BSidesNewDelhiTalks
Call For Presenters (CFP)
BSidesNewDelhi will be a structured presentation-style event with 1 primary track and several break-out rooms. Please send your presentation abstracts here or post them in our LinkedIn space (or an external link to outside material, if appropriate); they will then be listed below. Once we have a list of presentations we will vote to decide on the finalists and publish their names on the presenters list at BSidesNewDelhi.
For further information on the CFP, see this post, which specifies further details.
Template:
Please update with your Name, Contact Information (email, Twitter, website), Presentation Title, and Abstract (500 words). Please use the following example text as a template.
- Name: First_Name Last_Name @twitter / email / website
- Title: Title of your presentation
- Abstract: Include a brief 2-5 sentence abstract describing your presentation's goals and objectives.
Talk Abstracts Received:
- Name: Mayank Aggarwal
- Title: Malicious Applications for Smartphones
- Abstract: Given the rise of popularity in smartphones over the past few years with new, more robust smartphones being released each month, it becomes increasingly important for us to question the security and discuss the risks of these handheld devices to the enterprise and to the consumer. Time after time, malicious applications find their way to the smartphone of an unsuspecting user by enticing users to download free applications. The smartphone giants like RIM, APPLE, Windows, Symbian, and Android have implemented various countermeasures and security models. However, the question of whether the existing countermeasures prevent the smartphone from being compromised still exists. The goal of malware and attacks has changed from simply being disruptive, to being financially motivated and stealthy. By presenting actual, current exploits and proof-of-concept malicious applications, see how users and enterprises who are waiting to experience an infection or data loss prior to implementing security software for their smartphones are placing themselves into the unsavory position of unknowingly becoming exploited and having absolutely no security software to address that exploitation.
- Name: Mark Brown
- Title: Buzzword Compliant - Penetration Testing Google AppEngine 'Cloud'? Applications
- Abstract: All of the cool kids are doing it – talking about “the cloud”. IT professionals, previously left to rot with the other social outcasts, can now make themselves the light of the party simply by dropping the word cloud into conversation. As a result, we’re told that the number of companies that have either deployed applications in “the cloud” or are looking at doing so is on the up. Google’s AppEngine platform is one method of getting into “the cloud”. The platform allows developers to write Java or Python code and to deploy this code onto Google’s massive global infrastructure. In exchange Google can bill customers for CPU time, bandwidth, disk space and other computing resources. In fact, to make the process of getting yourself buzzword compliant all the more simple, Google makes use of a similar billing model to your local drug dealer – the first 1.3M hits/day are free – the rest you pay for. AppEngine provides developers with an almost complete version of the Java and Python APIs to work with. Restrictions are placed around certain functions which are either incompatible with the concept of running an application in a “cloud” or have potential security implications. Like any development framework, there are aspects of the AppEngine APIs that could lead developers to develop applications that suffer from security weaknesses. In this presentation I’ll cover some of the traps that I think some developers may fall into, and wrap this into a methodology for testing apps deployed in the AppEngine environment. This talk is specifically focused on application testing. Those looking to escape the AppEngine sandbox and take over the world using Google’s infrastructure are probably not going to be interested in the contents of this presentation. That said, IT execs who get sweaty when they hear the word “cloud” are sure to leave impressed.
- Name: Mike Dahn (@MikD)
- Title: Confessions of a PCI Trainer - 12 Steps to Regulatory Compliance Recovery
- Abstract: TBD
- Name: Morgan Marquis-Boire
- Title: Digital Forensics
- Abstract: Digital Forensics is the art of recovering evidence from an electronic crime scene: the effort to create a convincing narrative which conveys the whys and wherefores of a specific act of digital malfeasance. Primarily employing techniques against those who prowl the digital badlands, the forensic analyst must stay up to date with the latest methods that may be used to cover up evidence of misdeeds, hinder investigations or mislead an investigator. The realm of such techniques is known as anti-forensics. This talk will detail techniques commonly used to frustrate, annoy or evade. Data destruction, data contraception, secure deletion, duress filesystems, rootkits, and more will all be covered in this cornucopia of concealment. This talk will offer practical advice for both the large enterprise and the digital bad-ass.
- Name: Kizz MyAnthia (Nick D.)
- Title: Weaponizing The Smartphone: Protecting Against The Perfect WMD
- Abstract: The acceptance and integration of mobile phones, specifically smartphones, into our everyday life has allowed these devices to penetrate deep into secure areas. The ability to have your phone with you at any moment of the day feeds our needs for social media, email, business, and pleasure. This ability and access has allowed the use of smartphones to be bred into devices that rival other penetration testing hardware/software combinations. I have developed and created an OS platform package that allows penetration testers and security professionals the ability to test both physical security and technical security without being constrained by computers, cords, or the image of suspicious behaviour. The WMD platform package is based on Windows Mobile 6.5 smartphones and is executed similarly to a virtual machine. The WMD package is preloaded with many of the same applications and testing tools that are included with Backtrack 4 (www.backtrack-linux.org); there is no affiliation between the two projects, only the similar desire to create a single source of the latest tools, applications, and techniques used by today's security professionals integrating today's latest technologies. "Weaponizing The Smartphone: Protecting Against The Perfect WMD" will show the audience how to create a deployable package on a MicroSD card for use on the HTC Rhodium (AT&T Tilt2) or similar Windows Mobile 6.5 smartphone. Then, using a test wireless AP, a Windows Server 2003 VM, and the loaded WMD smartphone, the audience will be presented with a live demonstration of some of the tools. This includes NMap, Metasploit, and The Social Engineering Toolkit to exploit the Windows Server 2003 VM and gain administrative access. The fundamental security flaw of accepting technology to perform only what it was "made" for, without the expectation of manipulation, presented by "Weaponizing The Smartphone: Protecting Against The Perfect WMD" will help security professionals protect their environments while stimulating "out-of-the-box" thinking.
- Name: Jelle Niemantsverdriet (@jelle_n)
- Title: Don't believe the hype - keeping our heads cool
- Abstract: It's hard to keep up with all the new information security developments in today's world. But do we actually have to keep up with EVERYTHING that is out there? This presentation will explore a "keep it cool" and fact-based approach to information security, using data from real-world forensic investigations by Verizon, the US Secret Service and the Dutch High Tech Crime Unit (taken from Verizon's Data Breach Investigation Report) but also using analogies and practices from other fields such as medicine and aviation.
- Name: Nikhil Mittal (@nikhil_mitt)
- Title: Here are your keystrokes or “Mere paas Teensy hai”
- Abstract: It is getting more difficult by the day to exploit machines using “ms08_netapi” during internal penetration tests. Nowadays, enterprises who are even a little serious about their security have their patches in place, servers are hardened, firewall policies are there, IPS and IDS devices are present (and configured) and there is some monitoring too. You may not find a machine vulnerable to a well-known bug which allows you to exploit your way into the network (OK, you may, but we should know other ways too, right? ;-)). The first thing that comes to mind is client-side attacks; a simple webpage or email attachment may do more damage than a shiny exploit. You have to turn to your social engineering skills to send some emails, wishing that users click on some links and/or open some attachments, which again may depend on a client-side vulnerability. What if you can catch an unlocked system and type in some commands quickly, or force a user to browse to a webpage of your choice? What if it were possible to be dead accurate while using such commands? Know Teensy. Teensy, which is a very versatile device, can be used as a keystroke dongle and can be programmed to “type” commands or use the mouse when a specific condition is met. All you need to do is program commands into the device, connect it to a system using a USB port and you will see commands being sent. Much work has been done on Teensy, with some really great things done with it. This talk focuses on simple usage of Teensy in a penetration test. The emphasis is on typing as little as possible to be stealthy, so mostly there will be one-line code. You will see how easy it is to pwn a machine using Teensy with just a few keystrokes. Some intuitive attack methods (or commands, you can say) will be tried. We will have a look at how fabulously Teensy goes through the instructions provided. We will also go through some steps in tutorial mode so that you can program your own Teensy device. This is a relatively new attack vector and needs attention and contribution. The talk will be full of live demos.