SOURCE Boston 2010 Schedule
| Time | Application Security | Security Technology | The Business Of Security |
|---|---|---|---|
| 8:00 AM | Registration Opens | | |
| 8:50 AM - 9:00 AM | Opening Remarks | | |
| 9:00 AM - 9:50 AM | Andy Purdy Keynote | | |
| 10:00 AM - 10:50 AM | Windows File Pseudonyms: Pwnage and Poetry (Dan Crowley, Core Security Technologies) | How to Detect Penetration Testers (Ron Gula, Tenable Network Security) | Cloud Security: The Road Ahead (Dov Yoan & Chris Hoff, Cloud Security Alliance) |
| 11:00 AM - 11:50 AM | Into the Rabbit Hole: Execution Flow-Based Web Application Testing (Rafal Los & Matt Wood, HP Software) | We Found Carmen San Diego (Don Bailey, iSec Partners & Nick DePetrillo) | Knock knock. How attackers use social engineering to bypass your defenses (Lenny Zeltser, Savvis and SANS Institute) |
| 12:00 PM - 1:00 PM | Lunch | | |
| 1:00 PM - 1:50 PM | HD Moore Keynote | | |
| 2:00 PM - 2:50 PM | NT Object Insecurity (Riley Hassell, iSec Partners) | Drinking from the Firehose: Ten Years of Vulnerabilities through the CVE Lens (Steve Christey, MITRE) | Failagain's Island - The Perils of Banking in an Island Nation (Andrew Hay, University of Lethbridge) |
| 3:00 PM - 3:30 PM | Break | | |
| 3:30 PM - 4:20 PM | Rooting Out the Bad Actors (Alex Lanstein, FireEye Inc.) | Practical Return-Oriented Programming (Dino Dai Zovi) | Realities of Starting a Security Company - Part 1: The Entrepreneurs (Philippe Langlois, Rob Cheyne, Raffy Marty, Eugene Kuznetsov; moderated by John Cran) |
| 4:30 PM - 5:20 PM | Attacking WebOS (Chris Clark, iSec Partners & Townsend Ladd Harris) | The Four Types of Locks (Deviant Ollam, The CORE Group) | Realities of Starting a Security Company - Part II: The Investors (John Harthorne, Jeff Fagnan, Emerson Tan, Chris Swan, Vishy Venugopalen) |
| 5:30 PM - 8:00 PM | Security Start-up Competition And Reception | | |
| 8:00 PM - 11:00 PM | Rapid7 Party @ Revolution RockBar | | |
THURSDAY
| Time | Application Security | Security Technology | The Business Of Security |
|---|---|---|---|
| 8:00 AM - 9:00 AM | Breakfast | | |
| 9:00 AM - 9:50 AM | Sam Curry | | |
| 10:00 AM - 10:50 AM | Managed Code Rootkits – Hooking into Runtime Environments (Erez Metula, AppSec) | Mike Kershaw | |
| 11:00 AM - 11:50 AM | Stacked Turtles - Predicting The Future State Of Cloud Computing By Staring Wide-Eyed At The Present (Chris Hoff, Cisco) | ZigBee Hacking and the Kinetic World (Josh Wright, InGuardians Inc.) | Legal Aspects of Computer Network Security and Privacy (Robert Clark, Cybersecurity and Communications, Department of Homeland Security) |
| 12:00 PM - 12:30 PM | Snack | | |
| 12:30 PM - 1:20 PM | Why the Google Aurora Attack Will Happen Again. How to Analyze your Defenses and Stay Out of the Headlines (Vikram Phatak, NSS Labs) | Gain Comfort in Losing Control to the Cloud (Randolph Barr, Qualys) | |
| 1:30 PM - 2:20 PM | Why Blackhats Always Win (Val Smith, Attack Research & Chris) | Blackberry Mobile Spyware - The Monkey Steals the Berries (Part Deux) (Tyler Shields, Veracode) | Protecting Customers from Online Threats (Allison Miller, Paypal) |
| 2:30 PM | Closing Remarks | | |
| 2:30 PM - 3:00 PM | SOURCE Feedback Session | | |
| 5:30 PM - 7:00 PM | Security Twits Reception @ Harpoon Brewery, Sponsored by | | |

Andy Purdy was a member of the White House staff team that helped to draft the U.S. National Strategy to Secure Cyberspace (2003). Shortly after its release by President Bush in February 2003, Mr. Purdy went to the Department of Homeland Security to serve on the tiger team that helped to form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT). Mr. Purdy worked at DHS for three and a half years, the last two heading the NCSD and US-CERT, in a capacity that has been referred to as the “Cyber Czar” of the U.S. In 2006-2007, he served as a Special Government Employee on the Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD Software.
Mr. Purdy also serves as Co-Director of the International Cyber Center at George Mason University, Fairfax, Virginia. The International Cyber Center at George Mason University was formed to promote strategic collaboration and information sharing to address major cyber issues such as CERT capacity building in the developing world, coordination of global cyber R&D efforts, and facilitating a global approach to cyber crime and other malicious activity (www.internationalcybercenter.org). Mr. Purdy joined CSC after serving as President of DRA Enterprises, Inc. (www.andypurdy.com), specializing in IT consulting, business development, and government relations. He was also a partner with the law firm of Allenbaugh Samini Gosheh, LLP (www.alsalaw.com), with headquarters in Irvine, California.
Before joining the White House staff, Mr. Purdy served as Acting General Counsel, and long-time Chief Deputy General Counsel at the U.S. Sentencing Commission. Mr. Purdy served as an Assistant U.S. Attorney in the Eastern District of Pennsylvania, Senior Staff Counsel of the House Select Committee on Assassinations, Special Counsel to the House Committee on Standards of Official Conduct (Ethics), and Counsel to the Senate Impeachment Trial Committee (on the articles against Judge Walter Nixon). He also served for five years in network television news as an Associate Producer for NBC News magazines, and Producer for the CBS News broadcast NIGHTWATCH in Washington, D.C.
Mr. Purdy is on the Executive Advisory Board of BigFix, Inc., and the Advisory Boards of HBGary, Lancope, Inc., Lookingglass, Inc., TrustDefender, Wombat Technology, and 3VR Security, Inc.
HD is Chief Security Officer at Rapid7 and Chief Architect of Metasploit, the leading open-source penetration testing platform. HD founded the Metasploit Project in the summer of 2003 with the goal of becoming a public resource for exploit code research and development. Prior to joining Rapid7 and continuing his work on the Metasploit Framework, HD was the Director of Security Research at BreakingPoint Systems, where he focused on the content and security testing features of the BreakingPoint product line. Prior to BreakingPoint, HD spent seven years providing vulnerability assessments, leading penetration tests, and developing exploit code.
Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle product security, as well as security evaluations, assessments and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC), is a member of the Global Chief Security Officer Council and the editorial advisory board of SC Magazine. She was named one of Information Security's top five "Women of Vision" and is a 2004 Fed100 award recipient from Federal Computer Week. She has served on the Defense Science Board and is a member of the Center for Strategic and International Studies Cyber Commission for the 44th President. She was recently named to the Information Systems Security Association Hall of Fame.
Ms. Davidson has a B.S.M.E. from the University of Virginia and a M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, during which she was awarded the Navy Achievement Medal.
Sam Curry, Chief Technologist, The Security Division of EMC
Sam Curry is Chief Technologist at RSA, The Security Division of EMC. Mr. Curry has more than 18 years of experience in security product management and development, marketing, quality assurance, customer support and sales. Mr. Curry has also been a cryptographer and researcher and is a regular contributor to Internet Banking Security. Prior to his current role, Mr. Curry was Vice President of Product Management where he led the strategic direction for all RSA solutions. Prior to joining RSA, Mr. Curry was Vice President of Product Management and Marketing for a broad information security management portfolio at CA. Previously, Mr. Curry was also Chief Security Architect and had led Product Marketing and Product Management at McAfee. Earlier, Mr. Curry was a founder of a successful technology company. Mr. Curry is a frequent speaker at industry events and has been quoted in Forbes, Bloomberg, CNET, Technology Review, PC World and Computerworld. He has also appeared on Tech TV, CNN and MSNBC. Mr. Curry holds a B.A. in English from the University of Massachusetts and a B.S. in Physics from Mount Allison University.
TRACK 1 : APPLICATION SECURITY
0-Knowledge fuzzing, Vincenzo Iozzo, Zynamics
Nowadays fuzzing is a pretty common technique used both by attackers and software developers. Currently known techniques usually involve knowing the protocol/format that needs to be fuzzed and having a basic understanding of how the user input is processed inside the binary. In the past, since fuzzing was little used, obtaining good results with a small amount of effort was possible. Today finding bugs requires digging a lot inside the code and the user input, as common vulnerabilities are already identified and fixed by developers. This talk will present an idea on how to effectively fuzz with no knowledge of the user input and the binary. Specifically, the talk will demonstrate how techniques like code coverage, data tainting and in-memory fuzzing allow one to build a smart fuzzer with no need to instrument it.
Linux Kernel Exploitation: Earning Its Pwnie a Vuln at a Time, Jon Oberheide, University of Michigan
As userspace applications and services become increasingly hardened against traditional memory corruption exploits, operating system kernels have become a source of abundant exploitation opportunities. In particular, the Linux kernel has recently suffered a bout of severe and high-profile vulnerabilities and drawn ire from the security community for its mishandling of bugs with known security impact, resulting in a Pwnie award for "Lamest Vendor Response". Given the important role the Linux operating system plays in many enterprise environments, it is necessary to understand the strengths and weaknesses of its kernel's security. In this presentation, we'll explore these strengths and weaknesses by diving deep into the exploitation of vulnerabilities in the Linux kernel. Using real-world vulnerabilities and exploits, we'll detail the traditional classes of kernel vulnerabilities such as control flow hijacking (via stack smashing and SLAB/SLUB/SLOB allocator corruption), invalid userland memory accesses (including NULL pointer dereferences), and information leakage. In addition to traditional bug classes, we'll cover the semantic vulnerabilities inherent in complex operating systems that require deep knowledge of kernel internals to identify and exploit subtle conditions (e.g. desynchronization in the VM subsystem), some of which were previously thought to be unexploitable. We'll also explore the attack surface of the Linux kernel and enumerate the most common vulnerability entry points using historical data. Lastly, we'll release several tools assisting vulndev/auditing and discuss the effectiveness of deployed countermeasures and best current practices for securing the Linux kernel.
Jon Oberheide is the CTO of Scio Security, an Ann Arbor-based startup. He previously attended the University of Michigan for a BS, MS, and PhD in Computer Science and has held positions at Merit Networks and Arbor Networks. Jon has presented at numerous security conferences, both in academia (USENIX Security, WOOT, HotSec, etc) as well as the industry (BlackHat, CanSecWest, NANOG, etc).
NT Object Insecurity, Riley Hassell, iSec Partners
At the core of the Microsoft Windows operating system is the Object Manager. This subsystem is one of the most used and also least documented subsystems within Microsoft Windows. We use it for every action we perform. The management of all files, registry keys, shared memory, LPC ports, and many other object types is handled by the Object Manager. During this presentation we will discuss this subsystem in depth and how it affects the security of Windows applications. A new tool will be released, ObjectTrace, that can be used to enumerate the Windows objects that are created insecurely by targeted applications. After completing the introduction, other advanced topics will be covered, including new privilege escalation techniques and hardening strategies. While the methodologies are focused on Microsoft Windows, they can be applied to other operating systems.
Windows File Pseudonyms: Pwnage and Poetry, Dan Crowley, Core Security Technologies
In Windows systems, path and filename normalization routines have some interesting quirks. One file can be referred to with many different file paths; some are well known, and some are not. The lesser known ways to refer to files are not often considered when designing security mechanisms. By referring to files in these strange ways one can, in many circumstances, cause unexpected behaviour in systems which do not account for alternate prefixes, aliases and mangled versions of filenames. In this presentation, I will show some of these quirks with a live demonstration on real products and how techniques based on these quirks can be used to bypass filters and access control mechanisms, evade IDS detection, alter the way that files are handled and processed, and make brute force attacks to enumerate files easier. This presentation will also feature the release of a new tool.
Dan Crowley is an independent security researcher and lecturer also working for Core Security Technologies. Dan runs a security education group called CSEC, which is in the process of becoming a hackerspace. In his free time, he can frequently be found playing with Web-based technologies and locks.
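As an added example that is not part of the talk or its tool, the Python below contrasts the filter most applications actually ship (an exact string match against a denylist) with one that first reduces the user-supplied path to the name Windows would really open. The denylist, file names and attacker variants are constructed for illustration. The normaliser encodes documented Win32 behaviour only (case-insensitive names, trailing dots and spaces dropped, `/` accepted as a separator, the `\\?\` and `\\.\` prefixes, the `::$DATA` default-stream suffix); it deliberately leaves out 8.3 short names such as `WEB~1.CON`, because those depend on the volume and can only be resolved by asking the filesystem, never by string manipulation.

```python
r"""
Added example (not the speaker's tool): a raw-string filename denylist
versus one that canonicalises the way Win32 does before comparing.

Modelled Win32 behaviour (all documented): names are case-insensitive,
trailing dots and spaces are dropped from a component, '/' works as a
separator, \\?\ and \\.\ prefixes reach the same object as the plain path,
and "name::$DATA" is the file's default data stream, i.e. the file itself.
NOT modelled: 8.3 short names (WEB~1.CON), which need GetLongPathName.
"""
import ntpath

PROTECTED = {"web.config", ".htpasswd", "secrets.txt"}   # constructed denylist


def naive_is_blocked(user_path: str) -> bool:
    """The filter as often written: exact match on what the user sent."""
    return user_path in PROTECTED


def win32_canonical_name(user_path: str) -> str:
    """Reduce a user-supplied path to the final component Windows would open,
    in a comparable lowercase form."""
    p = user_path.replace("/", "\\")
    for prefix in ("\\\\?\\", "\\\\.\\"):        # verbatim / device namespace
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    name = ntpath.basename(p)                   # last component (drive-aware)
    name = name.split(":", 1)[0]                # drop ":stream:$DATA" suffix
    name = name.rstrip(". ")                    # Win32 strips trailing dots/spaces
    return name.lower()                         # NTFS lookups are case-insensitive


def canonical_is_blocked(user_path: str) -> bool:
    return win32_canonical_name(user_path) in PROTECTED


# Constructed variants an attacker would try against a filter for web.config.
PSEUDONYMS = [
    "web.config",
    "WEB.CONFIG",
    "web.config.",
    "web.config   ",
    "web.config::$DATA",
    "/inetpub/wwwroot/web.config",
    "\\\\?\\C:\\inetpub\\wwwroot\\web.config",
    "C:\\inetpub\\wwwroot\\Web.Config. ::$DATA",
]


def bypass_report(paths=PSEUDONYMS) -> dict:
    """Map each variant to (naive verdict, canonical verdict)."""
    return {p: (naive_is_blocked(p), canonical_is_blocked(p)) for p in paths}


if __name__ == "__main__":
    for path, (naive, canon) in bypass_report().items():
        print("%-45r naive=%-5s canonical=%s" % (path, naive, canon))
```

Only the first variant is caught by the naive filter; all eight are caught once the comparison happens on the canonical name. In production code the comparison should be done on the path the operating system reports back (GetFinalPathNameByHandle on an opened handle, or GetLongPathName), which also covers the 8.3 aliases this string-level model cannot.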
An Uninvited Guest (Who Won't Go Home), Bill Blunden, Below Gotham
While there are a multitude of battle-tested forensic tools that focus on disk storage, the domain of memory analysis is still emerging. In fact, even the engineers who work at companies that sell memory-related tools have been known to admit that the percentage of investigators who perform an in-depth examination of memory is relatively small. In light of this, staying memory resident is a viable strategy for rootkit deployment. The problem then becomes a matter of remaining inconspicuous and finding novel ways to survive a system restart. In this presentation I’ll look at rootkit technology that tackles both of these issues on the Windows platform.
Bill Blunden (MCSE, MCITP: Enterprise Administrator) began his journey into enterprise computing over ten years ago at an insurance company in Cleveland, Ohio. Gradually forging a westward path to Northern California, he's worked with ERP middleware, developed code for network security appliances, and taken various detours through academia.
Attacking WebOS, Chris Clark, iSec Partners & Townsend Ladd Harris
WebOS developers work with a large spectrum of web and system languages, including JavaScript, Java, and C++. WebOS is the first mobile platform that primarily uses web languages; however, we believe that they will become more common as platform vendors court the massive web developer community. But web developers do not understand the subtleties of how the mobile security model differs from that of the web. For example, WebOS does not enforce the Same Origin Policy (SOP), and some valuable user data is shared. Consequently, minor web application vulnerabilities have a much larger impact on WebOS phones.
Almost all WebOS applications run as JavaScript within a WebKit process. However, the same privileges do not apply to all applications. Attackers can use techniques such as Cross-Site Scripting or buffer overflows to compromise low-privileged applications and then exploit WebOS-specific vulnerability classes, such as Card Parameter Injection, to compromise system services and elevate privileges. This presentation will show how to find and exploit these vulnerabilities, a topic which has never been discussed in a public forum.
Combined, the presenters published the first WebOS security information and responsibly disclosed over ten WebOS vulnerabilities. Discovering these vulnerabilities required developing innovative security testing techniques. For example, we created a WebOS specific fuzzing agent that uses JavaScript to monitor and detect application failures. We plan on releasing these tools at SOURCE Boston.
Into the Rabbit Hole: Execution Flow-Based Web Application Testing, Rafal Los & Matt Wood, HP Software
Since the caveman first fashioned a spear, humans have been using tools to make themselves more efficient and effective. Unfortunately, today's analysts often misunderstand the role tools play in testing web applications. While tools can be quite good at mapping a web application's attack surface, there is still much human analysis that must be done to find the elusive defects that lie just below the surface. That human analysis is daunting and irregular ... until now. The answer is an execution-flow-based approach to application security testing. By first understanding application logic and execution flow it is possible to completely map a web application's attack surface, and therefore fully test the application. Along the way, we will cover the principles of data-flow analysis, application process mapping and building execution-flow diagrams (EFDs), which together form a complete picture of the web application and allow an analyst to uncover potentially critical defects.
Rafal's unique blend of technical expertise and business knowledge enables him to teach audiences about security techniques, programs and processes that they can both understand strategically and realistically apply. He has extensive experience in security testing, risk analysis and management, penetration testing, and architecture and policy.
Matt Wood is currently the lead security researcher in HP’s Web Security Research Group. He has been involved in security for 6 years both professionally and academically. Matt has led the development of both HP Scrawlr and HP SWFScan, which are free security tools designed to help organizations find SQL injection and Adobe Flash security vulnerabilities, respectively. Beyond making sweet free tools, he has also given numerous presentations at major security conferences including BlackHat and RSA. Matt currently is focusing his research on client-side static analysis and using AI to help security practitioners audit complex Ajax/RIA applications.
Cracking the Foundation: Attacking WCF Web Services, Brian Holyfield, Gotham Digital Science
Hacking a web service generally isn't rocket science. But what if the web service requires messages to be sent using a binary protocol? What if it requires message level encryption but you don't have a key? These are just a few common scenarios you are likely to encounter when trying to attack a web service built with Windows Communication Foundation (WCF). Through a series of live demonstrations, the presentation will show how to identify and attack WCF web services and discuss useful tools and tips to make testing WCF services easier. Attendees will leave with the knowledge necessary to effectively conduct penetration testing against WCF applications.
The following live demonstrations will be conducted (time permitting):
- Burp Plug-in for WCF Binary Soap Messages (MC-NBFS)
- De-compilation of Silverlight XAP for obtaining WCF Meta Data
- Crafting Meta Data Exchange (MEX) Requests for Retrieving WCF Meta Data
- Communicating with WCF using WS-S Anonymous Message Encryption
- Writing a Custom WCF Test Client (in less than 10 lines of code)
- TCP Port Probing through WCF Duplex Callback Channels
Presentation Outline:
1. WCF Overview
2. Silverlight WCF Web Services
2a. MC-NBFS Protocol
2b. Obtaining Meta Data from WCF
2c. Analyzing Silverlight XAP
3. Secure WCF Binding
3a. WS-S Message Encryption
3b. Custom WCF Clients
4. WCF Duplex Services
4a. Attacking Callback Channels
Brian Holyfield is a founding member of Gotham Digital Science. He has worked in the information security industry for over 10 years, and specializes in software security. Brian is a frequent speaker at security conferences and a regular contributor on the GDS Security Blog.
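To make the first demonstration item concrete, here is a decoder for a subset of MC-NBFS (.NET Binary XML), the encoding behind WCF binary SOAP. This is an added example for this page, not the speaker's Burp plug-in. The record type codes follow the MC-NBFS specification; the embedded static-dictionary entries are a small slice of the spec's table and should be checked against it; the per-session dictionary that WCF peers negotiate in-band is left as an optional parameter, so odd dictionary ids raise unless supplied. The sample bytes are constructed by hand, not a capture.

```python
"""
Decoder for a subset of MC-NBFS (.NET Binary XML), the wire format WCF uses
for binary SOAP (Silverlight binaryMessageEncoding, NetTcpBinding).
Added example for this page, not the speaker's Burp plug-in.  Record codes
follow the MC-NBFS spec; only the records needed for the sample are handled.
"""
import struct
from xml.sax.saxutils import escape

# Subset of the MC-NBFS static dictionary (verify against the spec appendix).
# Static ids are even (2 * index); odd ids are per-session strings that real
# WCF peers negotiate in-band and that this decoder does not learn by itself.
STATIC_DICT = {0: "mustUnderstand", 2: "Envelope",
               4: "http://www.w3.org/2003/05/soap-envelope",
               6: "http://www.w3.org/2005/08/addressing",
               8: "Header", 10: "Action", 12: "To", 14: "Body"}
INT_TEXT = {0x88: "<b", 0x8A: "<h", 0x8C: "<i", 0x8E: "<q"}   # Int8/16/32/64Text
LITERAL_TEXT = {0x80: "0", 0x82: "1", 0x84: "false", 0x86: "true"}


class NbfsDecoder:
    def __init__(self, data: bytes, session_dict=None):
        self.buf, self.pos = data, 0
        self.dict = {**STATIC_DICT, **(session_dict or {})}

    def byte(self) -> int:
        self.pos += 1
        return self.buf[self.pos - 1]

    def raw(self, n: int) -> bytes:
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def mb31(self) -> int:
        """MultiByteInt31: base-128 varint, least significant group first."""
        value, shift = 0, 0
        while True:
            b = self.byte()
            value |= (b & 0x7F) << shift
            shift += 7
            if not b & 0x80:
                return value

    def string(self) -> str:
        return self.raw(self.mb31()).decode("utf-8")

    def dict_string(self) -> str:
        key = self.mb31()
        if key not in self.dict:
            raise ValueError("unknown dictionary string id %d" % key)
        return self.dict[key]

    def element_name(self, rec: int) -> str:
        if rec == 0x40: return self.string()                          # ShortElement
        if rec == 0x41: return self.string() + ":" + self.string()    # Element
        if rec == 0x42: return self.dict_string()                     # ShortDictionaryElement
        if rec == 0x43: return self.string() + ":" + self.dict_string()
        if 0x44 <= rec <= 0x5D:                                       # PrefixDictionaryElementA..Z
            return chr(ord("a") + rec - 0x44) + ":" + self.dict_string()
        return chr(ord("a") + rec - 0x5E) + ":" + self.string()       # PrefixElementA..Z

    def text(self, rec: int) -> str:
        base = rec & ~1                   # odd code = same text followed by EndElement
        if base in LITERAL_TEXT: return LITERAL_TEXT[base]
        if base in INT_TEXT:
            fmt = INT_TEXT[base]
            return str(struct.unpack(fmt, self.raw(struct.calcsize(fmt)))[0])
        if base in (0x98, 0x9A, 0x9C):    # Chars8/16/32Text: length then UTF-8
            n = {0x98: self.byte, 0x9A: lambda: struct.unpack("<H", self.raw(2))[0],
                 0x9C: lambda: struct.unpack("<i", self.raw(4))[0]}[base]()
            return self.raw(n).decode("utf-8")
        if base == 0xA8: return ""                                    # EmptyText
        if base == 0xAA: return self.dict_string()                    # DictionaryText
        if base == 0xB6: return self.raw(self.byte()).decode("utf-16-le")  # UnicodeChars8Text
        raise ValueError("unsupported text record 0x%02x" % rec)

    def attribute(self, rec: int) -> str:
        if rec in (0x08, 0x09, 0x0A, 0x0B):                           # xmlns records
            prefix = ":" + self.string() if rec in (0x09, 0x0B) else ""
            value = self.dict_string() if rec in (0x0A, 0x0B) else self.string()
            return 'xmlns%s="%s"' % (prefix, escape(value))
        prefix = self.string() + ":" if rec in (0x05, 0x07) else ""   # prefixed forms
        name = self.dict_string() if rec in (0x06, 0x07) else self.string()
        return '%s%s="%s"' % (prefix, name, escape(self.text(self.byte())))

    def decode(self) -> str:
        out, stack, tag_open = [], [], False
        while self.pos < len(self.buf):
            rec = self.byte()
            if 0x40 <= rec <= 0x77:                      # element start
                if tag_open: out.append(">")
                stack.append(self.element_name(rec))
                out.append("<" + stack[-1]); tag_open = True
            elif 0x04 <= rec <= 0x0B:                    # attribute, start tag still open
                out.append(" " + self.attribute(rec))
            elif rec == 0x01:                            # EndElement
                if tag_open: out.append(">"); tag_open = False
                out.append("</%s>" % stack.pop())
            elif 0x80 <= rec <= 0xBD:                    # text record
                if tag_open: out.append(">"); tag_open = False
                out.append(escape(self.text(rec)))
                if rec & 1: out.append("</%s>" % stack.pop())   # ...WithEndElement
            else:
                raise ValueError("unsupported record 0x%02x at offset %d" % (rec, self.pos - 1))
        if stack:
            raise ValueError("truncated message, %d element(s) still open" % len(stack))
        return "".join(out)


def decode_nbfs(data: bytes, session_dict=None) -> str:
    return NbfsDecoder(data, session_dict).decode()


# Constructed sample (not a capture): a Silverlight-style Login call.
SAMPLE = bytes([
    0x56, 0x02,                              # PrefixDictionaryElementS "Envelope" -> <s:Envelope
    0x0B, 0x01, 0x73, 0x04,                  # DictionaryXmlnsAttribute xmlns:s = soap-envelope
    0x56, 0x0E,                              # <s:Body>
    0x40, 0x05, *b"Login",                   # ShortElement <Login
    0x04, 0x02, *b"id", 0x8C, 0xD2, 0x04, 0x00, 0x00,   # ShortAttribute id=Int32Text(1234)
    0x40, 0x04, *b"user", 0x99, 0x03, *b"bob",          # <user> Chars8TextWithEndElement
    0x40, 0x03, *b"pin", 0x8B, 0x39, 0x30,              # <pin> Int16TextWithEndElement 12345
    0x01, 0x01, 0x01,                        # </Login></s:Body></s:Envelope>
])

if __name__ == "__main__":
    print(decode_nbfs(SAMPLE))
```

A proxy plug-in does this in both directions so the tester can edit the XML and re-encode it. From a testing point of view the interesting fields are the ones the decoder trusts: the MultiByteInt31 and Chars16/Chars32 length prefixes and the dictionary ids, which is where a fuzzer aimed at a WCF endpoint's decoder would start.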
Rooting Out the Bad Actors, Alex Lanstein, FireEye, Inc.
Considering the remarkably small number of data centers that host services for those groups who operate the most sophisticated malware and botnets on the Internet, it's surprisingly difficult to detect and stop the illicit activities of these bad actors. Why? There are three primary reasons.
First, it's due in part to the international nature of their business. While hosting providers in the Eastern Bloc might openly market Spam Email Services, ICQ Based Spam and Spam Hosting among their service offerings, their operations are much more covert, leveraging US-based hosting fronts, multi-national partnerships, IP space sharing and more. Cyber security experts say this handful of ISPs and domain name registrars work closely with cyber criminals to support spam operations (still a highly lucrative business), Web sites that sell fake software, and other scams. Starline Web Services hosted out of Estonia, ZlKon hosted out of Latvia, and Atrivo's relationship with Chinese provider HostFresh are some examples that illustrate the global reach of bad actors and their hosting providers.
Another difficulty in stopping bad actors is their speed and agility in responding to shut downs and countermeasures. Botnets are designed from the ground up to be highly complex, intertwined and reliable. Cyber criminals program contingency plans into their bots through DNS algorithms and other schemes. The Mega-D botnet take down involved a coordinated shutdown of C&C servers, DNS relays, and domain name registrars led by FireEye research. As another example, when San Jose-based hosting provider McColo was shut down in the fall of 2008, stranded Srizbi bots utilized a DNS algorithm to search out new rogue servers. Hackers were then able to get those bots back online within days through another ISP in Estonia.
It's not only the shut downs that cyber criminals are prepared for; their scams showcase increasing stealth and sophistication to evade detection at every step and execute their payloads. Some popular exploits include the DNSChanger Trojan that can override ISP settings to reroute traffic through rogue DNS servers; redirectors that take users to exploit sites; fake antivirus sites and other counterfeit software; .gif files that appear harmless but in actuality house stolen data; and more. Cyber criminals increasingly marry a Web-based infiltration exploit with a call back to the C&C infrastructure, establishing an unmonitored callback channel to siphon information and resources from victims.
The third chief obstacle in combating bad actors and their providers is the lack of law enforcement resources and interest. Hosting providers wishing to maintain a semblance of legitimacy may respond to complaints or pressure from their upstream ISPs to shut down suspected malicious servers. However, the rogue IPs usually pop up elsewhere, either through a sister organization or another less scrupulous hosting provider. Domestic law enforcement wields what force it has, but without a multi-national effort among authorities, providers and domain name registrars, there is little systemic impact protecting the health of the Internet.
This session will examine the most recent Web exploits perpetrated by Starline Web Services, ZlKon, Atrivo/Intercage, HostFresh, UralNet and other bad actors. Discussion will include popular attack schemes, obfuscation tactics and hosting models. Extensive research findings and case studies will be shared to illuminate key points and discuss malware and botnet activity.
Alex handles sales engineering and security research. Most recently, his research has been covered in the Washington Post, PC World, and CSO Magazine. Prior to FireEye, Alex was founder and network administrator of an Internet hosting company. His areas of expertise include malware, network security, and functional binary analysis.
Managed Code Rootkits – Hooking into Runtime Environments, Erez Metula
This presentation introduces an underestimated threat of application level rootkit attacks on managed code environments, enabling an attacker to change the language runtime implementation and to hide malicious code inside its core. We'll be covering generic methods of malware development (rootkits, backdoors, logic manipulation, etc.) for application VMs such as Java, .NET, Dalvik, and other managed code platforms by changing their internal behavior. The presentation will include attack scenarios and demos of information logging, reverse shells, backdoors, encryption key fixation, and other nasty things. This presentation will introduce the new version of "ReFrameworker" (previously known as .NET-Sploit), a generic language modification tool that can be used to implement the application level rootkit concept. More information on Managed Code Rootkits (MCR) can be found here:
http://www.AppSec.co.il
Erez Metula is an application security consultant, spending most of his time finding software vulnerabilities and teaching developers how to fix them. He has extensive hands-on experience performing security assessments and training for worldwide organizations, and has previously spoken at BlackHat, Defcon, RSA, OWASP, CanSecWest and more.
Rugged Software: A Value Based Strategy For Improving Our Digital Infrastructure, Josh Corman, 451 Group
Software has become modern infrastructure. Though we have made progress with tools and frameworks in the security community, too few outside of security recognize the security context of this digital infrastructure and the awesome responsibility that comes with developing it. Rugged is a meme - a contagious value set aimed to reach the hearts and minds of the masses who create software, purchase software, and depend upon software. We've been working hard fighting the heads of the Hydra. It's time to fight smarter and better focus on the heart. Digital infrastructure needs software that is not only agile, but also Rugged. Rugged software is capable of withstanding hostile actions and hostile environments while delivering business value. Rugged Software Development provides a philosophical foundation for regularly and consistently creating resilient, survivable software. Rugged guides software developers to create better software without the draconian notion of security police breathing down their necks. Rugged is a value system, not a compliance system. In a technology-dependent world, software needs to be Rugged. Read the Rugged Manifesto at www.ruggedsoftware.org for more information. Rugged is just beginning.
Joshua Corman is the Research Director of Security for The 451 Group - a leading analyst firm focussed on the business of IT innovation. Corman is a candid, strategic thinker and a highly coveted speaker who has spoken at leading industry events such as RSA, Interop, ISACA, and SANS. His efforts to educate and challenge the industry recently led NetworkWorld magazine to recognize Corman as a top 10 Influencer of IT for 2009. (Link to article: http://www.networkworld.com/supp/2009/outlook/010509-tech-people-to-know.html)
TRACK 2 : SECURITY AND TECHNOLOGY
Breaking Zigbee Crypto, Travis Goodspeed
This lecture describes a vulnerability in the ZigBee Smart Energy Profile stack available from Texas Instruments for the CC2530 chip, as used in many Smart Grid devices. The ephemeral key generation is poisoned by a poor pseudo-random number generator, allowing for only 65,536 ephemeral keys. The ECMQV key exchange, which is used by ZigBee SEP, allows an attacker who knows a device's ephemeral key to extract its private key. In this way, it is possible to extract a signed keypair from a Smart Energy Profile device. The vulnerability's discovery, mitigation, and impact will be discussed in technical detail, as well as some expectations for remaining vulnerabilities as this one is patched.
Anonymity, Privacy, and Circumvention with Tor in the Real World, Jake Appelbaum
Moxie Marlinspike
A lot has changed since discussions around digital privacy began. The security community won the war for strong cryptography, anonymous darknets which presumably make the eradication of information impossible have been successfully deployed, and much of the communications infrastructure has been decentralized. These strategies were carefully conceived while planning for the most dystopian visions of the future imaginable, and yet somehow they've fallen short of delivering us from the most pernicious privacy threats today. Rather than a centralized state-backed database of all our movements, modern threats to privacy have become something much more subtle, and perhaps all the more sinister. This talk will explore these evolving trends and discuss some interesting solutions in the works.
Practical Return-Oriented Programming, Dino Dai Zovi
This session will demonstrate the practical applications of return-oriented techniques for exploit payloads against systems with modern exploit mitigation technologies such as Microsoft's DEP and ASLR as well as the iPhone's non-executable memory and code signing. Most importantly, this session will demonstrate that for defenders it is more important to prevent malicious computations than injection of malicious code. For attackers it is becoming more important to control ESP than EIP.
Dino Dai Zovi has worked in information security for over 9 years with experience in red teaming, penetration testing, and software security assessments at Sandia National Laboratories, @stake, Bloomberg, and Matasano Security. He is a co-author of the books "The Mac Hacker's Handbook" (Wiley, 2009) and “The Art of Software Security Testing” (Addison-Wesley, 2006). In 2008, eWEEK named him one of the 15 Most Influential People in Security.
The Four Types of Locks, Deviant Ollam
Physical security is an oft-overlooked component of data and system security in the technology world. You can have the most hardened servers and network, but that doesn't make the slightest difference if someone can gain direct access to a console keyboard or, worse yet, march your hardware right out the door. While numerous ratings and standards exist in order to classify specific security hardware, many of these standards are ill-defined and poorly understood.
Do you know what makes a "hardened" or "contractor grade" lock special? What does the phrase "high security" signify on hardware packaging? As it turns out, many of these terms are just for show... but Deviant will walk you step-by-step through some distinct and easy-to-follow examples of how low-grade locks can fail as well as how to clearly identify quality equipment. Additionally, we will cover the more difficult matter of hardware purchase decisions at the highest levels... fine distinctions such as which locks belong on the CEO's office versus which ones to use on your server rooms. Every situation calls for something a bit different, and those differences add up when you're spending $100 or more per lock. Make your money count and keep your budget, and your data, secure.
While paying the bills as an auditor with The CORE Group, Deviant is also a member of the Board of Directors of The Open Organization of Lockpickers. Deviant has coordinated physical security sessions at DEFCON, ShmooCon, Black Hat, DeepSec, ShakaCon, HackInTheBox, CanSecWest, and the United States Military Academy at West Point.
Drinking from the Firehose: Ten Years of Vulnerabilities through the CVE Lens, Steve Christey, MITRE
In the middle of the 1990s, the disclosure of vulnerabilities frequently occurred on a need-to-know basis. Details were rarely available. Vendors took ages to patch. There was no Full-Disclosure mailing list, no blogs, very few public vulnerability databases, no responsible disclosure policies, and scant media attention. The handful of people who cared about security vulnerabilities at all were mostly concerned with a small number of products and vendors. Then commercial vulnerability scanning tools and IDSes hit the market just about when the Web boom happened, and suddenly everybody started writing and distributing software.
In short, when we created CVE in 1999, the world of vulnerabilities was a different place than it is today. I will provide a history of vulnerabilities through the last 10 years, including:
* the early challenges that we still face
* applications of the "fast/cheap/good" mantra
* the costs and benefits of "lean and mean" post-disclosure analysis
* the four I's principle of vulnerability information
* how too much information is about as bad as not enough
* how this is all just the tip of the iceberg anyway.
You will see how CVE has grown and changed with the times, while trying to keep true to the spirit (if not the letter) of the "one vulnerability, one identifier" motto. In the process, you will learn some of the ugly truths of filtering the Internet firehose into a consumable information product for the masses. I will finish with some pointers on how to recognize vulnerability trends before they happen, and some thoughts on how new practitioners can make a positive impact on an industry that is still growing.
Steve Christey is a Principal Information Security Engineer in the Security and Information Operations Division at The MITRE Corporation. Since 1999, he has been the Editor of the Common Vulnerabilities and Exposures (CVE) list and the Chair of the CVE Editorial Board. He is the technical lead of the Common Weakness Enumeration (CWE) project. He was the technical editor of the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors list and the CVE vulnerability trends analysis, and he has been an active contributor to other efforts including NIST's Static Analysis Tool Exposition (SATE), the Common Vulnerability Scoring System (CVSS), and the SANS Secure Programming exams. Despite his active participation in community efforts, he still struggles with the definitions of apparently-simple concepts such as "vulnerability" and "risk." His current interests include secure software development and testing, understanding the strengths and limitations of automated code analysis tools, the theoretical underpinnings of vulnerabilities, making software security accessible to the general public, vulnerability information management including post-disclosure analysis, and vulnerability research. Past work, which dates back to 1993, includes co-authoring the "Responsible Vulnerability Disclosure Process" draft with Chris Wysopal in 2002, reverse engineering of malicious code, automated vulnerability analysis of source code, and vulnerability scanning and incident response. He holds a B.S. in Computer Science from Hobart College.
SCCP hacking, Attacking the SS7 & SIGTRAN Applications One Step Further and Mapping the Phone System, Philippe Langlois, P1 Security
Attacking the SS7 network was fun, but there's a world beyond pure SS7: the phone system applications themselves, and most notably what transforms phone numbers into telecom addresses (Point Codes, i.e. DPCs and OPCs; Subsystem Numbers, i.e. SSNs; and other various fun), which is called Global Title Translation. Few people actually realize that the numbers they are punching on their phone are the same digits that are used for this critical translation function, which turns them into the mythical DPCs, SSNs and IMSIs. More and more data is now going through the phone network, creating more entry points for regular attacks to happen: injections, overflows, DoS by overloading capacities. And we have an ally: the mobile part is opening up, thanks to involuntary support from Motorola, Apple and Android. We'll study all the entry points and the recent progress in telecom security attacks.
How to Detect Penetration Testers, Ron Gula, Tenable Security
In this talk we will examine the problem of detecting authorized penetration testers from a variety of technical and political aspects. On one hand, we need to monitor and protect against many threats, but politically, we also don't want to have the pen test team make your security monitoring, your SIM or your NIDS look like a joke. Attendees will quickly realize that the tips and insights for making better use of firewall logs, netflow, system logs and so on can and should be applied to monitoring for real bad guys as well.
Mr. Gula has more than 15 years of experience developing products such as Nessus and the Dragon IDS that effectively help organizations monitor their security. He also provides very informative and entertaining speeches about compliance, security monitoring and how to use security technologies in a more effective manner.
Reverse Engineering Broken Arrows, Adam Meyers, SRA International
This session will introduce the concepts of exploit reverse engineering in support of incident response and/or post mortem analysis. Attendees will learn the tools and techniques required to take malicious exploit code and understand what it is targeting, and how to identify and prevent future success against the enterprise. This will include a live demonstration of the techniques to reinforce how to reverse exploit code.
Adam Meyers is a Senior Principal with the NPO Division of SRA International. Mr. Meyers serves as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects. Mr. Meyers provides both technical expertise at the tactical level and strategic guidance on overall security program objectives.
Embedded System Hacking and My Plot to Take Over The World, Paul Asadoorian, PaulDotCom
It seems that as Moore's law is proven time and time again, we as a society are seeing more and more embedded systems help us in our daily lives. Embedded or purpose-built systems, those that perform a specific function, are contained in the carriers of our data, from your computer to your online banking site, from the coffee shop network back to your corporate VPN. Each time we use the computer on our home cable modem network, print an important document, or use a wireless network, there is typically some kind of embedded system involved. While embedded systems have made our lives easier, security is largely an afterthought, if it's a thought at all.
Embedded systems simplify tasks for the end user, but implement very little security. This presentation analyzes common vulnerabilities in popular embedded systems that carry sensitive data every day. It will demonstrate the abundance of these systems and vulnerabilities by using public sources and new scanning methods. Solving the problem is more difficult, but starts with changing both the developers' and users' perception of embedded systems technology.
In this presentation we will cover:
- Finding embedded system vulnerabilities on a large scale
- Ways to exploit embedded vulnerabilities and hide from the end user
- Why controlling embedded systems is so powerful (and how they could be used to take over the world)
- Ways to mitigate the potential threat
- Explore some longer term solutions for embedded systems security
Paul Asadoorian is currently the Product Evangelist for Tenable Network Security, where he regularly uses vulnerability scanning and management products and showcases them using blogs, podcasts, and videos. Paul is also the Founder of PaulDotCom, an organization centered around the award-winning PaulDotCom Security Weekly podcast that brings listeners the latest in security news, vulnerabilities, research, and interviews with the security industry's finest. Paul has a background in penetration testing and intrusion detection, and is the author of WRT54G Ultimate Hacking, a book dedicated to hacking Linksys routers.
ZigBee Hacking and the Kinetic World, Josh Wright, InGuardians, Inc.
ZigBee has been established as a low-power wireless protocol, boasting features that make it attractive for smart grid technology. Combined with the Smart Energy Profile, ZigBee is quickly becoming a staple technology in the home area network, bridging the interface between a smart meter, smart thermostat, load control and demand response devices.
To date, however, there has been little independent and open evaluation of the security of ZigBee implementations. To ensure the security of ZigBee implementations, developers, vendors and ZigBee must evaluate them to identify security faults and threats to the integrity and confidentiality of the system. In this presentation, the author will demonstrate a framework and utilities designed for the evaluation of ZigBee technology. Through the use of readily-available hardware, packet sniffers and data manipulation tools, the author will present the results of testing various ZigBee implementations, discussing the strengths and weaknesses of ZigBee networks and the opportunities and techniques by which an attacker can exploit ZigBee implementations. Attendees of this presentation will gain an understanding of the strengths and weaknesses affecting the security of ZigBee technology. Following the presentation, the attendees will have an introduction to a new, open-source suite of ZigBee testing tools which can be used to evaluate ZigBee technology in their own organizations. Using these tools, developers will be able to build and expand on their own testing needs for standards-based or proprietary ZigBee profiles to validate the security of the technology before it is deployed.
Joshua Wright is a senior security analyst with InGuardians, an information security research and consulting firm, and a senior instructor and author with the SANS Institute. A regular speaker at information security and hacker conferences, Joshua welcomes the job of breaking wireless networks at any opportunity.
Neurosurgery With Meterpreter, Colin Ames, Attack Research & David Kerbs
A crucial step in post-exploitation technology is memory manipulation. Metasploit's Meterpreter provides a robust platform and API on which to build memory exploitation tools to assist the attacker in post-exploitation tasks. This talk will cover several examples of memory manipulation using Meterpreter and introduce an extension to aid post-exploitation activities. We will demonstrate the extraction of unique process memory to analyze for valuable information such as passwords. We will also demonstrate the injection of utilities into a process's memory in order to alter execution flow to provide new "features" like PuTTY Hijack. Another example that will be covered is interacting with the lsass process memory in order to steal Windows session hashes required for pass the hash. Finally we will discuss the use of Meterpreter to patch process memory in order to introduce vulnerabilities which can be leveraged for things such as persistence. Another form of "memory" is the knowledge a host has about its network environment. This presentation will discuss the utilization of a Meterpreter extension to automate and facilitate passive network reconnaissance over time, allowing for smart network data acquisition and analysis.
Colin Ames is a security researcher with Attack Research LLC where he consults for both the private and public sectors. He's currently focused on Pen testing, Exploit Development, Reverse Engineering, and Malware Analysis.
We Found Carmen San Diego, Don Bailey, iSec Partners & Nick DePetrillo
Using new resources in concert with new and old telephony tricks, the speakers have been able to successfully track users of GSM mobile phones without direct access to SS7. Though, initially, the granularity of the location information was not fine enough, the speakers have been able to develop effective techniques to supplement the location data. Augmenting this attack is the ability to learn a target user's mobile phone number without the user's knowledge, enhancing the passive nature of the attack. The speakers will elaborate on new real world attack vectors that make these threats both credible and practical. GSM location data in the US is private. However, unscrupulous providers have exposed this data to an international audience, allowing anyone access to this information for a price. The researchers will elaborate on the technical details of how and why the above attacks work, what solutions are possible, and how users can protect themselves.
Don Bailey is a security consultant with iSEC Partners, Inc. Don has found and exploited unknown vulnerabilities in both userland and kernel code on many popular computing platforms including Mac OSX, Linux, FreeBSD, and OpenBSD. He also has a strong background in network protocol analysis and root-kit design and detection. Don's prior work includes threat assessment for a wide range of clients, including the financial sector, government sector, and Fortune 500 companies. Mr. Bailey has previously spoken at several national and international security conferences on various topics such as zero-day development, root-kit design, and NULL pointer dereferences.
Nick DePetrillo is an independent security researcher with a focus on critical infrastructure. Most recently, Nick was a senior security consultant with Industrial Defender performing physical and electronic security assessments for utility companies and power plants. Nick also researched Smart Grid/AMI hardware and software security issues while at Industrial Defender. Previously, he worked as a research and development engineer for Aruba Networks, concentrating on wireless security threats and prototyping new products. Mr. DePetrillo has also consulted for U.S. government agencies, Fortune 500 companies, and worked as a network security engineer for an Internet2 giga-pop. Nick has presented new security threats and mitigation techniques at both national and international conferences.
The Fine Art of Hari Kari (.JS), And Other Approaches For The Strange Reality Of Web Defense, Dan Kaminsky, IOActive
The web is remarkably difficult to secure. Browsers are ornery, powerful creations, and we security people demand all sorts of things of developers to make them behave. By and large, the developers ignore us. Our asks, they say, are too expensive. Rather than just guilting them, could we make better asks -- of both web developers and browser manufacturers? Possibly. In this talk, I explore a couple of interesting techniques for easily mitigating entire classes of Cross Site Scripting and Cross Site Request Forgery attacks. They aren't perfect, but they work, and more importantly they represent a new class of ask for browser manufacturers that might even be implementable past the genuinely more powerful forces of application compatibility, performance, and developer compliance. I will also discuss Treelocking, a generic mechanism for mitigating injections into protocols as diverse as SQL, LDAP, XML, and JSON.
Blackberry Mobile Spyware - The Monkey Steals the Berries (Part Deux), Tyler Shields, Veracode
Spyware has become a primary tool used in the capture of personal and private data. Surreptitiously installed on the computing system of a target victim, spyware can capture, log, monitor, and exfiltrate any data that the spyware owner desires. Your phone holds all of the same personal information as your computer, only in a smaller form factor. While a number of "vendors" sell Blackberry spyware, until now only a limited number of public code examples have existed. Real-time capture of SMS messages, emails, and phone call logs is a fraction of the features to be presented. Full source code to the spyware will be released. Defining the potential risk and threat involved in mobile spyware is a prerequisite to implementing security mechanisms. Finally, functional reference code has been presented and released that can be used in a positive manner. Until then, only shady web sites selling compiled versions of the code for $100 - $400 annually existed. This is a forward-looking presentation that will help others learn about the security of their personal data in the time of mobile devices.
Tyler Shields is a Senior Researcher for the Veracode Research Lab whose responsibilities include understanding and examining interesting and relevant security and attack methods for integration into the Veracode product offerings. In the past, Tyler has worked as a consultant for both @Stake and Symantec, delivering security assessments to Fortune 500 companies, major financial institutions, institutions of higher education, and the highest levels of the U.S. government. Tyler has presented at major industry conferences including Shmoocon, H.O.P.E, and SOURCE Boston and has released numerous security advisories.
TRACK 3: SECURITY AND BUSINESS
PCI Done Right and Wrong, Dr. Anton Chuvakin & Branden Williams, RSA
We will go through some interesting and instructive examples of PCI DSS controls implemented right and wrong.
Involuntary Case Studies in Data Breaches, Rich Mogull, Securosis
It's absolutely bass ackwards, but while the bad guys constantly share details of their exploits, including techniques, when it comes to real incidents, actual defenders rarely talk about what worked, and what didn't. Our entire industry is built on anecdote and the few tidbits we can glean from press reports. Thus we, as an industry, don't link means and methods to actual security outcomes. Without this information we're like a bunch of blindfolded wannabe ninjas trying to catch rounds from a machine gun with our bare hands. In this session we'll name names as we build in-depth case studies based on publicly available information, some of which isn't overly public. We will combine these with the latest information from breach reports released by incident response companies and the Dataloss Database. The session will build a picture of how real breaches happen, which security controls really work, and which compliance checkboxes are a complete and total waste of time.
Securely Moving Your Business into the Cloud, Alex Stamos, iSec Partners
Cloud computing has become an irresistible force in the IT industry, due to the unbeatable efficiencies of warehouse-scale computing infrastructures and the desire of businesses to reduce their CapEx on IT hardware. The most pressing concerns still holding back companies from moving into a public or semi-private cloud environment are security and compliance, and corporate security groups are under pressure to provide solutions that allow their enterprises to benefit from cloud computing technologies while appropriately managing risk.
In this talk, we will review several different cloud computing models and discuss the breakdown of security responsibility in each. We will then deconstruct the currently accepted models of enterprise IT and identify which security controls truly matter for most organizations and which are leftovers from an earlier era of computing. The speaker will then propose several architectures that are implementable in current public cloud providers that provide equivalent or better assurance than traditional IT stacks, and discuss which risks can and should be accepted as part of the new computing paradigm. The talk will be aimed at the system architecture, risk management and CIO levels of organizations, and will be best absorbed by attendees with enterprise architecture experience.
Alex Stamos is a co-founder and Partner at iSEC Partners, Inc. He has been a featured speaker at top industry conferences such as Black Hat, Web 2.0 Expo, CanSecWest, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec. He holds a BSEE from the University of California, Berkeley.
Cloudifornication Redux: Stacked Turtles - Predicting The Future State Of Cloud Computing By Staring Wide-Eyed At The Present, Chris Hoff, Cisco Systems
Where and how our data is created, processed, accessed, stored, backed up and destroyed in what are sure to become massively overlaid cloud-based services - and by whom and using whose infrastructure - yields significant concerns related to security, privacy, compliance, and survivability. This presentation discusses how staggering interdependencies and the reliance on both aging technology approaches as well as cloud-on-cloud infrastructure and services exposes flawed assumptions and untested theories as they relate to security, privacy, and confidentiality in the cloud. Most importantly we will discuss what we should do to prepare for moving to Cloud-based services securely.
Chris Hoff has over 15 years of experience in high-profile global roles in network and information security architecture, engineering, operations, product management and marketing, with a passion for virtualization and all things Cloud. Hoff is currently Director of Cloud and Virtualization Solutions, Data Center Solutions at Cisco Systems. Prior to Cisco, he was Unisys Corporation's Systems & Technology Division's Chief Security Architect. Additionally, he served as Crossbeam Systems' chief security strategist, was the Chief Information Security Officer for a $25 billion financial services company, and was founder/Chief Technology Officer of a national security consultancy. Hoff regularly speaks at high-profile conferences, is interviewed regularly by the media, is a featured guest on numerous podcasts, and blogs at http://www.rationalsurvivability.com/blog. Hoff is a CISSP, CISA, CISM and NSA IAM. He was twice nominated as the Information Security Executive of the Year and won the Security 7 award in Financial Services in 2005.
Why the Google Aurora Attack Will Happen Again. How to Analyze your Defenses and Stay Out of the Headlines, Vikram Phatak, NSS Labs
What you don't know can hurt you. NSS Labs will share research findings from our analysis of the attack and potential variants, along with a breakdown of security vendor approaches to protecting against these types of threats. Includes discussion of what security vendors are not covering that could prevent the next big attack.
Vikram Phatak is CTO and leads the research team at NSS Labs. Mr. Phatak has over 15 years of experience in computer, network, and information security. Prior to joining NSS Labs, Mr. Phatak was CTO of Trustwave, founded and was CTO for an intrusion prevention product company, was chief security architect for a Fortune 500 company, and started one of the first Internet service providers in 1994.
Cloud Security: The Road Ahead, Cloud Security Alliance
This presentation will provide an overview of strategic cloud security issues today and in the future, as well as an overview of the Version 2 Security Guidance for Critical Areas of Focus in Cloud Computing by the Cloud Security Alliance (CSA). A roadmap of CSA research priorities for the coming year will also be provided.
Why Blackhats Always Win, Val Smith & Chris
From the origins of hacking and black hat hackers, a new industry called penetration testing has evolved. Penetration testing is intended to emulate a real attacker in order to uncover what vulnerabilities an organization may have that could put it at risk, so they can be fixed. This has led to the term "White Hat Hacker" being used to describe those who perform these tests. However, the goals of a White Hat differ greatly from the goals of a Black Hat, as do the mindsets. This presentation will describe these differences as well as some of the things black hats have to consider that white hats may not even be aware of. This paper will explain why black hats have the advantage over white hats and why the penetration testing industry has to change. The takeaway from this presentation is that current common penetration methodologies are ineffective in demonstrating the actual risk and threats that exist, and it will hopefully provide some insight into how real attacks actually work from the point of view of a black hat.
Val Smith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on a variety of problems in the security community. He specializes in full-scope penetration testing, reverse engineering and malware research. He works on the Metasploit Project as well as other exploit development efforts. Most recently Val Smith founded Attack Research, which is devoted to deep understanding of the mechanics of computer attack. Previously Val Smith founded a public, open source malware research project.
Chris is a Security Consultant and Researcher with Secure DNA. Chris specializes in web-based application security. He has collaborated with some of the top security researchers and companies in the world, including Computer Associates and GTE. Chris has performed static and dynamic security assessments for companies and government agencies across the U.S. and Asia.
Motivations and Objectives That Are Shaping Emerging and Future Information Security Threats, Max Kilger, Founding Member of the Honeynet Project
As the information security threat matrix continues to grow exponentially, there are some important shifts in the motivations and objectives of individuals, groups and nation-states perpetrating these attacks. The presentation describes how key social and economic factors are influencing changes in the distribution and dynamics of these motivations and how these changes might alter the nature of the information threat matrix. The presentation suggests a shift from a defensive strategy to an offensive strategy by anticipating emerging information security threats and concludes with a set of scenarios that outline new areas of emergence as well as describe the nature of these potential new and unique future threats.
Max Kilger received his doctorate from Stanford University in Social Psychology in 1993. He is a founding member of the Honeynet Project information security research group and currently is on their board of directors as well as serving as their Chief Membership Officer. He also is the Project’s chief profiler and contributes additional efforts in the areas of statistical and data analysis. Dr. Kilger has written and co-authored research articles and book chapters in the areas of influence in decision-making, the interaction of people with technology and profiling the social structure of the computer hacker community. He was the lead author for the Profiling chapter (Know Your Enemy, second edition) which serves as a reference guide for a number of governmental, military and private sector organizations. Max was also a member of the National Academy of Engineering's Combating Terrorism Committee, which was charged with recommending counterterrorism methodologies to the Congress and relevant federal agencies. He is a frequent national and international speaker to law enforcement, the intelligence community and military commands as well as information security forums.
Knock, knock. How attackers use social engineering to bypass your defenses, Lenny Zeltser, Savvis and SANS Institute
Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This talk explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing corporate security defenses.
Lenny Zeltser reviews how attackers have bypassed technological controls by making use of social engineering techniques such as:
* Starting attacks in the physical world, rather than the virtual Internet: We have spent most of our lives in the physical world, whose norms we know well. As a result, we tend to trust messages that come to us in the physical world more than those in the "virtual" world of the Internet. The talk presents several examples of such scenarios.
* Tricking victims into willingly installing malicious software: Attackers increasingly rely on social engineering tactics to trick victims into installing malware, such as worms and trojans. The talk will explore numerous variations of the approaches seen in the wild.
* Targeting attacks through the use of spear phishing and social networks: The talk will explore how attackers may profile victims to include the person or company-specific social engineering elements in an intrusion campaign. Attend this engaging talk to improve the relevance of your security awareness training and to adjust your defenses by revisiting your perspective of the threat landscape.
Lenny Zeltser leads the security consulting practice at Savvis. He is a board of directors member at SANS Technology Institute, a SANS faculty member and an incident handler at the Internet Storm Center. Lenny authored courses, books and articles, and earned GSE and CISSP certifications and MBA and CS degrees.
Failagain's Island - The Perils of Banking in an Island Nation, Andrew Hay, University of Lethbridge
According to Wikipedia, experts believe that as much as half the world's capital flows through offshore centers. Tax havens have 1.2% of the world's population and hold 26% of the world's wealth, including 31% of the net profits of United States multinationals. You would expect that isolated offshore financial centers, such as Bermuda, Cayman Islands, and Bahamas, would be exponentially more secure than your local bank branch due to the magnitude of money being protected…but you would be wrong.
Foreign nations, malicious attackers, and malware creators know that most tax havens, especially those located in small water-locked countries, are behind the times when it comes to security. This knowledge, combined with the amount of money that flows through the offshore financial centers, makes them juicy targets for major financial exploitation. The goal of this presentation is to dispel common security myths and provide detailed explanations of the risks associated with offshore banking. Let Andrew Hay, who was responsible for the implementation and monitoring of security controls at a major offshore bank, provide an in-the-trenches account of the security issues surrounding banking with an island nation.
Andrew Hay is a Canadian security professional that writes and speaks on privacy, forensics, incident handling, and network security management. He has authored three books on network security management and in 2008 was honored with the title of Security Thought Leader by the SANS Institute.
Protecting Customers from Online Threats, Allison Miller, Paypal
New platforms and tools deployed via the web attract innovation, foster collaboration, and for many of us -- have changed our lifestyles (how we communicate, socialize, and pay for things). At the same time we're seeing these same technologies used as attack vectors -- with end-users being the target of choice. In this talk we'll discuss threats and attacks targeting end users such as social engineering, credential theft, malware, spam & abuse -- and the resulting problems like account takeovers, botnet activity, privacy leaks, and identity theft. We'll then discuss our successes and lessons-learned from adding additional controls both at the system level and provided directly to customers.
In this presentation we will examine threats/attacks that target customers/end-users of web-delivered tools and services, and the different strategies employed by system owners/companies.
First, we will review attacks/vulnerabilities that have been experienced in this space in the last 12-18 months, with special attention to attacks that leveraged a service provider organization in order to exploit customers. We will look at some recent case studies where customers have been targeted to answer some key questions: What are the downstream impacts of these attacks on individual customers? Does the presence of known vulnerabilities or "safety gaps" have an effect on the reputation of the service provider in economic terms?
Too Many Cooks Spoil The Broth: How Compliance Regulations Get Made - Panel Discussion
We've selected an all star panel of folks who have been intimately involved in the creation of various compliance frameworks. Moderated by David Mortman, the panelists include Mike Dahn (PCI), Katie Moussouris (ISO), James Arlen (NERC) and Dave Lewis to cover MA 201 CMR 17. We'll discuss the whys and wherefores of how these frameworks get built and what we can do to improve them in the future. (Hint: It's not just about being in the right lobby). The discussion will be lively and to encourage audience participation, David Mortman will again be bringing homemade artisan bread.
Understanding: The key to Protecting Highly Sensitive Personally Identifiable Information, Dr. Timothy Brueggemann, Boeing Company
Protection of Highly Sensitive Personally Identifiable Information (HSPII) data is essential to every organization and requires a well-developed set of rules and processes to be enforced by the Information Technology (IT) organization. These rules and processes must be incorporated into a formal HSPII protection program that is understood by all IT workers in the organization. The purpose of this study was to examine IT employees' understanding of HSPII programs. The assumption is made that the security of the vast amount of HSPII data stored on organizational systems is directly related to the level of understanding of the HSPII programs implemented. There were significant correlations between each of the six demographic variables examined in this study as they related to understanding. The results of this study provide a realistic view of the IT professional's understanding of their responsibility and ability in protecting HSPII data.
Dr. Brueggemann is a Chief IT Architect employed by The Boeing Company. He also has served as Adjunct Faculty member in the School of Business and Entrepreneurship, at Lindenwood University for the past ten years. Tim lives in St. Charles, Missouri with his wife and two daughters.
Legal Aspects of Computer Network Security and Privacy, Robert Clark, Cybersecurity and Communications, Department of Homeland Security
This presentation reviews the important legal opinions and law review articles of the past year that affect privacy as it relates to the internet and computer network operations. We will review the cases and legal commentaries on those issues that most affect your conduct and business operations. This presentation is strongly audience driven and it quickly becomes an open forum for questions and debate. This year the past key precedents have involved: work place monitoring and searches; compliance with State data breach laws and jurisdiction; employer's right to monitor their computer network systems and employees' rights; acceptable use policies; banners; user agreements; personally identifiable information and IP addresses; what is personally identifiable information; privacy and social networks; privacy rights in information turned over to a third party; theft of proprietary information and the CFAA; and, web site policies and notice.
Robert Clark is currently (in a non-attorney position) with the Office of Cybersecurity and Communications, Department of Homeland Security. He is the former legal advisor to the Navy CIO; United States Computer Emergency Readiness Team; and, the Army's Computer Emergency Response Team. In these positions he has provided advice on all aspects of computer network operations and privacy. He consults regularly with DoJ Computer Crime and Intellectual Property Section and National Security Division; DoD; NSA; and, other agencies involved in cybersecurity and privacy. He lectures at the IAPP; Defcon; Black Hat; the Army's Intelligence Law Conference; and, at the DoD's Cybercrimes Conference.
Security Sucks, Amit Yoran, Netwitness
Security sucks. Ask the CISOs and security managers within government agencies and banks that have known about advanced threats such as Operation Aurora for a long time, but have been forced to fund flawed behaviors, antiquated technologies, and narrow scope security projects focused on compliance versus operational efficacy. Ask the financial services and retail enterprises that have spent so much on PCI only to find that they were blindsided by the latest sophisticated attacks in spite of their compliance check mark. Compliance drives I/T security spending and perceptions of successful and complete security programs in many important organizations. Yet, the result often is a sub-optimized security posture rewarding the wrong behaviors and placing emphasis on low impact objectives. Security sucks, but it doesn’t have to.
Assuming that a) you are not happy with the current situation, and b) you believe that security compromises are inevitable but want to protect your organization, this session is for you. This interactive session will discuss:
1. Why security sucks: the compliance and platform-related death spiral of current security programs.
2. The importance of Operation Aurora and the Google China hack to advanced threat awareness at the "C" level, greater honesty about living in compromise to advanced persistent threats, and a movement away from compliance-driven security programs.
3. How to ensure that your CEO gets InfoSec news from the security organization, versus from the FBI or NSA regarding sophisticated attacks and compromises within your organization.
4. The minimum components of a sophisticated operational defensive security program in 2010.
5. How to make security suck a whole lot less and make your security team more successful.
Amit Yoran is CEO of NetWitness. Before NetWitness, he was Director of the US-CERT and National Cyber Security Division of DHS, and CEO and advisor to In-Q-Tel. Mr. Yoran was co-founder of Riptech, and served as CEO until its acquisition by Symantec. He served as an officer in the US Air Force in the DoD Computer Emergency Response Team.
Carole Fennelly, Chris Wysopal, Steve Christey, Bob Martin, Jonathan Klein, HD Moore, & Kelly Todd
Vulnerability management - how tough can it be? Vulnerabilities are identified, categorized, and then (hopefully) fixed through patches or upgrades. Simple enough, right? Actually, the process is far from simple, as anyone who has worked in the area of vulnerability management can tell you. Identifying vulnerabilities through a slew of vendor alerts, vulnerability databases, and third-party references is only the first step. From there, solutions must be identified, fixes obtained and tested, patch and upgrade deployments scheduled, and the whole mess monitored... until the next patch cycle comes around so you can start the process all over again.
This panel will discuss various aspects of the vulnerability management cycle: the assignment of common names for easy identification, using available information to gather appropriate remediation measures, pros and cons of patch testing, and how vulnerability management can be improved as an overall process. Join panelists Chris Wysopal of Veracode, Steven Christey and Bob Martin of MITRE Corporation, Jonathan Klein of Broadridge Financial Solutions, Kelly Todd of Tenable Network Security and moderator Carole Fennelly of Tenable Network Security as they look at vulnerability management: what works, what doesn't work, and what can be done to help improve processes, procedures, and remediation techniques.
Gain Comfort in Losing Control to the Cloud, Randolph Barr, CSO of Qualys
Cloud solutions are entering the mainstream, with vendors of all sizes flocking to build and deliver services in the cloud due to the economic and technical advantages of this model gained at all levels. This new paradigm, however, requires new thinking in security, auditing and compliance. Cloud providers are required to protect their customer data due to regulatory and customer requirements. Implementing the controls required by customers can lead to a competitive advantage from which both providers and users of the cloud benefit.
Every company has their own practice in evaluating the security posture of a cloud provider. In each case, there are opportunities for a cloud provider to share information that will eventually reduce the scope or eliminate the requirement for an onsite review. The goal is to work with the provider to be more transparent about their security practice and develop a relationship that would allow the SaaS provider to act as an extension to the customer's security team.
This talk focuses on the following areas:
* Definitions of cloud architectures, characteristics and service delivery models
* Understanding key components of cloud infrastructures
* Differences in cloud architectures from those of traditional IT infrastructures
* Risks and controls unique to cloud environments
* Benefits of cloud certifications such as the SysTrust Seal and SAS-70 Type II
* Incorporating the ISO-17799 Control Objectives, DIACAP / FISMA reviews and others in cloud environments
* Preparing for an onsite review
Randy has over 13 years of information technology and leadership experience. Prior to joining Qualys, he was the Information Security Officer at Yodlee, responsible for ensuring a high-level security posture for Yodlee's Internet-based financial services. Before Yodlee, Randy served as CSO for WebEx Communications, a Cisco company and the leading provider of web communication services with over 30,000 customers worldwide. At WebEx, Randy built a security department from the ground up and was responsible for the company's global security infrastructure. In this role, he led the company's successful attainment of the SysTrust Seal, SAS-70 Type II incorporating the ISO-17799 Control Objectives, DIACAP / FISMA reviews which led to the Authority to Operate on the NIPRNET network for the Department of Defense, and the Independent Security Report. Prior to his appointment as CSO, Randy held several management positions within WebEx and leadership positions in the healthcare, gaming and high-tech industries. Randy is a frequent speaker at security conferences including CSO Perspectives, RSA, BITS Security Forum, The Security Standard and SaaS/Gov. He has also been quoted in numerous articles and was featured on the front cover of SC Magazine. Randy holds a BS in Business Administration from the University of Phoenix.
The Realities of Starting a Security Company - Part I: The Entrepreneurs
Philippe Langlois, Founder of P1Security
Eugene Kuznetsov, Founder of DataPower (Acquired by IBM)
Raffael Marty, Co-Founder of Loggly
Rob Cheyne, Co-Founder & CEO of Safelight Security Advisors
Moderated by: Jonathan Cran, Rapid7
Starting a company is difficult! The devil is in the details when it comes to understanding funding, team composition, and designing a business plan for a successful company in the security space. Join our panel of experienced Security Entrepreneurs as they share their experiences and provide insight on the different approaches of funding a security start-up (VC funding, Angel Funding, Bootstrapping), tips for designing your company, selecting co-founders and business partners, and more.
The Realities of Starting a Security Company - Part II: The Investors
Jeff Fagnan, Atlas Venture
Emerson Tan, Stratagem7
John Harthorne, Founder & CEO of MassChallenge
Chris Swan, CTO and Director of Venture Services, Capital SCF
Vishy Venugopalan, Analyst, Longworth Venture Partners
Moderated by: Nick Selby, Managing Director, Trident Risk Management and founder of the Enterprise Security Practice at The 451 Group
Venture capital can be daunting. Let's dispel the myths and learn what it takes to attract the right amount of funding to start your security company. A panel of venture capitalists, angel investors, and other management experts share suggestions, advice, and experience about how to obtain funding, design a security company, and launch it, along with suggestions for potential exit strategies and the cycle of entrepreneurship.
Bullseye on Your Back – Life on the Adobe Product Security Incident Response Team, Wendy Poland & David Lenoe
Ubiquity can come at a price: Experience has shown that the more popular and widely deployed an application is with end-users, the more likely that application will become a target for attackers and good security researchers alike.
Available in 34 languages, on all major platforms, and just about every desktop/laptop, it’s no surprise that Adobe Reader has made the lists of top applications targeted in 2010.
Join this session, and hear David Lenoe and Wendy Poland, members of the Adobe Product Security Incident Response Team (PSIRT), talk about the challenges of having the bullseye on your back and the hard lessons learned in the process. In looking at a recent zero-day vulnerability, Dave and Wendy will offer insight into Adobe’s product security incident response, the process of acting on vulnerability reports, and the analysis that goes into developing a schedule for a fix.
Live and learn—you could be taking center stage before you know it!
Upcoming Events
SOURCE Barcelona 2010
September 21-22, 2010
Museu Nacional D’art de Catalunya, Barcelona, Spain
CFP Status: Closed
SOURCE Boston 2011
April 20-22, 2011
Seaport Hotel, Boston, MA
CFP Status: Opens Oct 15
SOURCE Seattle 2011
June 16-17, 2011
Maritime Event Center
CFP Status: Opens Dec 1