
Please go to: BSidesPGH for information on current events!
When: June 14-15, 2013
Where:
June 14: Left Field Meeting Space, 116 Federal St., Pittsburgh 15212 (www.leftfieldmeetings.com)
June 15: TechShop, 192 Bakery Square Boulevard Pittsburgh, PA 15206
Cost: Free!
Needed: Volunteers, Speakers, Sponsors, Ideas!
New This Year! BSides Pittsburgh is adding a SECOND DAY on Saturday, focused on highly technical workshops and demos.
Extras!
All: We have a bit of a funding shortfall this year. Call it "BSidesPGH sequestration." Therefore, we are doing some crowdsourced fundraising. Attendance on both days is still free. Breakfast and lunch on Friday, and possibly Saturday, are still free. What we're asking is that if you want some of the "extras", you cover their cost, since we usually have a lot of waste on these items.
The following extra perks are available for purchase via paypal:
A) Custom cassette badge with mystery audio-encoded secret message - $5
B) BSides Pittsburgh 2013 T-shirt - $15
C) All of the above PLUS "Friends of BSides" sponsorship listing - $100
The T-shirt and badge must be ordered no later than May 20.
To order, email [email protected] with PURCHASE in the subject line. Your support is greatly appreciated and will help us have the best BSides Pittsburgh ever.
About
BSides Pittsburgh is a free, volunteer-run computer security conference held every summer in Pittsburgh, PA. Security BSides is a global series of community-driven conferences covering a wide range of information security topics, from technical subjects such as dissecting network protocols to policy issues such as managing information leakage via social networks. In keeping with the community-driven theme, and to help minimize event costs, the conference format, talks, and activities are agreed upon by all attendees. We're currently looking for presenters, ideas and topics. Please post your ideas on the BSides Pittsburgh website.
Pittsburgh has a flourishing information security community; this is a great chance to meet each other, share ideas and work together. Many of those professionals in Pittsburgh as well as nationally recognized experts are doing awesome things in the field; let's get together to learn, collaborate, and protect. Please see our web page for more information, to RSVP, or to submit a talk or suggestion. The event is free – even the food and drinks – and held in full view of the City of Pittsburgh and PNC Park at the Left Field Meeting Space on the north shore.
This year we are adding a second day of events. Friday will be at Left Field and will focus more on policy, best practices, security management, and legal issues (although technical submissions are still welcome.) Saturday will be at a different location and will be entirely technical deep-dives. Attendance at either or both is free.
Sponsors
We are once again asking for sponsors to choose a sponsorship level. Please contact [email protected] if you are interested in sponsoring at any level.
Platinum
Gold
as the Sponsor of <dual core>!
Silver
Friends of BSides
Andy Johnson
Premier - $5,000.00
Platinum - $1,500.00
Gold - $750.00
Silver - $500.00
Call For Presenters (CFP)
The CFP for 2013 is closed.
Schedule
Subject to change
Day 1
Time | Speaker | Talk
9:00 | Keynote: SSA J. Keith Mularski | Cyber Threat Landscape
10:00 | Dave Kennedy | Getting Creative - A Story in Thinking Outside of the Box
11:00 | Eve Adams | Hack The Hustle! Career Strategies For Information Security Professionals
12:00 | Lunch |
1:00 | Randy Trzeciak | Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks
2:00 | Jake Liefer | Building a Better Pond: Tactically Thwarting Spear Phishing Attacks
3:00 | Kevin Poniatowski | How I Stopped Worrying and Learned to Love BYOD
4:00 | Dave Ries | What Is Reasonable Security from a Legal Perspective?
5:00 | After Party with Ali Spagnola's Power Hour and Dual Core! |
Day 2
Time | Room 1 | Room 2 | Room 3
10:00 | John Geyer: We Need More D-Fence | Brent Kennedy: Pentester's Playground* | Raphael Mudge: Armitage and Cobalt Strike Penetration Testing Lab** (4 hours)
11:00 | Dr. Charles Wood: The Dangers of Steganography: What Worked for Bin Laden can Work Against You | |
12:00 | David Warren: Software Defined Radio | Brandon Morris: Eating the Elephant - Using Nessus and Microsoft Office to analyze and compare large host scans |
1:00 | Joshua Schwartz: Making Attacks Go Backward | Sid Faber / George Warnagiris: A Profile of Traffic on My Home Network |
2:00 | Brandon Franklin / Justin Zimmerman: Skeletons in the Closet: Is Your Crypto Keeping You Safe? | | Andy Cooper: iptables, and doing stuff with it
* This is a hands-on workshop!
Students must bring a laptop with a VMware product installed.
** This is a hands-on workshop!
Students must bring a laptop with a VMware product installed. VMware Player is OK. The instructor will provide attack and target virtual machines on a DVD. A USB DVD drive will be available to use. Student systems must have 12GB of free space and at least 2GB of RAM.
Speakers / Abstracts
Keynote: Supervisory Special Agent Keith Mularski, Federal Bureau of Investigation
Cyber Threat Landscape
A discussion of the cyber threat landscape, with examples of what the FBI is seeing in the areas of Advanced Persistent Threats, organized cyber criminal gangs, underground forums, Anonymous and other hacktivists, and cyber terrorism.
Randy Trzeciak, CERT Insider Threat Center
Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks
The Insider Threat Center at CERT, which was formed in 2001, has built an extensive library and comprehensive database containing hundreds of actual cases of insider cybercrimes. This presentation will describe findings from our analysis of three primary types of insider cybercrimes: IT sabotage, theft of intellectual property (e.g. trade secrets), and fraud. All CERT insider threat research focuses on both the technical and behavioral aspects of actual compromises. The presentation will describe who committed the crimes, their motivation, organizational issues surrounding the incidents, methods of carrying out the attacks, impacts, and precursors that could have served as indicators to the organization in preventing the incident or detecting it earlier. In addition, this session will outline nineteen practices organizations should consider implementing to prevent, detect, and respond to insider threats. It will convey the "big picture" of the insider threat problem - the complex interactions, relative degree of risk, and unintended consequences of policies, practices, technology, insider psychological issues, and organizational culture over time.
Eve Adams, a.k.a. @HackerHuntress, Halock Security Labs
Hack The Hustle! Career Strategies for Information Security Professionals
While information security is widely considered a negative-unemployment industry (it's actually closer to 3%), most of us will look for a job at some point. Seasoned technical recruiter Eve Adams (@HackerHuntress) provides infosec-specific insight on writing resumes that attract the kind of attention you want, getting short-listed for cool positions before they're even posted, strategically riding infosec employment trends, and how to most effectively work with those delightful recruiters. This talk will have something for those just entering the workforce, mid-career security professionals, and former VAX hackers alike!
Dave Kennedy, a.k.a @dave_rel1k, TrustedSec
Getting Creative - A Story in Thinking Outside of the Box
Ever run into a crazy configuration and secure setup that you just couldn't break into? It's rare, but it happens. As penetration testers, we need to think outside of the box and get creative. We are hackers and we need to think like them. This presentation goes over some examples that I've run into during penetration tests that made me get creative and think outside the box. Oftentimes we get complacent when we can't find MS08-067, the latest and greatest exploit, or a default password. We chalk it up and walk away as if they're secure. Instead, let's fight, work for it, and most importantly, pop a box. This presentation will have lots of demos, tricks that I use during penetration tests, and more.
Kevin Poniatowski, Director of Instructor Led Services, Safelight Security
How I Stopped Worrying and Learned to Love BYOD
“Tweeting from the pub using my work Twitter account seemed like a good idea at the time.”
“How could our customer data be stolen? No one knows my iPhone pin except me.”
“After I send off this email to sales, I’m going to download Angry Chinese Birds. It’s free!”
It’s becoming more and more common for staff to bring their own devices to work, and blending their personal data with sensitive organizational data. What could possibly go wrong? Lack of user education concerning both physical and cyber threats to mobile devices and the sensitive data stored within them is creating an epidemic of embarrassment to organizations. This presentation will highlight the dangers of an untrained staff bringing their own devices to work and the steps that could be taken to mitigate the risk of lost data, compromised devices, and embarrassing Twitter posts.
Learning Objectives:
Attendees will become much more paranoid about the common practice of blending personal and organizational data and applications within their mobile devices. They will also be introduced to coping skills, also known as secure best practices, for dealing with this paranoia.
Brandon Morris
Eating the Elephant - Using Nessus and Microsoft Office to analyze and compare large host scans
Chances are you've heard of the Tenable Nessus vulnerability scanner. It slices, it dices, it can run over 50,000 security checks against a wide range of targets. However, if you've ever tried to use it to assess 500, 1000, or 2000 hosts, it can quickly become an overwhelming endeavour. This presentation shows how to tame the Nessus beast using PowerShell to import multiple scans into a Microsoft Access database, easily review/filter/query results, create comparative finding matrices in Microsoft Excel, and much, much more.
Sivaram Rajagopalan, Independent Security Consultant, Powernet Group
Cloud Security Governance and Risk Management Controls
This presentation will address current cloud computing adoption trends, the cloud economy, security risks, GRC approaches and relevant information security controls. Cloud governance from the perspective of Enterprise Risk Management (ERM), legal issues, compliance/audit management, data security, and interoperability/portability standards will be discussed. Control guidelines and mappings utilizing the CSA GRC Stack, CSA STAR, FedRAMP, NIST SP 800-53, ISACA and other cloud assurance metrics will also be reviewed.
Dave Ries, Partner, Clark Hill Thorp Reed
What Is "Reasonable Security"? Emerging Legal Standards
Corporate officers and boards, security professionals, and attorneys advising them regularly face the challenge of defining and implementing “reasonable security” for the business or enterprise. The answers are complicated by rapidly developing technologies, increasing threats, advances in available safeguards, and changes in regulatory requirements. This session will explore current legal requirements and evolving standards for “reasonable security” under them.
Jake Liefer, Security Risk Advisors
Building a Better Pond: Tactically Thwarting Spear Phishing Attacks
While you were busy reviewing your onerous firewall rules, an attacker just bypassed all your best efforts and gained internal access to your network thanks to a simple, well-crafted malicious email that took 10 minutes to create. From high-profile attacks on corporations such as RSA to the thousands of unreported and unknown attacks, spear phishing has become a formidable threat. However, in the midst of these mounting attacks, many security teams' best effort is simply to tell users not to open malicious emails. Evidence shows that this is not working.
In this session, we'll discuss the tactical and technical details to thwarting spear phishing attacks. We'll look at real world attacks and how to stop them. From developing a network infrastructure that detects these threats in-bound to fingerprinting what these attacks look like, we'll go beyond simple user awareness training to actively detect and mitigate spear phishing attacks.
John Geyer
We Need More D-Fence
Mid-size and small businesses require teamwork to get the job done. Not every company has a dedicated security team, and operations staff usually share the workload. We will discuss why your defense still sucks, why rock stars do not fit in, why zealots ruin potentially awesome defensive career candidates, and why we train for offensive security when we need more d-fence.
Dr. Charles Wood, Duquesne University
The Dangers of Steganography: What Worked for Bin Laden can Work Against You
Osama Bin Laden transmitted messages embedded inside porn pictures through the Internet. His methods are still hard to detect. The same techniques that Bin Laden used to transmit secret messages to terrorists can be used to do the following:
- Steganography can be used to transmit customer lists secretly from the CRM system from your site!
- Steganography can be used to transmit private Visa card information from the accounts receivable department from your site!
- Steganography can be used to transmit engineering plans or future business opportunities to domestic and foreign competitors from your site!
And there is little in place to stop it. Email filters won’t work. Viewing the emails won’t detect anything amiss. It is truly, truly scary!
This presentation will incorporate some PowerPoint with some examples of tool use to encrypt and embed secret messages, and will illustrate what steganography is, how it works, why it works so well(!) and is so undetectable(!), and what you can do to stop it. Further, the presentation discusses what tools need to be developed that are not currently available to protect ourselves from our secret information being transmitted. The presentation will start out managerial, move to computer science as we go to the bit-level representation of information and how that can be used to embed information, and then move back to managerial to discuss the tools that are readily available to hackers, and the lack of tools that are readily available to managers.
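The abstract above refers to the bit-level embedding of information and to the lack of tools for spotting it. The following is an added example, not material from the talk or from the BSidesPGH page: it embeds a short payload in the least-significant bits of a constructed 8-bit grayscale buffer, extracts it again, and then runs a pairs-of-values histogram check of the kind a defender can apply to outbound images. The cover buffer, the payload, the 32-bit length header and the normalised score are all assumptions of this example; a real image would be decoded with an image library first.

```python
"""LSB steganography round-trip plus a simple detection heuristic.

Added example (not from the talk or the BSidesPGH page). Assumptions:
- the "image" is a constructed 8-bit grayscale byte buffer built inline;
- the hidden message is prefixed with a 32-bit big-endian length header;
- the cover is deliberately biased toward even pixel values, an exaggerated
  stand-in for the unequal (2k, 2k+1) value counts of a natural image.
"""

HEADER_BITS = 32  # assumed header size: 32-bit big-endian payload length


def bits_from_bytes(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def bytes_from_bits(bits):
    """Pack an iterable of bits (MSB first) back into bytes."""
    out, acc = bytearray(), 0
    for i, bit in enumerate(bits):
        acc = (acc << 1) | bit
        if i % 8 == 7:
            out.append(acc)
            acc = 0
    return bytes(out)


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive cover bytes with header + payload bits."""
    header = len(payload).to_bytes(HEADER_BITS // 8, "big")
    message_bits = list(bits_from_bytes(header + payload))
    if len(message_bits) > len(cover):
        raise ValueError("payload too large for cover")
    stego = bytearray(cover)
    for i, bit in enumerate(message_bits):
        stego[i] = (stego[i] & 0xFE) | bit  # keep 7 high bits, replace LSB
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length header from the first 32 LSBs, then that many bytes."""
    length = int.from_bytes(
        bytes_from_bits(stego[i] & 1 for i in range(HEADER_BITS)), "big")
    payload_bits = (stego[i] & 1
                    for i in range(HEADER_BITS, HEADER_BITS + 8 * length))
    return bytes_from_bits(payload_bits)


def pair_of_values_score(buf: bytes) -> float:
    """Pairs-of-values check (Westfeld/Pfitzmann style), normalised by length.

    LSB embedding flips values only within a pair (2k, 2k+1), so a full LSB
    payload drives the two counts of each pair toward equality. A chi-square
    style sum over the pairs therefore drops when a buffer carries a payload;
    a low score relative to a known-clean baseline is the signal to look at.
    """
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    chi = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        if even + odd:
            chi += (even - odd) ** 2 / (even + odd)
    return chi / len(buf)


# Constructed cover: 4096 "pixels" on a wrapping gradient, all forced even.
COVER = bytes(((i * 37) % 256) & 0xFE for i in range(4096))

# Constructed payload standing in for the "customer list" scenario above.
PAYLOAD = b"customer,email\n" + b"".join(
    f"user{i},user{i}@example.com\n".encode() for i in range(12))


def demo():
    """Return (round-trip ok, cover score, stego score) for the sample data."""
    stego = embed_lsb(COVER, PAYLOAD)
    return (extract_lsb(stego) == PAYLOAD,
            pair_of_values_score(COVER),
            pair_of_values_score(stego))


if __name__ == "__main__":
    ok, clean, suspicious = demo()
    print(f"round trip ok: {ok}")
    print(f"score clean cover: {clean:.3f}  score with payload: {suspicious:.3f}")
```

The score is only meaningful against a baseline: compare a file to a clean reference image, or to itself over different regions, rather than against a fixed threshold, and note that embedding schemes that avoid the straightforward LSB overwrite shown here will not be caught by this particular test.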
Josh Schwartz (@FuzzyNop)
Making Attacks Go Backwards
Imagine a pentest where there is no scope, no time constraints, and no budget. How would you do it? Would you write your own tools? Would you get detected? And if you did, would they know what you stole and what was owned? As time went on, would you get lazy?
It sounds like a dream gig for most pentesters out there and lucky for some threat actors, this is the 9 to 5 job. By now we shouldn't have to mention the advanced persistent buzzword for you to know what we are talking about. Targeted threat actors are people too, they make mistakes, their judgement is bad sometimes, they get lazy, and sometimes their skills are bad and they should feel bad.
In this talk we will cover how attacker tactics can leave behind obvious evidence, how their tools can be identified and analyzed quickly, and how the human side of every attacker can lead to some great lulz. Attendees should leave armed with a variety of examples from the trenches of incident response and malware analysis that will give them an edge against the less advanced of advanced attackers. Key takeaways will include tips and tricks for identifying and reverse engineering malware and utilities used in targeted attacks as well as the forensic evidence they leave behind.
Brandon Franklin and Justin Zimmerman
Skeletons in the Closet: Is Your Crypto Keeping You Safe?
Cryptography, like many areas of security, has the devil in the details. Most of us know better than to develop our own crypto algorithms, but there are a host of gotchas that come with the implementation of any secure protocol. Properly applying secure algorithms is critical for maintaining safe harbor under regulations such as HIPAA. The presentation will cover a set of common cryptography anti-patterns we have encountered in security assessments and how to fix these broken architectures. Less technical folks should expect to walk away with a checklist of things to watch for in their daily practice. More technical folks will come away with a better understanding of how to critically think about architecting crypto solutions.
Salvador "grecs" Grec (@grecs)
Malware Analysis: N00b to Ninja in 60 Minutes
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when it's time to pass the more serious samples on to the big boys. This presentation covers several analysis environment options and the three quick steps that allow almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se, but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
David Warren
Software Defined Radio
TBD
Sidney Faber and George Warnagiris
A Profile of Traffic on My Home Network
TBD
Hands On Labs! (Saturday)
Raphael Mudge (@armitagehacker), Developer of Armitage and Cobalt Strike
Armitage and Cobalt Strike Penetration Testing Lab
The Metasploit Framework is a must-have tool for penetration testers. Armitage builds a workflow on top of the Metasploit Framework and exposes its most advanced capabilities. Cobalt Strike augments Armitage with tools to simulate advanced persistent threat-style targeted attacks. This lab oriented class will introduce you to the penetration testing process from the perspectives of Armitage and Cobalt Strike. You'll learn how to craft an attack package, deliver it to a target, spy on a user, attack systems from a foothold, and abuse trust relationships to gain access.
Student Requirements:
Students must bring a laptop with a VMware product installed. VMware Player is OK. The instructor will provide attack and target virtual machines on a DVD. A USB DVD drive will be available to use. Student systems must have 12GB of free space and at least 2GB of RAM.
Andy Cooper
iptables, and doing stuff with it
Abstract TBD.
Brent Kennedy (@bk_up)
Pentester's Playground
After learning about Armitage and Cobalt Strike in Raphael Mudge's awesome class, come and try your skills in a brand new virtual environment. This free-for-all playground will allow you to think and act like a penetration tester while you try to conquer as many boxes as possible. Think you're already a ninja? We'll see about that...
Other Activities
Lockpick Village
After Party
Local Interest Talks
Topics I would like to hear about
Potential Sponsors
Over the past two years, a series of information security events called BSides has been organized across the U.S. and internationally (www.securitybsides.com). These events vary in format, but share the common philosophies that they are free, open to anyone, and entirely organized and run by volunteers. Another common trait they share is that they focus on the community where they are held, with mostly local speakers, local sponsors, and local vendors.
We are putting together a third BSides event for Pittsburgh, scheduled for June 2013. Pittsburgh has a substantial presence in the information security world, with major universities, CERT, the NCFTA and an FBI Cyber Crime unit, and numerous software developers in a variety of industries. Our goal is to bring many of them together to learn from each other, share information, and network.
In order to do this, and keep it free for all attendees, we are looking for both local and national organizations who are interested in sponsoring some portion of the event. All BSides events are required to abide by a policy that there be no vendor booths or sales presentations; however, sponsors can be recognized at the event and in its materials. Representatives from sponsor organizations are encouraged to participate in the event, as it's a great opportunity to meet other information security professionals in the area. If you're interested in sponsoring BSides Pittsburgh, please email [email protected].
- Dan Klinedinst (@dklinedinst)
- Joe Wynn (@wynnjoe)
- Scott Kriebel (@smkriebel)
- Scott Thomas (@notscottthomas)
- Tracy Cassidy
Volunteers
Task List
(please -cross out- when it's done)
Tech
Wifi
Projector, White Boards
Photo
Video
Audio
Streaming or Stickam or Skype or Ustream or Livestream
Non-tech
Breakfast
Lunch
Coffee/Tea
Tables and chairs
Tags for flickr, twitter, blog, etc.
Please use the tag #BsidesPGH for content related to this event