• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • Want to get organized in 2022? Let Dokkio put your cloud files (Drive, Dropbox, and Slack and Gmail attachments) and documents (Google Docs, Sheets, and Notion) in order. Try Dokkio (from the makers of PBworks) for free. Available on the web, Mac, and Windows.



Call For Presenters (CFP)


Please list your presentation for BSidesLasVegas01 below (and an external link to outside material if appropriate.)  Once we have a list of presentations we will vote and decide on the finalists by popular demand.  The CFP will be open until July 1, 2009. 


Do you want to be a speaker?  Have your friends send their vote on Twitter to @SecurityBSides.  The most votes gets added to the list.




Please update with your: name, contact information (email, twitter, website), presentation title, and short description.  Please leave use the example text as a template.  Simply copy and paste it into a new entry, then edit it to fit your talk.



  • Name: Martin McKeay, http://www.mckeay.net
  • Title: Don't expect someone else to secure your systems for you
  • Abstract:  Why do we expect frameworks and government mandates to secure our systems for us?


  • Name: Jonathan Cran, http://www.rapid7.com / http://www.0x0e.org
  • Title: Organizing Ninjas: A How To for Better Team Pentesting
  • Abstract: Penetration testing may be a loaded term, but what remains consistent is the need to gather large sets of data and analyze them. Regardless of whether you've worked on a globally distributed red team or you're pentesting your own company, it's easy to understand the need for good process tools for  penetration testing. This talk will demonstrate tactics, techniques and tools (some old, some new) that can be utilized in pentesting, collaborative or not. These will allow you to focus on the techical aspects of security testing, and give you "free" updates, reports and collaboration. Explanations and examples of real-world usage will be given, and you'll walk away with a set of tools that will allow you to participate in a world-class red team.


  • Name: David Maynor, http://www.erratasec.com
  • Title: Doing assessments with Metasploit
  • Abstract: Metasploit has made life easy for penetration testers the world over but what most people don’t know is how useful it is for application assessments. If you think of Metasploit as a large collection of APIs waiting to be put to work then Metasploit becomes a powerful tool for reverse engineering, blackbox and fuzzer development, and creation of the PoC. This talk wil highlight real examples of how Metasploit doesn’t just help you to exploit vulnerabilities, it helps to find them. Examples of Metasploit in action will include creating a web proxy that can do rewriting of content on the fly, testing a DCE/RPC service, and reverse engineering a new file format. All of these examples will be done using nothing more than Metasploit and a basic knowledge of Ruby.


  • Name: David Rook, http://www.securityninja.co.uk
  • Title: The Principles of Secure Development
  • Abstract: The common approach towards secure development education is to discuss a small set of common vulnerabilities instead of telling developers how to develop securely. We don't teach people to drive by giving learner drivers a list of the common ways to crash so why do we do this with developers? This presentation will discuss a small set of secure development principles that developers can follow without having to know the intricate details of any web application vulnerability. "Teach a developer about a vulnerability and he will prevent it, teach him how to develop securely and he will prevent many vulnerabilities".


  • Name: Marisa Fagan ([email protected], Twitter: @errata); Elizabeth Wharton ([email protected], Twitter: @LawyerLiz)
  • Title: "The EX Factor: Exploring Proximity-based Identity Theft"
  • Abstract: Everyone has a few skeletons in their closet: old relationships, former co-workers/employees, business rivals, and nosy neighbors they would like to forget. While breaking up is hard to do, what happens when one of these skeletons has a bone to pick with you or your company? Because of their proximity, certain people have unique access to personal information that can be used to compromise your online identity. As business continues to expand into the social media arena, and vice-versa, the potential reputation and monetary damage to your online identity becomes magnified.  Current ID Theft attack tree models fail to acknowledge this threat and legal protections are slow to respond. This talk will address current vulnerability and legal trends as well as give you the power through tips, tricks, and techniques to put the skeletons back in the closet.


  • Name: JJ (Jennifer Jabbusch), http://SecurityUncorked.com, @jjx

    TitleCatching the Unicorn: A Technical Exploration of Why NAC is Failing

    Abstract: There are a variety of reasons NAC has failed in its quest to make it as a mainstream technology, but none of them are marketing-related. This session is an exploration of the technical intricacies of current network access control technologies, why they're failing and how vendors, market and consumers (yes, even consumers) can make it successful in the next 18 months.


  • Name: Ryan Linn, @sussurro

    Title: Cain BeEF Hash: Snagging Passwords without Popping Boxes

    Abstract: Chaining exploits and abusing trust are two heavily discussed topics in security today. If you ever deal with Windows domains come see what tools and techniques can be used to quietly liberate hashes even if the workstations are patched.  This presentation will go in depth into what tools can facilitate turning acquired credentials into usable passwords quickly.  Once the demonstrations are finished, there will be explanations of techniques and policies that can be used to mitigate and reduce the impact of these types of attacks.


  • Name: Sam Bowne @sambowne http://samsclass.info

    Title: Foolish Password Storage in Microsoft and Cisco Products

    Abstract: Windows stores passwords as unsalted NT Hashes, which is vulnerable to an offline dictionary attack. I will briefly demonstrate how salting hashes protects passwords. Linux systems have been salting password hashes since c. 1975, but Microsoft hasn't gotten the memo yet. Cisco's VPN client profile settings files use an even weaker form of password obfuscation that can be easily reversed. Both problems will be demonstrated, and countermeasures will be discussed.


  • Name: Luis Corrons @luis_corronshttp://pandalabs.pandasecurity.com/
  • Title: Study: An Inside Look at the Ever Evolving Rogue Antivirus Economy 
  • Abstract: Back in October 2008 PandaLabs published findings from a comprehensive study on the rogueware economy which concluded that the cybercriminals behind fake antivirus software applications were generating upwards of $15 million per month. This session will showcase findings from a new PandaLabs report that examines the evolution of the rogue antivirus economy and the increasingly sophisticated social engineering techniques deployed by cybercriminals to generate even greater returns, including the rise of Twitter trending malware and Blackhat SEO campaigns. Participants will also gain visibility into the current economics of rogueware, with previously unpublished findings that reveal hard dollar figures, corrupt affiliate systems, and free hosting services. Finally, the session will share PandaLabs’ recent findings and analysis on the different social network distribution methods (e.g. Digg, Facebook, MySpace, Twitter, etc.) and uncover the unique vulnerabilities of each platform.


  • Name: Damon Cortesi @dacorthttp://alchemysecurity.com/
  • Title: Social Networking, the Age Before Firewalls and the Pitfalls of Rapid Application Development
  • Abstract: Discussion of the inherent lack of security on social networks such as Twitter, and the challenges of organizations in the web 2.0 space to build and maintain a secure web application. Damon will take a look at a few startups from the past year and examine the different types of failure they have experienced from a security perspective. The inherent risks of communication via social networks will also be discussed. Whether it's malware propagation or a lack of fine-grained access controls, your data is at risk no matter how hard you may try to protect it.


  • Name: Alex Hutton (@alexhutton) & David Mortman (@mortman):  http://www.newschoolsecurity.com
  • Title: Can Risk Management be Science?  Challenging the Epistemological Anarchist to Escape our Dark Age
  • Abstract: We're really freaking tired of people who insist that information security & risk management remain a cargo cult.  So this discussion will center on what we need to do to escape ignorance:  that which we need to understand, how we should go about attempting to understand it, and how we can share our knowledge to ultimately do a better job. 


  • Name: frank^2 (@franksquared)
  • Title: Binary Obfuscation from the Top-Down: Obfuscating Executables without Writing Assembly
  • Abstract: Isn't it completely cool and hair-pullingly frustrating when you come across a binary with reality-bending obfuscation that sends your EIP to the moon? You may not be able to pull off all the coolest of cool binary tricks writing the code from the top-level, but there's quite a bit you can do! If you know how your compiler translates your code, you can leverage it against whomever tries reversing it, making your compiler do your obfuscation for you-- sometimes even giving you full control over manipulation of the underlying assembly. The only pre-requisite for this talk is knowledge of C and C++ programming.


  • Name: Vikram Phatak (@vikphatak) & Rick Moy  http://www.nsslabs.com
  • Title: Web Reputation Systems: A practical measurement of cloud-based security
  • Abstract: After being on the defensive for what feels like forever, security professionals finally have a tool to fight back.  While still in their infancy, Web Reputation Systems hold enormous promise.  What are they?  How do they work?  Do they really work?  Where are they heading?  -- NSS Labs has researched and developed new testing methods to empirically validate several different approaches to web reputation: from Google (SafeBrowsing) and Microsoft (SmartScreen) to McAfee (SiteAdvisor), Trend Micro (Web Reputation) and others.  Come here us talk about the results from those tests and discuss the future of reputation-based technologies.










Comments (0)

You don't have permission to comment on this page.