of this can be found in such online sagas as Anonymous vs. Scientology, the Amanda Todd case, and the incorrect fingering of Sunil Tripathi as the Boston Bomber. Given the real-world impacts of being doxxed, what can we do to protect ourselves, our friends, and our loved ones? In this talk I will highlight common methods employed by doxxers as well as methods to safeguard the information they seek. I will move from the easy wins and low-hanging fruit, with an eye for practicality, to the more complex and long-term defenses employed by professionals.
Benjamin Brown currently works on systems safety, adversarial resilience, and threat intelligence at Akamai Technologies. He has experience in the non-profit, academic, and corporate worlds as well as degrees in both Anthropology and International Studies. Research interests include novel and side-channel attack vectors, radio systems, the psychology and anthropology of information security, metacognitive techniques, threat actor profiling, intelligence analysis, and thinking about security as an ecology of complex systems.
Coulda', Shoulda', Woulda' - Prepping for Zero-days and Other Surprises
Heartbleed... ShellShock... Poodles, oh my! It seems like every few months there's a new catchy name for a shiny new zero-day vulnerability. How are you to defend against these? In this talk we will review some of these big vulnerabilities and discuss how their associated risk correlates to typical security assessment findings. Journey through the eyes of a penetration tester to discover how addressing some of the low-hanging fruit in your organization can help prepare for the next zero-day.
Jason is a professional penetration tester and programmer. He is known for his open source role as the author of the Burp CO2 extension (http://burpco2.com), and also has contributing roles in the Samurai WTF, Laudanum, and MobiSec projects. Jason currently works as a senior security consultant for Secure Ideas where he focuses on penetration testing, security architecture, and training.
Bypassing Two-Factor Authentication with Android RATs
With some financial institutions implementing two-factor authentication, miscreants were observed utilizing mobile Remote Access Trojans (RATs) to capture these SMS PINs for account takeover. This presentation will explore recent campaigns that have used mobile RATs to defeat two-factor systems, the challenges for mitigating this new breed of user attacks, and the vulnerabilities of these cybercrime kits.
Paul Burbage is an avid network security enthusiast with over fifteen years of experience. He currently works as a threat researcher / malware analyst at PhishLabs in Charleston, SC.
All the Looks without the Price Tag: A Case Study of Device Security for Knock-Off Android Phones
Mobile devices are a part of almost everyone's day-to-day life. These handheld supercomputers help to make our lives convenient and "connected," but usually for a hefty price. A brand new flagship device from an electronics giant such as Samsung, HTC, or Motorola can run up a price tag of over five hundred dollars (if purchased without a contract). On the other end of the spectrum, knock-off devices that look suspiciously like their flagship counterparts can be purchased from online e-commerce sites such as eBay for only a fraction of the price. These phones are cheaper than their flagship counterparts, but are they actually safe to use? This talk will discuss common operating system and application weaknesses on Android devices, and share the results of security testing performed on several knock-off Android devices purchased from predominantly far eastern sources.
Jake Valletta is a senior consultant at Mandiant in New York. His areas of interest include mobile security, application security, penetration testing, and incident response. When not performing incident response and forensic services for Fortune 500 and Fortune 100 companies, he is improving and developing mobile testing tools or researching the AOSP project (or maybe just enjoying a craft beer). In his free time, he maintains a website and blog dedicated to mobile security and research called "The Cobra Den."
More Speakers Will Be Announced Soon!