Security BSides San Francisco: Speakers and Topics Lineup

Wednesday, February 08, 2012

Security BSides


Register for Security BSides San Francisco Event today!

Invite your friends by posting this on Twitter: "#BSidesSF Feb. 27-28, 2012: Discover the next big thing!"

About the Event:

Each BSides is a community-driven framework for building events for and by information security community members.

The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration.

It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening. You don’t want to miss it!

When: Mon-Tues, Feb 27-28, 2012

Where: Children's Creativity Museum
221 Fourth Street San Francisco, CA 94103

Cost: Free (as always!)


Security BSides San Francisco Speakers and Topics:

Ask the EFF panel!

Featuring EFF staff Dan Auerbach, Eva Galperin, Hanni Fakhoury, Marcia Hofmann, Jennifer Lynch and Trevor Timm.

Come with your questions!

Metasploit for penetration testing ~ Georgia Weidman (HALF DAY COURSE - PLEASE REGISTER IF YOU PLAN TO ATTEND)

This class will begin with the basics of using the Metasploit Framework. We will continue on following the penetration test methodology to use Metasploit to exploit vulnerable systems in a lab. Students will learn to exploit provided systems as well as test their knowledge in a CTF style challenge at the end of class. This class is suitable for those with no background in Metasploit or penetration testing as well as penetration testers who want to add the Metasploit Framework to their arsenal.

Serious Threat or FUD Machine? The Mobile Security Debate ~ Dan Hoffman

Recent reports around mobile security threats ignited strong responses from some in the security community, claiming that the reports overstate the concern and that security controls built into the phone, like sandboxing, mitigate the threat. In November, a number of reports emerged within the security community finding a staggering growth in malware targeting smartphones on Android and other platforms. Reports from both Juniper Networks and McAfee found significant increases in malicious applications targeting Android, and Lookout Mobile Security identified malware on the official Android Marketplace. So who’s right?

This session will deconstruct this debate and argue that mobile security, while different from traditional PC security, is a growing and significant concern. It will explore the risks presented by malware, as well as the threats presented by unsecured wireless networks and other threats absent from the current public debate.

The session is intended to be interactive and to encourage audience participation in the discussion of this newly emerging trend, looking to separate the real threats from the hype.

Your IR Team: More than Firemen and Maids ~ Wade Baker and Christopher Porter

All organizations have incidents and most do some level of reporting around them. Unfortunately, such reports often have little analytical value and are soon forgotten. The investigative response (IR) program’s contribution to risk management is largely underutilized. IR should not only “put out the fires” and “clean up the mess” but inform and improve security management as well. This talk provides tips and examples on how to make that happen.

So you want to be the CSO ~ Daniel Blander

Do you have a CSO who seems disconnected from his team? Is your Security Manager struggling to get attention and budget from upper management? Do the users seem completely oblivious and unwilling to get on the security bandwagon? This talk is a collection of researched ideas on how we can better work within our organizations to become Security Leaders and successfully integrate security into the culture of an organization.

The material is drawn from over 20 years of stubbing toes and researching dozens of organizations for best practices. It uses analogies from organizational and personal psychology and boils them down into ideas each of us can use every day. My end goal is to continue building playbooks of tools and techniques to make us more agile and effective in being Security Leaders in our organizations.

Identity in the Open Web ~ Yvan Boily

This presentation will cover the security and privacy considerations of identity service providers and protocols. Covering Facebook, Google, Twitter, OpenID and BrowserID, I will explain the security features and issues related to each provider, the data that an identity consumer receives during authentication, and how these impact the security and privacy of each of the parties in the identity circus.

We are Handling Security the Wrong Way ~ Brett Hardin

We are currently handling information security the wrong way.

* Sony was breached through an outdated Apache server.
* 47% of developers don't know if their open source is out of date.
* Why do we use vulnerability scanners to identify assets?
* We hire penetration testers before having a "simple" security process in place.

This talk covers how organizations, large and small, can benefit from looking at security in a new way.

Hacking the Bank: Figuring out what the cost of hacks may be. ~ Gillis Jones

As someone who actually performs hacking on a daily basis for Fortune 50 companies, financials are not a large part of my job description. But, as someone closely tied to the safety and health of a company, it is clear that we need to be vocal about these costs in order for us to function at the right level.

This presentation will be a discussion of my personal research into the financials of breaches and the bleak discoveries I came across as an infosec professional venturing into the business side of our work. Namely, discrepancies in accounting, lack of disclosure around hacks and ballpark estimates being the standard. Numbers are far too removed from the realities of security. So I will talk about how to focus on every aspect of a breach, and how to approach past breach cost estimation from a real-life perspective. Case studies will be shown to reflect actual expenditures, as well as descriptions of some of the actual hacks which were utilized in order to breach the systems.

I will also give my recommendation on how we can best adjust our accounting for hacking attacks based on the actual workflow of someone who deals with these situations.

Metrics That Don’t Suck: A New Way To Measure Security Effectiveness ~ Dr. Mike Lloyd

How does your organization measure and report its security posture and performance? Do you have spreadsheets that show how many vulnerabilities you found last month, or how many viruses your AV system stopped? Those numbers might pacify your management, but any security pro can tell you that they are no way to benchmark the real work you do – or how much danger your enterprise might be in.

Maybe the problem is that we’re all trying to use the data we already have – host metrics, network metrics, applications data – instead of building the data we actually need.  We need metrics that show the current range of threats, and the enterprise’s exposure. We need data that shows whether our security tools and programs are actually working or not. We need methods for demonstrating that our security teams are performing well – not only this month, but over a period of time.

In this thought-provoking presentation, we’ll describe methods for building an enterprise security metrics program that’s completely different from the current, sucky model of counting vulnerabilities or numbers of patches applied. We’ll outline methods for monitoring the threat landscape, and your organization’s exposure. We’ll offer some best practices for measuring the effectiveness of current security tools and systems. Best of all, we’ll outline a way to build a maturity model for security, so that you can show your security team’s performance on a month-to-month basis, and demonstrate its continuing improvement over time.

Want to stop reporting a bunch of crap and start building a real set of data that accurately measures your organization’s risk and its effectiveness in controlling it?  Want to learn how to integrate security data across hosts, networks, and applications?  Want your performance – and your company’s security posture – to be monitored using metrics that don’t suck?  Here’s a chance to look at the picture from a whole new angle.

Fundamental Flaws in Security Thinking ~ Martin McKeay

The current trajectory in security is leading us straight into a brick wall. You have only to look at the number of high-profile breaches to realize this is true. If we don't make changes, companies are going to start realizing they're going to be compromised no matter how much money they throw at security, so why try at all? What is it that got us to this point in history?

There are fundamental flaws in the assumptions we make about security, those that form the most basic building blocks that we use to form our every idea. Building blocks that are more sandstone than granite. Walk through some of our history with me and examine how these flawed assumptions have expressed themselves in PCI and the wider world of security.

Cracking the Encrypted C&C Protocol of a New p2p Botnet ~ Kevin McNamee

This session will explore how we cracked the encryption algorithm and decoded the command and control protocol of a p2p botnet that is being used by cybercriminals to control an advanced malware distribution system used for wide-scale fraud and identity theft attacks.

The analysis starts with the discovery of an unusual traffic pattern from computers infected with a variety of malware in a real-world deployment. A relatively small group of infected computers (~300) from the monitored network were communicating with over 60,000 computers on the Internet, using what was obviously an encrypted command and control protocol. One infected computer was in communication with over 5,000 different peers in a single day.

The obvious conclusion was that this was a new p2p botnet that was being used to control these computers and infect them with a variety of malware. The scale of the infection and the number of different malware varieties involved indicated that this was a significant operation.

In this session we will describe how we used traffic analysis from our network sensors and malware samples in the lab to reverse engineer this bot, crack the encryption algorithm and decode the command and control protocol. In addition, we will describe the infection process, how the malware injects itself into a variety of system processes and how it protects itself from detection. We will provide a detailed analysis of how it maintains contact with its peers and discuss various approaches for infiltrating this botnet.

By examining the protocol in more detail, we can see how it is used by cybercriminals to manage a large multi-tiered botnet, which is then used to distribute additional malware components for a fee or launch widescale fraud or identity theft attacks.

How NOT To Do Security: Lessons Learned From The Galactic Empire ~ Kellman Meghu

An analysis of the strengths and weaknesses of the Galactic Empire security policy. This presentation seeks to conduct a postmortem on the data security policy implemented during the events that led to the destruction of critical technology needed by the Empire for continued operational efficiencies. A history of the company, as well as a detailed look at the events that followed, provides a great working analysis that can be applied to your policy in hopes of avoiding the same fate. Learning from past mistakes, let's ensure we are not doomed to repeat them and, potentially, suffer a similar fate. Appropriate for anyone who has, or has not, seen the movie.

Mapping the Penetration Tester's Mind: 0 to Root in 60 min ~ Kizz MyAnthia

Mapping the Penetration Tester’s Mind is a gap-bridging series made to bring information technology professionals, auditors, managers, penetration testers and all those with an interest in information security to an equal understanding. Many times an auditor, manager, or compliance officer understands that a Penetration Test is required and the importance of having it done, but may not understand how it is performed or why certain actions were taken.

Mapping the Penetration Tester’s Mind will allow these professionals to gain insight into how a Pen Tester looks at the project from start to finish, including viewing the SOW, applying methodologies and experience, target selection, exploitation, evidence collection, and reporting. Mapping the Penetration Tester’s Mind will not only present the ideals that are used to perform a test, but will also arm the attendees with the information and knowledge to ensure that they are choosing the right Pen Tester for their engagement.

This material has never been presented with this type of focus or insight from an experienced tester before. Mapping the Penetration Tester’s Mind is sure to provide every attendee a high return of value and a better understanding of the “dark art” of penetration testing, making it the bright light at the end of the tunnel.

Building your own Zombie Horde - Dynamic Web Scanning at Massive Scale ~ Erik Peterson

In the 12 years since automated dynamic application scanning tools have been available, DAST has gone from something a few in the know were doing to something everyone is doing, but are we really all scanning our web applications? The number of hacks would suggest either the tools are broken or we really are not scanning enough.

To understand what was really going on, I met with dozens of Fortune 100 security teams and learned that on average only the top 1% of web applications at a Fortune 100 company are being aggressively tested both manually and using automated tools, but the rest are often going without any security testing at all. Reasons given were that it was just too cumbersome a task, scanning that number of sites would be impossible, and at the current pace it would take years to assess everything. Clearly a better solution is needed.

In my talk I'll discuss the modern enterprise challenges that stand in the way of assessing thousands of web applications rapidly in parallel, the trade-offs that have to be made as well as those that don't, and why you have no excuse not to be scanning everything. I'll detail the cloud computing platforms I researched and chose, and the key things to consider when attempting to do anything at scale. Finally I will review the results of a project that started with over 30,000 hosts and ultimately ended with a fully automated assessment of almost 3000 sites in less than 2 weeks' time.

Money$ec Evolved ~ Jared Pfost and Brian Keefer

Statistics are trendy, real metrics measure outcomes. Inspired by Money Ball (pre-movie) last year we proposed a list of 14 metrics we believe have the greatest correlation to reducing incidents. We've refined our thoughts, candidate metrics, and have some experience to share. Metrics programs struggle for attention in today’s reactive world so we need your support, more measurement, and contribution: pre & post-prod app vulns, role verification, device vuln age, change regressions, social eng. incidents, and more. Help us to inspire and call out the IT industry to stop whining and start measuring what matters.

40 Hours and a Tool ~ Hart Rossman

Do you ever get the feeling that the "talk" or "research" presentation you're listening to at a conference is essentially the result of 40 hours of work with some security tool? Where are the security scientists toiling away for years outside the limelight?  Where are the stories of repeated spectacular failures that lead to unparalleled successes that have changed the industry forever?

Are you curious about the national cyber security research agenda and its capacity to unveil a new era of scientific innovation?  What are the open "hard problems" in cyber security?  How can governments, corporations, and individuals help bridge the gap between cyber security applications and cyber security scientific exploration? Come to this talk if you're interested in bringing the science back to security.

SCADA Security: Why is it so hard? ~ Amol Sarwate

SCADA security and advanced persistent threats have now taken center stage. While the industry has had some success in dealing with IT security, when it comes to industrial control systems or SCADA systems, we still have enormous challenges. This session will discuss why implementing SCADA security is so difficult, and discuss strategies to meet these challenges. I will discuss my experience working with large organizations with control system installations, and present how SCADA security can be deciphered. The session will include:

- A very brief technical introduction to SCADA and industrial control systems
- SCADA systems under the hood, including SCADA protocols like MODBUS and DNP3 at the packet level
- Attacks on RTU, PLC, HMI, FEP, SCADA slaves and master stations
- Real world examples of successful and not-so-successful implementations of securing control systems and SCADA systems.
- How to use security tools, technical solutions and a change in mindset to address SCADA security
- Pointers on using the free open-source SCADA scanning tool

This presentation will help organizations trying to implement security measures for their control systems and SCADA systems. It identifies hurdles that organizations face and will help avoid them, by learning from mistakes made by others. It will help attendees try out some tools and techniques when they get back from the conference. It will also help security vendors as well as vendors of SCADA systems to align their solutions to achieve a common goal. For attendees who are not familiar with in-depth SCADA security, the presentation will be an excellent introduction and fast forward to effective SCADA security implementation.

Get Secure or Die Tryin' ~ Dave Shackleford

Ah, the life of a security consultant. You get paid well, tell people about their problems and how to fix them, and still see the same stupid human tricks over and over again. In this presentation, I'll talk about a few lessons learned in consulting. Oftentimes, what we say or recommend is interpreted inaccurately, partially, or completely ignored by business units and sometimes even security or IT teams. This presentation will describe some interesting cases where recommendations were given, and hilarity ensued.

Yet Another Type of Application Layer Denial of Service Attack that Should Be Taken Care of ~ Sergey Shekyan

While developers and administrators are paying attention to handling slow HTTP requests without issues, another aspect is being overlooked – making sure clients of HTTP servers are accepting server data fast enough.

This workshop will present a tool that, along with other attacks, performs a Slow Read Application Layer DoS attack that keeps the HTTP server busy by requesting relatively large resources and accepting them abnormally slowly by exploiting the TCP Persist Timer (MS09-048, CVE-2008-4609, CVE-2009-1925, CVE-2009-1926). Although the possibility of prolonging the TCP connection forever was first mentioned three years ago, most web servers are still not able to handle this issue. My approach, unlike others, doesn’t require any TCP packet crafting, and the tool I developed controls TCP bandwidth by manipulating socket options through the socket API.

The attack is easy to execute because a single machine is able to establish thousands of connections to a server and generate thousands of legitimate HTTP requests in a very short period of time using minimal bandwidth. Due to implementation differences among various HTTP servers, different attack vectors exist, which will be discussed in this talk, along with a demonstration and the best approaches to detect vulnerability to these attacks. Detection and mitigation techniques will also be discussed.

My past research on slowloris and slow POST DoS attacks is available at . New research related to the Slow Read DoS attack will also be published soon (January 3rd, on the Qualys community website). The new version of slowhttptest implements the Slow Read DoS attack, and could be used as a pentesting tool, rather than a proof of concept, to simulate this and some other Application Layer Denial of Service attacks.

The tool is open-source and available at , along with documentation and usage examples. A demo is available at .

Playing to Win - Designing Protection Based on Mafia Rules ~ Matt Stern and Derek Gabbard

Conventional wisdom dictates it should be possible to have virtual security in cyberspace. However, with its competing authorities, responsibilities, and domains, it is untenable to fully secure cyberspace. Even if it were technically possible, would we have what it takes to secure the Internet? The level of commitment required, the appetite for risk and the willingness to “do what it takes” to get the job done is not present within the cyber security community of interest.

So what would it take to effectively secure the Internet, or at least the portion of the network relevant to you? Thinking outside of the norm, what would happen if the Corleone or Soprano Family governed the Internet? Could the fictional scenario of made-for-movie mafia families do what can’t be done with current technology and policy?

If we look at the Internet as a turf war, with different elements maneuvering for position within cyberspace over infractions involving losses of revenue that would have begun large-scale wars on the streets of Chicago, what would a cunning, ruthless, yet family-oriented approach involve?

- Commitment versus involvement – a willingness to “go to the mattresses” or hole up until the battle is won. Hackers eat, sleep, and live their work. They are motivated to get the job done no matter the cost.
- Laws are what the suckers follow – not constrained by policy that doesn’t forward the family goals. Laws punish the innocent in cyberspace. At what point do you take off the gloves and change the rules in your favor? Leverage partners to do what we can’t do alone.
- Break the family rules and there are consequences – self-policing; must abide by a code of conduct.
- Mess with the family or those it protects and there is retaliation – not defensive-minded, retaliation without remorse. Maintaining a sense of order. If attacked, attack back. There are no innocent victims.
- They do not talk about the family outside the family – strong operational security.
- Have the best technology money can buy – look at the tommy gun and the Ford Model 18 getaway car, or the sophistication of counterfeiting. Invoke the best technology money can buy.

We will explore how the Mafia family dynamic can be applied to securing each segment of their cyber ecosystem. Their methods, while brutal and sometimes unprovoked, are effective. If you are going to play, play to win!

No Guts, No Glory - Securing Your Network Military Style ~ Matt Summers

Security is adversarial by nature. Throughout history there have been military leaders that were all highly trained; however, some failed where others succeeded. From Custer to Patton, one strategic decision can stand between legendary greatness and epic defeat.

Everything from technology to training: if you don’t have a strategy, then you could be setting yourself up for your last stand. During this presentation we will look at military tactics and how they can be applied to information security and help you build a stronger organisation. You are either the attacker or the defender. Do you want to become Custer or Patton?

I can read your mind ~ Will Tarkington

An overview of the common techniques used by con men, psychics, spiritualists, and salesmen. The talk will cover a wide range of cold and warm reading, subtle expressions, Barnum statements, selective memory, and body language.

Participants will learn:
1) How cold reading works
2) Why it works
3) What warm reading is and when it is used
4) How to interpret body language in context
5) How to use "hooks", i.e. Tarot cards
6) How to spot verbal techniques involved in these practices
7) To leave the talk and start using these techniques

Lastly, they should be fully armed to walk into the world and pretend they too are psychic!

Automating Security for the Cloud: Why we all need to care? ~ Rand Wacker

Alternative title: “How I learned to stop worrying and get DevOps to love security”

Take a look around; you might be surprised who is running servers in the cloud, and you might be even more surprised about what they are running. Unfortunately, these people rarely if ever thought to tell the security teams, and that means big problems for us all. Securing servers in the cloud is different, very different, from a traditional data center; but all the same risks are there.

Let's start by understanding who is using the cloud, why it is so different, and what works and doesn't work from our typical security toolbox. Then let's try to solve some of those problems and come up with some best practices to help us and those we work with do what they need to do…securely.

2012: The End of Security Stupidity ~ Amit Yoran, Kevin Mandia, Ron Gula and Roland Cloutier

Although the Mayans predicted the world would end at the end of 2012, I am predicting that 2012 will mark the end of stupidity in the world of information security. How much longer can we put up with: meaningless certifications, inadequate technical training, vendor point solutions that do not stop criminals and nation-state attackers, and hordes of industry know-it-alls that comment on everyone else's woes while secretly freaking out because they themselves are probably owned as well. All will change in 2012.

This presentation explores two main areas: 1) what's wrong with security today from the perspective of a seasoned technical security executive who has worked across government, start-ups and the private sector, and 2) some fresh thinking on how we can all move past the recent apocalypse of hacktivists, nation-sponsored groups, and deficiencies, including gaps in training, collaboration, technology, and security operations.

Across the Desk: Different Perspectives on InfoSec Hiring and Interviewing ~ Lenny Zeltser & Lee Kushner

Landing the perfect security job and finding the right candidate takes more than merely matching the person’s skills to the job requirements. The hiring manager and the candidate explore each other’s traits and persuade each other of the right fit during email, phone and in-person interactions. Succeeding at these discussions and getting the upper hand requires understanding your negotiation objectives and the other party’s tactics.

This session investigates the perspectives of both sides of the hiring process: the candidate and the employer. The two speakers, experienced in recruiting, hiring and job-searching, will alternate between the viewpoints to clarify how each side views topics such as the resume’s role, the job’s appeal, career advancement, interview communications and compensation. Providing insight into the hiring process, they’ll dispel some of the myths of how it really works. Attendees will come away as more effective interviewers and interviewees as they pursue building their teams and attaining career goals.

The session starts by clarifying why the dynamics of the job search and the hiring process are often misunderstood, which leads to bad decisions. It then explores several key topics related to the job search and to filling an open position in the information security industry:

1. Presentation: How to describe the candidate and the job?
2. Expertise: What skills to possess and to demand
3. Negotiations: How to get what you need or want

The presenters will demonstrate how the same event or issue can be seen from two points of view, which often leads to sub-optimal negotiations or bad job decisions.

The discussion concludes by explaining that, like in dating, finding the right match between candidate and employer is hard: there are many variables to consider and track. Understanding the other party's perspective is key to a successful outcome.
