Event details
When: Saturday April 18 & 19, 2015
Where: DMACC Southridge Campus, Des Moines, Iowa
Cost: Free
More Information: www.bsidesiowa.com
CFP is Closed.
Ticket Information: http://www.eventbrite.com/e/bsidesiowa-2015-conference-tickets-15468334204
For sponsorship information, please email: BsidesIowa - @ - gmail.com
Invite your friends by posting this on Twitter: "#BSidesIowa Saturday April 18 & 19, 2015 : Discover the next big thing!"
Sponsors
Platinum Sponsors
Gold Sponsors
Schedule
BSidesIOWA 2015 Conference Schedule
April 18th / 19th, DMACC Southridge Center
1111 E Army Post Rd, Des Moines, IA 50315
www.bsidesiowa.com

4/18/15 | Room 1 | Room 2
7:00-8:00 | Coffee, registration, Vendor Expo |
8:00-8:10 | Welcome & Opening Remarks |
8:10-9:00 | Keynote - Ben Johnson |
9:00-9:30 | Intro to Web App Testing with Mutillidae - Andrew Freeborn | Security Metaphors - Josh More
9:30-9:45 | Short Break & Vendor Expo |
9:45-10:45 | Deconstructing the Catalog - Kenneth Johnson | Tricks, tips, and techniques to Exploit Kit/DRIVEBY analysis, hunting, protection - Will Metcalf
10:45-11:45 | Anatomy of a Full Scale Social Engineering Attack - Dave Nelson | Zombies on the Airwaves - Evan Davison
11:45-12:55 | Lunch Break & Vendor Expo |
1:00-2:00 | Security by Design in a Continuous Deployment Shop - Nathan Gibson, Alex Hart, Nick Starke | Hacking the Job Market - Josh More
2:00-3:00 | Integrating Vulnerability Scanning into the SDLC - Eric Johnson | Assessing Network Sandboxing Solutions - Jared McLaren
3:00-3:15 | Short Break & Vendor Expo |
3:15-4:15 | Adversarial Testing through Unconventional Offensive Breach Techniques - Dan Kottmann & Chris Patten | Secure Process Isolation with Docker - Greg Rice
4:15-4:45 | Update from SA Jordan Loyd, FBI Cyber Investigations & Iowa InfraGard |
4:45-5:00 | Sponsor Appreciation & Closing Remarks |

4/19/15 | Room 1
8:00-9:00 | Coffee & Doors Open. Please arrive early.
9:00-10:30 | A Guide to Hacking the OWASP Top 10 - Full Day Training Class
10:30-10:45 | Short Break
10:45-12:15 | A Guide to Hacking the OWASP Top 10 - Full Day Training Class
12:15-1:15 | Lunch Break
1:15-3:00 | A Guide to Hacking the OWASP Top 10 - Full Day Training Class
3:00-3:15 | Short Break
3:15-5:00 | A Guide to Hacking the OWASP Top 10 - Full Day Training Class
Keynote, Presenter Pending
Abstract Pending
Intro to Web App Testing with Mutillidae, Andrew Freeborn
This presentation will introduce web application testing to aspiring security professionals as well as assist existing security professionals. The content will be based on the premise that “you don’t know what you don’t know”, as it can be challenging to know where to locate tools and resources in web app testing. While there are many books and videos on YouTube, how do you know what to trust? I will introduce OWASP standards, a simple test OWASP web app platform and OWASP open source tools. The talk will cover using OWASP ZAP and Burp Suite Free against the OWASP Mutillidae 2 platform. After attending the presentation, participants will leave with an understanding of basic web app testing and industry standard testing tools to jumpstart their way forward.
Security Metaphors, Josh More
There is a divide between the so-called "security/technical" people and the "business" people. We've all heard about how we need to "speak the language of business" and "get soft skills" to succeed. However, even after decades of trying, the divide still exists. Why does it seem that we never make progress? Are we truly not improving? Is the goal receding as we chase it? This presentation posits that we've been making a fundamental error in trying to explain things to people outside our field. One thing that people-oriented people do naturally and technically-oriented people do not is communicate with others using the target's metaphors. By taking this approach and translating issues into different frames of reference, more time is spent exploring the issue instead of arguing over why it matters.
Deconstructing the Catalog, Kenneth Johnson
This talk will focus on deconstructing the FileHistory Catalog that was introduced in Windows 8 and is still present in Windows 10. I will look at other artifacts that are important on the host systems before diving into teaching the attendees how to understand the FileHistory Catalog that shows what files were present and backed up by the system. Examiners will be able to identify when a specific file was first identified in a Directory/Library that is part of the backup, as well as identify when it was removed/deleted from those same Directories. This allows Examiners to prove the presence of a file and how long it was being backed up by the system. I will showcase my tool that allows examiners to quickly produce an XLS report with the important information regarding these files.
Tricks, tips, and techniques to Exploit Kit/DRIVEBY analysis, hunting, protection, Will Metcalf
A how-to guide for detection, analysis, replay, and protection from Drive-by downloads and Exploit kits. I have spent the last couple of years tracking, observing and creating IDS signatures for exploit kits and their associated payloads, which, in talking to many people, seems to be a little-understood topic outside of the high-level blog posts that occasionally make it into their Twitter feed. I think my presentation will enlighten people on a topic they should have interest in.
Anatomy of a Full Scale Social Engineering Attack, Dave Nelson
This session will show how to perform a full scale social engineering attack against an organization using multiple attack vectors over an extended period of time to gain knowledge, insight and a physical foothold in the targeted organization. According to the 2014 VDBIR 35% of reported attacks had a social engineering aspect to the attack. We often hear about phishing but rarely do we see how a coordinated social engineering attack can so completely compromise an organization. Attendees will learn how attack vectors can be used to build a complex attack campaign against which there is no technical fix. Only through awareness and training of our end users can we hope to slow or stop these attacks.
Zombies on the Airwaves, Evan Davison
50 years of obsolescence hasn't taught us anything apparently! Get prepared for a modern day "War of the Worlds" on a scale Orson Welles couldn't have imagined! On a typical morning you hear the familiar "EEEERRRR" tone on the radio or television and turn it up for the latest Severe Weather Advisory but instead hear "A nuclear bomb has hit Atlanta. The CDC is destroyed and zombies are roaming the earth!" Pretty far-fetched right? Maybe instead you hear "A terrorist attack has destroyed…insert place." Starting to hit home? We'll show you the vulnerabilities in the Emergency Alert System (EAS) that will allow you to create your very own emergency. We'll show you the tools, the technology, and the joke that is security in the EAS. But we won't stop there! With newly mandated updates to the EAS, you'll soon be getting unsolicited messages on your phones, the internet, and elsewhere. But with these new mandates, surely they established security requirements right? The discussion will continue on the future of the EAS and its replacements by the Commercial Mobile Alert Service (CMAS) and other systems. We’ll show you how these systems could be leveraged to broadcast your plea for rescue far beyond your imagination. Even if you don't hack the EAS (and I'm not saying you should), I'm sure you'll find the discussion eye-opening and engaging in an area where RF hacking and critical infrastructure collide to create one hell of a mess!
Security by Design in a Continuous Deployment Shop, Nathan Gibson, Alex Hart, Nick Starke
Continuous deployment is a practice used in software development to automate and improve the process of software delivery. Maintaining, analyzing, confirming, and reporting on the status of required information security, compliance, and privacy controls is a difficult and significant task for software and security engineers. This talk discusses real world applications and examples for integrating Security by Design with your Continuous Deployment environment. Tools include the use of Jenkins, Chef, Metasploit, Fuzzers, vulnerability scanning (Nexpose), test driven development and system hardening.
Hacking the Job Market, Josh More
There is considerably more skill in the IT and security communities than is reflected in the jobs people are able to attain. Most people's limiting factor in their ability to get better jobs is not technical skills or even the soft skills necessary to do well in a new job. It is that getting a job is a completely different skill set and one that most people only practice every few years. We live in a world where our personal data is no longer ours to control. Fortunately, that applies to our prospective employers as well. It's time to turn the world's proliferation of data to our advantage. This presentation explains the job hunting process, why the most commonly followed models fail and how to better approach the search. It covers deciding to leave your current job, researching new possible job opportunities, targeting your new boss, controlling the job interview process and negotiating your new compensation and the departure from your current job.
Integrating Vulnerability Scanning into the SDLC, Eric Johnson
The Agile and DevOps software development lifecycles present interesting challenges for application security. How can security keep up with the rapid development cycles, constantly changing code base, and continuous deployment schedules? The answer lies with an automated security framework that is integrated into the development lifecycle. This presentation will demonstrate how to integrate a new application security testing framework into your build environment. Popular open-source vulnerability scanners, such as the Zed Attack Proxy (ZAP), will be leveraged to provide real-time feedback to development teams, allowing them to remediate vulnerabilities before they reach production.
Assessing Network Sandboxing Solutions, Jared McLaren
It seems that no network security model is complete without the addition of an automated malware analysis product. These systems keep an eye on the wire for potentially malicious files and study their behavior in a presumably safe, sandboxed environment. With the number of products rushing to market in this space, it’s essential that security professionals be armed with information about their operation, effectiveness and pitfalls. This talk will give the attendee actionable information regarding general architectures, product assessment, vendor “gotchas”, and how to take advantage of automated detonation.
Adversarial Testing through Unconventional Offensive Breach Techniques, Dan Kottmann
Traditional vulnerability scanners and pentests, although useful and valuable in an overall security program, generally lack the context and comprehensiveness to fully evaluate the risk of identified vulnerabilities. Breach assessments (i.e. blended assessments commonly referred to as Red Team testing in the military) identify risk in a multi-faceted, opportunistic manner that closely simulates the style and approach of an actual attacker. This style exposes valuable information within a context, demonstrating typically unidentified weaknesses, chained attack opportunities, and actual severity.
Using anecdotes based on the presenters' experience, the presentation will highlight the following:
- Critical vulnerabilities not commonly identified
- Effective and ineffective defensive measures commonly encountered
An emphasis will be placed on understanding potential attackers while not underestimating their creativity. The intended message will be twofold. First, organizations can take specific actionable measures to greatly increase their security posture (these measures will be common themes of the anecdotes discussed and will be highlighted as kill chain disruptions). Second, organizations should be doing more than relying on traditional vulnerability scanners and penetration tests to better capture context, opportunity, and attacker creativity.
Secure Process Isolation with Docker, Greg Rice
Docker is rapidly growing in popularity as a lightweight mechanism to deploy software applications within virtualized containers across any Linux system. Docker provides strong resource isolation and security without the need for separate operating systems or additional virtualization overhead. In this presentation, we will present an overview of Docker and describe its present virtualization and isolation capabilities. The presentation will describe the intrinsic security features of Docker containers, secure configuration of containers, and common techniques to harden the underlying OS kernel. The presentation will review Docker’s benefits and disadvantages over traditional virtualized OS infrastructures as well as other common Linux containerization systems, demonstrating Docker’s effectiveness in establishing process isolation.
Update from SA Jordan Loyd, FBI Cyber Investigations & Iowa InfraGard
Special Agent Loyd has been with the FBI since 2009 in New York City where he conducts investigations into computer intrusions with criminal and national security focus. Prior to being assigned to Cyber investigations in mid-2010, SA Loyd conducted operations targeting organized crime entities in the New York area. Prior to the FBI, SA Loyd served as a Network Manager for six years.
A Guide to Hacking the OWASP Top 10 (Full Day Course)
The publicized security incidents of the past year have shown us that managing and improving the application security in your organization is a top priority. Unfortunately, application security is often not prioritized because management and development teams do not understand the types of threats their applications face after deployment. Instead, new features are prioritized and existing vulnerabilities lie dormant within an application until it is too late.
This course provides you with an understanding of the web application vulnerabilities published in the OWASP Top 10. You will learn how an attacker exploits these issues, how damaging they can be to your organization, and how to help your development teams defend your applications.
A1 Injection
A2 Broken Authentication & Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object Reference
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Prerequisites
This is a course designed to help management, security professionals, and development teams better understand the importance of web application security in your organization. No experience in security is required to take this course. As you will discover in this course, given the right tools, hacking the OWASP Top 10 is simpler than you might think.
Requirements
The instructors will be walking through live demonstrations during this course, and participants are welcome to follow along. If you would like to do so, bring a laptop (Windows, Mac, or Linux) with at least 3 GB RAM, 10 GB of free disk space, and a working USB drive. VirtualBox and VMware virtual machines will be provided for participants to load onto their laptop. Please ensure your laptop has one of the following installed:
VirtualBox is free and open source: https://www.virtualbox.org/.
VMware has trial versions available (Player, Fusion, Workstation):
http://www.vmware.com/products/player/
http://www.vmware.com/products/fusion/features.html
http://www.vmware.com/products/workstation
Topics I would like to hear about
Planners
Volunteers
Participants
Name | Twitter/Email | Day 1 | Day 2
Kenneth Johnson | Patories | |
Task List
(please -cross out- when it's done)
Tech
Wifi
Projector, White Boards
Photo
Video
Audio
Streaming or Stickam or Skype or Ustream or Livestream
Non-tech
Breakfast
Lunch
Coffee/Tea
Tables and chairs
Tags for Flickr, Twitter, blog, etc.
Please use the tag #Bsideslocation for content related to this event
Who's blogging?