If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.
Buried in cloud files? We can help with Spring cleaning!

Whether you use Dropbox, Drive, G-Suite, OneDrive, Gmail, Slack, Notion, or all of the above, Dokkio will organize your files for you. Try Dokkio (from the makers of PBworks) for free today.
Dokkio (from the makers of PBworks) was #2 on Product Hunt! Check out what people are saying by clicking here.

BSidesStJohnsTalks2012

Security BSides St. John's

Friday, September 21st, 2012

Submitted Talks

Name: Karim Nathoo
Title: Command and Control and Data Exfiltration, Version 2.0
Abstract: As defenders become more proficient at using network based detection techniques to identify the presence of malware on enterprise networks, we have inevitably seen attackers shift tactics to make network based detection more difficult. This talk will present a survey of both common and lesser-known techniques used by attackers to perform command and control functions and data exfiltration from enterprise networks and avoid detection. Case studies based upon analysis of malware found in the field will be presented to demonstrate that the techniques to be discussed have graduated into mainstream use. Each technique will be discussed in the context of the ability of current safeguards to detect and prevent use of the technique. Proof of concept code demonstrating techniques that could be observed in the future will be shared with the audience.

Offensive practitioners will be able to use the techniques discussed to perform more effective penetration tests and red team engagements. Defensive practitioners will come away with a better understanding of current blind spots within their networks and deficiencies in current threat models. Recommendations for better defenses will be presented to the extent possible. This talk will be presented at a level applicable to both technical and management level audiences.

Name: Darryl MacLeod
Title: Have Credentials, Will Travel... Literally.
Abstract: As we all know, infosec certifications have been taking a beating lately. Many feel that they are not worth the time or effort to obtain. Darryl MacLeod is proof that they are, in fact, worth the effort.

In his presentation, Darryl will tell the story of his long journey from audio geek to infosec geek. He has gone from working for small Atlantic Canadian IT companies to working for a global Information Security firm. All due to his certification efforts, the support of the Atlantic Canadian Information Security community… and a bit of luck.

Join Darryl as he tells you where he has been, what he has done (right AND wrong), and where he is now.

Name: Stefano Tiranardi
Title: Today's Threat Landscape – Facts, Figures, Myths and Perceptions
Abstract: This presentation will focus on the changing threat landscape and how it affects today's information environments by examining threat statistics from Symantec's Global Intelligence Network and discussing how some popular myths and perceptions have affected our security strategies and potentially made life easier for today's attackers.

Name: Bruno Germain,
Title: Services defense in depth: an emerging paradigm for protecting the Data Center
Abstract: The current and accepted methodology for deploying network security is based on establishing security zones and letting compliant traffic flow through. Application layer attacks of the last years, new functionality in products and corporate liability for employee’s Internet activities have forced us to revisit the model and adapt it in order to offer more granular “per service” protection with the challenges of tool proliferation and operational complexity. This session is a security architecture discussion meant to introduce you to current security challenges and see how they get addressed by large organizations such as banks, Facebook, Sony and their likes

Name: Mark Nunnikhoven,
Title: The Basics & Other Things That We're Probably Doing Wrong
Abstract: We're barely keeping our heads above water while trying to defend our information. We always need more time, money, and people in order to implement our security programs. But what if we're focusing on the wrong things? What if the core principles we hold dear no longer hold true?

In this talk, we'll discuss those core principles and--given where things are and where they are headed--try to figure out;

- do we have the right set of controls?

- are we using those existing controls in the right manner?

- where are the gaps in our defences?

- how do we not go crazy while trying to figure this all out?

Name: Jamie Goodyear,
Title: Anatomy of an Apache vulnerability report, and Secure Release Management
Abstract: In this talk we'll discuss the procedure for reporting a security vulnerability to an Apache project, and what you as a reporter should expect to see happen as the project community validates the issue, and proceeds towards a resolution. We'll then switch gears to talk about how users can validate that their Apache project downloads are in fact legitimate.

Name: Kellman Meghu,
Title: How NOT To Do Security: Lessons Learned From the Galactic Empire
Abstract: An analysis of the strengths and weaknesses of the Galactic Empire security policy. This presentation seeks to conduct a post-mortem on the data security policy implemented during the events that led to the destruction of critical technology needed by the Empire for continued operational efficiencies. A history of the company, as well as a detailed look at the events that followed, provides a great working analysis that can be applied to your policy in hopes of avoiding the same fate. Learning from past mistakes, let's ensure we are not doomed to repeat them, and potentially, suffer a similar fate.

Name: Russ Doucet
Title: Key Considerations in Securing Internet Access
Abstract: While the internet offers us access to a wealth of information and tools, we know it is increasingly being used as the vehicle to compromise our infrastructure via viruses, malicious code, advanced persistent threats (APT’s) etc. This leaves us with two important challenges:

1) How do we customize our users’ internet access to their business requirements and

2) How to minimize the risk that invariably comes with giving users internet access

We will explore the various ways in which your users’ internet access can compromise your security and application performance and how a multi-layer approach can help you to customize user internet access to their work-related requirements while minimizing the chances of being successfully attacked or hacked. We will also discuss the role of policy and procedure in establishing internet use guidelines, surveillance and enforcement.

Schedule

Friday September 21st, 2012	Track 1
8:30 AM - 9:00 AM	Registration\Networking - Coffee and Muffins Served
9:00 AM - 9:10 AM	Opening Remarks
9:10 AM- 9:50 AM	Name: Mark Nunnikhoven Talk: The Basics & Other Things That We're Probably Doing Wrong
10:00 AM - 10:20 AM	Name: Jamie Goodyear Talk: Anatomy of an Apache vulnerability report, and Secure Release Management
10:30 AM - 11:20 AM	Name: Russ Doucet Talk: Key Considerations in Securing Internet Access
11:30 AM - 12:20 AM	Name: Karim Nathoo Talk: Command and Control and Data Exfiltration, Version 2.0
12:30 PM - 1:30 PM	LUNCH
1:30 PM - 2:20 PM	Name: Kellman Meghu Talk: How NOT To Do Security: Lessons Learned From the Galactic Empire
2:30 PM - 3:00 PM	Name: Darryl MacLeod Talk: Have Credentials, Will Travel... Literally.
3:00 PM - 3:30 PM	Break
3:30 PM - 4:20 PM	Name: Bruno Germain Talk: Services defense in depth: an emerging paradigm for protecting the Data Center
4:30 PM - 5:20 PM	Name: Stefano Tiranardi Talk: Today's Threat Landscape – Facts, Figures, Myths and Perceptions
5:30 PM - 6:00 PM	Grand Prize (iPad) Give Away
6:00 PM - Onwards	Finger Foods\Drinks and Social Gathering