Talk 1. Secure Password Storage: Increasing Resistance to Brute Force Attacks
In the event that your password table gets into the wild, how long will it take an attacker to expose the plaintext passwords? The recent set of well-publicized disclosures of user passwords has raised the question, for many of our clients, of whether current best practices adequately protect passwords against brute force attacks. In addition, with the advent of general-purpose computing on GPUs (or FPGAs), are the defenses and practices currently built against brute force attacks still sufficient?
This talk discusses the pros and cons of current practices such as salted hashes and adaptive hashes, and proposes an alternative solution for strengthening them. The talk will cover the cryptographic properties of these practices, but does not require a PhD in mathematics to follow the details.
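The two practices the abstract names, salting and adaptive (iterated) hashing, as an added example that is not part of the talk or its slides. It uses only the Python standard library (PBKDF2-HMAC-SHA256); the record format, the 200,000-iteration default and the benchmark helper are this example's own choices, not anything the speaker recommends.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Record layout (constructed for this example): algo$iterations$salt_hex$dk_hex
# Storing the iteration count with the hash is what makes the scheme adaptive:
# the cost can be raised later without invalidating existing records.
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash: a fresh 16-byte salt per record defeats
    precomputed tables; the iteration count multiplies the cost of each guess."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != ALGO:
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, min_iterations: int) -> bool:
    """True when a record was made at a lower cost than current policy;
    the caller re-hashes it at the next successful login."""
    return int(stored.split("$")[1]) < min_iterations


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Rough single-core benchmark (constructed): how many candidate passwords
    per second this machine can test at a given cost. Raising the iteration
    count lowers this number for the attacker by the same factor."""
    salt = bytes(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)
```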
Dawn Carroll is currently a Senior Security Consultant for Cigital in Boston. She holds a master's degree in Computer Science with a concentration in Security from Boston University. Dawn's roles throughout her career have ranged from developer to senior security analyst for both corporate and business organizations. Prior to joining Cigital she worked for a Department of Defense (DoD) contractor and an educational company, giving her experience in a variety of industry standards and processes. Her favorite security task is pen-testing, from traditional web apps to web services to mobile apps (iOS and Android).
Dawn recently created a Twitter account which she is "learning" to use. Here's an attempt: follow her @evilDwn.
Talk 2. Five security changes in a post-virtualized environment
The manner in which IT organizations deliver technology services is changing. Specifically, surveys suggest that more than half of IT shops already leverage virtualization extensively, and the use of virtualization shows no signs of decreasing. For those of us in security, this changes the game somewhat on the practical steps we take to secure the environment. For example, previously complicated efforts (e.g. patch management) can become easier, but some other efforts can become harder.
This talk will cover five security "game changers" enterprises should watch out for as they increase their use of virtualization technologies. These include areas where virtualization introduces new challenges (e.g. sprawl, image deprecation, data aggregation), but also areas where existing investments and controls might need to be rethought.
Ed Moyle is currently a Senior Security Strategist with Savvis' information security practice, providing advisory services, solutions, and consulting to clients worldwide, as well as a founding partner of Security Curve. Ed was previously a Senior Manager with CTG's global security practice and prior to that served as Vice President and Information Security Officer at Merrill Lynch Investment Managers. Ed is co-author of "Cryptographic Libraries for Developers" and a frequent contributor to the information security industry as an author, public speaker, and analyst.
How to find us
6:00 - 6:30: Networking
6:30 - 6:45: Lulzy News by Akshat
6:45 - 7:00: Tool of the Month by Roy
7:00 - 7:30: Increasing Resistance to Brute Force Attacks
7:30 - 8:00: Five security changes in a post-virtualized environment
8:00+: Craft beer @ Meadhall