SOURCE Boston 2013 - Conference Agenda

Tuesday, April 16







Opening Remarks


Opening Keynote – Gene Kim Podcast


Games We Play: Payoffs & Chaos Monkeys

Allison Miller Podcast
Electronic Arts

Rise In ATM Compromises
Luiz Eduardo Dos Santos
Ryan Linn

Inside the Black Hole Exploit Kit (BHEK)
Chester Wisniewski


Avoiding Android App Security Pitfalls
Zach Lanier
Accuvant Labs

Attacking Cloud Services with Source Code
Jonathan Claudius

Bring Your Own Device: Keeping it Simple and Effective
Andy Jaquith
Perimeter E-Security


Free Time


Strategic Analysis of the iOS Jailbreak Development Community

Dino Dai Zovi
Trail of Bits

JavaScript Pitfalls
Ming Chow Podcast
Tufts University

The Base Rate Fallacy: Information Security Needs to Understand This
Patrick Florer
Risk Centric Security


Suicide Risk Assessment And Intervention Tactics
Amber Baldet Podcast

We See The Future And It's Not Pretty
Chris Wysopal

Speed Networking
Hosted by Jonathan Cran

Wednesday, April 17





Opening Remarks


Keynote – Dan Geer/Richard Thieme


Theory and Application of Realistic Capture The Flag Competitions
Julian Cohen

Third Party Security Assurance: The Service Provider Perspective
John Nye
BitSight Technology

Insider Threat: Hunting for Authorized Evil Podcast
Tom Cross





Practical MitM Pentesting
Jonathan Cran
Pwnie Express

Distributed Security: Expanding the Toolkit for Institutional Resilience
Sam Curry & Sandy Carielli

Analysis of The BroBot DDOS Attack
Eric Kobrin


Hosted by Lee Kushner

Birds, bots and machines - Fraud in Twitter and how to detect it using Machine Learning Techniques
Vicente Diaz

Analyzing the Chemistry of Data
Wendy Nather
451 Group


Free Time


Adversarial Resilience at the Planetary Scale
Christian Ternus

"Cyber" Momentum: Understanding & Leveraging the National Cybersecurity Policy Debate
Jack Whitsitt

Hooked on Packets: Reading Pcaps for D students
Ryan Linn & Mike Ryan


Big Data? Big Liability!
Jake Kouns

Punch and Counter-punch with .Net Apps
J Wolfgang Goerlich

"Hacking Back" is a Bad Idea
Steven Maske



Thursday, April 18





Opening Remarks


Keynote – Andy Ellis


Practical Exploitation of Embedded Systems
Andrea Barisani
Inverse Path

Kinetic Pwnage: Obliterating the Line Between Computers and the Physical World
Ed Skoudis
SANS Institute

No-Knowledge Crypto Attacks
Daniel Crowley
Trustwave Podcast




Data Analysis and Visualization for Security Professionals
Bob Rudis, Liberty Mutual & Jay Jacobs, Verizon

Protecting sensitive information on iOS devices
David Schuetz
Intrepidus Group

Adversarial Decision Making in Critical Infrastructure Cyberattacks
Aunshul Rege
Temple University


A Brief History of Physical Security
Schuyler Towne

Blitzing with your Defense
Ben Jackson
Mayhemic Labs

HTTP Header Hunting - A Behavioral Approach to Malware Detection
Rodrigo Montoro & Jonathan Claudius


Building Your Own Packet Capture Platform
Dragorn & Mike Ossman Podcast

Facilitating Fluffy Forensics (a.k.a. Considerations for Cloud Forensics)
Andrew Hay
Cloud Passage

Attacking NFC Mobile Wallets: Where Trust Breaks Down
Max Sobell
Intrepidus Group


Wait! Wait! Don't Pwn Me


Closing Remarks





Gene Kim

Gene is a multiple award winning CTO, researcher and author. He was founder and CTO of Tripwire for 13 years. He has written three books, including “The Visible Ops Handbook” and “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win.” Gene is a huge fan of IT operations, and how it can enable developers to maximize throughput of features from “code complete” to “in production,” without causing chaos and disruption to the IT environment. He has worked with some of the top Internet companies on improving deployment flow and increasing the rigor around IT operational processes. In 2007, ComputerWorld added Gene to the “40 Innovative IT People Under The Age Of 40” list, and he was given the Outstanding Alumnus Award by the Department of Computer Sciences at Purdue University for achievement and leadership in the profession.


Fireside Chat with Dan Geer and Richard Thieme

Moderated by Josh Corman – Join us as we listen to industry luminaries Dan Geer and Richard Thieme discuss industry trends.

Dr. Daniel Earl Geer Jr., Sc.D. serves as Chief Information Security Officer at In-Q-Tel. Dr. Geer serves as Principal of Geer Risk Services as well as an entrepreneur, author, scientist, consultant, teacher and architect. He has been a Member of Application Scoring and Responsible Disclosure Focus Team at Veracode Inc. since April 2007. He served as the Chief Scientist Emeritus and Vice President of Verdasys Inc. He served as the Chief Scientist of Verdasys Inc. He served as the Chief Technology Officer of @stake Inc. Prior to @stake, he served as Vice President and Senior Strategist at CertCo. Dr. Geer also served as Director of Engineering at Open Market, Inc. and as Chief Scientist and Vice President of Veritas (formerly, OpenVision Technologies).

Dr. Geer is an expert in computer security and has been recognized as a pioneer in the space for his insight into the critical issues that plague the security industry. He has been featured in publications such as Network World, Search Security and InfoWorld. A renowned expert in the field of network security, Dr. Geer has testified before the House Science and Subcommittee on Technology regarding public policy in the age of electronic commerce. Dr. Geer has testified before Congress on multiple occasions and has served in formal advisory roles for the Federal Trade Commission, the National Science Foundation, the Treasury Department, the National Research Council, the Commonwealth of Massachusetts, the Department of Defense, the National Institute of Justice and the Institute for Information Infrastructure Protection. He served as President of USENIX, the advanced computing systems association.

Dr. Geer holds a Sc.D. in Biostatistics from the Harvard School of Public Health and a S.B. in Electrical Engineering and Computer Science from MIT.

Richard Thieme has published dozens of articles and short stories, 3 books, and a thousand speeches. He speaks about the challenges posed by new technologies and the future, how to reinvent ourselves to meet those challenges, and radical creativity. He has keynoted conferences in Sydney & Brisbane, Wellington & Auckland, Dublin, Berlin, & Heidelberg, Amsterdam, Rotterdam & The Hague, Dubai & Kuala Lumpur, Israel, and lots in Canada & USA. Clients range from GE, Medtronic, and Microsoft to the NSA, FBI, US Secret Service, and US Dept of the Treasury, plus dozens of hacker conferences including 17 years at Def Con & BH.

Joshua Corman is the Director of Security Intelligence for Akamai Technologies and has more than a decade of experience with security and networking software. Most recently he served as Research Director for Enterprise Security at The 451 Group following his time as Principal Security Strategist for IBM Internet Security Systems. Mr. Corman’s research cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting economics. His research and education efforts won him the title of Top Influencer of IT by NetworkWorld magazine in 2009.

Mr. Corman is a candid and highly-coveted speaker with engagements at leading industry events such as RSA, DEFCON, Interop, ISACA, and SANS.  As a staunch advocate for CISOs, Corman also serves as a Fellow with the Ponemon Institute, on the Faculty for IANS, and co-founded Rugged Software – a value-based initiative to raise awareness and usher in an era of secure digital infrastructure. Corman received his bachelor’s degree in philosophy, graduating Phi Beta Kappa and summa cum laude, from the University of New Hampshire. He resides with his wife and two daughters in New Hampshire.

Corman can be found on Twitter @joshcorman and on his blog at

Herding Lizards: How to avoid Security Subsistence Syndrome – Andy Ellis, CSO, Akamai

Security professionals are always in need of more resources. But getting the necessary budget isn't easy. In his talk, Herding Lizards: How to avoid Security Subsistence Syndrome, Andy Ellis, CSO at Akamai, proposes a different idea: get the budget to come to you. What security managers and CISOs need to do is to make it clear how security efforts provide value to the business.

Andy Ellis is Akamai's Chief Security Officer, responsible for overseeing the security architecture and compliance of the company's massive, globally distributed network. He is the designer and patent holder of Akamai's SSL acceleration network, as well as several of the critical technologies underpinning the company’s Kona Security Solutions. Mr. Ellis is at the forefront of Internet policy; as a speaker, blogger, member of the FCC CSRIC, supporting Akamai's CEOs on the NIAC and NSTAC, and an advisory board member of HacKid. He is a graduate of MIT and a former US Air Force officer, the recipient of the CSO Magazine Compass Award, the Air Force Commendation Medal, The Wine Spectator's Award of Excellence, and the Spirit of Disneyland Award. He can be found on Twitter as @csoandy.



Speaker Sessions

Games We Play: Payoffs & Chaos Monkeys
Allison Miller, Senior Director of Operations, Electronic Arts
Game theory is a technique for modeling system behavior, given different potential scenarios and the decisions that can be made by participants. Whether you are on offense or defense, game theory could be a useful tool for deciphering the underlying system dynamics that help you predict what your competition is going to do, and likewise, the strategies you should adopt in order to win. In this session we’ll review how different scenarios can be interpreted and analyzed as games. We’ll then discuss how theories break down in reality -- which is full of fuzzy payoffs and hidden motives -- and how theoretical frameworks provided by game theory can be tempered by more experimental approaches, borrowed from behavioral economics.

Allison Miller is Senior Director of Operations at Electronic Arts, where she oversees the business operations of EA's cross-company digital platform. Allison has over 10 years of experience in designing, building and deploying real-time threat detection and prevention systems. Miller is active in the security community and presents research on fraud prevention and account security issues regularly to both industry and government audiences, including the ITWeb Security Summit, Black Hat Briefings, SOURCE Conferences (Boston, Barcelona, Seattle), USENIX/Metricon, and RSA. Prior to joining EA, Miller led Tagged's Security & Risk Management team, managed PayPal's Account Risk & Security team and was Director of Product / Technology Risk at Visa International.

Inside the Black Hole Exploit Kit (BHEK)
Chester Wisniewski, Sr. Security Advisor, Sophos
One of the most successful drive-by attack toolkits available to criminals, Black Hole, is dominating the criminal marketplace. In this talk we will explore how the exploit kit is sold, available options, how attackers are using it to ensnare victims and the speed with which new vulnerabilities are being exploited. Techniques for defending against Black Hole and other exploit kits will be presented along with trends in the underground that may hint at what is coming next.
As the Senior Security Advisor at Sophos Canada, Chester Wisniewski shares information on the latest IT security threats. Since joining Sophos in 2003, he has worked closely with SophosLabs to study threats and provide informational seminars, blogs and other publications to customers and the public on securing their networks and data against evolving threats.

Bring Your Own Device: Keeping it Simple and Effective
Andrew Jaquith, CTO, Perimeter E-Security
Bring-Your-Own-Device (BYOD) has gained favor with companies: 94% will allow employees to bring their own mobile devices to work by 2013. Panicky stories in the press suggest that BYOD is the first horseman of an impending apocalypse. But the reality is that BYOD isn’t complicated. This talk describes how to create a BYOD program for mobile devices that is safe, secure and legal.
Jaquith has 20 years of IT and information security experience. Before Perimeter, he was a senior analyst with Forrester Research where he led team coverage for data, endpoint and mobile security topics and wrote 20 popular reports. Previous roles include program manager in Yankee Group's enabling technologies enterprise group, co-founder of @stake, and project manager and business analyst positions at Cambridge Technology Partners and FedEx. Andrew holds a B.A. in Economics and Political Science from Yale University.

Attacking Cloud Services with Source Code
Jonathan Claudius, Security Researcher, Trustwave
It is a lot of work to ensure that an open source project runs correctly on all of its supported platforms. Fortunately, there are a growing number of cloud-based services that offer to remove this tedium, and for free! They will download, compile, and *execute* your code and let you know if everything goes as planned. This presentation will explore attack scenarios that could happen if malicious source code is fed into these services and provides perspective, advice and a new tool to help defend them from compromise.
Jonathan Claudius is a Security Researcher at Trustwave. He is a member of Trustwave's SpiderLabs, the advanced security team focused on penetration testing, incident response, and application security. He has eleven years of experience in the IT industry with the last nine years specializing in Security. At Trustwave, Jonathan works in the SpiderLabs Research Division where he focuses on vulnerability research, network exploitation and is the creator of the BNAT-Suite. Before joining SpiderLabs, Jonathan ran Trustwave's Global Security Operations Center.

JavaScript Pitfalls
Ming Chow, Tufts University
This presentation will cover both offensive and defensive JavaScript programming techniques including what JavaScript developers are still doing wrong, the security woes surrounding offline storage and WebGL, Node.js attack vectors, and concerns with WebSockets.
Ming Chow is a Lecturer at the Tufts University Department of Computer Science. His areas of work are in mobile development, web security, and web engineering. Ming is a frequent guest speaker and has spoken at numerous organizations and conferences including OWASP, InfoSec World 2011 and 2012, and DEF CON 19.

The Base Rate Fallacy:  Information Security Needs To Understand This.
Patrick Florer, CTO, Risk Centric Security
A base rate is the prevalence of an item of interest in a population. In medicine, it would be the prevalence of a disease in a group of people. In information security, it might be the prevalence of SQL injection flaws in web applications or the prevalence of malware in the population of downloaded *.exe files. Without an estimate of the base rate, it isn’t possible to talk meaningfully about detection rates (true positives) or false positives. Those who do so commit the “base rate fallacy.” If the base rate is known, then a Fourfold table, also called a 2 x 2 table or matrix, is a mechanism that helps us understand the correct probabilities of True Positive, False Positive, True Negative, and False Negative events and avoid the base rate fallacy. Understanding these probabilities enables us to evaluate the claims of many types of security technologies, including the effectiveness of antivirus software, web application scanners, and IDS/IPS systems.
• The base rate fallacy will be explained and demonstrated.
• Gigerenzer’s Natural Frequencies Technique for Avoiding the Base Rate Fallacy
• Examples of why base rates apply to information risk management:
    • Common Vulnerability Scoring System (CVSS)
    • The Distinction between Inherent Risk vs. Residual Risk
    • Intrusion Detection Systems
    • Vendor Management, Hosting Providers, and SOC 2 (formerly SAS70) Audit Reports

Patrick Florer has worked in information technology for 32 years. In addition, during 17 of those 32 years, he worked a parallel track in medical outcomes research, analysis, and the creation of evidence-based guidelines for medical treatment. His roles have included IT operations, programming, and systems analysis. From 1986 until now, he has worked as an independent consultant, helping customers with strategic development, analytics, risk analysis, and decision analysis. He is a cofounder of Risk Centric Security and currently serves as Chief Technology Officer.

Theory and Application of Realistic Capture the Flag Competitions
Julian Cohen
Capture The Flag is a type of offensive competition where teams solve security challenges to score points. Teams are either pitted directly against each other or against a clock. This presentation will go over the different kinds of CTF competitions and how each of them changes the dynamics of the game. For a long time, Capture The Flag competitions have been one of the best ways for students to learn and professionals to prove themselves. This presentation analyzes why CTF competitions are so popular, and so effective at educating and judging teams on their technical ability. Different qualitative elements define different CTF competitions. Design and quality of infrastructure, logistics, and challenges will be covered in detail.
Julian Cohen is a security researcher from New York City. For the past three years, Julian has run NYU Poly's world-renowned CSAW CTF competition. When he isn’t finding bugs and developing exploitation techniques, Julian spends his downtime writing technical articles and participating in CTF competitions around the world. Julian occasionally uses computers.

Third Party Security Assurance: The Service Provider Perspective
John Nye, Consultant, BitSight Technologies
For enterprises and their service providers alike, due-diligence efforts have become expensive and un-enlightening. It's time to call this process broken and find a solution. We'll review real-world contract failures and assessments gone bad, discuss how this security make-work is dangerously distracting from information protection goals, and look at ways to improve these partnerships to more efficiently manage risk.
John Nye is an information security professional with BitSight Technologies. During his 15-year career in information security, Nye has conducted hundreds of third party assessments and serves as an information security executive for a technology service provider - protecting information and managing corporate risk from both sides of the due-diligence table.

Distributed Security: Expanding the Toolkit for Institutional Resilience
Sam Curry, CTO, RSA (@samjcurry) & Sandy Carielli, Senior Product Manager, RSA

It has become almost trite to say that institutions must operate on the assumption that an attacker will get in. Institutional resilience strategies are chock full of prevention and detection tools, but the evolution of a more advanced set of tools for recovery has yet to become commonplace. Distributed Security falls squarely into that recovery area by splitting critical resources and security processes across servers or services and by adding self healing capabilities that make even silent compromise a recoverable event. This talk describes the types of resources that should be distributed, including authentication decisions, access controls, and collections of personal data, and how that distribution can address institutional resilience, reduce liability and address privacy concerns. We will also discuss deployment strategies and address the benefits and challenges of diversification in a distributed security system.

Sam Curry is Chief Technology Officer for Identity and Data Protection at RSA, The Security Division of EMC. Mr. Curry has more than 20 years of experience in security product management, development, marketing, engineering, quality assurance, customer support and sales.

Sandy Carielli leads product management for Distributed Credential Protection and the BSAFE portfolio at RSA, The Security Division of EMC.



Birds, bots and machines - Fraud in Twitter and how to detect it using Machine Learning Techniques
Vicente Diaz, Senior Security Analyst, Kaspersky Labs

Summarizing the main points of this presentation:
- Analysis of real malicious campaigns on Twitter and the methodology used
- How these campaigns are related to ad companies that take your digital fingerprint to cross-check your browsing with real world information.
- How much money these trackers are making (and how profiling relates to governments).
- A method using Machine Learning with real world data for detecting malicious (and hacked!) profiles with over 90% success.
- Reflections on how we can help keep social networks from becoming the next fraud haven.

Former lead of the Intelligence eCrime Group at S21sec, Vicente joined Kaspersky Lab in 2010 as a Security Analyst at GReAT Team and R&D Manager for Iberia. He also cooperates in the Master of Security of the UOC as a professor. He is a co-founder of Edge-Security Team and is a member of the board of directors of FIST Conferences. He has been a speaker at several conferences such as EUSecWest, Deepsec and VirusBulletin, and participates in several anti-fraud efforts.

Analyzing the Chemistry of Data
Wendy Nather, Research Director, Enterprise Security Practice, 451 Group (@451wendy)
Data security doesn't involve just securing data at rest or in transit. It also needs to be secured in use – which means that at any point, the characteristics of the data can change. We call this situation a "data event," and it can mean that security requirements have to change as a result. This talk discusses the implications of data events, and how their dynamic, business-driven nature needs to be addressed, possibly by new security technologies.
Wendy Nather is Research Director of the Enterprise Security Practice at 451 Research. She has worked as a CISO both in the investment banking sector and state government, and has written and spoken on topics ranging from identity and access management to risk analysis, cloud security and data privacy.

Hooked on Packets: Reading Pcaps for D students
Ryan Linn, Senior Security Consultant, Trustwave (@sussurro) & Mike Ryan, Lead Security Researcher, Trustwave (@justfalter)
Understanding what's going on with a network is a critical skill for security professionals, sys admins, and IT professionals. Not everyone has a networking background, though viewing network information shouldn't require it. This talk will focus on how to use Ettercap and filters to do more than Man-In-The-Middle attacks. We will demonstrate how to use span ports, taps, and passive sniffing to detail network transactions, find credentials, and more without having to know what happens when you push an ack with your urgent bit. For students, we'll have information on how to extend this framework for your classmates.

Ryan Linn is a Senior Consultant with Trustwave’s SpiderLabs. Ryan is an author, a developer, an educator, and a penetration tester. He has contributed to Metasploit, BeEF, and Ettercap.

Mike Ryan is a Lead Security Researcher at Trustwave. Mike has over 14 years experience in IT with the last 9 years in Security R&D. Mike is responsible for the design of Trustwave’s vulnerability scanning engine,

Protecting sensitive information on iOS devices
David Schuetz, Senior Consultant, Intrepidus Group
This talk reviews the key technologies available to keep data protected on iStuff, hopefully framing the discussion in a way decision makers can understand. From built-in features, to tricks for getting around them, to advanced attacks, we look at the most important things you can do to keep your data secure. We also provide a no-nonsense reality check on the reasons you'll never be 100% safe. We conclude with a short review of best practices, both for configuration and custom application development, as well as a review of improved controls introduced in iOS 6.
David is a Senior Consultant at Intrepidus Group, where he focuses on iOS research and application testing. He enjoys solving puzzles, from security conference crypto contests to reverse-engineering Apple's MDM system, and everything in between. He can be found on Twitter as DarthNull, and occasionally blogging at

Punch and Counter-punch with .Net Apps
J Wolfgang Goerlich, Information System and Security Manager, Munder Capital
Alice wants to send a message to Bob. Not on our network, she won’t! Who are these people? Then Alice punches a hole in the OS to send the message using some .Net code. We punch back with Windows and .Net security configurations. Punch and counter-punch, breach and block, attack and defend, the attack goes on. With this as the back story, we will walk through sample .Net apps and Windows configurations that defenders use and attackers abuse. Short on slides and long on demo, this presentation will step through the latest in Microsoft .Net application security.
J Wolfgang is the information systems and security manager for a Michigan-based financial institution. He is responsible for managing the software development and network operations team. Wolfgang's background is in architecting new systems, securing existing systems, and optimizing performance and recovery. With over a decade of experience, Mr. Goerlich has a solid understanding of both the IT infrastructure and the business it enables.

Big Data? Big Liability!
Jake Kouns, Director, Cyber Security and Technology Risks Underwriting, Markel
Companies that embrace “big data” may not realize that they are also opening up the possibilities of big liability at the same time. It is critical to understand what types of data generate what type of exposure and evaluate options to reduce liability.
Jake Kouns is the Director of Cyber Security and Technology Risks Underwriting for Markel Corporation. In addition to his responsibilities at Markel, Mr. Kouns is the CEO of the Open Security Foundation, a non-profit organization that oversees the operation of that provides detailed information data breach incidents world-wide.

"Hacking Back" is a Bad Idea
Steven Maske
Recently there has been a lot of discussion around responding to attacks by "hacking back". Many respected industry professionals have written articles or presented talks on how to gain valuable information on your attacker and how to do so legally. What has been missing from this discussion is whether or not "hacking back" is a good idea to begin with. This talk will discuss the reasons why a counter-attack is probably not in your best interest.
Steven Maske is a Security Engineer for a Fortune 1000 company. He has worked in the IT industry for 12 years, 7 of which have focused on Information Security. His experience includes project oversight, risk management, vulnerability assessments, penetration testing and social engineering. Steven holds multiple technical degrees and professional certifications including a Master of Information Systems, CISSP and CISA. You can find him on Twitter as @ITSecurity or on his blog,

No-Knowledge Crypto Attacks
Dan Crowley, Managing Consultant, Trustwave – SpiderLabs
The strength of a cryptographic system does not depend solely on the strength of the algorithm used. Come learn about easily launched attacks which require little to no knowledge of cryptography, but which can break through cryptographic protections.
Daniel (aka "unicornFurnace") is a Managing Consultant for Trustwave's SpiderLabs team. Daniel has developed configurable testbeds such as SQLol and XMLmao for training and research regarding specific vulnerabilities. Daniel has been working in the information security industry since 2004 and is a frequent speaker at conferences including DEFCON, Shmoocon, and SOURCE.

Data Analysis and Visualization for Security Professionals
Bob Rudis, Liberty Mutual & Jay Jacobs, Verizon

You have a deluge of security-related data coming from all directions and may even have a fancy dashboard full of pretty charts. However, unless you know the right questions to ask and how to ask them, all you really have is compliance artifacts. Move beyond the checkbox and learn techniques for collecting, exploring and visualizing the stories within our security data.
Bob Rudis is Director of Enterprise Information Security & IT Risk Management for Liberty Mutual Insurance.

Jay Jacobs is an author of the Verizon Data Breach Investigations Report and a Principal at Verizon Business specializing in information security data analysis.


Adversarial Decision Making in Critical Infrastructure Cyberattacks
Aunshul Rege, Assistant Professor, Temple University

This talk investigates technical and non-technical factors that influence adversarial decision-making (ADM) in critical infrastructure cyberattacks. Individuals from both the electricity industry and hacking communities are surveyed and interviewed. Nine factors influencing ADM emerged and were organized to create the PARE RISKS framework: (P) Prevention Measures; (A) Attacks and Alliances; (R) Result; (E) Ease of Access; (R) Response and Recovery; (I) Interconnectedness and Interdependencies; (S) Security Testing, Assessments, and Audits; (K) Knowledge, Skills, Research and Development; and (S) System Weaknesses. Cyberattacks occur as a step-by-step process, with five distinct stages: preparation, entry, initiation, attack dynamics, and exit.

Dr. Rege has over eight years of experience in researching cybercrimes from a criminological perspective. She has studied critical infrastructure cybercrimes, focusing on information warfare, the organizational dynamics of cybercriminals and their modus operandi, adversarial decision-making and decision trees, the anatomy of cyber-attacks, the 'hybridity' (cyber-physical relationships) of crime, and trend analyses. Dr. Rege has published on critical infrastructure cybercrimes in academic journals such as the Security Journal and Criminal Justice Studies and presented at criminological and critical infrastructure conferences.


Blitzing with your Defense
Ben Jackson, Grand Poohbah, Mayhemic Labs
The traditional response model for blue teams, designed with years of experience with virus and worm outbreaks, starts to become less effective when applied to adversaries who are actively attempting to bypass your defenses. The days of simply responding to alerts are over and a shift to employing more "active" defenses and developing intelligence about threat actors has started. This presentation will discuss developing a defense that “blitzes,” how to gather threat intelligence via open source data, how to analyze and extract data from attacks against your environment, and how to establish a more "active defense" of your network.

Ben spends his time enjoying being a husband, dad, and messing around with anything that has a button, dial, or blinking light on it. He was the author for "Asterisk Hacking" from Elsevier Publishing, has spoken at various conferences, and has appeared on various media outlets discussing security and privacy. Ben strongly dislikes Thursdays and writing about himself in the third person.

HTTP Header Hunting - A Behavioral Approach to Malware Detection
Rodrigo Montoro, Security Researcher, Trustwave/SpiderLabs (
@spookerlabs)  & Jonathan Claudius,  Security Researcher (@claudijd)
A large percentage of malware today uses HTTP/HTTPS as it’s call back mechanism. These call back mechanisms are used for anything from command and control, deploying new malware payloads, exfiltrating sensitive data and a variety of other malicous activities. It’s become increasingly difficult detect this malware as thousands of new samples appear daily as this threat continues to evolve.

Rodrigo and Jonathan are Security Researchers at Trustwave. They are members of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. Jonathan has ten years of experience in the IT industry and works in SpiderLabs where he focuses on vulnerability scanning signature development, network exploitation and is the creator of the BNAT-Suite. Rodrigo has 13 years of experience deploying open source security software (firewalls, IDS, IPS, HIDS, log management) and hardening systems. Rodrigo also works in SpiderLabs, where he focuses on IDS/IPS signatures and new malware detection research (PDFScore and HTTP Header Research).


Facilitating Fluffy Forensics (a.k.a. Considerations for Cloud Forensics)
Andrew Hay, Chief Evangelist, CloudPassage
In this session, CloudPassage Chief Evangelist Andrew Hay will address the forensic and IR challenges of investigating servers and applications in cloud environments in addition to the opportunities that cloud presents to help expedite forensic investigations. Topics that will be discussed include:
• Traditional forensics and IR
• Cloud architectural challenges for responders
• Chain-of-custody and legal issues across architectures and regions
• How existing forensics/IR tools can help - and what they can do better
• Advantages of conducting forensics/IR in cloud environments

Andrew Hay is the Chief Evangelist at CloudPassage, Inc. where he serves as the public face of the company and lead advocate for its SaaS server security product portfolio. Prior to joining CloudPassage, Andrew served as a Senior Security Analyst for industry analyst firm 451 Research and provided technology vendors, private equity firms, venture capitalists and end users with strategic advisory services.

Attacking NFC Mobile Wallets: Where Trust Breaks Down
Max Sobell, Senior Consultant, Intrepidus Group
This talk covers the attack surface of NFC Mobile Wallets (including Google Wallet) and details attacks to date. As more and more Mobile Wallet rollouts are deployed, it is important to understand Wallets' inherent strengths and limitations. This talk details communication with the Secure Element, the EMV payment standard, and Android, iOS, and BlackBerry NFC APIs.

Max is a senior consultant at Intrepidus Group. Along with traditional security assessments, Max frequently reviews pre-release embedded devices to ensure both hardware and software meet industry best practices. He has done extensive hardware security research, notably in the fields of RFID, NFC, and Bluetooth. He has spoken at security events including local conferences, CanSecWest, ShmooCon, SecTor, and OWASP. Max is a licensed HAM operator and contributes chapters to several best-selling Linux reference books.

Building Your Own Packet Capture Platform
Dragorn & Mike Ossmann

Building your own hardware for packet capture is easier than you might think. New resources for the beginner in embedded electronics make it possible for a novice to produce a working device with unprecedented speed. We'll show our working designs including Ubertooth One, Kisbee, and HackRF, and we'll discuss the changing landscape of wireless security now that such tools are within the reach of both attackers and defenders.

Mike Kershaw aka Dragorn is the author of the Kismet packet sniffer and IDS, as well as assorted other open-source wireless tools on various platforms, and the Kisbee 802.15.4/Zigbee sniffing hardware.

Michael Ossmann is a wireless security researcher who makes hardware for hackers.  He founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

Suicide Risk Assessment and Intervention Tactics
Amber Baldet


Suicide is the 10th leading cause of death in the United States, yet it persists as one of the few remaining taboo topics in modern society. Many characteristics linked to elevated suicide risk are prevalent in the technical community, and the effects of suicide within any community extend far beyond those directly involved. Prevention and intervention, however, are not a mystery. This workshop presents evidence-based practices to assess suicide risk in others, and an introduction to the step-by-step practice of crisis intervention. Rather than presenting a "depressing discussion of depression," attendees will learn basic QPR (Question, Persuade, Refer) methodology - the same as taught to first responders and mental health professionals - in a condensed format that answers many common questions people may be afraid to ask. Special attention will be paid to risk as it affects our particular community, and an overview of crisis network technical implementations / limitations (effects of digital anonymity & ethical concerns, etc.) will be presented. Much like simple CPR training equips everyday people with the knowledge and confidence to help a heart attack victim that is likely a stranger, widespread dissemination of QPR training aims to equip everyday people to prevent a suicide - most often, of a friend.

Amber Baldet performs product development for the Central Technology group at a top tier investment bank. She was certified as an Online Counseling and Suicide Intervention Specialist by the QPR Institute in 2011. 

We See The Future And It's Not Pretty
Chris Wysopal, CTO, Veracode

We all know that applications are inherently insecure, yet some of the highest profile breaches in 2012 were the result of easily remediated coding flaws. These flaws persist in almost all the software that runs most websites and businesses; SQL injection alone affects 32% of web applications. If the current state of software security is any indication, we’ll continue to hear about major data breaches in 2013 and beyond.

Chris Wysopal, Veracode’s Co-Founder and CTO, will discuss the current and future state of appsec. He will dive into the data that drive the predictions detailed in Veracode’s fifth annual State of Software Security Report. This report pulls data from tens of thousands of live application scans performed on the Veracode Platform.

You’ll learn why we’ll see the following dynamics in the near future:

  • Higher turn-over rates for CISOs and security professionals.
  • The rise of the everyday hacker.
  • Default data encryption for mobile communications.

Kinetic Pwnage: Obliterating the Line Between Computers and the Physical World
Ed Skoudis - SANS Institute

The infosec industry has spent decades struggling to secure computers and the vital data they hold, with some successes and many frustrating failures. Infosec pros and hackers alike have a wealth of lessons learned borne in our scars from battles to protect PII, PHI, and other information assets. Increasingly, however, we are facing a shifting threat, as attackers target not just computers and data, but instead the industrial control systems and related equipment we use to operate our physical world. Successful attacks in this realm could pack a lot more wallop than merely purchasing credit monitoring for a year or reimaging worm-infected PCs. In this talk, Ed will analyze this shift, looking at actual attacks against the power grid, water systems, transportation infrastructure, and more. We'll see how the separation of the computer realm from the kinetic world is evaporating, as most equipment is online all the time. We'll discuss how hackers and information security professionals can marshal our capabilities to apply the hard-fought lessons we've learned in securing data to the kinetic control system realm, along with the types of new skills and thinking that will be required. We'll also look at how kinetic attacks are modeled in the CyberCity project, a miniaturized town constructed to help train government and military warriors about how computer attacks can have significant kinetic impact.


"Cyber" Momentum: Understanding & Leveraging the National Cybersecurity Policy Debate
Jack Whitsitt - Principal Analyst, Energysec

As the national dialogue on cybersecurity and critical infrastructure reaches a fevered and occasionally irrational pitch - most visible in the form of relentless media reporting, constant legislative proposals, and a forthcoming Executive Order - many are left wondering what it all means and how to respond. In particular, this talk will focus on providing context and conceptual tools to help dissect, interpret, and respond to the present momentum in ways which will create opportunities for your organization rather than risks. The second half of the talk will allow the audience to interactively guide follow-up discussion.

Jack Whitsitt is currently a Principal Analyst at Energysec, a non-profit electric sector information sharing organization. There, he is also the lead facilitator and thought leader for a national public/private partnership initiative with more than 50 companies participating to assess the business risk from cybersecurity to a specific industry. 

Prior to Energysec, Jack was one of the two primary federal points of contact for transportation industry cyber security at TSA and co-led the development of a sector-wide cybersecurity strategy and the first ever transportation sector cyber exercise. Past, more operational, roles and projects have included time at Idaho National Laboratory supporting ICS-CERT and the National Cybersecurity & Communications Integration Center (NCCIC) and the development of cutting edge SOC correlation tools and techniques for an MSSP. 

Entering the security world 10 years ago as an open source developer, his unusual combination of hard technical knowledge, public/private partnership development and outreach expertise, and national level risk management perspectives allow him to provide particular insight into the current state of the national cybersecurity dialogue and how it can best be leveraged by industry.

Pwnie Express presents Practical MitM Pentesting
Jonathan Cran

With the explosion of small embedded devices, your internal network just got turned into a dark alleyway. This presentation will arm you with the knowledge you need to protect and test yourself. We'll give you a quick run-through of the history of man-in-the-middle attacks, document and detail tips and tricks, and bring you an arsenal of tools you can use.

Jonathan is the CTO at Pwnie Express. He leads the development of Pwnie Express's security assessment platform. He previously built and ran the quality assurance program for Rapid7's Metasploit products. Before joining Metasploit, Jonathan was a penetration tester and assessment team lead with Rapid7. Jonathan has been heavily involved in the open source and security communities for eight years, was a developer and network administrator for Iowa State University, and is an advisor for the SOURCE Boston conference.

Insider Threat: Hunting for Authorized Evil
Tom Cross - Lancope

The prevalence of Insider Threat is often a subject of disagreement and unsourced statistical assertions. Many approaches to addressing the problem are both ineffective and overbearing at the same time. Complicating the issue as well is the need to detect the use of legitimate access credentials by external attackers. This talk will review academic research into Insider Threats, discussing the frequency and impact of the attacks and who does them and why. The talk will then cover strategies for managing the problem from both a business and technical point of view, discussing different techniques for identifying suspicious activity in large collections of data.

Strategic Analysis of the iOS Jailbreak Development Community
Dino Dai Zovi - Trail Of Bits

Attackers, just like defenders, are resource-constrained. The choices of where to look for exploitable vulnerabilities and how to leverage them are shaped by the resources at the attackers' disposal, the relative difficulty of the available attack surfaces and vectors, and the return on attack investment. Malicious attackers, however, are rarely forthcoming with their strategies, expenditures, or forecasts. The jailbreak development community, in contrast, is much more visible with blog posts, Tweets, and public software releases. As the technical development of a jailbreak overlaps significantly with the development of a malicious attack, the high-visibility jailbreak development community can serve as an analysis proxy for the low-visibility malicious attacker communities. An analysis of the jailbreak community's strategies can thus serve as a model for the strategies of malicious attacker communities. These communities, however, are not completely isolated. An advanced public jailbreak community provides information, tools, and know-how that may be leveraged by malicious attackers as well. This presents a choice for an integrated hardware and software platform vendor: should jailbreaking be facilitated in order to discourage the release of advanced jailbreaks that may easily be repurposed as malicious attacks? Or should the jailbreak release and security patch cycle be encouraged in order to identify and fix vulnerabilities that may also be discovered and exploited by malicious attackers?

A Brief History of Physical Security - Schuyler Towne

This talk will take you from the door seals of ancient Mesopotamia to the proving grounds of LockCon in the Netherlands, with particular attention paid to the evolution of mechanical locks. We'll explore the myriad uses of locks, and find out why our present relationship to them is so far from their intended purpose. And throughout our exploration of the history of physical security you may see parallels to, and possible futures of, digital security.

Schuyler Towne (@shoebox) is a research scholar at the Ronin Institute, studying the history of security. He has been a competitive lockpicker, an expert consultant for television producers and mystery authors, and a guest lecturer at Princeton & MIT. He has recently embarked on a project to recover as much information as possible on the lock patents lost in the Patent Office fire of 1836.


Practical Exploitation of Embedded Systems - Andrea Barisani, Inverse Path

The presentation covers some exotic challenges arising from the in-depth exploration of the reverse engineering and exploitation of embedded systems.

We will cover hardware by showing how to identify and probe debugging and I/O ports on undocumented circuit board layouts.

We will cover software by exploring analysis, reverse engineering and binary patching techniques for obscure real-time OSes and firmware images, with real-world examples.

We are also going to address the post compromise art of debugging and patching running live kernels with custom backdoors or interception code.

At least one Apple laptop embedded subsystem will be harmed during the course of the presentation.

Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break.

His experiences focus on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 13 years of professional experience in security consulting.

Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Security Incident Response Team.

He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box, PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.


Hiring/Recruitment - Hosted by Lee Kushner

The need for information security talent is increasing. Bright, passionate, information security professionals have a number of options to choose from as they select their places of employment. Making the correct decisions early in one's career can have a huge impact on your ability to accelerate your career, and gain experience that can be effectively leveraged as you journey toward your career goals. The decision is not an easy one, and without any experience it is often difficult to determine which opportunities are best suited for you.

In this session, well-respected companies are going to provide their value proposition to the SOURCE attendees in an attempt to best describe why their work environment is a valuable option. Seeing each of these opportunities side by side will help the attendees make comparisons and differentiate between them. This presentation will be moderated by Lee Kushner, who will help audience members ask the difficult questions and share guidance on how to handle the interview process that will be useful in ultimately determining which opportunities are best suited for them. Upon conclusion of the session, attendees will be encouraged to network with the panelists during the break.

**This session is NOT solely for new information security professionals who are searching for positions. The information shared during the session should be helpful in educating all SOURCE attendees on how to prepare for interviews and to better understand employers' expectations during the interview process.**


Analysis of The BroBot DDOS Attack - Eric Kobrin, Akamai

Eric Kobrin is a Senior Security Architect in the Infosec organization of Akamai Technologies, the global leader in Cloud-based application acceleration and content delivery. Eric has been involved in Software Architecture for over 15 years, having worked at such companies as IBM, Velocitude and He has a passion for programming languages, security, and software performance and has worked in all layers of the software stack from hypervisors to complex servers and web applications. Eric's works have been published, presented at international conferences and patented. Some of Eric's core competencies, in addition to Application Security Architecture, are performance, mobile development, mobile web, web development, mobile strategy, technical instruction, virtualization, hypervisors, Java, Perl, Clojure, C, JavaScript, Bourne shell, HTML, CSS, HTTP and Linux.

His presentation will provide an analysis of the use of BroBots to launch DDOS attacks, including discussion of vulnerable system discovery, zombie compromise, control structure, attack traffic and mitigation steps.

Speed Networking - Hosted by Jonathan Cran

Think all of the good talent has left Boston? Think again. This session is a great chance to meet infosec professionals in the SOURCE community. Join us for a friendly assembly where you will be placed 1-1 with other SOURCE attendees. Following the widely known speed networking format, this interactive session allows you to create new friends and contacts. Libations available at the cash bar.

Adversarial Resilience at the Planetary Scale - Christian Ternus, Akamai

Denial-of-Service attacks seem to come out of nowhere, and reacting to them - much less predicting them - can keep you up at night.  When there's no way to know what the next attack will look like, how can you keep your infrastructure robust and defensible?  Here's how Akamai's Adversarial Resilience team defends an attack surface the size of the Internet.
