SOURCE Boston 2015
May 25-28, 2015
Marriott Courtyard
Boston, MA, USA
CFP Status: OPEN
SOURCE Dublin 2015
Trinity College
Dublin, Ireland
SOURCE Seattle 2015
Bell Harbor Maritime Museum
Seattle, WA, USA

SOURCE Seattle 2011 - Speakers And Publications


Wednesday, June 15, 2011


Security & Technology

Security & Business


Registration Opens
Continental Breakfast


Kris Herrin
Heartland Payment Systems


The 4 Layers of Smart Grid Security
Ernie Hayden
Verizon Business

Evolving from best practices to an empirical security program in the face of overwhelming audit
Raymond Pompon
HCL Capital Stream


AM Break


Common Flaws and Failures of Distributed Authentication
Brad Hill

Paypal Video

The Latest Developments in Computer Crime Law
Marcia Hofmann
Electronic Frontier Foundation




Mat Oldham

Applied Risk Analytics
Allison Miller


Reputation Digital Vaccine: Reinventing Internet Blacklists
Marc Eisenbarth
HP TippingPoint

Banking Fraud Evolution: New Techniques in Real Fraud Cases
Jose Miguel Esparza





Improving Software Security with Dynamic Binary Instrumentation
Richard Johnson

Taking Back Privacy: Consumers Have More Control Than They Think
David Gorodyansky


Forensic Memory Analysis of Android's Dalvik Virtual Machine
Andrew Case, Digital Forensics Solutions

Threat Modeling: Best Practices
Robert Zigweid


Security Spending: Here's How To Find The Right Amount
Jared Pfost, Third Defense


 Thursday, June 16, 2011


Security & Technology

Security & Business

8:00am - 8:50am

Continental Breakfast
Breakfast Session - Building the DEFCON network, making a sandbox for 10,000 hackers
Luiz Eduardo Dos Santos & David M.N. Bryan, Trustwave


Keynote PPTVideo
Eric Cowperthwaite
Providence Health and Services

10:00am - 10:50am

JSF Security
Krishna Raja
Rohit Sethi
Security Compass

Gamifying Online Extremism: Using Fun to Wreak Mayhem
Jarret Brachman
Cronus Global

10:50am - 11:10am

AM Break

11:10pm - 12:00pm

Everything you should already know about MS-SQL post-exploitation PPTVideo

Rob Beck
Attack Research

Putting a Virus under the SIEM Microscope
Ron Gula
Tenable Network Security

12:00pm - 1:15pm


1:15pm - 2:05pm

Defying Logic - Theory, Design, and Implementation of Complex Systems for Testing
Rafal Los
HP Software & Solutions

Security Metrics: If You Can't Measure It, No One Will Care
Jason M. Leuenberger

Ernst & Young Video

2:15pm - 3:05pm

Slicing into apple: iPhone Reverse Engineering
Ryan Permeh

Panel: Will We Ever Be Secure?

3:05pm - 3:30pm


3:30pm - 4:20pm

Apple OS X Enterprise Security: Kick it to the Kerb
Aaron Grattafiori
Tom Daniels
iSEC Partners

Who should the security team hire next?
Myles Conley
Auspices Consulting

4:30pm - 5:20pm

Art of InfoJacking - Analyzing Web Network Devices
Aditya K. Sood

PCI Compliance in the Cloud: Why or Why not?
Mike Dahn
Pricewaterhouse Coopers

5:30pm - 6:00pm Closing Remarks and Feedback Session




Kris Herrin, Chief Technology Officer, Heartland Payment Systems


Kris is responsible for delivering secure and reliable IT services for Heartland's state-of-the-art payments processing platforms and enterprise applications, including application development, infrastructure and operations. He joined Heartland in April 2008 as chief security officer where he helped lead the IT response to the illegal intrusion of Heartland's systems. Kris transitioned to the role of chief technology officer in August 2009. His work to drive operational efficiencies and delivery of innovative services using industry IT Service Management best practices won him recognition in the InfoWorld CTO 25 Awards. Kris is an advisory board member at the University of Dallas Graduate School of Management, Cybersecurity Program, where he has taught classes in Risk Mitigations and Digital Forensics.

Eric Cowperthwaite, System Director & CISO of Providence Health & Services


Eric W. Cowperthwaite has more than 25 years experience as a security practitioner and leader in both civilian and military settings. He was born in Sacramento, California, and raised in the surrounding communities. Eric graduated from Davis Senior High School and enlisted in the US Army shortly after. After serving in the Army for a decade, Eric returned to Sacramento and attended CSU, Sacramento, earning a BS in Computer Engineering. Currently, Eric is the System Director & CISO of Providence Health & Services, headquartered in Renton, Washington. Providence has 27 hospitals and more than 50,000 employees located in Washington, Oregon, California, Alaska and Montana.
Prior to that, Eric worked for EDS for a decade. Eric worked in the Chief Security and Privacy Office of EDS, US Government Services, Security and Privacy Professional Services and U.S. Consulting. Eric served in the US Army for 10 years, including time in the Middle East, Western Europe on the "Iron Curtain" and Africa.
Eric is a member of a variety of industry organizations, including:

• Chair, Catholic Healthcare ISO Forum
• Pacific Northwest CISO Forum
• ISSA CISO Executive Forum
• Security Executive Council

Eric was CISO of Providence when they were the first healthcare organization to enter in to a Resolution Agreement with Health & Human Services to resolve allegations of violating the HIPAA Privacy and Security rules. He is the first CISO to be the Monitor for such a resolution agreement and has successfully overseen the implementation of the Agreement at Providence for the past 3 years. In addition, Eric served as the first ISO of Medi-Cal program (California's Medicaid program) and established a HIPAA compliant program for them while contracted to the State of California from EDS. Eric is a member of the Absolute Software Customer Advisory Council and the Symantec Managed Security Services Customer Advisory Council. He was also an inaugural member of both Cybertrust and GuardianEdge's Advisory Councils prior to their acquisitions. Eric was asked by the ISSA Board to serve on the first CISO Executive Forum Advisory Council and was instrumental in helping to revitalize the CISO Forum and establish it as the premier peer to peer information security leadership forum.
Eric is routinely asked to speak on security topics by a variety of organizations, including the Society for Information Management, Gartner, CSO Magazine, the Department of Homeland Security, Senator Lieberman's office, the Information Systems Security Association, and SANS. Eric is a 2008 Computerworld Premier 100 IT Leaders honoree.

About Providence Health & Services
Providence Health & Services is a not-for-profit health system committed to providing a comprehensive array of services to meet the needs of communities across five states, including Alaska, Washington, Montana, Oregon and California. Providence continues the legacy of the Sisters of Providence and the Sisters of the Little Company of Mary in the West spanning more than 150 years. Providence Health & Services includes 27 hospitals, more than 35 non-acute facilities, physician clinics, a health plan, a liberal arts university, a high school, approximately 50,000 employees and numerous other health, housing and educational services. The system office is located in Renton, Washington, a suburb of Seattle.


Forensic Memory Analysis of Android's Dalvik Virtual Machine
Andrew Case (@attrc), Senior Researcher, Digital Forensics Solutions

Within a year of being released, Android has exploded in the mobile market and is expected to overtake it in 2011. Due to the widespread adoption of Android, it is vital that the forensics community has the ability to analyze devices using it. While applications exist that can analyze Android’s filesystem, no tool exists for application memory analysis. Memory forensics allows for complete recovery of allocated data structures and variables and partial recovery of deallocated objects. During this presentation, we will present the first public analysis of Android’s Dalvik virtual machine, which is used to execute all Android applications. This will include the design of the Dalvik VM and how arbitrary class instances and members can be located within an application’s memory, and how this leads to recovery of a wealth of forensically interesting information. We will also discuss the feasibility of recovering previously deleted objects related to these applications.

Andrew Case is a security researcher at Digital Forensics Solutions where he is responsible for source code audits, penetration testing, reverse engineering, and other computer security related tasks. He is also a GIAC-certified digital forensics investigator and has conducted numerous large scale investigations. Andrew's primary research focus is physical memory analysis, and he has published a number of peer-reviewed papers in the field.


Banking Fraud Evolution: new techniques in real cases fraud
Jose Miguel Esparza, E-Crime Analyst, S21sec (@eternaltodo)


New techniques in banking fraud are applied not only to malicious binaries,but also to how different cybercriminal groups use these binaries.Criminals always attempt to make the most of their malicious software.An example of this is the broad possibilities offered by HTML code injection.The latest injections discovered in both ZeuS and SpyEye show,once again,their continuous struggle to adapt to the changes and measures put in place to counter them. In the case of ZeuS,one of the latest strategies involves rendering useless the two-factor authentication used in numerous on-line banking operations.Similarly,in a campaign for distributing SpyEye,the group responsible for the malware injected code designed to automatically make fraudulent transfers after dynamically obtaining the destination accounts (mules) from a server.Therefore,the impact of campaigns to spread malware depends not only on the dangerousness of the malicious software itself,but also on how this software is used and the creativity of its criminal owners.

Jose Miguel Esparza is a security researcher and has been working as e-crime analyst at S21sec e-crime for more than 4 years, focused in botnets, malware and Internet fraud. Author of some exploits and analysis tools ( like peepdf and Malybuzz, with which he has discovered vulnerabilities in several products. He is also a regular writer in the S21sec blogs ( and and about security and threats in Internet, and has taken part in several conferences, e.g. RootedCon (Spain) and CARO Workshop (Czech Republic).

Building an empirical security program while facing overwhelming audits
RayPompon, HCL CapitalStream (@dunsany)


Many organizations have security programs driven by auditors and an culled together list of best practices. At our company, the challenge was to develop a risk reduction programs tailored to our specific business needs, while not having resources drained away by one-size-fits-all compliance requirements. This talk will focus on how our security team transformed a reactive compliance-driven security program to a proactive, business-friendly risk management program that weathers at least twenty external audits a year against a wide-range of strict national and international privacy regulations. We built an empirical security program based on evidence that applies sufficient controls to reduce relevant threats to a prioritized list of business objectives. The talk will cover how we leveraged meticulous discovery efforts, strong risk analysis, and proper logging in building a defensible empirical security program. Since we are paving new ground, I will also detail some of false starts and problems we befell.

Ray Pompon is the senior security officer at HCL Capital Stream. With over 20 years of experience in Internet security, he works closely with Federal investigators in cyber-crime investigations and apprehensions. He has been directly involved in several major intrusion cases and for six years was president of the Seattle chapter of FBI InfraGard. He is a lecturer and on the board of advisors for two information assurance certificate programs at the University of Washington.

JSF Security
Krishna Raja & Rohit Sethi (@rksehi), Security Compass

Developing secure applications with Java Server Faces is challenge for most developers due to the lack of consolidated, reliable advice on how to protect against all major application security threats. This low-level talk will focus on specific protections for JSF, both the Reference Implementation and MyFaces, for the following domains:

Web output encoding
Input validation options
Controlling page navigation
CRSF protection
Addressing oracle padding vulnerabilities
Avoiding parameter manipulation

We will also discuss unique challenges with Facelets and how to evaluate XSS protection in 3rd party tag libraries.

Krishna Raja, Senior Security Consultant, Security Compass has performed comprehensive security assessments across Canada and the United States. Krishna has carried out the role of security advisor, security analyst, project manager and trainer.

Rohit Sethi, VP Product Development, Security Compass, is a specialist in threat modeling, application security reviews, and building security controls into the software development life cycle (SDLC). Rohit is a SANS course developer and instructor on Secure J2EE development.

The Latest Developments in Computer Crime Law
Marcia Hofmann, Electronic Frontier Foundation (marciahofman)


Marcia Hofmann is a senior staff attorney at the Electronic Frontier Foundation, where she focuses on computer crime and security, electronic privacy, freedom of expression, and other digital civil liberties issues. She is also a non-residential fellow at Stanford Law School's Center for Internet and Society. Prior to joining EFF, Marcia was staff counsel and Director of the Open Government Project at the Electronic Privacy Information Center (EPIC).

Art of InfoJacking - Detecting Web Network Devices
Aditya K Sood, Security Practitioner, Michigan State University


This talks shed lights on the information gathering techniques of hidden devices in the network which is required to conduct efficient penetration testing. We will talk in detail about HTTP response scrambling, unique session management, dynamic proxy configurations etc that are used by network devices for robust functioning. The point is every device shows some unique behavior that differentiates it from other running devices.Further , this talk also lays emphasis on collecting information about internal networks from the network devices like load balancers, web firewalls, disk stations, proxies, surveillance cameras etc.

Aditya K Sood is a Security Researcher, Consultant and PhD candidate at Michigan State University. He has already worked in the security domain for Armorize, COSEINC and KPMG. He is also a founder of SecNiche Security. He has been an active speaker at conferences like RSA,ToorCon, HackerHalted,TRISC, EuSecwest, XCON, Troopers(09), OWASP AppSec , SecurityByte ,FOSS , CERT-IN etc. He has written content for ISACA, CrossTalk, ISSA, HITB Ezine, Hakin9, Usenix Login,Elsevier Journals such as NESE,CFS.

Metrics: If You Can’t Measure It, No One Will Care
Jason Leuenberger, Ernst & Young (@securitah)


As a CSO or CISO, building an Enterprise Security Program can be overwhelming. Not only will you face doubt internally, but you also have every security practitioner in the world telling you to do things differently that what you’re currently doing. When building a Security Program of any size, you’ll need a plan and a method to measure the plan’s effectiveness. If you can’t measure progress towards your desired goal(s), no one will care, and your Program will suffer.

In discussing security metrics, we’ll review these key topics:

• You need goals to produce metrics: how to define those goals and associated measurement criteria
• You need data to produce metrics: where to get it
• You need to report on those metrics: different reports, for different people
• Metrics Gone Wild: when numbers overwhelm you, it’s time to pull it together and keep it simple

Jason Leuenberger is the Manager of the Advisory Services Practice at SecureState, where his primary responsibilities include acting as Chief Information Security Officer for 10 organizations, and providing advisory services to both commercial and government sector clients. He leads special projects involving Risk Assessment and Management, as well as building security programs to support operational resiliency and business objectives while meeting or complying to ISO 27001/2/5, NIST, PCI, HIPAA, and various privacy laws.

Jason Leuenberger is a Manager within the Advisory Ser-vices Practice at Ernst & Young focusing on strategic information security initiatives, risk management, and security program development.

Putting a Virus under the SIEM Microscope
Ron Gula, Tenable Network Security

When a virus infected one of my Nessus scan targets, I did what any sensible CEO of a SIEM company would do--I let the virus run to see what types of logs and alerts it generated! Over the 30 days that I let it run, I was able to collect a wide variety of interesting data. This included suspicious Windows application logs, internal network scans, communication anomalies, attempts to break into other lab computers and "classic" outbound connections to various IRC channels. The virus even modified how logins worked, breaking my Nessus patch audits. Attendees of this presentation will learn about various detection methods that can be used with SIEMs to look for malicious software and computers infected with hostile code.

Who Should You Hire to Improve Computer Security?
Myles Conley, Auspices LLC (@goodauspices)

Security breach data shows strong trends in the relative strength of attacks and defense. What skills were needed to prevent these breaches? How many people have those skills, and can your company hire them? What is the alternative?
This talk will use breach data, social network sites, and a statistical model to show how most companies are in more trouble than they realize, and where they should look for relief.

Myles Conley is CEO of Auspices, a consulting firm that informs executives on the profitability and risks of their IT Security program. Myles has been a senior consultant at Leviathan Security, @Stake and Secure Computing, improving security policy and architecture for government, military and Fortune 500 customers. While working at, he lead the security upgrade of credit card processing infrastructure. Myles has an MBA from University of California, Davis, and a number of information security certifications.

The 4 Layers of Smart Grid Security
Ernie Hayden, Verizon Business


In about 2008 the US government placed a strong focus on improving the reliability and security of the newly developed "smart electric grid." This Smart Grid -- as it has become known -- has been the focus of a variety of government subsidized smart grid deloyments by many US utilities. One area that should not be forgotten is the security of the smart grid deployment.

Therefore, this paper will offer the listener the opportunity to gain a high-level perspective of the security issues -- or "layers" -- that need to be understaood when effectively deploying a smart grid project.

Ernie Hayden is a seasoned executive with over 30 years experience in the energy and secuirty industries. He is currently a Managing Principal with Verizon Business Global Energy and Utilitiy practice and his focus is on Energy Security. Previously, Ernie has beeen an information security officer for four separate critical infrastructure agencies including the Port of Seattle, Seattle City Light and a large SCADA/energy management company.

Common Flaws and Failures of Distributed Authentication Systems
Brad Hill, PayPal


In the spirit of the “OWASP Top 10”, this session will identify common flaws and failures of identification and authentication protocols from the last 15 years. Those inventing, implementing, deploying and evaluating such systems may find the list useful in avoiding similar mistakes. Examples from the literature and the author’s experience are discussed, and mitigation strategies provided.


Slicing into apple: iPhone Reverse Engineering
Ryan Permeh, Principal Security Architect, McAfee (@rpermeh)

Malicious code can and does run on Apple's iOS. Most of the world sees their iPhone as a black box, and Apple's decision to keep the iPhone a very closed system via its walled garden appstore and restrictive platform design does little to foster openness or clarity. There is a strong need for advancement into tools and techniques to analyze iPhone code for both malware analysis as well as general understanding.
This talk will examine the process needed to reverse engineer iPhone binaries. We will cover several areas in iphone reverse engineering, from how to get binaries, how to make them usable, and what to do with them when you have them. We will be examining tools and techniques on the iPhone itself, on a Mac loaded with tools for analysis, and on a PC with IDA pro.

Ryan Permeh manages product security for McAfee. Additionally, he focuses on general vulnerability research and helps set product guidelines for McAfee products. He's been in the industry for nearly 15 years, and has spoken at several security conferences.

Gamifying Online Extremism: Using Fun to Wreak Mayhem
Jarret Brachman, Cronus Global


Gamification is the latest buzzword for the application of gaming principles to activities not usually considered fun. Corporations, however, aren't the only ones trying to gamify the online consumer experience. Terrorist organizations both domestic and international, now understand that their Internet-based supporters will mobilize faster and more vigorously when the elements of social competition, leader boards, leveling-up and reputation systems are introduced. By "gamifying" the online experience, extremist groups across the board have been able to tap more people in more places in a more profound way than ever before. Through a structured set of challenges and rewards, onlookers are brought into the experience. From the initial on-boarding phase, users are brought into a gamified world wherein they can earn radicalization scores, boost their fundamentalist meters, level-up on leaderboards, incre! ase their "thanked" numbers or posting totals. The trend now poses an unprecedented threat for America's private/public sector infrastructure and operations.

Dr. Jarret Brachman is an internationally recognized counterterrorism specialist, author and public lecturer. Currently the Managing Director of Cronus Global, a security consulting group, Brachman previous served as the founding Director of Research for West Point's Combating Terrorism Center where he oversaw research projects about al-Qaida strategy for various government clients. Brachman published his first book, Global Jihadism in 2008. He is routinely cited in the media and has testified before Congress multiple times.

Apple OS X Enterprise Security: Kick it to the Kerb
Aaron Grattafiori, Security Consultant, iSEC Partners
Tom Daniels, Security Consultant, iSEC Partners

One bad Apple can spoil the bunch. As OS X Server extends into the enterprise, security must scale appropriately. Windows has had decades to build their protocols and tools in a secure fashion. With Apple "thinking differently" and automagical functionality ingrained, can we trust their enterprise security?

With only brief analysis, several "bad apples" were easily shaken off the lower branches of the proverbial security tree, both in areas of function and design.

In the core of this talk, Tom and Aaron will discuss design problems inherent within several of Apple's networking protocols, some egregious security defaults, a major fail of SSL and show how vulnerability chaining can have dire consequences in any enterprise deployment. Finally, an argument will be made as to what steps can be taken to secure enterprise Mac deployments and we will discuss ye olde authentication problem. Shortly following this talk, an Open Source tool will be released to shine a light on weak authentication and trust inherent within their protocols.

Aaron Grattafiori is a Security Consultant with iSEC Partners. With over 7 years of security experience, he utilizes a wide array of skills and a history of independent research to discover vulnerabilities. Prior to working at iSEC Partners, Aaron was a Security Consultant at Security Innovation as well as a Linux Systems Administrator for a statewide ISP. During this time Aaron independently discovered and privately reported major vulnerabilities in widely deployed software and wireless systems. Aaron's areas of interest include vulnerability research and analysis, exploit development, intelligent fuzzing systems, and reverse engineering.

Tom Daniels is a Security Consultant at iSEC Partners. While at iSEC, Tom has been given the opportunity to demonstrate, and continue development of, multiple technical competencies including: network security assessments; web application security audits; mobile application security audits; and review of C, Objective-C, Java, and Ruby source code. Prior to working at iSEC, Tom was a Systems Auditor at PricewaterhouseCoopers in New York City. Tom received a B.S. in Computer Science with a minor in Japanese from Georgetown University in 2008. Tom's areas of interest and current research surrounds Apple OS X, reverse engineering, lock picking and exploit development.

Taking Back Privacy: Consumers Have More Control Than They Think
David Gorodyansky, CEO, AnchorFree


As the debate between federal regulators and advertisers over online privacy wears on and the Obama administration advocates for a privacy bill of rights and the focus on consumers' control over their privacy will persist into 2011 and beyond.

Consumers face increasing threats to their online privacy every time they enter a password, make a purchase or surf the web using an unsecured network. Fortunately, the tools to protect consumer privacy already exist. By keeping users' identities anonymous and encrypting all websites through HTTP(S), Virtual Private Networks allow consumers to keep their online transactions private and secure. Anti-virus protection scans users' computers to detect and eliminate threatening viruses. And private browsing, which protects from cookie tracking, helps round out the mix of tools to ensure online sessions stay private. This session will address threats to personal privacy and offer simple ways consumers and businesses can remain private when online.

David leads the execution of all business operations at AnchorFree. Previously, David founded Intelligent Buying Inc., a profitable asset management company. David's earlier work includes several years of research, planning, and enterprise strategy at Remedy Corporation, Fulcrum Management, and with analyst companies such as Gartner Group, IDC, and Meta Group. David is a member of the Society of Competitive Intelligence Professionals and an adviser on the Technology Expert Council to San Francisco Mayor Edwin Lee.

Defying Logic - Theory, Design, and Implementation of Complex Systems for Testing Application Logic
Rafal Los, HP

Flaws in the business logic of web-based applications have long been ignored, partly because they are so difficult to explain to developers, but mainly because they are so difficult to test for in a consistent manner. Today, security testing for business logic flaws is done manually, and it is painstakingly difficult work which requires an in-depth understanding of application purpose and function as well as underlying logic. This talk will feature research which focuses on automating, (as much as possible), the modeling and detection of business logic flaws in web-based applications. What are the principles behind partially and fully automated business logic flaw detection? While it may never be possible to fully automate business logic flaw detection, (a la artificial intelligence), the research hypothesizes that it IS possible to create a framework tool which allows a tester armed with appropriate application knowledge to 'fuzz business logic' in a meaningful way. The research will present a proof-of-concept framework tool that enables this type of modular testing. A theoretical perspective, as well as practical implementation will be shared, balancing theory and reality in one of the most difficult areas of application security.

Rafal Los is the Application Security Evangelist for the HP Software & Solutions business at HP. Los is responsible for bridging industry, customer, and solutions- bridging the gaps between security technologies and business needs.

Improving Software Security with Dynamic Binary Instrumentation
Richard Johnson, Sourcefire VRT (@richinseattle)

Topic Synopsis:
This talk will present an analysis of three popular dynamic binary instrumentation frameworks, focusing on the performance of the engine and the feasibility for use in vulnerability mitigation technologies.

Dynamic Binary Instrumentation (DBI) is a process control technique that forgoes the traditional debugging facilities supplied by the operating system in favor of an in-process framework for manipulating the runtime state of a process. The most common frameworks available for performing DBI include Pin, DynamoRIO, and Valgrind. These frameworks facilitate the development of Dynamic Binary Analysis (DBA) tools that can perform security related tasks such as process tracing and debugging or sandboxing and other exploit mitigations. This talk will begin with a discussion the general shared architecture of a DBI framework and include an overview of the functionality available from each of the frameworks. Further, an analysis of the performance of each engine and the feasibility for use in vulnerability mitigation technologies will be presented and illustrated with code examples.

Everything you should already know about MS-SQL post-exploitation
Rob Beck, Attack Research

Old tricks are still the best tricks, and pretty much all the same rules apply. This talk discusses methods of post-exploitation of a MS-SQL server, ways to capture system information, SQL information, and expand your level of influence on a compromise with a minimal footprint. A lot of talks and publications discuss SQL injection and commands to execute, but always resulting in the end-game of xp_cmdshell, this talk focuses on the other extended stored procedures
people warn you about, but don't tell you why they're bad. -None of the information presented here is new, but this is a revisit of the functionality afforded to an attacker in MS-SQL that people still neglect to lock-down even today; It's also a
refresher in tactics and techniques that have been in the wild and are actively being used in the wild, but that pen-testers seem to forget once in the field. The ideas and concepts presented here, while tailored to MS-SQL, can be directly applied to other DB environments and functionality.

Applied Risk Analytics
Allison Miller, Tagged

In this session we will discuss methods for using data/analytics to make better risk decisions, with an emphasis on automating risk and security decisions.
For background we will review how fraud scoring models work and how they are designed and implemented, including:
- What kinds of decisions can be automated/answered with data?
- Where can we find data sets to guide an analytic approach?
- What are the business drivers we must keep in mind to use data successfully (i.e. trade-offs, like catch rate vs hit rate, costs of false positives vs false negatives)

PCI Compliance in the Cloud: Why or Why not?
Mike Dahn, PricewaterhouseCoopers

PCI Compliance is the boogieman every merchant has to contend with; 'Cloud computing' is the current marketing buzzword that promises to do everything you ever wanted. So why aren't merchants moving their web infrastructure and credit card processing to the Cloud and saving themselves a ton of money? Because being PCI compliant in the Cloud requires significant thought and planning!

Mr. Dahn is a globally recognized payment security expert. He founded the Society of Payment Security Professionals and Secure Payments Magazine devoted to risk management in securing payments. He has assisted forensic experts and law enforcement understand the underground economy and data breach risks associated with payment card fraud. He has traveled the world training PCI qualified security assessors (QSA), merchants, banks, and payment application vendors on the risks associated with payment card data theft. Mr. Dahn is on the National Board of Directors for the InfraGard Members Alliance and has a Masters in Information Assurance.

Threat Modeling: Best Practices
Robert Zigweid, IOActive

Robert Zigweid, a Principal Compliance Consultant at IOActive, is an accomplished developer and application tester with advanced skills in the creation and analysis of systems architecture and threat modeling. In his role with IOActive, he works with clients to discover and solve network and application problems that threaten their business goals and assets. In addition to his direct efforts on penetration tests, security reviews, and network and application audits, Zigweid contributes to the advancement of more stable, secure systems through his research and development. He was a co-founder of OSJava, is working on a JDBC driver and more robust Java class loader, and has conducted groundbreaking research that will further the formal understanding of application and network security for audiences at varying levels of technical fluency.

Security Spending: Here's How To Find The Right Amount
Jared Pfost, Third Defense

Jared Pfost

How much should you spend? If your leadership really wants to know, this session shares the scares and tools how I learned to enable management to accept risk or spend to mitigate. You'll see how we break down the question in two parts: are we operating at acceptable risk, and are we as efficient as possible. You'll see the processes and tools to get it done: evidence-driven risk prioritization, role definition for accountable acceptance, justify spend by business value, metrics with targets to define acceptable performance, budget segmentation, service definition, resource allocation, and SLA's. Spending just enough to be compliant is a fine answer, it's avoiding the question that's not acceptable.

Jared brings 16 years of information security experience to Third Defense (, which he co-founded on the belief that effective management is the key to manage risk. Jared's unique career combines working in IT Security teams and consulting with designing and shipping software across startups, banking, and technology. Jared is a self-proclaimed process nut and has demonstrated you don't need unlimited resources to run a measurable, accountable, and effective security shop.

Building the DEFCON network, making a sandbox for 10,000 hackers
Luiz Eduardo Dos Santos & David M.N. Bryan, Trustwave

We will cover on how the DEFCON network team builds a network from scratch, in three days with very little budget. How this network evolved, what worked for us, and what didn't work over the last ten years. This network started as an idea, and after acquiring some kick butt hardware, has allowed us to support several thousand users concurrently. In addition I will cover the new WPA2 enterprise deployment, what worked, and what didn't, and how the DEFCON team is going to make the Rio network rock!

David M. N. Bryan is a penetration tester with Trustwave's SpiderLabs. He has 10 years of computer security experience, including pentesting, consulting, engineering, and administration. As an active participant in the information security community, he volunteers at DEFCON, where he designs and implements the firewall and network for what is said to be the most hostile network environment in the world. This network allows speakers, press, vendors, and others to gain access to the Internet, without being hacked. In his spare time he runs the local DEFCON group, DC612, is the president of Twincities Makers group, and participates in the Minneapolis OWASP chapter.

Luiz Eduardo is the Director of SpiderLabs for Latin America and Caribbean Countries. With almost 20 years of experience, throughout his career he has worked with possibly all types of networking technologies on the enterprise and service provider sectors and the security involved in these technologies, specially 802.11 WiFi. He has also created the Incident Response practices at two networking hardware vendors.
Luiz is the founder of the y0u Sh0t the Sheriff security conference held in Brazil and has worked on the wireless infrastructure of Blackhat, DefCon, Computer Chaos Congress and Shmoocon. As a public speaker, he has given presentations on diverse infosec topics at worldwide on conferences such as DefCon, FIRST, H2HC, HitB Malaysia, Layerone, ShmooCon, BlueHat, ThotCon, Toorcon and others. Luiz currently holds many certifications in the information security field.

Reputation Digital Vaccine: Reinventing Internet Blacklists

Marc Eisenbarth, HP TippingPoint

With increasing inventiveness and agility, cutting edge Internet attack techniques such as "fast fluxing" and advanced persistent threats challenge the effectiveness of traditional blacklists. Blacklists must be reliable and current, as well as trusted by the customers who are using them. The major shortfall of existing blacklists is the fact that they do not classify, discriminate via a relative or absolute reputation score, or offer a confidence metric. To achieve this level of improvement, blacklist research must perform additional intelligence gathering out-of-band and must analyze attacks that occur across multiple, disparate network flows which can occur over an arbitrary amount of time. Furthermore, active interaction with a suspected malicious host is often needed to confirm its disreputable intent. This talk serves as an overview of these problems as well as a deep dive into the inner workings of the HP TippingPoint Reputation Digital Vaccine Service.

Marc Eisenbarth recently noticed the word "Architect" has been appended to his business cards, and while not entirely sure what that means, he has continued to just do what he has been doing for the last five years, namely improving the HP TippingPoint Intrusion Prevention System (IPS) as a member of DVLabs' Advanced Security Intelligence team. Prior to this, he managed "cyber liability" at a US defense contractor for five years and completed a graduate program at Columbia University in Computer Science. Off the clock, he is a "hardware guy" who enjoys releasing various do-it-yourself projects to the general public.

Panel Topic: Will we EVER be secure?
Information security incidents are at an all-time high. We have solutions to many of the known problems, but they often don't get implemented quickly or effectively enough. The result is that many organizations lag far behind their attackers in terms of defense against attacks, both known & unknown.

While we must recognize that we have made significant improvements over the past 10 years, the attackers are still far ahead. This panel will explore the rate of adoption of defensive tools and practices. Are we proceeding at the right pace? Are we sufficiently mitigating risk or are we taking too many short-cuts that are setting ourselves up for a future disaster? What should our vision be for the next 3-5 years to keep information safe and ensure that the knowledge gap between attackers and defenders doesn't become insurmountable? What should we be doing right now to get us there?

The panelists we have assembled are information security thought leaders from a variety of perspectives that represent critical points of view on this topic. This one is not to be missed.

Moderator: Rob Cheyne, CEO, Safelight Security Advisors
Panelist: Adam Shostack, Principal Program Manager, Usable Security, Microsoft's Trustworthy Computing Group
Panelist: Jared Pfost, CEO, Third Defense
Panelist: Michael Glaros, Director, Information Security, Coinstar | Redbox
Panelist: Michael Hamilton, CISO, City of Seattle

Rob Cheyne:
Rob is the CEO of Safelight Security, a leading provider of information security training. He has over 20 years of experience in information technology, and has consulted and trained for some of the world's largest global companies. As a co-founder of @stake, he helped define application security assessment methodologies that are still in use today. At Safelight, he develops innovative methods for teaching information security, and has personally trained over 12,000 people.

Adam Shostack:
Adam is a principal program manager on the Usable Security team in Trustworthy Computing. As part of ongoing research into classifying and quantifying how Windows machines get compromised, he recently led the drive to change Autorun functionality on pre-Win7 machines; the update has so far improved the protection of nearly 400 million machines from attack via USB. Prior to Usable Security, he drove the SDL Threat Modeling Tool and the Elevation of Privilege threat modeling game as a member of the SDL core team. Before joining Microsoft, Adam was a leader of successful information security and privacy startups, and helped found the CVE, the Privacy Enhancing Technologies Symposium and the International Financial Cryptography Association. He is co-author of the widely acclaimed book, The New School of Information Security.

Jared Pfost:
Jared brings 16 years of information security experience to Third Defense (, which he co-founded on the belief that effective management is the key to manage risk. Jared's career combines working in IT Security teams and consulting with designing and shipping software across startups, banking, and technology. Jared is a self-proclaimed process nut and has demonstrated you don't need unlimited resources to run a measurable, accountable, and effective security shop.

Michael Hamilton:
Michael Hamilton is a veteran of more than 20 years in Information Security, holding roles as practitioner, entrepreneur, consultant, and in executive management. He has direct experience in retail, manufacturing, government, defense, academic, energy, law enforcement, publishing and financial sectors, from Fortune 1 to small nonprofits. Currently the CISO of the City of Seattle, his purview includes more than twenty departments including law enforcement, public safety, transportation management and utilities. He is a member of the State, Local, Tribal and Territorial Government Coordinating Council, is a liaison to the Water Sector, and is the architect of the PRISEM system for cross-organizational information sharing across the Puget Sound metropolitan region. His BS and MS are from the University of Southern California.

Michael Glaros:
Michael joined Coinstar in May 2010 as director of data security in the Corporate IT department. In January 2011, Michael and team transitioned into the Risk Management Department where they are now responsible for a converged set of duties including business continuity management, information security management and compliance across all lines of business – Coinstar, Redbox, Corporate, and New Ventures. Michael's past experience includes 15 years of delivering security architecture, ISO 27001 certification programs and data privacy compliance campaigns for organizations including Sony Pictures Entertainment, Deloitte and Touche, and Computer Associates.

OpenIOC, Mat Oldham, Mandiant

OpenIOC is an open, extensible format that is used to organize and describe unique indicators associated with malware such as file names, MD5's, file sizes, etc. While much of the emphasis has been on host-based Indicators of Compromise, the OpenIOC format has been developed in such a way that it is platform and technology agnostic. This discussion will talk about what OpenIOC is, how to use OpenIOC to describe network based Indicators of Compromise, how to combine host- and network-based Indicators of Compromise into one logical grouping and how to convert OpenIOC indicators to other common network based platforms such as Snort. Mat Oldham is a Technical Director at MANDIANT with over five years of computer and information security experience. In this role, Mr. Oldham leads MANDIANT's network intrusion detection and threat analysis team. This includes research and development of emerging sophisticated network based threats along with the development of tools and analysis capabilities to make MANDIANT a leader in finding evil in motion at clients around the world.




Informational Brochure
Download our informational brochure, with everything you need to know about SOURCE Seattle 2013!

Seattle 2013 Sponsors

No Starch Press

Risk Centric Security

Email for sponsorship opportunities
Keep In Touch

Mailing List Sign-Up