SOURCE Boston 2012 - Conference Agenda

Tracks: Application Security | Security & Technology | Business & Security | Special Sessions

Tuesday, April 17

Opening Remarks

Keynote - Josh Corman & Jericho (slides PDF)

ColdFusion for Penetration Testers - Chris Gates, Lares Consulting (slides PDF)
What Permissions Does Your Database User REALLY Need? - Dan Cornell, Denim Group (slides PDF)
Games We Play: Defenses and Disincentives - Allison Miller

Reverse Engineering Mobile Applications - Adam Meyers (slides PDF)
Inside The Duqu Command And Control Servers - Costin Raiu & Vitaly Kamluk, Kaspersky Lab (slides PDF)
Microsoft's Response Process: 10 Years of Hard Knock Learning - David Seidman & Jeremy Tinder

3:50PM-4:30PM Free Time

4:30PM-5:20PM
Successful application security programs in an uncertain landscape - Shyama Rose
SCAP for Everyone: A case study in transforming configurations - Matthew Coles & Dan Reddy, RSA, the Security Division of EMC
SexyDefense - Maximizing the home-field advantage - Iftach Ian Amit, Security Art (slides PDF)

Discussion Group: Secure Outsourcing Success: Best Practices for Minimizing Data Risk - Ilker Taskaya, Axis Technology, LLC
Discussion Group: Using capture-the-flag to enhance teaching and training - Kees Leune, Adelphi University (slides PDF)
Discussion Group: Perspectives of How to Develop a Winning Career in Infosec - Roy Wattanasin

Wednesday, April 18

Tracks: Application Security | Security & Technology | Business & Security | Special Sessions

Opening Remarks

Keynote - Dan Geer (slides PDF)

Covering your *aaS - Cloud Security Case Studies for SaaS, PaaS, and IaaS - Jeremy Westerman
Finding the weak link in Windows binaries - Ollie Whitehouse
Privacy at the Border: A Guide for Traveling with Devices - Marcia Hofmann & Seth Schoen, Electronic Frontier Foundation (slides PDF)

The SAP Platform's Brain: Attacks to SAP Solution Manager - Mariano Nunez Di Croce & Juan Pablo Perez Etchegoyen, Onapsis, Inc
Lessons Of Static Binary Analysis - Christien Rioux, Veracode (slides PDF)
Your PCI Assessor: Best Friend or Worst Enemy? You Choose… - Michelle Klinger, EMC Corporation & Martin Fisher, WellStar Health System (slides PDF)

Android Modding for the Security Practitioner - Dan Rosenberg
PLC/SCADA Vulnerabilities in Correctional Facilities - Teague Newman, Tiffany Rad, Battelle Institute, & John Strauchs, Strauchs LLC
Achievement Unlocked: Designing a compelling security awareness program - Bob Rudis, Liberty Mutual
All aboard the Pwnie Express - Pwnie Express

Mobile Snitch - Devices telling the world about you - Luiz Eduardo & Rodrigo Montoro
Watchtowers of the Internet: Analysis of Outbound Malware Communication - Stephan Chenette & Armin Buescher, Websense (slides PDF)
No Victims: How to Measure & Communicate Risk - Jared Pfost, Third Defense (slides PDF)

Free Time

Voight-Kampff'ing The BlackBerry PlayBook - Zach Lanier, Veracode
Fakebook: Attackers' use of Fake Profiles and Apps - Daniel Peck, Barracuda Networks
Hacking and the Big Bad: legal guide to marginal activities - David Snead, W. David Snead, P.C. (slides PDF)

Scalable, High Performance Packet Capture on Commodity Hardware using Linux 3.2 - Chetan Loke
Incident Detection: MacGyver Style - Ben Jackson, Mayhemic Labs (slides PDF)
Discussion Group (ends at 5:40pm): De-constructing the Cost of a Data Breach - Patrick Florer, Risk Centric Security, Inc. (slides PDF)

Exhibitor Reception - Sponsored by Microsoft

8:00PM-11:00PM Rapid7 Hosted Party

Thursday, April 19

Tracks: Application Security | Security & Technology | Business & Security | Special Sessions

9:00AM-9:50AM
Spyometrics: Privacy Preservation when YOU are the Password - Noah Schiffman
Lessons of the Kobayashi Maru: If You're Not Cheating, You're Not Trying - James Caroland (slides PDF)
Cyber Liability Insurance: Who pays when your data goes missing? - Jake Kouns, Markel Corporation

Advanced SQL Injection with SQLol: The Configurable SQLi Testbed - Daniel Crowley (slides PDF)
How Not to Redo Hard Work during Security Response - Karthik Raman & Manish Pali, Adobe Systems, Inc (slides PDF)
How To Rob An Online Bank And Get Away With It - Mitja Kolsek, ACROS Security (slides PDF)

Free Time

Celebrating Bad Crypto: Lightweight Formal Methods for Making Use of DRM, Obscurity, and Other Useless Techniques - Brian Sniffen, Principal Architect, Akamai Technologies (slides PDF)
Vulnerabilities of Control Systems in Drinking Water Utilities - Infrastructure Security Labs
Pay Attention to Privacy Or Else...? - Jim Rennie

Mobile Exploit Intelligence Project - Dan Guido, Co-Founder & CEO, Trail of Bits & Mike Arpaia, iSEC Partners (slides PDF)
Behind The Scenes: Pwning Satellite/Cable TV - Bruno Oliveira, Trustwave's SpiderLabs
Media Hype in the Information Security Industry - Space Rogue

Speed Debates

3:30PM-4:20PM Now What? Discussion

Closing Activities


Day 1 Keynote - Joshua Corman & Jericho

See the Vanity Fair article: "the two offer what may be the most clear-eyed analysis of the Anonymous phenomenon available anywhere".

TITLE: Anonymous 20/20 : The Beginning is Near

To understand what Anonymous might become by 2020 requires we have clear-eyed 20/20 vision as to where they have been, what they are today, and what is driving their evolution. While few of us have even come to grips with the implications of 2011, it is time to confront the issues.

Anonymous is now a house-hold name. Even with moral infighting, splinter groups, and a potentially devastating brand problem, the group shows no signs of slowing. With over a hundred arrests world-wide, the phenomenon is unlikely to go away. In short, some form of Anonymous is here to stay.

Collectively, we must figure out how to adapt to them morally and practically. If Anonymous evolves as we've explained in our "Building a Better Anonymous" series, society must be ready to handle the good, the bad, and the ugly of these subsequent manifestations. Every action has a reaction, so we must be conscientious and deliberate about how we adapt to the age of Anonymous. Our keynote will begin to address these issues and start the overdue dialogue that is crucial to citizens, InfoSec, law enforcement, and government.

Jericho has been poking about the hacker/security scene for 18 years (for real), building valuable skills such as skepticism and anger management. As a hacker-turned-security mouthpiece, he has a great perspective to offer unsolicited opinion on just about any security topic. A long-time advocate of advancing the field, sometimes by any means necessary, he thinks the idea of 'forward thinking' is quaint (we're supposed to be thinking that way all the time). No degree, no certifications, just the willingness to say things most of the industry is thinking but unwilling to say themselves. He remains a champion of security industry integrity and small misunderstood creatures.

Joshua Corman is the Director of Security Intelligence for Akamai Technologies and has more than a decade of experience with security and networking software. Most recently he served as Research Director for Enterprise Security at The 451 Group, following his time as Principal Security Strategist for IBM Internet Security Systems. Mr. Corman's research cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting economics. His research and education efforts won him the title of Top Influencer of IT by Network World magazine in 2009.

Mr. Corman is a candid and highly-coveted speaker with engagements at leading industry events such as RSA, DEFCON, Interop, ISACA, and SANS.  As a staunch advocate for CISOs, Corman also serves as a Fellow with the Ponemon Institute, on the Faculty for IANS, and co-founded Rugged Software – a value-based initiative to raise awareness and usher in an era of secure digital infrastructure. Corman received his bachelor’s degree in philosophy, graduating Phi Beta Kappa and summa cum laude, from the University of New Hampshire. He resides with his wife and two daughters in New Hampshire.

Corman can be found on Twitter at @joshcorman and on his blog at


Day 2 Keynote - Dan Geer

Dr. Daniel Earl Geer Jr., Sc.D. serves as Chief Information Security Officer at In-Q-Tel. Dr. Geer serves as Principal of Geer Risk Services as well as an entrepreneur, author, scientist, consultant, teacher and architect. He has been a Member of Application Scoring and Responsible Disclosure Focus Team at Veracode Inc. since April 2007. He served as the Chief Scientist Emeritus and Vice President of Verdasys Inc. He served as the Chief Scientist of Verdasys Inc. He served as the Chief Technology Officer of @stake Inc. Prior to @stake, he served as Vice President and Senior Strategist at CertCo. Dr. Geer also served as Director of Engineering at Open Market, Inc. and as Chief Scientist and Vice President of Veritas (formerly, OpenVision Technologies).

Dr. Geer is an expert in computer security and has been recognized as a pioneer in the space for his insight into the critical issues that plague the security industry. He has been featured in publications such as Network World, Search Security and InfoWorld. A renowned expert in the field of network security, Dr. Geer has testified before the House Science Subcommittee on Technology regarding public policy in the age of electronic commerce. Dr. Geer has testified before Congress on multiple occasions and has served in formal advisory roles for the Federal Trade Commission, the National Science Foundation, the Treasury Department, the National Research Council, the Commonwealth of Massachusetts, the Department of Defense, the National Institute of Justice and the Institute for Information Infrastructure Protection. He served as President of USENIX, the advanced computing systems association.

Dr. Geer holds a Sc.D. in Biostatistics from the Harvard School of Public Health and a S.B. in Electrical Engineering and Computer Science from MIT.

Speaker Sessions

Mobile Exploit Intelligence Project, Dan Guido, Co-Founder & CEO, Trail of Bits, LLC (@dguido) & Mike Arpaia, Security Consultant, iSEC Partners, (@mikearpaia)


As organizations look to deploy larger numbers of mobile devices this year, there is widespread disagreement over which platforms are more secure, what mobile security measures are effective, and what the greatest risks of these platforms are. At the same time, the mobile malware community is developing rapidly and several successful attacks have been executed against iOS and Android. In this talk, we demonstrate an intelligence-driven approach to mobile defense, focused on attacker capabilities and methods, with data collected from past remote attacks against Android and iOS. This analysis identifies the means by which exploits are developed and distributed in attacks, separates defenses that work from defenses that don't, and provides analytical tools that attendees can use to objectively evaluate the exploitability of mobile platforms. Finally, we use this empirical data on attacker capabilities to make projections on where mobile malware is headed in the near to long term.

Dan Guido leads the strategic vision for Trail of Bits products and services and manages its day-to-day operations. His most recent research applied intelligence-driven defense to mass malware and demonstrated that, contrary to popular belief, only a very small number of vulnerabilities are used in such massive exploitation campaigns.

Mike Arpaia is a security consultant and researcher at iSEC Partners. Mike's current research interests include mobile device security, cloud infrastructure security and secure protocols.

Covering your *aaS - Cloud Security Case Studies for SaaS, PaaS, and IaaS, Jeremy Westerman

Cloud Security is often treated as a single topic, but in practice it differs widely between SaaS (such as Google Apps), PaaS (such as Amazon's S3 storage as a service) and IaaS (such as Verizon Terramark and VMware vCloud). In this session we look at real-world case studies of these different styles of Cloud deployments, examining the security considerations, and see exactly what security policies were applied. We also discuss technologies such as SAML, API Keys, and OAuth which were used in these solutions.

Jeremy Westerman is the Director of Product Management at Vordel, Inc. and is responsible for the inbound product management functions. Prior to Vordel, Jeremy held product management and marketing positions at TIBCO Software and BEA Systems for BPMS, SOA and EAI products.


Games We Play: Defenses and Disincentives, Allison Miller, Director, Security & Risk, Tagged (@selenakyle)

Practitioners of information security often look to the models and tools provided by economics in order to explain the types of controls that are most effective at limiting the impact of security exposures, ideally deterring attacks completely. For example, the idea that attackers are economically rational is attractive: our resources are limited, so we seek to add controls (friction) where they will be most useful, i.e. making an attack "cost" more than the utility an attacker gets out of launching a successful exploit.

In this session we'll discuss how the application of economic theories has been playing out in the real world, and which ideas are the most important to consider when implementing security controls into a system. In particular we'll discuss some principles of game theory, behavioral economics, and design of incentive structures.

Allison Miller manages the Security and Risk Management team at Tagged, the leading social network for meeting new people. Allison has over 10 years of experience in designing, building and deploying real-time threat detection and prevention systems. Miller is active in the security community and presents research on fraud prevention and account security issues regularly to both industry and government audiences, including the ITWeb Security Summit, Black Hat Briefings, SOURCE Conferences (Boston, Barcelona, Seattle), USENIX/Metricon, and RSA. Prior to joining Tagged, Miller led PayPal's Account Risk & Security team and was Director of Product & Technology Risk at Visa International.

Finding the weak link in Windows binaries, Ollie Whitehouse, Co-Owner, Recx Ltd

The advent of generic memory corruption mitigations in Microsoft Windows and Microsoft Visual Studio means it can be a chore to decide where to spend your effort while still ensuring successful exploitation of any discovered bugs. This talk will discuss how to identify binaries that provide the highest likely return on investment. Alternatively, for those interested not in exploitation but in risk, this talk will show how to identify issues with Windows binaries that are of interest to independent software vendors or end-user organizations who want to gain a base level of assurance that SDLC best practices have been followed, even though source and debug symbols are not available.

Ollie Whitehouse is Co-Owner at Recx Ltd, a niche security consultancy in the United Kingdom. Prior to Recx, Ollie was Manager for Security Research & Assessment in EMEA for Research In Motion's Security Research Group for four years. He is a frequently published author of research on the security of mobile telecommunication networks, mobile devices, and Bluetooth. In addition, he has discovered numerous security vulnerabilities in a wide range of desktop and server applications, including Microsoft's Windows Vista.

ColdFusion for Penetration Testers, Chris Gates, Lares Consulting

ColdFusion is one of those technologies where organizations are either ColdFusion shops or they won't touch it on a bet. Similarly, I find that pentesters have either been exposed to it and have a few tricks to attack it, or not. Aside from common web application issues, ColdFusion can also be attacked at the network level and is many times used to obtain remote access on the host. This talk will cover what ColdFusion is, common ColdFusion issues, finding useful ColdFusion URLs, identifying the specific ColdFusion version and components, and verifying whether common vulnerabilities are present in the ColdFusion server you are targeting. If access to the ColdFusion administrative interface can be obtained, you can perform post-exploitation activities that will typically yield remote access to the operating system supporting the ColdFusion install.

Chris joined LARES in 2011 as a Partner & Principal Security Consultant. Chris has extensive experience in network and web application penetration testing as well as other Information Operations experience working as an operator for a DoD Red Team and other Full Scope penetration testing teams (regular pentesting teams too). Chris holds a BS in Computer Science and Geospatial Information Science from the United States Military Academy at West Point and holds his... one cares anyway. In the past, he has spoken at the United States Military Academy, BlackHat, DefCon, Toorcon, Brucon, Troopers, SOURCE Boston, OWASP AppSec DC, ChicagoCon, NotaCon, and CSI. He is a regular blogger and is also a regular contributor to the Metasploit and wXf Projects.

All aboard the Pwnie Express!

Grep, Awk, and Alias discuss the varied uses of the Pwn Plug penetration testing drop box and Pwn Phone mobile pwnification unit. The team will share some of the exciting new features, favorite use cases, success stories, and technical walk-throughs.


Voight-Kampff'ing The BlackBerry PlayBook, Zach Lanier, Veracode & Ben Nell

The BlackBerry PlayBook is RIM's first (rushed-to-market) jump into the tablet market. By all accounts, this technological investment is laying the groundwork for the next generation of RIM's popular (and reputedly secure) BlackBerry handset. With TabletOS, built on QNX, and a user experience built predominantly on the Adobe AIR platform, the PlayBook quickly caught our eye as a viable platform to research and attack. So, that's just what we did. In this talk, we'll present our top-to-bottom attack analysis of the BlackBerry PlayBook, from the OS, up to the apps, and all the glue in between.

Zach Lanier is a Security Researcher with Veracode. Prior to joining Veracode, Zach served as Principal Consultant with the Intrepidus Group, Senior Network Security Analyst at Harvard Business School, and Security Assessment Practice Manager at Rapid7. Zach likes Android, vegan food, and cats (but not as food).

Reverse Engineering Mobile Applications, Adam Meyers, Security Researcher (@adam_Cyber)

As organizations adopt mobile computing devices to support their mission, adversaries are beginning to change their tools, techniques, and procedures to take advantage of the evolving attack surface. This presentation will explore attack vectors for popular mobile computing devices such as Android, iOS, and RIM. We will explore malware examples culled from the real world and begin to understand how to dynamically and statically analyze the samples to extract intelligence. This presentation will demonstrate analytic tools and techniques that allow the Computer Network Defender to begin to tackle the emerging threat of mobile malware. In addition, topics covered will include acquiring data, countermeasures/mitigations, and network defense tools which can aid in defending the mobile threatscape.

Adam Meyers is the Director of Intelligence for CrowdStrike. In this role he oversees the team's daily activity, and provides direction and strategic vision for the company's intelligence collection, reverse engineering, and analysis efforts. He also serves as a senior security researcher, focusing on reverse engineering targeted malware threats, mobile malware and related technologies. Previously he was the Director, Cyber Security Intelligence with the National Products and Offerings Division of SRA International. In that role Mr. Meyers served as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects. Mr. Meyers provided both technical expertise at the tactical level and strategic guidance on overall security program objectives. Mr. Meyers also acted as the product manager for SRA Cyberlock, a dynamic malware analysis platform.


Advanced SQL Injection with SQLol: The Configurable SQLi Testbed, Daniel Crowley, Application Security Consultant, Trustwave-Spiderlabs (@dan_crowley)

SQL Injection is a very dangerous vulnerability, and in nearly every imaginable scenario, data extraction is possible through a variety of techniques. Before SQLol, vulnerability testbeds for SQL injection flaws allowed only for basic blind and informed SQL injection scenarios, requiring advanced SQL injection exploitation to be learned in real-world testing or on privately created testbeds. This workshop will teach you how to perform SQL injection attacks using SQLol, from basic to exotic. Come learn how to use SQLol to recreate real-world SQLi scenarios, learn new techniques, become acquainted with automated SQL injection tools, or even develop new techniques for exploiting SQL injection flaws.

Daniel is an Application Security Consultant for Trustwave's SpiderLabs team. He has been working in information security for over seven years and has been focused on penetration testing. Daniel is particularly interested in vulnerabilities caused by failure to account for little known or undocumented properties of the platforms on which applications run. He especially enjoys playing around with Web apps and physical security. Daniel is also a rock climber and makes a mean chili.

Spyometrics: Privacy Preservation when YOU are the Password, Noah Schiffman, Security Researcher

The convergence of pervasive computing, social networking, location-based services, and biometric security seeks to enhance the digital usability of our environment. Biometric authentication creates a new layer of critical and irrevocable personally identifiable information (PII). Developments in biometric systems, advances in sensors, and improved recognition algorithms make it possible to remotely capture and collect human traits, a means of biometric surveillance. The constant acquisition, aggregation, and multi-modal fusion of personal data create numerous vulnerabilities to personal privacy. When combined with dataveillance, threats of re-identification, inferential linkage analysis, and deductive disclosure have become more consequential. A rising number of organizations are faced with adopting Privacy Enhancing Technologies (PET) for securely managing biometric information. This presentation will address current biometric systems, their vulnerabilities, and the security challenges posed by their deployment. In addition, it will discuss the importance of private information retrieval and PET implementations for biometric system integration.

With 20+ years of industry experience, Noah Schiffman is a former hacker turned security consultant, specializing in pen-testing, threat assessment, and security integration. With degrees in cognitive psychology and mechanical engineering, he has worked on designing authentication/access control systems and improving security usability. After receiving a doctorate in medicine, his research and development have encompassed biometric technologies and medical device security. He is currently an independent consultant and the CSO of a defense contractor.


Mobile Snitch - Devices telling the world about you, Luiz Eduardo, Director, SpiderLabs LAC, Trustwave (@effffn) & Rodrigo Montoro, Security Researcher, Trustwave's SpiderLabs (@spookerlabs)

In the past few years, we have not only seen significant growth in the use of mobile devices, but it is also not uncommon to see people using more than one mobile device at the same time. The nature of mobile WiFi device operation, combined with a lack of user awareness, could let someone learn not only things about your life (where you've been, where you work) but even who you are. This presentation will cover the proof-of-concept for Mobile Snitch, which automatically gathers information about these devices once on the same network, with the goal of pinpointing who that person in that network (or room, coffee shop, etc.) is, based on the use of certain protocols and device operation/configuration.

Luiz Eduardo has 20 years of experience in network security, especially WiFi. He has designed wireless infrastructure for, and spoken at, top-level security conferences around the globe. At Trustwave, Luiz leads SpiderLabs in the LAC region.

Rodrigo "Sp0oKeR" Montoro has 13 years of experience deploying security software (firewalls, IDS, IPS, HIDS, SIEM). At Trustwave, Rodrigo works in the SpiderLabs Research division, where he focuses on IDS/IPS/ModSecurity rules and new detection research (PDFScore & HTTP Header Hunter).


The SAP Platform's Brain: Attacks to SAP Solution Manager, Mariano Nunez Di Croce, CEO, (@marianonunezdc) & Juan Pablo Perez Etchegoyen, CTO, Onapsis, Inc

Global Fortune 1000 companies, large governmental organizations and defense entities have something in common: they rely on SAP platforms to run their business-critical processes. In this scenario, cyber-criminals looking to perform espionage, sabotage or financial fraud attacks know that these systems are keeping the business crown jewels. In all SAP implementations there is a special system which acts as the "brain" of the platform: the SAP Solution Manager. Using proprietary interfaces and protocols, the Solution Manager connects to and manages all the "satellite" SAP systems of the implementation (ERP, CRM, etc.). Therefore, if an attacker compromises the SolMan, the game is over. This talk presents novel attack vectors that a malicious hacker may abuse to break into the SAP Solution Manager, which would result in a total compromise of the SAP implementation, and what you need to do in order to mitigate these threats in your organization.

Mariano Nunez Di Croce is the CEO at Onapsis. He is a renowned researcher in the ERP & SAP security fields, and was the first to present on security threats to SAP platforms. He has lectured at conferences such as BlackHat and RSA, and has been featured by the media.

Juan Pablo Perez Etchegoyen is the CTO at Onapsis. He leads the innovative ERP security research at the Onapsis Research Labs and has presented at BlackHat, HITB and Ekoparty.


Android Modding for the Security Practitioner, Dan Rosenberg, Senior Security Consultant, VSR (@djrbliss)

After getting involved in the Android rooting scene, I observed that there is a disconnect between the community interested in "modding" (modifying) their devices and those looking at Android from a security practitioner's perspective. In this talk, I will provide technical details on many key concepts in the modding world, including rooting, locked/unlocked bootloaders, S-ON/S-OFF, fastboot, ROM flashing, and various other techniques. We'll look at real examples of vulnerabilities and exploits used to root and unlock Android phones, and I'll share several techniques that I contributed to the modding community. There will be an emphasis on what we as security practitioners can learn from the modding community, what they can learn from us, and how Android modding affects both the hobbyist user and enterprise Android deployment.

Dan is a security consultant and vulnerability researcher at VSR, where he performs application and network penetration testing, conducts code reviews, and identifies vulnerabilities in third-party software. His current research interests include exploit development, kernel hardening, and mobile security.


Behind The Scenes: Pwning Satellite/Cable TV, Bruno Oliveira, Security Consultant, Trustwave's SpiderLabs (mphx2)

For several years, in countries like Brazil, satellite and cable TV services were not accessible to much of the population, mostly due to high cost. In the past few years, however, several "alternative options" have been released onto the (black) market. The new "low-cost providers" are basically a jumble of homemade and hacked hardware, which makes them quite interesting from a technical perspective. These alternative vendors even provide firmware updates and support, and make up a surprisingly large portion of the market. Hacks against these systems range from gaining more channels on cable TV (to extend "basic" plans, for example) to faking authentication on satellite TV systems. This presentation will cover how satellite/cable TV systems work, how their security controls are being circumvented, and how people are obtaining the necessary equipment.

Bruno Oliveira is a member of Trustwave's SpiderLabs, the advanced security team focused on penetration testing, incident response, and application security, where he conducts penetration tests for premier clients. He has spent over 10 years having fun with security, always focused on offensive tasks and trying to find different, better and more elegant ways to attack systems; part of this work has become talks at security conferences such as BlackHat, DEFCON, Toorcon, SOURCE, HITB, YSTS and H2HC.

PLC/SCADA Vulnerabilities in Correctional Facilities, Teague Newman, Network Security Consultant (@teaguenewman), Tiffany Rad, Security Researcher, Battelle Institute (@tiffanyrad), & John Strauchs, Principal, Strauchs LLC (@strauchs)

Many prisons and jails use SCADA systems with PLCs to open and close doors. Using original and publicly available exploits, along with evaluating vulnerabilities in electronic and physical security designs, Newman, Rad and Strauchs have discovered significant vulnerabilities in PLCs used in correctional facilities, being able to remotely flip the switches to "open" or "locked closed" on cell doors and gates. This talk will evaluate and demo SCADA system and PLC vulnerabilities in correctional and government secured facilities while recommending solutions.

Tiffany Rad BS, MA, MBA, JD
Professor at University of Southern Maine, Security Researcher at Battelle Institute

John Strauchs M.A., C.P.P.
Physical Security Expert

Teague Newman
Penetration Tester, Security Researcher


Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher

With advanced malware, targeted attacks, and advanced persistent threats, it's not IF but WHEN a persistent attacker will penetrate your network and install malware on your company's network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware.

Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience unprecedented exposure to the details of malicious outbound communication. We will provide several tips, based on our analysis, to help you create a safer and more secure network.

Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques.

Armin Buescher is a Security Researcher and Software Engineer experienced in the strategic development of detection/prevention technologies and analysis tools. He graduated as Dipl.-Inf. (MSc) with a thesis on client honeypot systems. He is interested in academic research work and is a published author of security research papers.


Inside the Duqu Command and Control Servers, Costin Raiu, Director, Global Research & Analysis Team, Kaspersky Lab, and Vitaly Kamluk, Chief Malware Expert, Global Research & Analysis Team, Kaspersky Lab

When the Stuxnet worm was initially discovered in June 2010, it looked like yet another piece of computer malware aimed at causing damage to infected computers. However, as security companies took Stuxnet apart, there was a startling discovery that this was a one-of-a-kind cyber-weapon. In particular, Stuxnet contained a number of sub-routines designed to compromise a very specific industrial system which, according to an ISIS report (*1), was "the IR-1 centrifuges at the Fuel Enrichment Plant (FEP) at Natanz" in Iran.

By September 2011, when the Duqu Trojan was discovered by the Hungarian research lab CrySyS, it became obvious that this new malware was related to Stuxnet and might actually be the work of the same attackers. The similarities were striking, and ongoing analysis shows that Stuxnet and Duqu were both aimed at the same target -- Iran's nuclear power program. Millions of dollars were invested in the development of Stuxnet, and it did its job successfully -- destroying a large batch of IR-1 centrifuges. The purpose of Duqu, which surely had funding comparable to Stuxnet's, is hazier.

From the forensics analysis we have done at Kaspersky, we can say the targets for Duqu can be split into three categories:

  1. Certificate authorities / cryptographic providers
  2. Industrial equipment providers and shipping networks
  3. Research institutes and power-related organizations

Stuxnet and Duqu represent the high end of cyber weapons and the first public confirmation of an emerging cyber war. Although the identity of the attackers remains unknown, several researchers have pointed to the U.S. and Israel as the most likely parents.

To steal information, Duqu relied on a solid C&C infrastructure based on hacked CentOS Linux servers. We got the chance to analyze not one, but multiple Duqu command and control servers. In this presentation we will show:

  1. How the attackers used the command and control servers
  2. Which servers were used – India, Belgium, Netherlands, Vietnam, etc…
  3. How the servers were hacked (the OpenSSH 4.3 0-day exploit?)
  4. Mistakes made by the Duqu hackers
  5. Unsolved mysteries related to Duqu

Costin joined Kaspersky Lab in 2000 as a leading Antivirus Researcher. Prior to becoming Director of the Global Research & Analysis Team in 2010, Costin was Head of the Romanian R&D group, overseeing research efforts in the EEMEA region. Costin specializes in malicious websites, browser security and exploits, e-banking malware, enterprise-level security and Web 2.0 threats. Costin also has a particular interest in encryption and advanced mathematics. Costin is based in Romania.

Costin has extensive experience in antivirus technologies and security research. He is a member of the Virus Bulletin Technical Advisory Board and a reporter for the Wildlist Organization International. Prior to joining Kaspersky Lab, Costin worked for GeCad as one of their Chief Researchers and as a Data Security Expert with the RAV antivirus developers group.

Vitaly joined Kaspersky Lab in 2005 as an Infrastructure Services Developer for the Antivirus lab. In 2008, he was appointed to the position of Senior Antivirus Expert before becoming Director of the EEMEA Research Center in 2009. Vitaly spent a year working in Japan as a Chief Malware Expert, leading a group of local researchers. He specializes in threats focusing on global network infrastructures, malware reverse engineering and cybercrime investigations.

Prior to joining Kaspersky Lab, Vitaly worked as a software developer and system administrator.

Vitaly is a graduate of the Belarusian State University.


Privacy at the Border: A Guide for Traveling with Devices, Marcia Hofmann, Senior Staff Attorney & Seth Schoen, Senior Staff Technologist, Electronic Frontier Foundation

A series of unfortunate court decisions allows border agents to search travelers' laptops, mobile phones, and other digital devices without limitation at the United States border. These searches are relatively rare, but they could become more routine as sophisticated computer forensics becomes cheaper. How can international travelers protect themselves when they enter the United States?  Seth Schoen and Marcia Hofmann of the Electronic Frontier Foundation will provide a clear, up-to-date, and thorough overview of this issue for all travelers to the U.S., as published in their recent white paper, "Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices." This presentation combines legal and technical perspectives, discussing the legal situation international travelers face when entering or leaving the United States, as well as various ways travelers can safeguard electronic devices and digital information at the border.

Marcia Hofmann is a senior staff attorney at the Electronic Frontier Foundation, where she works on a broad range of digital civil liberties issues including computer security, electronic privacy, and free expression.

Seth Schoen is a Senior Staff Technologist at the Electronic Frontier Foundation, where he helps other technologists understand the civil liberties implications of their work, EFF staff better understand the technology related to EFF's work, and the public understand what technology really does.


Fakebook: Attackers' use of Fake Profiles and Apps, Daniel Peck, Security Researcher (ramblinpeck), Barracuda Networks

Likes, News feeds and Apps have helped lead Facebook to its social network dominance, and now attackers are harnessing those same features to efficiently scale their efforts. Fake profiles and apps give a long-lived path for continuously presenting malicious links and malware. Fake profiles are also dangerous because researchers have shown how friending malicious accounts can lead to account takeover through Facebook's trusted-friend account recovery. We have conducted a five-month analysis involving several thousand fake profiles to determine features and patterns that distinguish them from real users, and have created a feature-based heuristic engine to tell real users from fake profiles. In this talk, we discuss the scale and nature of these fake account networks, show why the security community should care by laying out the risks they create, and finally present approaches to detecting fake profiles using a feature-based approach, highlighting some unexpected features.

Peck is a research scientist and data junkie at Barracuda Networks. He is currently focused on studying uses of social networks as a medium for attacks. Previous research includes comparing content and non-content based systems to identify malicious accounts on Twitter/Facebook, exploiting programmable logic controllers, and identifying/classifying malicious JavaScript with the tool he co-authored, CaffeineMonkey. Peck has a Bachelor of Science in Computer Science from the Georgia Institute of Technology.


Lessons of the Kobayashi Maru: If You're Not Cheating, You're Not Trying, James Caroland

Every day security professionals face off against adversaries who do not play by the rules. However, at every turn in life we are taught to never... ever... cheat. Traditional information security education and training programs further compound the problem by forcing students to behave in a flawlessly ethical manner else face expulsion and castigation. In our work, we have been teaching people to cheat. As the Kobayashi Maru taught us, it is only by stepping outside the rules of the game that we can truly succeed against no-win scenarios, and today much of information security is a no-win scenario. This talk will cover how to foster creativity and cultivate an adversary mindset through carefully structured classroom cheating exercises. I'll cover dozens of techniques and show you the best of the students' work from writing answers on ceiling tiles to engraving answers on a watch to creating a false book cover for Little Brother X. I'll also cover the underlying security principles, lessons, and countermeasures that we learned in the process. You'll leave the talk with a better appreciation for the importance of "cheating."

James Caroland is a Navy Information Warfare Officer, member of the US Cyber Command, and an adjunct Associate Professor in University of Maryland University College's Cybersecurity Program.


What Permissions Does Your Database User REALLY Need? Dan Cornell, CTO and Principal, Denim Group (@danielcornell)

Attaching web applications to databases as “sa” or “root” might be easy but it is also a horrible idea. This presentation provides a methodology as well as tools to create fine-grained database user permissions based on application-specific requirements. The negative impact of permissive database user account permissions is demonstrated alongside the potential benefits of constrained database user access. Tools for the automated creation of security-role-specific MySQL user permission policies will be demonstrated and these will be used as a model for making “least privilege” database accounts a standard practice in web application deployment.
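One way to derive such a least-privilege policy, as an added example that is not Denim Group's tool: a Python script that reads statements captured from the application's query log, works out which privilege each table actually needs, and renders table-scoped MySQL GRANT statements in place of GRANT ALL PRIVILEGES ON *.*. The sample statements, database name, account name and host mask are constructed for the example; the regex parsing covers only plain SELECT/INSERT/UPDATE/DELETE and deliberately refuses anything else.

```python
import re
from collections import defaultdict

# Constructed sample of statements pulled from the application's query log (not real data)
QUERY_LOG = [
    "SELECT id, email FROM users WHERE id = 42",
    "SELECT o.id, o.total FROM orders o JOIN users u ON u.id = o.user_id WHERE u.id = 42",
    "INSERT INTO orders (user_id, total) VALUES (42, 19.99)",
    "UPDATE users SET last_login = NOW() WHERE id = 42",
    "DELETE FROM sessions WHERE expires < NOW()",
]

IDENT = r"`?([A-Za-z_][A-Za-z0-9_]*)`?"
FROM_JOIN_RE = re.compile(r"\b(?:FROM|JOIN)\s+" + IDENT, re.I)
INSERT_RE = re.compile(r"\bINSERT\s+(?:IGNORE\s+)?INTO\s+" + IDENT, re.I)
UPDATE_RE = re.compile(r"^\s*UPDATE\s+" + IDENT, re.I)
DELETE_RE = re.compile(r"^\s*DELETE\s+FROM\s+" + IDENT, re.I)
WHERE_RE = re.compile(r"\bWHERE\b", re.I)


def derive_privileges(statements):
    """Map each table to the smallest set of MySQL privileges the observed statements need."""
    privs = defaultdict(set)
    for stmt in statements:
        verb = stmt.strip().split(None, 1)[0].upper()
        # MySQL also needs SELECT on the table to evaluate the WHERE clause of an UPDATE/DELETE
        reads_rows = WHERE_RE.search(stmt) is not None
        if verb == "SELECT":
            for table in FROM_JOIN_RE.findall(stmt):
                privs[table].add("SELECT")
        elif verb == "INSERT":
            privs[INSERT_RE.search(stmt).group(1)].add("INSERT")
            for table in FROM_JOIN_RE.findall(stmt):      # INSERT ... SELECT reads other tables
                privs[table].add("SELECT")
        elif verb == "UPDATE":
            table = UPDATE_RE.search(stmt).group(1)
            privs[table].add("UPDATE")
            if reads_rows:
                privs[table].add("SELECT")
        elif verb == "DELETE":
            table = DELETE_RE.search(stmt).group(1)
            privs[table].add("DELETE")
            if reads_rows:
                privs[table].add("SELECT")
        else:
            # DDL, SHOW, stored-procedure calls etc. are not guessed at; a human decides
            raise ValueError(f"unhandled statement, review by hand: {stmt}")
    return {table: set(p) for table, p in privs.items()}


def render_grants(privs, database, user, host):
    """One table-scoped GRANT per table: the replacement for connecting as root / sa."""
    return [
        f"GRANT {', '.join(sorted(p))} ON `{database}`.`{table}` TO '{user}'@'{host}';"
        for table, p in sorted(privs.items())
    ]


if __name__ == "__main__":
    # Before: GRANT ALL PRIVILEGES ON *.* TO 'app'@'%'   (what "connect as root" amounts to)
    # After:  the minimal, table-scoped grants below
    for line in render_grants(derive_privileges(QUERY_LOG), "shop", "shop_app", "10.0.0.%"):
        print(line)
```

Run it against the complete general log of a full regression run, not a handful of requests, then switch the application to the new account and watch the error log for "command denied" failures; anything the log missed surfaces there rather than in production. Subqueries, views and stored routines need a real SQL parser or MySQL's own privilege checks, which is why the script refuses what it does not understand instead of guessing.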

Dan Cornell has over twelve years of experience architecting, developing and securing web-based software systems. As a Principal of Denim Group, he leads the organization's technology team overseeing methodology development and project execution for Denim Group's customers. He also heads the Denim Group application security research team, investigating the application of secure coding and development techniques to the improvement of web based software development methodologies.


Successful Application Security Programs in an Uncertain Landscape, Shyama Rose, Security Program Manager, Veracode

It is not news that threats in the application security landscape are changing rapidly. The security focus in the enterprise is evolving along with it. But secure development methodologies haven’t kept up. Large enterprises with rapidly evolving development practices often pay little to no attention to security at all. And when they do, they find that standardized frameworks are antiquated, processes are too heavy-handed, and neither fits the enterprise. So they create light-touch, ineffective programs so as not to overload the business.

This presentation fills the gap between over-burdensome antiquated and light-touch ineffective programs by showing how to effectively design and apply strategic programs for complex organizations.

Shyama Rose is a Security Program Manager at Veracode where she employs a holistic, threat-focused approach to design and apply security programs for complex organizations in the Fortune 100. She authored the Center for Internet Security's Microsoft IIS 5.0/6.0 and Microsoft Office 2007 Security Guidance Benchmarks as well as contributed to the Microsoft SharePoint Server Guidance Benchmark. This Spring, she will be lecturing on Security Program Management in NYU Poly's Application Security course.


Cyber Liability Insurance: Who pays when your data goes missing? Jake Kouns, Director, Cyber Security and Technology Risks Underwriting, Markel Corporation

No matter the security controls that may or may not be in place, data breaches continue to occur at an alarming rate. Regardless of what you believe the cost per record of a data breach is, the bottom line is that no one can deny the potentially devastating financial impact on an organization. Yet most information security professionals seem more willing to buy insurance for their latest and greatest tech gadget than to truly consider purchasing Cyber Liability insurance to transfer a portion of their risk. This session will provide a behind-the-scenes look into Cyber Liability insurance and help you decide whether this coverage is right for your organization.

Mr. Kouns is responsible for the Enterprise Information Security Program at Markel as well as the management of its Cyber Liability insurance products. He has broad responsibility for all aspects of the products, including the development of underwriting guidelines, pricing, risk analysis, claims oversight, training and marketing initiatives, and risk management services for policy holders. Mr. Kouns is also the co-founder and CEO of the Open Security Foundation.


Microsoft’s Response Process: 10 Years of Hard Knock Learning, David Seidman, Senior Security Program Manager, Microsoft (@msftsecresponse) & Jeremy Tinder, Security Program Manager, Microsoft

The Microsoft Security Response Center has been reacting to security vulnerabilities and incidents for more than 10 years, and we’ve learned a few things along the way. In this presentation, we’ll pull back the curtain and walk you through the formal processes and informal guidelines that we use to handle hundreds of vulnerability reports every year, and we’ll help you apply these lessons to your own organization. When you leave this presentation, you’ll have a better understanding of Microsoft’s decision-making process and you’ll be able to greatly improve your organization’s own response processes. You’ll also learn how your organization can add capabilities as you grow. This content is focused on responding to software vulnerabilities in software developed by your organization. If you write code, the day will eventually come when you need to respond to a security issue. Learn from our experience and get your response right the first time!

David Seidman is a Senior Security Program Manager on the Microsoft Security Response Center Software Security Incident Response team. Prior to working at the MSRC, David managed development of Microsoft Office security updates and service packs.

Jeremy Tinder is a Security Program Manager at the Microsoft Security Response Center. Prior to working at the MSRC, Jeremy was an independent security consultant teaching ethical hacking classes between helping businesses secure their networks.


Media Hype in the Information Security Industry,  Space Rogue, Threat Intelligence Manager, Trustwave, (@spacerog)

Media will often report 'hacks' that either never actually happened or have extremely flimsy evidence. These 'hacks' became major news stories through media hype while the reality is seldom reported at the same level. This talk will closely examine several examples of such stories and closely compare the hype with the reality. Close attention will be paid to the media’s role in presenting these stories and how the stories morphed from purely circumstantial to quoted facts. We will examine the structure of a hyped story so that it can be easily identified and discuss methods to combat the hype.

Space Rogue is widely sought after for his unique views and perceptions of the information security industry; he has testified before Congress and has been quoted in numerous media outlets.  Space Rogue was an early member of the security research think tank L0pht Heavy Industries and helped co-found the Internet security consultancy @Stake. He created the widely popular Hacker News Network, which, not once but twice, became a major resource for information security news.


How To Rob An Online Bank And Get Away With It, Mitja Kolsek, CEO, ACROS Security, (@mkolsek)

Let’s face it: Online robbers can only steal so much from individual banking customers. The more ambitious ones must therefore upgrade their modus operandi to directly target the banks, where they can take as much as they want in a single swing.  This presentation will reveal future attacks against online banks. We’ll show how e-bank robbers of tomorrow will approach their targets, hide their reconnaissance work and attacks, cloak their identities and retrieve the stolen funds. As a bonus, you will see how a frequent error in online banking applications allows users to make serious profits on simple automated operations – without ever breaking the law.  The attacks presented will be a mix of surprising triviality and devious cleverness, leaving the audience slightly worried about the fragility and vulnerability of today’s financial systems.  Bank robbers are kindly asked not to attend.

In over 13 years of security addiction, Mitja has perforated an array of business-critical products, computer systems and protocols by leading software vendors, searching for atypical vulnerabilities and effective ways of fixing them. His passion is security research, discovering new types of security problems, such as “session fixation”, and new twists on the known ones, such as “binary planting”.

No Victims: How to Measure & Communicate Risk, Jared Pfost, CEO, Third Defense, (@jaredpfost)

No Victims Allowed. We’re not talking about consumers, we’re talking about security pros who think business leaders don’t understand infosec risk or provide sufficient resources to manage it. This session presents a case study on techniques security pros can use to stop feeling sorry for themselves: measuring and communicating risk. We’ve been working on identifying a population of outcome-based metrics that matter to business owners, metrics that track reduced incidents and provide visibility into actual vs. expected operational performance. We’ll share examples of how to communicate risk priorities to drive spending decisions. We’ll show examples of communicating single-event risks, e.g. SQLi to dump records, and multiple-event scenarios, e.g. social engineering -> custom malware -> access management -> data egress. The result is executive leadership who understand the expected outcomes of their spending decisions and a security team who take pride in having facilitated an evidence-based risk decision.

Jared brings 17 years of infosec experience to Third Defense, which he co-founded on the belief that effective management, not more technology, is the key to managing risk. Jared's career combines working in IT security teams and consulting with designing and shipping software across startups, banking, and technology. Jared is a self-proclaimed process nut and has demonstrated that you don't need unlimited resources to run a measurable, accountable, and effective security shop.


Achievement Unlocked : Designing a compelling security awareness program, Bob Rudis, Director, Enterprise Information Security & Compliance, Liberty Mutual (@hrbrmstr)

Security professionals can be heard saying "security is everyone's responsibility", yet they often expect users to go through the equivalent of an automobile manual and a 1950s drivers' education course to learn what they need to do their part in securing the business. At the other extreme, many organizations have an actual policy-level requirement for workers to undergo yearly training, but a 15-minute CBT and canned quiz will hardly provide the necessary tools and fundamentals for staff to help co-defend the business.  This talk will demonstrate, via practical, proven examples, what can be done to create a security awareness program that is creative, compelling, continuous and customized to reach all levels of the organization.  It will also introduce topics including how to use 'gamification' to foster a competitive learning atmosphere and how to most effectively use internal social media to build an "always on" awareness atmosphere.

Never far from his 'shield' avatar or Twitter client, Bob has over 20 years of experience building solutions for & defending Fortune 100 enterprises across a wide spectrum of industry sectors. When not quantifying risk and keeping QSAs at bay, Bob can be found hacking out culinary creations in the kitchen, cranking out miles on his bike or finding more things to control & measure with his Arduino.


Lessons Of Static Binary Analysis, Christien Rioux, Chief Scientist, Veracode (@dildog)

Ever wanted to know more about how static binary analysis works? It's complicated. Ever wanted to know how C++ language elements are automatically transformed? The high-level overview of how machines analyze code for security flaws is just the beginning. In this talk we'll be delving into the gritty details of the modeling process.

Christien Rioux, co-founder and chief scientist of Veracode, is responsible for the technical vision and design of Veracode's advanced security technology. Working with the engineering team, his primary role is the design of new algorithms and security analysis techniques.


Pay Attention to Privacy Or Else...?   Jim Rennie, Sr. Compliance Analyst , TRUSTe, (@falconred)

While everyone rightly pays attention to online security, tech companies have been ignoring the growing drum-beat coming from regulators. Company after company is being subjected to fines, audits, and increased government scrutiny by the FTC because they fail to protect users' privacy.  This talk will cover the well-known cases of Google, Twitter, and Facebook, as well as lesser-known companies who have incurred the FTC's wrath. If that's not enough, wait until you hear about what the EU is up to.  The number of these regulatory actions and settlements will only increase in 2012. Learn from the mistakes of others and don't let it happen to you and your company!  It's time to stop being worried only about security, and start paying attention to privacy.

Jim Rennie is an attorney, with experience in privacy law, criminal defense, and software development. He currently does things like research EU data privacy protection regulations and analyze mobile app data flows. He has spoken at many conferences over the years about the intersection of law and technology.


Your PCI Assessor: Best Friend or Worst Enemy? You Choose…, Michelle Klinger, Sr. Consultant, EMC Corporation (@diami03) & Martin Fisher, Director of Information Security, WellStar Health System (@armorguy)

This is not a talk about how having to undergo a PCI assessment sucks. No more PCI horror stories about how horrible QSAs are, how dumb checklist security is, and how users are the utter bane of our infosec existence. This talk will discuss the right and wrong way to go about undergoing a PCI assessment because you have to go through it. The discussion will include perspective from a CISO & former QSA on the do’s and don’ts when deciding what to do when you have to have a PCI assessment performed.  So – if you want to come to a talk that simply rags on PCI/compliance you’ll need to see a different track. If you have “resigned yourself to your fate” and are trying to find ways to make the best of the situation you find yourself in – this is the talk for you.

Michelle Klinger is a Sr. Consultant for EMC Consulting with over 10 years of IT experience. Her security experience includes review and creation of security policies, performing security assessments, and security process improvement.

Martin Fisher is the Director of Information Security for a large Atlanta area healthcare system. He has over 20 years of experience in the information technology space with the last 7 years focused on information security.


SexyDefense - Maximizing the home-field advantage, Iftach Ian Amit, VP of Consulting, Security Art (@iiamit)

Offensive talks are easy, I know. But the goal of offensive security at the end of the day is to make us better defenders. And that's hard.  Usually after the pentesters (or worse, the red team) leave, there's a whole lot of mess: vulnerabilities, exposures, threats, risks and wounded egos. Now comes the money time: can you fix this so your security posture will actually be better the next time these guys come around?  This talk focuses mainly on what should be DONE (note: not what should be BOUGHT; you probably have most of what you need already in place and just don't know it yet).  Methodically, defensively, decisively. Just like the red team can play ball cross-court, so should you!

With over a decade of experience in the information security industry, Iftach Ian Amit brings a mixture of software development, OS, network and Web security expertise as Vice President Consulting to the top-tier security consulting firm Security-Art. Prior to Security-Art, Ian held senior management roles at security companies Aladdin and Finjan. Ian has also held leadership roles as founder and CTO of a security startup in the IDS/IPS arena, and a director at Datavantage. Ian is also a founding member of the PTES, and the founder of the local DefCon group in Tel-Aviv, Israel.


Vulnerabilities of Control Systems in Drinking Water Utilities, John McNabb, Principal, Infrastructure Security Labs (@Number0006)

The control systems of public drinking water utilities are vulnerable to attack by malicious hackers. This has been shown through several penetration tests and studies, and recently gained national attention through the purported (but non-existent) attack on an Illinois public drinking water utility in November 2011. This talk will examine the vectors of attack on the IT systems of a drinking water utility, their vulnerabilities, proposed defensive measures, and the potential consequences of an attack. The control systems, including the programmable logic controllers (PLCs) and the human-machine interface (HMI), will be described. The talk will discuss the many institutional, cultural, and financial obstacles to ensuring that the national public drinking water infrastructure is adequately protected from cyber-attacks. The current threat environment of the national drinking water infrastructure will be discussed along with existing programs to address those threats, followed by a discussion of what more needs to be done.

John McNabb is Principal of InfraSec Labs, where he conducts research on the security of the drinking water infrastructure. He has presented papers on that subject at Defcon and Black Hat. He was an elected Water Commissioner for a small drinking water utility for 13 years. John has published several papers on drinking water infrastructure and recently wrote a chapter on drinking water security for the book, Weapons of Mass Destruction and Terrorism, 2nd Ed.


Hacking and the Big Bad: legal guide to marginal activities, David Snead, Attorney + Counselor, W. David Snead, P.C. (@wdsneadpc)

Security is about boundaries. Good security practices push these boundaries. This talk begins with an analysis of how boundary pushers, whose motives are good, bad and debatable, create law. Based on this analysis, those engaged in a thoughtful security practice can get essential guidance on how to structure their relationships with groups and employees who claim to enhance the security of their business. Attendees will receive real-world guidance on how to structure contracts, work with those whose past activities might disqualify them from jury duty, and deal with third parties who view your activities as security problems in themselves.

David Snead is an attorney in private practice in Washington. His practice focuses exclusively on representing companies and other entities active in the internet infrastructure. In his 17 years in this area, he has represented these companies both in-house and as outside counsel. He has clients in over 20 countries.

SCAP for Everyone: A case study in transforming configurations, Matthew Coles, Principal Software Security Engineer  & Dan Reddy, Senior Consulting Product Manager, RSA, the Security Division of EMC

How can a customer understand the configuration of products as they are configured to run on major technology platforms? How can products (applications or appliances) leverage and provide machine readable security configuration information? This session will begin with a brief introduction to the Security Content Automation Protocol (SCAP) set of standards and highlight key benefits for ISVs adopting SCAP. A case study will be presented to show how to transform elements of a prose security configuration guide into machine readable content for the NIST Checklist Program, and the lessons learned in completing this effort.

Matthew Coles is a Security Engineer in the EMC Product Security Office driving security practices enabling secure products, and is active in SAFECode and CWE/SANS Top 25 Most Dangerous Errors.

Dan Reddy is a Sr. Consulting Product Manager in the EMC Product Security Office. He focuses on integrity of EMC products within the software supply chain. Dan is active in SAFECode and the Open Group Trusted Technology Forum.  Both are active in SCAP related initiatives.


How Not to Redo Hard Work during Security Response, Karthik Raman, Security Researcher, Adobe Systems, Inc. (@heykart) & Manish Pali, Sr. Lead Software Quality Engineer, ETG Adobe Indi (@manish_pali)

Responsibly disclosed vulnerabilities attract less public interest than zero-days but in fact outnumber them manifold. The presenters will cover the technical aspects of triaging responsibly disclosed vulnerabilities in Adobe Reader and Flash Player. While triaging zero-day vulnerabilities can be challenging, responsibly disclosed vulnerabilities present their own challenges: (1) they are much more frequent; (2) not all of them are unpatched, i.e., a report may describe a vulnerability that was recently fixed, because the reporter did not test against the latest patch; and (3) they need to be analyzed in depth to generate vulnerability information for partners in the Microsoft Active Protections Program (MAPP). We will share Adobe’s approach to addressing these three challenges. We will review examples of vulnerability analyses for MAPP, examine how this seeded a solution for challenge #2, and finally introduce our automation solution to challenge #1.
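The first two challenges above lend themselves to a mechanical first pass; the Python below is an added example of one, not Adobe PSIRT's actual tooling. It rejects reports made against a build older than the latest shipped version (challenge 2) and, for reports on current builds, hashes the top crash frames with addresses stripped so that the same bug reported twice from different builds is recognised as a duplicate rather than re-analysed (challenge 1). The product names, version table, stack frames and case ids are all constructed for the example.

```python
import hashlib
import re

# Assumption: latest shipped build per product line, maintained by the release team (constructed values)
LATEST_SHIPPED = {"reader": "10.1.3", "player": "11.2.202.235"}

# Constructed crash stacks: the same bug seen on two different builds (offsets differ, frames do not)
STACK_A = ["img.dll!decode_scanline+0x1a3", "img.dll!decode_image+0x4f", "core.dll!render_page+0x210"]
STACK_A_OTHER_BUILD = ["img.dll!decode_scanline+0x1b7", "img.dll!decode_image+0x52", "core.dll!render_page+0x1fe"]


def parse_version(text):
    """Dotted numeric versions compare correctly as integer tuples; pre-release tags are not handled."""
    return tuple(int(part) for part in text.strip().split("."))


def crash_signature(frames, depth=5):
    """Hash the top frames with addresses and offsets removed, so builds that move code still match."""
    cleaned = [re.sub(r"(\+0x[0-9a-fA-F]+|\b0x[0-9a-fA-F]{6,}\b)", "", f).strip() for f in frames[:depth]]
    return hashlib.sha256("|".join(cleaned).encode()).hexdigest()[:16]


def triage(report, known):
    """Decide what to do with one inbound report.

    report: {"product": str, "version": str, "stack": [frame, ...]}
    known:  {signature: case id} for issues already analysed or fixed; updated in place
    """
    product, version = report["product"], parse_version(report["version"])
    if version < parse_version(LATEST_SHIPPED[product]):
        # challenge (2): the reporter tested an old build; ask for a retest before spending analyst time
        return "retest-on-latest"
    signature = crash_signature(report["stack"])
    if signature in known:
        # challenge (1): volume; the analysis for this crash already exists
        return f"duplicate-of:{known[signature]}"
    known[signature] = f"new-case-{len(known) + 1}"
    return "analyze"


if __name__ == "__main__":
    cases = {}
    for rep in (
        {"product": "reader", "version": "10.1.2", "stack": STACK_A},
        {"product": "reader", "version": "10.1.3", "stack": STACK_A},
        {"product": "reader", "version": "10.1.3", "stack": STACK_A_OTHER_BUILD},
    ):
        print(rep["version"], triage(rep, cases))
```

A "retest-on-latest" answer still has to be followed up: if the reporter comes back with the same crash on the current build, the report re-enters the queue as a fresh case, and a duplicate verdict should link the reporter to the existing advisory rather than silently close the report.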

Karthik Raman is a security researcher on the Adobe Product Security Incident Response Team (PSIRT) where he focuses on vulnerability analysis and technical collaboration with industry partners. Karthik was a research scientist at McAfee Labs earlier.

Manish Pali is part of the Adobe Acrobat team and is responsible for triaging security incidents for Acrobat/Reader. He is an automation expert, and his other responsibilities include quality activities related to the Reader sandbox.

Discussion Groups/Workshops

Secure Outsourcing Success: Best Practices for Minimizing Data Risk, Ilker Taskaya, Director of Security Strategy, Axis Technology, LLC (@axistechllc)

"Outsourcing" is a business strategy that can mean cost savings and increased productivity. However, with it comes many data security risks, especially when you factor in off-shoring scenarios between countries, cloud computing, complex technology environments, legacy systems, and then the myriad of state, federal and international laws that are constantly changing.

The seven steps at the core of this discussion are:

1- Understanding the risk: I will use real case studies that illustrate how to mitigate data threats
2- Data masking: securing data in non-production environments, in contrast to methods such as encryption and DLP
3- Solving problems: referential integrity across different database platforms, files, mainframes, etc.
4- Navigating data-sharing safely between different applications and environments, both on- and off-shore
5- Third-party consultants: important factors
6- Showing results: addressing ISOs, auditors, regulators, and sponsors
7- Maintaining flow between data security and evolving non-production database environments accessed by outsourced resources and vendors
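Steps 2 and 3 above, masking data for non-production use while keeping it joinable across systems, as an added example that is not DMsuite or any Axis Technology code: a Python masking pass that replaces identifiers with keyed HMAC-derived pseudonyms. Because the pseudonym is deterministic for a given key, the same customer id in a CRM table and in a flat file from a second system masks to the same value, so the join still works in the outsourced environment; because the key never leaves the masking job, the outsourced party cannot reverse it, which is the difference from shipping encrypted data and a key. The key, records and field formats are constructed for the example.

```python
import hashlib
import hmac

# Assumption: the key lives only with the masking job and is never copied to the target environment
MASKING_KEY = b"constructed-example-key-do-not-reuse"

# Constructed sample data from two systems that share customer_id (not real records)
CRM_ROWS = [
    {"customer_id": "1000234", "email": "alice@corp.example", "ssn": "123-45-6789"},
    {"customer_id": "1000235", "email": "bob@corp.example", "ssn": "987-65-4321"},
]
BILLING_RECORDS = [          # fixed-width records from a second system: customer_id, amount
    "1000234 0001999",
    "1000235 0004550",
    "1000234 0000120",
]


def pseudonym_digits(value, key, length):
    """Keyed, deterministic digit string: same value -> same output, not reversible without the key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10 ** length).zfill(length)


def mask_customer_id(cid, key):
    """Same length and character class as the original, so downstream schemas and parsers still accept it."""
    return pseudonym_digits(cid, key, len(cid))


def mask_email(email, key):
    # keep a syntactically valid address but drop both the name and the real domain
    return f"user{pseudonym_digits(email, key, 8)}@example.invalid"


def mask_crm(rows, key):
    return [{"customer_id": mask_customer_id(r["customer_id"], key),
             "email": mask_email(r["email"], key),
             "ssn": "XXX-XX-" + pseudonym_digits(r["ssn"], key, 4)} for r in rows]


def mask_billing(records, key):
    masked = []
    for rec in records:
        cid, amount = rec.split()
        masked.append(f"{mask_customer_id(cid, key)} {amount}")   # amount is not sensitive here
    return masked


def billing_count_per_customer(crm_rows, billing_records):
    """The join both teams rely on: how many billing records each CRM customer has."""
    counts = {r["customer_id"]: 0 for r in crm_rows}
    for rec in billing_records:
        cid = rec.split()[0]
        if cid in counts:
            counts[cid] += 1
    return counts


def referential_integrity_preserved(crm_rows, billing_records, key):
    """Masking must create neither collisions nor orphans: the join profile is identical before and after."""
    before = sorted(billing_count_per_customer(crm_rows, billing_records).values())
    masked_crm = mask_crm(crm_rows, key)
    masked_billing = mask_billing(billing_records, key)
    after = sorted(billing_count_per_customer(masked_crm, masked_billing).values())
    no_collision = len({r["customer_id"] for r in masked_crm}) == len(crm_rows)
    return before == after and no_collision


if __name__ == "__main__":
    for row in mask_crm(CRM_ROWS, MASKING_KEY):
        print(row)
    print(mask_billing(BILLING_RECORDS, MASKING_KEY))
    print("join preserved:", referential_integrity_preserved(CRM_ROWS, BILLING_RECORDS, MASKING_KEY))
```

Two caveats a practitioner would want: truncating the HMAC to seven digits leaves a small collision chance, so a production job keeps a collision table and re-derives on conflict; and this is pseudonymization, not anonymization, so the masked set is still subject to the laws that apply to the original data until the free-text and quasi-identifier columns are handled as well.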

Ilker Taskaya is the Director of Security Strategy & Product Manager for DMsuite, a web application data masking product, at Axis Technology, LLC. He manages the data masking product team at Axis, including services delivery and product development. Prior to this, Mr. Taskaya was a consultant in data warehousing for clients in financial services, insurance, and health care.

Celebrating Bad Crypto: Lightweight Formal Methods for Making Use of DRM, Obscurity, and Other Useless Techniques, Brian Sniffen, Principal Architect, Akamai Technologies

Internet-scale companies face a variety of adversaries. When defending against a world of attackers, they can justify defense in breadth: different techniques against different adversaries. Existing analysis techniques awkwardly handle questions about a distribution of adversaries against an evolving series of protocols. For example, many media companies have chosen to use strong crypto for some secrets, but very weak DRM for others. Businesses put their financial systems behind a good firewall, but the source code walks around on every developer's laptop. These are Bad Crypto: the wisdom of our elders tells us to avoid security through obscurity and obey Kerckhoffs's principle---but we don't.

We'll show how to extend traditional formal methods of security (information-theoretic and computational analysis) to model these choices. We'll sketch out how and when Bad Crypto can be good. You can use this to make better decisions about how to compromise on traditional security features without losing many battles to the adversary.

Brian Sniffen is Principal Architect for Information Security at Akamai Technologies. His research interests include programming languages and formal methods of information security.

De-constructing the Cost of a Data Breach, Patrick Florer, Co-founder and CTO, Risk Centric Security, Inc., (@pmflorer)

Deconstructing the cost of a data breach: an analysis and discussion of the many factors to be considered when talking about data breaches.

What is a breach?
What are data?
What costs are we talking about?
Whose costs are we talking about?
How do we estimate costs / impact?
Putting it all together.
Areas for future research

Patrick Florer has worked in Information Technology for 32 years. During 17 of these years, he worked concurrently in Evidence-based Medicine. Since 2007, he has focused exclusively on information security and risk. He co-founded and currently serves as CTO of Risk Centric Security, Inc.


Perspectives of How to Develop a Winning Career in Infosec, Roy Wattanasin (@wr0), Information Security Officer, MITM

As practitioners, how do we become more successful in our careers in information security? In this highly interactive discussion group setting, bring your questions and comments! Learn more ways to become more successful in your career. This session will be geared toward both new information security professionals as well as seasoned professionals. Everyone will learn something from this discussion group session.

Roy Wattanasin is a senior information security professional working in healthcare. He spends most of his time leading and developing an organization's information security program, working on incident response, vulnerability detection, special security projects and regulatory efforts, and performing malware and forensic analysis. He enjoys teaching at Brandeis University and speaking at security conferences, educational institutions and meetups. He can be reached at


Using capture-the-flag to enhance teaching and training, Kees Leune, Information Security Officer, Adelphi University.

Kees Leune is a passionate Information Security Officer, Husband, Father, Strategist, Professor, Mentor, Blogger, Adviser, Consultant, Speaker and occasional developer. Originally from the Netherlands, he now lives and works in New York.



Scalable, High-Performance Packet Capture on Commodity Hardware Using Linux 3.2, Chetan Loke, Principal Engineer

A large number of network security professionals and system administrators use tcpdump/libpcap-style tools to debug, analyze and diagnose network issues. Note: even commercial appliances use similar capture models, although they also use fancier hardware. Regardless, the packet capture domain can be roughly broken down into two components: data delivery and data computation. This talk focuses on the Linux kernel's latest feature that speeds up data delivery to user-space applications (with low CPU consumption). Data computation can then be parallelized on multiple CPUs after packet delivery.

Chetan Loke has interests in developing next-generation, open, scalable IO stacks. He has architecture experience in designing SAN operating systems, device drivers, firmware and ASICs. He was the lead developer of Emulex's high-performance SR-IOV FC HBAs. His recent Linux kernel contribution was the high-performance packet-capture model that shipped as part of kernel 3.2. His hobbies include advocating consumption of all-natural/organic food, listening to trance/techno music and, of course, hacking Linux. He holds an MS degree in Computer Science from Northeastern University, Boston, MA.


Incident Detection: MacGyver Style, Ben Jackson, Grand Poobah, Mayhemic Labs (@innismir)

Despite the budget cuts and layoffs during this economic downturn, the Mongol hordes are still beating on the castle's electronic gate. Security teams are being asked to do more with less, and it's time to rise up and meet the challenge head on. This presentation will discuss ways to leverage existing infrastructure in order to better detect security incidents, simple ways to detect network anomalies, and what can be done with some logs, spare time, duct tape, a multitool, and some chewing gum.

Ben spends his time enjoying being a husband and dad, and messing around with anything that has a button on it. He was the author of "Asterisk Hacking" from Syngress, has spoken at various conferences, and has appeared on various media outlets discussing security and privacy. Ben strongly dislikes writing about himself in the third person.
