Title: How Microsoft Fixes Security Vulnerabilities: Everything you ever wanted to know about the MSRC Security Update Engineering Process
Description:
Take a look behind the scenes at the Microsoft Security Response Center, the group that ships Microsoft's security updates. Learn what happens for an eight-day out-of-band release in response to a 0day vulnerability (MS08-067). Learn also what goes into Microsoft’s standard thorough investigation and testing process for updates released on the regular schedule. Come hear from the security engineers who triage incoming vulnerability reports, build fuzzers to find related issues, review code fixes, write security bulletins, develop mitigations and workarounds, document the vulnerability so MAPP (Microsoft Active Protections Program) partners can understand and build protections for it, and finally push out the update to hundreds of millions of computers every month. This talk will describe the steps that go into the resulting update.exe that shows up on your computer the second Tuesday of each month. And you'll hear it straight from front-line security engineers who have been doing this since 2003.
Mark Wodrich is a Security Software Engineer in the React team within MSRC Engineering. As part of the React team, he works to analyze reported security vulnerabilities, determine their severity and exploitability, and work with product teams to ensure the fix is correct and comprehensive. Since joining the React team in 2004, he has been mainly focused on vulnerabilities affecting the Windows operating system, especially networking components. He has also delved deeper into the Visio file format than is healthy. Prior to joining the React team he spent several years working on various Windows networking components, including the Microsoft RADIUS server (IAS), EAP auth methods and wireless networking.
Dave Midturi is a Security Program Manager in MSRC with a focus on vulnerabilities in the Windows operating system. As an MSRC PM, Dave deals directly with security researchers, external organizations, and companies for security vulnerabilities that are reported via Secure@microsoft.com. MSRC then works with affected owners and stakeholders to coordinate an appropriate software release or communicate appropriate actions that users can implement to address security vulnerabilities. Prior to his role as an MSRC PM, Dave was a network security specialist in the private and government sectors.
Jonathan Ness leads the Defense arm of the MSRC Engineering team. His team generates detailed detection guidance for vulnerabilities fixed in security updates. This detection guidance helps Microsoft's partners build protections against attack. The Defense team also builds the mitigations and workarounds found in MSRC security bulletins and provides insight about vulnerabilities straight to customers via the SVRD blog. Jonathan has been a part of Microsoft's security team for six years. Jonathan also serves as a United States Air Force officer as part of a reserve military unit involved with computer security. He is co-author of Gray Hat Hacking and Gray Hat Hacking, Second Edition.
Title: Turning Science into Sound Bites: Lessons from "Prototype This!"
Description:
A lifelong hacker and electrical engineer, Joe spent 18 months as a co-host of Prototype This, a science entertainment program on the Discovery Channel that followed the real-life design process of a unique prototype every episode. His self-imposed mission was to show the fun side of engineering and explain complicated techniques and technologies in a way that millions of viewers could understand.
In this light-hearted session, Joe will show some video examples and discuss the necessary elements to consider when trying to convey technical information to a non-technical audience. Sometimes his attempts worked, sometimes they didn't, but you'll be able to apply all of what you learn in this presentation to your own situations.
Joe Grand (aka Kingpin) is an electrical engineer, hardware hacker, and president of Grand Idea Studio, Inc. (www.grandideastudio.com), where he specializes in the invention, design, and licensing of consumer products, video game accessories, and modules for electronics hobbyists. He spent many years as part of the hacker collective L0pht Heavy Industries finding security flaws in hardware devices and was a co-host of Prototype This on Discovery Channel. He is also the sole proprietor of Kingpin Empire (www.kingpinempire.com), a project that gives back to the technology and health communities through charitable donations.
Just how bad is it? Is it time to move to Canada or Australia? Do those breach disclosure laws actually work? Or is it just too darned late? And what about all those credit monitoring services: are they worth anything? Or am I just throwing good money after bad?
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led Siebel's product security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank. A CISSP, member of USENIX/SAGE and ISSA, and an invited speaker at the RSA 2002 and 2005 security conferences, Mr. Mortman has also been a panelist and speaker at RSA 2007 and 2008, InfoSecurity 2003, Blackhats 2005-2008, Defcon 2005-2008 and Information Security Decisions 2007 and 2008. Additionally, Mr. Mortman will be speaking at the forthcoming SourceBoston 2009 as well. Mr. Mortman sits on a variety of advisory boards including Qualys, Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.
Adam Shostack
Senior Program Manager
Security Development Lifecycle Team
Microsoft’s Trustworthy Computing Group
Information Security faces a crisis. As a discipline, as a profession or as a passion, the challenges we face have been overwhelming. The economic situation is straining budgets, and security is suffering while cybercriminals are making vast sums of money. Executives don't want to invest, and practitioners are exhausted and dejected. What's causing the crisis, and how can we break free?
Adam Shostack is senior program manager in Microsoft Corp.’s Trustworthy Computing Group. As a member of Microsoft's Security Development Lifecycle team, he is responsible for security design analysis techniques, including the company’s threat modeling methodologies. Shostack joined Microsoft in 2006 with an extensive background in software security. Before joining the company, he was involved in a number of successful start-up ventures involving vulnerability scanning, privacy and program analysis. Additionally, Shostack helped create the Common Vulnerabilities and Exposures (CVE) list, and now serves as the Emeritus Advisor of the group. He is also a founding member of both the International Financial Cryptography Association (IFCA) and the Privacy Enhancing Technologies Symposium, and has been a technical advisor to companies such as Counterpane Internet Security and Debix. He has published articles in a variety of industry and academic venues, and is also co-author of the widely-acclaimed book, The New School of Information Security (Addison-Wesley, April 2008).
Title: Politically Motivated Denial of Service Attacks
Description:
The rapid growth of the Internet has been mirrored by a growing number of packet flooding attacks around the world coupled with political motivations.
Estonia, Georgia, CNN, Ukraine, and many other targets have been hit in this sphere in the past few years, and such attacks have been going on for nearly a decade. This talk explores the world of DDoS attacks and their growing role as an online political weapon. It also covers how Arbor Networks measured the Estonia and Georgia attacks, how other attacks are measured, and what these attacks mean for the Internet at large.
Dr. Jose Nazario is Senior Security Researcher within the office of the CTO. In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, and developing security mechanisms that are then distributed to Arbor's Peakflow platforms via the Active Threat Feed (ATF) threat detection service. Dr. Nazario's research interests include large-scale Internet trends such as reachability and topology measurement, Internet-scale events such as DDoS attacks, botnets and worms, source code analysis tools, and data mining. He is the author of the books "Defense and Detection Strategies against Internet Worms" and "Secure Architectures with OpenBSD." He earned a Ph.D. in biochemistry from Case Western Reserve University in 2002. Prior to joining Arbor Networks, he was an independent security consultant. Dr. Nazario regularly speaks at conferences worldwide, with past presentations at CanSecWest, PacSec, Blackhat, and NANOG. He also maintains WormBlog.com, a site devoted to studying worm detection and defense research.
Title: Information Security in Higher Education: Baby Steps
Description:
Higher Education is an interesting field for information security professionals. Many of the rules that we learn in infosec-school do not apply as well as they do in commercial environments. In this presentation, a number of the exceptions that make higher education such an interesting field will be discussed, and lessons that were learned after one year of starting a new security program are presented. Colleges are special places of learning, exploration and the open exchange of information. Through intellectual discussion and organized discourse, students and faculty convene to transfer knowledge and insight on esteemed topics. As idealistic as this sounds, it is truly the case.
Students and faculty are two types of users not found anywhere else. Students regularly have an ideological sense of ethics that may not always be compatible with the rest of the organization. Some students learn best through experiment, and every now and then, experiments have a tendency to go horribly wrong. Residence halls usually have high-bandwidth connections with few restrictions. Faculty are self-governing employees who are guaranteed the freedom of academic pursuit. That privilege grants a faculty member the right to work on whatever topic he or she desires, without interference or censorship from the university. In other words, the administration cannot interfere with how research and teaching are conducted, which includes the use of information resources.
The free flow of information is sacrosanct on college and university campuses. Most information security handbooks emphasize that information assets are owned by the organization. Not so in higher education: scholarly works are typically owned by the faculty member who authors them, and each individual member of faculty is in full control of who has access to which resources, under which conditions, and in which way. As information security professionals, this makes our life a little harder than it would be in a comparable commercial organization. Given the previous, starting a new information security program in an institute for higher education is a daunting task. The number of stakeholders is incredible, and just about any technical control that is going to be proposed will be subject to one very relevant question: "how will it affect the freedom of academic pursuit?"
Ignoring this question is a guaranteed road to failure. Information security managers learn that security controls must be aligned with business goals, and the business goal of a university is to provide education and to perform research. Both of these goals require that the rights of faculty and students be protected from censorship or interference. This lesson, as well as several others that we have learned the hard way, will be the topic of our talk. We will illustrate how different, yet how similar, information security work is in higher education compared to commercial environments. The most important lesson is: take baby steps. The academic institution has been around for almost two millennia, and it takes its time when faced with change. This also applies to information security.
Adam Dodge is the Information Technology Security Officer for Eastern Illinois University and runs Educational Security Incidents, a web site dedicated to tracking reported breaches that occur at colleges and universities around the world. Adam has spoken on information security in higher education at regional and national conferences.
Kees Leune works as Information Security Officer for Adelphi University and teaches a SANS Mentor Class on incident handling. He owns and operates Leune Consultancy, LLC and is the principal architect and lead developer of the Application for Incident Response Teams. Kees authors his blog at http://www.leune.org.
The complex landscape of Unicode offers a ripe area for vulnerability research and exploitation. Many public misperceptions exist around Unicode. This presentation’s intention is to educate the audience on the security issues around Unicode and Internationalized software in a clear and structured way, while giving real-world test cases and practices for finding vulnerabilities. Unicode is a universal character encoding providing the basis for processing, storage, and interchange of text data in any language in all modern software. Unicode replaces the myriad of historical character sets and encodings which have proven cumbersome and difficult for interoperability. With Unicode we get a single unified model for representing characters in almost any language past, present, and even future. While demonstrating security issues around Unicode, this presentation will draw attention to the types of issues developers need to be aware of, and the types of test cases and inputs security testers will want to know about. We’ll briefly cover the visual security issues relating to script spoofing and the ‘confusables’. Most time will be spent on finding and exploiting non-visual security issues common to Unicode-enabled software's handling of UTF-8, UTF-16, legacy code pages and transformations between them.
Chris Weber is co-founder and Managing Principal at Casaba Security where he focuses on software security testing and anti-fraud strategies for some of the world’s leading software development companies and online properties. He’s authored several security books, articles and presentations. Like most of us at this event, he’s worked as a security researcher and consultant for over a decade identifying hundreds of security vulnerabilities in many widely used products.
Chris will showcase a new passive security auditor for performing fast and painless Web-app security checks. He’ll also demo a new API being developed to protect consumers against Unicode visual spoofing attacks.
The passive auditor aims to identify tangible issues and also the ‘hot-spots’ in a web application. It’s simple to use, extensible, and being publicly released for free with over 33 checks already bundled in, and more in development. It’s a no-brainer that using such a tool can help developers, testers, and auditors perform fast sanity checks of a site.
The Spoof-Detection API is in development and being first released as a browser plugin that alerts users to potential Internationalized Domain Name spoofing attacks. Unfortunately the state of IDN is questionable, and spoofing mitigations are scattered across the registry, individual registrars, the browsers, and the IDN specs. With slow-moving specs based on Unicode 3.2 (currently we’re at Unicode 5.1), this API aims to provide more agile protection in Web browsers. Beyond IDN and browsers, the core API is designed to protect against visual spoofing in any scenario.
Chris Weber is co-founder and Managing Principal at Casaba Security where he focuses on software security testing and anti-fraud strategies for some of the world’s leading software development companies and online properties. He’s authored several security books, articles and presentations. Like most of us at this event, he’s worked as a security researcher and consultant for over a decade identifying hundreds of security vulnerabilities in many widely used products.
In this talk, I will discuss the challenges, successes, surprises, and lessons learned creating and delivering a penetration testing course for undergraduate and graduate students at NYU:Poly. The course, which ran on-campus during the Fall 2008 semester, was taught to 30 students with the help of 5 instructors from outside the university. After 6 weeks, students were given a take-home midterm that tested their ability to apply theoretical techniques discussed in class and that tracked the evolution of their "hacker's mindset." This talk presents lessons learned as "design patterns" that conference attendees can apply to their own courses to increase their effectiveness and train their own army of ninjas in a university setting. Additionally, all course material, videotaped lectures, and student work from the Fall 2008 NYU:Poly Penetration Testing and Vulnerability Analysis course have been made freely available online at: http://[check back on January 1st, 2009]/
Dan Guido recently graduated from NYU:Poly with a BS in CS and now works in the information security field at a large government organization in NYC. While a student at NYU:Poly he organized and developed capture the flag competitions, was a teaching assistant for 'Information Security Management', and helped mentor new students of security in the ISIS lab.
The never-ending debate about vulnerability disclosure has taken a new twist. In addition to "responsible disclosure" and "full disclosure," researchers are beginning to partially disclose security flaws, arguing that a phased approach to releasing information is important to ensure minimal exposure to attacks. Are they just playing the media? Overblowing minor issues? Is there common ground to be found to avoid overhyping vulnerabilities while keeping end-users secure?
Title: Attacking Layer 8: Client Side Penetration Testing
Description:
Do you have good perimeter security keeping bad guys from coming in the front door? Unfortunately for you, there are other ways of gaining access. Specifically, having your untrained users browse to places they shouldn't, open emails they shouldn't, and download and execute things they shouldn't. This presentation will address some of those issues and describe why and how to go about testing your environment for this very likely vulnerability. Client sides are the new remote exploit. If you aren't allowing client side attacks during your vulnerability assessments or penetration tests, you are ignoring a huge attack vector and the current attack method. You are also failing to exercise your internal and host-based exploitation countermeasures (HIDS/HIPS) and your ability to test and respond to client side attacks and internal attackers, and missing a valuable opportunity for user awareness training. This talk will focus on justifying why you should be allowing client side penetration testing, giving penetration testers a basic methodology to conduct client side attacks during their penetration test, and giving (mostly real-world) examples we used during client side penetration tests to go with our methodology.
Outline:
Stats on Client Side Attacks
The New Remote Exploit
Why Client Side Attacks
The User's Desktop
Client Side Pen Test Methodology
Common Client Side Pen Test Scenarios
Common Scopes Within Our Scenarios
Your Entry Points
Delivery Methods
Examples Of The Delivery Methods
Chris Gates (CG). Founder of Full Scope Security, performing full scope penetration testing and security engineering. Previous jobs include full scope penetration tester for one of the DoD Red Teams and Army Signal Officer, spending gobs of time in layer 2 and layer 3 land. EthicalHacker.net columnist and security blogger. http://carnal0wnage.blogspot.com
Vince Marvelli (g0ne). Founder of Full Scope Security, performing full scope penetration testing and security engineering. Previous jobs include full scope penetration tester for one of the DoD Red Teams, SOC architect and principal engineer, IDS architect and analyst, general IT security analyst and security blogger. https://g0ne.wordpress.com
David Kleidermacher
INTEGRITY Global Security
Title: The New Gold Standard Of Software Security
Description:
The world has become accustomed to the fail-first, patch-later mentality of insecure software. As Michael Vatis, a former director of the FBI’s National Infrastructure Protection Center, has said: “The vulnerabilities are endemic because we have whole networks and infrastructures built on software that’s insecure. Any given day, some new vulnerability pops up.” In one of the most important security achievements in history, however, an operating system has recently been certified to the highest security level (Common Criteria EAL 6+) ever achieved for any major software product. As a result, there now exists, for the first time, an open standards-based operating system that can be trusted to protect corporate intellectual property, financial records, private customer information, national secrets, and critical control systems such as the power grid. This presentation will provide an overview of the certification, including the formal methods, NSA penetration testing, and other requirements that were met. In addition, we will describe the core Principles of High Assurance Software Engineering (PHASE) that have guided development of the certified operating system and other fielded, critical systems software components and discuss how these principles can be applied to the creation of other security-critical components by developers who now have a gold standard by which to evaluate their efforts.
David Kleidermacher is Chief Technology Officer at INTEGRITY Global Security where he is responsible for the company's technology strategy and solutions. As CTO of Green Hills Software since 2002, Mr. Kleidermacher managed the technology evolution of the INTEGRITY secure operating system, of which he was one of the original developers in the 1990s. Mr. Kleidermacher is a leading authority in systems software and security, including secure operating systems, secure virtualization technology, and the application of high robustness security engineering principles to solve computing infrastructure problems. Mr. Kleidermacher has a Bachelor of Science degree in Computer Science from Cornell University and is a frequent writer and speaker on technology subjects.
How are companies impacted as they move from virtualization of systems to a complete cloud computing platform? Interestingly enough there are a number of regulatory and privacy issues to be charted before moving headlong into the future of corporate computing.
This presentation provides a high-level overview of the various things one can mean when they say 'cloud computing' and the various ways this will impact their regulatory and privacy considerations. First, it is important to understand differences in language including “compliance vs validation”, “compromised vs exposed data”, and the details behind “red flag rules”. Once a proper lexicon is defined and outlined, I’ll dispel many myths people have about cloud computing and compliance that have been hotly contested in public.
Next, I’ll discuss the various business and technical issues to consider including: third-party contracts, baseline configurations, audit logging, and client geography and demographics. Each of these plays an important role when planning the initial configuration of systems through to the point of compromise. Do companies have to use a compliant cloud network? Who is responsible for the security of the consumer data? What must companies do, at a minimum, to secure their systems? What happens in the event of a compromise if the compromised server no longer exists? This presentation will answer each of these questions to better help companies understand their requirements. These requirements are specific to cloud computing implementations due to their shared-hosting nature and the access that such companies have to the operating system.
Finally, we will touch upon the various privacy laws and legislation. Though there are too many laws to address individually, I will explain the difference between data-breach notification, state privacy laws, and federally mandated legislation, and how they apply to the cloud computing platform.
After walking through each of the pitfalls, I will show several case studies and examples of good/poor planning.
Mike Dahn is the founder of Society of Payment Security Professionals. He has taught and implemented regulatory compliance for major corporations over the past 10 years. He instructed FDIC and NCUA examiners, developed card brand regulatory programs, and has trained thousands of security professionals over the years. He has a MS in Information Assurance and sits on the national Board of Directors for InfraGard.
Dan Kaminsky
IoActive
Title: Lessons Learned: Limited, Targeted, Collaborative Disclosure and Multi-Organizational Cooperation
Description:
The DNS bug should not have mattered. For all the noise, it was really a simple, painfully obvious flaw, the effects of which should have been blunted by widespread strong cryptographic authentication. And yet, even a cursory examination of the real world of deployed systems reveals widespread if subtle security dependency on DNS. Why?
DNS offers a reliable and federated mechanism for locating services across organization boundaries, and this one task is so difficult and necessary that everything, from email to the web, from SSL certificate acquisition to Forgot My Password credential repair systems, has been built on top of it. It's not secure. But between not working, and not working securely, the Internet has chosen not working securely as the lesser evil.
So a lot broke when DNS was found wanting, even by its limited standards -- and bad guys are taking advantage of this, having attacked at least one to three percent of the remaining unpatched servers. But we need to do better. DNS has only barely been fixed, and other attacks (like BGP and WPA) offer some of the same MITM capabilities that made DNS attacks so dangerous. DNSSEC offers the potential of trust that scales as well, cross-organizationally, as the name-to-IP services we take for granted today. There are deployment headaches, of course, but these can be managed -- and not by training admins, but by automating the servers so that DNSSEC is a patch only on the order of the Source Port Randomization patch deployed last year.
We will talk about what fixing DNSSEC -- and thus, the deployment of trust for all the applications people build -- will take. And, just to keep things technical, we'll talk about a few obscure elements of BIND that have made the code in Metasploit not as effective as it might otherwise be.
Previously of Cisco and Avaya, Dan has been operating professionally in the security space since 1999. Dan focuses on design-level fault analysis, particularly against massive-scale network applications. Dan regularly collects detailed data on the health of the worldwide Internet, and recently used this data to detect the worldwide proliferation of a major rootkit.
Travis Goodspeed
Title: Wireless Sensor Networking As An Asset And A Liability
Description:
Wireless Sensor Networking (WSN) technology, as typified by Zigbee and ISA100, makes use of ultra-low power microcontrollers and LPAN radios to form self-sufficient networks. A battery-powered network can survive for a year with today's technology, with lifetimes of several years soon to come. Initiatives are in place to make this technology responsible for public utility metering, industrial process controls, home automation, and countless other things.
The first section of this lecture will focus upon the technology's use. The benefits and business utility of the technology will be presented in depth, with an aim toward 'back of the napkin' solutions to reducing costs and increasing productivity in industry. Potential gadgets and toys will also be presented.
Once it has been made clear that this technology is too valuable to overlook, the second half of this lecture will cover how wireless sensors will be exploited, years before such exploits become common. Methods of reverse engineering sensor firmware, forcibly extracting keys, and packet sniffing will all be discussed with photographs and first-hand accounts of the techniques involved.
Travis Goodspeed has been playing with wireless sensor networks for a few years now, authoring the first public example of machine code injection over 802.15.4, a reverse engineering tool for wireless sensors, and a neat little trick for circumventing the MSP430's copy protection in the process.
Title: Employing PCI Compliance Programs as a Springboard for Enterprise Security and Business Enablement
Description:
During this economic hardship, many organizations are buckling down and tightening their budgets. Unfortunately, this often means that organizations are reducing their proactive security spending, which is putting organizations and their customers at risk. However, because legislative and industry requirements for protecting sensitive data have become more stringent, compliance demands are on the rise. Companies are forced to continue spending money on PCI services to achieve and maintain compliance in order to prevent data loss, litigation, financial liabilities, and government intervention, as well as to avoid tarnishing the brand and the company’s reputation.
Departmental goals, while competitive for resources, are not divergent in their overall purpose and value they place in protecting the company’s key institutional assets. This presentation will explore strategies that embattled security departments can utilize to leverage resources dedicated to PCI DSS initiatives to address broader security risks.
The Payment Card Industry Data Security Standard (PCI DSS) is gaining acceptance as a broad set of good security practices that can be used as a baseline for an overall organizational security framework and program. While the specific focus of the PCI DSS is on credit card information, the breadth of the standard covers key areas of operational IT that need to be considered for a strong security stance; and efforts to achieve and maintain compliance with the PCI DSS can be extended to align with more wide-reaching enterprise risk management goals. In order to maintain PCI DSS compliance, it is imperative companies invest in a comprehensive and overarching information security program.
To supplement this argument, the presentation will also compare the cost associated with vulnerabilities, exposures, and breaches to the cost of security services for several industries. This data enables security managers to easily quantify to their C-Level executives the value of security in regards to total savings and ROI.
As IOActive's Director of PCI Services, Mr. Spangenberg concentrates on using his knowledge of system and network penetration, web application analysis, and security auditing to provide clients with the necessary tools to meet both Federal and Industry compliance requirements. Mr. Spangenberg has experience in the government, telecommunications, software, and financial services industries.
MacOS X has so far enjoyed a comparatively safe and malware-free existence on today's hostile Internet. While many previously believed that this was due to its superior security, public demonstrations of the Mac's vulnerability to attacks have hopefully proven otherwise. As with any technology, it is important to know both its strengths and weaknesses. This presentation will focus on the exploitability of memory corruption vulnerabilities in and on MacOS X, applying currently known techniques to a new platform as well as introducing some new techniques.
Mac OS X Leopard includes a number of runtime protection features
intended to hamper exploitation of memory corruption vulnerabilities.
These features include the Execute Disable (XD) bit on Intel
processors, Library Randomization, and Sandboxing. While some of these
features are familiar and can be seen on other systems, some of them
are unique to Mac OS X. This presentation will discuss the design,
implementation, limitations, and evasions of these defenses.
Unlike other modern systems, the MacOS X Scalable Zone (szone) heap
allocator does not protect against heap metadata overwrite exploits.
This presentation will also describe the design and implementation of
the szone allocator and demonstrate how it may be exploited with basic
heap metadata overwrites. Finally, this presentation will discuss
exploit payload construction techniques for Mac OS X, including the
necessity of vfork() in threaded applications, resolving symbols in
loaded libraries, and pure memory library injection into the
vulnerable (or any other) process using Mach system calls and dyld
function calls.
Dino Dai Zovi is an information security professional, researcher, and
author. Mr. Dai Zovi has been working in information security for
over 8 years with experience in red teaming, penetration testing, and
software security assessments at Sandia National Laboratories, @stake,
Bloomberg, and Matasano Security. He currently manages information
security for a technology-based finance firm in New York City. As an
independent researcher, Mr. Dai Zovi is a regular speaker at industry,
academic, and hacker security conferences including presentations of
his research on hardware virtualization assisted rootkits using Intel
VT-x, the KARMA wireless client security assessment toolkit, and
offensive security techniques and tools at BlackHat USA, Microsoft
BlueHat, CanSecWest, the USENIX Workshop on Offensive Technology, and
DEFCON. He has co-authored two books, "The Mac Hacker's Handbook"
and "The Art of Software Security Testing". He is perhaps best known
in the security and Mac communities for discovering the vulnerability
and writing the exploit to win the first PWN2OWN contest at CanSecWest
2007.
Title: The Frogs Who Desired A King: A Virtualization and Cloud Computing Security Fable Set To Interpretive Dance
Description:
Aesop wrote this little ditty about some discontented frogs who lived in a pond. They asked Jupiter for a
King. They got one. It ate them. The moral of this story is "be careful what you wish for."
The corresponding analog is that of virtualization and cloud security. It's coming, but it's not going to look much like what security looks like today and it's certainly not what people are expecting. In fact, it may consume us all because we're unprepared for what we're asking for.
Hoff has over 15 years of experience in high-profile global roles in network and information security architecture, engineering, operations and management. Prior to Unisys, he served as Crossbeam Systems' chief security strategist, was the CISO for a $25 billion financial services company and was founder/CTO of a national security consultancy. Hoff obviously also enjoys referencing himself in the third person.
Title: How to Respond to an Unexpected Security Incident: A Reality Check
Description:
"Best practices" emphasize the need to prepare for incident response before the security breach occurs. Build the toolkit, train the staff, test restore capabilities, document roles and responsibilities... Indeed, that is the right approach to handling security incidents in a controlled manner. What if you never found the time to prepare? In today’s reactive world, you wouldn't be alone. Security incidents are often unexpected. When they occur, stress leads to mistakes and poor decisions made in the spur of the moment. Since small and mid-sized companies rarely have a dedicated incident response staff, the responders frequently lack the confidence and expertise that comes from handling breaches on a regular basis. This talk discusses the questions an individual should ask when responding to a security incident. By having a list of such questions in advance, the responder will be able to take control of the situation quickly and assertively. The questions fall into the following 5 categories:
Understand the incident's background
Define communication parameters
Assess the incident's scope
Review the initial incident survey's results
Prepare for next incident response steps
Lenny Zeltser leads a security consulting team at Savvis. He is also a Board of Directors member at SANS Technology Institute, a SANS faculty member, and an incident handler at the Internet Storm Center. Lenny frequently speaks on security and related business topics at conferences and private summits, writes articles, and has co-authored several books. Lenny is one of the few individuals in the world who've earned the highly-regarded GIAC Security Expert (GSE) designation. He also holds the CISSP certification. Lenny has an MBA degree from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
Brian Holyfield
Gotham Digital Science
http://www.gdssecurity.com/l/b
Title: Protecting Vulnerable Web Applications With IIS7
Description:
With the advent of IIS7 and its modular design, Microsoft has provided the ability to easily integrate custom modules into the IIS7 request
pipeline. This session will present an IIS7 module designed to leverage this architecture to actively and dynamically protect web applications
from attack. With minimal configuration, the module can be used to protect virtually any application running on the web server.
This presentation will outline the overall design and architecture of the module, including a detailed explanation of available features and
attack defense techniques. The session will focus on live demonstrations of how the module can easily be installed to protect already-deployed
applications and how it can block both traditional web application attacks, such as SQL injection and Cross-Site Scripting, and application-specific
vulnerabilities like parameter manipulation and authorization attacks.
IIS7 Overview - The presentation will begin with an introduction to IIS7 and its radical new architecture versus previous versions of IIS
The IIS7 Request Pipeline
Native Modules
Installing and Configuring Custom Modules
Sample IIS7 Module (with live Demos) - The majority of the presentation will discuss and demonstrate a freely available module that can be used to provide runtime application security. Each core feature and security mechanism built into the module will be discussed in depth, along with how they compare to those typically offered by a commercial web application firewall. For each protection mechanism, a demonstration will be performed to show the audience how typical attacks (such as those included in the OWASP Top 10 List) are thwarted in real-time by the module.
Response Analysis and Dynamic Application Profiling
Active Cryptographic Protection
Links
Forms
Cookies
JavaScript Functions
Form State Tracking
Black-List Input Filtering
Benefits over traditional WAFs
Brian Holyfield is a founding member of Gotham Digital Science. He has worked in the realm of information security for over 9 years, and has deep experience identifying and exploiting software security flaws. Brian is a frequent speaker at various security conferences and was a contributing author for “Network Security Tools” (O'Reilly), where he outlined how to build automated vulnerability detection and exploit tools for web-based applications.
Title: Get Rich or Die Trying - "Making Money on the Web the Black Hat Way"
Description:
Forget Cross-Site Scripting. Forget SQL Injection. If you want to
make some serious cash on the Web silently and surreptitiously, you
don't need them. You also don't need noisy scanners, sophisticated
proxies, 0-days, or ninja level reverse engineering skills -- all you
need is a Web browser and a few black hat tricks. Generating
affiliate advertising revenue from the website traffic of others,
trading stock using corporation information passively gleaned, and
inhibiting the online purchase of sought after items to create
artificial scarcity are just a small sampling of typical hacks. The
real problem, however, is that many of these activities are not
technically illegal, they only violate terms of service.
You may have heard these referred to as business logic flaws, but that
name really doesn't do them justice. It sounds so academic and benign
in that context when the truth is anything but. These are not the same
ol' Web hacker attack techniques everyone is familiar with, but the
ones staring you in the face and often missed because they are so easy
to exploit. Plus, Intrusion Detection Systems (IDS) can't detect them
and Web application firewalls can't block them. In fact, these types
of attacks are so hard to detect (if anyone is actually trying) we
aren't even sure how widespread their use actually is.
During this presentation, Jeremiah Grossman will demonstrate how
everything from cheating at online auctions and Blackjack to
manipulating password recovery systems is done on websites every day
using business logic flaws.
Presentation will cover:
How many forms of business logic vulnerabilities commonly exploited
by attackers are routinely overlooked during QA.
Why and how the bad guys are increasing their attacks on business
logic flaws as opposed to SQL Injection and Cross-Site Scripting.
A demonstration of the ways in which a malicious user could easily
place competing bidders at a disadvantage to improve their own odds of
winning an auction.
Takeaways:
Have a better understanding of the business logic flaw concept;
Understand numerous real-world examples of this attack; and,
Be better able to defend your website from being compromised by
these techniques.
DNS Tunneling is a well known technique, and various free tools are available to play with it. However, its full power has not yet been unleashed: several of the existing tools are mostly targeted at reading email for free from an airport lounge and not at being used as a deadly post-exploitation weapon. Also, they all suffer from the fact that a DNS tunnel is painfully slow and quite easy to detect and locate.
In this talk we will introduce a few new tricks that will allow us to:
Improve the tunnel speed, by leveraging the fact that RFCs allow a lot of flexibility when crafting DNS packets.
Make the DNS tunnel a lot harder to detect, by spoofing the source IP address of the queries, therefore spreading the traffic signature among all the hosts of the subnet.
Of course there will be a demo, in which we will introduce a first version of Heyoka, a brand new tool implementing these ideas.
Alberto (aka icesurfer) lives and works in London, where he enjoys the bad weather and the astronomical cost of living. He works as a penetration tester and researcher for Portcullis Computer Security, spending most of his time breaking into web applications and into anything else that happens to tickle his curiosity. He has co-authored the OWASP Testing Guide and developed sqlninja, an open source SQL Server exploitation toolkit (http://sqlninja.sourceforge.net)
Nico got his degree in Computer Science at the Karl-Ruprechts University of Heidelberg, Germany, with a thesis on an authority-based extension to the ARP protocol to prevent MITM attacks. He now works as a penetration tester for Portcullis Computer Security, and in his spare time enjoys analyzing the security of databases (http://www.leidecker.info/downloads/Having_Fun_With_PostgreSQL.pdf) and developing various security tools (http://www.leidecker.info/projects/)
Rob Cheyne
Safelight Security Advisors
Art Papas
Bullhorn
Walter Kuketz
Collaborative Consulting
Adriel Desautels
Netragard
Gene Meltser
Neohapsis
Title: Panel: Tug Of War Between Business And Security
Description:
In real-world situations, we often find ourselves struggling to find a reasonable balance between business and security. The end result is that we often make compromises that result in severe vulnerabilities or we try to be so secure that people can't get their job done. With recent security breaches potentially costing billions, we can no longer afford to allow this tug-o-war to continue.
Whether you are on the business or security side of things, you can't afford to miss this session. You will hear industry leaders share their valuable experience and perspectives in a discussion of the delicate balance between business, technical & security requirements, and together we will find an acceptable middle-ground.
This session is a continuation of a conversation that began at last year's Source:Boston conference.
Throughout his career, Art Papas has led the charge for developing web-based applications that improve business processes, promote collaboration and reduce inefficiencies. Bullhorn was founded on Art's technological vision and acumen, which continue to impact the day-to-day business operations of staffing and recruiting firms around the world.
As CEO, Art helped Bullhorn become one of the few companies launched in 1999 to successfully navigate the technology recession. He has driven the company to sustained long-term profitability with a client base of over 13,000 users, attracting more than $26 million from investors.
Art has a long history of incorporating innovative and cutting-edge technology to bring about new approaches to traditional business models. Art was the first to develop web-based applications for numerous leading-edge firms in the medical/pharmaceutical, software and financial services industries. He is also founder of the Internet services firm Papillon Software, which specializes in building web-based applications for companies seeking FDA approval for new medications or products.
Prior to founding Papillon Software, Art was a manager and software engineer at GammaGraphX, Inc., a Massachusetts based document imaging software company. Art led GammaGraphX into web-based applications, managing the launch of both the IQTrack and Quality Database products. Prior to GammaGraphX, in his role as software engineer at Thomson Financial Services, Art co-designed and built First Call Insight, a core offering in the First Call product suite. He was also involved in the development of the First Call Research Direct product.
Art currently serves on the board of directors of Portfolio Science.
Art is a Phi Beta Kappa, summa cum laude graduate of Tufts University, holding a bachelor of science degree in Mathematics.
Walter defines Collaborative’s technical strategy, and helps establish its overall direction. He established the company’s flagship performance engineering methodology, and has helped expand its capabilities and services. Currently, Walter is working on the performance aspects of web services, including an assessment of the scalability and performance characteristics of emerging technologies. He focuses on Service-Oriented Architectures and is a key member of the Mass Technology Leadership Council and the Object Management Group. A prolific author and thought leader, Walter has published numerous papers, most notably Real Options Analysis. And, as a nationally recognized technologist, he is frequently featured in industry publications, and often speaks at conferences and other events.
Gene Meltser is currently a Senior Consultant at Neohapsis, an IT risk management and security services company. Gene has been involved in the security field since 1998 and has led and performed numerous security assessments, penetration tests, and security architecture projects for clients in the financial, health care, telecommunications and other industries. Gene has unique visibility into the various IT and security structures and organizations of his clients, which allows him to provide unbiased advice and insight while helping balance security with business and regulatory requirements.
Prior to Neohapsis Gene was a security consultant at @stake, a security consulting pioneer which was acquired by Symantec in 2004. While at Symantec, Gene co-founded the Symantec Vulnerability Research group, which was responsible for the first vulnerability advisory release in 20 years of Symantec's history.
Gene Meltser holds a B.S. degree in Computer Science and Engineering from the University of Connecticut.
Adriel T. Desautels is a senior partner and co-founder at Netragard LLC. He is also a leader in the IT Security industry and specializes in the delivery of advanced anti-hacking services. Prior to founding Netragard with his partner David Morris, Adriel founded the internationally recognized SNOsoft Research Team, which quickly became the think tank for Adriel’s first company, Secure Network Operations, Inc. Today SNOsoft is run and managed by Netragard, LLC and continues to perform bleeding edge security research.
Adriel also has extensive expertise in the design and deployment of sophisticated Intrusion Detection and Intrusion Prevention (IDS/IPS) technologies. In early 2002 Adriel designed an IDS/IPS technology with powerful correlation capabilities that was later acquired by a private third party. As a result of his expertise Adriel has acted as an expert witness in U.S. Federal Court and still continues to offer expert witness services today.
Adriel’s primary responsibilities at Netragard are to design and manage all of Netragard’s professional service offerings. In doing so Adriel focuses on delivering services that will produce a threat level that is greater than or equal to the threat that Netragard’s customers will face in the real world. Testing at this intense level enables Netragard to protect its customers from real world threats. Adriel’s secondary responsibility is to run Netragard’s Exploit Acquisition Program (EAP). EAP is designed to acquire bleeding edge, high value research from the hacking community.
Erik Cabetas
Title: Vulnerabilities in Application Interpreters and Runtimes
Title: Binary Clone Wars: Software Whitelisting for Malware Prevention and Coordinated Incident Response
Description:
Data/code/binary file similarity analysis, anomaly specification and signature detection methods, whether applied statically, dynamically or in concert, have failed miserably (i.e. in real-world user acceptance testing) whenever applied to data/code/binary file feature recognition. PTH (Pass the Hash) is a hash database whitelist system which leverages the positive feature identification methods employed throughout P2P file-sharing networks. Adaptation of Merkle / Tiger tree data structures enables efficient, high-speed full and partial file identification with surprising applications, some of which dramatically alter the majority of incident response best practices, effectively closing the "analysis gap". Tiger tree data structures are compiled in such a way as to allow arbitrarily sliced file fragments to be positively identified. Predominantly implemented for the purposes of P2P file sharing, they can also be used as a security analysis tool.
Tiger trees enable instantaneous recognition of system memory artifacts, pagefile, raw disk and other BLOB (Binary Large OBject) input. Our (Security Objectives’) solution, which leverages these concepts, provides a facility for querying and submitting to our database, in order to provide an anonymized communication system for security analysts: researcher A, having found a solution that exterminates MAL-Variant-A, can submit a record with associated details so that when researcher B performs a query for any given fragment of MAL-Variant-A, they may be allowed (if researcher A has signaled) to communicate via private real-time chat or message boxes and solicit expertise. Pass The Hash enables a B2B capability derived from a P2P technology, delivered at Internet speeds, to combat any MAL variant's flash outbreak.
The flexibility of this model allows for Merkle trees to be derived from static, dynamic and hybrid methods. They can be iteratively applied over time to memory snapshots of executing malcode, yielding hash records based on internal binary data that is difficult to quickly modify. Calculating hashes of these internal structures, which retain a more consistent state than the associated polymorphic payloads, vastly improves the positive identification and categorization of malware. To this end, an effective MBL (Malware RBL) has been built. The initial framework implementation executes crypto++ over a WPF GUI for novice users, while more advanced users can take advantage of the IronPython/DLR interfaces. PTH is planned to become an open development project in mid-2009.
Shane Alexander Macaulay is a world class IT Security Specialist. Shane has a deep and broad security view--systems ranging from every major flavor of UNIX, Microsoft and network operating systems. He has made numerous contributions to the security community through various papers, books and revolutionary technical applications.
Recently, he created a suite of tools and applications for reverse engineering attack code. This suite is continuously evolving based on feedback and discoveries from incident response projects. The majority of his work over the past several years has focused on software assurance and reversing malware. Mr. Macaulay devised custom key space reduction entropy attacks for use against malware during a recent incident response. The malware used a challenge-response key exchange to mask its underlying data stream. He crafted a custom snort plug-in (Windows and Unix) that alerted, cracked and performed endpoint application protocol spoofing against the identified malcode. A genetic filesystem sanitization tool was used across an enterprise of over one hundred thousand hosts. Mr. Macaulay has audited proprietary source code for security vulnerabilities.
Being proficient at discovering unknown vulnerabilities in custom software applications, Mr. Macaulay has of late primarily focused on proprietary software for the Microsoft platform. He has led many teams internally at Microsoft spanning virtually every product division. Mr. Macaulay is a widely known source of extraordinary security information. He is frequently requested to speak at public industry and private government-only conferences. Mr. Macaulay has co-authored and developed ideas for three published books and has also written multiple IEEE Journal entries. Mr. Macaulay is an alumni member of the international security group The Honeynet Project. The primary objective of the members is to study Blackhat methods and techniques in order to gain an understanding of their typical patterns. The group is hosted at http://www.honeynet.org. The tools, techniques and papers that the group produces further the overall awareness of the security community while advancing the state of defensive countermeasures.
Benjamin Jackson
Commonwealth Of Massachusetts Information Technology Division
Title: Massachusetts Data Breach Laws, Regulations, and Responsibilities
Description:
Massachusetts has taken great leaps regarding data breach notification over the past years. In 2007, the Governor signed the Data Breach Notification Law, which requires businesses and government agencies to notify residents and designated officials when data breaches occur. In 2008, the Governor issued Executive Order 504, which mandates that all confidential information stored by Commonwealth agencies meet approved security guidelines. In 2009, the Massachusetts Office for Consumer Affairs and Business Regulation started enforcing 201 CMR 17.00, titled "Standards for The Protection of Personal Information of Residents of the Commonwealth." This presentation discusses such issues as: How do these new laws and regulations affect entities doing business in the Commonwealth? How effective are they? What situations apply? Who must be notified and when? How is "personal information" defined and classified? And, how is the Commonwealth making sure its own store is in order?
Ben Jackson is a Senior Security Engineer at the Commonwealth of Massachusetts Information Technology Division. He spends his days doing risk assessments, penetration tests, and generally breaking things. Ben co-wrote “Asterisk Hacking” by Elsevier publishing, holds a GCIA certification, and has spoken at various technical and industry conferences.
Title: Horseless Carriage Exploits and Eavesdropping Defenses
Description:
An exploration of the modern eavesdropping threat posed by automobiles and other motor vehicles, the common penetration points exploited by eavesdroppers and spies, and methods of detecting such penetrations. The use, misuse, and exploitation of cellular communications, tracking devices, and related systems will also be presented, including examples of prior penetrations, hacks, and attacks. The talk will include information on specific methods which may be used by both the engineer and the layman to detect, locate, and counter fairly sophisticated vehicle-based surveillance systems.
James M. Atkinson is the President and Senior Engineer of Granite Island Group and has earned the respect of the most prestigious public and private global client base, specializing in the protection of classified, confidential, privileged, or private information against technical attack, eavesdropping, or exploitation.
Carole Fennelly
Tenable Network Security
Title: Maximizing ROI on Vulnerability Management
Description:
Lots of organizations have a vulnerability management program. After all, compliance standards such as ISO 27001 require it. So, we can all rest assured that deploying SIMs and sticking an official sounding title on a former network engineer should take care of that little checkmark, right? Well, of course not. Many organizations go through the expense of establishing a formal vulnerability management program, considering it a cost of doing business. What if you could have a vulnerability management program that actually is effective *and* saves money?! This presentation describes how to plan and tune your vulnerability management program to maximize the return on your investment.
Carole Fennelly is an information security professional with over 25 years of hands-on experience in the information security field. She is the author of numerous articles for IT World, SunWorld and Information Security Magazine, as well as a frequent speaker at the Black Hat Briefings. Ms. Fennelly is presently the Director of Content and Documentation for Tenable Network Security.
Anti-debugging is the implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging of a target binary. Anti-debugging techniques can be seen in use as commercial software protection, binary packing protection, and even in a nefarious way in today’s malware. While no single layer of security is a silver bullet, an understanding of the latest anti-debugging techniques and their use in common code can help developers to implement an additional layer of security into their applications. Adding anti-debugging routines into the development process can make the analysis and subsequent breakdown of the application a significantly more difficult and time consuming process.
The bulk of research conducted in the area of anti-debugging is positioned from the point of view of a security researcher or reverse engineer. Advanced debugging is traditionally the realm of high-expertise QA efforts, exploit development, reverse engineering, malware analysis experts, and software pirates. Because of this, much of the researched data is presented using assembly language constructs and requires a reasonably deep working knowledge of machine-level programming. Limited output has been produced that allows developers straightforward access to the high-level code and methods used in anti-debugging.
The problem this presents is a lack of education and awareness of anti-debugging methods by software engineers and a low adoption rate of even the most trivial anti-debugging methods.
During this presentation I will cover a number of the known methods of anti-debugging in a fashion that should be easy to implement for a developer of moderate expertise. Specific classes of anti-debugging to be covered include API based anti-debugging, exception based anti-debugging, direct process and thread block detections, modified code detection, hardware and register based anti-debugging, and timing checks. Upon completion of the presentation the audience should leave with a reasonable awareness of anti-debugging techniques in use today and an understanding of the basic methods with which they can implement them in their own development projects.
A brief background will be given on the history of anti-debugging and a clear definition of the problem and terms. Next, the positive role anti-debugging can play in making reverse engineering a difficult process will be discussed. I will conclude with a walkthrough of a number of anti-debugging methods. The presentation will contain demonstration source code, whenever possible, and a line by line explanation of how each anti-debugging technique operates. The goal of the presentation is to educate software engineers with regard to anti-debugging methods and to ease the burden of implementation.
Title: From The Garage To NASDAQ With Open Source: The Sourcefire Experience
Description:
In 1998 Martin Roesch wrote the first line of code that became Snort, the Open Source intrusion detection and prevention system that has become the de facto standard world-wide for this critical internet security capability. Today the Snort project forms the core technology of Sourcefire, the first internet security company to IPO since 2001. Join Martin as he talks about the path he took from building a successful open source project to starting, funding, growing and IPOing Sourcefire.
Martin Roesch founded Sourcefire in 2001 and serves as its Chief Technology Officer. A respected authority on intrusion prevention and detection technology and forensics, he is responsible for the technical direction and product development efforts. Martin, who has 17 years of industry experience in network security and embedded systems engineering, is also the author and lead developer of the SNORT® Intrusion Prevention and Detection System (www.snort.org) that forms the foundation for the Sourcefire 3D System.
Title: The Economics Of Cybercrime And The Law Of Malware Probability
Description:
There are many factors influencing the behavior of cybercriminals, and these factors can be quantified and related to one another for understanding the likelihood of a given methodology’s use on the Internet and the relative probability of a given exploit arising. An understanding of these factors lends itself well to understanding implications for business, government and the general public; and in fact leads to a simple Law of Malware Probability: As the combined attractiveness of computers and networks (and the information they contain) increases, so does the likelihood of an exploit rise; and as the cost and risk increase, the likelihood of an exploit decreases. This can be described as follows:
$$
{?}_m \propto \frac{V_m \cdot N_m \cdot I_m}{(D_m + E_m + T_m) \cdot (L_m \cdot P_m)}
$$
There are numerous theories regarding human behavior, benign and criminal. However, there are surprisingly few academic studies into the motivations of malware writers, and very few in particular around those who ply their skills in service of a commercial agenda. Nevertheless, the last 5 years has seen not just tremendous growth in the number and diversity of malware on the Internet, it has also seen a remarkable shift from Cyber-vandalism and hobby-based malware to financially motivated cybercrime. With this shift, we can now look at the phenomenon from an economic point-of-view, and we can begin to apply theories that have been used to study other economic, social and political events to the emerging attack techniques on the Internet.
This presentation outlines a simple formula that it is hoped will help people understand malignant online behavior better. For governments and corporations, risk models help with planning, risk management and protecting missions for the former and new business ventures for the latter. For researchers and academics, this presentation will hopefully encourage investigation and quantification and, in combination with more rigorous academic studies, will ideally lead to new breakthroughs in defense and preparation. Lastly, for the lay person and casual reader, it is hoped that this will be entertaining fodder for thought experiments, but more importantly, it is hoped that this presentation will motivate us all to realize our duties as Internet and real world citizens at defending not only our computers and our networks but also at understanding legislation, public initiatives and events in which we all participate and which we all witness, day-in and day-out.
18 years of experience in information technology, security, and risk management. Currently Chief Technology Officer of BigFix, an enterprise systems and security management solution provider. Held a variety of engineering, management and consulting positions prior to joining BigFix. Most recently, a research director at Gartner, Inc.
Sam Curry is the Vice President of Product Management and Strategy at RSA, The Security Division of EMC. Mr. Curry has more than 14 years of experience in security product management, marketing, product development, quality assurance, support, sales and marketing. Mr. Curry has also been a cryptographer, researcher and writer. At RSA, Mr. Curry leads and sets the strategic direction for all aspects of product management for RSA's solutions.
Prior to joining RSA, Mr. Curry was Vice President of Product Management and Marketing for a broad information security management portfolio at CA. Previously, Mr. Curry was Chief Security Architect and Product Line Manager at Network Associates and also led Product Management and Marketing at McAfee. Earlier, Mr. Curry was a founder of two successful technology companies.
Mr. Curry holds a B.A. in English from Mount Allison University and a B.S. in Physics from the University of Massachusetts.
Brandon Dunlap
Brightfly
Title: Crowdsourcing Compliance: An Introduction to Peer-Reviewed Due Care
Attackers have been increasingly using the web and client-side attacks in order to steal information from targets. Some of the more interesting and widespread attacks seem to be originating from countries like China and Russia. This talk will describe some of these attacks in detail, including how they are achieving large numbers of penetrations, their web infrastructures and some of the mistakes they have made which have allowed us to track them back further. This information will provide some evidence as to where these attacks are truly originating from and what their purposes are. We will describe in detail the techniques used by these attackers including source code samples, JavaScript and binary obfuscation methods, malware, client-side exploits and SQL injection. We will show real case studies, log analysis, and packet captures. This talk will be broken up into two main parts, each covering a particular attack in depth. Part one focuses on a specific type of malware attack which begins with "blog spam". Blog spam is a series of comments posted in response to legitimate blog posts. In this case the multilingual spam contains links to sites hosting a complex series of web exploits, ultimately leading back to China and Russia. Due to a mistake the attackers made, they likely revealed their home DSL IP, which we will present here. Part two focuses on a more recent attack which has been targeted against thousands of sites, including at least one moderately large vendor. The goal of this attack is to add a small snippet of code to legitimate webpages which deploys a complex sieve of web exploits to the customers and visitors of these sites. Most recently these attackers included the recent IE07 0day, which shows their capability for rapid adaptation.
The Internet continues to grow at an incredible rate due to a variety of factors: emerging markets providing infrastructure for private citizens, continued penetration into already connected societies, etc. What new threats will emerge as both law-abiding Net-izens and dubious users look to access (or exploit) this vital resource?
We will explore a variety of current trends and their security implications for 2009, including mobility, state-sponsored attacks, Internet crimes, money laundering, cloud computing and more. In addition to these challenges, we will consider the security response, including innovations that have emerged to address the sheer volume that has overwhelmed traditional approaches.
Dov Yoran is a co-founder and partner of MetroSITE Group, a firm that provides information security and market advisory services to security decision makers at F500 organizations and to emerging technology companies. Previously he was VP for Strategic Alliances at Solutionary, a leading MSSP, where he was responsible for partnerships, channel revenue and marketing efforts. Prior to that, Dov managed the Services Partner Program, having global responsibility for creating, launching and managing the channel reseller program at Symantec. He came to Symantec as part of the Riptech acquisition, where he led channel strategy, marketing and sales operations. He began his career with Accenture (formerly Andersen Consulting), where he focused on technology and strategy engagements in the Financial Services Industry. Dov holds an MS in Eng Mngt and Sys Eng with a concentration in Information Security Mngt from GWU and is a cum laude graduate with a BS in Chemistry from Tufts University.
Jeff Bardin received the 2007 RSA Conference award for Excellence in the Field of Security Practices and won the 2007 SC Magazine Award for Best Security Team. He has been a CISO, CSO, and CIO; he currently serves as a Principal at Treadstone 71.
Mr. Howard is responsible for the day-to-day intelligence gathering operations at iDefense. Prior to iDefense, he ran the Intel and Security Operations Center teams at Counterpane Internet Security. He is a retired US Army officer and spent the last two years of his career leading the Army CERT.
As special assistant to the Trend Micro CTO, Anthony Arrott manages the company’s threat analytics operations. Dr. Arrott previously served as Director of Threat Research at anti-spyware provider InterMute. Earlier, after receiving degrees from McGill and MIT, he founded scientific instrumentation company Payload Systems and worked at Arthur D. Little.
Dr. Hallam-Baker has made significant contributions to numerous Web protocols including HTTP, XKMS and SAML. He has been an early and influential participant in many Internet institutions including APWG and CA/Browser Forum. His first book, The dotCrime Manifesto: How to Stop Internet Crime was published in 2008.
Title: Secure Voice Communications - The Missing Piece in Mobile Security
Description:
Mobile security solutions focus on data to the exclusion of all else. When it comes to voice over mobile phones, the user is left naked in terms of security. This presentation will discuss the threat envelope, risks and best practices for securing mobile devices across the broad spectrum of applications: everything from e-mail, instant messaging and of course, mobile voice.
How mobile voice is breached will also be discussed and illustrative examples of how voice can be intercepted with simple, inexpensive products will be presented. The dilemma facing OEMs who design these mobile devices and the numerous security challenges they face and the trade-offs that must be made to deliver a product will also be shown.
Tony is the inventor of KoolSpan’s TrustChip, a remarkable self-contained cryptographic solution designed in an industry standard microSD card. In 28 years of developing wireless technologies, Tony Fascenda has been awarded twelve individual patents and has taken three separate wireless companies from startup to acquisition. Tony's first foray into wireless began in the late 70s with the development of a first-of-its-kind wireless timing and scoring system for Formula One and Indy 500 auto racing.
Tony built his first company, DataSpeed, around the wireless timing system, and adapted the technology to create QuoTrek, the first handheld, wireless device for real-time tracking of stock quotes. Tony took DataSpeed public in 1982, and it was then acquired by Lotus in 1985. The QuoTrek devices are still in use today under the Signal brand. Tony then formed NewsPager Corporation of America, which developed and marketed the NewsPager device for tracking real-time financial information. NewsPager devices were licensed in 18 countries and licensed for manufacture to Uniden, Motorola, Philips, and Oi Electric. NewsPager was acquired by Motorola in 1997. In the late 1990s, Tony worked with Bethesda-based Mobeo to develop a real-time foreign currency rate reporting system. Mobeo was acquired by Aether Systems in 1999 and subsequently went public.
A professional interest in RF and Wi-Fi technology led Tony to form KoolSpan with two former colleagues. With KoolSpan, Tony saw an opportunity to solve the problem of gaps in Wi-Fi security with an elegant, inexpensive security product based on pre-existing and highly secure Smart Cards already widely used in GSM wireless phones. This led to the creation of an entirely new authentication and security technology that doesn't use certificates — one that works independently of wired/wireless and local/remote connections. Tony has filed 18 patents (3 of which have been awarded) covering the KoolSpan solution, both broadly and specifically.
Tony holds a BS in Electrical Engineering from Drexel University. At Penn State, Tony developed a master's thesis on Formula One racing that eventually led to the creation of his first company and his work in wireless.
Tony has been awarded patent protection over a four-decade span. His patent history is about to be eclipsed by the filings in KoolSpan. KoolSpan currently has fifteen patent applications on file for KoolSpan.
Title: Student Meet-Up
Description:
The purpose of this meet-up/reception is to provide student attendees with an opportunity to network with other students, as well as an overview of challenges and practical considerations related to breaking into the field of security. Emphasis will be placed on identifying specific potential roadblocks relevant to students and emerging professionals. Attendees will be provided with suggestions on how to gain entry and establish professional relationships in the field of security. Discussion leaders, ranging from students to experienced security experts, will share their experiences as well as raise questions for discussion related to the topic.
Title: Security Start-Up Event
Description:
Do you have an idea for a security-related start-up that you would like to get feedback on? Ever wonder what you need to do to get a company up and running? Meet with our panel of experts (members of the venture capital and management community, experienced entrepreneurs, and theoretical experts) in private, confidential one-on-one sessions and ask the questions you've always wanted to ask but never knew who would give you the answers.
Please join us as we celebrate the 2nd year of SOURCE Boston and welcome our newest conference, SOURCE Barcelona. This Spanish-themed reception will offer tapas, Spanish music, and opportunities to win Spanish goods (cava, chorizo, a gift certificate to a local Spanish restaurant).
Title: Peer-To-Peer Discussion Groups
Description:
These discussion groups are an opportunity for attendees to meet and to discuss with individuals who are interested in similar topics in security. Interested in hosting a group? Email dgroups@sourceconference.com with your topic and brief overview of your topic and intended audience.
Are you a member of Security Twits? Please email zach@n0where.org to RSVP for the Security Twitter Reception.
Title: Exhibit Hall Reception
Description:
Join us in the Exhibit Hall to learn about recent developments.
Peter Kuper
HypAdvisor Consulting LLC
Description:
Peter has been following the software industry for over a decade, offering strategic and financial advice for some of the most successful public and private companies. Over his years as a Wall Street analyst, including as head Software Analyst for Morgan Stanley, he has led or advised in the majority of financial transactions in the software industry, including 14 Initial Public Offerings, multiple secondary public offerings, convertible debt, and private placement efforts. He has also published a number of key industry research pieces advising clients on the direction of the software industry and opportunities for investment, including IT is All About the Data and Data: The Last Perimeter of Defense. Peter is often solicited by the media, including multiple television appearances (CNBC, Bloomberg, New England Business Channel) and quotes in numerous publications including The Wall Street Journal, The New York Times, The Financial Times, Barron's, BusinessWeek and Forbes. He is also a frequent public speaker, including as keynote at the Cisco Global Sales Conference, the Micromuse European Users Conference and Source Boston. Peter is also a Faculty member of the Institute for Applied Network Security and an advisory board member for the Information and Infrastructure Integrity Initiative (IIII) at the Pacific Northwest National Labs. Peter is currently the Managing Partner of HypAdvisor Consulting, where he works directly with public and private technology companies.
Marcus Ranum
Tenable Network Security
Description:
Marcus J. Ranum, Chief Security Officer of Tenable Network Security, Inc., is a world-renowned expert on security system design and implementation. Since the late 1980's, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC "Clue" award for service to the security community, and also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by the Techno Security Conference.
Amit Yoran
NetWitness Corporation
Description:
Since completing a management buyout from Mantech in 2006, Amit Yoran has served as the Chairman and CEO of NetWitness Corporation, a leading provider of network security analytic products. Prior to NetWitness he was Director of the National Cyber Security Division of Homeland Security, and served as CEO and advisor to In-Q-Tel, the venture capital arm of the CIA. Formerly Mr. Yoran served as the Vice President of Worldwide Managed Security Services at the Symantec Corporation. Mr. Yoran was the co-founder of Riptech, a market-leading IT security company, and served as its CEO until the company was acquired by Symantec in 2002. He formerly served as an officer in the United States Air Force in the Department of Defense's Computer Emergency Response Team.
Mr. Yoran serves as an independent director on the boards of several innovative security technology companies, including Guardium, Digital Sandbox, and IronKey. He previously served on the board of Cyota until the company's acquisition by RSA in 2006, on the board of Guidance Software (GUID) through the company's successful IPO in 2007, and as an advisor to Intruvert Networks until the company's acquisition by McAfee in 2003.
Mr. Yoran received a Master of Science degree from the George Washington University and Bachelor of Science from the United States Military Academy at West Point.
Ron Gula
Tenable Network Security
Description:
Tenable CTO and co-founder Ron Gula will personally demonstrate our approach to Unified Security Monitoring. In a short time, you will see how your organization can monitor for PCI and FDCC violations without sacrificing situational awareness or running a wide variety of multi-vendor security solutions. Mr. Gula will demonstrate how vulnerability and configuration monitoring is directly linked with real-time event and log analysis, and how Tenable solutions can help organizations keep their network security obtainable and defensible.
Mr. Gula is known in the global security community as a visionary, innovator, and engineer of extraordinary talent. He traces his passion for his work in security to starting his career in information security at the National Security Agency conducting penetration tests of government networks and performing advanced vulnerability research.
Since co-founding Tenable in 2002, Mr. Gula has been CEO and CTO at Tenable, maker of the world renowned Nessus Vulnerability Scanner and Unified Security Monitoring enterprise solution. As CEO/CTO of Tenable, he is responsible for product strategy, research and development, and product design and development. Mr. Gula is also a leader in his community and a passionate advocate for education and scientific research.
Prior to Tenable, Mr. Gula was the original author of the Dragon IDS and CTO of Network Security Wizards which was acquired by Enterasys Networks. At Enterasys, Mr. Gula was Vice President of IDS Products and worked with many top financial, government, security service providers and commercial companies to help deploy and monitor large IDS installations. Mr. Gula was also the Director of Risk Mitigation for US Internetworking and was responsible for intrusion detection and vulnerability detection for one of the first application service providers. Mr. Gula worked for BBN and GTE Internetworking where he conducted security assessments as a consultant, helped to develop one of the first commercial network honeypots and helped develop security policies for large carrier-class networks. Mr. Gula began his career in information security while working at the National Security Agency.
Mr. Gula has a BS from Clarkson University and an MSEE from the University of Southern Illinois. Ron Gula was the recipient of the 2004 Techno Security Conference "Industry Professional of the Year" award.
Adrian Lane
Securosis
Title: TBD
Description:
We will follow the progression of data breaches and highlight some of the problems that most enterprises fail to address, and then examine uses of encryption to address issues of security within the context of business processing.
Why they fail: A look at breaches and data security.
Why encrypt data? Where to encrypt data? What are the pros and cons of different solutions?
The weakest link: The need for a complete program.
Encryption as part of the business process.
Adrian Lane is a Senior Security Strategist with 22 years of industry experience, bringing over a decade of C-level executive expertise to the Securosis team. Mr. Lane specializes in database architecture and data security. With extensive experience as a member of the vendor community, including positions at Ingres & Oracle; as well as an IT customer in the CIO role; Adrian brings a business-oriented perspective to security implementations. Prior to joining Securosis, Adrian was CTO at the database security firm IPLocks, where he was responsible for product & technology vision, market strategy, PR, and security evangelism. Mr. Lane also served as Vice President of Engineering at Touchpoint, for three years as CIO of the brokerage CPMi, and for two years as CTO of the security and digital rights management firm Transactor/Brodia. Mr. Lane is a Computer Science graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University.
As the economy has continued to act like the world's largest roller-coaster, many Information Security professionals have found themselves reevaluating their careers and their value in the marketplace. With the coming months full of continuing uncertainty, taking responsibility for the management of one's own career is more important than ever. During their presentation, career coaches Mike Murray and Lee Kushner will discuss strategies that will enable you to continue to differentiate yourself from your peers, make wise career investments, and help you prepare for uncertain times. In addition, they will discuss career "incident response" strategies that will help guide you if you fall victim to an unplanned and unexpected "career hack". Attendees should leave the session as more effective career managers and better prepared for the future Information Security employment market.
Mike Murray is currently the managing partner of Michael Murray and Associates, as well as the CISO and lead trainer at Foreground Security and The Hacker Academy. He has spent his entire career in information security, from his work in the late 90's as a penetration tester and vulnerability researcher to leadership positions at nCircle, Neohapsis and Liberty Mutual Insurance Group. Mike's interests and aptitudes are broad - he and his team at Michael Murray and Associates, LLC focus on assisting information security organizations with their human systems, from their information security awareness to their organizational design and efficiency and the career paths of the individuals within the industry. His focus at Foreground Security is to lead Foreground's security engagements and training organization, assisting with curriculum and methodology development, staff development, and security planning and execution.
Mike is a widely renowned speaker, and his talks on a wide variety of topics have been seen at major conferences like RSA, SOURCE, InfoSecurity Canada and Defcon. Mike's thoughts on security can be found on his blog at Episteme.ca, and his work on helping build careers can be found at ConnectedCareer.com. He has written technical articles in publications including BusinessWeek Online and Sys Admin, as well as a regular column on EthicalHacker.net.
Lee Kushner is the President of LJ Kushner and Associates, LLC, an Executive Search firm dedicated exclusively to the Information Security industry and its professionals. For the past thirteen years, he has successfully represented Fortune 2000 companies, information security software companies, information security services organizations and large technology firms in enabling them to locate, attract, hire, and retain top level information security talent. Throughout his career, he has provided career management and career coaching to information security professionals at various stages of their professional development. He is a regular speaker and industry contributor on topics that include career planning, interview preparation, and employee recruitment and retention.
With the ever-growing amount of data collected in IT environments, we need new methods and tools to deal with them. Event and Log Analysis is becoming one of the main tools for analysts to investigate and comprehend the state of their networks, hosts, applications, and business processes. Recent developments, such as regulatory compliance and an increased focus on insider threat have increased the demand for analytical tools to help in the process. At the core of this analysis is the need to search through large quantities of IT data with the ability to report and alert on this data. Learn how Fortune 500 and government organizations are using Splunk to protect themselves against fraud and misuse, and as a valuable tool in their network security and compliance reporting toolboxes.
Robert Fox, Splunk Manager: Mr. Fox has over 20 years of experience designing and running highly available, secure data centers for financial and media organizations. He has adopted a pragmatic approach to IT problem solving that embraces both the adoption of appropriate technologies and an understanding of business-driven requirements. Prior to joining Splunk in 2006, Mr. Fox held engineering positions at Sun Microsystems, Veritas (now Symantec) and several other technology and financial services companies.
You are an information security practitioner who finds themselves responsible for the security of their organization's data. From an application perspective you are most likely looking at hundreds, if not thousands, of internet-facing domains. How do you prioritize one over another? How do you do this on time and on budget? This presentation aims to provide answers to these classic challenges. Sahba Kazerooni of Security Compass will present a real-world case study where the requirement is simple: reduce the risk to an organization from an external attacker's perspective. The discussion is interwoven with lessons of attack surface discovery, risk analysis and application assessment methodology.
Sahba Kazerooni is a Principal Consultant at Security Compass, a consulting and training firm specializing in application security. At Security Compass he harvests his blend of development and security knowledge in threat modeling, runtime security assessment, and source code review of client applications while at the same time leveraging his field experience to deliver Security Compass' one-of-a-kind training curriculum. Sahba is also an internationally-renowned speaker on security topics. He has presented at conferences around the world; he delivers Java secure coding training at the SANS Institute; and he has also provided numerous presentations through ISC2 to their elite network of certified information security professionals.
This session will be an in-depth look at a number of mobile device platforms. We will examine their similarities and derive a list of their weaknesses. A theoretical attack on a number of devices will be presented along with a proof-of-concept demo.
Devices examined will include BlackBerry, Windows Mobile, Symbian, iPhone, and Android. Come and learn about this wide array of mobile devices and what to look for in both attack and defense scenarios. Recommendations for mobile device vendors, programmers, and users will be presented.
Christien Rioux, co-founder and chief scientist of Veracode, is responsible for the technical vision and design of Veracode’s advanced security technology. Working with the engineering team, his primary role is the design of new algorithms and security analysis techniques.
Before founding Veracode, Mr. Rioux founded @stake, a security consultancy, as well as L0pht Heavy Industries, a renowned security think tank. Mr. Rioux was a research scientist at @stake, where he was responsible for developing new software analysis techniques and for applying cutting edge research to solve difficult security problems. He also led and managed the development for a new enterprise security product in 2000 known as the SmartRisk Analyzer (SRA), a binary analysis tool and its patented algorithms, and has been responsible for its growth and development for the past five years.