• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!



Related pages :: BSidesSanFrancisco

Call For Presenters (CFP)


Please list your presentation for BSidesSanFrancisco below (and an external link to outside material if appropriate.)  Once we have a list of presentations we will vote and decide on the finalists by popular demand.  



Thanks for your valuable input - we hope to announce our final speaker list sometime this week!




Please update with your: name, contact information (email, twitter, website), presentation title, and short description.  Please leave use the example text as a template.  Simply copy and paste it into a new entry, then edit it to fit your talk.   


  • Name: Song Liu / pentester at gmail.com / www.faronics.com
  • Title: "How to attack windows kernel"  
  • Abstract:Through two kernel vulnerabilities the speaker discovered, the speaker will discuss the difference between attacking user-mode application and kernel, discuss how to define attacking surface for kernel, as well as the common mistakes kernel developer would make, and how to exploit. Among the two demonstrative kernel vulnerabilities, one is remote kernel vulnerability of tcpip.sys, and another one is local kernel vulnerability of file system filter driver.

         The Presentation outline  is like this:
          a> Difference between attacking windows application and kernel.
          b> Defining windows kernel surface.
          c> Common mistakes kernel developers would make
          d> Finding kernel vulnerabilites.
          e> How to exploit.
          f> 2 Examples(one remote kernel vulnerability and one local kernel vulnerability).


  • Name: Nick Selby / nick dot selby at tridentrm dot com
  • Title: "Post Attack: Working with Law Enforcement"  
  • Abstract: We in information security don't often call the fuzz when we get hacked. We fear that the cops would a) rush in, shut us down and mill about in the lobby for 15 days in blue windbreakers, drinking coffee and being suspicious, or b) not understand the nature or the specifics of the problem and therefore do nothing. From their perspective, the cops look at us as unstable, scary, untrustworthy, poorly-mannered and possibly akin to those identity thieves they've heard about. Yet the two groups work, generally, for the same purposes: to keep their constituents safe from criminals and threats. This pragmatic and readily applicable talk will explore ways that infosec professionals can learn what law enforcement agencies - local, county, state and federal - need to get from us to help us, and ways that we can educate law enforcement on who we are, what we do, and what we can do to help them help us, and help others.  It's a call to action. You in?


  • Name: Nick Selby / nick dot selby at tridentrm dot com
  • Title: "Intelligence in the Commercial Enterprise"  
  • Abstract: Say the word, "Intelligence" with a straight face in a corporate setting and you might be mocked as a crank or set upon by marketers of really expensive "intelligence platforms." This talk defines "intelligence" in the context of a contemporary commercial organization: what it is, how you get it and what to do with it. In plain English, and without breathless reference to Clive Cussler bullshit like "three-letter agencies", we'll cover the commercial enterprise intelligence process; Data vs Information vs Intelligence vs Knowledge; information sources your enterprise already has; and how to leverage what you've got into actionable tactical and strategic enterprise intelligence. There will be practical examples. You'll probably save some money and learn of some great sources of information, too.  


  • Name: Dr. Mike Lloyd / drmike@redseal.net / @redsealsytems
  • Title: "Gone in 60 Keystrokes"  
  • Abstract: As organizations analyze their network environments during security assessments, they often find a wide variety of mistakes – some minor, some far more serious.  Some mistakes are obvious, while others have proven significantly harder to see, even to trained professionals.  Professionals sometime react by saying “that’s got to be a false positive – we don’t have problems like that”.  This session will describe in detail several real-world stories from Global 2000 organizations that demonstrate serious defensive problems that were uncovered during actual automated network security assessments. The focus is on mistakes that are easy for human operators to make, but which have dire consequences. 

    Attendees of this session will:
    1. Understand the serious firewall/ACL configuration mistakes presented
    2. Know the patterns to hunt for to isolate such mistakes in their own networks
    3. Analyze the consequences of these issues when uncovered in their own networks
    4. Demonstrate the severity, to drive remediation


  • Name: Christopher Elisan / @tophs / celisan (@) damballa (.) com
  • Title: The Curious Case of Storm Worm 2
  • Abstract: Recently, a new Storm Worm emerged dubbed as Storm Worm 2. Most of the reports that came out concentrated on its host-based behavior but very little on its network behavior and how it was being used by the bad guys.

    In this presentation, I will go beyond the usual analysis by looking at the whole ecosystem and discuss my research findings on Storm Worm 2 and how it behaves not only on the host level but on the network level as well. A detailed view of its Command & Control (C&C) will be presented and discussed.

    My research shows that Storm Worm 2 is a part of a bigger BOTNET campaign. One that reaches as far back as December 2009. Based on the collected Command & Control data, I have established its relationship with other malware families that are part of the same BOTNET campaign. And as I plot all the different variables together and correlate them with one another a pattern began to emerge that will enable us to predict the C&C that will be utilized by future, possibly unknown and undetected malware families that will be used in this campaign. Giving us a step ahead of the bad guys for once.

    And as a conclusion, I will discuss a better solution when it comes to proactive malware protection based on my research findings.


  • Name: Jack Daniel @jack_daniel
  • Title: Surviving a Teleporter Accident
  • Abstract: Don’t you hate it when you are minding your own business, in a familiar place, in the right time...and you end up in a strange place, in the wrong time, maybe even the wrong century?  In this talk I will provide tips and tricks for dealing with this all-too-common tragedy.  Don't be a victim, be prepared.  (This is actually an informative, yet lighthearted introduction to the topic of pragmatic, risk-based security, but without using terms like "risk-based security".  There are two target audiences for this talk, those who need a non-technical introduction to thinking about risk and security, and those interested in using "subversive education" to get their message out to an audience).


  • Name: Tony UcedaVelez, www.versprite.com/@versprite
  • Title: Real World Threat Modeling for Web Applications
  • Abstract: Threat modeling gets a lot of sexy headlining - rightfully so, but nothing is a bigger turnoff when you're burning for actionable, realistic models, and get more theoretical, pragmatic hype.  Risk mitigation for web application environments is broken today as a result of many shortcomings in proper design, coding, security testing, and even governance efforts. This discussion, focused on web application environments aims to marry various concepts across various security disciplines, thereby proving to provide a utopia of relevance to all participants, regardless of technical role.  The presentation will cover all the germane aspects to application threat modeling including Data Flow Diagramming, Trust Boundaries, and different approaches but will also address how to effectively build the necessary content for attack and vuln libraries in order to evolve beyond saying your practicing threat modeling and actually doing it.


  • Name: Avishai Wool, avishaiDOTwoolATalgosecDOTcom, www.algosec.com

  • Title: Firewall Configuration Errors: Measuring the Holes in Swiss Cheese

  • Abstract: Practically every corporation that is connected to the Internet uses firewalls as the first line of its cyber-defense. However, the protection these firewalls provide is only as good as the policy they are configured to implement. It has been said, “the single most important factor of your firewall’s security is how you configure it.”


This presentation is based on my research, which defines a measurement of rule-set complexity and provides statistics from more than 80 firewall rule-sets related to 36 configuration errors. This quantified research and analysis indicates firewalls are poorly configured and that a rule-set’s complexity is positively correlated with the number of detected configuration errors. Hence, “less is more.”


My discussion will focus on defining firewall rule-set complexity and a statistical analysis of more than 80 firewall rule-sets. Participants will learn the most serious and common firewall rule-set configuration errors, as well as the conclusions of my research. Additionally, I will provide insight into the best practices for configuring a firewall rule-set, based on my findings.


  • Name: Mike Krueger (??), Daniel Blander, (www.techtonica.com @djbphaedrus) 
  • Title: WOMBAT and other fun security and IT terms
  • Abstract:  Every one of us has experienced challenges in discussing and presenting technology to managers, executives, loved ones, and MCE's (Magazine Certified Engineers).  We feel it is time to let the world know that we should delight in their ignorance.  This presentation is intended to be a review of twenty years of stupid, amusing, and outright WTF names, terms, and situations collected by the authors over their 30 years of combined work in IT and Information Security.  This presentation will be complete with graphics, Security Circles of Doom, songs about iPhones, and a description of how your presentations can be certified as WOMBAT safe.  We promise to use fowl language, make you giggle, and give you more reasons to point at people and laugh.  We promise not to insult the cute marsupial.


          Best observed while partaking in a beer or other inebriating material.


  • Name: Davi Ottenheimer, flyingpenguin.com/@daviottenheimer
  • Title: Dr. Stuxlove or: How I Learned to Stop Worrying and Love the Worm
  • Abstract: Has our "Human Reliability Program" improved since Stanley Kubrick's 1964 dark comedy film? What has 44 years of international security, leadership and incident response plans taught us? This presentation gives a look at trends in information security breaches and what really has been changing in order to offer several predictions of how best to prepare for what may be ahead. It then sorts out and clarifies the technical details from the most common and most damaging security breaches. Convergence from the trend data and the technical analysis are then wrapped (and if there is a DJ perhaps also rapped) into a conclusion that might surprise you. As Dr. Stuxlove would say: "the whole point of the Doomsday Malware is lost if you keep it a secret". Grab your hat, open the bay doors and enjoy the ride.


  • Name: David Mortman, securosis.com/newschoolsecurity.com/@mortman
  • Title: Cloud Security Realities
  • Abstract: There has been a lot of discussion of late on how (in)secure the Cloud(tm) is today. And while the criticisms and concerns are valid they rarely discuss what can be done today to make things work in the meantime. The reality is that cloud isn't going way so you need to know what to do today. I'll be discussing how to manage security in an IaaS environment with today's technologies, proceeses and people. Hint: It's not as hard as you think.


  • Name: Andy Ellis, www.csoandy.com / @csoandy
  • Title: Doing Battle in 70,000 trenches
  • Abstract: Scaling security technologies, processes, and compliance efforts into the cloud -- or any wide scale distributed system -- can be a challenge for any organization. Gain practical insights into Akamai's lessons learned in choosing how to secure 70,000 servers across the globe, with a focus on application of security technologies, understanding audit and compliance, and selecting scalable operational practices. Hint: It's harder than you think.


  • Name: Andy Ellis, www.csoandy.com / @csoandy
  • Title: Letting someone else's phone ring at 3 am: Building robust incident management frameworks
  • Abstract: In a startup, it's okay if your phone rings when any customer has a problem.   But as you grow to a billion dollar business, you'd better have better processes than that.   Learn about Akamai's incident management process, and figure out how to build your own.  Your mileage might vary. 


  • Name: Andy Ellis, www.csoandy.com / @csoandy
  • Title: CVSS: Management Jiu Jitsu.   These numbers do not mean what you think they mean. 
  • Abstract: Created by the NIAC seven years ago, CVSS was going to revolutionize how we prioritize vulnerability remediation.  Has it?  Learn more about its strengths and deficiencies from the first organization to adopt CVSS (as a vulnerability consumer).


  • Name: Gal Shpantzer @Shpantzer
  • Title: Security Domination via Hard Drive Isolation
  • Abstract: "Security Domination via Hard Drive Isolation"

Every organization is a reluctant participant in the malware arms-race, investing untold blood and treasure in securing the essentially unsecurable: General-purpose, fat-client endpoints that are simply inappropriate for certain high-risk business processes and particularly sensitive data.  This talk goes through this problem and proposes an alternative approach to the one-size-fits-all desktop. SANS.edu grad students call this approach ROBAM, while Gartner calls it Trusted Portable Personality Devices. 

You will learn how leading government and private sector organizations are improving security while simultaneously extending remote access and mobility to administrators as well as end users. Several specific approaches and use-cases are outlined and analyzed in this talk.


  • Name: Brett Hardin @miscsecurity
  • Title: You Are Alone. Enjoy It.
  • Abstract: Implementing any type of policy or procedure is a challenging. Security Policies and Procedures are even more challenging. This talk will not include roadmaps, diagrams, or bulky slides. This talk will be filled with humorous stories and anecdotes about how I begin attempting to be a fixer instead of a breaker. This talk may or may not involve drinking beer. Please dress accordingly.


  • Name: Will Gragido, @wgragido
  • Title: Sight Beyond Sight: The Importance of Global Threat Visualization
  • Abstract: A new era is upon us one which requires the ability to qualify and quantify potential and imminent threats in ways previously not considered or worse yet, considered to cumbersome to invest in.  You’ve seen the news, look at any media source and you can’t avoid topics ranging from botnets, to targeted attacks, to state sponsored attacks such as Stuxnet to the now ubiquitous Advanced Persistent Threat.   Regardless of your belief or feelings toward taxonomic terminology, the era of the Subversive Multi-vector Threat has arrived and the realities therein are, for many, only now being realized.  Join Will Gragido, Sr.Product Line Manager, of HP TippingPoint’s DVLabs , and co-Author of Cybercrime and Espionage: Analysis of the Subversive Multi-vector Threat as he explores the Global Threat Visualization as an operational function, a tactical element and strategic initiative for combating new and advanced categories of threat while applying reason in their qualification and quantification.


  • Name: Will Gragido, @wgragido
  • Title: State of the Scape: The Modern Threat landscape and Our Ability to React Intelligently
  • Abstract: This talk is meant to take the form of an informed panel discussion to be moderated by Will Gragido, Sr.Product Line Manager, of HP TippingPoint’s DVLabs , and co-Author of Cybercrime and Espionage: Analysis of the Subversive Multi-vector Threat.  The panel will consist of five participants all of whom are actively engaged in recognizing new trends, the impact of said trends, in addition to the identification of confluence points between exploits and vulnerabilities equating to new threats and risk.   During this lively discussion topics will range and include (though not be exclusive to) the following:
    • Our comprehension of the Internet Threat Landscape as an ecosystem driving be profit
    • Cyber Arms Dealers: The role of organized crime in perpetuating the cycles which power the ecosystem vs the independent operator
    • The value of current research techniques and information sharing in combating these new threats
    • Areas of improvement in research and development necessary for narrowing the gaps
    • The attack surface: Is there one universal attack surface today? Or are we seeing a resurgence of ‘closed’ or ‘siloed’ attack surfaces emerging once more?
    • Bombs, Bullets, or Bits: What Has the Potential to do the Most Harm in the 21st? How as Professionals can we aid in mitigating the risk


          Confirmed Panelists for this talk!

-- Josh Corman, Research Director, Enterprise Security Practice, the 451Group
-- Marc Eisenbarth, Security Researcher, HP TippingPoint DVLabs
-- HD Moore,HD is Chief Security Officer at Rapid7 and Chief Architect of Metasploit 
-- Dave Shackleford, founder and principal consultant with Voodoo Security, and a SANS instructor and course author

 -- Alexander Hutton is a Principal in Research & Risk Intelligence with Verizon Business 

-- Caleb Sima, Chief Executive Officer, Armorize




  • Name: Will Gragido, @wgragido

  • Title: Perfect Asymmetry:  How the Establishment of Cyber Reputation Management (CRM) via Global Threat Intelligence (GTI) Improves Visibility and Next Generation Threat Mitigation

  • Abstract:

Organizations the world over painstakingly work to preserve their reputations and brand value in the face of ever changing business climates.  Even in the absence of the dynamics associated with conducting business, organizations in the public and private sectors must be increasingly vigilant in safe guarding their reputations in traditional and non-traditional forums alike.  Lessons learned in the late twentieth century and the first decade of the twenty-first century have demonstrated in unequivocal terms maturity and unparalleled determination in both focus and effort with respect to goal attainment by cyber actors in the threat landscape.  Never before in the history of the analysis of cyber activity has this been more the case than today.


As a result the need for the establishment of Cyber Reputation Management (CRM) has now become a requirement rather than an option in safe guarding the cyber profiles of businesses and individuals the world over.  Evidence of this can be seen in the vast number of cases associate with compromised web presences, advancements in botnet works, IP Fast Fluxing, DNS Fast Fluxing and the countless cases of documented subversive multi-vector threats identified over the course of the last decade.  This paper will strive to identify contributing factors which have and continue to influence the proliferation of these threat conditions while addressing specific examples and advanced threat mitigation solutions such as Global Threat Intelligence assembly for combating and mitigating such occurrences. 


Join Will Gragido, Sr.Product Line Manager, of HP TippingPoint’s DVLabs , and co-Author of Cybercrime and Espionage: Analysis of the Subversive Multi-vector Threat for this lively discussion!


  • Name: John Pirc, @jopirc
  • Title: Culture Shift: Social Networking and Enterprise Environments (Security Risk vs Reward)
  • Abstract: Social networking for most of us is becoming wrapped into our DNA.  This is especially important for the next generation workforce. Additionally, the employees today and those of tomorrow will expect the capability to blog and social network with corporate assets and corporate bandwidth. Additionally, these technologies are being widely used for corporate marketing and communication.  That’s why it’s important to look at all aspects of securing your infrastructure and more importantly, the people that drive your organization today.  This involves educating people, corporate process and the right security technologies.  The following session will cover the benefits and the security risks inherit with social networking across all business verticals. Additionally, the talk will cover the analysis of transparent web beacons being used to collect information of interest.


Join John Pirc, Sr. Product Line Manager, of HP TippingPoint’s Next Generation Security Products , and co-Author of Cybercrime and Espionage: Analysis of the Subversive Multi-vector Threat for this discussion.


  • Name: Marc Eisenbarth / http://dvlabs.tippingpoint.com / hwhack _at_ hp _dot_ com
  • Title: Active Exploitation Detection 
  • Abstract: Security professionals have a massive number of acronyms at their disposal: IPS, VA, VM, SIEM, NBAD, and more. This talk is about a tool that resists classification by these acronyms. The goal of Active Exploitation Detection (AED) is to actively monitor and identify compromise of arbitrary, remote systems with the express intent to discover novel exploitation methods, track down elusive zero-day details, compile a list of known-compromised hosts, and most importantly get into the mind of today’s cyber criminals. Simplistically, AED correlates changes visible to the remote monitoring system with external stimuli such as software patch schedules and security media sources in order to gain unique insight into the security threat landscape on an Internet scale. AED is a framework which is driven by arbitrary pluggable modules that must provide four high level implementations, namely port scanning, application identification via static and dynamic methods, and a data mining engine. The primary goal of this talk is to both present findings that trend the threat landscape of the Internet as a whole, and the tool itself, which is a means to introduce the audience to a number of best-of-breed open-source tools which have been integrated into this project.  


  • Name: Dave Shackleford, www.daveshackleford.com/@daveshackleford
  • Title: Get Secure or Die Tryin'
  • Abstract: Ah, the life of a security consultant. You get paid well, tell people about their problems and how to fix them, and still see the same stupid human tricks over and over again. In this presentation, I'll talk about a few lessons learned in consulting. Often times, what we say or recommend is interpreted inaccurately, partially, or completely ignored by business units and sometimes even security or IT teams. This presentation will describe some interesting cases where recommendations were given, and hilarity ensued. Does security need its own Rosetta Stone? Hmmmm. Good question. 


  • Name: Dave Shackleford (@daveshackleford) & Andrew Hay (@andrewsmhay)
  • Title: A Brief History of Hacking
  • Abstract: Phreaking? Captain Crunch? Blue boxes? Not to mention LoD, MoD, and the evolution of cyberpunk in modern society. This may be all Greek to you, or you might know exactly what all of these monikers mean. Either way, come along for the ride as we revisit the beginnings of hacking, as well as the key players that contributed to its growth and notoriety. We'll cover the early days of phone phreaks and bulletin boards, hacker gangs and 2600, Kevin Mitnick and Cliff Stoll's story of how a 75 cent accounting error led to an international computer crime investigation. Learn about Bill Cheswick's evening with "Berferd", the first Trojan Horse programs, and which "hacker movies" are the most realistic, if that's even a possibility. Audience participation required - this thing is fast, furious, and ridiculous.


  • Name: Damon Cortesi (@dacort)
  • Title: Homo developomicus - Developers are human too 
  • Abstract: I spent ten years as a security consultant telling people how to secure their applications. From network security to web app security to full-on PCI compliance, I knew all the answers and was the first to tell my clients what they were doing wrong and how to fix it. Fast-forward and I'm co-founder of a web development startup writing code 16 hours a day. We may think it's easy to secure an application, but join me as I divulge stories of how I've gone down roads I would have previously crucified myself for. Learn how it's not that developers just don't give a damn, it's that we're just trying to build stuff that works. Look at security from the other side, that of those who actually need to implement it on a daily basis. 


  • Name: Kevin Bankston, Senior Staff Attorney; Eva Galperin, International Activist; Marcia Hofmann, Senior Staff Attorney; Kurt Opsahl, Senior Staff Attorney; Chris Palmer, Technology Director; Julie Samuels, Staff Attorney -- http://www.eff.org/ 
  • Title: Ask the EFF
  • Abstract: Hear the latest about digital civil liberties from the Electronic Frontier Foundation, the nation's premiere non-profit fighting for freedom and privacy in the computer age. Several members of EFF's staff will update you on the battle for free speech, electronic privacy, innovation and more. Half the session will be devoted to question-and-answer, so it's your chance to ask EFF about the law and technology issues that are most important to you.


  • Name: Brett McDowell, http://www.thesecuritypractice.com / @brettmcdowell
  • Title: PayPal's Experience with DKIM/ADSP Can Benefit Your Anti-Phishing Strategy
  • Abstract: In 2008 PayPal's CISO presented our new anti-phishing strategy through a paper we published in conjunction with RSA Security Conference titled A Practical Approach to Managing Phishing.  This session is a follow-up case study that shares our experience implementing that strategy with special emphasis on deploying the technology standards DKIM and DKIM ADSP.  The goal of this case study is to inform attendees through sharing PayPal's experience with these technologies so they are equipped to join us in growing this emerging authenticated messaging ecosystem.  As the ecosystem grows our collective exposure to phishing attacks diminishes, making the internet an inherently more trustworthy environment for everyone.


  • Name: Dr. Anton Chuvakin, http://www.chuvakin.org, @anton_chuvakin
  • Title: Something Fun About Using SIEM and Not Failing or Only Failing Non-Miserably or Not-Too-Miserably
  • Abstract: The presentation will cover my experiences building and running SIEM and log management tools - success tips, failure tips, best/worst practices, useful correlation rules, and stuff like that. To be honest, I plan to add a lot of new material on how to make SIEM even more useful, but none of it is finalized it. You have to trust me it would be fun! :-) And useful.


  • Name: Raffael Marty, http://www.loggly.com / @zrlram
  • Title: Log Analysis and Visualization in the Cloud
  • Abstract: In this presentation we will look at some of the challenges that the cloud is posing with regards to security. I will show that one of the bigger challenges is visibility. To solve the visibility challenge, we need new ways of managing, processing, and analyzing log data and infrastructure metrics. With the advent of the cloud, a number of big data management tools have become available. I will talk about all the hype technologies from Hadoop to NoSQL to Hive, Pig, and Cassandra, and show how they will change the log management world.
    Once the data management problem is solved, we still have an analytical challenge and I will show how visualization can help. We will discuss some visualization tools and a number of visualization use-cases and examples, such as network traffic and firewall data visualization, or ways of visualizing IDS data. 


  • Name: Hart Rossman, www.saic.com, @HartDanger
  • Title: 40 Hours and a Tool
  • Abstract: Do you ever get the feeling that the "talk" or "research" presentation you're listening to at a conference is essentially the result of 40 hours of work with some security tool? Where are the security scientists toiling away for years outside the limelight?  Where are the stories of repeated spectacular failures that lead to unparalleled successes that have changed the industry forever? Are you curious about the national cyber security research agenda and its capacity to unveil a new era of scientific innovation?  What are the open "hard problems" in cyber security?  How can governments, corporations, and individuals help bridge the gap between cyber security applications and cyber security scientific exploration? Come to this talk if you're interested in bringing the science back to security.


  • Name: Hart Rossman, www.saic.com, @HartDanger
  • Title: APC < APD > APT 
  • Abstract: Can your life as a security practitioner be summed up by the following equality: APC < APD > APT;  where A=Advanced P=Persistent {Compliance, Defenses, Threat}? Lots of conferences cover the APC and APT domains of the equality.  Let's have a talk about APD!  APD's defining features encompass collaborative security models that are ecosystem-driven, eventually consistent, real time, and fully integrate human intelligence tasks through an architecture of participation.

  • Name: Jim Manley/@txbikerider
  • Title: Bare Metal Client Side Hypervisor: The Next Big Thing?
  • Abstract: The desktop has been described as the new security perimeter but is manned by the weakest link in the security chain – the human. In spite of the enormous amounts of money and manpower go into maintaining the desktop against an increasingly sophisticated attacker, the tide remains in the favor of the threat actor. What if there was a way to effortlessly return a desktop to a known good state but still provide enterprise class management? Virtual desktop infrastructure solutions have been put forward as a means of doing just that but do not have provide the compute resources for high end users nor provide support for the mobile user. Bare metal client side hypervisors (BMCSHv) may be the answer. This presentation will address the potential of the BMCSHv as another tool for protecting the company network from the end user and the bad actors.


  • Name: Hart Rossman, www.saic.com, @HartDanger
  • Title: Security, Supply Chains, and You
  • Abstract: "It’s a national security imperative in a global economy that we have confidence in the supply chains of integrated systems and the integrity of the people, processes and technology that comprise them." -- Me. “In the digital age, sovereignty is demarcated not by territorial frontiers but by supply chains.” – Dan Geer, CISO In-Q-Tel. If you plan, build, operate, sell or buy anything that includes hardware, software, or online services, then this is the talk for you!  This presentation will cover the state of the art in IT supply chain security, with an emphasis on managing risk resulting from the product of inter-relationships between system & product development lifecycles across the supply chain. From acquisition to disposition, this talk will have something for everyone :) This presentation will highlight leading research from a multi-year study at the University of Maryland's Supply Chain Management Center, alongside government & industry efforts, to characterize the state of the art, use & abuse cases, threats, and suggest some solution sets that can be embraced by the IT supply chain ecosystem.


  • Name: Marcia Hoffman, eff.org
  • Title: Wikileaks, Free Speech, and You
  • Abstract: How does the controversy swirling around Wikileaks affect us? This presentation will discuss the legal rights of publishers, hosts, and readers of Wikileaks documents. We'll talk about what the First Amendment means for those who publish leaked government and corporate information, whether Wikileaks, the New York Times, or the average blogger. We'll also consider the free speech implications of mirroring or hosting documents, as well as reading and getting involved in the public debate about them.


  • Name: Robert Zigweid / robert.zigweid@ioactive.com
  • Title: Threat Modeling: Learn to Optimize Your Security Budget
  • Abstract: This presentation will discuss how threat modeling, when implemented properly, is an effective tool organizations can use to mitigate risk. Since threat modeling is not a revenue generating process, many organizations overlook it because they think it requires too much time. This presentation will counter this misconception by emphasizing the economic value of threat modeling. When used correctly, it can be a cost-saving technique that helps organizations avoid reputational loss, decrease money spent to repair broken or compromised products, and save customers money. Often cost-savings is a difficult number to quantify, but how do you really put a price on quality?

    In addition to describing the economic benefits of threat modeling, this presentation will discuss best practices for implementing threat modeling, including when to begin threat modeling, how much threat modeling to perform, and who should be involved. Threat modeling can actually be used too early in the product lifecycle; organizations should at the minimum know what they are building and the product’s assets before beginning to threat model. However, it is important to remember that threat modeling is an ongoing process that doesn’t stop when a product is on the market. Attackers will not stop developing threats because a product has gone to market, so it’s important to continue to counter these threats and prevent attacks. By listening to this presentation, attendees will gain a better understanding of the process of threat modeling and how it can benefit their organizations.


  • Name: Joe Gottlieb, joe.gottlieb@sensage.com, @joe_gottlieb
  • Title: Open Security Intelligence: Art of the Possible or Science of the Necessary?
  • Abstract: As cyber crime and cyber war drive up the stakes involved, security management has become much more proactive - organizations must understand where they are most vulnerable, where they have been hacked, and why. Currently, organizations have *too much* security data and not enough tools to efficiently analyze it.  They have security *content*, but not enough *context* to recognize new attacks or trends that might indicate a breach.  What’s missing is the ability to “mine” security data to find the key bits of information that may define a new attack. With so many logs and data stores from so many systems, network, and security tool vendors, it’s a nightmare to find the key “needles” in the haystacks of security information. This process of mining security intelligence needs to be improved – and it needs to be open. 

    Nearly a decade old, the SIEM and log management market has matured over time and is now widely adopted among large enterprises and government agencies seeking to maintain compliance and respond to security incidents. Unfortunately, most SIEM and log management products constrain end users’ ability to drill down and analyze the data, which is so necessary to drive informed incident response and the continuous improvement efforts originally intended by compliance regulations.

    Led by a panel of security management experts, this talk will discuss emerging use cases that are “prying open” SIEM platforms, analytics and dashboards. Sub-topics of interest will include:

    - How to Walk, Talk and Dream Like a Security “Quant”
    - SQL as Cyber-attack Signature Language
    - Leveraging BI Tools to Mine Security Data
    - Dashboards For All My Friends (CISO, CIO, CEO, Customer 1, Customer 2…)

    The goal of this session is to stimulate an industry dialogue on how best to turn “the art of the possible” into “the science of the necessary” when it comes to truly customer-driven security data analysis. Panelists will include: Joe Gottlieb, CEO of SenSage; Andrew Hay, Security Analyst at The 451 Group; and Dan Ritari, Vice President of Enterprise Information Risk Management at Deluxe Corporation. Come join the debate and help shape the revolution!


  • Name: Nicholas J. Percoco / http://blog.spiderlabs.com / @c7five
  • Title: Highlights from Global Security Report 2011: Evolving Attack Vectors
  • Abstract: The 2011 Global Security Report correlates data from hundreds of compromise investigations and thousands of penetration tests conducted in more than 40 countries in 2010. This year’s edition offers a unique analysis of the world's information security weakness and defense capabilities, including the newest threats businesses will face in 2011. The report also analyzes the shift in attack vectors over the past 30 years from physical threats in the 1980s to those arising from mobile computing and social networking in 2010. This talk will include the most interesting trends and ideas that are explored within the report. In addition, we'd like to use the BSides audience as a sounding board for comments and feedback on this year report. Feedback will be taken and applied to the data gathering and creation of the 2012 report.


  • Name: Aaron Cohen, http://thehackeracademy.com / @aaronco 
  • Title: Selling Security Without Selling Your Soul
  • Abstract: Most people don't "get" security, and it's hard to convince them of what they need...manager, executive, boss or client prospect.  We constantly try to persuade people with our ideas, sometimes they take it, but usually they leave it.  Whether or not someone buys security has nothing to do with whether they need it or not, it has to do with whether they think they need it, and that is our job as a sales professional.  The sky can only fall so many times, which is why it is imperative to learn to sell security without selling your soul.  In this talk with will discuss and show real world examples as to how to be effective in different sales scenarios, which is important for those that want to win business, consulting gigs, project funding and in some cases keep your job.


  • Name: Brett Hardin and Mike Dahn
  • Title: Being Sneaky about Security and Regulations OR "Misdirection: The Rise and Fall and Rise of Regulatory Compliance"
  • Abstract: Mystery Talk! OR... To prevent compliance we need critical-mass adoption of sound security practices. The last 1000 years has shown that we cannot achieve such a lofty goal. As industries inoculate the population to save the individual, this presentation will help you make compliance a by-product instead of an end-goal.  The lessons learned here can be used for good or evil... don't be evil.  


  • Name: Gary Palgon, @GaryPalgon
  • Title: A New Approach to Enterprise Data Security: Tokenization
  • Abstract: To lower the risk of data theft and comply with privacy laws, organizations are seeking ways to secure more types of sensitive and confidential data. A new data security model — tokenization — is proving effective for securing credit card numbers as well as personally identifiable information while reducing scope for PCI audits and lowering business risk across the extended enterprise.


  • Name: Chris Poulin, @chrispoulin, chris.poulin@Q1Labs.com
  • Title: 7 Things You Didn't Know You Could Do with SIEM
  • Abstract: SIEM has the reputation of being as hard to get right as an SAP implementation. It doesn’t have to be an exercise in futility, and when it’s done right with the right tool, SIEM can be the Swiss army knife of your security program. For the white hats, find out the unique ways others are using SIEM to gain real security intelligence; if you’re on the darker side, this is an opportunity to gather some counterintelligence. If you think SIEM is log management with a fancy name, this demonstration of how it can provide DLP, fraud detection, and evolving situational awareness will challenge your preconceptions.


  • Name: Sandy Bird, Sandy.Bird@Q1Labs.com
  • Title: You want to put that WHERE?
  • Abstract: For years, security program managers have talked about needing a warehouse for all of their security information so it's easier to correlate events and identify threats. Without a plan, a central repository is just a dumping ground. What logs and context data should you collect to transform the pile of data into actionable security intelligence? Some event sources have more value and need to be prioritized, taking into consideration other security solutions already in place. We'll discuss situational awareness and 3rd party feeds, including malware domains, bot command & control lists, Zeus Trackers, as well as the pitfalls, and how you should craft rules to take advantage of the amalgam of security information at your disposal. We'll also cover tuning a SIEM to optimize its performance and effectiveness, and offer some methods of importing security intelligence feeds into just about any SIEM, with product-specific tips as a bonus.


  • Name: Scott Dunlop / Senior Security Consultant at IOActive / www.ioactive.com
  • Title: Reverse Engineering Using the Android Emulator
  • Abstract: Google provides Android developers a nice shrink-wrapped package of tools for writing and testing Android applications without actually purchasing a device. All hackers get from Papa Google is the source code for those fancy tools and an urge to break things. This is an ideal recipe for disaster to occur. In this presentation, Scott Dunlop and IOActive will present research from the evil eye view of perspective of a hacker. Scott will demonstrate how to combine the Android Emulator, associated SDK, JDWP and Baksmali to dissect, instrument and tamper with Android applications for fun and profit. As with all great talks, this one includes a live demonstration of dissecting an Antivirus application from the Marketplace.  

          The Presentation outline will include:

a> Overview of Android application security model.

b> Typical Android mount points and filesystem layout.

c> Extract filesystems from Android Emulator images.

d> Constructing new filesystems using Android Emulator images.

e> Using JDWP and ADB to instrument Android applications.

f> A live demonstration of dissecting an Antivirus application from the Marketplace. 


  • Name: Iftach Ian Amit @iiamit / VP Business Development at Security Art
  • Title: Pushing in, admiring the view, and pulling out slowly without anyone noticing
  • Abstract: The Subtle art of penetration and exfiltration. The industry is saturated with penetration testing experience and have adapted itself to test organizations using "best practice" methodologies over the past decade or so. With not a lot of changes happening in the field, organizations find themselves on the defense with not a lot to account for when data breaches happen. In this presentation we will offer an alternative view of how a security test is done, with a strong focus on data exfiltration techniques employed by advanced attackers and criminals. After an overview of how the initial phases of how an attacker would infiltrate a business (common knowledge), we will explore the targeting considerations when choosing what to look after, as well as advanced techniques for getting the data out without being detected. Finally, some approaches to data monitoring and control would be proposed in order to mitigate the techniques that are already in place and have affected large organizations. 


  • Name: Steve Piper, spiper@sourcefire.com, Sourcefire 
  • Title: Achieving Optimal Network Security Through A Shared Intelligence Framework
  • Abstract: Today's cyber threats are growing in both number and sophistication. To keep up, organizations are compelled to acquire "best-of-breed" network security solutions, but are frequently disappointed with the lack of technical integration among them. In this session, you'll discover how operating in a shared intelligence framework can increase security, reduce risk and lower total cost of ownership.


  • Name: Andrew Hay, @andrewsmhay, Senior Security Analyst, The 451 Group
  • Title: Attacking Cyber Security Marketecture 
  • Panelists:
    • Richard Bejtlich, Director, Incident Response at General Electric
    • Rob Lee, Director, MANDIANT Corporation 
    • Amit Yoran, CEO, Netwitness
  • Abstract: There are likely no terms wielded within the information security industry with greater carelessness than those of ‘Cyber Security’ and 'Cyberwarfare'. A $55b market by 2015, the nation-state Cyber Security market can not, and should not, be defined by the broad strokes employed by enterprise marketing personnel. Chaired by Andrew Hay, this panel of industry experts with hands-on experience protecting cyber security assets serves to provide unbiased third-party insight into the differences between traditional enterprise security and government, military and intelligence agency-driven Cyber Security. 


  • Name: Marisa Fagan, VP Marketing & Project Services, Errata Security
  • Title: SDLC Survey 2.0: A look at secure coding program adoption, past and future.
  • Abstract:  2010 was the year of the call for measurements. Errata Security announced a survey at Security BSides SF 2010 measuring developers' adoption of secure coding techniques in their Software Development LifeCycle. Using the data collected, Errata published a free whitepaper discussing the current adoption rate in the security affiliated community. We found that the SDL model had serious limitations. This year at BSides, we will announce the second year of the SDLC survey, and discuss our predictions for how the landscape is changing for getting more application security "baked in."


  • Name: Ivan Ristic (http://blog.ivanristic.com / @ivanristic)
  • Title:  Stop complaining and solve a security problem instead!
  • Abstract: We have failed. Decades of ignorance have brought us to this point, right now, where software is universally insecure. It's tempting to hope that someone else will make things better, but letting things slide is exactly what got us here. Pointing to problems is not enough, either. We must pick ourselves up, dust ourselves off, and start fixing things. We must each take a problem -- no matter how small -- and fix, or help fix, the root cause. Talk will be updated with the announcement of the fund-raiser for OpenSSL to implement TLS 1.2. You can find the current slides here. Note: Should my talk be selected, please do not schedule it before the lunch on the first day. 


  • Name: Ron Woerner, CyberSecurity Director, Bellevue University, ronw2007@gmail.com / @ronw123
  • Title: F*&%^ing with Humans - Using Social Engineering to get your way
  • Abstract: What?! No talks at BSidesSanFran on Social Engineering? Humans are too fun and easy to mess with not to have at least one talk on it.  Most attendees already have at least a basic idea of Social Engineering and how humans continue to be Security's weakest link. This session will expand on that knowledge/experience.  Technology won't/can't/shouldn't stop this problem. We need to understand Human wetware in order to stop the mindlessness that causes security breaches.  That's what this is about. I'll start by sharing what I know about Psychology & Human Factors (using Chris Hadnagy's SE book as a reference). Then we'll have a conversation on other SE techniques, how to use it to improve our security programs, and how to better prepare the humans in our organizations. Social Engineering is everyone's problem, so let's work together to solve it as best we can.  I'm open to leading this session with others who want to join the party.


  • Name: Eric Irvin, Security Solutions Architect, Alert Logic, eirvin@gmail.com / @secrunner
  • Title: Nobody Likes You and You Look Funny
  • Abstract:  So you read the blogs, are active in the forums, go to BSides/Defcon/Blackhat/etc and stay in tune to the latest hacks and techniques to prepare your organization against the next mega attack. Yet, when you try and talk to your leadership and management, they look at you as if you have lobsters crawling out of your ears. Traditionally, most organizations are stuck in old mindsets where smart people are often viewed as being "geeks" or "nerds". When we start talking about the new 0-day or how our there are too many Domain Admin's running wild, they just see it as "blah blah blah geek stuff blah blah blah". So how do you get them to take you seriously and understand the risks that you are finding? In this talk, we will discuss how many geeks have been able to earn the respect of their leadership and executive teams, improve your ability to communicate, and advance in your career through hacking the business game. 


  • Name: Eric Irvin, Security Solutions Architect, Alert Logic, eirvin@gmail.com / @secrunner
  • Title: What the Vendor Isn't Telling You: Confessions of a Security Vendor Monkey
  • Abstract:  Have you ever wondered why security companies hire some of the people they do to sell security software? What REALLY is the difference between MegaSecurity Company X and Y's firewall product? Can you really believe the hype from a trade magazine or "independent report"? During this talk, I will explain some of the games vendors are playing. I'll also speak on making the change from working as a consultant or in an enterprise, to going to work for a security company. Finally, I'll answer any question you may have as to some of the games we play and how we play them.


  • Name: HD Moore, Chief Security Officer, Rapid7, hd_moore@rapid7.com, @hdmoore
  • Title: When CSOs Attack
  • Abstract:  This talk will discuss my experience implementing mandatory audits of new products and services in the office of the CSO and how the results led to better decisions across the organization. Security researchers tend to see the world in an odd light; every product is a source of potential exploits, exposed services are an invitation to attack, and vendors are not to be trusted. By contrast, the folks who are responsible for enterprise security have to focus on business enablement, risk management, and juggling costs with accumulating technical debt. Over the last 15 months, we have implemented a security program that tries to bridge these worlds by bringing security audits into the first phase of due diligence for new products and services. The results have been extremely positive; we have able to identify bad solutions prior to investing substantial amounts of time in implementation, have improved the security of the solutions we did accept, and developed tons of new vulnerability checks, exploit modules, and advisories in the process.  While this talk will cover the overall process and some of the most surprising results, it will also dive into the technical details of the most interesting vulnerabilities and their exploits.


  • Name: Brian Lucena, Chief Mathematician, Guardian Analytics, blucena at guardiananalytics dot com 
  • Title: Fraud or Not?: Using Behaviorial Data to Tell Friend from Foe
  • Abstract: Who can you trust? Take the case of financial institutions: Banks often incorrectly flag completely legitimate online behavior as fraud and miss real fraud altogether. Making matters more confusing is that many online behaviors that indicate fraud have a high “legitimate probability,” meaning they’re actually quite common in genuine user behavior. In this talk, I’ll show how to use behavioral data and probabilities to determine the relative riskiness of a given visitor on your website. I’ll also present some rarely known customer behavior statistics from financial institutions, revealing just how difficult it has become for them to identify true fraud. 


  • Name: Logan Kleier, Chief Information Security Officer, City of Portland OR, logan.kleier@portlandoregon.gov, @PortlandInfoSec 
  • Title: Stupid is as Stupid Does: Security Awareness Training 
  • Abstract:  Every security professional and control regime teaches that end users must be trained to be aware of security threats. This training comes in many forms: email, computer based training, posters, and even brown bag sessions. However, it's rarely asked whether any of this works. Does security awareness training change people's behavior? If it doesn't, why not and what is to be done? Is it possible that training just wastes everyone's time? This session is designed to answer these questions by presenting a summary of research on security awareness and how we can more effectively spend our time as security professionals if this training isn't truly paying of in a terms of creating a more secure environment.


  • Name: Daniel Peck, Barracuda Networks (@ramblinpeck)
  • Title: Lessons Learned From Running a Bug Bounty Program 
  • Abstract:  A few months ago, Barracuda Labs launched a bug bounty program, soliciting and rewarding security researchers for finding vulnerabilities in our security appliances. We weren't the first people to do this kind of program, but we were the first security product vendor to do so. As such, we've got a bit of an interesting perspective.  In this talk, we’ll share the conversations we had with the other parts of the company (marketing/engineering/execs) to get buy in to start the program, as well as tips on processes to have in place to make everything run smoothly. We will also share stories of miscommunication, pissed off developers, and researchers who have a hard time following the simplest of directions.  We'll also talk about some of the benefits to a bounty program, counterarguments to the naysayers, and some stats on the types of vulnerabilities reports we receive. 


  • Name: Ray Kelly, Barracuda Networks (@vbisbest)
  • Title: Screw the TSA: I’ll Be Where I Want, and Get Credit for It! 
  • Abstract:  It’s no secret that the rapid growth in popularity of location aware social networking sites, such as Foursquare and Facebook Places, a new target is presented for mischievous hackers to exploit. What’s to be gained by GeoHacking? Free t-shirts, free coffee, or a new car? This talk will explore how the API’s work for Foursquare and Facebook, and how hackers can use the API against itself to put a user somewhere to get “Credit” for it.  We will discuss the list of services that use location and ways to fake location with popular services (demo), examine the threat overview/risk matrix of what someone can accomplish with fake location, and review possible countermeasures. 


Comments (0)

You don't have permission to comment on this page.