BSidesDFWTalks
BSidesDFW will be held in a semi-unconference fashion with 2 tracks. Track 1 will hold the more traditional talks (with slides/projector), while Track 2 will be done more Barcamp style (lightning talks), wherein talks can either be submitted ahead of time or volunteered and scheduled on-the-spot. Those that submit lightning talks on the wiki get first dibs on timeslots the day of. If you attended BsidesAustin, it is roughly the same idea.
- Name: Greg Martin @gregcmartin
- Title: Mass Exploitation for Dummies
- Abstract: Leveraging the newest developed features in Metasploit learn how to bundle and hide meterpreter to bypass 99% of A/V, and tunnel out of any security perimeter on a mass-scale basis. This talk will demo the latest security threats organizations face and why it's so difficult to defend against. Open Q/A to discuss defense strategies after the talk.
- Name: Branden R. Williams @BrandenWilliams
- Title: The Mistakes QSAs Make
- Abstract: QSAs are a piece of work, aren't they? Have you dealt with one and been frustrated beyond belief? This session will give you some confessions from a QSA, with specific examples of the mistakes they (we) make. You will walk away with specific examples of the mistakes made, as well as ways to combat them. The last part of the session will be allocated to dogpile/ask questions about the PCI DSS process, and how to WIN at your assessment!
- Name: Andrew Wilson @kuzushi | @awilsong / pinvoke@doublethunk.org
- Title: Patterns & Predictability - The Essence of Attack
- Abstract: Effective attacks against a system take advantage of innate vulnerabilities. Regardless of whether these vulnerabilities exist in reality or only in potential, they can still be elicited and compromised. The problem remains, then, of how we elicit such openings so that we can use them to our purpose. To do so, we must first analyze a system to understand its natural patterns and cycles. Then, once we understand a system's behavior, we can interrupt it and fit appropriately to position our advantage. This presentation will demonstrate how this type of analysis, interaction, and fitting can compromise and lead a system (in this case, the human body) to unrecoverable scenarios. Parallels will be demonstrated throughout the presentation showing how this approach can be directly applied to computer systems and infrastructures.
- Name: Simple Nomad @simplenomad / thegnome@nmrc.org
- Title: Emerging Security Threats
- Abstract: This session will examine emerging security threats through real-world examples to help organizations fine-tune their defenses. The topics will include motivations, attack techniques, and current trends used by modern attackers, and discuss in detail such items as client-side attacks, botnets, phishing, the definition and role of 0day, and the definition and signs of APT. In addition, mitigation techniques for the various threats will be discussed, including which ones seem to be more effective than others. The speaker does not work for a security vendor or consultancy, is not selling a book or software, nor is he selling any services at all, so expect a very frank and open discussion, especially in the area of mitigation.
- Name: Nick Selby
- Title: Infosec Sheepdogs: Creating an Abstraction/Translation Layer Between InfoSec and Law Enforcement
- Abstract: We in information security don't often call the fuzz when we get hacked. We fear that the cops would a) rush in, shut us down and mill about in the lobby for 15 days in blue windbreakers, drinking coffee and being suspicious, or b) not understand the nature or the specifics of the problem and therefore do nothing. From their perspective, the cops look at us as unstable, scary, untrustworthy, poorly-mannered and possibly akin to those identity thieves they've heard about. Yet the two groups work, generally, for the same purposes: to keep their constituents safe from criminals and threats. This talk will explore ways that infosec professionals can learn what law enforcement agencies - local, county, state and federal - need to get from us to help us, and ways that we can educate law enforcement on who we are, what we do, and what we can do to help them help us, and help others. It's a call to action. You in?
- Name: Lee Heath
- Title: Phishing to Fraud: The Business Side of Phishing
- Abstract: This talk looks at phishing from the standpoint of merchant services rather than an end user's account: what kinds of services might be attacked and how they could be used. Most think that phishing is done to gain access to bank accounts or other places where an attacker can get at a few individuals' credit and cash supplies. What happens when the attacker already has credit cards? What if they want more than a single account? How do they go about using the info they have?
[LIGHTNING TALK]
- Name: Patrick Florer (patrick@riskcentricsecurity.com)
- Title: 0 <= P(X) <= 1 : An Introduction to Information Security Risk Analysis
- Abstract: This presentation addresses the fundamental issues and concepts of information security risk analysis. By learning to analyze and to articulate risk in financial terms, information security professionals will begin to bridge the gap that often separates them from their less technically-savvy business counterparts. This presentation begins with a problem statement, proposes a working definition of risk, presents a number of key risk analysis concepts, and provides a high-level view of the risk landscape and the risk analysis process. The presentation concludes with a brief discussion of the difference between risk analysis and risk management. The presentation includes a demonstration of a risk analysis using Monte Carlo simulation.
[LIGHTNING TALK]
- Name: Eric Irvin / @secrunner / eirvin at gmail / ericirvin.com
- Title: Life as a Security Sales Engineer/Solutions Architect (LT)
- Abstract: This lightning talk will discuss life as a sales engineer. We've all seen the Penn and Teller sales team from our vendors. Typically, there is the smooth-talking salesperson who tries to step over everyone in his way to reach the person who signs the PO, traveling with the geek who actually knows how the software/hardware works. This talk will explain what the responsibilities are for some of these positions, how to find jobs, what to expect, and all the general good and bad that comes with working for a security software vendor.
[LIGHTNING TALK]
- Name: Wendy Nather
- Title: The Code Your Code Could Smell Like
- Abstract: Look at your software. Now back at mine. Now back at your software. Now back at mine. If your code were Rugged, it would be resilient, extensible, long-lasting AND secure -- and it would totally attract CIOs. Let's talk about putting some Spice in your SDLC. Bath towels optional.
[LIGHTNING TALK]
- Name: Wardell Motley Jr. / infowarrior0 at gmail dot com
- Title: Footprinting & Intelligence Gathering: Paterva & Beyond
- Abstract: Information gathering is integral to any penetration test, and in this presentation we will examine some of the latest strategies to do just that. By examining some of the latest tools and techniques, I hope to improve upon your information gathering tool box.
[LIGHTNING TALK]
- Name: Ken Lamkin - ken.lamkin at gmail.com
- Title: Shai-Hulud: The Quest for Worm Sign
- Abstract: The concept was originally published and peer reviewed for SPIE conference 5812-38. The presentation addresses the latest developments regarding successful worm detection at real-time OC-192 and faster speeds. These high-speed communication links require hardware to extract binary sequences and identify worms and other malware in near real time. Advances in field programmable gate arrays (FPGAs) enable extraction of these sequences, but FPGAs alone do not have the necessary mathematical algorithms to detect worm sequences in near real time, or the ability to convert these algorithms into lookup tables (LuTs) to be compiled into FPGAs. Data Modeling provides the theory and algorithms for an effective framework to accomplish near real-time worm detection and the conversion of these algorithms into LuTs. Current detection methods such as pattern recognition are limited both by the time needed to compare the current data sequence with a database of potential candidates, and by their inability to classify information that was absent during the training process. Data Modeling compensates for these limitations by training on examples of nominal behavior, resulting in a highly tuned and fast-running equation model that is compiled into an FPGA as a LuT. This presentation is an overview of our approach to generating the data models and the subsequent conversion into LuTs. A proof of concept is given using the binary patterns from WEBDAV, SLAMMER, and RED PROBE with a basic source code example of the detector and LuT.
[LIGHTNING TALK]
- Name: Matt Springfield <matt at mattspringfield.com>, Jim Bibles <jamesb at complyguardnetworks.com>, Branden Williams <brw at brandenwilliams.com>
- Title: PCI Fireside Chat
- Abstract: Pull up a seat next to the fire and talk PCI. This will be an open discussion/round table format to discuss the hot topics of PCI, recent updates from the council, and real world challenges (let's get technical!). Bring a bag full of your most challenging real world scenarios for discussion.
- PCI DSS 2.0
- PCI Compliance and virtualization (it IS possible!)
- Compliance vs. Security
- PCI Compliance Program
- Does PCI Compliance Matter?
[LIGHTNING TALK]
Comments (3)
Daniel Molina said
at 10:17 am on May 24, 2010
Name: Daniel J. Molina, @DJMolina / daniel.molina@kaspersky.com
Title: Top 10 Ways IT is Enabling Cybercrime
Abstract: Today's IT departments, unbeknownst to themselves, are empowering cybercrime by their own actions. Daniel Molina presents the Top 10 Things that your IT department is doing that enable cybercrime in your own company.
Andrew said
at 8:15 am on Jun 19, 2010
Name: Andrew Wilson @kuzushi | @awilsong / pinvoke@doublethunk.org
Title: Patterns & Predictability - The essence of attack
Abstract: Effective attacks against a system take advantage of innate vulnerabilities. Regardless of whether these vulnerabilities exist in reality or only in potential, they can still be elicited and compromised. The problem remains, then, of how we elicit such openings so that we can use them to our purpose. To do so, we must first analyze a system to understand its natural patterns and cycles. Then, once we understand a system's behavior, we can interrupt it and fit appropriately to position our advantage.
This presentation will demonstrate how this type of analysis, interaction, and fitting can compromise and lead a system (in this case, the human body) to unrecoverable scenarios. Parallels will be demonstrated throughout the presentation showing how this approach can be directly applied to computer systems and infrastructures.
Paul Kendall said
at 7:05 am on Aug 27, 2010
- Name: Paul L. Kendall / pkendall@accudatasystems.com
- Title: Surviving a Federal HIPAA Compliance Audit
- Abstract: HIPAA is no longer a complaint-driven audit process; the Department of Health and Human Services (DHHS) began performing HIPAA Compliance audits in 2007. As of 2010, DHHS is expanding its audit role to undertake more audits going forward. This presentation will focus on the types of information DHHS is looking for in conducting these audits, common problem areas encountered by most audited organizations, and what can be done to remediate the commonly found areas of weakness (NOTE: Encryption has become a hot topic during the DHHS audits).