SOURCE Barcelona 2010 - Speakers And Publications

Tuesday, September 21, 2010

Tracks: Security & Technology / Security & Business

10:00am - 10:50am Keynote - William Beer, PricewaterhouseCoopers LLP

11:00am - 11:50am
  Security & Technology: SCCP hacking, Attacking the SS7 & SIGTRAN Applications One Step Further and Mapping the Phone System - Philippe Langlois, P1 Security
  Security & Business: Applied Threat Modeling -- Live - Allison Miller, Paypal; Alex Hutton, Verizon Business

12:00pm - 12:50pm
  Security & Technology: Security Sucks - Chris Brown, Netwitness
  Security & Business: Implementing a CSIRT - Lessons Learnt from Setting Up the Irish CERT - Brian Honan

1:00pm - 2:00pm LUNCH

2:00pm - 2:50pm
  Security & Technology: ERP Security: Myths, Problems, Solutions - Alexandr Polyakov; Ilya Medvedovskiy, Digital Security
  Security & Business: Security in the SDLC: It Doesn't Have to be Painful - Matt Bartoldus, Gotham Digital Science

3:00pm - 3:50pm Passwords in Corporate Networks - Simon Roses Femerling, Microsoft

3:50pm - 4:20pm COFFEE BREAK

4:20pm - 5:10pm Jackpotting Automated Teller Machines - Barnaby Jack, IOActive

8:30pm Barcelona Bar Crawl - Meet at Shoko at 8:30pm

Wednesday, September 22, 2010

Tracks: Security & Technology / Security & Business

10:00am - 10:50am
  Security & Technology: Smart Grid Security - Josh Pennell, IOActive
  Security & Business: Anti-Virus Discussion Session Part 1

11:00am - 11:50am
  Security & Technology: Balancing the Pwn Trade Deficit - Val Smith
  Security & Business: Anti-Virus Discussion Session Part 2

12:00pm - 12:50pm
  Security & Technology: Security in Agile PLC - Practical navigational aid for speed boats - Vishal Asthana, Symantec
  Security & Business: Building Bridges: Forcing Hackers and Business to "Hug it Out" - Andrew Hay, 451 Group; Chris Nickerson, Lares Security

1:00pm - 2:00pm LUNCH

2:00pm - 2:50pm
  Security & Technology: If Black Hats always win, why is Albert Gonzalez in prison? - Bruno Oliveira & Jibran Ilyas, Trustwave
  Security & Business: Anonymity, Privacy, and Circumvention with Tor in the Real World - Sebastian Hahn

3:00pm - 3:50pm
  Security & Technology: Cyber[Crime|War] - Connecting the Dots (Spain) - Iftach Ian Amit
  Security & Business: Leveraging Social Networking While Mitigating Risks - Nick Copeland, Systems Engineer, Fidelis Security Systems

4:00pm - 4:50pm
  Security & Technology: Hacking SAP BusinessObjects - Josh Abraham, Rapid7; Will Vandevanter, Rapid7
  Security & Business: 10 Things You're Doing Wrong With SIEM - Wim Remes, Ernst & Young

5:00pm - 5:50pm The Rise and Fall of an Underground Forum - Vicente Diaz and David Barroso

5:50pm - 6:15pm Closing Remarks and Feedback Session


Revolution or Evolution: Information Security 2020 (Keynote), William Beer, Director, PricewaterhouseCoopers

This presentation will be based on a report commissioned by the UK Government's Technology Strategy Board and jointly prepared with PricewaterhouseCoopers LLP (UK).
The presentation will set out the drivers that will shape the future Information Security environment to 2020 and beyond. It will help to inform business leaders and security professionals alike, and sets out potential future scenarios and issues around information security, allowing the participant to draw implications and conclusions that apply to them. The presentation focuses on the commercial aspects of Information Security, but remains cognizant of trends in cyber security and warfare for military and intelligence applications. It primarily covers trends in the UK Information Security market, but the implications are relevant globally.

William leads PwC's OneSecurity Practice and has over twenty years of broad international experience at multinational IT companies. He has extensive experience of working in IT services, security environments and with complex security technologies. William has focused extensively on Information Security, including security intelligence services, managed security services, data compromise and computer crime. Additional areas that he specialises in include information security incident management, security architecture, security compliance and security awareness.

Particular areas of expertise include:

- Knowledge of security and technical concepts and their application in practical business situations;
- Ability to quickly assimilate and evaluate new information and understand new technical and security concepts;
- Extensive practical experience in the design and assessment of IT infrastructure;
- Extensive experience in workshops and training facilitation; and
- Works closely with the Information Security Forum, ENISA, the IISP, CPNI and the UK Office of Cyber Security to improve the understanding of Information Security in the market.

William has supervised many security and technology engagements, including:

- Conducting risk and security assessments of Internet banking sites at several large European and Middle Eastern financial institutions. This included an assessment of the client's risk assessment approach and implementation of specialised fraud monitoring services;
- Working with IT, Security and leadership teams to develop and deliver specialised security presentations for senior management at their respective organisations;
- Conducting and project managing an organisational assessment and security audit for a large multinational client's Security Operations Centre;
- Holding workshops for multiple clients to discuss future security trends and their impact on strategy and business.
SCCP hacking, Attacking the SS7 & SIGTRAN Applications One Step Further and Mapping the Phone System, Philippe Langlois, P1 Security
Attacking the SS7 network was fun, but there's a world beyond pure SS7: the phone system applications themselves, and most notably what transforms phone numbers into telecom addresses (also known as Point Codes, DPCs and OPCs; Subsystem Numbers, SSNs, and other various fun), and that's called Global Title Translation. Few people actually realize that the numbers they are punching on their phone are the same digits that are used for this critical translation function, which translates them into the mythical DPCs, SSNs and IMSIs. More and more data is now going through the phone network, creating more entry points for regular attacks to happen: injections, overflows, DoS by overloading capacity. And we have an ally: the mobile part is opening up, thanks to involuntary support from Motorola, Apple and Android. We'll study all the entry points and the recent progress in telecom security attacks.

10 things you're doing wrong with SIEM, Wim Remes
As a consumer of information security products you have probably acquired one SIEM product or the other (please consult the latest Magic Quadrant to know if you bought the right stuff). Either because you were pushed to do so by regulatory requirements (internal or external) or because somebody very smart came up with the idea to do so. If this has happened, the odds are that you are getting far from the return you expected from that solution. This is not because the product doesn't work, but in most cases because it's not the right product, it is not watching the right stuff or you forgot the people factor. According to many, in 2010 SIEM is dead. It isn't. There are 10 things we've been doing very wrong with SIEM. After this presentation, you'll be enabled to right what was wrong and finally enjoy your SIEM to the fullest.

Wim Remes is an information security consultant working for Ernst and Young in Belgium with a particular interest in intrusion detection, attack prevention and security monitoring.


1. Please tell us a bit about your topic (something a bit more than what is on the abstract) and why people should attend your session. Are there any pre-requisites for the session? Who should attend?
SIEM and Log Management solutions (and especially implementations thereof) are prime examples of what's going wrong in our industry. Companies have installed these products for 3 main reasons: because they had to (compliance to this or that regulation being the main driver), because somebody told them they needed it (why they believed that, is another story) or because they were ready for it. The latter demographic is particularly small in this business. That leaves the majority of customers with a solution that doesn't do what they need, does something completely different or that they pay way too much for while it does a metric ton of stuff they don't need (but is cool to have if you need it in 5 years or so). On the other hand, SIEM and LM solutions require work. They are not a bunch of flashy blue LEDs blinking in a server rack protecting you from evil. While there's a lot of intelligence in most solutions, you still have a fair amount of work to do to triage events, provide context, find and filter false positives, collect new data sources, create, implement and tune use cases and follow up incidents. And lastly, a lot of people forgot to tie the solutions into their Incident Response processes. The SIEM/LM solutions ended up in the hands of "the network team" because "they were managing the firewalls and IDSs already anyway". Either we can sit back and see another technology die or we can try to do things right. This talk will be for those that choose the latter option.

2. Why did you select this particular topic?
Ever since I started in IT (about 13 years ago) logs have been the bane of my existence. In a lot of situations they were the only trustworthy source of information I had available to analyze what had happened and as long as I can remember I've tried to make sense of them and motivate people to USE them. Even now that we have technology at hand that should enable us to handle them and make sense of them, we fail. Instead of asking why, I choose to analyze why and while at it I try to formulate answers. Instead of being pessimistic about a specific trend, let's see what we can do to make things better.

3. What are the major takeaways?
Attendees will learn to make the difference between log management, SIEM and everything in between. The information provided during this talk will enable them to choose the product that meets their needs and they will get some useful guidance to implement it. Surely, there is not a single good way to do this and I have no cookbook available either but I'll bring the pots and pans that'll enable us to cook a decent meal.

4. What other sessions are you looking forward to?
I'm particularly looking forward to the ATM talk by Barnaby Jack as I'm totally broke and looking for ways to influence my cash flow. Then again, I might choose to do that while staying out of jail as a bonus, so I'm looking forward to the talk of Erin Jacobs and Mike Murray as well. Then there's the talks by good friends like Jayson Street, Brian Honan, Chris Nickerson & Andrew Hay and Ian Iftach Amit which I always enjoy. Honestly, by looking at the schedule, Source Barcelona seems to be one of the conferences where I'll be spending a lot of the time in sessions. I might even be peeking at the live stream of Amrit Williams' talk while doing my own.

5. Anything else you would like to tell us about your session?
I think my answer to question one says it all. Now come and let's make this work in Barcelona!

If Black Hats always win, why is Albert Gonzalez in prison? Bruno Oliveira & Jibran Ilyas, Trustwave
The severity and impact of the attacks have made many big companies to acquire the services of Penetration Testers. This talk will discuss the differences between Black Hat vs. Penetration Tester along with interesting analysis of both entities by a Forensics Investigator. The attack and detection techniques by the three players in Information Security world will educate the audience on real world cases and break some ancient myths of the InfoSec fraternity, especially about Black Hats. The thought that Black Hats always win is used more so because of its convenience. This talk will try to demystify Black Hats (via demonstrations) and highlight the success stories of InfoSec World in catching the Black Hats as contributed first hand by the Presenters.

Bruno Goncalves de Oliveira is a Security Consultant at Trustwave's SpiderLabs in the Network Penetration Test Team. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security - where he conducts penetration tests for premier clients; he holds some certs and a title of computer engineer from Universidade Norte do Paraná. Over 10 years working / studying / having fun with security, always focused on offensive tasks, the main focus of his work is network security and penetration tests, trying to figure out different/other/more beautiful ways to attack systems. Part of these studies/works became talks at security conferences like DEF CON 18 (USA), HITBSecConf 2009 (Malaysia), Toorcon X (USA), YSTS 2.0/3.0 and H2HC IV/IV (Brazil).

Jibran Ilyas is a Senior Forensic Investigator at Trustwave's SpiderLabs. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has investigated some of the nation's largest data breaches and is a regular contributor to published security alerts through his research. He has 7 years of experience and has done security research in the area of computer memory artifacts. Jibran has presented talks at security conferences (DEFCON, SecTor) in the area of Computer Forensics and Cyber Crime. Jibran is also a regular guest lecturer at DePaul and Northwestern University. Prior to joining SpiderLabs, Jibran was part of Trustwave's SOC where he helped Fortune 500 clients with their Security Architectures and deployments. Jibran holds a Bachelor of Science degree from DePaul University and a Master's degree in Information Technology Management from Northwestern University.

SOURCE Interview for If Black Hats always win, why is Albert Gonzalez in prison? Bruno Oliveira & Jibran Ilyas, Trustwave

1. Please tell us a bit about your topic (something a bit more than what is on the abstract) and why people should attend your session. Are there any pre-requisites for the session? Who should attend?
Jibran: In our talk, we will be busting the common myths about Black Hats, Penetration Testers and Forensic Analysts. Since Bruno is a professional Penetration Tester and I work as a Forensic Investigator for SpiderLabs, Bruno keeps telling me that he can get away with simulation attacks on my box. Having great pride and confidence in modern day forensic techniques, I keep telling him that he'd be surprised to see how many digital artifacts he'd leave on my box. In essence, our talk demystifies attacks and their detection as it includes several real life success stories via Digital Forensics.
The only pre-requisites for this talk are to have expressions, be it facial expressions or vocal expressions. We would love to have an engaged and responsive audience while we give away the first hand knowledge of real world attacks, their detection via Digital Forensics and subsequently, the arrests.
This talk is meant for all audiences as it boasts the logic in investigations more than the technical skills.

2. Why did you select this particular topic?
Bruno: Since Jibran and I work in the same company but cover different sides of security, we thought it would be interesting to give our audiences a taste of penetration tests, Black Hat attacks and Digital Forensics concurrently. We will be educating the audiences on how similar or different Black Hat attacks are from Penetration Testers and how Jibran's side of work sees those attacks from an investigative standpoint.

3. What are the major takeaways?
Jibran: We always hear the phrases "Black Hats always win" and "Penetration Testers use automated tools". The major takeaways of this talk are to 1) Explain how professional Penetration Testers go about their engagements with a goal in mind and how little automated tools are used in successful intrusions and 2) Show why Black Hats are not all that after all. Our biggest discovery in hundreds of forensic investigations is that Black Hats are humans too and they too make mistakes, in fact plenty of amusing mistakes and sometimes, they are costly enough to put them behind bars. We will show how the evolving world of Digital Forensics, the partnerships with Law Enforcement and the Community support (security conferences, social networks, etc.) are really giving a boost to the good guys and how we can make it even better.

4. What other sessions are you looking forward to?
Bruno: I want to see about Social Engineering by Jayson Street; he always has good ideas, Jackpotting Automated Teller Machines and Hacking SAP by Rapid7 folks.
Jibran: I am looking forward to plenty of talks. In no order of preference: Security Sucks by Chris Brown, Security Industry Career talk by Erin Jacobs, ATM Talk by Barnaby Jack, the Hug it Out talk by Andrew Hay and Chris Nickerson, CyberWar talk by Iftach Ian Amit, the talk by Vicente Diaz and David Barroso, and the two that I am going to have a really tough time deciding between, i.e. the Balancing the Pwn Trade Deficit talk by Val Smith and Jayson Street's talk on Social Engineering.

5. Anything else you would like to tell us about your session?
Bruno: Our session will demystify our work via demonstrations in an effort to explain how Black Hats are not GODs.
Jibran: Join us in busting some myths and learn how the improving landscape of Penetration Testing & Incident Response is helping gain intelligence on Black Hats and contributes in subsequent arrests.

PC Hypervisors; Own the OS, Amrit Williams, BigFix (recently acquired by IBM)
The current state of Information security is a never-ending game of continuously reacting and responding to new threats, operational failures, and crappy products. The ability to abstract security and systems management outside of the operating system will revolutionize the method and efficiencies of IT security and management. In this presentation the speaker will provide an overview of type-1 bare metal PC hypervisors and methods to leverage this new computing model to provide better visibility and control of the operating environment without relying on the integrity of the operating system itself. The audience will learn:
- The different methods of client based virtualization
- A deep dive into type-1 PC hypervisors
- How to converge endpoint security and PCLM tools with PC hypervisors
- How this convergence can significantly improve methods for maintaining the health and security of computing devices
- And most importantly, how to pimp slap the OS and make it the bitch it deserves to be

Amrit Williams has over 18 years of experience in information technology, security, and risk management and is currently the Chief Technology Officer of BigFix (recently acquired by IBM). Amrit has held a variety of engineering, management and consulting positions prior to joining BigFix. Most recently, Williams was a research director at Gartner, Inc.

Security in the SDLC: IT Doesn't Have To Be Painful! Matt Bartoldus, Gotham Digital Science
Why do organizations fail so miserably at Application Security, even after investing millions into Information Security programs? Organizations are addressing application security through initiatives ranging from hiring their first 'Security Person' to investing in large time and resource intensive projects. Great! So how come security breaches through applications are still on the rise and showing no signs of abatement? Is the security industry failing? This talk will focus on what the speaker has experienced over the past few years while working with his clients to integrate information security practices into IT processes. This includes large Global Top 100 to medium domestic UK companies. The focus will be around some of the different approaches that were taken and the things that worked and the things that failed miserably. In the end, the audience will be able to take away real-world experiences for consideration.

The talk will start by discussing some of the more interesting angles the speaker has seen when presenting the business case for a security integration project investment. This includes stepping outside of the traditional security professional arguments and adopting the viewpoint from other parts of an organization. The speaker will then discuss the age old IT consultant's mantra of People, Process and Technology and where security practices fit in. The focus will be on process and people rather than technology. Building upon a business case and the theories around people and processes, we will discuss how to move forward with integrating information security practices into the SDLC.

Lastly, we'll talk about the 'gotchas', the pitfalls, traps, and other 'bad things' from perceptions to internal politics. These are discussed in a light-hearted manner through example experiences and 'war stories.' The speaker hopes they will be considered at the beginning of a security initiative or project as part of project risk and critical success factors!

Matt Bartoldus is an information security professional with over 11 years of experience managing and delivering information security projects. Service delivery experience spans the scope of IT audit; security penetration and vulnerability assessments; regulatory compliance and information security governance consulting; policy and standard development; and security business transformation.

1. Please tell us a bit about your topic (something a bit more than what is on the abstract) and why people should attend your session. Are there any pre-requisites for the session? Who should attend?

My session will focus just as much on security process initiatives that did not work as it will on recommended practices. This session will be of interest to anyone who will be leading a security initiative or project that involves working with other areas of an organization, and especially within IT! Implementing security practices into an existing Software Development Lifecycle will involve multiple areas within an organization; even when these areas are in their own silos!

I also intend to present the primary reason I believe that security process integration initiatives such as Security in the SDLC fail.

2. Why did you select this particular topic?
After years of working with clients on various information security projects and initiatives, I chose this topic as a way to vent!

Seriously, I chose this topic in order to share with other security professionals some of the common things that I have found to work and not work.

3. What are the major takeaways?
Delegates will take away items to consider while leading an information security project that involves cooperation from other areas of the organization. These considerations can help shape project risks, dependencies and success factors.

4. What other sessions are you looking forward to?
The Social Geeks Old and New Methods for Career Enhancement in the Security Industry, Erin Jacobs, IOActive & Mike Murray
Building Bridges: Forcing Hackers and Business to "Hug it Out" Andrew Hay, 451 Group & Chris Nickerson, Lares Security
Anonymity, Privacy, and Circumvention with Tor in the Real World
If Black Hats always win, why is Albert Gonzalez in prison? Bruno Oliveira & Jibran Ilyas, Trustwave

Building Bridges: Forcing Hackers and Business to "Hug it Out" Andrew Hay, 451 Group & Chris Nickerson, Lares Security
Hackers and business decision makers rarely see eye-to-eye. There has historically been a great chasm separating the views of business decision makers who pay the bills and the in-the-trenches security practitioners who perform the work. This epic battle has taken a toll on the security of many environments as businesses focus on operations and "hackers" focus on the symptomatic issues directly in front of them. This talk serves to open the dialogue between both groups in an attempt to find some common ground and understanding. Beginning with raising the "hackers'" awareness of business concerns and how business guides the path to security, we hope to bring a fresh perspective on how to position their concerns. This alone may build a bridge and allow them to receive the support they have always craved. After we address this daunting task, we will turn the light to the business aspect. In this section, we will give the business professionals a unique view into the mind of a security professional. Yes, the ones who throw a fit because a screen shot of some black and green screen with text on it is "bad." We will give you a behind-the-scenes connection explaining why they are reacting the way they are and how having that emotion is a massive benefit to the business (and not just a cost). At the end of the day, the business and the hacker have the same goals; we all want to secure the business. We may have different drivers and motivators but a common goal exists. We will extend the olive branch to both sides and hope that this talk will inspire others to do the same.

Andrew Hay is a Senior Security Analyst with The 451 Group's Enterprise Security Practice. He is a veteran information security practitioner with more than 10 years of experience related to endpoint security, log management, vulnerability assessment, penetration testing, forensics, incident response and enterprise security information management (ESIM).

Anonymity, Privacy, and Circumvention with Tor in the Real World, Sebastian Hahn
The Tor network is the largest and best-known anonymity network ever deployed. How does it work? Who uses it, where do they use it, and why do they use it? This talk will give a quick introduction to the Tor network; it will include real life examples of people using Tor to safeguard their use of the internet, and it will cover some of the current challenges facing the Tor network. If you've ever wondered about country-wide firewalls (both the technology and the social support behind them), geographically anonymous hosting, or practical privacy on the internet - this talk will be of interest.

Implementing a CSIRT - Lessons Learnt from Setting Up the Irish CERT, Brian Honan
After spending 4 years trying to convince the Irish Government to establish a national Computer Emergency Response Team with little or no progress, Brian Honan set up a not for profit company to offer CERT services to the Irish business community. However, faced with a very small budget Brian had to determine how best to implement the CERT without compromising the level of service provided to the target community. This talk will cover Brian's journey as he progressed from the initial conception to actually setting up IRISS-CERT, which is now Ireland's only non-commercial CERT. IRISS-CERT is now a recognised and fully functioning CERT managed by a group of volunteers from Ireland's information security community and provides services to over 300 members and deals with incidents on a daily basis. IRISS is now established as an independent, trusted and vendor neutral Computer Emergency Response Team providing services to businesses, organisations and citizens in the Irish Republic. The proposed paper will trace Brian's journey from recognising the lack of a CERT service in Ireland and the need to have one established to the current status of the project. Throughout the presentation Brian will highlight the key steps that he recognised as being crucial for anyone else to follow in establishing their own Incident Response Team (IRT), be that at a departmental, company, sector level or larger. The areas Brian will cover include:

- Establishing the requirements
- Identifying the key stakeholders
- Building a case for the IRT
- Engaging and getting stakeholder buy-in
- Identifying the clients your IRT will serve
- Identifying the main services
- Raising funds
- Establishing the IRT
- Delivering your IRT services

Brian will also provide an overview of the WARP service developed by the UK's CPNI (Centre for Protection of National Infrastructure).
The WARP service (Warning Advice and Reporting Point) is designed to provide a trusted environment where communities of users can discuss and share information relating to their computer security challenges. The WARP platform is what IRISS-CERT employs to provide its range of services to its constituency and provides a cost effective means to do so. At the end of the presentation attendees will have a clearer understanding of some of the hurdles and issues that need to be overcome in order to ensure the success of their Incident Response Team.

Brian founded and heads IRISS-CERT, which is Ireland's first CSIRT. He is a published author ("Implementing ISO 27001 in a Windows Environment"), a regular blogger, a contributor to a number of industry recognised publications and is also the European editor for the SANS Institute's NewsBites newsletter.


1. Please tell us a bit about your topic (something a bit more than what is on the abstract) and why people should attend your session. Are there any pre-requisites for the session? Who should attend?
Having spent a number of years dealing with the Irish government in trying to get a Computer Emergency Response Team set up in Ireland, I realised that the quickest and most effective way to do this would be on my own initiative. However, the big challenge for me was that I had little, well, practically no budget and I also had to concentrate on my day time job. I needed to be able to set up the CERT service quickly, effectively and at an affordable cost, both in terms of money and time. During my research I had spent a lot of time looking at the WARP (Warning Advice and Reporting Point) solution, which was developed by the UK Government's Centre for the Protection of National Infrastructure (CPNI). I found the WARP solution covered nearly all of the requirements I had identified that the CERT for Ireland should provide. It also allowed me the facility to get the service up and running very quickly and with much less expense than originally planned.

2. Why did you select this particular topic?
It has been a project I have been working on for many years and feel very passionate about. Having made many mistakes along the road in setting up IRISS-CERT I hope to share my experiences with others who are taking the same journey and hopefully help them avoid those same mistakes.

3. What are the major takeaways?
I would see them as being:
- How to engage with key stakeholders in your CERT to ensure its success.
- What are some of the key challenges that you may face and how to overcome them.
- A better understanding of the WARP solution and how it could be used to set up a CERT quickly and effectively.

4. What other sessions are you looking forward to?
This year's program is really excellent and there are a lot of great sessions to choose from, which is great but also challenging in trying to pick what sessions to be at. The only problem is that many of them are on at the same time so it will be an interesting challenge as I also try to master the art of bilocation. But what I am really looking forward to is meeting up with old friends and hopefully making some new ones too.

5. Anything else you would like to tell us about your session?
So anyone who has been involved in setting up a CERT or a CSIRT facility or in particular those who are looking to establish one should come and listen to the challenges I faced and how I overcame those.

The Social Geeks Old and New Methods for Career Enhancement in the Security Industry, Erin Jacobs, IOActive
One of the strangest things about the security industry is its relationship with socialization: the asocial nature of many of us is what led us to spend inordinate amounts of time hacking on computers in the first place. Yet we have always turned out to conferences, local meetings and get-togethers online to form some semblance of community. In this time where everyone is on social networks, there's a tendency to lose sight of the community (especially while we're spending all our time trying to save everyone from themselves) or to even claim that it's dead. This session is a trip down a sampling of past technologies (IRC, BBSs) that helped to create that community and how we can use the tools of today to perform the same tasks - creating useful bonds, powerful networks and personal branding to further your career and the enjoyment of your time in information security.

Erin Jacobs is an IOActive Director who specializes in managing and guaranteeing the security of enterprise infrastructure from a process and policy standpoint. Prior to joining IOActive, Jacobs won the 2010 CSO Magazine Compass Award for leadership excellence in her prior role as CSO for a large accounts receivable organization. She has been named on many industry and social-media Hot Lists, including SC Magazine's 2010 Awards Five to Follow on Twitter. Erin has been featured in many online publications, including popular names such as TechTarget and CSO Magazine. Erin has cultivated a widely recognized security moniker in social media, SecBarbie, and through the use of Web 2.0 has grown and fused a strong network of information security professionals addressing hot issues such as gender cultivation in information security and career mentoring. Erin's information security musings can be found at Security Sociability.

ERP Security: Myths, Problems, Solutions, Alexandr Polyakov & Ilya Medvedovskiy
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security, as these applications store business data and any vulnerability in them can cause a significant monetary loss. Nonetheless, people still do not give much attention to the technical side of ERP security. Platforms such as SAP, Oracle EBS and JD Edwards are the most widespread platforms used for enterprise system management and the most critical data storage, and we will use them in our examples. In the first part of this talk we will cover the common myths of ERP security ("ERP security is a vendor's problem", "ERP is in the internal network and cannot be hacked from outside", "ERPs are very complex and specific and hackers can't beat us", and of course "ERP security is only about SoD") and dispel them. Then we will talk about the problems of ERP security in general and divide them into different levels (network, OS, database, application and client side), covering all these areas with statistics, vulnerability examples and pentest examples with 0-days. We will cover the basic types and areas of software problems and review them in ERPs. Finally, we will present the first version of our annual statistics, Business Application Vulnerability Statistics 2009, methodologies to assess ERP systems, and new tools to assess and control the security of ERP systems in general and of SAP systems specifically.

Alexander Polyakov is the Director of Audit and Research at Digital Security. His expertise covers enterprise application and database security. He has found many vulnerabilities in products of vendors such as SAP and Oracle, and has led many projects focused on application security in the oil and gas, retail and banking spheres. He is the author of a book named Oracle Security from the Eye of the Auditor: Attack and Defense [in Russian]. He is also the head of the Digital Security Research Group, an Expert Council member of the PCIDSS.RU association, a QSA and PA-QSA auditor, and one of the contributors to the Oracle with Metasploit project. He has spoken at HITB, Troopers10 and many Russian conferences.

Ilya Medvedovsky has been engaged in network security research since 1994. In 1997 he wrote the first and still unique Russian bestseller entitled 'Attack through the Internet', dedicated to the issue of network security. He is the author of 3 popular books and of more than 50 published works that are the result of his expertise in the information security area. Ilya Medvedovsky is the CEO of Digital Security and the head of the PCIDSS.RU association.

1. Please tell us a bit about your topic (something a bit more than what is on the abstract) and why people should attend your session. Are there any pre-requisites for the session? Who should attend?
We are going to talk about the ERP security problem. The biggest paradox is that all sensitive information (including finance) is in the ERP system. But who knows and who cares about the security of the ERP system? Almost nobody. That is why managers, CTOs and CISOs must pay serious attention to this problem.

2. Why did you select this particular topic?
Because we have been involved in ERP security for the last 4 years and it's our main specialization. We have collected a lot of useful information to share with other people and to increase awareness of business application security.

3. What are the major takeaways?
Latest attack methods and our research results in ERP security, security software for ERP vulnerability scanning, methodologies for ERP security assessment, important vulnerability statistics for the main ERP systems, etc.

4. What other sessions are you looking forward to?
Hacking SAP BusinessObjects
Jackpotting Automated Teller Machines

5. Anything else you would like to tell us about your session?
We are working hard on a couple of projects that will be presented at the conference and described before. It will be new research that wasn't presented anywhere yet. And yes, we will present a completely new security vulnerability scanner for SAP.

Security Sucks, Chris Brown, Netwitness
Security sucks. Ask the CISOs and security managers within government agencies and banks that have known about advanced threats such as Operation Aurora for a long time, but have been forced to fund flawed behaviors, antiquated technologies, and narrow-scope security projects focused on compliance versus better security operations. Ask the financial services and retail enterprises that have spent so much on PCI only to find that they were blindsided by the latest sophisticated attacks in spite of their compliance check mark. Compliance drives IT security spending and perceptions of successful and complete security programs in many important organizations. Yet the result is often a sub-optimized security posture that rewards the wrong behaviors and places emphasis on low-impact objectives. Security sucks, but it doesn't have to. Assuming that a) you are not happy with the current situation, and b) you believe that security compromises are inevitable but want to protect your organization, this session is for you. This interactive session will discuss: 1. Why security sucks: the compliance and platform-related death spiral of current security programs. 2. The importance of Operation Aurora and the Google China hack to advanced threat awareness at the C level, greater honesty about living in compromise to advanced persistent threats, and a movement away from compliance-driven security programs. 3. How to ensure that your CEO gets InfoSec news from the security organization, versus from the FBI or NSA, regarding sophisticated attacks and compromises within your organization. 4. The minimum components of a sophisticated operational defensive security program in 2010. 5. How to make security suck a whole lot less and make your security team more successful.

Stratagem 1: "Deceiving the Heavens to Cross the Sea" (Using the 36 Stratagems for Social Engineering), Jayson Street, Stratagem 1
There are new threats arising every day. The problem is that there has been a vulnerability in the system that has not been patched since the first computer was created: humans! As the network perimeter hardens and the controls on the desktop tighten, hackers are going back to the basics and getting through the firewall by going through the front door. They are bypassing the IPS and IDS simply by bypassing the receptionist. We look at this topic from a different viewpoint. We look at the history of social engineering from Amenhotep 3 to Sinon of Greece, as well as how the culture of the country you're in dictates the strategy to use. All this is shown in an offbeat way, showing how 1st century strategies can still be used to break into 21st century networks.

Jayson is an author of "Dissecting the Hack: The F0rb1dd3n Network". He was also the co-founder of ExcaliburCon China. He's a highly carbonated speaker who has partaken of pizza from Beijing to Brazil. He was chosen as Time's Person of the Year 2006.

Applied Threat Modeling -- Live, Allison Miller, Paypal & Alex Hutton, Verizon Business
Threat modeling as a practice was developed to improve the design and implementation of system risk controls. However, modern techniques have developed a bad reputation with security/risk practitioners for several reasons: frameworks are complicated (difficult to apply); most companies/systems develop their own approach (inconsistent, not interoperable); and relevant data is difficult to find (leaving exposure calculations unreasonably qualitative). In this presentation, we'll map out event chains using actual data from incidents in order to get a bird's eye view of the full attack path, from technical exploit to monetization (across systems and environments). Further, the speakers will demonstrate simple and pragmatic approaches for developing generic threat models that 1) highlight the critical assets that will be targeted, and 2) clarify the most exposed links in the event chain requiring mitigation. We will also give examples to show how the output of simple threat models can be used within more sophisticated threat and risk assessment techniques, which drive additional insight into optimizing the design of, and investment in, security/risk management capabilities.

Allison Miller is a Group Manager in Risk Management for PayPal. Allison focuses on leveraging data to improve fraud detection and customer account security. Alex Hutton is a Principal in Risk and Intelligence for Verizon Business. His work there includes contributions to the VERIS framework and Data Breach Investigations Reports.

Security in Agile PLC - Practical navigational aid for speed boats, Vishal Asthana, Symantec
The conventional software development lifecycle is like a ship where development requirements, once agreed upon, have little scope for changes at later stages. Furthermore, just as ships typically have electronic navigational devices to help pilots avoid dangerous coastlines, hazardous shoals and reefs, etc., security requirements can help improve security assurance in each distinct phase of the development lifecycle. On the other hand, an agile development method is like a speed boat designed to handle rapid changes. The conventional software development lifecycle doesn't apply here. Also, just as speed boats cannot employ the same navigational devices used in ships due to size and structural restrictions, conventional security requirements cannot be applied as-is in an agile development environment. In late 2009, we started looking at ways to transform the conventional security requirements into a granular task list which could be used in the agile environment used by multiple product teams at Symantec. Around that time, Microsoft came out with a list of security requirements that could be applied to each area of agile. In that list, requirements were classified into four categories, namely: 1) Every-sprint requirements 2) One-time requirements 3) Bucket requirements, comprised of three buckets 4) Security requirements for very risky code. We looked at each requirement in the list and realized that the list was not suited for direct adoption in Symantec's agile development environment for the following reasons: 1) Quite a few of the requirements in existing categories could be better placed in other categories 2) Multiple requirements across given categories could be folded into a single base category 3) There was scope to add new categories with new requirements not in the original list 4) Requirements needed to be added to cover cross-platform scenarios, i.e. non-Microsoft products. Based on these observations, we decided to revamp the list, which will be discussed in this talk. A few examples follow: 1) Multiple tasks were folded into a single base task in multiple instances. E.g. a. In the Every Sprint category, multiple compiler and linker requirements were folded into a single base task: the Environment run-time and compiler requirements category. b. In the Bucket A (Security Verification) category, verification tasks were analyzed, new ones added, and all of them folded into a single base task: Conduct verification sprints (shorter in duration) corresponding to Security Verification bucket items, at least thrice in a product's lifecycle (33%, 66%, 99%). 2) A new category called psg2help was created, detailing tasks for which a product team would typically require assistance from the product security group due to the advanced security concepts used to meet them. Attendees can employ a similar approach to come up with security requirements for their agile development environments, or at the very least use our list as-is.

Vishal is a CISSP with eight years of work experience (gathered in the US and India) in various sub-domains of information security, currently working in the application security domain with Symantec as a Software Security Analyst in their Product Security Group. He has over a decade's experience in the IT industry.

1. Please tell us a bit about your topic (something a bit more than what is on the abstract) and why people should attend your session. Are there any pre-requisites for the session? Who should attend?
[Vishal] I have attempted to bring order to one aspect of the chaotic world of agile software development, i.e. granulizing ever-growing and increasingly complex application security requirements.

Around the time I started this work, Microsoft came out with a requirements list in their Microsoft Security Development Lifecycle document. I reviewed each of the requirements and found that the list was lacking when applied to Symantec's product development environment. The result was an overhaul, as explained in the abstract.

The granular requirements list is very practical, so attendees can choose to use it as it is in their environments or tweak it to their needs. In other words, my work has immediate practical use.

No hard and fast pre-requisites but the session would appeal most to two types of audience:
- Those who handle teams practicing agile.
- Those who handle teams currently on non-agile development methods but planning to transition to agile in the near future.

2. Why did you select this particular topic?
[Vishal] Increasingly, teams are moving to the agile development method, as its strength lies in it being an early feedback system, thereby improving the overall quality of the finished product. Changes are incorporated in a dynamic fashion. Cycles/sprints are very short, i.e. 2 to 4 weeks, because of which teams find it difficult (if not impossible) to adhere to security requirements in a systematic manner.

This need fuelled my interest in the topic and resulted in the work I'm going to present.

3. What are the major takeaways?
[Vishal] Two-fold:
1) Systematically adhering to security requirements is *actually* possible in an agile development process and not an impossible task.
2) Attendees can put the work to immediate use.

4. What other sessions are you looking forward to?
[Vishal] There's a very interesting mix of selected speakers. Personally, I'm looking forward to hearing what they all have to say. :)

Leveraging Social Networking While Mitigating Risk, Nick Copeland, Fidelis Security Systems
Historically, risk management decisions may have supported preventing the use of social media, and for certain organizations perhaps that may still be the case today. However, I believe that many organizations now have the ability to mitigate many of these risks, enabling them to gain business value from the reach and collaboration provided. Below I've detailed the key areas I believe an organization should focus on to help address the above risks. To be clear, this is more than just applying technology to address risk. Technology alone cannot solve the problem. I am very proud of the fact that Fidelis took a leadership role in helping manage social networking use and content disclosure, releasing this functionality over a year ago. However, technology is just one aspect required, so this list also covers organizational policy issues and end user education and training. 1. Ensure existing employee codes of conduct policies cover social networking. 2. End user training on benefits, risks, policies, and organization goals on the use of social networking applications. 3. Create official profiles for the organization and key executives on the major social networking sites. 4. Ensure security solutions at the network and endpoint are inspecting communications to and from social networking sites, and that updates are applied in a timely manner. 5. Implement technical controls governing how social networking can be used and what content can be posted.

With 25 years' experience in networked systems, Nick Copeland brings a wealth of knowledge to the Fidelis Security Systems' Systems Engineering team. Nick has worked with distributed network computers, routing and switching companies, Netscreen/Juniper ASIC firewalls, Crossbeam Systems' scalable security applications chassis with integrated CheckPoint firewalls, Trend Micro and Websense AV/URL filters, Imperva web application firewalls and other solutions. He is now with Fidelis Security driving international sales for the diverse technical aspects of data leakage and cyber security controls. Nick holds a BSc (Hons) from the University of London in Computer Systems and Microelectronics.

Hacking SAP BusinessObjects, Josh Abraham, Rapid7 & Will Vandevanter, Rapid7
Business intelligence is a multi-billion dollar/euro industry. At the top of the product food chain is BusinessObjects. BusinessObjects is a very widely deployed business intelligence tool whose focus is managing, querying, analyzing, and reporting on business data. It is used by government entities (e.g. U.S. Air Force), telecom companies (e.g. Verizon), car manufacturers (e.g. Nissan), and beverage companies (e.g. Coors) to retain and control vast amounts of data. If you are a penetration tester, chances are you have run into at least one BusinessObjects server during an engagement. Yet very few vulnerabilities have been publicly released and, to the best of the authors' knowledge, no white papers have been released on attack methodologies for BusinessObjects itself. In this presentation we will present the entire lifecycle of attacking a BusinessObjects server: external and internal enumeration (e.g. Google dorks), fingerprinting techniques, account enumeration vulnerabilities, specific attack vectors for gaining access to accounts, privilege escalation vulnerabilities, and eventually the full system compromise vulnerabilities that we have found during our research. Anyone defending or attacking an organization that has BusinessObjects deployed in their environment should attend this talk.

Joshua "Jabra" Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has extensive IT Security and Auditing experience and worked as an enterprise risk assessment analyst for Hasbro Corporation. Josh specializes in penetration testing, web application security assessments, wireless security assessments, and custom code development. In the past, he has spoken at BlackHat, DefCon, ShmooCon, Infosec World, CSI, OWASP Conferences, and the SANS Pentest Summit. In his spare time, he contributes code to open source security projects such as the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ.

Will Vandevanter (Security Researcher) joined Rapid7 in 2008. Will has IT security experience with a focus on web application security and secure software engineering. Will specializes in penetration testing, web application security assessments, and secure code development. In the past Will has also worked on a few different open source security projects, including porting SELinux to OpenMoko and other Linux-based mobile platforms. Will holds a Bachelor's degree in Mathematics and Computer Science from McGill University and a Master's degree in Computer Science from James Madison University.

Passwords in Corporate Networks, Carric Dooley, Foundstone & Simon Roses Femerling, Microsoft
Passwords are the oldest and most common security mechanism for computer systems, and still many companies fail to secure them today. In any given security assessment you can find all types of risks, such as weak or blank passwords, forgotten administrator accounts, well-known accounts with default passwords and much more. This talk will present common mistakes in how companies manage passwords, how to find them and how they are abused, based on the authors' experience performing security assessments for all types of companies in both the public and private sectors. We will describe techniques and tools to help hunt for passwords in corporate networks in an easy and fast way.

Carric is currently living in the English countryside with his wife and 3 children (like Madonna). He has performed hundreds of assessments and penetration tests for enterprise clients all over the world since 1997, and is currently building a team in EMEA for Foundstone (a division of McAfee). He has been on staff for BlackHat, Defcon, Shmoocon, Toorcon, and Phreaknic, and co-presented at Defcon in 2008, in addition to presenting Microsoft Hack and Defend in Canada in 2009 and at various local security organizations in Atlanta. Carric also teaches the Foundstone Ultimate Hacking series of classes (UH/UHE/Web/WiFi). He likes the mountains, weight lifting, drums and guitar; he speaks French, can be rude in German, Spanish, Norwegian, and Russian, and is currently vacillating between really making the effort to learn Irish, Japanese, or Norwegian.

Simon Roses Femerling works at ACE Services at Microsoft, providing security services across Europe. He formerly worked at PricewaterhouseCoopers and @stake. He has many years of security experience, during which he has authored and cooperated on several open source security projects and advisories, such as OWASP Pantera. Mr. Roses is a native of Mallorca, an island in the Mediterranean Sea. He holds a postgraduate degree in E-Commerce from Harvard University and a B.S. from Suffolk University in Boston, Massachusetts.

Jackpotting Automated Teller Machines, Barnaby Jack, IOActive
I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat. The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software. I will demonstrate both local and remote attacks, and reveal an ATM rootkit. Finally, I will discuss protection mechanisms that ATM manufacturers can implement to safeguard against these attacks.

Barnaby Jack is the Director of Security Testing at IOActive, where he focuses on exploring new and emerging threats and recommending areas in which to concentrate IOActive's delivery efforts. Jack has over 10 years' experience in the security research space and previously held research positions at Juniper Networks, eEye Digital Security, and Foundstone. Over the course of his career, Jack has targeted everything from low-level Windows drivers to the exploitation of Automated Teller Machines. He has subsequently been credited with the discovery of numerous vulnerabilities and has published multiple papers on new exploitation methods and techniques.

Cyber[Crime|War] - Connecting the Dots, Iftach Ian Amit
CyberWar has been a controversial topic in the past few years. Some say the mere term is an error. CyberCrime, on the other hand, has been a major source of concern, as lack of jurisdiction and law enforcement have made it one of organized crime's best sources of income. In this talk we will explore the uncharted waters between CyberCrime and CyberWarfare, while mapping out the key players (mostly on the state side) and how past events can be linked to the use of syndicated CyberCrime organizations when carrying out attacks on the opposition. We will discuss the connections with standard (kinetic) warfare and how modern campaigns use cybersecurity to their advantage and as an integral part of it. **This talk will focus on Spain**

Iftach Ian Amit brings over a decade of experience in the security industry to Security & Innovation. Prior roles included managing security research at leading web-security firms, managing an IPS startup, and various technology/marketing roles.


1. Please tell us a bit about your topic (something a bit more than what is on the abstract) and why people should attend your session. Are there any pre-requisites for the session? Who should attend?
I'm covering the connections between cybercrime organizations, and state sponsored/endorsed cyberwar actions. This topic has been vying for my interest for quite some time, and after conducting thorough research into cybercrime operations (mostly business model, structure, communication and finances), I started to look into additional connections outside of the traditional ones. People should attend this session as there is not enough attention being put into how the politics of war online should be handled, and while we are trying to figure out how to handle online criminal activities that cross borders, we are still very far from figuring out a way to approach cyberwarfare. I would say that an optional pre-requisite is to check out my research from last year (presented at DefCon-17) which tells the story of the criminal operations and sets the stage for this new research.

2. Why did you select this particular topic?
I was intrigued by the motivations of cybercrime to be involved in conducting attacks and espionage on government and large business bodies "in the name of...", and wanted to figure out how past (and probably present) state sponsored cyber-actions are being carried out given the issues of attribution and deniability which the internet provides.

3. What are the major takeaways?
Realization that governments are still apt to use criminal (or less than totally legit) outlets to carry out some of their online activities when part of a conflict - much like they have been doing in the more traditional sense of "guns for hire", weapons trades, etc...
Additionally - solutions. How to approach resolving conflicts online, what measures can be taken, and most importantly, how political treaties could affect them (based on advancements in law-enforcement cooperation regarding online crime).

4. What other sessions are you looking forward to?
Brian Honan's session on implementing a CSIRT, the ATM session from Barnaby Jack, the SIEM session by Wim Remes, and Security Sucks by Chris Brown (only because I had a chance to already see Chris Nickerson and Andrew Hay's excellent "hug it out" talk!).

5. Anything else you would like to tell us about your session?
Approach with an open mind, a critical view, and don't be afraid to speak out if you have additional/different/conflicting facts, figures or assumptions!

Balancing the Pwn Trade Deficit, Val Smith
China has become a major player in the security community in recent years. From numerous news articles regarding government, military and commercial spying, to high-profile cases such as the recent attack on Google, the tools, research and hacking groups coming out of China are high on everyone's radar. This talk will provide an analysis of the Chinese hacking community, including its capabilities, goals, and cultural differences as well as similarities. A deep technical analysis and reverse engineering of prominent Chinese tools and techniques will be provided as well. We will highlight specifics such as binary obfuscators, encryption, and specific stealth techniques in order to round out an, up till now, spotty picture of this formidable member of the security community.

Val Smith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on a variety of problems in the security community. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. He has worked on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Val Smith founded Attack Research, which is devoted to a deep understanding of the mechanics of computer attack. Previously Val Smith founded a public, open source malware research project.

Securing the Smart Grid: The Journey Ahead, Josh Pennell, IOActive
With the push for more efficient energy distribution, the Smart Grid has quickly turned from the hottest buzz word to a global reality. While the Smart Grid delivers significant benefits, it is essential to secure this critical infrastructure.

In this presentation, Josh Pennell will discuss short- and long-term strategies for better securing the Smart Grid. After highlighting IOActive's research, Pennell will discuss design issues that need to be immediately resolved, including lack of authentication, encryption and authorization. Following this, he will discuss how IOActive has worked with government officials and utilities to develop long-term tactics for ensuring the security of the Smart Grid. One tactic Pennell will discuss is the need for utilities to develop a formalized Security Development Lifecycle (SDL), which would help create more secure products and save money. By conducting third party reviews, and with the cooperation of meter vendors, utilities and the government, Pennell will discuss how we can secure the Smart Grid and thrive from its many promised benefits.

About Joshua Pennell:
As IOActive's Founder and President, Joshua Pennell enjoys a proven, 12-year entrepreneurial track record of creating and maintaining a multimillion-dollar, customer-focused, independent global security services organization. Through Pennell's leadership, IOActive has emerged as one of the world's longest standing, highly technical boutique security consultancies with a history based on cutting-edge research and meritocratic governance.
Pennell serves on the advisory boards of SOURCE, Vantos, and SiteScout. Pennell is also the Chairman of IOActive's advisory board, which includes such computer industry veterans as Steve Wozniak, Jim Reavis, and Jason Larsen. In years past, Pennell played an integral role in helping his team win Defcon's Capture the Flag competition for three consecutive years, followed by another three years of technically revolutionizing the competition before handing the game over to Kenshoto.
