Boston Security Conf #1!

Talks that hackers would find interesting!

1. NSA Spying Concerns? Learn counter surveillance!

You will learn how easily we are all being spied upon - not just by the NSA but by cyber criminals, malicious insiders and even online predators who watch our children.

Then you will learn the basics in the art of Counterveillance and how you can use new tools and techniques to defend against this next generation threat of data theft and data leakage. The talk has been developed for IT and IT security professionals including Network Administrators, Data Security Analysts, System and Network Security Administrators, Network Security Engineers and Security Professionals.

About

Gary S. Miliefsky is the founder of SnoopWall and the sole inventor of the company’s new technology. He has been extremely active in the INFOSEC arena, most recently as the Editor of Cyber Defense Magazine.

LinkedIn: Gary S. Miliefsky (https://www.linkedin.com/in/miliefsky)

2. A Cyber Law How-to Guide

This is an overview of the most important statutes for computer crime investigations and the key cases decided under them (e.g. Computer Fraud and Abuse Act, the Stored Communications Act, the Wiretap Act, Foreign Intelligence Surveillance Act).

We will use recent cases, such as the prosecution of Aaron Swartz, as working examples to examine the scope and limits of federal and state jurisdiction over computer crimes. We will also discuss common international issues that arise in significant computer crime investigations. Lastly, we'll touch upon the preservation and use of electronic and computer-based evidence, and issues arising under Article 14 of the Massachusetts Constitution and the Fourth Amendment from the seizure and search of such evidence, including the permissible scope of searches and the search of stored communications.

About

Andrew Levchuk spent most of his career with the U.S. Department of Justice before joining Bulkley Richardson. He served as Senior Counsel in the Computer Crime and Intellectual Property Section, where he assisted in the prosecution of computer intrusions and other high-tech crimes. His interest in computer crime and electronic evidence arose naturally from his undergraduate study of mathematics at the University of Chicago. Before law school, he taught mathematics at Phillips Academy, and recently received his CISSP and GISP certifications.

LinkedIn: Andrew Levchuk (https://www.linkedin.com/pub/andrew-levchuk/13/478/547)

3. Security for the coming vehicle system

The US Department of Transportation announced on February 3rd, 2014, that it intends to mandate a system for inclusion in all light vehicles that would allow them to broadcast their position and velocity on a more-or-less continuous basis.

The system is claimed to have the capability to prevent up to 80% of all unimpaired collisions. The presentation, by a key member of the team designing the communications security for the system, will discuss the security needs, the constraints due to cost and other issues, and the efforts that are being made to ensure that the system will not compromise end-user privacy.

About
William Whyte has been the lead communications security architect for the project for nearly ten years, interacting with the government, with OEMs, and with standardization bodies both in the US and in Europe to ensure the system will be robust when deployed.

LinkedIn: William Whyte (http://www.linkedin.com/in/wwhyte/)

4. Correlating Behaviors

Behavior is a fundamental element often overlooked in the wake of attacks or human error within the enterprise.

Understanding how your employees behave is as critical as knowing the behavioral characteristics of your adversaries. Understanding both, and being able to pull effective data can build the foundation to an entirely new security model.

About

Tom Bain has over 12 years of experience working with leading IT Security organizations. Bain joined CounterTack from Security Innovation, an application security provider, where he was Director, Product Marketing. There he helped the company grow the security training product division year over year. Prior to Security Innovation, Bain was Senior Manager, Industry Marketing with Q1 Labs, an IBM company. He earned an MS degree in International Relations and Public Affairs from UMASS-Boston and holds a BA in Communications from Rhode Island College.

LinkedIn: Tom Bain (https://www.linkedin.com/in/thomasbain)

5. Blitzing with your defense

The days of simply responding to alerts are over and a shift to employing more "active" defenses along with developing intelligence about threat actors has started.

We will discuss developing a defense that “blitzes” how to gather threat intelligence via open source data, how to analyze and extract data from attacks against your environment, and how to establish a more "active defense" of your network.

About

Ben Jackson is the author of Asterisk Hacking, has spoken at various conferences, and has appeared on various media outlets discussing security and privacy. Ben spends his time enjoying being a husband, dad, and messing around with anything that has a button, dial, or blinking light on it. Ben strongly dislikes Thursdays and writing about himself in the third person.

LinkedIn: Ben Jackson (http://www.linkedin.com/in/benjaminbjackson/)

6. Insider threats in the software supply chain

Developers have unique access and privileges when it comes to creating and deploying code. Many companies have established source code review programs to prevent common vulnerabilities such as the OWASP Top 10. They are not looking for malicious code as a primary target and there is plenty of time for a developer to insert malicious code before production but post security analysis. How do we detect that malicious code? This talk will discuss how to design a malicious code detection program as well as the problems such a program fixes and introduces.

About

Brenton Kohler is a security consultant with Cigital, a software security consulting company. Brenton has a MS degree from James Madison University in Secure Software Systems. He has professional experience as a developer, researcher, and consultant. Brenton's security expertise includes penetration testing, security assessments, and security focused source code reviews in a diverse set of technologies and across several verticals.

LinkedIn: Brenton Kohler (https://www.linkedin.com/pub/brenton-kohler/7b/463/98b)

7. Pharmaspam at a .edu

In 2012, a major university's web server was being used to game Google results and increase visibility of online discount pharmacies.

In this talk we'll see how it may have been done, the tools used and fun with .htaccess to make all the magic work. Oh yeah, and some prevention steps too.

About

Patrick has been working for Akamai Technologies in Cambridge, MA as a member of their CSIRT. He works on incident response for some of the largest banking, media, transportation and other companies from around the world. His main area of focus is on application security. He is the founder of OWASP Rhode Island and is a co-organizer of Security BSides Rhode Island.

LinkedIn: Patrick Laverty (http://www.linkedin.com/pub/patrick-laverty/2/a37/147/)

8. The future of smarter monitoring and detection

The Linux operating system has some powerful auditing capabilities, and defenders who aren’t taking advantage of this are seriously missing out.

We will discuss collection capabilities and current audit APIs that exist today in the Linux kernel. We'll also explore the many open source tools currently available to interface with audit data, and the advantages and limitations they have in terms of performance, collection and querying.

About

Mark Ellzey (Satanist, husband, programmer) is a Principal Software Engineer and Kernel Hacker at Threat Stack. Mark's a consummate C hacker with > 15 years writing software for high performance networking and security applications. He holds several patents in network security, and is a dedicated open source advocate (he is currently a contributor & maintainer for the popular projects libevent, libevhtp, libulz, and author of Mandiant's open-sourced RProxy).

9. Social engineering: understood through the lexicon of classic swindling

This talk will show that the world of Internet based Social Engineering can and should be described, categorized, and understood through existing taxonomies of classical grift techniques and language.

In this talk, a bridge is built between the contemporary understanding of highly technical Social Engineering and the long standing art of the swindle and confidence game. There is particular emphasis put on the specialized argot of the turn of the century American confidence man as documented by David W. Maurer.

About

Erik Kamerling is a Senior Security Consultant at Neohapsis with over fourteen years of experience in the fields of network security assessment, penetration testing, vulnerability research, large scale incident response, and fundamental research in information security.

10. Reducing Uncertainty by Managing Risk

Uncertainty is the realm of the "unknown unknown" -- vulnerabilities we don't know we have, undiscovered technical debt, and so on. Risk, by contrast, is the "known unknown" -- we can quantify, manage, and reason about it.

In this talk, we'll discuss the ways in which security practices turn uncertainty into risk, explore methods to shine light on uncertainty, and talk about evaluating security in an inherently risky world.

About

Christian Ternus is a security researcher on Akamai Technologies' Adversarial Resilience team, where he works on attacks, architecture, design, analysis, and the human factors in security. He graduated from MIT and has previously worked in kernel security and mobile health-tech. He has previously spoken at industry conferences including SOURCE Boston and BrainTank, as well as organizing Akamai's Humanity in Security miniconference.

Linkedin. Christian Ternus (https://www.linkedin.com/in/ternus)

Lockpicking Village

Max will bring all of his gear along with handouts, instruction sheets, and even a projector for the showing of diagrams and videos. He’ll spread out a huge array of sample locks and picks and conduct lessons and hands-on trainings through out the day, letting the public experience just how easy lockpicking is. You will also get an opportunity to purchase high quality lock picking tools suited for your needs.

Show Schedule

9:55 - 10:00: Cybersecurity opener by Lucy

10:00 - 10:25: 1. NSA Spying Concerns?

10:30 - 10:55: 2. Staying out of prison

11:00 - 11:25: 3. Security for the coming vehicle system

11:25 - 11:40: break

11:40 - 12:05: 4. Correlating behaviors

12:10 - 12:35: 5. Blitzing with your defense

12:35 - 1:35: lunch

1:35 - 2:00: 6. Threats in the Software Supply Chain

2:05 - 2:30: 7. Pharmaspam at a .edu

2:30 - 2:45: break

2:45 - 3:10: 8. Smarter monitoring and detection

3:15 - 3:40: 9. Social engineering

3:45 - 4:10: 10. Reducing uncertainty

4:30 - 7:00: Beer @ Mead Hall

What people are saying

http://photos1.meetupstatic.com/photos/event/4/1/5/2/event_279136722.jpeg

"I don't always hack, but when I do, I forward my ports."

http://photos2.meetupstatic.com/photos/event/4/1/3/e/event_279136702.jpeg

"Oh, you went on your friend's facebook when he wasn't looking? You must be the best hacker ever."

http://photos4.meetupstatic.com/photos/event/4/1/2/a/event_279136682.jpeg

"I'll encrypt ALL the things!!"

http://photos3.meetupstatic.com/photos/event/4/1/4/8/event_279136712.jpeg

"One does not simply GOOGLE how to hack"

This counts towards your Security CPE credits! You'll receive a certificate of attendance!

Sponsor

http://photos4.meetupstatic.com/photos/event/7/6/7/2/event_328530322.jpeg

Thank you to Tom Bain of CounterTack for buying us healthy lunches!

How to find us (https://www.meetup.com/boston-security-meetup/pages/FAQ/)