BSidesAtlantaCFP


 

Call For Presenters (CFP)

 

BSidesAtlanta will be held in a semi-unconference fashion with 2 tracks. Track 1 will hold the more traditional talks (with slides), while Track 2 will be run BarCamp style, where talks can either be submitted ahead of time or volunteered and scheduled on the spot. Those who submit talks on the wiki get first dibs on timeslots on the day of BSidesAtlanta. If you attended BSidesAustin or heard about it, this is roughly the same idea.

 

Please note the following deadlines:

  • CFP Submission Deadline: Friday, September 10, 2010 at 11:59pm ET
  • CFP Speaker Notification: Friday, September 17, 2010

 

 

Talks

 

Please add your name, contact information (email, Twitter, website), presentation title, and a short description. Please use the example text as a template: copy and paste it into a new entry, then edit it to fit your talk.

 

  • Name: Martin Fisher  @armorguy / armorguy@gmail.com
  • Title: Why We Suck At Incident Response (and How To Suck Less)
  • Abstract: If we're honest with ourselves we generally suck at Incident Response.  We'll discuss people, process, and tools and reveal the secret to creating teams and techniques that will help us suck less at IR.

 

  • Name: Marisa Fagan  @dewzi
  • Title: A Password Alternative
  • Abstract: A case study of one website's successes and failures with a home-grown user authentication solution that doesn't involve passwords. 

 

  • Name: Dave Shackleford @daveshackleford / dave.shackleford@gmail.com
  • Title: Right-brained Infosec: Creatively evangelizing security and solving problems
  • Abstract: Why the future of information security will depend on “designers” and creative teams that can adapt to changing threats, vulnerabilities, and overall business/environmental conditions. In addition, the ability to tell stories and relate current business needs to information security will be critical in evangelizing and “selling” security to business leaders who need guidance on the right approach that best suits each organization.

 

  • Name: Brian Wilson  @slimjim100 / slimjim100(a)gmail.com
  • Title: Intro to DOCSIS (how your cable modem works)
  • Abstract: A quick lesson on how your broadband cable modem gets your data packets from your home to the Internet and back over coaxial cable networks. Learn how DOCSIS has evolved from 1.0 to 3.0 and how the CMTS works and controls thousands of modems on a shared network with per-modem speeds of over 150 Mbps.

 

  • Name: Michael Woolfe @wfmn / michaelwoolfe_gmail.com
  • Title: How to get someone else to do your job
  • Abstract: Working with contractors, being under-staffed, mergers, remote support, and hiring MSSPs are all scenarios where we have to rely upon someone else to do our job or a job.  We'll discuss how to leverage these 'resources' while staying insane, employed, and applying some semblance of QA.

 

  • Name: Mike Doyle @fe3mike
  • Title: Pivoting arbitrary tools with Socket Proxy
  • Abstract: An attack platform can host many tools for reconnaissance, enumeration, vulnerability analysis, and exploitation. These are all too frequently left at the doorstep of the target network once the first host is compromised. Socket Proxy is a post-exploitation pivot tool for leveraging the versatility of your attack platform in the network context of a compromised host.

 

  • Name: Tony UV  (@versprite / tonyuv at versprite dot com)
  • Title: Applying Application Threat Modeling Beyond the Conceptual Hype
  • Abstract: As delusions of effective risk management for application environments continue to spread, companies continue to bleed large amounts of security spending without truly knowing if the amount is warranted, effective, or even elevating security at all. In parallel, hybrid, thought-provoking security strategies are moving beyond conceptual ideas to practical applications within ripe environments. Application Threat Modeling is one of those areas which, beyond the hype, provides a practical and sensible security strategy that leverages already existing security efforts for an improved threat model of what is lurking in the shadows. This presentation seeks to walk through practical applications and exercises associated with application threat modeling. Integration with multiple security-focused disciplines will be included, such as dynamic analysis, static analysis, incident monitoring, vulnerability management, social engineering, penetration testing, and more.

 

  • Name: (Gary Palgon)  (@GaryPalgon/ GPalgon@nuBridges.com)
  • Title: A New Approach to Enterprise Data Security: Tokenization
  • Abstract: To lower the risk of data theft and comply with privacy laws, organizations are seeking ways to secure more types of sensitive and confidential data. A new data security model — tokenization — is proving effective for securing credit card numbers as well as personally identifiable information while reducing scope for PCI audits and lowering business risk across the extended enterprise.

 

  • Name: Erik Peterson  (@silvexis, epeterson@veracode.com)
  • Title: The long Con of Automated Dynamic Web Application Security Testing
  • Abstract: It's been over 10 years since the first automated web security testing products were introduced, so why are so many of the dynamic or black-box testing tools still challenging to use and often ineffective? With the average organization having hundreds or even thousands of web applications, organizations have turned to automated solutions as their only option to assess their online risks, but are automated web application security testing solutions really effective? This session outlines why today’s tools and approaches are increasingly only giving us a false sense of security and how a new approach to dynamic web application security testing is required.

 

 

  • Name: (Christopher Elisan) (@tophs / celisan@damballa.com)
  • Title: Malware Factory – A Peek at the Darkside of the Force
  • Abstract:  Every year, the number of unique malware samples being discovered by anti-virus vendors grows more astounding. In 2010, 50,000 to 60,000 unique samples per day are fast becoming the norm and many of them are targeting enterprise businesses. This keeps every enterprise security team awake at night and it is a big challenge for anti-virus vendors, as they work to process and analyze them. Can the bad guys really continue to produce this volume of UNIQUE malware samples each and every day? The answer is unfortunately YES, especially with the aid of the right tools.
    This presentation will cover how easy it is for script kiddies and cybercriminal newbies to create an army of bot agents on a large scale for use against a specific target and for a specific purpose by using freely available automation and serial variant production resources that can be found on the Internet. We will explore the process of selecting the target, the tools, and the methods of producing the bot agents – and ensuring that they pass QA tests for “undetectability”.
    But where there is darkness, there is light. In this session we will present ways to fight this threat. The solution is not found in the system level technical race but on a higher plane that directly affects the criminal operator behind the botnet.

 

  • Name: Dave Shackleford  / @daveshackleford
  • Title: Happy Little Clouds: Governing, Assessing, and Auditing Cloud Environments
  • Abstract: Although the technical security concerns surrounding cloud implementation and usage are numerous, there are many other fundamental issues surrounding risk assessment, governance by both providers and customers, and auditing and compliance within cloud environments. Standards? Who needs those? Most agree the cloud does, and various groups are working on creating frameworks and guidance for auditors and security practitioners alike to help in navigating these new environments. This presentation will explore the current state of affairs with regard to cloud auditing and assessments, and also delve into governance, risk, and compliance (GRC) within the cloud environment. Technical controls and frameworks will be covered, ranging from virtualization to networking, system, and application security within the cloud.

 

  • Name: Dave Shackleford  / @daveshackleford (and maybe 1-2 others)
  • Title: Testing Exfiltration: Recreating Outbound Evil
  • Abstract: For years, security professionals have worried about protecting the perimeter, as well as systems and applications, from external threats. Insider threats have become much more prevalent now, as have stealthy sophisticated attacks and malware. Much to-do has been made of solutions like DLP and IPS, but are they really able to defend you from sensitive data and attacker communications *leaving* your network?
    In this presentation, we'll walk through a methodology you can put to use for simulating outbound data leakage and attacker communications scenarios. Traffic generation tools, obfuscation and tunneling techniques, and simulated bot and stealth malware comm channels will be covered. Fun for the whole family, guaranteed.

 

  • Name: Mike Rothman / @securityincite
  • Title: Information Security 2011: Gaze into the Crystal Ball
  • Abstract: Things seem to be bad out there. More attacks, higher-value targets, less budget, declining economy, the list goes on and on. Why do we even bother? And more importantly, what can we look forward to in 2011? Will it be more of the same, or is change finally coming to information security? Mike Rothman of Securosis will set the stage for the coming year, discussing the major (and expected) threat vectors. He'll also cover key trends regarding network, endpoint, and data security. And yes, have no fear, he'll talk about clouds, virtualization, and compliance too. You'll laugh, you'll cry. Actually, you'll mostly cry, but at the end of the session, you should be able to start thinking about your own priorities for 2011.

 

  • Name: Rob Ragan  @sweepthatleg
  • Title:  Lord of the Bing: Taking back search engine hacking from Google and Bing 
  • Abstract: During World War II the CIA created a special information intelligence unit to exploit information gathered from openly available sources. One classic example of the team’s resourcefulness was the ability to determine whether Allied forces had successfully bombed bridges leading into Paris based on increasing orange prices. Since then OSINT sources have surged in number and diversity, but none can compare to the wealth of information provided by the Internet. Attackers have been clever enough in the past to take advantage of search engines to filter this information to identify vulnerabilities. However, current search hacking techniques have been stymied by search provider efforts to curb this type of behavior. Not anymore - this demonstration-heavy presentation picks up the subtle art of search engine hacking at the current state and discusses why these techniques fail. Several new search engine hacking techniques will be demonstrated that have resulted in remarkable breakthroughs against both Google and Bing. New tools will be demonstrated, along with the first ever "live vulnerability feed", which will quickly become the new standard on how to detect and protect yourself against these types of attacks.

 

 

  • Name: Aldrich de Mata / ademata@damballa.com
  • Title: Detecting Packed Malware: Looking at Packer Identifiers and Malware Packers
  • Abstract: Problems arise for the malware researcher when malware uses packers to compress and pack a binary file. Packed binaries evade detection by antivirus vendors and make the analysis of malware difficult for the researcher. This issue can be solved by first identifying which packer was used by the malware to pack the binary using a packer identifier, which is one of the essential tools of malware researchers in analyzing malware. Most good packer identifiers were created for the Windows operating system, so porting a packer identifier to Linux will be discussed. A framework for a packer identifier in Linux that is written in Python will be shown. Essential information about packers will be introduced in the presentation, including the differences between packers, file archivers, file binders, compressors, and encryptors; a comparison of packed and unpacked files; and two best practices in identifying packers - signature-based and heuristic-based detection.

 

  • Name: Martin Fisher  @armorguy / armorguy@gmail.com
  • Title: It's All About Choices...
  • Abstract: Lessons learned (some the hard way) about how the choices you make early in your career can impact you (positively or negatively) later.  We'll talk about the stages and levels of your career and some of the expectations that come along with that.  No matter where you are in your career you can learn, share, and teach during this session.

 

  • Name: Nick Owen @wikidsystems / nowen@wikidsystems.com
  • Title: Securing Remote Access with Two-factor Authentication & Open Source tools 
  • Abstract:  In these times of tight budgets, it pays to explore open-source remote access solutions.  This talk discusses how to create robust, secure remote access offerings that are simple and secure.  Network protocols, remote desktop, web-applications, VPNs, etc. will be discussed.

 

  • Name: Peter Hesse @pmhesse / pmhesse@geminisecurity-dot-com
  • Title: Security Policies: The Next Generation 
  • Abstract:  Today's average corporate information security policy is meant to solve a problem: it codifies practices and rules for dealing with information in storage, transmission, and use.  Unfortunately, most policies have become the problem that needs to be solved. With unreadable language, amazing depth, breadth, and length, and unimplementable requirements, current policies only push users further from what they need. This talk will give real-life examples of bad security policy practice, and share a glimpse into my vision of the next generation of security policies which will (hopefully) gain better acceptance and allow for improved awareness.

 

 

  • Name: Karthik Rangarajan @krangarajan / rangarajan.karthik@gmail.com
  • Title: Browser Add-Ons That Steal
  • Abstract: Both Mozilla Firefox and Google Chrome offer the ability to obtain third-party extensions/add-ons to extend functionality. None of these third-party add-ons are verified by anyone, except by developers - and that is only in the case of a highly collaborative project. There have been cases where Mozilla has pulled add-ons from the addons site, and has even come up with a plan to code review extensions before they go live. There's already a system in place where add-ons are scanned for known malware before they are uploaded - but that's only known malware. The code review policy hasn't seen the light of day yet. Extensions that just steal passwords from login forms have been done, and have been taken off. But what if the extension had code that read other things from your computer? Like the database that holds your form's autocomplete. It's not obvious why that is useful - but consider certain websites that don't turn autocomplete off for sensitive information. ATT does that for SSN, Bank Of America does that for your account number, and there are some sites that do that for your credit card numbers. An extension that could read this information has then given you a mine of data. The usual approach for such an extension is to find an exploit in another one, but if an extension could be pushed in as an innocent one by itself, then it could do a lot more damage.

 

  • Name: Karthik Rangarajan @krangarajan / rangarajan.karthik@gmail.com
  • Title: Why wildcarding of SSL certificates is bad
  • Abstract: The way SSL certs work is that the certificate is given to the domain, and anything under that particular domain automatically gets the certificate. So this is automatically true for all of Google's products, including Google Sites, Google Forms, etc. It's also true for all of Wordpress' sites. This is not something that's usually considered a big deal - but consider someone who trusts a site based purely on the "lock" that they see in the browser. If they came to a Google Site that I had set up, maliciously, requesting information for what was apparently an innocent reason, pretending to be someone else, they would fill it out happily enough, especially if I promised them security due to SSL. But the more dangerous case is when websites end up getting compromised. Consider a domain that has an SSL cert, and allows people to host their own servers/content on that domain. If one of these websites is compromised, an attacker can put any page he wants on that site, claim it to be SSL certified, claim to be that company/organization, and steal information.

 

  • Name: Daniel Frye @frizille / frizille@gmail dot com
  • Title: Dragging the Elephant to Water (or How [not] to Start a Security Team)
  • Abstract: As security has taken on a dedicated role in business many IT professionals are migrating away from their operations roles to a dedicated security role. Based on 5 years of experience planning, establishing, and evangelizing the start of a dedicated security team from scratch, this talk will discuss the successes and failures reached along the way. Additionally, the talk will discuss the business skills needed to effectively relate to the business owners so you can be successful with security initiatives and how to derive security metrics from operational data to help aid your arguments for tighter controls.

 

  • Name: Daniel Frye @frizille / frizille@gmail dot com
  • Title: Basics of Securing PeopleSoft Architectures
  • Abstract: Many organizations rely upon Oracle’s PeopleSoft ERP applications but many organizations treat ERP as ‘just another app’ to secure and manage. Unfortunately this is not the case and the misconception is opening many organizations to increased risk – especially given the sensitive nature of the data found inside the ERP systems. This talk will discuss “PeopleSoft Basics” as it relates to infrastructure security based on the experiences of running the security team for an ERP hosting provider. The talk will also provide security teams responsible for securing PeopleSoft a starting checklist to validate their own PeopleSoft architectures once they leave the conference.

 

  • Name: Todd Merrill @ToddMerrill / todd.merrill at globalcrypto dot com
  • Title: Protecting PHI with encryption for HIPAA compliance
  • Abstract: This talk is a run-down of the misery that is the American Recovery and Reinvestment Act and its impact on the Health Care community in the US. The ARRA strengthened the old HIPAA regulations in a number of ways and is now forcing medical practitioners and their Business Associates to finally embrace Healthcare IT, Security and Privacy. Encryption is a vital part of this regulation and will keep you out of trouble if you can implement it properly. http://www.slideshare.net/ToddMerrill/protecting-phi-with-encryption-for-hipaa-compliance

 

  • Name: Gal Shpantzer @Shpantzer
  • Title: Security Domination via Hard Drive Isolation
  • Abstract: Every organization is a reluctant participant in the malware arms race, investing untold blood and treasure in securing the essentially unsecurable: commercial general-purpose, fat-client endpoints that are simply inappropriate for certain high-risk business processes and sensitive data.  This talk goes through this problem and proposes an alternative approach to the one-size-fits-all desktop. SANS.edu grad students call this approach ROBAM, while Gartner calls it Trusted Portable Personality Devices.
    You will learn how leading government, financial and emergency response sector organizations are improving security while simultaneously extending remote access and mobility to administrators as well as end users. Several specific use cases are outlined and analyzed in this talk.

 

  • Name: Gal Shpantzer @Shpantzer
  • Title: Security Outliers: Cultural Cues from High Risk Professions
  • Abstract: Information security managers typically focus on managing risk and implementing technology controls. Yet despite a recent focus on the important role of the human factor in information security, they often neglect to consider it in their planning. When they do consider human factors, attention is often focused on training security staff and developing security awareness and education for users. Little if any attention has been devoted to analyzing interactions and patterns of communication between security professionals, their managers, and corporate executives. This presentation will explore aspects of successful risk management for security officers by drawing upon lessons from other high-risk professions that have a cultural legacy of overcoming risk.
    The foundation for this presentation is based upon Malcolm Gladwell's Outliers, a book about cultural legacies and their contributions to success and failure in business. We adapt and extend Gladwell's work to analyze the human factors behind major disasters in areas such as surgery, nuclear power, and military special operations to identify best practices security professionals can use to develop our own rich cultural legacy to ensure success and minimize risks due to communication disconnects. We will derive a list of key indicators that act as warning signs of impending disasters or breaches. We will also present a list of predictors of effective communication between information security professionals and stakeholders. We conclude by recommending specific actions and training objectives designed to dramatically improve risk management outcomes.

     

    Comments (4)

    Daniel Molina said

    at 10:16 am on May 24, 2010

    Name: Daniel J. Molina, @DJMolina / daniel.molina@kaspersky.com
    Title: Top 10 Ways IT is Enabling Cybercrime
    Abstract: Today's IT departments, unbeknownst to themselves, are empowering cybercrime by their own actions. Daniel Molina presents the Top 10 things that your IT department is doing that enable cybercrime in your own company.

    Logan Kleier said

    at 2:04 pm on Sep 15, 2010

    Name: Logan Kleier @PortlandInfoSec / logan.kleier@portlandoregon.gov
    Title: Secure Web Gateways: Evaluation Criteria and Implementation Lessons Learned
    Abstract: Secure Web Gateways: This session describes the methodology that the City of Portland used to evaluate and select a secure web gateway to protect its 5,000+ user base. The City created a standardized testing methodology to simultaneously test the effectiveness of three different vendors’ solutions. As a result of this testing, the City was able to produce a means to test vendor claims regarding the effectiveness of their tools to quarantine and eliminate malware on the City’s network.

    Logan Kleier said

    at 2:31 pm on Sep 15, 2010

    Name: Logan Kleier @PortlandInfoSec / logan.kleier@portlandoregon.gov
    Title: Is This What the Long March Looks Like: SANS Top 20 Critical Controls Implementation
    Abstract: The SANS Top 20 Critical Security Controls are one of several information security guidelines designed to reduce risk and to simplify the process of addressing risk. However, the list is lengthy and requires significant organizational effort to attain basic proficiency in all 15 automated controls and 5 manual controls. This presentation will help to delineate some methods to prioritize and achieve better success in implementing the SANS Top 20 by understanding the overall organization's motivational and hygiene factors. These motivational factors (first described in the psychology literature as the "two-factor theory") are factors that drive an organization to do better, while hygiene factors are those factors that cause the organization discomfort when absent but do not cause the organization to do better. The City of Portland has sought to implement SANS Top 20 controls in those areas that align with the City's broader motivational factors and to avoid implementing controls that address hygiene factors.