View
 

BSidesStJohns2016

 

 

 

Steering you through the Security Fog

 

 

This year's BSides St. John's will be held on Thursday, September 15th, at the Capital Hotel - see below for details

 

Find us on Twitter (@BSidesStJohns) and Google+! 

 

Call For Sponsors is open! Email [email protected] to recieve a Sponsorship Package

 

The speaker schedule is now available - see below for details

 

The Security BSides St. John's CFP is now closed. We had a tremendous amount of submissions, all of them being high quality and engaging topics, which will make this year's final decision on speakers a very difficult one. We thank everyone for their submissions. The organising committee will be voting on submissions and notifying all submitters.

 

We will be hosting a Capture-The-Flag Hackathon after this year's talks - registration will be on the day of the event, and will be pairs of contestants competing for some awesome prizes!

 

 

 

 

 

This year's event will be hosted at the Capital Hotel, 208 Kenmount Road in St. John's. This will be our second year at this location, and we'll be taking over the entire set of ballrooms this time around!

 

 

 

 

 

Never been to a BSides conference before? Here's the deal:

 

B-Sides events combine security expertise from a variety of platforms in search of the “next big thing” in information security. B-Sides is an open platform that gives security experts and industry professionals the opportunity to share ideas, insights, and develop longstanding relationships with others in the community. It is a rare opportunity to directly connect and create trusted relationships with key members of the community.

 

B-Sides are free, community organized events put on by local individuals with the expressed goal of enabling a platform for information dissemination. B-Sides is an ‘unconference’ that follows the ‘open spaces’ format. This varies from structured presentations to smaller break-out groups, but both provide a direct connection between speakers and the audience.

 

 

For more details, check out What to expect at a BSides Event

 

 

 

Never been to St. John's? Here are some fun facts!

 

 

 

St. John's is located along on the East Coast of Canada, on the northeast of the Avalon Peninsula in southeast Newfoundland. It is the most easterly city in North America.

 

  

Referred to as "North America's Oldest City", St. John's is the oldest settlement in North America to hold city status, with year-round settlement beginning sometime before 1620. The first transatlantic wireless transmission was also received in St. John's by Guglielmo Marconi on 12 December 1901. St. John's is very close to the Cape Spear National Historic Site which is the most easterly point in North America.

 

Schedule

 

 

   
8:00 AM - 9:00 AM Registration/Networking - Coffee and Muffins Served
9:00 AM - 9:10 AM Opening Remarks/Door Prize Give Away
9:10 AM- 9:50 AM

How we broke into an international bank to steal money

Robert Masse

9:55 AM - 10:35 AM

Are you sinkholing me !

Alex Argeris

10:40 AM - 11:20 AM

Joining Hands and Singing Merrily; Security and Development in Beautiful Harmony

Zack Mullaly

11:25 AM -12:05 AM

ICS/SCADA Breakfast Sandwich, with a Side of Weapons

Dean Parsons

12:10 PM - 1:00 PM Lunch/Networking/Prize Give Aways
1:00 PM - 1:40 PM

“Wireless Security” - Myths and Realities (Wireless is more secure than Wired Networks)

Glen Stacey

1:45 PM - 2:25 PM

Building a bulletproof vulnerability management program

Ed Dubrovsky

2:30 PM - 3:10 PM

Let's Encrypt - A 'fun'damental Overview

Sandra Escandor-O'Keefe

3:15 PM - 3:55 PM

BRAINS! Why we need more humans in testing

Matthew Middleton

4:00 PM - 4:40 PM

The Botnet of Things: How Hackers are Already Using Nanny Cams and Home Routers as Weapons

Nabeel Hasan

4:45 PM - 5:25 PM

Lessons from the Huntsman - Successes and Failures in building a Modern Hunt Team

Travis Barlow

5:25 PM - 6:00 PM Prize Giveaways/Networking
6:00 PM - 10:00 PM Capture The Flag (CTF)/Networking/Prizes

 

 

Sponsors

 

 

Platinum

 

 

 

 










Gold

 


 



Silver

 

 

 
   
Bronze

 

 

 

 
Educational Sponsor
 

 

 

Speakers (Official Schedule Coming Soon!)

 

 

Speaker Topic Abstract
Alex Argeris Are you sinkholing me ! Sinkholing is a technique that allows the redirection of traffic to an inspection hole, based on different criterias. This presentation will cover multiple techniques including DNS sinkhole, HTTP sinkhole and others. You will learn how to configure a sinkhole in your environment, using open source and commercial technologies to redirect threats to an inspection point. We will look at a real life scenario and options to mitigate that threat using a sinkhole solution. The presentation will end with a sneak peek at a public cloud based sinkhole solution.
Dean Parsons ICS/SCADA Breakfast Sandwich, with a Side of Weapons The world relies on ICS (Industrial Control System)/SCADA systems such as the electrical power grid for seemingly mundane daily tasks, like preparing your morning breakfast sandwich. Today’s ICS attacks are well-funded and orchestrated campaigns of destruction using cyberweapons. ICS installations have certainly improved their security posture this last decade, but there’s always room for improvement in ensuring reliability when turning on your electric stovetop to make breakfast! Like sweet lingering tones of citrus and dark chocolate in your favorite Scotch, the presentation also has an undertone of how today’s media can assist security awareness programs, while Stuxnet, Havex and Blackenergy3 malware elbows their way in for an appearance.
Ed Dubrovsky Building a bulletproof vulnerability management program A dose of reality, the bad guys are getting better at being bad (or should we say really good bad guys?) and there are great reasons for that. Technology is getting faster, easier to manage, easier to deploy and paybacks can be enormous. Cloud services enable unlimited scalability, with relative anonymity and are only limited by the depth of the adversary’s purse. Automation of attacks is a reality organizations must face and in addition, the reality that to meet and address these challenges, the good guys, must have access to resources that can out-pace, out-smart, out-scale and frustrate these adversaries. But how do we tackle such challenges? Obviously, there is no easy answer, but one thing is certain, we must ensure the basics are covered, automated and operate flawlessly. However, it is not only an issue of technology, but process and the weakest link..people.
Glen Stacey “Wireless Security” - Myths and Realities (Wireless is more secure than Wired Networks)

Wireless LAN’s have exploded in popularity over the past several years. Once confined to specialized applications and to consumer equipment, 802.11 wireless LAN’s are now increasingly making their way into the enterprise space. But with much more at stake, how can network managers ensure that wireless doesn’t weaken security? Many recommended security techniques for residential wireless LAN’s are inappropriate or ineffective for enterprise deployments. This presentation explores what works and what doesn’t.
Matthew Middleton BRAINS! Why we need more humans in testing It seems like a lot of people are talking about the need to automate software testing, and how it's going to magically solve all our problems. Yet, we keep seeing security breaches which can be traced back to software bugs - anyone remember Heartbleed?

I have a novel proposal, which may help reduce these kinds of problems - brains! We need to have people who are thinking about the problems of quality software at both the micro and macro levels, considering the context of the project as a whole. This should help us reduce the number of defects that escape in to the wild, and thus help us improve the overall security of our applications.
Nabeel Hasan The Botnet of Things: How Hackers are Already Using Nanny Cams and Home Routers as Weapons In May of 2015, over 60 Incapsula customers were attacked by a Botnet made up of over 10,000 home routers. Later in the year, we noticed 900 Internet-connected CCTV cameras flooding one of our customers with bogus traffic. These are just two cautionary tales of what can happen when the IoT is compromised for malicious purposes – what we call the Botnet of Things.

Our security research team has noticed a steady uptick on devices used in attacks on websites and web applications. Poorly secured and infrequently updated devices – from home routers to nanny cams to networked storage — are the perfect target for hackers. Then, rounded up by the hundreds, thousands, or tens of thousands, compromised devices make up a giant recruiting target for bot herders looking to grow the size of their botnets. The Botnet of Things is a growing problem.

Botnets are used for comment spam, site scraping, vulnerability probing, denial of services attacks, and worse. At Incapsula, we see these attacks on a weekly basis. This talk will cover:
• How hackers discover and compromise Internet connected devices
• Case studies of IoT botnet attacks
• How to identify IoT botnets and protect yourself against them

We plan to incorporate new research findings from the Incapsula security research team on the state of the Botnet of Things into our session, including: device trends, recent exploits and vulnerabilities.
Robert Masse How we broke into an international bank to steal money During the talk, Rob will take participants through the true story of a Red Team engagement infiltrating an international bank over a three month period with the purpose of exposing security vulnerabilities (and stealing money). Rob will highlight the Red Team methodologies used which puts a twist on the traditional approach to red team infiltrations. Throughout the talk Rob will also touch on other Red Team war stories and lessons learned, by both the Red Team and the clients involved.
Sandra Escandor-O'Keefe Let's Encrypt - A 'fun'damental Overview Let's Encrypt is a system for automating the process of obtaining a browser-trusted certificate for web servers that want to serve content over the HTTPS protocol. The talk will describe the motivation behind browser-trusted certificates, describe the fundamental concepts behind browser-trusted certificates (public/private keys, signing, nonces, etc.), and will also talk about how Let's Encrypt works.
Travis Barlow Lessons from the Huntsman - Successes and Failures in building a Modern Hunt Team During his presentation Mr.Barlow will discuss the requirements of building a world class hunt team, what has worked and what has failed, and discuss the future of hunting unknown threats. Additonal topics covered will be the pro/cons of machine learning assisted threat detection, the benefits/risks of affordable quantum computing, and of course the current InfoSec industry.
Zack Mullaly Joining Hands and Singing Merrily; Security and Development in Beautiful Harmony Let's talk about security - but not just security; Security Engineering! We all want to see more software in the wild developed with security in mind from the get-go. We want to see security experts and developers working together to build robust systems on time. The relationship between the two teams doesn't have to be a struggle! At Stratum Security, the development team behind our new XFIL product has hit a sweet spot that brings modern tech together with a security-focused design process that has brought rigour to our development cycle. In this talk we'll take a detailed look at our approaches, including everything from the choices of programming languages we use to our architecture and protocol design process, to solving the broad set of security challenges we've faced. Our journey has taken us through a tonne of fascinating problems and resulted in a robust process that has repeatedly helped us to produce secure and reliable software that we hope can be emulated by other teams.

 

Comments (0)

You don't have permission to comment on this page.