B-C-METOYX

SOURCE Boston Agenda - May 27-28, 2015

Blog Post created by B-C-METOYX Employee on May 4, 2015

SOURCE Boston will be held later this month at the Marriott Courtyard. Several people from Akamai InfoSec will be there volunteering, working the Akamai booth and attending talks. The full agenda is below.

A full daily break-down of talks with specific time slots will be published shortly. In the meantime, here's a list of confirmed speakers and keynotes.

Keynotes:

Jim Routh, CISO Aetna

Mike Murray, Director, Cyber Security Assessment and Consulting at GE Healthcare

David Kennedy, Founder of Trusted Sec and Binary Defense Systems

A Swift Teardown

Jared Carlson

Veracode

This talk centers on understanding Swift, Apple's new language for iOS and OS X development. In this talk I will discuss how Swift works, what's different from Objective-C, and the benefits and drawbacks of using it. We'll dive into the details, such as what a protocol witness table is, how the Swift runtime works, how Swift works with LLVM, and how to approach reverse engineering Swift apps.

All That Cybers Is Not War

Brendan O'Connor/Leviathan Security Group, Dr. John Linwood Griffin/TripAdvisor

Frightened by people saying "the Geneva Conventions don't apply" to the Internet? Confused by vendors and Feds saying that APT is an act of war and the proper response is a missile? Take a deep breath and sit down for a talk both hilarious and somber on the law of war. You'll learn how to experiment with war crimes in your spare time and how to use illegal hot-air-balloon-mounted guns as we travel from Geneva to The Hague to Tallinn on a whirlwind tour of wars, weapons, and wanton destruction!

iROP - Interesting ROP gadgets

Xiaoning Li

INTEL

Today, ROP-based exploits are still very popular. Security solutions including EMET/KBouncer have designed different policies, such as requiring call-preceded return locations, to detect or block ROP gadgets; at the same time, control flow integrity has become the popular proposal for solving the ROP problem. But researchers eventually found that enough valid gadgets remain to create ROP chains. In this talk, we will discuss existing ROP defense approaches and evaluate new proposals like CFI and shadow stacks against more powerful, interesting gadgets.

Bugged Files: Is Your Document Telling on You?

Daniel Crowley, Damon Smith

iSEC Partners

Certain file formats, like Microsoft Word and PDF, are known to have features that allow for outbound requests to be made when the file opens. Other file formats allow for similar interactions but are not well-known for allowing such functionality. In this talk, we explore various file formats and their ability to make outbound requests, as well as what that means from a security and privacy perspective. Most interestingly, these techniques are not built on mistakes, but intentional design decisions, meaning that they will not be fixed as bugs. From data loss prevention to de-anonymization to request forgery to NTLM credential capture, this presentation will explore what it means to have files that communicate to various endpoints when opened.

Using NLP to detect phishing and APT CnC domains

Jeremiah O'Connor

OpenDNS

Spoofed branded domain names have been equally used in mass phishing campaigns and as CnC domains in recent APT attacks. In this talk we present NLPRank, a generic detection model we developed to identify targeted attacks' CnC domains and also commodity phishing attacks. The system uses heuristics such as: Natural Language Processing (NLP), domain to ASN mapping, and HTML tag analysis. Through careful analysis, we have created a malicious language derived from the lexical features of FQDNs of specific APT data sets. This model runs on our live streaming authoritative DNS traffic and is part of our real-time alert system.

This system has been having great success in detecting compromised and dedicated phishing sites as well as cyber-espionage CnC domains. In this presentation, we will be sharing various use cases and results showcasing the accuracy and coverage of this model.

Embedded Insecurity: Can We Fix The Internet of Evil Things?

Paul Asadoorian

Security Weekly

While many have proven the threat of embedded systems, or IoT as "they" say, the question remains: can we fix it? Dive in and discover what the things are, why all of the things are vulnerable, how the things are vulnerable, and what we can do to fix the problem. Attackers are using things to profit, and manufacturers keep producing insecure things running insecure software; when will it end? Explore this topic, including a few technical demonstrations, and conclude with top ten lists for different audiences to educate the masses on this topic.


Getting the most from your managed security providers

Wade Woolwine

Josh Feinblum

Rapid7

How can you effectively leverage a third party provider in your incident response program? In this talk the speakers will provide an inside look at how incident response programs can succeed, drawing from years of experience and real-world scenarios to share what works when you're evaluating a vendor - as well as what doesn't, and the steps you can take to ensure an effective third-party partnership, including how to classify assets, users and data and the importance of practicing response scenarios.


Protecting your cloud server with a cloud IDS

Josh Pyorre

OpenDNS

Most cloud providers don't provide any kind of intrusion detection or other advanced security solutions. Often, you might find out about a compromise of your website or other publicly-accessible service through other sources, such as social media. I'm proposing a simple way of building an IDS that you can send traffic through to provide some degree of protection from attackers.


Rebuilding the Credibility of a Security Team

Paul Davis

Cisco

Many CISOs/CSOs and Directors of Security Operations are facing the challenge of increased expectations, misplaced assumptions of responsibility and limited resources to deliver success. This leads to increased frustration within the security teams who are striving to protect their organizations. The rest of the organization often feels that the security team is either not delivering results or regards IT security as an unwanted, interfering overhead. Paul has been brought in multiple times to rebuild IT security organizations and turn them into respected and valued teams that deliver results and are relied upon.

This presentation will show how Paul has been able to change the delivery model of the IT security teams, improving morale and efficiency, while simultaneously regaining the respect of other teams within the organizations including audit, IT service delivery, and the business leaders. He has delivered success within Fortune 5 companies, within critical infrastructure organizations and for multiple IT security delivery organizations.


Defending the Enterprise with Evernote

Salvador Grec

NovaInfosec.com

Most people are already familiar with Evernote. It's easy to just throw all our miscellaneous data into the Elephant and effortlessly find it later with a quick search or correlate similar ideas with tags. Evernote is literally our external brain that increases our intelligence and helps us become more productive overall. This presentation discusses an experiment of using Evernote as a defensive management platform, the specific concepts and strategies used, and its overall effectiveness. Specific topics covered will include the advantages of using an open and flexible platform that can be molded into an open/closed source threat intelligence database, an information sharing platform, and an incident case management system. Although using Evernote in this way in large enterprises is probably not possible, the same lessons learned can be applied to implement a similarly effective system using internally-hosted open source or commercial software.

Selling for Security Professionals

Stephanie Losi

How can security professionals talk to business executives in their language? Business managers may focus on ROI, decision modeling and growth, while security professionals are thinking worst-case scenarios, redundancy and diversity of controls, and risk reduction. Do you see the problem here? Our Venn diagram appears to be fairly non-overlapping, though with some intersection around protecting reputation. But in reality, our Venn diagram is more like this: hugely overlapping circles geared toward maximizing the business' reputation, making the business resilient to inevitable errors and incidents, and helping the business lines grow.

This talk will focus on how security professionals can sell what they bring to the table and communicate better with business lines, shifting from two different perspectives to a meeting of the minds.

Penetration Testing in the Cloud

Dan Lambright

RedHat

This talk discusses challenges associated with ensuring your infrastructure is secure in the cloud. Cloud providers are very careful about letting customers run penetration tests, because such tests can be mistaken for real attacks, yet they are needed to confirm data is safe. This talk discusses the conditions and limits of the permissions obtainable, and explores methods of doing targeted tests in ways that will not affect others using multi-tenant hardware. A promising approach is to have a Docker instance play the role of the hacker, and use an instance's internal network interface to carry out the tests.

Adversary Profile: Gothic Panda

Silas Cutler

CrowdStrike

CrowdStrike has been actively tracking an advanced adversary group known as Gothic Panda. Known for high-profile targeting of government research groups, financial institutions, and companies in the development sector, the adversary's activity has been hallmarked by the reuse of the malware Pirpi, which has evolved since 2009. It is speculated they are using compromised servers for hosting control infrastructure as an operational security measure. It is believed that this adversary originates from the People's Republic of China and likely will resurface in 2015. This presentation will provide an analysis of hallmarks of the malware Pirpi, as well as explore the origins of this adversary.

Improving the State of Healthcare Information Security as a Security Investigator

Roy Wattanasin

MITM

The time has begun. You have already heard about these warnings from the news and from your security intelligence infrastructure.

The FBI had warned that hackers are or will be targeting your healthcare organization. 2014 was a rough year for data security in the healthcare industry. About 43 percent of breaches came from healthcare per the Ponemon Institute. 2015 has been a trickier and rougher year with one of the largest healthcare breaches reported to date. This talk highlights and walks you through the top four healthcare breaches.

It plans to dive into the role of a security investigator (using public information), review how and why each breach happened, when it was discovered, how many people were impacted, who discovered it, and what the organization(s) did to assist with the breach. Additionally, this open talk hopes to provide recommendations on how to help prevent such breaches and to get comments and feedback from the audience. All references and sources from the research will be provided. "Time is inevitable, but knowledge and pro-activeness is on your side."

Multipath TCP - Breaking Today's Networks with Tomorrow's Protocols

Catherine Pearce

Neohapsis

MultiPath TCP (MPTCP) is an extension to TCP that enables sessions to use multiple network endpoints and multiple network paths at the same time, and to change addresses in the middle of a connection. MPTCP works transparently over most existing network infrastructure, yet very few security and network management tools can correctly interpret MPTCP streams. With MPTCP network security is changed: how do you secure traffic when you can't see it all and when the endpoint addresses change in the middle of a connection?

This session shows you how MPTCP breaks assumptions about how TCP works, and how it can be used to evade security controls. We will also show tools and strategies for understanding and mitigating the risk of MPTCP-capable devices on a network.

Quantifying cyber attacks - to optimize and assess your defense

Jason Syversen

Siege Technologies

This talk will describe the challenges of quantifying offensive and defensive capabilities and posture. This is not an IT-oriented metrics talk about measuring firewall rules or the number of incidents last year. Instead, you'll hear about new military-backed research on how to quantify the effectiveness of attacks, predict outcomes and measure defensive strength, as well as the future of data-driven security technologies.


Growing Up: A Maturity Model and Roadmap for Vulnerability Management

Eric Cowperthwaite

Core Security

There are differences between each of the high-profile hacks you've seen in recent headlines, but there are also a few consistent characteristics of the modern breach. Inevitably, we discover known software vulnerabilities were left unpatched, networks were exposed and critical assets were open to attack. This pattern is repeating itself because - across industries and sectors - threat and vulnerability management (TVM) programs are operating far below their potential, and most leaders don't know how to take their programs to "the next level."

That's why Eric and the team at Core Security created the five-level Threat and Vulnerability Management Maturity Model. It uses a traditional Carnegie Mellon Maturity Model to illustrate the continuum of capability that an organization can implement. This is a significant departure from the current approach to vulnerability management, which essentially calls for implementing a vulnerability assessment product, establishing a few basic measurements to prioritize patch management and few, if any, means of measuring the efficacy of the program. In fact, today's typical TVM program will be somewhere around level one or two in this Maturity Model.

During this session Eric will outline the five levels, and attendees will be able to easily identify where their respective organizations stand on the Maturity Model. He will also review the specific steps necessary to advance through each level, ensuring attendees leave with clear action items for maturing their TVM programs.

Monitoring Social Media in 5 Minutes a Week

Dakota Nelson

Independent Researcher

Physical reconnaissance is constantly getting easier - now, your employees are on the attacker's side! Using social media, attackers can access a trove of information about their target's security measures. Learn about these threats and how to counter them by keeping an eye on social media yourself. Includes a new open source tool, pushpin-web, that can give you valuable, actionable social media insight in 5 minutes a week.

Reactive JS Security Testing & Exploitation

Matt Wood

Sunera

JavaScript applications continue to become more and more complex. With real-time collaboration in mind and entire applications becoming supported by a "single UI page," a new buzzword for these applications has arisen over the last few years: Reactive Applications/JavaScript. Stated simply, this is the separation of the HTML/CSS UI from the real-time, event-driven data back end. There are many compelling reasons for these advances/changes; unfortunately, many of the same application design mistakes are being made that the industry saw when AJAX-heavy applications first entered the mainstream (the over-exposure of the data API). While some frameworks allow for secure deployment, it is not easy or intuitive in all cases. Many researchers and framework developers have put a lot of effort into the security design of these "reactive" frameworks, but application developers are not utilizing these features effectively, or worse, do not know it is necessary. This presentation will offensively review some of the new technologies employed, how to identify these event-driven back ends, several OWASP attack classes in the context of "Reactive" frameworks (MeteorJS/RxJS/Microsoft Data API/Angular), and finally how to address data security within these "Reactive" frameworks. Attendees will witness poorly secured reactive frameworks dumping sensitive information, effective injection techniques against various reactive endpoints, and finally what a security professional needs to know and look for to identify and secure "Reactive" endpoints across several frameworks.


MQTT, CoAP, and Building Secure Things

Jack Mannino

Nvisium

In this presentation we will explore two of the most commonly used IoT protocols, MQTT and CoAP. We will explore how they work, protocols they're designed to work with, and common architectures. Attacks against the protocols and specific implementations will be demonstrated that can be used to impersonate other devices, knock systems offline, and potentially execute remote code. We will demonstrate how to mitigate these issues within your own code as well as library and framework issues to watch out for.

iOS App Analytics VS Privacy: An analysis of the use of analytics

Guillaume Ross

Rapid7

As developers attempt to tailor their applications to customers, obtain more information about how they are used and how reliable they are, the use of app analytics services on mobile devices is now very common. During this talk, we will look at the usage patterns of analytics services by the most popular apps in various categories, such as games and productivity applications, as well as different application business models (free, freemium, paid, etc.). What does it all mean for your privacy? Can you prevent it? What types of apps are the greatest offenders? How can you detect it? These are questions we will answer, as we look at the patterns, the analytics providers used, and explore the type of data that is sent as well as the privacy policies of these analytics service providers.


Who Watches the Watchers? Metrics for Security Strategy

Michael Roytman

risk.io

Security metrics are often about the performance of information security professionals; traditional ones are centered around vulnerability close rates, timelines, or criticality ratings. But how does one measure whether those metrics are the right ones? How does one measure risk reduction, or how successful your metrics program is at operationalizing what is necessary to prevent a breach?

Outcomes