iSEC Open Forum Bay Area
DATE: Thursday, March 13, 2014
LOCATION: LinkedIn, 2025 Stierlin Ct, Mountain View, CA 94043
NON-DISCLOSURE AGREEMENT: LinkedIn requires an NDA for all on-site visitors, which will be available to attendees upon arrival.
Please RSVP if you wish to attend!
***technical managers and engineers only please***
***food and beverage provided***
SPEAKERS: Arvind Mani / Data and Infrastructure Security Manager / LinkedIn
PRESO TITLE: Life of a Password@LinkedIn
PRESO SUMMARY: Salted password hashes prevent dictionary attacks with pre-computed rainbow tables. However, salted password hashes do not altogether stop dictionary attacks, nor do they prevent an active attacker in the production network from overwriting the password database to get into member accounts. We start the talk with advanced attacks against stored passwords and then describe the ingredients of a good password hashing scheme. We then go over the handling of passwords from the moment the password leaves the user agent to when the password is stored in our database.
SPEAKER BIOS: Arvind Mani heads the Data & Infrastructure Security Team at LinkedIn. In his current role, Arvind manages an engineering team responsible for building frameworks, tools, and services to secure member data, web applications, and internal systems. Prior to joining LinkedIn, Arvind worked as a security engineer at Yahoo and PayPal. Previous to this, he developed security software at Symantec and McAfee. Arvind received his M.S. in Electrical Engineering from University of Maryland, College Park, with a thesis on "Authenticated Key Agreement in Dynamic Groups".
SPEAKERS: Ryan Huber / Architect / Risk I/O
PRESO TITLE: Running at 99%: Surviving an Application DoS
PRESO SUMMARY: Application-Level Denial of Service (DoS) attacks are a threat to nearly everyone hosting content on the Internet. DoS attacks are simple to launch, but can be difficult to defend against. Modern websites are a diverse set of moving parts, and a malicious actor only needs to find the point at which any one of these systems is overwhelmed to bring your website to a halt. Organizations may approach this problem by increasing capacity, perhaps leveraging the cloud to expand horizontally. This can be a successful short term mitigation strategy, but a combined historic and real-time view of who is accessing your website (and why) gives you the chance to actively defend as opposed to simply absorbing the traffic. Trending this data over time allows your response time to decrease while keeping your front door open. In this talk I will present a new open source project, written primarily in Node.js, that can be used as a defense framework for mitigating these attacks.
SPEAKER BIOS: Ryan is an engineer at Risk I/O, a security Software-as-a-Service company. Prior to Risk I/O he spent the majority of his career at Orbitz.com, where his varied roles included: management of the flight search farm, leader of EU information security at sister site eBookers.com, and finally architect on the security team where he explored the defensive side of security.
SPEAKERS: Paul Youn / Technical Director / iSEC Partners
PRESO TITLE: Exploiting Browser Extension Password Managers
PRESO SUMMARY: Advancements in password cracking and frequent theft of password databases endanger single-factor password authentication systems. Password managers are one of the only tools available that can help users remember unique high-entropy passwords, and other secrets such as credit card numbers, for a large number of applications. Can password managers deliver on security promises, or do they introduce their own security vulnerabilities? This talk examines popular browser-based password managers and presents common security flaws that could be exploited to remotely extract a user's password.
SPEAKER BIOS: Paul Youn is a Technical Director at iSEC Partners, an information security firm specializing in application, network, and mobile security. Paul has over 10 years of professional security experience in development and penetration testing. In addition to performing penetration testing and security design review, he has conducted research throughout his career on password managers, enterprise Mac security, OAuth, cryptographic APIs, and encryption/key management solutions.
Before joining iSEC, Paul developed enterprise security software at Oracle. He mainly worked on the Transparent Data Encryption (TDE) product and significantly improved Oracle’s key management infrastructure. Paul received his education at MIT, where he earned a B.S. in Computer Science and in Mathematics as well as an M.Eng. in Computer Science. He wrote his Master's thesis under advisor Professor Rivest and was awarded the Johnson thesis award.