NCC Group Security Open Forum

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
NCC Group Security Open Forum - San Francisco
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

DATE: Thursday, September 17, 2015
TIME: 6:00pm-9:00pm
LOCATION: NCC Group SF Offices
123 Mission Street, 9th Floor
San Francisco, CA 94105
(1 block from Embarcadero BART)

Please visit https://www.meetup.com/NCCOpenForumSF/ if you wish to attend!

technical managers and engineers only please
food and beverage provided

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
AGENDA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=--=-=-=-

SPEAKER: Adrienne Porter Felt / Staff software engineer / Google (Chrome security team)

PRESO TITLE: Diagnosing the causes of TLS errors

PRESO SUMMARY: Chrome shows hundreds of millions of TLS/SSL errors a month. When a certificate fails to validate, Chrome warns the user about the risk and asks her what to do. These warnings are problematic because often neither the browser nor the user knows whether the error indicates a real attack -- but we're trying to change that. Our moonshot is for Chrome to automatically identify the causes of TLS errors, with as little user involvement as possible. We've started by combining client and crawler data to identify common causes of errors. I'll talk about the different types of client and network issues that we've seen cause TLS errors in practice, and give insight into our discussions about possible remedies.

SPEAKER BIO: Adrienne Porter Felt works on the Chrome security team, focusing on usable security. Whenever you see security UI in Chrome (SSL warning, malware warning, permission request...), it's probably something that Adrienne's worked on. Previously, Adrienne worked on Google's security research team, where she came up with new ways to identify malicious extensions using activity traces. Adrienne earned a PhD in computer science from UC Berkeley, where she built tools to see how developers use permission systems.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

SPEAKER: Yan Zhu / Security Engineer / EFF

PRESO TITLE: Auditing JavaScript Optimizers

PRESO SUMMARY: JavaScript runs pretty much everywhere these days. Although JS is not a compiled language, the typical JS developer toolchain nowadays includes transpilers, minifiers, type checkers, and other tools to transform source code into optimized JS. How secure are these transformations that affect much of the code running on the web? This talk is about an ongoing project to answer that question.

SPEAKER BIO: Yan is a Technology Fellow at EFF and a core developer of Let's Encrypt, HTTPS Everywhere, Privacy Badger Firefox, and SecureDrop. She is also a security engineer at Yahoo, mostly working on End-to-End email encryption. Yan has been a speaker at HOPE, DEFCON, jQuerySF, Real World Crypto, SXSW, and various other human gatherings. She can be contacted via Twitter (@bcrypt) or her blog (useless.site).

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

SPEAKER: Cara Marie / Senior Security Consultant / NCC Group

PRESO TITLE: Dropping Bombs

PRESO SUMMARY: The decompression bomb is not a new attack, it's been around since at least 1996, but unfortunately they are still a pretty common occurrence. The stereotypical bomb is the zip bomb, but in reality nearly any compression algorithm can provide fruit for this attack. What algorithms have the highest compression ratio and make for good bomb candidates? This talk is about an ongoing project to answer that question.

SPEAKER BIO: Cara Marie is a Senior Security Engineer at NCC Group, an information security firm specializing in application, network, and mobile security. Cara specializes in web application/web services security, network security, client/server testing, and mobile application security. She is experienced in C, C++, Java, web technologies, as well as a variety of scripting languages.

Prior to joining NCC Group, Cara was the head of web design for a boutique firm. She then attended Hackbright Academy where she developed an experimental linux kernel module (rootkit) with a keylogger and integrated IRC bot.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
About the NCC Group Security Open Forum
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The NCC Group Security Open Forum is an informal and open venue for the discussion and presentation of security related research and tools, and an opportunity for security researchers from all fields to get together and share work and ideas.

The Forum meets quarterly in the Bay Area, Seattle, New York City, and Austin. Forum agendas are crafted with the specific needs/interests of its members in mind and consist of brief 20-30 minute talks. Talks are not product pitches or strongly vendor preferential. Attendance is by invite only and is limited to engineers and technical managers. Any area of security is welcome including reversing, secure development, new techniques or tools, application security, cryptography, etc.