Thursday, September 13
Security & Technology
Security & Business
RESTful Services, The Web Security Blind Spot
Ofer Shezaf, Hewlett-Packard
Security Lessons From Star Wars
Lessons of Binary Analysis
Journey To The Clouds:
Maturity, Agility, Risk & Trust
Bryan K. Fite, BT
Why Developers and Vulnerability
Researchers Should Collaborate
Dr. David Rees & Karthik Raman, Adobe
Scoring PDF structure
to detect malicious files
Rodrigo Montoro, Trustwave/SpiderLabs
Just Another Day at the Office...
September 11, 2001, The White House
Coffee Break & Discussion Groups
Unified Communications: Information Loss Through the Front Door
Jason Bubolz & Rachel Engel
Data Breach: Let the Finger Pointing Begin!
William Cook, McGuire-Woods
iSec Partners Party
Friday, September 14
SECURITY AND TECHNOLOGY
The Future of Automated Malware Generation
Stephan Chenette, IOActive
Cyber-criminals have had back-end infrastructures equivalent to Virus Total to test if malware is effective against AV scanners for many years, showing that attackers are proactively avoiding detection when building malware. In this day and age malicious binaries are generated on demand by server-side kits when a victim visits a malicious web page, making reliance solely on hash based solutions inadequate. In the last 15 years detection techniques have evolved in an attempt to keep up with attack trends. In the last few years security companies have looked for supplemental solutions such as the use of machine learning to detect and mitigate attacks against cyber criminals. Machine Learning (ML), though not a new concept, is all the rage these days, touted as the next big thing in defensive technology. While ML is beginning to be used in the detection of polymorphic malware, let's not pretend attackers aren't also experimenting with ML to create advanced malware which can bypass learning algorithms and heuristics. I will present work to show how attackers might be utilizing ML offensively, in a supervised learning mode, to expose common features to avoid or alternatively utilize in order to increase the chances of bypassing binary AV scanners that utilize heuristics and ML for detection.
Stephan Chenette (@StephanChenette) is the Director of Research and Development at IOActive where he conducts ongoing research to support internal and external security initiatives within the IOActive research team. Stephan has been involved in security research for the last 10 years and has presented at numerous conferences including: Blackhat, CanSecWest, RSA, RECon, AusCERT, ToorCon, SecTor, SOURCE and PacSec. His specialty is in writing research tools and investigating next generation emerging threats. He has released public analyses on various vulnerabilities and malware. Prior to joining IOActive, Stephan was the head security researcher at Websense for 6 years and a security software engineer for 4 years working in research and product development at eEye Digital Security.
Building Dictionaries and Destroying Hashes Using Amazon EC2
Steve Werby & Randy Todf, University of Texas
By aggregating and creating new dictionaries and manipulating them to guess plaintext and hashed passwords in high profile password exposures, we'll demonstrate which dictionary attacks are the most effective. Further research will allow for the building of passphrase dictionaries from commonly accessible sources and their effectiveness will be analyzed.
Steve is Chief Information Security Officer at the University of Texas at San Antonio (UTSA), where he leads the university's 11-person Office of Information Security. He was formerly the enterprise information security officer for the Virginia Department of Corrections and Virginia Commonwealth University. Before making the shift to information security program management, he operated an information security consultancy with an international client base largely consisting of ISPs, web hosting firms and ecommerce businesses. He has an engineering degree, an MBA and numerous certs, but is prouder of the fact he hasn't signed his name the same way twice since 2009.
Randy is an information security analyst with the University of Texas at San Antonio. He has a BBA with a major in Management of Information Systems from St. Mary's University. Randy has an extensive training and web development background and joined the security team over three years ago. He's designed and administered several enterprise systems, including online learning and visitor websites, virtual classrooms and an enterprise ADA compliance aggregator, among others, and most recently received his GIAC Certified Penetration Tester (GPEN) certification. He's currently in charge of Education and Consulting for UTSA's Office of Information Security.
Leveraging Collective Intelligence to Combat Cyber Crime - Panel
Whether by computer, tablet or mobile phone, the headlines these days are filled with the latest security breaches. But while most security approaches involve guarding against intrusions with a traditional firewall, recent breaches have shown that this tactical approach alone is not sufficient. So what makes more sense? Two words: Information sharing. Hear from Internet security company IID (Internet Identity), credit union BECU and AT&T Wireless about how they are pooling their collective intelligence on the latest malicious Internet threats to combat cyber criminals.
President and CTO, IID
Rod Rasmussen co-founded IID and is the company’s CTO and President. He is widely recognized as a leading expert on the abuse of the domain name system by criminals. Rasmussen serves in leadership roles in various industry groups including the FCC's Communications Security, Reliability and Interoperability Council (FCC CSRIC), ICANN’s Security and Stability Advisory Committee (SSAC), the Anti-Phishing Working Group (APWG), the Online Trust Alliance (OTA), and the Forum of Incident Response and Security Teams (FIRST).
Principal Architect, AT&T
Alex Bobotek leads mobile messaging anti-abuse architecture and strategy at AT&T Labs and is Co-Chairman of the Messaging, Malware and Mobility Anti-Abuse Working Group (M3AAWG) and is also a co-chair of the organization’s technical committee. Mr. Bobotek has over 15 years of experience in mobile messaging, with over half specifically focused on fighting abuse of mobile services. Mr. Bobotek holds a Masters Degree in Electrical Engineering from the University of Washington, and has over 16 years experience in mobile data services. He has participated in and chaired the development of industry-wide IETF and OMA standards, and numerous industry and government security initiatives.
Information Protection & Business Continuity Officer, BECU
Ken Kinloch is the Information Protection Officer for BECU. In this role, he sees first hand the effect and challenges of phishing, vishing, and smishing on the public and financial institutions. He has over 15 years experience in information technology and nearly half of it focused on security issues.
Adam Meyers, Crowdstrike
By nature, computer network defenders tend to be very reactive: an IDS alert triggers and they take action. This can quickly cause a defense team to become overwhelmed with things they need to react to, causing them to miss key indicators. Proactive network defense allows defenders to look at the threat landscape and anticipate where the adversary will be, in order to defend against an attack before it happens. Today we collect large volumes of data on our enterprises; this massive amount of data, coupled with defenders who focus on technical analysis and typically lack the background or experience in what has been a traditional intelligence discipline, inhibits thinking proactively. This presentation is tailored towards technical analysts who want to learn about intelligence collection and analysis and how to couple it with technical analysis in order to mine the myriad of data and extract powerful information about the adversary, such as their Tools, Techniques, and Practices (TTP). As this data is extracted, the audience will learn to start asking proactive questions about the data so that they may anticipate the adversary's next move and begin the defense in advance. This presentation will provide background on intelligence collection, intelligence analysis, building a collection, and introduce some powerful tools to mine intel.
Adam Meyers is the Director of Intelligence for CrowdStrike; in this role he oversees the team's daily activity, and provides direction and strategic vision for the company's intelligence collection, reverse engineering, and analysis efforts. He also serves as a senior security researcher, who focuses on reverse engineering targeted malware threats, mobile malware and related technologies. Previously he was the Director, Cyber Security Intelligence with the National Products and Offerings Division of SRA International. In that role Mr. Meyers served as a senior subject matter expert for cyber threat and cyber security matters for a variety of SRA projects. Mr. Meyers provided both technical expertise at the tactical level and strategic guidance on overall security program objectives. Mr. Meyers also acted as the product manager for SRA Cyberlock, a dynamic malware analysis platform.
Browser extensions: The Backdoor to Stealth Malware
Julien Sobrier, Senior Security Researcher, Zscaler
Browser extensions are widely used, yet users underestimate just how much control these pieces of software can exert over the computer that they are installed on. Many browser frameworks also have no requirement that extensions report the level of access that they require, essentially creating a black box that users must blindly trust. Browsers themselves have very few protections against rogue extensions and those that are in place can be easily bypassed. Unfortunately, client side security controls such as antivirus solutions are of little help as well, since they employ only rudimentary monitoring and detection capabilities for abusive extensions. Where does this leave the many users employing browser extensions? Very exposed. This talk will detail how malicious extensions are able to successfully evade browser protections and antivirus solutions. Firefox, Chrome and Internet Explorer browser extension frameworks will be covered, including live demonstrations and proof-of-concept exploits, which illustrate how weaknesses in the three major browsers can be exploited. Various approaches to installing rogue extensions on different browsers will also be covered, including silent external installation, hijacking or replacement of existing extensions (addition of code, hijacking the upgrade process, etc.) and bypassing administration rights. While rogue extensions have been found in the wild, this attack vector has yet to reach its full potential. Rogue browser extensions represent an emerging threat as they require limited skills to create, are largely trusted by the general public and are relatively hard to detect and remove when found to be malicious.
Julien Sobrier is a Senior Security Researcher at Zscaler, a cloud security company focused on protecting users. In his role, he identifies the latest threats and provides new detection techniques. Julien has released many free tools to protect users: security browser extensions (IE, Firefox, Firefox Mobile, Safari, Opera, Chrome), APIs for Google Safe Browsing v2 (Perl, Ruby, Python), etc. Prior to joining Zscaler, Julien was a security engineer at Juniper working on the IDP/IDS product line. Julien is also co-author of "Security Power Tools" (O'Reilly).
Talks: Google Talk on BlackHat SEO, OWASP San Diego and Bay Area
- BlackSheep (Firefox): detect the use of Firesheep on the same network
- Zscaler Safe Shopping (IE, Chrome, Firefox, Opera, Safari): blacklist of fake online stores
- Search Engine Security (IE, Chrome, Firefox, Fennec): protect against Blackhat SEO spam and hijacked sites
- Zscaler Likejacking Prevention (Firefox, Chrome, Safari, Opera): detect and protect against Facebook Likejacking
- Paper: Google Safe Browsing v2: Implementation Notes
Libraries: Net::Google::SafeBrowsing2, Google Safe Browsing Lookup API for Ruby and Python
RESTful Services, The Web Security Blind Spot
Ofer Shezaf, Hewlett-Packard
As a lightweight alternative to web services, RESTful services are fast becoming a leading technology for developing mobile applications and web 2.0 sites. At first glance, RESTful services seem very different from web services and suspiciously similar to regular web technology. The similarity of RESTful services to the regular web leads to the misconception that RESTful services are secured in the same way. However, RESTful services share many of the security risks of web services without the compensating Web Services security controls. The presentation will describe RESTful services and their use, the complexities in protecting them and common attack vectors specific to REST services, such as URL-embedded attacks. The presentation concludes with a discussion of the challenges of security testing for RESTful services and presents novel approaches for automated testing of RESTful services using grey-box testing, a method combining a client attack tool and a server based monitor.
Ofer Shezaf is an internationally recognized application security expert. Ofer manages security solutions at HP ArcSight division and prior to that managed web security research at HP Fortify and at Breach Security. Ofer is an OWASP (Open Web Application Security Project) leader, the founder of the OWASP Israeli chapter and a WASC (Web Application Security Consortium) officer. Some open source projects Ofer has led are the ModSecurity core rule set, WASC web hacking incident database and the Web Application Firewall Evaluation criteria project.
Next Generation Android Exploitation using AFE
Aditya Gupta
Android Market allows any app developer to develop and publish their app to the Android Market. On top of that, Android Market also allows app publishing as “Anonymous”, so that the user downloading the app won’t be able to know who the original developer of the application is. An Android application consists of components, namely: Activities, Services, Intents, Content Providers, and Shared Preferences. We will be using the features provided in the Android SDK for our benefit, and to create the malware.
The steps involved in this would be:
1. Fetching all the important and private information from the phone
2. Sending the information to a remote server, managed by us
3. Receiving the data
4. Executing further commands on the phone
After that, we will be showing an Android Botnet setup, developed by us. We will be able to send commands to each of our slaves using the Botnet.
Also, we will be demonstrating the framework which we have made for the creation of malware. The old-school way of doing this in Android is taking a legitimate app, decompiling it using either apktool or dex2jar & jd-gui, inserting our code, repackaging it, and then getting the infected app, which appears to be a legitimate one.
2.02 :: Main Presentation: Part II
When used on a large scale, this process takes a lot of time, and other coding issues may also come up while repackaging.
So we’ve developed a framework named AFE (Android Framework for Exploitation), whose beta version will be released internationally at SOURCE Seattle. The framework, still in development, will be used to create malware, receive the incoming information, control the victims and do a lot more. Also, we have created some templates for the malware, such as File Explorer, Tic Tac Toe, a Jokes app and a few more.
For the malware part, we have written our own services and stored them in the Android Framework for Exploitation modules. We have prepared 8 templates (more to be added soon), from which the user will be asked to select one. The selected template is then modified by replacing the IP address variable with the listening IP the user has entered. Since all connections will then be sent to that IP address, the user will have to set up a listener too, which is also included in AFE. The APK is then created and automatically signed with a certificate using keytool and jarsigner.
The following features could be used in a malware right now:
1. Getting the Call logs
2. Getting the Contacts Information
3. Getting the Inbox/Outbox
4. Sending new text messages
5. Downloading any file from the SD Card
6. Creating a new file on the SD Card
7. Viewing the browsing habits
8. Creating new Bookmarks
9. Recording and listening to Phone Conversations
10. Changing the Phone State (ON/OFF)
11. Running root exploits
12. Capturing the screen
13. Make a call to the specified number
14. Capture images with camera and send to us
15. Start at boot up
16. Undetected by all AntiMalwares for Android
17. Obfuscated network data
18. Respawn after it’s closed
19. Access the GPS location
20. Start any other application installed on the phone
We will also demonstrate exploitation of Android to get a reverse shell, as well as stealing a file from the phone, using available Android exploits and customizing them according to our needs.
Also, a user could use AFE to run Android exploits and steal the databases from the victim's phone, apart from executing commands on the phone.
We will also explain how to write plugins for AFE to extend the framework.
3.01 :: Hacking Android Applications
After talking about Android malware and botnets, we will shift to Android application vulnerabilities.
The following vulnerabilities will be discussed:
Cross Site Scripting
Insecure File Storage
Open Content Providers
We will also show how to find Android Application vulnerabilities, both manually and using our framework.
3.02 :: Secure Application Coding
We will discuss how one can develop secure applications, and the need to pentest one's own apps before publishing to Android Market.
Aditya Gupta is a well known Mobile Security Researcher and Penetration Tester. His main expertise includes exploiting web applications, evading firewalls and exploit research. He is an expert in mobile research. Aditya is responsible for the discovery of many serious vulnerabilities in websites such as Google, Apple, Microsoft, Skype, Adobe, and a variety of other major software technologies. Aditya has worked on many Android security projects and has been a frequent speaker at many conferences.
Unified Communications: Information Loss Through the Front Door
Jason Bubolz and Rachel Engel, iSEC Partners
What if you scanned your external network and found an open LDAP listener offering access to your corporate directory for anyone who happened to stop by? Ten years ago instant messaging entered the security spotlight when the Sarbanes-Oxley Act made everyone scramble for an answer to a problem that nobody understood. But since that time we've stopped looking. Compliance is solved, and it's very tedious.
A decade of inattention brings a lot of change, and while we were distracted by mobile devices these enterprise instant messaging systems became the backbone for a suite of communications. Microsoft, Cisco, IBM, and the telephony vendors have migrated to VoIP and offer audio, video, and application sharing products that initiate over IM connections. The public cloud is offering instant messaging between competitors in an effort to own your identity and your attention. While instant messaging has always been a fragmented array of protocols and clients the market has coalesced on SIP and XMPP as the focus changed from owning the protocol to building new features. The Defense Information Systems Agency (DISA) now defines XMPP and more specifically federated XMPP as a requirement for sales of "near-real-time, text-based messaging products" into the US Department of Defense, and vendors are following.
This talk focuses on the mechanics of XMPP, XMPP server to server federation, and the surprising collection of data corporations expose as they open their unified communications systems to the world. We will complete the talk with a discussion of a practical exploitation of these weaknesses via custom tools.
Jason Bubolz is a Security Consultant at iSEC Partners, an information security firm specializing in application, network, and mobile security. Jason holds a BS in Computer Engineering from the University of Michigan, and has spent over a decade developing distributed network applications. Jason began his career in the financial services sector and quickly followed a startup venture into financial communications software in 2000. In 2006, after serving as security engineer and project manager for a multi-user instant messaging and presence product Jason moved to Microsoft in the unified communications space.
Jason has significant experience in application development across many languages and has focused on large networked systems deployments. He is experienced with security design and security protocol reviews, client/server testing, authentication and authorization schemes, human-computer interaction, and chat communications systems.
Rachel Engel is a Senior Security Consultant at iSEC Partners, an information security firm specializing in application, network, and mobile security. Rachel holds a BA in Computer Science, and has spent the last 5 years developing secure applications at iSEC Partners. She has lectured extensively on security and technology topics. Ms. Engel has presented at various conferences including Black Hat USA, the iSEC Partners Open Forum and various software enterprise specific venues. In addition to these accomplishments Rachel is the author of Gizmo, http://code.google.com/p/gizmo-proxy/, a lightweight graphical web proxy.
Rachel has significant experience in application security across many languages and focused on operating systems, web applications, mobility and large networked systems deployments. She is experienced with security design and security protocol reviews, client/server testing, authentication and authorization schemes.
Mapping and Evolution of Android Permissions
Zach Lanier, Veracode
The Android Open Source Project provides a software stack for mobile devices. The provided API enforces restrictions on specific operations a process is allowed to perform through a permissions mechanism. Due to the fine-grained nature of the model (and lack of a map), it is non-obvious which calls require which permission(s) for an API of over 2400 classes. Also, due to the on-going development of the AOSP and API, these required permissions have evolved over SDK revisions. Both of these provide headaches for application security testers and application developers. We first discuss our methodology for building an Android API permission map, including active and passive discovery tools. We then present the evolution of the map as the Android API has transformed through releases. This work is significant because of the need for an understanding of the API permission requirements in application security testing and the current lack of clarity in this ever-growing environment.
Zach Lanier is a Security Researcher with Veracode, specializing in network, mobile, and web application security. Prior to joining Veracode, Zach served as Principal Consultant with Intrepidus Group, Senior Network Security Analyst at Harvard Business School, and Security Assessment Practice Manager at Rapid7. He has spoken at a variety of security conferences, including INFILTRATE, ShmooCon, and SecTor, and is a co-leader of the OWASP Mobile Security Project. Zach likes Android, vegan food, and cats (but not as food).
Scoring PDF structure to detect malicious files
Rodrigo Montoro, Trustwave/SpiderLabs
Rodrigo "Sp0oKeR" Montoro is certified LPI, RHCE and SnortCP, with 14 years of experience deploying open source security software (firewalls, IDS, IPS, HIDS, log management) and hardening systems. At Trustwave, Rodrigo works in the SpiderLabs Research division where he focuses on IDS/IPS signatures, ModSecurity rules, and new detection research (PDFScore, HTTP header research and a new scoring idea for binary malware). He is the author of patent-pending technology involving discovery of malicious digital documents. He is currently coordinator and Snort evangelist for the Brazilian Snort Community and an OWASP Brazilian chapter member. Rodrigo has spoken at a number of open source and security conferences (OWASP AppSec, Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE Boston) and serves as a coordinator for the creation of new Snort rules, specifically for Brazilian malware.
Advanced Exploitation of Mobile/Embedded Devices: The ARM Microprocessor
Stephen A. Ridley
We are currently entering into a "post-PC" exploitation environment where threats to mobile devices are becoming more of a reality. The mini computer in your pocket that is always internet connected, tracks your location, performs financial transactions, holds your address book, and is equipped with a microphone is emerging as a more valuable target than the computer you leave on your desk after close of business. Go figure. Shifts towards these platforms for vulnerability research and the emergence of malware on mobile devices are all indicative of this.
Early last year (2011) the maintainers of http://www.DontStuffBeansUpYourNose.com debuted a talk entitled "Hardware Hacking for Software People" (see: http://bit.ly/pGAGlO). In that talk we covered a range of topics from hardware eavesdropping and bus tapping to simple integrated circuit interfacing and debugging. That talk concluded with a demonstration of a real-world bug in a home cable modem. However, it did not dive into the gritty details of exploitation on embedded processors. Late last year (2011) we developed and privately delivered 5-day courses that taught advanced software exploitation on ARM microprocessors (used in iPhones, appliances, iPads, Androids, Blackberries, et al.). We opened that course to the public for CanSecWest 2012 and Blackhat 2012 (see http://bit.ly/wKHKsG).
In this talk we will share the more interesting bits of the research that went into developing the Practical ARM Exploitation course, such as reliably defeating XN, ASLR, stack cookies, etc. using nuances of the ARM architecture on Linux and Android (for embedded applications and mobile devices). We will also demonstrate these techniques and discuss how we were able to discover them using several ARM hardware development platforms that we custom built (see: http://bit.ly/zaKZYH).
Stephen A. Ridley was a research partner at a major U.S. Defense contractor that supported the U.S. defense and intelligence communities in areas of information security research and development. He and Stephen Lawler maintain the blog: http://www.dontstuffbeansupyournose.com
Stephen A. Ridley is a security researcher with more than 10 years of experience in software development, software security, and reverse engineering. Before becoming an independent researcher, Mr. Ridley served as the Chief Information Security Officer of a financial services firm. Prior to that he was Senior Researcher at Matasano. He also was Senior Security Architect at McAfee, and a founding member of the Security and Mission Assurance (SMA) group at a major U.S. defense contractor where he did vulnerability research and reverse engineering in support of the U.S. intelligence community. He has spoken about (and given trainings on) reverse engineering and software security at BlackHat, ReCon, EuSecWest, CanSecWest, Syscan and others. Mr. Ridley currently lives in Manhattan and frequently guest lectures at New York area universities such as NYU and Rensselaer Polytechnic Institute.
Lessons Of Static Binary Analysis
Christien Rioux, Veracode
Ever wanted to know more about how static binary analysis works? It's complicated. Ever want to know how C++ language elements are automatically transformed? The high-level overview of how machines analyze code for security flaws is just the beginning. In this talk we'll be delving into the gritty details of the modeling process. This is a two hour workshop, ending with demonstrations of the decompilation and binary modeling process.
Christien Rioux, co-founder and chief scientist of Veracode, is responsible for the technical vision and design of Veracode's advanced security technology. Working with the engineering team, his primary role is the design of new algorithms and security analysis techniques. Before founding Veracode, Mr. Rioux founded @stake, a security consultancy, as well as L0pht Heavy Industries, a renowned security think tank. Mr. Rioux was a research scientist at @stake, where he was responsible for developing new software analysis techniques and for applying cutting edge research to solve difficult security problems. He also led and managed the development for a new enterprise security product in 2000 known as the SmartRisk Analyzer (SRA), a binary analysis tool and its patented algorithms, and has been responsible for its growth and development for the past five years.
BUSINESS AND SECURITY
Why Developers and Vulnerability Researchers Should Collaborate
Dr. David Rees & Karthik Raman, Adobe
In a software company, the roles of a software developer and a vulnerability researcher might seem to have little symbiosis. At Adobe, we have found that building working relationships between the two is to the benefit of the players, of software security, and helps us serve our customers and partners better. In this talk, we’ll discuss incident response (IR) at Adobe and our involvement in vulnerability sharing with partners through the Microsoft Active Protections Program (MAPP). We’ll show how a mature IR process developed into a workflow for collaboration between developers and vulnerability researchers on addressing vulnerabilities covered in MAPP. We’ll present some insights on security bug fixing in a complex product area (3D graphics). We’ll demonstrate how the collaborative relationships catalyzed Adobe’s response to two zero-days in December 2011, CVE-2011-2462 and CVE-2011-4369, resulting in accelerated patch development. We’ll review what the collaborators learned from responding to these zero-days and conclude by offering best practices for other security-development team collaborations.
Dr David Rees is a Group Lead in the Adobe Acrobat team, specializing in 3D and GIS topics while managing relationships with industry partners. Prior to that, David was CTO at Altor Systems, developing and licensing high performance 3D engine and gaming technology, and a Lead at Electronic Arts advanced technology labs. He holds a PhD in Computer Science from University College London, and a BSc in Computer Science from Exeter University. He has spoken and published in the subject areas of Archaeology, Astronomy, Computer Graphics, Geomatics, HCI, and Image Processing.
Karthik Raman, CISSP, is a security researcher on the Adobe Secure Software Engineering Team (ASSET), where he focuses on vulnerability analysis and technical collaboration with industry partners. Before joining Adobe, Karthik was a research scientist at McAfee Labs, where he worked on threat analysis, building automation systems, malware analysis, and developing advanced antimalware technology. Karthik holds a Master of Science degree in Computer Science from UC Irvine and Bachelor of Science degrees in Computer Science and Computer Security from Norwich University. Karthik has spoken at Infosec Southwest, SOURCE Boston, LayerOne, and delivered a Black Hat webcast.
The Base Rate Fallacy: Information Security Needs To Understand This.
Patrick Florer, Risk Centric Security & Jeff Lowder, SIRA
A base rate is the prevalence of an item of interest in a population. In medicine, it would be the prevalence of a disease in a group of people. In information security, it might be the prevalence of SQL injection flaws in web applications or the prevalence of malware in the population of downloaded *.exe files. Without an estimate of the base rate, it isn’t possible to talk meaningfully about detection rates (true positives) or false positives. Those who do so commit the “base rate fallacy.” If the base rate is known, then a fourfold table, also called a 2 x 2 table or matrix, is a mechanism that helps us understand the correct probabilities of True Positive, False Positive, True Negative, and False Negative events and avoid the base rate fallacy. Understanding these probabilities enables us to evaluate the claims of many types of security technologies, including the effectiveness of antivirus software, web application scanners, and IDS/IPS systems.
• The base rate fallacy, explained and demonstrated
• Gigerenzer’s natural frequencies technique for avoiding the base rate fallacy
• Examples of why base rates apply to information risk management:
- Common Vulnerability Scoring System (CVSS)
- The Distinction between Inherent Risk vs. Residual Risk
- Intrusion Detection Systems
- Vendor Management, Hosting Providers, and SOC 2 (formerly SAS70) Audit Reports
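The fourfold table and the natural-frequencies restatement from the abstract, worked through in code. This is an added illustration, not material from the speakers; the IDS figures it uses (one malicious session in 10,000, 99% detection, 1% false positive rate) are constructed for the demonstration, and the function names are the example's own. Exact rationals are used so the table sums to the reference population without rounding drift.

```python
"""Fourfold (2 x 2) table and natural frequencies for the base rate fallacy.

Added illustration for the abstract above; not the speakers' code.
All rates in the demo at the bottom are constructed, not measured.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Union

Number = Union[int, float, str, Fraction]


def _frac(x: Number) -> Fraction:
    """Exact rational from an int, decimal string, Fraction, or float
    (floats go through str() so 0.0001 becomes exactly 1/10000)."""
    return x if isinstance(x, Fraction) else Fraction(str(x))


@dataclass(frozen=True)
class Fourfold:
    """Counts of the four outcomes in a reference population."""
    tp: Fraction  # really positive, flagged
    fn: Fraction  # really positive, missed
    fp: Fraction  # really negative, flagged anyway
    tn: Fraction  # really negative, passed

    @property
    def population(self) -> Fraction:
        return self.tp + self.fn + self.fp + self.tn

    def ppv(self) -> Fraction:
        """P(really positive | flagged): the number people *think* a
        '99% detection rate' claim gives them. It does not."""
        return self.tp / (self.tp + self.fp)

    def npv(self) -> Fraction:
        """P(really negative | passed)."""
        return self.tn / (self.tn + self.fn)


def fourfold(base_rate: Number, sensitivity: Number, specificity: Number,
             population: int = 1_000_000) -> Fourfold:
    """Build the table from the three rates a vendor or a study reports.

    base_rate    prevalence of the condition (attacks, malware, SQLi flaws)
    sensitivity  true positive rate, P(flagged | positive)
    specificity  true negative rate, i.e. 1 - false positive rate
    """
    p, s, sp = _frac(base_rate), _frac(sensitivity), _frac(specificity)
    for name, r in (("base_rate", p), ("sensitivity", s), ("specificity", sp)):
        if not 0 <= r <= 1:
            raise ValueError(f"{name} must be in [0, 1], got {r}")
    positives = population * p
    negatives = population - positives
    return Fourfold(tp=positives * s, fn=positives * (1 - s),
                    fp=negatives * (1 - sp), tn=negatives * sp)


def natural_frequencies(t: Fourfold, unit: str = "events") -> str:
    """Gigerenzer-style restatement: whole counts out of one reference
    population instead of conditional probabilities."""
    n = round(t.population)
    pos = round(t.tp + t.fn)
    alerts = round(t.tp + t.fp)
    return (f"Out of {n:,} {unit}, {pos:,} are really positive and "
            f"{round(t.tp):,} of those are flagged. Of the {n - pos:,} that "
            f"are not, {round(t.fp):,} are flagged anyway. So of every "
            f"{alerts:,} alerts, {round(t.tp):,} are real.")


def min_base_rate_for_ppv(sensitivity: Number, specificity: Number,
                          target_ppv: Number) -> Fraction:
    """Smallest prevalence at which at least target_ppv of alerts are real.

    From PPV = p*s / (p*s + (1-p)*f), f = 1 - specificity, solved for p:
        p >= t*f / (s*(1-t) + t*f)
    """
    s, f, t = _frac(sensitivity), 1 - _frac(specificity), _frac(target_ppv)
    denominator = s * (1 - t) + t * f
    if denominator == 0:
        raise ValueError("target PPV is unreachable with these rates")
    return t * f / denominator


if __name__ == "__main__":
    # Constructed IDS scenario: 1 attack session in 10,000, 99% sensitivity,
    # 1% false positive rate. Sounds excellent until the base rate is applied.
    ids = fourfold(base_rate="0.0001", sensitivity="0.99", specificity="0.99")
    print(natural_frequencies(ids, "sessions"))
    print(f"PPV = {float(ids.ppv()):.4f}  (naive reading of the claim: 0.99)")
    need = min_base_rate_for_ppv("0.99", "0.99", "0.5")
    print(f"Base rate needed for half of all alerts to be real: {float(need)}")
```

With the constructed rates, fewer than one alert in a hundred is a real attack, and the prevalence would have to rise to 1% before half of them were. The same three inputs serve the other cases the talk lists: plug in the prevalence of exploitable flaws for a web application scanner, or the share of malicious samples for an AV product, and read the PPV off the table instead of the vendor's detection rate.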
Patrick Florer has worked in information technology for 32 years. In addition, during 17 of those 32 years, he worked a parallel track in medical outcomes research, analysis, and the creation of evidence-based guidelines for medical treatment. His roles have included IT operations, programming, and systems analysis. From 1986 until now, he has worked as an independent consultant, helping customers with strategic development, analytics, risk analysis, and decision analysis. He is a cofounder of Risk Centric Security and currently serves as Chief Technology Officer.
Jeff Lowder is President, Society of Information Risk Analysts and Director, Global Information Security and Privacy for OpenMarket. He has more than 16 years of experience in information security; his previous roles include information security leadership positions at Disney, United Online, Elemica, and the US Air Force Academy.
Just Another Day at the Office... September 11, 2001, The White House
This will be the first time speaking publicly about my role as the Counterintelligence Operations Officer at The White House.
Everyone remembers what they were doing on 9/11, as it is a date that will be forever part of our lives. While I played but a minor role, as compared to the countless number of heroes in New York City, I was charged with an interesting responsibility, played out behind the scenes during that fateful day in history. This talk will share an insightful perspective on what was happening behind the scenes, and out of the limelight, in and around the most famous address in the United States. On 9/11, I linked up with the First Lady and her protective detail to ensure her needs were met in the event we needed to evacuate her and key members of her staff. I, along with her physician and USSS detail, spent the day with Mrs. Bush, and the events leading up to that day, throughout the day, and our return to reunite her with POTUS were an emotional roller coaster that will be with me forever, and a story worth sharing.
With more than 28 years of counterintelligence and security experience, Tony Rucci currently serves as the Director, Reno Data Center, Critical Infrastructure Protection & Risk, NJVC, LLC, in Reno, Nevada, where he and his team of technical professionals provide full spectrum, fixed priced, flexible model, managed data center services to customers who require highly secure, available, reliable data center services and consulting, with an emphasis on critical infrastructure protection and risk management.
Prior to NJVC, Mr. Rucci ran IC Programs for the Global Security Directorate (GSD) at the Oak Ridge National Laboratory (ORNL), Department of Energy, Oak Ridge, Tennessee. Mr. Rucci was hired by ORNL in 2004 as a Technical Security and Intelligence Programs Manager to spearhead the design and accreditation of the Multiprogram Research Facility. After accreditation, Mr. Rucci served as the Director of Intelligence Operations and in 2007 assumed responsibilities as the Collection Manager and Cyber Initiatives. In 2010, he was given an opportunity to reach back to his community of interest and become an IC Programs Developer for the Global Security Directorate. Prior to his employment with ORNL and now NJVC, Mr. Rucci retired after 21 years as a United States Army Counterintelligence (CI) Warrant Officer / Special Agent, having served in a variety of leadership positions and conducted numerous security and espionage investigations to protect our national interests, culminating with his final assignment as the Counterintelligence Operations Officer for the Director of Security, White House Military Office. During the attacks of 11 September 2001, Mr. Rucci and the Director of Security quickly formulated a plan of action and implemented it. Mr. Rucci relocated with the First Lady, where he served as the military support officer providing critical assistance in establishing contact between the President and the First Lady. He also used his extensive knowledge of communications protocol and continuity of government plans to help the United States Secret Service interact with Department of Defense elements to develop plans to provide for the safety of the First Lady. Mr. Rucci was the lead counterintelligence officer on over 70 Presidential visits to 94 foreign countries.
During these trips, he performed diverse tasks to ensure the White House Military Office mission was successfully performed, provided force protection measures to ensure the security of military forces, provided critical intelligence to the Military Aide to the President and the United States Secret Service, which affected the President of the United States. Mr. Rucci accomplished this by fusing disparate information from national intelligence agencies, host country law enforcement agencies, and Department of State personnel into a coherent, succinct threat picture. Mr. Rucci retired from the U.S. Army and left the White House in December 2004 but continues to serve the intelligence community and national security efforts in his current capacity with NJVC, LLC. Tony speaks regularly at government and industry events on such topics as Critical Infrastructure Protection, Spear Phishing, Social Networking and Insider Threats. Mr. Rucci and his wife Pam are “Proud Empty Nesters” and reside in Reno, Nevada.
Data Breach: Let the Finger Pointing Begin!
William Cook, McGuire-Woods
Whether it's a malicious Flame attack, a Trojan-enhanced Simurgh compromise or a compromise caused by an improperly installed security patch, a data breach and information loss almost always causes immediate big league finger pointing and blame attribution. From a legal point of view, this reaction is understandable but completely counterproductive: it wastes critical time and exponentially increases the likelihood of corporate downstream liability and loss of shareholder value. It's part of the problem, not part of the answer.
This presentation will discuss how to deal with data breaches in a way that effectively defines the problem and the response in a way that meets the company's legal obligations and minimizes the impact of the intrusion on the corporation. The discussion will include best practices in light of new SEC disclosure guidelines, GLB, SOX, Canada's PIPEDA, HIPAA/HITECH, State breach notification laws and the newly proposed EU Data Privacy Provisions. Learn the pros and cons of NIST's just-released guide to handling computer security incidents.
Mr. Cook is head of the McGuire Woods Data Privacy and Security team. He focuses his practice on IP litigation, internal investigations, data security and privacy counseling and litigation and export and import regulatory compliance and litigation. He served as an assistant U.S. attorney in Chicago, serving for 14 years in the Special Prosecutions Unit of that office. He has tried 85 cases as a prosecutor and in private practice. Each year since 2008, he has been recognized as a "Leader in the Field" by Chambers USA and Global for his security and privacy practice.
As an intellectual property litigator, he handles cases involving trade secrets, copyrights, patents, malvertising, privacy rights, and unfair competition before federal and state courts and the FTC. He has handled white collar criminal matters for victims and defendants concerning healthcare fraud, defense contracting fraud, mail fraud and violations of U.S. export restrictions. He conducts internal corporate investigations involving industrial espionage, employee misconduct, computer intrusions and corporate security audits. He also has experience with e-commerce, as well as advertising, database protection and domain name transfers. He also counsels clients with respect to all aspects of the payment credit card industry data security standards (PCI DSS) and related liability exposures. He counsels corporate clients regarding business continuity planning, export and import regulations, regulatory compliance with HIPAA and other federal security standards.
Mr. Cook also advises clients on export and import regulations and compliance with respect to the Commerce Department’s Export Administration Regulations and the State Department’s International Traffic in Arms requirements. He litigates matters with respect to export and import compliance, as well as new shipper review designations.
Journey To The Clouds: Maturity, Agility, Risk & Trust
Bryan K. Fite, BT
We will explore the evolution of Information Security from its technology focused roots to “Outsourcing & Transformation”. We will focus on the opportunities and challenges associated with all things cloud. New business models demand aggressive return on investment. By embracing innovation, compensating controls and trust management techniques, CSOs and other security practitioners can survive and prosper in the age of Cloud Computing and Shared Services.
After 3.5 years serving as the Global Security & Compliance Director for a Fortune 50 company, my main objective in creating this presentation was to provide practical tools for the modern CSO. By determining where an organization is on the Security Maturity Continuum, the pragmatic CSO can move from being the person who says “No” to a Trusted Advisor role with a seat at the table. New business models demand aggressive return on investment. By learning how to embrace standard service offerings, innovation, compensating controls and trust management techniques, CSOs and other security practitioners can survive and prosper in the age of Cloud Computing and Shared Services.
The evolution of Information Security within large organizations has followed a linear and predictable path. Organizations with prescriptive control requirements, rigid policies and arduous risk management practices were perfect candidates for “Outsourcing & Transformation” with little to no change in corporate governance or culture. However, many times this approach misses additional opportunity because of the custom nature of the client’s perceived requirements. I will discuss the stages of the evolution and the relevant maturity required to take advantage of each stage. The ultimate goal is to determine your organization’s appetite for risk and to facilitate the cultural move from a “Zero Risk/Zero Breach” mentality to a “Predict & Prevent”/”Risk Resilient” mentality.
The confidence leadership has in its organization’s security program comes from a combination of Control and Trust. The more Control an organization wields, the less Trust is required, and vice versa. Organizations can employ Rapid Risk Assessments and Trust Management Practices (a form of due diligence) to develop agile security governance that aligns with the objectives of the organization and yields business reasonable policies.
Trust Management is an evolving discipline and as such is not without its critics. However, I am confident it will find its place in the modern CSO’s tool kit right next to risk assessments and technical controls.
Bryan K. Fite: A committed security practitioner and entrepreneur, Bryan is currently the US&C Security Portfolio Manager for British Telecom (BT). Having spent over 20 years in mission-critical environments, Bryan is uniquely qualified to advise organizations on what works and what doesn’t. Bryan has worked with organizations in every major vertical throughout the world and has established himself as a trusted advisor. “The challenges facing organizations today require a business reasonable approach to managing risk and protecting information assets.”
• Creator & Host of the “Non-Con” Day-Con Hacker Conference
• Founded Meshco™ Producers of PacketWars™
• Introduced Forensix™ computer forensics collection, analysis and visualization suite
• Released AFIRM: Active Forensic Intelligent Response Method to the general public
• Founded GETSecure™ a full service security practice; products, professional services, managed services and training.
• Co-Founded SecureIT™ (acquired by VeriSign) a pure play security practice; products, services and training
The Interim Years of Cyberspace - Security in a Domain of Warfare
Robert Lee, US Air Force
Cyberspace is the fifth and newest domain of warfare, yet the domain was used by people around the world long before it was militarized. With the launch and discovery of cyber weapons such as Stuxnet, it has become brutally obvious that operations within cyberspace can impact daily lives at any time. Our dependency on the Internet and the technologies connected to it, such as critical infrastructure and financial services, raises many points of concern and challenges for security professionals. This presentation will make the case that the current state of cyberspace is in the interim years, akin to that of aerial warfare between World War I and World War II. The presentation will also cover current advanced threats and recommendations to security professionals operating within the domain. Understanding the past as well as gaining a more holistic understanding of the present will empower security professionals to prepare for the rapidly evolving advanced threats they will face.
Robert M. Lee is currently stationed in Germany working under the Air Force Intelligence, Surveillance, and Reconnaissance Agency. He is a graduate of the United States Air Force Academy and of the Air Force’s Undergraduate Cyber Training technical school. Robert Lee has published and presented internationally on topics including control systems cyber security, cyber warfare, advanced cyber threats, and future nation-state cyber weapons.
Security Lessons From Star Wars
Shostack will examine the traditional threats against which we fight and follow Darth Vader's advice ("Don't be so proud of this technological terror you've created") to its logical conclusions, asking if the technological terrors on which we focus so much attention are the only threat out there, and if perhaps we'd be better off asking about the force: that which flows through all living beings, and has a light side and a dark side. In particular, we'll look at software bugs, social engineering, feature abuse, and ask what we can do to effectively defend ourselves from the temptations of the dark side. The talk will include engineering tools that attendees can take back and apply immediately.
Shostack helped found the CVE, the Privacy Enhancing Technologies Symposium and the International Financial Cryptography Association. He has been a leader at a number of successful information security and privacy startups, and is co-author of the widely acclaimed book, The New School of Information Security. Shostack is currently a principal program manager on the Microsoft Trustworthy Computing Usable Security team, where among other accomplishments, he shipped the Microsoft Security Development Lifecycle (SDL) Threat Modeling Tool and the Elevation of Privilege threat modeling game as a member of the SDL team.
BYOD: The Risks, Rewards, and Challenges
Adam Ely, Bluebox
As computing becomes more portable and accessible, we struggle to find the balance between enabling access and protecting the valuable assets of our organizations. The trend of BYOD has been underway for years and we're continuing to see the desire for open access from any device increase on an almost daily basis. To protect our assets we must focus on enabling access, meeting the needs of the organization, and layering protections into the workflow rather than building an iron wall users will go around. Through proper planning of strategies, use of existing and emerging technologies and understanding our organization, we can increase security rather than force end users to find less secure ways of achieving their goals.
Adam Ely is the Founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led security and compliance at TiVo and held various security leadership roles within The Walt Disney Company where he was responsible for security operations and application security of Walt Disney web properties including ABC.com, ESPN.com, and Disney.com. Adam was named one of the top 25 security influencers to follow in 2012 for his industry contributions and is the author of the forthcoming McGraw-Hill book, Information Security Business & Strategy Essentials.