iSEC NYC January Open Forum

DATE: Wednesday, January 23rd, 2013 TIME: 6:00pm-8:30pm LOCATION: Goldman Sachs 200 West Street #200 New York, NY 10282 Enter the building and check-in with building security. You will then be escorted to the break room and auditorium. PLEASE BRING ID OR YOU MAY NOT BE ABLE TO ENTER THE PREMISES. Lost? Questions on the day of the event? Contact Karsten at 347-413-3091 Closest trains are: 1, 2, 3 (Chambers Street station) A, C (Chambers Street station) N, R (Cortlandt Street station) E (World Trade Center station) ** RSVP if you wish to attend ** ** Complimentary food and beverages also provided ** -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= AGENDA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= SPEAKER: Corey Benninger & Max Sobell / Intrepidus Group TITLE: NFC For Free Rides and Rooms (on your phone) ABSTRACT: A number of cities are rolling out RFID/NFC enabled access control as they move away from magstripe cards. This comes at a time when smartphones are also being enabled with NFC capabilities. Unfortunately, a number of mass transit systems have misunderstood how the security around these systems needs to be implemented. We'll break down how NFC enabled cards were designed to be used and the software we wrote for mobile phones which can exploit one of the known flaws. We'll then discuss how these systems could be fixed, what to look out for when riding on one of these system, and some examples of proper deployments. We'll also review the risks associated with similar cards being used for access control at hotels and business locations. SPEAKER: Julian Cohen / NYU: Polytechnic University TITLE: Theory and Application of Realistic Capture The Flag Competitions ABSTRACT: For a long time, Capture The Flag competitions have been one of the best ways for students to learn and professionals to prove themselves. This presentation analyzes why CTF competitions are so popular, and so effective at educating and judging teams on their technical ability. Different qualitative elements define different CTF competitions. Design and quality of infrastructure, logistics, and challenges will be covered in detail. SPEAKER: Glen Saunders / iSEC Partners TITLE: Java in the enterprise: can’t live with it, can’t live without it! ABSTRACT: It is understood that Java is insecure and that the only way to completely protect yourself from its insecurities is to remove it from your machines. In an enterprise of thousands of servers and even more employee machines, how can you know where you need or don't need Java? While it would be nice to uninstall Java enterprise-wide and see what breaks, a better (and more realistic) alternative would be to determine what machines actually run Java, what specific programs they are running and what network access those programs need. Java allows you to tweak settings of the JVM itself and define DNS, debugging settings, and proxy settings that allow you to direct traffic or keep track remotely (through calls every time the JVM is invoked) of what is invoking Java in the first place. Examples of how to track Java application invocations using these tools will be presented along with the results of testing a simulated network to determine their efficacy. Further points on bugs found when disabling Java from IE and other quirks uncovered during testing will also be discussed. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= About the iSEC Open Forum -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= The iSEC Open Forum is an informal and open venue for the discussion and presentation of security related research and tools, and an opportunity for security researchers from all fields to get together and share work and ideas. Open Forum meets quarterly in the Bay Area, Seattle and New York City. Forum agendas are crafted with the specific needs/interests of its members in mind and consist of brief 30 minute talks. Talks are not product pitches or strongly vendor preferential. Attendance is by invite only. Any area of security is welcome including reversing, secure development, new techniques or tools, application security, cryptography, etc. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=