Speaking at LayerOne 2009

| Speaker | Topic |
|---|---|
| David Bryan | Hacking with GnuRadio |
| Don Ankney | Is XSS Solveable? |
| Jim O’Gorman | Policy – The Biscuit Game of Infosec |
| Datagram | Lockpicking Forensics |
| Kevin Nassery | Diplomatic Security Consulting |
| Erik Berls | Deploying DNSSEC |
| Joe McCray | Advanced SQL Injection |
| Strom Carlson | Why your mother will never care about Linux |
| Deviant Ollam | Packing and the Friendly Skies |
| CP, Adam, Frank^2, Vyrus | TwatFS: Surly abuse of social networking bandwidth |
| Ryan S. Upton, CISSP | Incident Response 101 |
| Doug Cohen | Computation and Modeling |



Speaker: David M. N. Bryan – CISSP – (AKA: VideoMan)
Presentation name: Hacking with GnuRadio

Overview: In this presentation I will focus on the requirements for GnuRadio, cost, code, and radio technology basics and a short GnuRadio primer. I will also present some of the attacks that others have completed using the GnuRadio. I will present some of my own research from a successful hack of a proprietary Multiple Address System (MAS) SCADA network, and a quick demo of the GnuRadio in action.

Speaker Bio: David (aka VideoMan) has 9+ years of experience doing computer security. He started by working at several ISPs, and then transitioned into working for large enterprise financial institutions to secure their networks. As a computer security consultant, he enjoys working for NetSPI’s clients to help them reduce their risks. In his spare time he and his wife run the local DefCon Group (DC612), and help to run the network at DefCon. He also likes to brew beer, and bike the many miles of pathways in Minnesota.



Speaker: Don Ankney
Presentation Name: Is XSS Solveable?

Overview: The presentation will begin by defining the scope of the problem – exactly what cross site scripting is, the risks that it poses, and how attackers use it to attack your customers.

From there, we will spend some time defining what successful XSS mitigation code would look like, including both input validation and output encoding.

Finally, we will look at what it takes institutionally to implement a solid mitigation across your enterprise throughout the development lifecycle with an emphasis on how static code analysis tools can help verify that your code conforms to the XSS design requirements.

Speaker Bio: Don Ankney is a Security Advisor in Online Services Security and Compliance at Microsoft. Previously, he was an Analyst at the University of Washington where he was a coordinator of the web application security working group and has worked in the security access management group at Cingular Wireless.



Speaker: Jim O’Gorman
Presentation name: Policy – The Biscuit Game of Infosec

Overview: We love to say that policy is the foundation of our information security programs, and go on and on about how important it is. But when it comes time to create policy, all the good intentions go out the window and the game of CYA and liability transfer starts up. The output from the policy creation process has less to do with improving security for the organization and more with politics. Risk acceptance has become something no one will admit to, yet we all do. We will break down what is wrong with current policies and how to correct it. If you are ready to stop playing the biscuit game of Infosec and want to make real improvements, this is the talk for you.

Speaker Bio: Jim O’Gorman is a lifelong computer geek starting with getting away with tech murder in high school. His over eleven years in the field started at a mom and pop ISP up to working at Netscape doing large scale mail, LDAP and PKI deployments. For years now, Jim has specialized in system security and has been active in the community for quite a while. Jim can be found at Elwood.net and blogs at binint.com.



Speaker: Datagram
Presentation Name: Lockpicking Forensics

Overview: Lockpicking is portrayed as the ultimate entry method. Undetectable and instantaneous as far as films are concerned. Nothing is further from the truth, but freely available information on the topic is nearly impossible to find. This talk will focus on the small but powerful fragments of evidence left by various forms of bypass, lockpicking, and impressioning. Attendees will learn how to distinguish tool marks from normal wear and tear, identify the specific techniques and tools used, and understand the process of forensic locksmithing in detail.

Speaker Bio: Datagram is a prime example of what the combination of cinnamon rolls, pizza, assembly, lock picking, and tapeworms do to a person. When not eating, lock picking, or programming, he is generally asleep, or otherwise unconscious. Despite constant hate mail and threatening voice mails, he continues to speak at conferences, yell at small children, and write bad biographies.



Speaker: Kevin Nassery
Presentation Name: Diplomatic Security Consulting

Overview: Security consulting offers unparalleled opportunities for professional learning. In fact, each new engagement offers a new systems infrastructure, new security challenges, and a unique opportunity to make significant, long-term contributions through leading, progressive, short-term projects. Interestingly, some brilliant security minds today lack the ability to navigate and adapt to the non-technical challenges in a given environment. This talk will provide real-world accounts of difficult customer engagements and build on some of the successes and failures charted during my own career.

Sample topics:

  • Why “you’re dumb” will not get you very far.
  • Simply being correct does not establish credibility among those who cannot understand you.
  • Establishing influence quickly within an organization.
  • Understanding why and how you were engaged.
  • Understanding the evolution (or devolution) of security issues.
  • Maintaining a perspective for the tools and skills present within an organization.
  • Maintaining a focus on active engagement.

Speaker Bio: Kevin A. Nassery is a hands-on technical architect, who has been an active Unix systems, network, and security engineer and consultant for more than a decade. After serving for more than four years as principal infrastructure architect for a major online presence, he recently returned to his passion of security consulting. At present, he is an RHCE, CISSP, and a graduate student at DePaul University, where he studies Computer, Information, and Network security. He is currently a senior security consultant with Consciere LLC.



Speaker: Erik Berls
Presentation Name: Deploying DNSSEC

Overview: DNSSEC has been around for over 10 years (RFC 2535, March 1999) and setting it up still presents challenges. DNS is one of the last few widely unsecured core Internet protocols. DNSSEC presents a chicken-and-egg problem for adoption, like many new changes before it. The investment in increasing the number of DNSSEC enabled domains must come before we can start actively verifying look-ups.

This is a blitz approach to setting up DNSSEC. We’ll skip past any long, boring documentation, and jump into what you’d need to get this up over your lunch break. This nuts and bolts presentation focuses on getting your server up, running, and configured in short order. However, attention will be paid to running and maintaining this server in a production environment. Architecture recommendations and guidelines will be discussed.

Speaker Bio: Erik currently resides on the outskirts of the greater San Francisco Bay Area, biding his time as a Gentleman Adventurer. He bounces between endeavors such as spontaneous travel, network security, running, software design, and cooking. He has run the gamut from 3 person start-ups to 10s of thousand person multinationals, doing computer and network security for financial sector, big oil, and telecom.



Speaker: Joe McCray
Presentation Name: Advanced SQL Injection

Overview: SQL Injection is a vulnerability that is often missed by web application security scanners, and it’s a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited.

Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.

The key areas are:

  • IDS Evasion
  • Privilege Escalation
  • Re-Enabling stored procedures
  • Obtaining an interactive command-shell
  • Data Exfiltration via DNS

Speaker Bio: Joe McCray has 8 years of experience in the security industry with a diverse background that includes network and web application penetration testing, forensics, training, and regulatory compliance. Joe is a frequent presenter at security conferences, and has taught the CISSP, CEH, CHFI, Security+, and Web Application Security at Johns Hopkins University (JHU), University of Maryland Baltimore College (UMBC), and several other technical training centers across the country.



Speaker: Strom Carlson
Presentation Name: Why your mother will never care about Linux

Overview: Hackers are people, not machines. Unlike machines, hackers are susceptible to the insecurity and fear that regular people experience as well. The social manifestations of these problems are familiar cliches: groupthink, fanboyism, hatred for anything popular, and a desire to be seen as unique and offbeat — and it is these very things which are stunting the growth of the hacker community, making us no better than a bunch of cliquey high school students. This talk will humorously explore the problem, analyzing why we love some tech toys and hate others, pointing out where we go wrong, and offering some simple solutions to this epidemic.

Speaker Bio: Strom Carlson is an experienced technical trainer and telecommunications specialist.



Speaker: Deviant Ollam
Presentation Name: Packing and the Friendly Skies

Overview: Many of us attend cons and other events which involve the transportation of computers, photography equipment, or other expensive tech in our bags. If our destination is far-flung, often air travel is involved… this almost always means being separated from our luggage for extended periods of time and entrusting its care to a litany of individuals with questionable ethics and training.

After a particularly horrible episode of baggage pilferage and tool theft, I made the decision to never again fly with an unlocked bag. However, all “TSA compliant” locks tend to be rather awful and provide little to no real security. It was for this reason that I now choose to fly with firearms at all times. Federal law allows me (in fact, it REQUIRES me) to lock my luggage with proper padlocks and does not permit any airport staffer to open my bags once they have left my possession.

In this talk, I will summarize the relevant laws and policies concerning travel with firearms. It’s easier than you think, often adds little to no extra time to your schedule (indeed, it can EXPEDITE the check-in process sometimes), and is in my opinion the best way to prevent tampering and theft of bags during air travel.

Speaker Bio: While paying the bills as a network engineer and security consultant, Deviant Ollam’s first and strongest love has always been teaching. A graduate of the New Jersey Institute of Technology’s “Science, Technology, & Society” program, he is always fascinated by the interplay that connects human values and social trends to developments in the technical world. A member of the Board of Directors of the US division of TOOOL (The Open Organization of Lockpickers) Deviant runs the Lockpicking Village at DEFCON and ShmooCon. A fanatical supporter of First Amendment rights who believes that the best way to increase security is to publicly disclose vulnerabilities, Deviant has conducted lockpick training sessions at Black Hat, ToorCon, HOPE, HackCon, ShakaCon, HackInTheBox, SecTor, CanSecWest, and has even had the honor of lecturing the cadets at the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.



Speaker: CP, Adam, Frank^2, Vyrus
Presentation Name: TwatFS: Surly abuse of social networking bandwidth

Overview: Imagine a pseudo file system for small files where everyone in the world has read access from their computers and mobile devices. Utilizing character smuggling, we can increase the amount of data, as well as type of data, that can be sent to and stored on Twitter. TwatFS, pointless exercise in Rube Goldberg programming? Or the beginnings of a global, social, pseudo file system? Only time, and this talk, will tell. We will be covering the details of this full featured Proof Of Concept application, as well as theoretical alternate uses. Audience participation, Demo (sorry strom), and Source code release.

Speaker Bios: CP is a hacker first, security professional second. He maintains the notion that Firefox is a dangerously underused platform; to this end he has developed several extensions for use in security auditing. An active member of DC949, CP spends much of his time developing for oCTF, and more recently the first (annual) Barcode-Shmarcode contest at Shmoocon. He strives to enrich the hacker community, which has so enriched his own life.

Adam was a co-author of Skynet, an autonomous wifi auditing program, and is currently working on challenges for the fifth annual Defcon Open Capture The Flag contest. The majority of his waking hours are spent writing code and exploring the digital landscape. Recently he’s started working with designing hardware devices which has yielded new perspectives on solving problems.

frank^2 is a malware hobbyist and a computer scientist. Like most geeks, since a young age he’s always had a keen interest in computers, focusing on software and the curiosities of malware. This curiosity eventually led him down the path of low-level software development, vulnerability research and reverse engineering. Now, more often than not, he can be found hunched over his laptop either taking apart a virus or hacking away at a complex programming problem – and completely losing track of time while doing so.

Vyrus is a 24 year old application security engineer who has been involved with the hacker community since childhood. From a 10 year old sneaking into the back rooms of printing houses and service bureaus chatting up a storm on BBS lines, to a bored kid in his mid 20’s hacking on malware, Vyrus has never lost his passion for hacking itself, or the hackers he hacks with. Besides being an avid anime fan and jazz pianist for 21 years, he continues to stay involved with DC949 as well as other hacker related communities and projects.



Speaker: Ryan S. Upton, CISSP
Presentation Name: Incident Response 101 – “What, you didn’t prepare already?”

Overview: Incident Response basics. I recently made the mistake of producing the IR plan for our infosec group. Now I’m managing semi-yearly IR scenarios with the fundamentals of that IR plan as the corporate standard. Be careful what you do well. A general topic with personal experience included. Covers the general aspects of an IR plan, but excludes specialist knowledge such as malware RE, Forensics, etc. As the title suggests, the theme is preparation.

Speaker Bio: Ryan Upton is a security analyst for a large multinational financial services company. His experience includes consulting for Fortune 1000 companies providing Information Security review, analysis and testing. He currently establishes and contributes to governance and operational security responsibilities, including by having created the foundation and formation of the corporate Incident Response program.



Speaker: Doug Cohen
Presentation Name: Computation and Modeling

Overview: Computational models are used to understand and predict behavior of many kinds of systems. They come in two flavors, theoretical and statistical, both of which have proven useful in modern day applications. Theoretical models often are preferable to statistical models because they utilize an underlying intuition that can be used in the particular. I have had experience building both kinds of models for systems biology, computational finance and internet marketing applications. In order to create these kinds of models, extensive data mining systems need to be implemented, for both model creation and validation. Each particular application has its own processes for creation and implementation, but understanding broadly how to create and implement models is becoming invaluable in many sectors.

Speaker Bio: Douglas Cohen previously worked as an analyst for a quantitative hedge fund where he built computational models for credit derivatives, fixed income securities and risk management. Currently, he works as an analyst building models to predict consumer behavior in social media applications and games. He attended the University of California, San Diego where he majored in Bioengineering: Biotechnology and Management Science and graduated Cum Laude with honors from the Economics department. While attending he worked at the Jacobs Retinal Center producing imaging software for the neural engineering laboratory, and creating innovative models applied to both bioengineering and econometrics.