Registration/Networking – Coffee and Muffins Served
Opening Remarks/Door Prize Give Away
Name: Robert Masse
Talk: How We Broke into an International Bank to Steal Money
Name: Alex Argeris
Talk: Are You Sinkholing Me?
Name: Zack Mullaly
Talk: Joining Hands and Singing Merrily; Security and Development in Beautiful Harmony
Name: Dean Parsons
Talk: ICS/SCADA Breakfast Sandwich, with a Side of Weapons
Lunch/Networking/Prize Giveaways
Name: Glen Stacey
Talk: “Wireless Security” – Myths and Realities (Wireless is more secure than Wired Networks)
Name: Ed Dubrovsky
Talk: Building a Bulletproof Vulnerability Management Program
Name: Sandra Escandor-O’Keefe
Talk: Let’s Encrypt – A ‘fun’damental Overview
Name: Matthew Middleton
Talk: BRAINS! Why We Need More Humans in Testing
Name: Nabeel Hasan
Talk: The Botnet of Things: How Hackers are Already Using Nanny Cams and Home Routers as Weapons
Name: Travis Barlow
Talk: Lessons from the Huntsman – Successes and Failures in building a Modern Hunt Team
Grand Prize Giveaway and Networking
Capture the Flag (CTF)/Networking/Prizes
Name: Dean Parsons
Title: ICS/SCADA Breakfast Sandwich, with a Side of Weapons
Abstract:
The world relies on ICS (Industrial Control System)/SCADA systems such as the electrical power grid for seemingly mundane daily tasks, like preparing your morning breakfast sandwich. Today’s ICS attacks are well-funded and orchestrated campaigns of destruction using cyberweapons. ICS installations have certainly improved their security posture over the last decade, but there’s always room for improvement in ensuring reliability when turning on your electric stovetop to make breakfast! Like sweet lingering tones of citrus and dark chocolate in your favorite Scotch, the presentation also has an undertone of how today’s media can assist security awareness programs, while the Stuxnet, Havex and BlackEnergy3 malware elbow their way in for an appearance.
Name: Ed Dubrovsky
Title: Building a Bulletproof Vulnerability Management Program
Abstract:
A dose of reality: the bad guys are getting better at being bad (or should we say really good bad guys?), and there are great reasons for that. Technology is getting faster, easier to manage, easier to deploy, and paybacks can be enormous. Cloud services enable unlimited scalability with relative anonymity and are limited only by the depth of the adversary’s purse. Automation of attacks is a reality organizations must face, as is the reality that to meet and address these challenges, the good guys must have access to resources that can out-pace, out-smart, out-scale and frustrate these adversaries. But how do we tackle such challenges? Obviously, there is no easy answer, but one thing is certain: we must ensure the basics are covered, automated and operate flawlessly. However, it is not only an issue of technology, but of process and the weakest link: people.
Name: Glen Stacey
Title: Wireless Security – Myths and Realities (Wireless is more secure than wired networks)
Abstract:
Wireless LANs have exploded in popularity over the past several years. Once confined to specialized applications and consumer equipment, 802.11 wireless LANs are now increasingly making their way into the enterprise space. But with much more at stake, how can network managers ensure that wireless doesn’t weaken security? Many recommended security techniques for residential wireless LANs are inappropriate or ineffective for enterprise deployments. This presentation explores what works and what doesn’t.
Name: Matthew Middleton
Title: BRAINS! Why We Need More Humans in Testing
Abstract:
It seems like a lot of people are talking about the need to automate software testing, and how it’s going to magically solve all our problems. Yet, we keep seeing security breaches which can be traced back to software bugs – anyone remember Heartbleed?
I have a novel proposal, which may help reduce these kinds of problems – brains! We need to have people who are thinking about the problems of quality software at both the micro and macro levels, considering the context of the project as a whole. This should help us reduce the number of defects that escape into the wild, and thus help us improve the overall security of our applications.
Name: Nabeel Hasan
Title: The Botnet of Things: How Hackers are Already Using Nanny Cams and Home Routers as Weapons
Abstract:
In May of 2015, over 60 Incapsula customers were attacked by a Botnet made up of over 10,000 home routers. Later in the year, we noticed 900 Internet-connected CCTV cameras flooding one of our customers with bogus traffic. These are just two cautionary tales of what can happen when the IoT is compromised for malicious purposes – what we call the Botnet of Things.
Our security research team has noticed a steady uptick in devices used in attacks on websites and web applications. Poorly secured and infrequently updated devices – from home routers to nanny cams to networked storage – are the perfect target for hackers. Then, rounded up by the hundreds, thousands, or tens of thousands, compromised devices make up a giant recruiting target for bot herders looking to grow the size of their botnets. The Botnet of Things is a growing problem.
Botnets are used for comment spam, site scraping, vulnerability probing, denial-of-service attacks, and worse. At Incapsula, we see these attacks on a weekly basis. This talk will cover:
• How hackers discover and compromise Internet connected devices
• Case studies of IoT botnet attacks
• How to identify IoT botnets and protect yourself against them
We plan to incorporate new research findings from the Incapsula security research team on the state of the Botnet of Things into our session, including: device trends, recent exploits and vulnerabilities.
Name: Robert Masse
Title: How We Broke into an International Bank to Steal Money
Abstract:
During the talk, Rob will take participants through the true story of a Red Team engagement infiltrating an international bank over a three-month period with the purpose of exposing security vulnerabilities (and stealing money). Rob will highlight the Red Team methodologies used, which put a twist on the traditional approach to red team infiltrations. Throughout the talk Rob will also touch on other Red Team war stories and lessons learned, by both the Red Team and the clients involved.
Name: Sandra Escandor-O’Keefe
Title: Let’s Encrypt – A ‘fun’damental Overview
Abstract:
Let’s Encrypt is a system for automating the process of obtaining a browser-trusted certificate for web servers that want to serve content over the HTTPS protocol. The talk will describe the motivation behind browser-trusted certificates, describe the fundamental concepts behind browser-trusted certificates (public/private keys, signing, nonces, etc.), and will also talk about how Let’s Encrypt works.
Name: Travis Barlow
Title: Lessons from the Huntsman – Successes and Failures in building a Modern Hunt Team
Abstract:
During his presentation Mr. Barlow will discuss the requirements of building a world-class hunt team, what has worked and what has failed, and discuss the future of hunting unknown threats. Additional topics covered will be the pros and cons of machine-learning-assisted threat detection, the benefits and risks of affordable quantum computing, and of course the current InfoSec industry.
Name: Zack Mullaly
Title: Joining Hands and Singing Merrily; Security and Development in Beautiful Harmony
Abstract:
Let’s talk about security – but not just security; Security Engineering! We all want to see more software in the wild developed with security in mind from the get-go. We want to see security experts and developers working together to build robust systems on time. The relationship between the two teams doesn’t have to be a struggle! At Stratum Security, the development team behind our new XFIL product has hit a sweet spot that brings modern tech together with a security-focused design process that has brought rigour to our development cycle. In this talk we’ll take a detailed look at our approaches, including everything from the choices of programming languages we use to our architecture and protocol design process, to solving the broad set of security challenges we’ve faced. Our journey has taken us through a tonne of fascinating problems and resulted in a robust process that has repeatedly helped us to produce secure and reliable software that we hope can be emulated by other teams.