iSEC Open Forum Bay Area

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

iSEC Open Forum Bay Area

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

DATE: Thursday, June 12, 2014

TIME: 6:00pm-9:00pm

LOCATION: Yelp, 140 New Montgomery Street

San Francisco, CA 94105

Please visit https://www.meetup.com/iSECOpenForums/ or RSVP to rsvp@isecpartners.com if you wish to attend!

technical managers and engineers only please

food and beverage provided

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

AGENDA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

SPEAKERS: Jasper van Woudenberg / CTO / Riscure

PRESO TITLE: 20 Ways Past Secure Boot

PRESO SUMMARY: This talk presents an overview of all things that can go wrong when developers attempt to implement a chain of trust also called ‘secure boot’. This talk is not so much focused at things like UEFI and Microsoft lockdown, but more at the general application in pay-tv, gaming and mobile devices.

On both sides of the fence secure boot is a vital mechanism to understand. Starting out from design mistakes, we look at crypto problems, logical and debug problems and move towards side channel problems such as timing attacks and glitching. All problems will be illustrated with either public examples or the presenter's experiences. To illustrate the practicality, an electromagnetic glitch attack will be demonstrated.

SPEAKER BIOS: Jasper (@jzvw) currently is CTO for Riscure North America. As CTO of Riscure North America, Jasper is principal security analyst and ultimately responsible for Riscure North America's technical and commercial activities.

Jasper's interest in security matters was first sparked in his mid-teens by reverse engineering software. During his studies for a master's degree in both CS and AI, he worked for a penetration testing firm, where he performed source code review, binary reverse engineering and tested application and network security.

At Riscure, Jasper's expertise has grown to include various aspects of hardware security; from design review and logical testing, to side channel analysis and perturbation attacks. He leads Riscure North America's pentesting teams and has a special interest in combining AI with security research.

Jasper's eagerness to share knowledge is reflected by regular speaking appearances, specialized client training sessions, student supervision and academic publications.

Jasper has spoken at many security conferences including BlackHat trainings, Intel Security Conference, RSA, EDSC, BSides, ICMC, Infiltrate, has presented scientific research at SAC, WISSEC, CT-RSA, FDTC, ESC Design {West,East}, ARM TechCon, has reviewed papers for CHES and JC(rypto)EN, and has given invited

talks at Stanford, GMU and the University of Amsterdam.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

SPEAKERS: Peleus Uhley / Lead Security Strategist / Adobe Secure Software Engineering Team

PRESO TITLE: Misconceptions in the Cloud

PRESO SUMMARY: This presentation will discuss 5 common misconceptions that affect companies moving to the cloud. These aren’t the top 5 obvious issues when moving to the cloud such as, “Do you have a plan for secure, centralized, scalable logging?” Instead, these are more subtle, smaller issues that can affect whether you are conceptualizing your problem statements correctly. As seasoned security professionals, our pre-cloud experiences lead to certain implicit assumptions that do not always hold true when working with cloud-based teams. This talk will highlight a few of those assumptions and their risks.

SPEAKER BIOS: Peleus Uhley is Adobe’s Lead Security Strategist on the Adobe Secure Software Engineering Team (ASSET). He is a cross-team resource providing technical security guidance within the ASSET organization as well as to teams throughout Adobe. Current projects include assisting with the security strategies for Flash Player and the Adobe Creative Cloud. Prior to joining Adobe, Peleus was a senior developer for Anonymizer, Inc. and a security consultant for @stake and Symantec.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

SPEAKERS: Loïc Simon / Security Engineer / iSEC Partners

PRESO TITLE: AWS security: Scouting your production environment

PRESO SUMMARY: The number of Cloud-hosted applications is growing extremely fast, and AWS is a major actor in this field. While a number of tools exist to allow administrators to manage their production environment, the industry was lacking a security-oriented tool to help AWS administrator assess their environment’s security posture.

To address this need, iSEC released AWS Scout2. While a number of security concerns are architecture-specific and require technical interviews to be conducted, a number of AWS-specific misconfigurations can easily be detected with static analysis. Scout2 was designed with this in mind, and gives a head start to security/IT professionals who decide to undertake a security assessment of their AWS environment.

During this presentation, we will first discuss common misconfigurations found in AWS environments, then demonstrate how Scout2 can be used to review the security of an AWS environment.

SPEAKER BIOS: Loïc Simon is a Security Engineer at iSEC Partners, an information security firm specializing in application, network, and mobile security. At iSEC, Loïc specializes in web application and web services security, threat modeling and architecture review. Prior to working with iSEC Partners, Loïc was a Software Engineer at Sigma Designs, a System on Chip company. Loïc received a M.S. in Computer and Electrical Engineering from the "Institut Supérieur d'Electronique de Paris (ISEP)".

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Interested in presenting at a future Forum? Email forum@isecpartners.com. Talks should be 20-30 minutes max.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

About the iSEC Open Security Forum

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The iSEC Open Security Forum is an informal and open venue for the discussion and presentation of security related research and tools, and an opportunity for security researchers from all fields to get together and share work and ideas.

The Forum meets quarterly in the Bay Area, Seattle, New York City and Austin. Forum agendas are crafted with the specific needs/interests of its members in mind and consist of brief 20-30 minute talks. Talks are not product pitches or strongly vendor preferential. Attendance is by invite only and is limited to engineers and technical managers. Any area of security is welcome including reversing, secure development, new techniques or tools, application security, cryptography, etc.