SOURCE Boston 2011 - Speakers And Publications




Application Security
Seaport Ballroom AB


Plaza Ballroom A

Special Sessions
Liberty Room


Registration Opens

8:50am - 9:00am


9:00am - 9:50am

James Beeson, CISO, General Electric

10:00am - 10:50am

GreyHat Ruby: Ruby for Reverse Engineers, Vulnerability Researchers, and Hackers

Stephen Ridley

Among the Blind, The Squinter Rules

Wim Remes

Cyber[Crime|War] - Connecting the Dots

Iftach Ian Amit


11:00am - 11:50am

Bringing Sexy Back: Defensive Measures That Actually Work

Paul Asadoorian

Building Security Integrity Across the Software Supply Chain

Donna Durkin

On The Use of Prediction Markets in Information Security

Dan Geer, Alex Hutton, Greg Shannon


12:00pm - 1:30pm

Lunch/Networking Time

1:30pm - 2:20pm

Secure Development Lifecycle in the Mobile World

Marc French
Iron Mountain

Tokenization - We've Secretly Replaced the Sensitive Information Usually Served with Meaningless Data

Ken Smith

What The Post-PC Era Means for Enterprise Security

Andrew Jaquith


When Prevention Fails, The Tough Get Responding

Michael J. Graven, Mandiant

2:30pm - 3:20pm

The Exploit Intelligence Project

Dan Guido
iSEC Partners

The 2011 Verizon Data Breach Investigations Report: Exploring the Data

Alex Hutton

Panel: Will we EVER be secure?


3:20pm - 4:00pm


4:00pm - 4:50pm

Security Toolbox - Managing security risk in Agile development

Matthew Coles
Izar Tarandach

Incursion - From Internet To SCADA, Critical Systems Compromise Case Studies in Pictures

Val Smith, Attack Research
Chris, SecureDNA

Getting Stuff Done: How to work with the rest of the business

Andy Ellis




5:00pm - 5:30pm

Further down the EXIF hole: A Picture Is Worth a Privacy Fail

Ben Jackson
Larry Pesce

Lock-picking Skills

Schuyler Towne

Flagship Lounge


Selling Security Without Selling Your Soul

Aaron Cohen
MAD Security


5:30pm - 8:30pm

Security Start-up Spotlight & Evening with Entrepreneurs Session

Info Sec Mentors Workshop and Social




Application Security
Seaport Ballroom A

Seaport Ball Room B

Plaza Ballroom A

Special Sessions

8:00am - 9:00am

Breakfast Session with Josh Corman, The 451 Group
I love the smell of FUD in the morning... Smells like...

9:00am - 9:50am


Hugh Njemanze, CTO, ArcSight

10:00am - 10:50am

Fuel for Pwnage: Exploit Kits

Vicente Diaz & Jorge Mieres
Kaspersky Lab

Secure Development for iOS

David Thiel
iSEC Partners



Across the Desk: Different Perspectives on InfoSec Hiring and Interviewing

Lenny Zeltser, Savvis
Lee Kushner, LJ Kushner & Associates


11:00am - 11:50am

Jack of all Formats

Dan Crowley

Security Convergence - Gold Mines and Pitfalls

Ryan Jones


Nailing down security regulations

David Snead
W. David Snead, P.C.


Career Development Workshop

Lenny Zeltser, Savvis
Lee Kushner, LJ Kushner & Associates

12:00pm - 1:30pm


1:30pm - 2:20pm

Dino Dai Zovi Keynote

2:30pm - 3:20pm

Reverse Engineering Flash Files with SWFREtools

Sebastian Porst


The Real Cost of Software Remediation

Dan Cornell
Denim Group


Panel Discussion: Higher Education's ability to conduct relevant research and to effectively teach information security


3:20pm - 3:40pm


3:40pm - 4:30pm

Attacking Oracle Web Applications with Metasploit

Chris Gates

Reversing Obfuscation

Adam Meyers
SRA International

Panel Discussion: The Ethics of Botnet Mitigation

Navigating the Security Industry Student Session

4:40pm - 5:30pm

Improving Application Security - Vulnerability Response in the ISV World

Susan Kaufman,
Nazira Omuralieva

Network Stream Hacking with Mallory

Raj Umadas,
Jeremy Allen
Intrepidus Group

Streamline Incident Types for Efficient Incident Response

Predrag Zivic & Mike Lecky
Canadian Tire

Web App Student Session

5:30pm - 7:00pm

Exhibitor Reception

Student Social




Application Security
Seaport Ballroom A

Seaport Ball Room B


8:00am - 9:00am


9:00am - 9:50am

Building a Rube Goldberg Application Security Program

Wendy Nather
451 Group

Tinker, Tailor, Soldier, A-GPS: How Cost Turns Security Devices Into Weapons

Don Bailey
iSEC Partners

Building Bridges: Forcing Hackers and Business to "Hug it Out"

Chris Nickerson, Lares Consulting
Andrew Hay, 451 Group

10:00am - 10:50am

Fireshark v2 - An Analysis Toolkit for Malicious Web Sites

Stephan Chenette

Not Quite ZigBee; or, How to Sniff a Strange Radio

Travis Goodspeed
Radiant Machines

How to Isotope Tag a Ghost (or, Methods of Instrumenting Indirect Threats & Impacts)

Allison Miller

10:50am - 11:10am


11:10am - 12:00pm

Adding another level of hell to reverse engineering

Ben Agre

You Got That SIEM. Now What Do You Do?

Anton Chuvakin
Security Warrior Consulting


12:10pm - 12:50pm

Speed Debates

1:00pm - 1:50pm

Panel: PTES: PenTest Execution Standard

2:00pm - 2:30pm

Raffle Draw & Closing Remarks

2:30pm - 3:00pm

SOURCE Feedback Session



James Beeson - Chief Information Security Officer for GE Capital

James Beeson has spent 14 years with General Electric. He began as a Technical Services Manager in GE Capital, Vendor Financial Services, moved into Information Security in 2000 with responsibility for Mid-Market Finance, and is now responsible for Information Security and Data Protection globally at GE Capital (Commercial Lending and Leasing, Real Estate Financing, Energy Financial Services, and Capital Aviation Services), a group of businesses that generates more than $31 Billion per year in Revenue, providing over $2.5 Billion per year in Net Income and managing over $360 Billion in assets. Prior to his work at GE, James worked at Trinity Industries, Inc. (a Fortune 500 Dallas-based manufacturing company) for 8 years in a variety of IT leadership positions.

James is actively involved in the (ISSA) Information Systems Security Association and (ISACA) Information Systems Audit and Control Association, which work to drive standards, improvements, and networking in security and risk management globally. He also participates in Infragard to improve communications between the public and private sectors related to protecting our critical infrastructure. He was Co-Chair of the CISO Executive Summit in Dallas in 2010, participates as Keynote Speaker at security events across the country, and is frequently a guest speaker for radio and video broadcasts. James also works closely with the SINET (Security Innovation Network) to promote public and private sector collaboration and increase the awareness of innovative emerging companies. He has an MBA from Southern Methodist University with a Finance emphasis and a BBA with a major in Management and Leadership. He is certified in Risk and Information Systems Control (CRISC), and also Six Sigma Quality certified.


Hugh Njemanze, CISSP - Chief Technology Officer and Executive Vice President of Research and Development, ArcSight (An HP Company)


Hugh S. Njemanze co-founded ArcSight in May 2000 (acquired by HP in October 2010) and has served as its Chief Technology Officer and Executive Vice President of Research & Development since March 2002. In 2010 Mr. Njemanze received the prestigious award of Ernst & Young Software Entrepreneur of the Year, Northern California. From 1993 to 2000, Mr. Njemanze served in various positions at Verity, Inc., a provider of knowledge retrieval software products, most recently as its Chief Technology Officer. Mr. Njemanze also held R&D positions at Apple Computer from 1988-1993 and Hewlett Packard from 1982-1987. He holds a B.S. in computer science from Purdue University.


Dino Dai Zovi, Trail of Bits, LLC

Dino Dai Zovi, currently an independent security consultant and researcher, has been working in information security for over 9 years with experience in red teaming, penetration testing, software security, and information security management. Mr. Dai Zovi is also a regular speaker at information security conferences having presented his independent research on memory corruption exploitation techniques, 802.11 wireless client attacks, and Intel VT-x virtualization rootkits over the last 10 years at conferences around the world including DEFCON, BlackHat, and CanSecWest. He is a co-author of the books "The Mac Hacker's Handbook" (Wiley, 2009) and "The Art of Software Security Testing" (Addison-Wesley, 2006). In 2008, eWEEK named him one of the 15 Most Influential People in Security. He is perhaps best known in the information security and Mac communities for winning the first PWN2OWN contest at CanSecWest 2007. For more information, go to


Mr. Peiter “Mudge” Zatko, DARPA

Mudge joined I2O with the mission of changing how the government approaches cyber programs, and to act as an ambassador to hacker-spaces, maker-labs, and other non-standard pools of talent. Peiter "Mudge" Zatko is perhaps best known as the hacker who told the U.S. Senate that he could take down the Internet in 30 minutes (BGP). He has testified to the United States Senate Committee on Government Affairs as a subject-matter expert in regard to the security of government systems, and to the House and Senate Joint Judiciary Oversight Committee as a subject-matter expert on cyber crime. Prior to taking a public service position as a program manager at DARPA, he worked for BBN Technologies as a Technical Director for their National Intelligence Research and Applications division.

Mudge has published in various refereed journals (such as ACM, CORE/CQRE, USENIX Security journal, etc.). He has taught offensive cyber warfare techniques and tactics courses at various Department of Defense entities and was recently a visiting Scientist at Carnegie Mellon University. As the leader of the hacker think tank known as "The L0pht", Mudge is the inventor of L0phtCrack, an industry-standard Microsoft password auditing tool, and several other well-received software security solutions. Mudge was recognized by the National Security Council, Executive Office of the President, as a vital contributor to the success of the President's Scholarship for Service Program. He was also recognized as contributing to the CIA's critical national security mission and is an honorary plank owner of the USS McCampbell (DDG-85).

His goal remains constant: "Make a dent in the universe."



On The Use of Prediction Markets in Information Security
Dan Geer, In-q-tel
Alex Hutton, Verizon
Greg Shannon, Carnegie Mellon University

A tool created to help establish beliefs as probabilities, prediction markets are speculative markets created for the purpose of understanding the probability of future events. Not widely used in Information Security, prediction markets may have benefits for our industry. Dan Geer, Alex Hutton and Greg Shannon will give a background on what prediction markets are, how they can be used by the information security industry as a whole, and how security departments and professionals can use them as a tool to help defend their environments.

Dan Geer
Dan is a computer security analyst and risk management specialist and currently the chief information security officer for In-Q-Tel.

Alex Hutton
Alex is a principal for Research & Intelligence with the Verizon Business RISK Team.

Greg Shannon
Dr. Greg Shannon is the chief scientist for the CERT® Program at Carnegie Mellon University’s Software Engineering Institute. In this role, he works to establish and enhance the program’s research visibility, initiatives, strategies, and policies.


What The Post-PC Era Means for Enterprise Security
Andrew Jaquith, Chief Technology Officer, Perimeter E-Security


By the end of 2012, the number of smartphones and tablets sold will eclipse PCs globally, dramatically shifting the center of the computing universe to the mobile sphere. These new Post-PC devices resemble PCs, but the security concerns are very different. In this presentation, Perimeter E-Security CTO (and former Forrester and Yankee Group Analyst) Andrew Jaquith describes key enterprise mobility adoption trends and what they mean. He outlines four landmines that enterprises must avoid, and recommends five mobile security services IT staffs must provide to their employees and customers today.

Andrew Jaquith brings 20 years of IT and information security experience to Perimeter, most recently as a senior analyst with Forrester Research, where he led team coverage for data, endpoint and mobile security topics. Prior to joining Forrester, he was senior analyst with Yankee Group. Before Yankee, he co-founded @stake, which Symantec acquired in 2004. Before @stake, he held positions at Cambridge Technology Partners and FedEx. He has a BA from Yale.

When Prevention Fails, The Tough Get Responding
Michael J. Graven, Director, Mandiant


You can’t prevent everything. When an attacker successfully evades the best prevention and detection techniques, you need to respond. And it will happen. I’ll discuss how the best organizations respond to incidents. What tools do they use? How do they use them? What doesn’t work? Network detection or host-based detection?

Then we’ll put it into the context of the latest targeted threats. Responding to mass malware is different from responding to the Advanced Persistent Threat (and we know the APT, from over five years of responding to it.) I’ll tell you how to succeed at targeted remediation without losing your mind.

Michael J. Graven is a Director at MANDIANT. Like all MANDIANT consultants, he chases network bad guys through Fortune 500 companies, governments, and financial institutions. Michael earned degrees at Northwestern University and Stanford University. He has worked on internetworks and system security since 1989, working in environments as large as AT&T and Netscape to as small as twenty-person startups. He is a native Californian and a snowboarder, but he does not surf.

Nailing down security regulations
David Snead, Attorney & Counselor, W. David Snead, P.C. (@wdsneadpc)


This seminar uses a case study developed by David Snead to communicate real world strategies to address the legal implications of distributed computing security issues regardless of your status as a user, provider, or supplier. Avoiding theoretical analyses of the law, or long forays into esoteric legal issues, Snead will present:

A matrix companies can use to evaluate their legal / security risks

Easy to understand explanations combined with smart contract examples for any business owner

How to address transnational security issues

Attendees will leave this presentation with a tool kit and questions they can use immediately in their business to understand and compartmentalize legal risks associated with future distributed computing security issues.

David Snead is an attorney in private practice in Washington. His practice focuses exclusively on representing companies and other entities active in the Internet infrastructure. He has industry specific expertise in third party liability, security, telecommunications and distributed computing issues. In his 17 years in this area, he has represented companies both in-house and as outside counsel, and has clients in over 20 countries.


The Exploit Intelligence Project
Dan Guido, Security Consultant, iSEC Partners (@dguido)

In 2011, mass malware is still the most common source of compromise on corporate networks. Bots like Zeus, Gozi, and Clampi successfully infect devices despite organizations carefully managing disclosed vulnerabilities and subscribing to detailed analysis of the latest malware families. Existing efforts at malware prevention focus broadly on vulnerabilities and their impact yet ignore the means by which they are exploited and the motivations, opportunities and capabilities of attackers, which has allowed this problem to become worse year-after-year.

In this talk, I introduce an intelligence-driven approach to malware defense, focusing on attacker's capabilities and methods, with data collected from the most popular crimeware packs currently deployed in-the-wild. This analysis identifies the means by which exploits are developed and selected for inclusion in crimeware packs, identifies defenses that are outside the capability of malware exploit writers to bypass, and helps attendees evaluate not just the exploitability, but the probability of a vulnerability being exploited. This study shows that, until crimeware packs substantially advance in sophistication, only a few simple defensive tactics are required to protect users from such opportunistic threats.

Dan Guido is a Security Consultant at iSEC Partners, where he specializes in incident response, application security, and penetration testing. Before joining iSEC, Dan worked for the Federal Reserve System's incident response team where he developed and ran a threat intelligence program to report on current trends in cybercrime, threats to payment systems, and nation-state cyber espionage activities. In addition to his work at iSEC, Dan is an adjunct faculty member at NYU:Poly where he teaches a graduate computer science course in penetration testing and vulnerability analysis.


Building Bridges: Forcing Hackers and Business to "Hug it Out"
Andrew Hay, Senior Analyst, 451 Group (@andrewsmhay) & Chris Nickerson, CEO, Lares Consulting (@indi303)


Hackers and business decision makers rarely see eye-to-eye. There has historically been a great chasm separating the views of business decision makers who pay the bills and the in-the-trenches security practitioners who perform the work. This epic battle has taken a toll on the security of many environments as businesses focus on operations and "hackers" focus on the symptomatic issues directly in front of them. This talk serves to open the dialogue between both groups in an attempt to find some common ground and understanding. Beginning with raising the "hackers'" awareness of business concerns and how business guides the path to security, we hope to bring a fresh perspective on how to position their concerns. This alone may build a bridge and allow them to receive the support they have always craved. After we address this daunting task, we will turn to the business aspect. In this section, we will give the business professionals a unique view into the mind of a security professional. Yes, the ones who throw a fit because a screen shot of some black and green screen with text on it is "bad." We will give you a behind-the-scenes explanation of why they are reacting the way they are and how having that emotion is a massive benefit to the business (and not just a cost). At the end of the day, the business and the hacker have the same goals; we all want to secure the business. We may have different drivers and motivators but a common goal exists. We will extend the olive branch to both sides and hope that this talk will inspire others to do the same.

Andrew Hay, Senior Analyst, The 451 Group
Andrew is a Senior Security Analyst and veteran information security practitioner with more than 10 years of experience related to SIEM, vulnerability assessment, penetration testing, forensics, and incident response.

Chris Nickerson, CEO, Lares Consulting
Chris leads a team of security consultants who conduct security risk assessments, application testing and vulnerability assessments, policy design, social engineering, in addition to penetration, Red Team, and regulatory compliance testing.

Fuel for pwnage: Exploit kits
Vicente Diaz, Senior Malware Analyst, Kaspersky Lab (@trompi) & Jorge Mieres, Senior Malware Analyst, Kaspersky Lab (@jorgemieres)


When the ratio of infected boxes reaches 70% in certain areas, it is time to ask how that is possible. Exploit kits are the underground market's answer to this demand. For some years these kinds of products have been used in almost every single malicious campaign in order to increase the number of victims. This talk is the result of an exhaustive analysis of most of the kits available in the underground market, regardless of whether they are public or private. Not only technical aspects and evolution are studied, but also their market share, the reasons for their success, their use in different famous malicious campaigns, and the social and economic aspects of these products in the underground market. The exploits used are another interesting factor: in 2011 there are kits still successfully exploiting vulnerabilities patched in 2006! On the other hand, there are kits using much more advanced techniques, such as ROP.

Jorge and Vicente are both Senior malware analysts in the Global Research and Analysis Team at Kaspersky Lab. Established in 2008, the Global Research and Analysis Team is an integral part of the R&D department of Kaspersky Lab and provides leadership in anti-threat intelligence, research and innovation, internally and externally. The team supports global and local PR and marketing efforts and conducts incident response during malware-related incidents.

Tinker, Tailor, Soldier, A-GPS: How Cost Turns Security Devices Into Weapons
Don A. Bailey, Security Consultant, iSEC Partners, Inc. (@donandrewbailey)


Recently, a spotlight has been focused on location information and how accessible it is via attacks against smart phones and the global GSM network. But, what about devices whose intent is solely to track an individual or a physical asset? How can these devices be attacked and impersonated? The presenter will reveal how common consumer focused assisted GPS (A-GPS) devices can be manipulated into sending a malicious individual location data and subscriber related information, bypassing the manufacturer's security controls. Techniques will demonstrate how to forge location requests. Since these devices are often used to protect vehicles and uncover theft of shipments, an attacker can impersonate the real route of a commercial vehicle while in reality driving in another direction. Finally, the presenter will demonstrate methods used to hunt these devices on the telephone network, making almost any A-GPS device vulnerable to exploitation. Tools for each demonstration will be made available.

Don A. Bailey is a Security Consultant with iSEC Partners, Inc. Recently, Don has presented research at several international security conferences discussing topics such as stealth root-kit design, zero-day technology, DECT, GSM, and embedded security. Most recently, Don spoke at Blackhat Abu Dhabi and ToorCon San Diego regarding vulnerabilities in the global telephone network. Additionally, Don was invited to lecture at government organized conferences on building risk management programs with a small budget.

Getting Stuff Done: How to work with the rest of the business
Andy Ellis, Senior Director of Information Security, Akamai


This interactive workshop will give you tools for better communicating with the rest of the business, and demonstrate successful (and unsuccessful!) influencing styles. Explore techniques from Chicken Little ("OMG! The sky is falling!") through Nostradamus ("If we do this, our names will live in infamy unto the 90th generation!") to Used Car Salesman ("Look at all these blinky lights! Give me more budget!").

Businesses take risks every day. If you don't succeed at informing that decision, you're not being effective.

Andy Ellis is responsible for overseeing the security architecture of Akamai's massive, globally distributed network; setting the strategic security direction of its offerings; and managing the Information Security organization. A graduate of MIT and a former US Air Force officer, Andy is a noted speaker and the author of Protecting a Better Internet, a blog focused on key issues facing the information security industry. He also sits on the Board of Advisors of HacKid.

Cyber[Crime|War] - Connecting the Dots
Iftach Ian Amit, VP Consulting, Security Art (@iiamit)


CyberWar has been a controversial topic in the past few years. Some say the mere term is an error. CyberCrime, on the other hand, has been a major source of concern, as lack of jurisdiction and law enforcement have made it one of organized crime's best sources of income. In this talk we will explore the uncharted waters between CyberCrime and CyberWarfare, while mapping out the key players (mostly on the state side) and how past events can be linked to the use of syndicated CyberCrime organizations when carrying out attacks on the opposition. We will discuss the connections to standard (kinetic) warfare and how modern campaigns use cybersecurity to their advantage and as an integral part of it.

Iftach Ian Amit brings over a decade of experience in the security industry to his role as VP Consulting at Security Art. Prior roles included managing security research at leading web-security firms, managing an IPS startup, and various technology and business roles.

So You Got That SIEM. Now What Do You Do?
Anton Chuvakin, Principal, Security Warrior Consulting (@anton_chuvakin)


Many organizations that acquired Security Information and Event Management (SIEM) tools, and even simpler log management tools, have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use" and "totally intuitive."

So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before a SIEM purchase becomes successful?

At this presentation, you will learn from the experience of those who did not have the benefit of learning from others' mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. And laugh at some hilarious stories of "SIEM FAIL" of course! As a bonus track, how to revive a FAILED SIEM deployment you inherited at your new job will be discussed.

Dr. Anton Chuvakin is a recognized security expert in the field of log management, SIEM and PCI DSS compliance. He is an author of books "Security Warrior" and "PCI Compliance." Currently he runs his consulting practice focused on SIEM, log management as well as compliance.


Further down the EXIF hole: Privacy failure via smartphone photographs
Ben Jackson, Co-Founder, Mayhemic Labs (@innismir)
Larry Pesce, Senior Security Consultant, NWN Corporation (@haxorthematrix)


How hard is it to gather information about people via the GPS metadata in their images available via social media? It turns out the answer is "not very." Come see just how far the rabbit hole goes with EXIF data, how easy it is to amass a sizable database of people using these services -- and what geographic information has been encoded on their public photos. This presentation will cover the basics of how and why this research was done, why sharing such information is bad, and our attempts at public outreach via Plus, we'll highlight various instances of privacy fail: we'll show how this data can lead to stalking, finding of cheating spouses and celebrities, robbery via craigslist, and how to hide in the bushes outside of the house of that girl you found on that dating site once.

Ben spends his time enjoying being a husband, dad, and messing around with anything that has a button on it. He was the author for "Asterisk Hacking" from Syngress and dislikes writing about himself in the third person.

Larry is a Senior Security Consultant with NWN Corporation in Waltham, MA. He also diverts a significant portion of his attention co-hosting the PaulDotCom Security Weekly podcast. Larry also authored "Linksys WRT54G Ultimate Hacking" from Syngress.

Network Stream Hacking with Mallory
Rajendra Umadas, Consultant, The Intrepidus Group (@d1ab106)
Jeremy Allen,Principal Consultant, The Intrepidus Group (@bitexploder)


Mallory employs the same techniques many governments use to spy on their citizens surreptitiously and transparently, reading private email and SSL encrypted traffic. Leveraging these capabilities we use Mallory, a transparent MiTM proxy, to find bugs in client and server applications of all types. More specifically, Mallory is a tool capable of intercepting, pausing, and editing any TCP based network stream, SSL encrypted or not. During the summer of 2010, at BlackHat, Intrepidus Group released Mallory: A Transparent TCP/UDP proxy to help perform assessments against mobile devices and other hard to reach targets. We have been hard at work making Mallory better and easier to use! We present to you the latest release of Mallory: A Transparent TCP/UDP Proxy. The first version of Mallory was an advanced tool, but it came with something of a catch. The catch was that it required a bit of work on the setup side, including knowledge of firewalls, NATs, and routing tables. NO MORE! The latest release of Mallory, with its new and improved GUI, in-memory cert generation, dynamic protocol configuration, and a more readable code base is available. Simply start Mallory, follow the easy to read directions in the GUI, and like magic, all those network bits are yours for the mangling. But wait, there's more (yes, we just wrote that). As a part of our testing work, we often fuzz our testing targets. We are now releasing a simple mutational fuzzer "protocol". If you ever find yourself with nothing to do on a rain-soaked Sunday evening, huddle up under the glow of your favorite LCD display and fire up Mallory with the fuzzer running and watch the *0day fall from the sky, all from the comfort of a GUI and setup designed to make it easy to get started. Mallory also has a host of other features, such as SSH MITM, HTTP and HTTPS protocol decoding, HTTP Plugins and HTTP session hijacking via a Google Chrome browser addon (and other features we regularly use during testing).
*NOTE: You still have to find something fun to fuzz and run it through the fuzzer in a structured manner.

Rajendra Umadas is a Consultant with the Intrepidus Group. Rajendra spends much of his time tearing apart mobile applications across a number of different platforms. In his spare time, Raj can often be found tinkering on his 370z.

Jeremy Allen is a Principal Consultant with the Intrepidus Group. Jeremy is responsible for mobile application assessments and threat modeling. He spoke at BlackHat Vegas 2010 and has implemented and given talks on mobile application testing tools.

Selling Security Without Selling Your Soul
Aaron Cohen, Managing Partner, MAD Security (@aaronco)


Most people don't "get" security, and it's hard to convince them of what they need...manager, executive, boss or client prospect. We constantly try to persuade people with our ideas; sometimes they take it, but usually they leave it. Whether or not someone buys security has nothing to do with whether they need it or not, it has to do with whether they think they need it, and that is our job as a sales professional. The sky can only fall so many times, which is why it is imperative to learn to sell security without selling your soul. In this talk we will discuss and show real world examples of how to be effective in different sales scenarios, which is important for those that want to win business, consulting gigs, project funding and in some cases keep your job.

Founder of The Hacker Academy and Managing Partner of MAD Security, Aaron has developed growth strategies in the private and public sector for a variety of companies including a leading IT training company and assisted in successfully growing the business of an international software firm. Focused on information security, he has over ten solid years of sales and business development consulting experience. Aaron has been featured in various forms of media, including interviews on CNBC.

Adding Another Level of Hell to Reverse Engineering
Ben Agre, Bintern, Raytheon SI (@sboxkid)


There is an arms race between reverse engineers and people who want to obfuscate code. The state of the art packers currently are creating small virtual machines to run their code on, or small amounts of junk code and some opaque predicates. In this talk we take the predicates one step further and one step back at the same time. I propose not only reasoning about the program, but being willing to change the program's state in a way that will not alter the execution of the program: adding cleanup code inside of the junk code blocks after the opaque predicates, such that it can clean up the given flags, and such that if a reverser were to remove the code, it would fundamentally alter the program. During this talk all of these items will be discussed as well as the state of packers/cryptors.

Ben Agre has been playing with computers ever since he was hacked at a young age and wondered what the hell happened. He currently works at Raytheon SI, where he reverses malware. He’s played in Defcon CTF, and enjoys hardening binaries.

Higher Education's ability to effectively research and teach information security

Moderator: Kees Leune, Information Security Officer and Adjunct Professor, Adelphi University (@leune)

Dan Guido, Security Consultant, iSec Partners & Adjunct Faculty, NYU Poly (@dguido)

David Mortman, Director of Security and Operations at C3, LLC and Contributing Analyst at Securosis (@mortman)

Andy Ellis, Senior Director of Information Security and Chief Security Architect, Akamai (@csoandy)

Rob Cheyne, Chief Executive Officer, Safelight Security Advisors (@rcheyne)


For ages, society has relied on institutes of higher education to conduct state-of-the-art research, and to teach its students. However, in the present, that may no longer be a realistic expectation.
Some information security practitioners believe that the field changes so rapidly that even those who live and breathe its fabric daily have a hard time keeping up with current affairs, that academia is falling behind, and that it is at risk of becoming irrelevant and/or obsolete. Others believe that an excessive focus on developing skills that can be applied immediately is irrelevant, and that higher education should instead focus on developing and fostering knowledge and inquisitiveness.

This panel will address questions like:
- Is there a role for higher education in information security research?
- Is information security mature enough to be teachable?
- What skill set should information security faculty possess?

This panel brings people with a large variety of backgrounds to the table. Some of us have been raised in academia, others may not even have a college degree. All of us work in the field, and have clear opinions about how well Higher Education contributes to the state-of-the-art of information security. The panel is moderated by Dr. Kees Leune, CISO at Adelphi University.

Secure Application Development on iOS
David Thiel, Principal Security Consultant, iSEC Partners


The Cocoa Touch API has received relatively little security attention. Since the iPhone's release, much has been made of jailbreaking techniques and the OS itself, but there is scant information available for developers and pentesters on how to securely write or test iOS applications. In fact, all those who have possessed such knowledge are dead or insane. Since security risks to mobile devices now heavily include the risk posed by poorly coded or malevolent third-party software, this is something that will need to change -- a number of companies have already been called out in the press for severe flaws in their iOS applications.

Drawing on real-world experience with insecure iOS applications both pre-release and post-disclosure, this talk aims to fill this void. Background is provided on Objective-C/Cocoa and their quirks, characteristics and proper use of Apple-provided security APIs, and common pitfalls in iOS application design.

David Thiel is a Principal Security Consultant with iSEC Partners, Inc. He has over 15 years of computer security experience, auditing and designing security infrastructure for numerous Fortune 100 companies. Areas of expertise are mobile platforms, web application penetration testing, fuzzing, UNIX, and MacOS X. He has presented research and security topics at Black Hat USA, Black Hat EU, DEFCON, PacSec, MOBICASE and Syscan, and is a co-author of Mobile Application Security from McGraw Hill.

Tokenization: We've secretly replaced your sensitive information with meaningless data
Kenneth Smith (@ken5m1th)


Tokenization has become increasingly popular as a method to protect sensitive data at rest and to also reduce the scope of security requirements such as PCI DSS. Many solutions now integrate directly with web applications, offering the capability to tokenize the data before it ever reaches internal corporate systems. If done correctly, this can be a big win for your organization. In this talk we will discuss the different types of tokenization solutions; the strengths and weaknesses of each; seeing through the marketing hype and vendor claims; where tokenization makes sense and where it doesn’t; and how to avoid some common mistakes that could greatly reduce the effectiveness of a solution. We’ll also cover some specific examples of reducing the scope of PCI DSS.

Ken Smith is an Enterprise Information Security Consultant with 15 years of experience. As a consultant, and former QSA, Ken has an extensive background in protecting information and a deep understanding of the intent of PCI DSS. Ken has helped many organizations in the areas of strategic planning, assessment, remediation plan development, and security program design.


Panel Discussion: The Ethics of Botnet Mitigation


Today's countermeasures against botnets are mostly defensive: DDoS attacks are dealt with by null-routing malicious traffic, and we try to contain spreading bots with reactive measures. While the technical means for more offensive approaches exist, the legal situation is often unclear when it comes to using them in operation. Taking over an international botnet in order to disinfect the drones without permission of the infected victims is the classic example where an action may be technically possible but restricted by laws. On the other hand, from an ethical viewpoint omission comes along with responsibility, too. In this panel discussion, we will brainstorm some real world botnet scenarios and review the limitations of countermeasures. We will further summarize the main questions and outline important thoughts for ethical decision making in this political discussion.

Tillmann Werner

Tillmann works as a Senior Virus Analyst in Kaspersky Lab's Global Research and Analysis Team. His duties include dealing with the analysis of new threats and prototype software detection tools for the company. Prior to joining Kaspersky Lab, Tillmann worked as an Incident Handler for the German Federal Office for Information Security and also as a Research Assistant at the University of Bonn, where he specialized in malware analysis, honeypot technologies and containment strategies for large-scale attacks. As a member of the Honeynet Project, Tillmann is actively involved with the global IT security community and is a regular speaker on the international conference circuit. Tillmann holds a Diploma in Information Technology from the Mannheim University of Cooperative Education and a Diploma in Computer Science from the University of Bonn.

Jeff Williams

Jeff Williams is a senior member of the Microsoft Malware Protection Center (MMPC). The MMPC is Microsoft's Center of Excellence for malware research and response. Jeff's team is responsible for vulnerability analysis and the creation of IPS signatures, the release of the Malicious Software Removal Tool to more than 600 million computers each month, the analysis of telemetry from all of Microsoft's anti-malware products and the creation of the semi-annual Security Intelligence Reports. Jeff also represents the MMPC to industry and consults with other groups at Microsoft such as the Digital Crimes Unit, Trustworthy Computing and the Microsoft Security Response Center.

Eileen Monsma

Eileen Monsma, MSc, is a researcher embedded with the preeminent National High Tech Crime Unit (NHTCU) of the Netherlands' Police Agency. The NHTCU aims to investigate and prevent organized High Tech Crime and primarily works on international cases while applying innovative strategies.

Dave Dittrich

Dave Dittrich is a Senior Security Engineer and Researcher at the Applied Physics Laboratory at the University of Washington. He is also a member of the Honeynet Project and Seattle's "Agora" computer security group. Dave is most widely known for his research into Distributed Denial of Service (DDoS) attack tools and host/network forensics. He has presented talks and courses at dozens of computer security conferences, workshops, and government/private organizations worldwide, contributed articles and chapters to several magazines and books, and co-authored the first complete book on DDoS, titled "Internet Denial of Service: Attack and Defense Mechanisms."


Ryan Naraine

Ryan Naraine is a Security Evangelist in Kaspersky Lab's Global Research & Analysis Team. Ryan has extensive experience in computer security user education. He specializes in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats, and issues related to responsible vulnerability disclosure. He has monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and ZDNet's Zero Day blog. Before joining Kaspersky Lab's research team, Ryan created and edited, Kaspersky Lab's security news service.

Across the Desk: Different Perspectives on InfoSec Hiring and Interviewing
Lenny Zeltser, Security Consulting Director, Savvis & Faculty Member, SANS Institute (@lennyzeltser) & Lee Kushner, President, LJ Kushner & Associates (@ljkush)


Landing the perfect security job and finding the right candidate takes more than merely matching the person’s skills to the job requirements. The hiring manager and the candidate explore each other’s traits and persuade each other of the right fit during email, phone and in-person interactions. Succeeding at these discussions and getting the upper hand requires understanding your negotiation objectives and the other party’s tactics.

This session investigates the perspectives of both sides of the hiring process: the candidate and the employer. Lenny Zeltser and Lee Kushner will alternate between the viewpoints to clarify how each side views topics such as: the resume’s role, the job’s appeal, career advancement, interview communications and compensation. Providing insight into the hiring process, they’ll dispel some of the myths of how it really works. Attendees will come away as more effective interviewers and interviewees as they work to build their teams and attain career goals.

Lee Kushner is the President of LJ Kushner and Associates, an executive search firm dedicated to the information security industry and its professionals. He is the co-founder of, a website providing career advice and research for the infosec community.

Lenny Zeltser is a seasoned security professional and author. He leads the security consulting practice at Savvis and is also a senior faculty member at SANS Institute. He is quite active on and

Career Workshop
Lenny Zeltser, Security Consulting Director, Savvis & Faculty Member, SANS Institute (@lennyzeltser) & Lee Kushner, President, LJ Kushner & Associates (@ljkush)

The Career Workshop at SOURCE will provide you, the SOURCE attendee, with the opportunity to ask any information security career related question that you would like to have answered. The basis of the session will be to provide attendees with a platform to address questions regarding career planning, interviewing, position selection, the selection of career investments, compensation and negotiation. The session will allow all attendees to learn from each other, in a setting that encourages discussion, experience sharing, and knowledge transfer.


Security Toolbox - Managing security risk in Agile development
Matthew Coles, Principal Software Security Engineer & Izar Tarandach, Principal Software Security Engineer, RSA, The Security Division of EMC

Product development itself is challenging, and trying to build in product security in an Agile model adds a level of complexity that puts many developers and testers well outside their comfort zones. We propose a framework for secure Agile development which reduces the need for dedicated security subject matter expertise and gives Agile teams better management of security risk, through the creation of a "Security Toolbox". A Security Toolbox incorporates security subject matter expertise such as secure architecture, secure design patterns and security tests that need to be executed, providing a complete and self-contained subset of requirements generated from the inclusion of particular objects or resources, together with controls and metrics which enable Scrum Masters and Product Owners to meet organizational policies and industry compliance initiatives.

Matthew Coles is a Principal Software Security Engineer in the EMC Product Security Office with 12+ years of experience across disciplines of software engineering. His current focus is on rolling out secure software development guidance and support to product engineering teams within EMC. Izar Tarandach is a Principal Software Security Engineer in the EMC Product Security Office with 20 years of experience beating Unix into submission.


The Real Cost of Software Remediation
Dan Cornell, CTO, Denim Group (@danielcornell)


The security industry is beginning to release data that focuses on the prevalence of different types of vulnerabilities and incidents. However interesting, such data falls short of providing crucial information to aid organizations with their software remediation efforts. This presentation provides statistical data from 15 different web application remediation projects in order to provide real insight into the costs of remediating application-level vulnerabilities. The data addresses pressing questions, including how much time is spent on different phases of remediation projects (inception, planning and execution), and how much time is required to remediate different classes of vulnerabilities. Based on this data, analysis is also provided so organizations can make decisions about which vulnerabilities should be fixed and which should be left, how to schedule vulnerability remediation into software project schedules, and activities organizations should undertake in order to prevent the most costly vulnerabilities from occurring in the first place.

Denim Group CTO, Dan Cornell, has been developing and securing web-based software for over twelve years. He is the OWASP San Antonio chapter leader, a member of the OWASP Global Membership Committee, co-lead of the OWASP Open Review Project and has spoken internationally at conferences such as OWASP EU Summit and ROOTs in Norway.


Attacking Oracle Web Applications with Metasploit
Chris Gates, Sr. Security Consultant, Rapid7 (@carnal0wnage)


In 2009, Metasploit released a suite of auxiliary modules targeting Oracle databases and attacking them via the TNS listener. This year let's beat up on...errr, security test Oracle, but do it over HTTP/HTTPS. Rather than relying on developers to write bad code, let's see what we can do with default content and various unpatched Oracle middleware servers that you’ll commonly run into on penetration tests. We’ll show how to find and exploit some of the more useful content, including some modules for automating PL/SQL exploitation activities, and we'll also re-implement the TNS attack against the isqlplus web portal with Metasploit auxiliary modules.

Chris Gates (CG/carnal0wnage) is currently a Sr. Security Consultant for Rapid7 and is a member of the Metasploit Project and Attack Research. He enjoys business logic flaws, misconfigured databases and the occasional client-side attack. He has spoken at various other security conferences including Blackhat DC, BlackHat USA, Defcon, CSI 2009, Brucon, SOURCE Boston, Toorcon, Notacon, and Chicagocon. He is a regular security blogger and securitytwit @carnal0wnage.

Not Quite ZigBee; or, How to Sniff a Strange Radio
Travis Goodspeed, Radiant Machines (@travisgoodspeed)


Though Wifi and Bluetooth are household names, and ZigBee is gaining popularity, most low-power radios are far less standardized. Given a device with a vendor-proprietary radio protocol, this lecture covers the methods by which a packet sniffer can be built. Examples include two brands of audience response clickers, ANT+ sports equipment, a wireless keyboard, and a hacker conference badge. Techniques include wiring development kits to a GoodFET, reconfiguring one radio to be compatible with another, and hooking a custom in-circuit debugger into a chip to hijack its radio without having a prior copy of the configuration. The lecture concludes with a live demo of packet sniffing a wireless keyboard.

Travis Goodspeed is a Tennessean security researcher and the author of the first remote code execution exploit for a wireless sensor. At Source Boston in 2010, he presented a PRNG vulnerability that exposed private keys of smart electric meters.

Security Convergence - Gold Mines and Pitfalls
Ryan Jones, Physical Security and Social Engineering Practice Manager, Trustwave Spiderlabs (@lizborden)


Security convergence evolved from the realization that information-based assets are increasingly critical to organizations, and that there is a need for these assets to be protected physically as much as they are logically. However, this is not a simple plug and play solution and without proper planning and design, companies are opening themselves up for additional vulnerabilities and organizational problems. This speech will review the benefits of reaching "convergence", but also bring to light the financial, employee, and network and physical security issues that can arise from an implementation that is supposed to make security stronger.

Ryan Jones is a 15-year veteran of information security and is the Physical Security and Social Engineering Practice Manager for Trustwave SpiderLabs, the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security, and security research.


Bringing Sexy Back: Defensive Measures That Actually Work
Paul Asadoorian, Founder & CEO, PaulDotCom Enterprises

There is a plethora of information available on how to break into systems, steal information, and compromise users. As a penetration tester, I have performed testing on a regular basis that reveals severe security weaknesses in several organizations, and many of my peers have reported on the same. However, once you "own" the network and report on how you accomplished your goals, now what? Sure, we make defensive recommendations, but consistently it has been proven that security can be bypassed. Not enough focus is given to what works defensively. We have a lot of technology at our disposal: firewalls, intrusion detection, log correlation, but it provides little protection from today's threats and is often not implemented effectively. This talk will focus on taking an offensive look at defense, applying techniques that are simple, yet break the mold of traditional defensive measures. We will explore setting up "traps" for attackers, slowing them down with simple scripts, using honeypots, planting bugs, and most importantly tying these methods to "enterprise security". This talk will also include real-world examples of the techniques in action from a live, heavily attacked site. Topics will include:

- Using wireless “attacks” on the attackers
- Implementing the Metasploit Decloak engine to find the attackers
- Setting traps to detect web application attacks
- Integrating results into your enterprise log management tool

The goal of this talk is to make defense “sexy”…

Paul Asadoorian is currently the Product Evangelist for Tenable Network Security, where he regularly uses vulnerability scanning and enterprise management products, showcasing them in blogs, podcasts, and videos. Paul is also the founder of PaulDotCom, an organization centered around the award winning PaulDotCom Security Weekly show that brings listeners/viewers the latest in security news, vulnerabilities, research, and interviews with the security industry's finest. Paul has a background in penetration testing, intrusion detection, and is the author of WRT54G Ultimate Hacking, a book dedicated to hacking Linksys routers.

Fireshark v2 - An Analysis Toolkit for Malicious Web Sites
Stephan Chenette, Principal Security Researcher, Websense (@stephanchenette)


Thousands of legitimate web sites serve malicious content to millions of visitors each and every day. Trying to piece all the data together to confirm any similarities between possible common patterns within these websites, such as re-directors that belong to the same IP, IP range, or ASN, and reconstructing the final deobfuscated code can be time-consuming and sometimes impossible given many of the freely available tools. I will present the second version of an open source web security research tool that I have written called Fireshark that is capable of visiting large collections of websites at a time, executing, storing and correlating the content, and from it identifying hundreds of malicious ecosystems.

Stephan Chenette is a Principal Security Researcher for Websense Security Labs working on exploit and malcode detection techniques. Mr. Chenette specializes in research tools and next generation emerging threats. He has released public analyses on various vulnerabilities and malware. Prior to joining Websense, Stephan was a security software engineer for 4 years working in research and product development at eEye Digital Security.

Improving Application Security - Vulnerability Response in the ISV World
Susan Kaufman, Principal Program Manager & Nazira Omuralieva, Senior Security Engineer, RSA, The Security Division of EMC

For most software vendors, it is not a matter of if, but a matter of when they will have to deal with software vulnerabilities. Many vendors do not have defined processes or have not identified the responsible parties within their organizations to handle these types of situations. This session is intended to assist software vendors in understanding the vulnerability response ecosystem, as well as the high-level processes, roles and responsibilities required to effectively manage their response to vulnerabilities. This presentation will identify the main focus areas of managing vulnerability response, including roles and responsibilities, sources of vulnerability reports, tips on creating your own response program, industry resources and a review of real examples from EMC's experience - with a variety of interesting outcomes.

Susan Kaufman is the Principal Program Manager for EMC’s Product Security Response Center, where she manages the Vulnerability Response Program and coordinates reporting and metrics for the Security Development Lifecycle Program.

Nazira Omuralieva is the Senior Security Engineer for EMC’s Product Security Response Center, where she is the technical lead in diagnosis and remediation of product vulnerabilities and manages communication with external security contacts. She also consults on secure development practices within EMC product teams.

Building a Rube Goldberg Application Security Program
Wendy Nather, Senior Analyst, Enterprise Security Practice, The 451 Group (@451wendy)


Building an application security program looks great on paper, but the execution is sometimes worthy of its own reality TV show. Prioritizing applications, choosing tools, creating new processes, cajoling developers and QA staff, and appeasing management can all be challenging, even before you start looking at the wild, tangled mess that is legacy code. This is a case study of a two-year program, including false starts, funding changes, and a comedy of remediation errors that demonstrates how there isn't always such a thing as a "15-minute fix."

Wendy Nather is a Senior Analyst in the Enterprise Security Practice of the 451 Group, covering application security and security services. She previously served for five years as CISO of a state agency, and before that was Director of IT Security for the EMEA region of one of the largest Swiss banks. Wendy has been an invited speaker at various conferences and has some letters after her name.

Jack of all Formats
Daniel Crowley (@dan_crowley)


File formats are not always rigidly defined, and determining how to process files is not always an easy task. Certain files can be valid examples of multiple formats simultaneously, and files with multiple extensions may not be handled as expected in certain circumstances. Learn how these multiple-format and multiple-extension files can be used to bypass filters, hide malware, and trick anti-virus systems.

Daniel works as a pen tester, trainer, and liaison. He spends most of his free time playing with Web-based technologies. Daniel enjoys rock climbing and travel, and makes a mean chili.

GreyHat Ruby: Ruby for Reverse Engineers, Vulnerability Researchers, and Hackers
Stephen Ridley (@s7ephen)


In this age of techno-fashionability, Ruby is often a buzz word on the lips of "technologists", "technology evangelists" and other digital yentas. For close to 7 years Python has been my personal language of choice for anything "above" C/C++/ASM and "below" .NET and Java. Imagine my surprise when I discovered that there are things that Ruby genuinely does better than Python (although there are still many that it doesn't ;-). This presentation is on the many ways that Ruby has matured and is actually now very useful to the Infosec Professional, from day-to-day tasks to very niche research projects (such as building extensible fuzzing frameworks). The presentation will demonstrate common Python patterns for Infosec Professionals and their Ruby synonyms with considerable focus on specific tasks like writing fuzzers and aiding reverse engineering. As a case study I will be demonstrating Ruxxer2, a private fuzzing framework (written entirely in Ruby and C) that includes its own "Domain Specific Language" for quickly and readably modeling complex protocols. Amongst some of its features are advanced protocol visualizations and the ability to serve as the command and control center for cloud-based "fuzz farms". This includes automated fuzzing via the instrumentation of Linux, Windows, and OSX as well as full instrumentation of most major browsers (Firefox, Safari, and IE). In short: "Ruby is kinda cool now, and let me show you why...."

Stephen A. Ridley is an independent security researcher with more than 10 years of experience in software development, software security, and reverse engineering. Before becoming an independent contractor, Mr. Ridley served as Senior Researcher at Matasano. Prior to that he was Senior Security Architect at McAfee, and before that he worked at a major U.S. Defense contractor supporting the U.S. intelligence communities. He has spoken about reverse engineering and software security at BlackHat, ReCon, EuSecWest, Syscan and others. Mr. Ridley currently lives in Manhattan and frequently guest lectures at New York area universities such as NYU and Rensselaer Polytechnic Institute.

In the land of the blind, the squinter rules
Wim Remes, Ernst & Young (@wimremes)


When preparing for a talk on security monitoring, I was fighting hard to add security visualization in the mix while keeping within my allotted timeslot. Most of the feedback I received afterwards was that there wasn't enough of that in the talk. Security visualization, put on the map by the likes of Raffael Marty who performed groundbreaking work with and the Davix LiveCD, is a subject that most people are interested in but few manage to master. In this talk I will touch on the basics of visualization techniques and dig deeper into the gathering of data to enable attendees to move beyond pie charts and bar graphs. Using mainly Davix and the Google Chart API, I will demonstrate how to make sense of the huge amount of data that comes at security analysts on a daily basis.

Wim Remes is an information security consultant currently working for EY in Belgium. With 13 years of experience in IT, most of those in various security roles, he has spent ample time in noisy server rooms and cosy board rooms. In the past decade Wim has been focusing on incident response and security monitoring. Wim has spoken at events like Excaliburcon 2009, FOSDEM 2010 and Source Barcelona 2010. He's a co-host of the Eurotrash podcast.

Streamline incident types for efficient security incident response
Predrag Zivic, Sr. Security Advisor & Mike Lecky, Manager Information Security Operations, Canadian Tire

Defining security and privacy incidents and incident detection using security tools has quickly become a conundrum of rules and events for security operations. The Information Security Operations group has experienced the same issue and decided to streamline the use of tools, optimize alerting and ensure efficient incident detection processes. The operational security group had implemented a number of security tools that address log consolidation and correlation, configuration monitoring, file integrity monitoring, vulnerability scanning, and intrusion detection and prevention. All these tools produced events, alerts and incidents. To streamline and align all tools, a few steps have been taken. This presentation will demonstrate this practical approach to structuring security and privacy incidents and improving incident response while meeting operational security goals. In addition, this presentation is intended to promote a collaborative approach to building a database of incident detection rules that can be applied to any organization.

Predrag Zivic, CISSP, CISA, ISO is a senior security, compliance and risk advisor with 24 years of related experience. He has advised managers, directors and VPs working for multi-billion-dollar Canadian and international companies.

Mike Lecky has over 25 years of experience with a background designing HA systems in aerospace and consulting for CSE and NSA. He's a security professional with CISSP, CISA, CISM and PMP designations. Presently he manages security operations for the largest retailer in Canada.

Reverse Engineering Flash Files with SWFREtools
Sebastian Porst (@LambdaCube)

Even though Adobe products have been in the spotlight of security vulnerabilities in the last few years, there are barely any tools available for working with Adobe file formats. In 2010 I developed PDF Dissector, the most advanced PDF reverse engineering tool on the market. In 2011 I am trying to repeat this feat with SWFREtools, a collection of open source tools for security researchers to work with SWF files. The SWFREtools contain a complete SWF file parser for other researchers to build their analysis tools on, a GUI that allows one to view SWF files in ways that are useful for security researchers, a tool that tries to isolate the root cause of Flash Player crashes, and a debugger that hooks the Flash player to log what is going on. I will introduce these tools and explain how people can use them for Flash vulnerability analysis.

After finishing his Master's degree in Computer Science in 2007, Sebastian joined zynamics as lead developer of the reverse engineering tools IDE BinNavi, BinCrowd, and PDF Inspector. After four years of working at zynamics, Sebastian moved on to become a vulnerability researcher on a joint project between Microsoft and Adobe to improve the security of Adobe products. Sebastian has been a speaker at various conferences including CanSecWest, SOURCE Barcelona, RECon, and Hack in the Box.

Reversing Obfuscation
Adam Meyers, SRA International

Reverse code engineering of malware is an important step in adversary categorization that can lead to attribution and to defensive tactics for mitigating and remediating an intrusion. Malware authors know this and thus try to make the reverser's job as difficult as possible. The malware author or adversary will use executable packers to slow down the reverser, and increasingly they use a variety of obfuscation techniques to hide key data from the reverser. This presentation will provide attendees with background on the art of obfuscation. Using live demonstrations of both dynamic and static analysis techniques, attendees will become familiar with the various tricks implemented by malware authors to cover their tracks. Attendees will be introduced to some tools written for IDA Pro to help deobfuscate malware and assist in the cat-and-mouse game of reverse code engineering. The session will also demonstrate how to reverse malware to identify command-and-control encryption/obfuscation and apply that to packet captures to decipher what activities the adversary accomplished during the incursion, to aid in remediation and mitigation.

Adam Meyers is the Director of Cyber Security Intelligence for the Offerings and Products Division of SRA International. Mr. Meyers serves as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects. Mr. Meyers provides both technical expertise at the tactical level and strategic guidance on overall security program objectives.

Incursion - From Internet To SCADA, Compromise Case Studies in Pictures
Val Smith, Attack Research & Chris, SecureDNA

We have gathered together a collection of screenshots from real-world break-ins, and used them to tell a story of compromise. These compromises show the progression of an attack originating externally on the Internet and ending at total compromise of SCADA systems, back-end financial transaction processing, and mergers/acquisitions communications. This talk shows the mindset, methods, and actions taken from a real-world attacker's perspective, rather than a pen tester's. The hope is to demonstrate what the 20% of attacks that current security tools don't defend against look like, and why that 20% is what you should be worried about.

Val Smith has been involved in the computer security community and industry for over ten years. He specializes in computer compromise, reverse engineering and malware research.

Chris is a Security Consultant and Researcher with SecureDNA. He specializes in web-based application security and has collaborated with top security researchers and companies. He performs static and dynamic security assessments of applications for organizations across the U.S. and Asia.

How to Isotope Tag a Ghost (or, Methods for Instrumenting Indirect Threats & Impacts)
Allison Miller, PayPal

System owners have problems making effective decisions (investment, design, and operational) when it is so difficult to trace back to the "root cause", "original vulnerability" or source of a particular threat. In some environments (like fraud), the feedback loop is clear, as liability/claim channels are all instrumented. But in most environments, especially shared or interconnected environments, feedback loops are ambiguous. In monitoring system performance, for example, an anomaly may or may not represent a security incident. Clients can be compromised and the host never knows. Credentials can be stolen without the masqueraded party ever being alerted.

In this discussion we will review how other systems have tried to measure non-instrumented activity: situations where the impact is downstream of the root cause or root compromise. Specifically, we will review (publicly released) methods that economists, government, law enforcement, and financial systems have implemented to measure 1) black market activity, 2) fraud, and 3) cash movement, and see whether there are approaches there that could be adopted or adapted for security issues and data.

Allison Miller manages PayPal's Account Risk & Security team, responsible for protecting PayPal customers from fraud. Allison has over 10 years of experience in risk management and security, and currently focuses on leveraging network graph data to improve fraud detection and designing risk controls for new accounts. Miller is active in the security community and presents research on fraud prevention and account security issues regularly to both industry and government audiences, including the ITWeb Security Summit, Black Hat Briefings, SOURCE Conferences (Boston, Barcelona), and RSA. Prior to joining PayPal, Miller was Director of Product and Technology Risk at Visa International.

Panel Topic: Will we EVER be secure?

Moderator: Rob Cheyne, Chief Executive Officer, Safelight Security (@rcheyne)
Panelist: Andrew Jaquith, Chief Technology Officer, Perimeter USA (@arj)
Panelist: David Mortman, Director of Security and Operations at C3, LLC and Contributing Analyst at Securosis (@mortman)
Panelist: Josh Abraham, Security Researcher, Rapid7
Panelist: Josh Corman, Security Analyst, 451 Group

Information security incidents are at an all-time high. We have solutions to many of the known problems, but they often don't get implemented quickly or effectively enough. The result is that many organizations lag far behind their attackers in terms of defense against attacks, both known and unknown.

While we must recognize that we have made significant improvements over the past 10 years, the attackers are still far ahead. This panel will explore the rate of adoption of information security best practices. Are we proceeding at the right pace? Are we sufficiently mitigating risk, or are we taking too many shortcuts that are setting us up for a future disaster? What should our vision be for the next 3-5 years to keep information safe and ensure that the knowledge gap between attackers and defenders doesn't become insurmountable? What should we be doing right now to get there?

The panelists we have assembled are information security thought leaders from a variety of perspectives that represent critical points of view on this topic. This one is not to be missed.

Rob is the CEO of Safelight Security, a leading provider of both instructor-led and computer-based security training. He has 20 years of experience in the information technology field and has been working in information security since 1998. Rob was a co-founder of @stake, where he led and conducted secure architecture and design reviews, secure code reviews, application penetration tests, security assessments, and training for numerous Fortune 500 companies. In his current role at Safelight, he develops innovative methods for teaching information security, and has trained over 12,000 people so far. Rob regularly speaks at security conferences, and frequently presents to the Boston OWASP chapter on a variety of security topics. His specialties are application security architecture and information security training.

Andrew Jaquith brings 20 years of IT and information security experience to Perimeter, most recently as a senior analyst with Forrester Research, where he led team coverage for data, endpoint and mobile security topics. Prior to joining Forrester, he was senior analyst with Yankee Group. Before Yankee, he co-founded @stake, which Symantec acquired in 2004. Before @stake, he held positions at Cambridge Technology Partners and FedEx. He has a BA from Yale.

David Mortman

Joshua "Jabra" Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has extensive IT Security and Auditing experience and worked as an enterprise risk assessment analyst for Hasbro Corporation. Josh specializes in penetration testing, web application security assessments, wireless security assessments, and custom code development. He has spoken at BlackHat, DefCon, ShmooCon, The SANS Pentest Summit, Infosec World, CSI, OWASP Conferences, LinuxWorld, Comdex and BLUG. In his spare time, he contributes code to open source security projects such as the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ. He is frequently quoted in the media regarding Microsoft Patch Tuesday and web application security by ComputerWorld, DarkReading and SC Magazine.

Joshua Corman is the Research Director of the 451 Group's enterprise security practice. Corman has more than a decade of experience with security and networking software, most recently serving as Principal Security Strategist for IBM Internet Security Systems. Corman's research cuts across sectors to the core challenges of the industry, and drives evolutionary strategies toward emerging technologies and shifting economics. Corman is a candid and highly sought-after speaker and has spoken at leading industry events such as RSA, Interop, ISACA, and SANS. His efforts to educate and challenge the industry recently led NetworkWorld magazine to recognize him as one of the top innovators of IT for 2009. Corman also serves on the Faculty for IANS and is a staunch advocate for CISOs everywhere. In 2010, Corman also co-founded – a value-based initiative to raise awareness and usher in an era of secure digital infrastructure.

The 2011 Verizon Data Breach Investigations Report: Exploring the Data

One of the most anticipated annual studies in the Information Security industry is the Verizon Data Breach Investigations Report (DBIR).
This year, the DBIR includes analysis of the data breaches worked by Verizon, the United States Secret Service, and the Netherlands High-Tech Crime Unit. As a result, the 2011 DBIR will be one of the most comprehensive sets of data and analysis ever released.

In this session Alex Hutton, one of the authors for the DBIR, will present this year's data and analysis with the opportunity for questions and answers.

Building Security Integrity Across the Software Supply Chain, Donna Durkin, Computershare
An application security policy is a critical component of an organization's overall Information Management architecture. Whether you are developing software internally or leveraging outsourced code, open source or third-party libraries, it is critical to understand the security posture of your code across the software supply chain. This presentation will feature Computershare's two-fold security policy that integrated security in the SDLC while also leveraging an application security rating system to demonstrate software assurance across the software supply chain.

Secure Development Lifecycle in the Mobile World, Marc French, Iron Mountain
First waterfall, then Agile, now Mobile: is your secure development lifecycle struggling to keep up with the pace of new development? In this session, we will discuss the current challenges with implementing your SDL in this environment and walk through several recommendations to maximize the success of your program.

"I love the smell of FUD in the morning... Smells like..." Birds of a Feather, Josh Corman, The 451 Group

BoF: We live in FUD-tastic times. Nothing helps your hangover and activates the brain for a day of SOURCE awesome-sauce like a good dose of exposing FUD. We'll highlight some of the worst FUD in the last few months and talk about the role(s) FUD plays in our industry. If you don't come, Zombie Squirrel NextGen APTs will eat your kittens and your children (in the clouds).
