BSidesATL-2013

 

Event Details:

 

When: Friday, November 8, 2013

 

Where: Think Inc World HQ, 1375 Peachtree St. Suite 600, Atlanta, Ga (The Earthlink Bldg).

The venue is located on the 6th floor. Front Desk will instruct attendees on which elevator bank to use to reach the secured floor.

 

Parking: Parking can be found in several locations near the venue.

  • Before 9:30, parking in the building is $6/day
  • After 9:30, $8/day (mention BSides)
  • $3 Early Bird 1/2 block south and nearby

 

Cost: FREE!!

Booze: FREE!!!

Food: FREE!!!!

Award Winning Smiles: - PRICELESS

 

Videos of BSides Atlanta 2010 and 2011: http://vimeo.com/user5089985

 

SCHEDULE:

 

Time     Track 1                        Track 2                        ACE Village
8-9am    Registration and Coffee/Breakfast
9-10am   KEYNOTE - Kevin Greene
10-11am  Benjamin Watson                Bill E. Ghote                  ACE Village
11-12pm  Katrina Rodzon & Jack Daniel   Rob Harvey                     ACE Village
12-1pm   LUNCH
1-2pm    Michael Murray & Kati Rodzon   JoEtta LeSueur                 ACE Village
2-3pm    Mike Rothman                   Christopher Elisan             ACE Village
3-4pm    Eric Smith                     Winston Messer & Evan Stuart   ACE Village
4-5pm    Michael Lockhart               Robert McCurdy                 ACE Village
5-7pm    Reception

 

 

REGISTRATION IS CLOSED :(

 

SPONSORS:

We would like to thank the sponsors that have contributed to this year's and previous years' events. Without you these events are not possible.

THANK YOU!

 

Our current sponsors include:

 

We’re a curious bunch that makes digital things — and not just apps or banners or sites. We bring digital to life with integrated solutions that make sense — for the companies that need them, the users that demand them and the digital world that consumes them.

Tenable Network Security is a privately held company founded in 2002 by security product innovators Ron Gula, Renaud Deraison and Jack Huffard. Together with Tenable CSO Marcus Ranum, they have developed a Unified Security Monitoring approach based on the award-winning Nessus scanner for securing enterprise networks worldwide.

Layer 3 Communications is a Professional Services organization that provides: Consulting, Network Audits, Network Analysis, Network Design, Network Security, Project Management, Staging and Implementation, Installation, Time and Materials, and Support Planning.
We also provide Network Systems Integration for Local Area Networks and Wide Area Networks including: Internet Access, Virtual Private Networks, Remote Access, Network Security, and Firewalls.
Our Infrastructure Architects and Project Managers design, implement, and support network infrastructures for data, voice, and video communications.

The WiKID Strong Authentication System is a patented dual-source, software-based two-factor authentication system designed to be less expensive and more extensible than hardware tokens. The WiKID Strong Authentication Server comes as a software appliance, an ISO or in RPM format and works in conjunction with software tokens running on PCs (Windows, Mac, Linux) or smartphones to securely deliver one-time passcodes. WiKID uses public key cryptography, allowing greater extensibility and cross-enterprise two-factor authentication without requiring multiple tokens. A trial version of the server is available for download.

Amidst the growing noise of polarizing security topics, hacking vs compliance religious warfare, and misunderstood risk phobias, VerSprite provides tailored security guidance that supports technology and operational objectives. VerSprite reflects a fresh take on understanding and managing risk around people, process, and technology. Focusing on GRC, AppSec, and BCM solutions, VerSprite's hybrid approach to InfoSec navigates beyond the super-hyped to a more balanced approach to functional security. Discover more at www.versprite.com.

Securosis is an information security research and advisory firm dedicated to transparency, objectivity, and quality. We are totally obsessed with improving the practice of information security. Our job is to save you money and help you do your job better and faster by helping you cut through the noise and providing clear, actionable, pragmatic advice on securing your organization.  Following our guiding principle of Totally Transparent Research, we provide nearly all our content for free.  

Lancope, Inc. ® is the leading provider of flow-based monitoring to ensure high-performing and secure networks for global enterprises. Unifying critical network performance and security information for borderless network visibility, Lancope provides actionable insight that reduces the time between problem onset and resolution.

 

ABSTRACTS and BIOS:

 

Kevin Greene

Kevin has over 17 years of experience in Cyber Security. Kevin holds Master's and Bachelor's degrees from New Jersey Institute of Technology (NJIT). Kevin manages a Software Assurance program at DHS Science and Technology (S&T), Cyber Security Division (CSD). As a program manager at CSD, Kevin is responsible for oversight and management of research and development projects focused on improving the testing, analysis, and evaluation techniques used in software quality assurance tools. In addition, Kevin is also responsible for building the Software Assurance Marketplace (SWAMP), which will provide continuous software assurance services to advance improvements in software development activities, and will also play a key role in discovering new breakthroughs in software quality assurance tools in the areas of precision, soundness, and scalability.

New R&D projects:

  • Hybrid Analysis Mapping (HAM). HAM maps disparate outputs from both SAST and DAST tools to provide relational context for weaknesses and vulnerabilities found by independent assessment activities.

 

Kevin is a huge Kobe Bryant fan and admires his determination, will to win, and dedication to being the best at all times. Kevin enjoys inspiring others to be the best they can possibly be.

 

Collaborative Research to improve Software Security

 

Key points will focus on:

  • DHS S&T efforts in funding R&D in Software Assurance to improve technology
  • State of the art – why are we here? 
  • Collaboration Opportunities
  • Collaboration – working together
  • Vision and thoughts for the future

 

Michael Lockhart

Navigating the Shoals - Preventing practitioners from running around with executive management

All too often security practitioners run aground on the shoals of reality presented by executive management. Aligning goals and expectations between security practitioners and executive management is a common problem many organizations face. This talk provides practitioners with an actionable model for educating executive management on: defined vs. perceived risk, gaining support, defining common goals, approval for initiatives, and improving communications. Armed with this knowledge, security practitioners are better enabled to avoid running aground in the dark waters of executive management.

Mike Lockhart is an information security executive with over fifteen years of experience in security, operations engineering, development and advisory roles.  He has worked for startups and corporations, along with founding two companies.  Mike's focus is aligning a practical and pragmatic approach to security with the needs and goals of an organization.

Winston Messer & Evan Stuart

Open Security: We Told You So

In light of recent events and revelations regarding specific government agencies, there has been a renewed call for openness in the information security industry.  However, this has been a rallying call of the open source community for many years.  This talk will show why this is the right response and that this approach is neither novel nor unique to the current situation.

This talk will serve as an introduction to Open-Sec. It will address the rationale behind conducting security openly, the history of open source within the information security community, policies regarding open source, and an overview of current OSS security use in industry.

Winston Messer is a Research Scientist in the Open Technology Branch of Georgia Tech Research Institute's Cyber Technology and Information Security Laboratory (GTRI-CTISL).  Prior to joining GTRI, Messer was the Technical Program Director at the Open Source Software Institute.  Messer holds an MS in Information Security from Georgia Tech.

Evan Stuart is a Technician in the Open Technology Branch of GTRI-CTISL. Prior to joining GTRI, Stuart was a Technical Consultant at the Open Source Software Institute.

Messer and Stuart are active in the Open Security community at open-sec.org.

Katrina Rodzon & Jack Daniel

Five Cocktails [every hacker/everyone] Should Know

In an era of the apple-tini and drinks that require liquid nitrogen and a degree in chemistry to concoct, sometimes it's just good to get back to the basics. You have to walk before you can run, right? In this presentation Jack Daniel and Kati Rodzon will come together to go over, and make, 5 basic (but amazing) cocktails. Each has a history and a story; you will discover the origin as well as some new twists on drinks that you shake, stir, or pour.

This interactive and illuminating presentation will give you a foundation in mixed drinks, and encourage you to experiment with and enjoy them.    This in turn will make you more popular, give you whiter teeth, fuller hair, a better vocabulary, and make you more talented at everything you attempt.  At least until you sober up.

We will cover several categories of drinks with an example of each:

  • Bitters drinks
  • Shaken drinks
  • Muddled drinks
  • Layered drinks
  • Hot drinks
  • “The next morning” drinks

Kati and Jack will also discuss related topics:

 

Tools and equipment: while it is fun to buy toys to play with behind the bar, a little improvisation can find adequate alternatives for most specialty tools. We’ll also discuss our preferences for various bar gear and glassware.

Liquor: guidelines for quality, quantity, and variety will be discussed, with suggestions for almost every taste and budget.

Bibliography: There are a myriad of books on the topic of drink, from the early books of Jerry Thomas (the first “celebrity bartender”) to recipe books from liquor wholesalers, to books on bar culture and the drinking class. Suggestions, warnings, and insights will be presented.

Kati Rodzon is a trained psychologist and hobby bartender. Since learning to make her first cocktail in 5th grade (a White Russian), she has continued to mix drinks for friends, family, and money. Combined with her love of history and reading, she is filled with several useful and useless facts that flow freely while preparing and drinking all sorts of drinks. When she is not creating cocktails, she spends her time creating content and manipulating behavior. @krodzon

Jack Daniel has over 20 years’ experience in network and system administration and security, and has worked in a variety of practitioner and management positions. Jack is a sporadic blogger at his Uncommon Sense Security and Travels with Jack blogs, a SecurityBSides co-founder, InfoSec Curmudgeon, Very Reluctant CISSP, Amateur Blacksmith, and BS Artiste Extraordinaire. Often found on barstools during his frequent travels, Jack’s views on drinks and drinking have developed, evolved, and merged with the help of many a bartender, his ideas coming into focus as the rest of the world blurred around him. @jack_daniel

Michael Murray & Kati Rodzon

Biohacking: Hacking your health, happiness and fitness

We all spend a lot of time hacking on computers and other systems, but many of us forget to hack the systems that most enable us to hack everything else. Luckily, it's never been easier, as we live in a time of smart phones, activity trackers, calorie counting apps, and sleep monitors that can collect data that gives us insight into the patterns of our bodies and brains. Why not use that data to hack your own body and optimize your performance? In this talk, Michael Murray and Kati Rodzon will go over how to collect and analyze your body’s information as well as how to use that to hack your system and improve your overall performance. Already collecting FitBit data? Why not start tracking cognitive function to see if the more steps you take, the better your attention is during the day? What about sleep and productivity? Through live demonstrations, as well as personal experience, Michael and Kati will demonstrate that like any other system, your body is just another platform to hack.

Mike Murray finds the most happiness when he’s hacking away at problems that annoy him.  Whether those problems are technical, physical or mental, he spends his life organizing systems, teams and companies to tackle problems in new ways.   The majority of his work has been in the information security realm, where he has built research teams and businesses to take on the threats against IT, business and human systems.  He is a co-founder of MAD Security / The Hacker Academy, a leading information security education and consulting firm.   With Fitoop, his focus has been on bringing order to the huge data sets of personal health and fitness data that are growing wildly each year.  In his spare time, he is a triathlete who makes sure to fit in at least one Ironman distance race each year.

Kati Rodzon has spent the last 10 years studying psychology and human behavior in an effort to understand how we work and how we improve. With graduate training in positive and cognitive psychology as well as behavior analysis she has used her knowledge to study everything from how our environment impacts our mood to the most effective ways to change behavior. As a co-founder at Fitoop, Kati has started to use her knowledge to help others be happier and healthier through aggregation and analysis of an ever growing mass of app and device data. When she is not working or reading, she is a runner and avid cook who is always experimenting with new things.

Eric Smith

Cheat Codez: Level UP Your SE Game

Everyone knows what phishing is. Everyone realizes Java applets lead to massive storms of shells. Everyone accepts tailgating is the easiest way into your building. Everyone knows smoking (areas) are bad for you AND your business. Admit it, you paid for that EXACT assessment last year. I could write your report for you without even doing the job. So what’s the problem you ask? That’s EXACTLY the problem, I say. So how do we fix these issues that plague our industry and misalign business expectations? This talk will discuss the value of Social Engineering exercises when conducted with realistic goals yielding actionable results. Of course, that means putting in REAL work throughout the engagement, not “point, click, report, rinse and repeat”. We’ll discuss tips, techniques and secrets that the PROS don’t always blog about. *PRO TIP* – This won’t be a talk on how to use a particular framework or release of a tool (there are plenty of those already). So bring your work boots, it’s time to get dirty and UP your game.

Eric Smith (@InfoSecMafia) is a Senior Partner and Principal Consultant at LARES. Eric specializes in penetration testing with over 15 years of experience in the IT/IS industry. Eric is well versed in a variety of Risk Assessment services and has extensive experience in penetration testing, insider threat assessments, Social Engineering, physical security and Red Team engagements. When Eric isn’t compromising large scale, heavily protected fortresses, he goes on retreats in search of unicorns, horseshoes and hidden treasures that many claim to be “suicide missions”. Eric was also born with invisible gills and is referred to by close friends and closer enemies as the “phish whisperer”.

Benjamin Watson

Error 500 | Exceptions That Will Get You Owned

This talk reviews the vulnerabilities discovered in Java Web Application Frameworks, the impact they present, and why stack traces should never be considered a low risk. It will serve as an introduction to the vulnerability classes and to how to identify and test for them in web application security assessments and penetration tests.

Benjamin Watson is a Management Consultant at VerSprite based out of Atlanta, Georgia. His primary focus is on web application security, penetration testing, and application security architecture. His current interests are Python development, competing in capture the flags, and security research. His hobbies include the gym, hip-hop, coffee consumption, paintball, and playing guitar. @rotlogix

Bill E. Ghote

Security architecture and the NIST Cybersecurity Framework

Adapting the Critical Security Controls to an enterprise security architecture, maturity assessments and project roadmaps.

Bill (not his real name, of course) has over 20 years of IT experience in a variety of companies. He is currently enterprise security architect for a major US insurance firm and has previously presented at BSidesLV, Def Con Skytalks, and BSidesATL, but mostly maintains a discreetly low profile.

http://scrapeghote.blogspot.com/

Twitter: @bill_e_ghote

JoEtta LeSueur

Netkit and VisualNetkit: Network Simulation

This presentation covers open source tools that are available to simulate a network within a virtual machine. This allows users to create many different network configurations virtually in order to learn about the behavior of routers and protocols. It also allows capturing the simulated network traffic for viewing in Wireshark and testing iptables rulesets.

I'm currently a senior at Kennesaw State University. I am new to the security field. http://www.linkedin.com/in/joettalesueur/

Mike Rothman

FUFW: 5 Steps to Rearchitect Your Perimeter

The hype train around next-generation firewalls (NGFW) continues to race forward, but replacing one device with a new shiny object isn’t going to ultimately solve the security problem. Securosis analyst Mike Rothman will put NGFW into proper context regarding the evolution of network security and give you 5 steps to move your perimeter protection forward.

 

Why do you care? Far too many folks we talk to think that plugging in a NGFW device will solve all of their network security problems. That’s just wrong. This session will address those misconceptions and allow folks to understand what their perimeter should be doing, the key technologies to do those functions, and how to get there. To be clear, NGFW is a component of the new perimeter. But it’s not the only function needed.

@securityincite

Christopher Elisan

Malware Automation

Automation is key when it comes to production. The same is true for malware. Malware production has moved on from the traditional manual method to a more efficient automated assembly line. In this talk, I will take the audience on an over-the-shoulder look at how attackers automate malware production. Discussion will focus on the tools and methodologies the attackers use to produce thousands of malware samples on a daily basis. The talk will then conclude with a live demonstration of how malware is produced in an automated fashion.

Christopher Elisan is the author of “Malware, Rootkits and Botnets: A Beginner’s Guide.” Elisan is a seasoned reverse engineer and malware researcher. He is currently the Principal Malware Scientist at RSA. Before joining RSA, Elisan was with Trend Micro, F-Secure and Damballa. He frequently speaks at various security conferences across the globe and provides expert opinion about malware, botnets and advanced persistent threats for leading industry and mainstream publications.

@tophs
facebook.com/ccelisan
linkedin.com/in/elisan

Rob Harvey

PCI DSS 3.0: Preparing for the Change

The purpose of this informative discussion is to give an overview of what the new v3 Payment Card Industry (PCI) Data Security Standard (DSS) (Public release November 7, 2013) is, and what this change may mean to merchants and service providers.  Even though the entire audience may not be merchants, service providers, banks and other institutions that use, process, or may potentially process credit card transactions, as consumers, we would benefit from the presentation.

Proposed Agenda:

  1. Introduction (2 min.)
  2. PCI Definitions – all speaking the same language (3 min.)
     a. Compliance vs. Validation
     b. Risk Based vs. Compliance (Checklist) Methodology
  3. Overview – what’s changed, simply: (15 min. total)
     a. PCI Data Security Standard
     b. Payment Application DSS (PA-DSS)
     c. Other PCI SSC controlled standards
  4. PCI Business as Usual – the day after you validate PCI Compliance (3 min.)
  5. Not All QSAs are Created Equal – what you should know before you buy (2 min.)
     a. Questions for your Vendor
     b. Current PCI Related Trends in the Industry
  6. Questions and Answers (5 minutes)

http://about.me/rharvey

Rob brings business and technology expertise from over sixteen years in Information Technology to his current role as a Principal Consultant for Online Business Systems' Security Consulting Practice, with a focus on driving Information Security and Risk Management forward from the inside out. He specializes in advisory services to companies working to address complex technology solutions that align with their key business objectives while maintaining their security and compliance posture.

Rob has worked with top-named global clients in the transportation, travel, retail, manufacturing and entertainment sectors. He possesses the ability to communicate to and with both technical and business-oriented audiences, and promotes a sense of collaboration on Information Security into the boardroom.

Specialties:
Consultative Management, Sales and Delivery
Qualified Security Assessor, 2006 – Present
Security management and operations
Securing large scale enterprise operations

 

Robert McCurdy

Command Line FU and J00: "The art of efficiency (Laziness)"
http://phreaknic.info/pn17/schedule#83

Command line fu and J00
Operat0r hosting rmccurdy.com will go over the best CLI fu collected/created over the years:

  • Windows WMIC
  • Parsing obfuscated web pages with bash/curl/awk/sed/java ... ya I said it (ripping proxies, Google Images, etc.)
  • Regex made easy: search for PII in office documents with one command
  • Windows mass task killer
  • Quick remote access with a VNC repeater
  • oclHashcat scripts

Robert is an advisory associate in KPMG LLP's southeast advisory services practice. He is very skilled with hands-on technology projects focused on making portable versions of attack / penetration tools, custom scripted scanning applications and automation.

 

Event Planners

  • Nick Owen
  • Eric Smith
  • Tony UcedaVelez
  • Martin Fisher
  • Dan McGinn-Combs
  • Mike Rothman 

 

Volunteers

 

 

CPEs

Your attendance at BSides Atlanta is valid toward the CISSP continuing education credits (CPEs). If you are a CISSP, please print a copy of this form and bring it to the meeting. Give it to the meeting moderator or one of the BSides Atlanta Staff members to sign, after which you can submit it to (ISC)2 as needed.

 

Hashtags

Please use the tag #BSidesATL for content related to this event.
