• Earn a $50 Amazon gift card for testing a new product from the makers of PBworks. Click here to apply.

  • If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

View
 

BSidesATL-2012

 

Event Details:

 

When: Friday, October 19, 2012

 

Where: Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, Ga (The Earthlink Bldg).

The venue is located on the 6th floor. Front Desk will instruct attendees on which elevator bank to use to reach the secured floor.

 

Parking: Parking can be found in several locations near the venue.

  • Before 9:30, parking in the building is $6/day
  • After 9:30, $8/day (mention BSides)
  • $3 Early Bird 1/2 block south and nearby

 

Cost: Free of course!

 

Videos of BSides Atlanta 2010 and 2011: http://vimeo.com/user5089985

 

Sponsors

To make the very most of this event, we need your help! We currently are looking for sponsors. If you are interested in sponsoring, please contact Nick Owen at nowen at wikidsystems.com or securitybsidesatl at gmail.com.

 

We would like to thank the sponsors that have contributed to this year's event. Without you these events are not possible.  

THANK YOU!

 

Our current sponsors include:

 

 

We’re a curious bunch that makes digital things — and not just apps or banners or sites. We bring digital to life with integrated solutions that make sense — for the companies that need them, the users that demand them and the digital world that consumes them.

 

The WiKID Strong Authentication System is a patented dual-source, software-based two-factor authentication system designed to be less expensive and more extensible than hardware tokens. The WiKID Strong Authentication Server comes as a software appliance, an ISO or in RPM format and works in conjunction with software tokens running on PCs (Windows, Mac, Linux) or smart phone to securely deliver one-time passcodes. WiKID uses public key cryptography allowing greater extensibility and cross-enterprise two-factor authentication without requiring multiple tokens. A trial version of the server is available for download.

 

Amidst the growing noise of polarizing security topics, hacking vs compliance religious warfare, and misunderstood risk phobias, VerSprite provides tailored security guidance that supports technology and operational objectives. VerSprite reflects a fresh take on understanding and managing risk around people, process, and technology. Focusing on GRC, AppSec, and BCM solutions, VerSprite's hybrid approach to InfoSec navigates beyond the super-hyped to a more balanced approach to functional security. Discover more at www.versprite.com.

 

Founded twenty seven years ago, Sayers has grown into an industry-leading IT services and solution provider, offering the latest and most sophisticated technologies. Over the past three decades, we have established a powerful track record of success, highly personalized service and lasting client relationships.

Companies stay with Sayers because we deliver. We create customized, thoughtful solutions to meet their needs, not off-the-shelf approaches, or technology companies do not need. We partner with world-class vendors.

Our senior professionals are focused, customer-driven and among the most experienced in the business. Sayers is an independent, minority-owned business committed to our core values and to producing exceptional results for our customers.

 

Stach & Liu provides IT security consulting services to help companies secure their business, networks, and applications. Our team is comprised of industry experts and thought leaders with over 100 years of combined experience.

 

Rapid7 is the leading provider of security risk intelligence solutions. Rapid7's integrated vulnerability management and penetration testing products, Nexpose and Metasploit, empower organizations to obtain accurate, actionable and contextual intelligence into their threat and risk posture. Rapid7's solutions are being used by more than 1,700 enterprises and government agencies in more than 65 countries, while the Company's free products are downloaded more than one million times per year and enhanced further by over 125,000 security community users and contributors. Rapid7 has been recognized as one of the fastest growing security companies worldwide by Inc. Magazine and is backed by Bain Capital Ventures. For more information about Rapid7, please visit http://www.rapid7.com

  Securosis is an information security research and advisory firm dedicated to transparency, objectivity, and quality. We are totally obsessed with improving the practice of information security. Our job is to save you money and help you do your job better and faster by helping you cut through the noise and providing clear, actionable, pragmatic advice on securing your organization.  Following our guiding principle of Totally Transparent Research, we provide nearly all our content for free.  
 

Tenable Network Security is a privately held company founded in 2002 by security product innovators Ron Gula, Renaud Deraison and Jack Huffard. Together with Tenable CSO, Marcus Ranum, they have developed a Unified Security Monitoring approach based on the award winning Nessus scanner for securing enterprise networks world-wide.

 

Lancope, Inc. ® is the leading provider of flow-based monitoring to ensure high-performing and secure networks for global enterprises. Unifying critical network performance and security information for borderless network visibility, Lancope provides actionable insight that reduces the time between problem onset and resolution.

 

Through strategic partnership with industry leading and innovative security product manufacturers, Sword & Shield delivers best-of-breed security technologies for enterprise IT environments in the Fortune 1000. With a highly trained professional staff, Sword & Shield has extensive experience in network security and regulatory compliance for large-scale corporate IT environments and mission-critical federal systems.

 

Mission Critical Systems is an information technology security reseller and integrator focused only on security solutions.  We have been providing top quality security products and consulting services throughout Florida, Georgia, and the Caribbean since 1997.

 

Our mission is to provide best-in-breed data and network security products and expert services that will reduce our client's exposure to information theft and destruction. We advocate a comprehensive approach to information security - evaluating all aspects of an organization's vulnerabilities from internal compromises to external threats; and, can provide your organization with the tools, controls and training to secure your infrastructure. Our sales and engineering professionals will work with you to design and implement strategies to address your complex information security challenges.  

Barracuda Networks, Inc. offers industry-leading solutions designed to solve mainstream IT problems – efficiently and cost effectively – while maintaining a level of customer support and satisfaction second to none. Our products span three distinct markets, including: 1) content security, 2) networking and application delivery, as well as 3) data storage, protection and disaster recovery.

 

While we maintain a strong heritage in email and web security appliances, our award-winning portfolio includes more than a dozen purpose-built solutions that support literally every aspect of the network – providing organizations of all sizes with true end-to-end protection that can be deployed in hardware, virtual, cloud and mixed form factors.

 

Schedule

 

Time Track 1 Track 2 ACE Hackware Village Podcast Room
8-9am Registration and Coffee/Breakfast  
9-10am KEYNOTE - John W Graham
     
10-11am Rob Ragan & Oscar Salazar Daniel Peck ACE Village All day podcasting
11-12pm Gursev Singh Kalra Robert David Graham ACE Village All day podcasting
12-1pm LUNCH All day podcasting
1-2pm Mike Rothman Bill E. Ghote ACE Village All day podcasting
2-3pm Jason Ding James Edge ACE Village All day podcasting
3-4pm Tom Cross Valerie Thomas ACE Village All day podcasting
4-5pm Patrick J.D. Taylor Adam Compton ACE Village All day podcasting
5-7pm Reception  

 

Abstracts

John W Graham - KEYNOTE Speaker

 

John W Graham is the Vice President of Global Information Assurance and Risk, with the First Data Corporation and represents First Data on the Payment Card Industry (PCI) Standard Council Board as a member of the board of Advisors. John has an extensive background as an Information Assurance executive with experience in strategy, design and implementation of solutions, which provide governance in Enterprise Risk Management, IT Risk Management, Security, Privacy, Compliance, and Business Continuity. Prior to joining First Data, he has provided technology transformation consulting, executed global programs for a fortune 50 technology enterprise, as well as, several global service providers, large scale acquisitions, and business partners in technology, communications, healthcare, and financial industries. This is to include oversight and implementation of the Payment Card Industry Standard (PCI), ISO 27001 certification and governance of companies in the US, European Union, India, and South America. He has a complex technical background including Enterprise Architecture, Cloud Computing, Networking, IPS, relational database, and Unix. He prides himself on balancing business need with control, through understanding both business & technology constructs.

 

His professional certifications include CISA, CISM, CISSP, CRISC, which complement more than 20 years experience in Technology. He balances this with a Bachelors of Business Administration degree in Marketing from Georgia Southern University, and a Masters of Science in Information Assurance (MSIA) from Norwich University in Northfield Vermont.

 

Rob Ragan & Oscar Salazar

Attack Chaining: Advanced Maneuvers for Hack Fu
Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.

 

Robert David Graham

Freaky Economics of Cyber security, part 1

Expansion of blog posts like these into a presentation:
http://erratasec.blogspot.com/2011/12/freakonomics-vs-cybersecurity.html
http://erratasec.blogspot.com/2012/07/myth-that-secret-coffee-slush-fund.html

Whenever economics is discussed in terms of cyber security, it's in the context of "market failure" and why we need to punish Microsoft for Flash vulnerabilities and Java 0day. That's not economics, just politics. This talk is about real economics. It starts with basic college-level Economics 101, then uses that to discuss the strange ideas that economists would have about cyber security. In many ways, it's inspired by such books as "Freakonomics".

 

Mike Rothman

Controlling BYOD before it Becomes Your Own Demise

Mobile security is the hottest topic for senior security professionals as organizations struggle with how to support smartphones and other consumer-grade devices connecting to the network. This session will present a process to evaluate the risk of these devices, define appropriate policies, and control the use of these devices. We'll also discuss (at a high level) the security architectures of the major mobile phone platforms, and determine how to mix old and new controls to manage these devices.

 

Adam Compton

Professional Pen Testing and Learning from Your Mistakes

This presentation is a straightforward walk through a typical vulnerability assessment/penetration test methodology.  However, throughout the presentation, I will be highlighting several areas where I have seen mistakes made and how to avoid them.  Think of it as a "Learn from My Mistakes" kind of talk.  We all make mistakes; yes everyone makes mistakes.  The key is to learn from them.  Over my 12+ years, I have made several mistakes and seen others make them as well.  Hopefully by presenting some of these mistakes, you will not make the same ones.

 

Tom Cross

Hunting Insider Threats

Everyone has come to terms with the fact that even the best perimeter defenses are permeable, but where does that leave us? What is going on inside the network? How do you detect exfiltration by malicious insiders? How do you deal with sophisticated attackers who come in with legitimate access credentials?

The answer comes from understanding the adversary - what their motivations and behaviors are and how they differ from the normal user population - and setting up processes that can help detect when a particular user has turned to the dark side of the force. This talk will cover recent research on insider threats as well as sophisticated targeted external attacks - who commits attacks, why do they do it, how do they do it, what does their behavior look like on the network, and what technical and business controls can be effective in practice at detecting that behavior?

 

Patrick J.D. Taylor

Something Seems Phishy

Ahhhh….hackers. They are smart, no doubt, but conventional hacker wisdom has traditionally been all about phishing and gaining unauthorized access, stealing proprietary data and selling it. More times than not, the prized jewels have been credit card numbers. However, the value of stealing credit cards has gone down due to mandates that companies report these and the risk of hackers being turned into law enforcement. New hacker wisdom suggests that these criminals are starting to figure out a better, stealthier and smarter way to infiltrate an organization – by committing the equivalent of internal fraud – taking on the identity of an internal employee and stealing money. These sophisticated attacks are slow and sustained and often go undetected. In this presentation, Patrick Taylor will share several real-life stories of companies that have experienced major internal fraud incidents, how they uncovered it, and how to minimize the repercussions. He will also provide recommendations for how information security professionals can monitor and uncover hackers gaining access as authorized users as well as how they can prevent internal fraud by understanding how to monitor and perform transactional analysis beyond the file system and database to the business application layer as well as to large business management systems such as SAP.

 

Daniel Peck

Dynamic Analysis and Exploration of Android Apps

This will be a walkthrough presentation on dynamic exploration of Android app using JRuby. We'll give an overview of the entire process, beginning with tools to disassemble the package, followed by a crash course in understanding small disassembly, modifying, and rebuilding APKs. Finishing up with a tutorial on running code from a targeted android package within a jruby session and a discussion on what this allows us to do, such as access APIs restricted to mobile only, extraction of secret keys, and bypassing/calling custom crypto routines.

 

Gursev Singh Kalra

Attacking OData

OData is a new data access protocol that is being adopted by many major software manufacturers such as Microsoft, IBM, and SAP but hasn’t been publically explored in terms of security. This presentation dissects the OData protocol and explores the potential areas of weakness. I’ll give an attack and penetration testing perspective of OData and present a new tool that can be used to assess OData implementations.

This talk assumes no prior OData knowledge and makes the OData attack and penetration testing concepts easy to understand. The approach is to start with a single read URI, just like a black box penetration test and builds on concepts. OData penetration testing aspects are introduced along with OData concepts along with unique OData vulnerabilities that may come into play with OData implementations. Finally, a new OData assessment tool Oyedata will be demonstrated.

 

Bill E. Ghote

Lotus Domino Password Hash Redux

Despite publication of CVE-2007-0977, CVE-2005-2696, and CVE-2005-2428, enterprises continue expose their users' password hashes through insecure deployments of Lotus Notes and related products (Quickr, Sametime, etc.). Over the past year, hashes were collected from approximately 600 sites. Vulnerable sites are not limited to the software versions described by the CVE notices, but also include the latest software releases from IBM. Public and private sector across every conceivable industry with exposures were discovered.

This presentation will highlight the impact of these exposures by demonstrating techniques for discovering vulnerable web sites via web searches (Google and ERIPP), new scripts for acquiring password hashes from web sites were developed to accelerate download times when compared with existing scripts. Prior work from other researchers was also used in some cases; proper attribution will be given to these where referenced.  Updated statistics of continued work in finding and scraping vulnerable sites since last covering this material at BSidesLV will be discussed.

 

James Edge

Custom Power Pwn

 

The people over at Pwnie Express are coming out with a neat device called the Power Pwn.  This device follows up on the Pwn Plug and the PwnPhone.  With my experience as a penetration tester and junior hardware hacker I’ve been working on my own “pwn” hardware. I combined the PCEngines Alix 6f2, an APC BE650R Battery Backup Power Strip, and a battery Power Pack for a Custom Power Pwn. I integrated the Alix connectors for the serial, ethernet, and external antenna connectors with the existing APC coax, rj45, and rj50 ports.  This talk is a show and tell on what I did and how anyone who is a fan of hardware hacking can do this themselves.

http://www.jedge.com

 

Valerie Thomas

Social Engineering in Penetration Testing

If you're performing penetration tests without social engineering then you're leaving out the greatest security weakness, the human.  As a security consultant I've used social engineering to increase my penetration success rate for years.  Join me as we discuss the basics of social engineering, its role in penetration testing, and some unique attack vectors I've developed.  You'll leave this talk with an understanding of the social engineering attack process and some new tools to get you started. 

 

Jason Ding

Social Networks & Fake Accounts: New Heaven for Spammers & Attackers

Social connections and interactions are the core value of current online social media platforms, and have greatly improved the communication efficiency of individuals and businesses. These core features have also been fully explored by attackers to easily spread malicious contents to a large scale of victims. Many social engineering tricks, such as click-jacking, phishing and fake apps, can be effectively delivered to millions of users in a short amount of time.
 
One of the fastest growing threats on social networks is the fake social botnet. Fake social botnets contain fake users or pages, fake apps, and fake interactions (such as likes, followings or comments). These social elements fundamentally break the trust model that all online social platforms try to build. These fake profiles and apps give attackers a long-lived path to continuously present malicious links and malware to innocent users. Friending fake accounts can lead to not only rampant spamming attacks and also account takeover using Facebook's trusted friend account recovery.

This session reviews several cases of fake social botnets and their monetization. We conducted a five-month analysis involving over 3,000 Facebook fake profiles used by attackers to determine features and patterns that distinguish them from real users. We created a feature-based heuristic engine to distinguish real users from fake profiles. We also studied the fake followers’ economy on Twitter, uncovering the blooming underground market that involved hundreds of dealers, thousands of abusers and numerous fake accounts, which can be easily controlled to spread malicious links and malware on a large scale. Another case will show that spammers can blend their activities into regular users activities, which make the detection strategy ineffective.

Finally, this interactive session will discuss the scale and nature of malicious social activities and explore ways to remediate them.

 

Event Planners

  • Nick Owen
  • Eric Smith
  • Tony UcedaVelez
  • Martin Fisher
  • Dan McGinn-Combs
  • Mike Rothman 

 

Volunteers

  • If you would like to help with the event, we need you! Please let us know. Email: securitybsidesatl at gmail.com

 

CPEs

Your attendance at BSides Atlanta is valid toward the CISSP continuing education credits (CPEs). If you are a CISSP, please print a copy of this form and bring it to the meeting. Give it to the meeting moderator or one of the BSides Atlanta Staff members to sign, after which you can submit it to (ISC)2 as needed.

 

Hashtags

Please use the tag #BSidesATL for content related to this event.

Founded twenty seven years ago, Sayers has grown into an industry-leading IT services and solution provider, offering the latest and most sophisticated technologies. Over the past three decades, we have established a powerful track record of success, highly personalized service and lasting client relationships.

 

Companies stay with Sayers because we deliver. We create customized, thoughtful solutions to meet their needs ¬ not off-the-shelf approaches, or technology companies do not need. We partner with world-class vendors.

Comments (0)

You don't have permission to comment on this page.