Boston Security Conference #3


Details
Cybersecurity is an overwhelmingly large profession, one that lives in the overlapping areas of psychology, technology, and law. That is why BSMCon #3 features 10 brilliant Boston hackers from all corners of the trade, with talks ranging from new DDoS attacks to the recent Shellshock exploits that hit the tech industry. We're extremely excited to be able to take part in this event, and hope to see you there!
Hosted by Dawn Carroll | @evilDwn (https://twitter.com/evilDwn)
Produced by Akshat Pradhan | LinkedIn (http://linkedin.com/in/akshatpradhan)
Thank you Steven Harper (https://www.linkedin.com/in/sharper) @Radware (http://www.radware.com), for generously providing funding and support for this event!!
DDoS Botnet: 1000 Knives and a Scalpel! (10-10:25)
by Josh Abraham | @Jabra (http://twitter.com/Jabra) | LinkedIn (http://www.linkedin.com/pub/joshua-abraham/0/a00/152)
This talk will explore the latest DDoS attack techniques. Using recent, high-profile DDoS attacks, we will examine the core attack patterns against the availability of an asset. Leveraging cloud-based elastic computing, we will showcase methods for simulating DDoS attacks and provide a toolkit that attendees can use to run their own DDoS test cases.
About Josh. Josh is the Director of Services at Praetorian (http://www.praetorian.com). An avid researcher and presenter, Josh has spoken at numerous conferences including BlackHat, DefCon, ShmooCon, Owasp, CSI, BLUG, LinuxWorld, Infosec World, Comdex, SOURCE Barcelona and The SANS Pentest Summit. In his spare time, he is a contributing developer to numerous open source security projects such as Metasploit, Nikto, Fierce, BackTrack, BeEF, GISKismet, and PBNJ. He has been quoted by media outlets such as DarkReading, ComputerWorld, and SC Magazine. He holds a BS in Computer Science from Northeastern University.
Shellshock Explained! (10:30-10:55)
by Uday Bhaskar | LinkedIn (http://www.linkedin.com/pub/uday-bhaskar/25/6b8/bb8)
Bash gets an incredible amount of use in the tech industry. This talk will explore the details of the Shellshock Bash bug. We'll demonstrate how to find this bug and also go over some local and remote exploitation techniques. We will also investigate the security patches that have been released, some of which have already fallen short. You will leave with an understanding of the bug, its potential ramifications, and what you can do about it.
About Uday. Uday is currently a Masters student at Northeastern University (http://www.northeastern.edu/research/about/research-areas/security/) and independent security researcher. Previously, he was a security consultant performing pentests on web and mobile applications for various companies. Uday comes with 4 years of security experience and has held roles as a Security Consultant, Security Analyst and Security Researcher. He has also published security articles in numerous security magazines and holds a number of professional IT and Security Certifications.
A Growing Mongo Problem! (11-11:25)
by Ming Chow | @0xmchow (https://twitter.com/0xmchow) | LinkedIn (https://www.linkedin.com/in/mchow01)
This talk will expose the number of MongoDB instances accessible from the internet, the prevalence of the problem, and the resulting lulz. We will also discuss a tool, NoSQLMap, which helped with the process.
About Ming. Ming is a Lecturer at Tufts University (http://www.cs.tufts.edu/Faculty/ming-chow.html). His areas of work are in web and mobile engineering and web security. He has spoken at many conferences including DefCon, Owasp, Source, and InfoSec World. Ming's projects in information security include JavaScript/HTML5 security, CTF challenges, and Android forensics.
Break for mixing and mingling (11:25-11:40)
This will provide an opportunity for you to network and mingle with fellow security engineers. I've updated your name badges with your job title to encourage you to get conversations going with the right people. This is a great opportunity for you to mix and mingle! Check out the Radware booth as well!
PenTest for Mobile Applications! (11:40-12:05)
by Dinesh Shetty | LinkedIn (https://www.linkedin.com/in/dineshshetty1)
Expect to see a lot of demos, tools, hacking, and a lot of fun. The presentation focuses on the problems that follow from bad mobile development practices. During this session, you will learn how to perform a code-assisted pentest on mobile applications and uncover some well-known and some not-so-well-known security issues. It is far easier to gain practical knowledge of security vulnerabilities than it is to read about them. We will use a custom demo application, in addition to some other open source mobile applications, to catch security flaws found on various hand-held devices.
About Dinesh. Dinesh is a Security Engineer and Trainer for Security Innovation (https://www.securityinnovation.com). He is an accomplished author and speaker, and his research has been published in security zines and sites like Packet Storm, Exploit-DB, PenTest Magazine, SecurityXploded, ClubHACK Magazine, and Exploit-Id. Dinesh is a Hall of Fame member of Apple, Adobe, and Barracuda Networks for his identification and responsible disclosure of critical security vulnerabilities in their products, web sites, and web services. Dinesh also holds a number of professional IT and security certifications.
Impostor Detection! (12:10-12:35)
by Gagan Prakash | LinkedIn (https://www.linkedin.com/in/gaganprakash)
Anomaly detection techniques are being developed for impostor detection. It's an analysis technique based on user behavior that distinguishes impostors from real users. We will talk about real-world examples of some of the problems these technologies solve, and we'll also do a round-up of impostor detection products on the market today.
About Gagan. Gagan Prakash is the founder of PhishingGuardian (http://www.phishingguardian.com), a product that uses impostor detection techniques to help guard enterprise employees against phishing and spear phishing attacks. Prior to AstraID, Gagan co-founded a company which provides enterprise-class IT services, such as Microsoft Exchange Server and Microsoft SharePoint, as hosted services now used by thousands of organizations worldwide. Gagan is a software developer with an MBA from MIT.
Lunch InfoSession (12:35-1:35)
Join us as we listen to a twenty-five-minute talk given by our sponsor Radware!
About Carl. Carl Herberger is a recognized information security expert, and draws on his extensive information security background in both the private and public sectors. He began his career in the U.S. Air Force as a computer warfare specialist at the Pentagon and managed critical operational intelligence programs aiding both the National Security Council and Secretary of the Air Force. Carl founded Allied InfoSecurity and held executive security positions at BarclayCard US, SunGard, and Campbell Soup Co.
Strategies for a Successful PCI Assessment! (1:35-2:00)
by Joe Schumacher | LinkedIn (http://www.linkedin.com/pub/joseph-schumacher/5/373/402)
This talk will provide insight into having a successful PCI compliance assessment. We will go through an overview of the PCI requirements, including recurring tasks, ways to incorporate PCI into business-as-usual for your company, and more detail on the difficult-to-complete requirements. We will highlight some major requirements such as vulnerability scanning, penetration testing, and information security governance and operational procedures. The goal of this talk is to give you a fighting chance at turning your annual PCI compliance assessment into a smoother process.
About Joe. Joe is a security consultant with Neohapsis (http://www.neohapsis.com) who focuses on blue team strategy in the areas of technical operations and meeting or exceeding varying compliance requirements. Joe has helped many organizations better understand the risk of using different technologies and define security frameworks to counter or mitigate the risks of technology in a business. Joe is active in Neohapsis Labs research on security in mobile devices and cloud services.
CBCrypt! (2:05-2:30)
by Edward Ned Harvey | Github (https://github.com/rahvee)
This talk will be about deterministic asymmetric key derivation, a next-generation approach to user authentication that goes beyond bcrypt, scrypt, and PBKDF2.
CBCrypt deterministically generates an asymmetric keypair from the server name, username, and password, with a rate-limiting function applied client-side, before making an authentication attempt to the server. The user's password is kept secret even from the server they are logging into.
About Edward. Edward is the CTO of Concept Blossom (https://www.conceptblossom.com), responsible for the creation of Synctuary, secure cloud file synchronization for business. By night (and weekends and holidays) Ned is a prolific contributor to the community: in discussion forums and mailing lists, as a volunteer sysadmin, and as a contributor to several open source projects, including CBCrypt, Tinhat Random, SimpleSMF, and Mono.Security. By day, Ned has a 14-year career in computer engineering, IT, and software development.
Break for mixing and mingling (2:30-2:45)
This will provide an opportunity for you to network and mingle with fellow security engineers. I've updated your name badges with your job title to encourage you to get conversations going with the right people. This is a great opportunity for you to mix and mingle! Check out the Radware booth as well!
The state of cybercrime! (2:45-3:10)
by Andrew Levchuk | LinkedIn (https://www.linkedin.com/pub/andrew-levchuk/13/478/547)
A number of significant cybercrime developments occurred in 2013. This talk will survey some of the most important recent cases and review current developments in the most important computer crime statutes, including the Computer Fraud and Abuse Act (CFAA) and the Stored Communications Act (SCA). Following that, the talk will look at recent Fourth Amendment and privacy decisions.
About Andrew. Andrew is a former computer crime prosecutor who spent most of his career with the U.S. Department of Justice before joining Bulkley Richardson (http://www.bulkley.com). He served as Senior Counsel in the Computer Crime and Intellectual Property Section, where he assisted in the prosecution of computer intrusions and other high-tech crimes. His interest in computer crime and electronic evidence arose naturally from his undergraduate study of mathematics at the University of Chicago. Before law school, he taught mathematics at Phillips Academy, and recently received his CISSP and GISP certifications.
Security shifts in the Internet of Things! (3:15-3:40)
by Andy Thurai | @AndyThurai (https://twitter.com/AndyThurai) | LinkedIn (https://www.linkedin.com/in/andythurai)
Implementing security along the IoT food chain will be a more complex process than organizations have seen before. Security measures will need to encompass a variety of technologies, networks, data access points, end users, and so on. The talk will address who is responsible for securing each facet, as well as how to ensure that the lines of command within security are being followed and are compatible with one another.
About Andy. Andy Thurai is a Program Director with IBM where he is responsible for solutionizing, strategizing, evangelizing, and providing thought leadership for their API, IoT, and Connected Cloud solutions. Prior to this role, he has held technology architecture leadership and executive positions with Intel, Nortel, BMC, CSC, and L-1 Identity Solutions.
Does your CEO Get It and Project Eavesdrop! (3:45-4:10)
by Paul Paget | LinkedIn (https://www.linkedin.com/pub/paul-paget/5/5a6/785)
Info security has become a well-funded part of the IT budget, yet most security professionals believe their organizations are not doing enough. Security has penetrated the CEO's office as a compliance and risk issue, but there is still a gap. Is it possible to close the gap, and what will it take? We'll discuss how to reach the CEO, and a bit about Project Eavesdrop on NPR.
About Paul. Paul is the CEO of Pwnie Express (http://pwnieexpress.com) and has a history of successfully introducing and establishing new technologies in the info-security market. Previously, he held CEO-level positions at Core Security Technologies and Savant Protection, where he created the first application whitelisting technology specifically aimed at protecting critical infrastructure and industrial systems. It's now used aboard jets, oil rigs, and power substations. He has also held executive-level positions at IBM, Lotus, and GTE Cybertrust.
After Conference Drinks (4:10-5:15)
Provided by Akshat
There will be an open bar (beer only) upstairs at Meadhall. The bartenders will serve drinks only to people whose badges show a first and last name or a real picture. We're doing this to encourage a better networking experience. Let us know if you have another suggestion!
What people are saying!
"Excellent conference, beautifully paced. Will definitely attend future meetups."
by Evan Morse
"This was a great conference. I thought Akshat was great at facilitating the social stuff. The speakers were very informative and engaging. Very seldom do I come away from a conference with my head so stuffed full of ideas and things to try that I feel overwhelmed. Now to go forth and put some of them to the test!"
by Julie Tittler
"I'll add my voice to the chorus of congratulations to Akshat & his team. This was a well-run, well-organized, truly worthwhile conference, and I look forward to the next one."
by Bill Barnert
How to find us (https://www.meetup.com/boston-security-meetup/pages/FAQ/)
