Track Two
You voted, and here are the results:
Time: 10:15 - 11:15
The Realex Payments Application Security story, narrated by Security Ninja
David Rook - @securityninja
Bio: David Rook is the Application Security Lead at Realex Payments in Dublin. He is a contributor to several OWASP projects including the code review guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF CON, BlackHat USA and RSA Europe. In addition to his work with OWASP David created a security resource website and blog called Security Ninja. The Security Ninja blog has been nominated for five awards including the best technology blog at the Irish Blog Awards, the Computer Weekly IT Security blog award and was a finalist for the Irish Web Awards Best Technology Site. David received a Developer Security MVP award from Microsoft in 2011 and 2012 as well as the SC Magazine Europe 2012 Rising Star award. David strives to practice what he preaches and has backed up his work experience by developing two open source security code review tools called Agnitio and the Windows Phone App Analyser.
Abstract: "As the old British Telecom adverts used to say, it's good to talk, so I thought now was a good time to talk about how we do application security at Realex Payments. Rather than just talk about where we are today this talk will focus on the lessons learned over the past five years and what I'd do differently if I could do it all again. I will tell the story of how application security has worked and evolved in a fast growing technology company from the day we created our first application security role in the business to our current application security approach. The story will include how we scaled application security to keep up with the changes in a fast growing business, how playing card games with developers was one of the best things we've ever done and how following the KISS principle in the early days of an application security program is vital.
You will see how we have progressed from having no dedicated application security resources to our current staffing levels and how our goals have evolved from simply security reviewing our applications to more grand goals such as wanting to provide free application security training for anyone in Ireland. This isn't an application security talk focusing on the theory and approaches that seem good on paper. You will have the opportunity to learn the lessons from five years of real world application security from the person who was at the centre of application security in Realex Payments. Following on from the success of Agnitio I will be releasing three new open source application security tools I have developed in this talk. These tools have helped improve application security reviews, reporting and visibility in Realex and I hope they will do the same for you! The Ninja News Daily said "5 stars! The Realex Payments Application Security story is a gripping story of one ninja's journey through five years of application security. Do not miss!"
The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.
Time: 11:30 - 12:30
How to build a personal security brand that will stop the hackers, save the world and get you the girl
Javvad Malik - @J4vv4D
Bio: Javvad Malik is a Senior Analyst in the 451 Enterprise Security Practice, providing in-depth, timely perspective on the state of enterprise security and emerging trends. Prior to joining 451 Research, he was an independent security consultant, with a career spanning 12+ years working for companies including NatWest Group, Royal Bank of Scotland Group, Halifax Treasury Services, Tesco Bank, Lloyds Banking Group and BP. Javvad is an active blogger, video blogger and contributor to the information security community. His articles have been published in several online and offline publications, and he is a coauthor of The Cloud Security Rules book. Javvad was a founder of the Security B-Sides London conference, and in 2010 was named as a finalist for SC Magazine's Blogger of the Year award.
Abstract: "You're a security professional, but even your boss doesn't remember your name. Your brilliant ideas aren't listened to, you're never invited to speak at conferences and not even your mother visits your blog. In this talk I will take you down a journey of self-discovery that took me 3 years and went from another faceless security dude, to someone in control of my personal security brand. What worked, what didn't work and all the behind-the-curtain magic exposed. If you're into building your personal brand, making your voice heard amongst the hundreds of security 'rockstars' and dinosaurs who get all the attention - this is the talk for you to attend."
The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.
Time: 12:45 - 13:30
HTML5: attack and defense
Ksenia Dmitrieva
Bio: Ksenia Dmitrieva is a Security Consultant with Cigital, Inc. and has several years of experience developing and securing web applications. Ksenia holds a Master of Computer Science degree from George Washington University. As a consultant, her customers include Bank of America, Morgan Stanley, IBM, EA and Sony, where she has performed penetration testing and code review, focusing on web applications, web services and new web frameworks. Ksenia's current concentration is on studying new web technologies, their security implications, vulnerabilities and how these could be discovered and remediated.
Abstract: "With the emergence of HTML5, web applications become more interactive and responsive. Using Web Workers for multithreading and Web SQL for storing data on the client side, HTML5 applications start to resemble desktop applications. But what new attack opportunities do the new technologies bring? How can we exploit Cross-Origin Resource Sharing, Web Messaging, Web Storage and iframe sandboxing? And how do we write secure code that is resilient to these attacks? Several common vulnerabilities will be presented during this talk together with code examples of how to do things right."
The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Any Geek. This is a new talk and it can be filmed and released.
Time: 14:30 - 15:30
Dissecting Targeted Attacks - Separating Myths from Facts
Candid Wuest - @mylaocoon
Bio: Candid Wuest holds a master of computer science from the Swiss Federal Institute of Technology (ETH) and various other certifications. When the sun is shining he works for Symantec's global security response team, where he has been going far beyond anti-virus signatures during the last ten years. He researches new threat vectors, analyses trends and formulates new mitigation strategies. He has published various articles and appeared in magazines and TV shows. He is a frequent speaker at conferences like VB & RSA and one of the organizers of hashdays. He learned coding and the English language on a Commodore 64.
Abstract: "A lot of media do report on targeted attacks or so called APTs, but how sophisticated are those attacks really? Flamer & co. are only the tip of the iceberg and even they had flaws. Most of the attacks are not so smart at all, but nevertheless successful. I will elaborate on the common methods of targeted infection & exfiltration happening every day around the globe, explaining the methods and tools used by the attackers with real life examples. I will show why they successfully bypass most security tools and analyse where these attacks differ from the common malware flood."
The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Any Geek. This talk has been presented at other conferences and it can be filmed and released.
Time: 15:45 - 16:45
I'm the guy your CSO is STILL warning you about!
Gavin 'Jac0byterebel' Ewan - @jac0byterebel
Bio: Gavin 'Jac0byterebel' Ewan is a ranty, shouty, sweary Scottish hacker. After selling lots of things to lots of people, he decided to get firmly into the field of information security, always having been a geek at heart. Having taken his education and training in psychology, particularly sales psychology, into the field of social engineering, he is now re-writing the social engineering rulebook and chasing out the snake-oil salesmen. Already a successful speaker, Gavin has delivered talks on social engineering worldwide to various audiences.
Abstract: "'I'm the Guy your CSO warned you about' was not your typical social engineering talk. Out went the snake oil sale of analysing the minutiae of pop psychology and trying to squeeze out real answers to the questions asked during a real social engineering attack. In came a hard hitting account of a social engineering attack drawn from real sources but anonymised to protect the pwned. Deano, our 'hypothetical' bad-guy, hacked and social engineered his way to cash in his pocket and no cash in your pocket, but despite the warnings, y'all didn't listen enough. This talk will see our hypothetical bad guy, Deano, up the stakes and deliver the kind of aggressive attack you have all lived in fear of. No longer a phone call to get your credentials, or a rogue e-mail to direct you to a fake website, this time it's personal and Deano is looking to do you REAL damage. Still drawing on real data from anonymised sources, from the account given of this attack, attendees of the talk will see that a real social engineer doesn't once pick up a psychology textbook. Deano will instead pose you a question - "What if Joe Bloggs on the street had access to the kind of skills and instructions to destroy all my data?". Live in fear of Hacktivism? You won't sleep at night after meeting Deano this time.
If you want an hour of being told that 'looking to the right makes you easier to social engineer', go to another talk. If you want to see how the real bad guy operates, and talk about how to defend against him, then I look forward to seeing you there."
The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.
Time: 17:00 - 18:00
Playing CTFs for fun & profit
Tim P - @impdefined
Bio: By day I'm a software developer. By night I like taking things apart and seeing how they work. I got interested in wargames and CTFs about 18 months ago, and have played and learned a lot in the last year and a half. This year (2012) I won the 44CON CTF and went home with some sweet lewt.
Abstract: "Want to know what's involved in playing a Capture The Flag contest? These competitions are a great way to put your skills into practice, and learn a lot along the way! I'll be talking about CTFs and wargames in general, and then going through some of the 44CON CTF 2012 challenges in detail. There will be code! Note that this will be an expanded version of the talk I gave at DC4420 in November 2012."
The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies. This talk has been presented at other conferences and it can be filmed and released.