Recent News

  • Training Discounts Announced!

    May 23, 2013

    Lots of training discounts have been announced. Register fast before the spots fill up!

  • 5HAKACON ALMOST HERE!

    May 6, 2013

    Less than a month and a half to go! Register soon to guarantee your spot!

  • All Speakers Selected!

    April 18, 2013

    All Shakacon speakers & trainings announced! Register soon to guarantee your spot at the Con!

  • Conference App Available

    March 19, 2013

    For up to date schedule information, speaker bios, sponsor information and more, download the app here:
    http://www.eventboardmobile.com/download_web.html

Sun, Surf, and C Shells

People from all over the world are coming to 5hakacon! You should too!


Shakacon, an Information Technology (IT) Security Conference, is back and ready to invite business executives, government and military officials, security professionals, and IT enthusiasts to participate in Hawaii's only Call for Papers-based IT security conference.


We decided it was time to bring some top notch technical talent back to one of the most remote locations on earth.

Sitting around somewhere freezing your a$$ off? Dreaming about warm days, rainbows, decadent tropical drinks sipped out of coconuts? Sure you could drop your 0day in Vegas, bring down the Internet in Germany, or satisfy your dark desires in Asia; however, wouldn't you rather submit your research or topics to our CFP and maybe win yourself a paid trip to Hawaii?

Call For Papers

888888888  888    888        d8888 888    d8P         d8888  .d8888b.   .d88888b.  888b    888
888        888    888       d88888 888   d8P         d88888 d88P  Y88b d88P" "Y88b 8888b   888 
888        888    888      d88P888 888  d8P         d88P888 888    888 888     888 88888b  888
8888888b.  8888888888     d88P 888 888d88K         d88P 888 888        888     888 888Y88b 888
     "Y88b 888    888    d88P  888 8888888b       d88P  888 888        888     888 888 Y88b888
       888 888    888   d88P   888 888  Y88b     d88P   888 888    888 888     888 888  Y88888
Y88b  d88P 888    888  d8888888888 888   Y88b   d8888888888 Y88b  d88P Y88b. .d88P 888   Y8888
 "Y8888P"  888    888 d88P     888 888    Y88b d88P     888  "Y8888P"   "Y88888P"  888    Y888
Who: Shakacon Crew
What: 5hakacon
When: June 25-28 2013
Where: Paradise aka Honolulu Hawaii (nuff said)
Why: Why NOT?
How: By plane, boat, canoe, yacht, hydrofoil, stand-up paddle board, jetski, long board, dolphin, whale sled, nuclear submarine...

[Overview]

Want to learn the Hula while increasing your security skills? Want to attend a conference where you can grab a drink with some of the top security minds in the industry? Want to surf the beautiful waters of the pacific in the morning and then drop some 0day in the afternoon? Sitting around somewhere freezing your a$$ off? Dreaming about warm days, rainbows, decadent tropical drinks sipped out of coconuts? Sure you could drop your 0day in Vegas, bring down the Internet in Germany, or satisfy your dark desires in Asia; however, wouldn't you rather submit your research or topics to our CFP and maybe win yourself a paid trip to Hawaii? If the answer to any of the above is yes then we are your conference.

The Shakacon security conference is a laid back conference where industry, government, academia and independent experts will get together to share knowledge and experience in one of the most beautiful places on Earth.

Shakacon will offer local, national, and international participants a casual, social, learning environment designed to present a "holistic" security view and the opportunity to network with peers and fellow enthusiasts in a relaxed setting. Leave your ego at the airport (or shoreline if you come in via another method) as we look forward to attendees varying in skill level from N00b to Ninja.

During the day, sessions will include: best practices, case studies, research projects, etc. covering all different aspects of the information security landscape. There will be something for everyone and if sitting through talks isn't your cup of kava, there will be exciting events and contests for you to sharpen your skills and knowledge on.

You will not want to miss the closing ceremonies, where we pour enough alcohol to convince some introverted security geniuses to get up on stage and dance the Hula.

[Trainer Opportunities]

Don't want to speak at the Con but have an uncanny ability to teach and a proven track record for delivering quality courseware and want to come to Hawaii? We're also interested in bringing in trainers to provide world class training leading up to Shakacon (June 25 and 26). Submit a synopsis/class agenda, prior teaching experience, and maybe get selected to teach in Hawaii.

[CFP Details]

We have a very limited number of spots so get your submissions in early to ensure you get a spot.

(1) Abstract for papers must be submitted to the review committee by _February 22, 2013_.
(2) Selection notification will occur by _March 1, 2013_ and abstracts posted to the site by _March 15, 2013_.
(3) Full Slides for your papers must be submitted by _May 15, 2013_.

CFP Review Committee:

Caleb Sima - BlueBox
Katie Moussouris - Microsoft
Colin Ames - Attack Research
Matthieu Suiche - MoonSols
Vincenzo Iozzo - TiQad
Kent Backman
Jonathan Brossard - Toucan Systems
Jeremiah Grossman - Whitehat Security
Daniel Hodson
Kris Harms - Cylance
Mark Ryan Talabis - Secure DNA
Chris - Secure DNA
Jason Martin - Secure DNA

As mentioned, there are a limited number of speaking sessions for which the conference organizers will provide travel and accommodations so please submit your abstract early if you are interested in speaking. Speaking slots will be 55 minutes long (45 minutes for your talk and 10 minutes for Q&A).

The audience will be a broad mix of professionals, academics, and enthusiasts, so we welcome both technical and non-technical submissions on all aspects of security. The key criteria are practicality and timeliness. We want to provide our attendees with up-to-date materials they can take away and immediately benefit from, as well as new research or tools. Absolutely NO SALES presentations will be accepted.

Proposals should include:

Subject Line: "Shakacon CFP Submission: <paper title>, <your name>"

Body:

1. Name, address, and contact info.
2. Employer and/or affiliations.
3. Brief biography.
4. Presentation experience.
5. Topic summary.
6. Reason this topic should be considered.
7. Other publications or conferences where this material has been or will be published/submitted.

Please include plain text of all information provided in the body of your email as well as any file attachments.
The plain text information will be reviewed first to find the most suitable candidates.

Please forward the above information to cfp at shakacon.org in order to be considered.

[Media Partners]

We are media friendly. Please email info at shakacon.org for inquiries about press passes.

ALOHA FROM THE SHAKACON CREW!

Pricing

Cost*: $275

*ISSA, ISACA, Infragard, Active Military, Federal Government Employees, Students and current Secure DNA customers, please contact info@shakacon.org for discount information

5hakacon Training and Conference dates: June 25-26, 2013 Training 8am-5pm and June 27-28, 2013 Conference 8am-6pm.

Register Here

Day 1 & Day 2

Tuesday, June 25, 2013

  • Registration for Trainings & Conference: 7:30am-8am

    Location: Galleria off of Ward Avenue

    Trainings: 8am-4pm

    Location: Hawaii Suites

Wednesday, June 26, 2013

  • Trainings: 8am-4pm

    Location: Hawaii Suites

Day 3 & Day 4

Thursday, June 27, 2013


  • 7:00 AM Registration Opens - Galleria
  • 8:00 AM Opening remarks
  • 8:15 AM Rob Goldberg - Managing Security Risks at the Speed of Business
  • 9:15 AM Colin Ames - Smart Cards and Single Sign On - The Dark Secrets of Windows Enterprise Authentication & Credentials
  • 10:15 AM Break (15 minutes)
  • 10:30 AM Kyle Maxwell - Open Source Threat Intelligence
  • 11:30 AM Deviant Ollam - Android Phones Can Do That?!? Custom Tweaking for Power Security Users
  • 12:30 PM Lunch - Galleria
  • 1:45 PM Neil Matatall - Automating Application Security + Continuous Delivery
  • 2:45 PM Robert McPherson & Ryan Talabis - The World of Security Seen Through Analytics
  • 3:45 PM Break (15 minutes)
  • 4:00 PM Rahul Kashyap - How Trustworthy are your Sand (de)fences?
  • 5:00 PM Max Sobell - Android 4.0: Ice Cream "Sudo Make Me a" Sandwich
  • 6:00 PM Networking Happy Hour - Galleria

Friday, June 28, 2013


  • 7:00 AM Registration Opens - Galleria
  • 8:00 AM Opening remarks
  • 8:15 AM Jason Shirk - Privacy for Security Geeks - Dancing with Lawyers
  • 9:15 AM Nikita Tarakanov - Exploiting Hardcore Pool Corruptions in Microsoft Windows Kernel
  • 10:15 AM Break (15 minutes)
  • 10:30 AM Kevin Cardwell - Defense is not that hard? So, why is no one doing it right?
  • 11:30 AM Andreas Kurtz - Pentesting iOS Apps - Runtime Analysis & Manipulation
  • 12:30 PM Lunch - Galleria
  • 1:45 PM Yaniv Miron & MC - F**k 0-days, We Will Pwn U with Hardware Mofos ###
  • 2:45 PM Dan Tentler - Shodan: Computer Search Engine
  • 3:45 PM Break (15 minutes)
  • 4:00 PM Scott Behrens & Ben Toews - State of the Union: Advances in Web Application & Browser Security
  • 5:00 PM Brian Lockrey - Social Media Digital Forensics
  • 6:00 PM Paul Rascagneres - The Reality About Red October
  • 7:00 PM Networking Happy Hour with live music & appetizers - Galleria

Speakers

Below you will find the selected speakers for 5HAKACON:



Name: Robert Goldberg

Bio: Rob is the Vice President of Global Information Technology (IT) and eCommerce Audit for Wal-Mart Stores, Inc. Rob leads a global team providing independent, objective audit and advisory services by identifying and evaluating risks and controls within Walmart's global IT and eCommerce environments and the related business processes. Rob works to ensure that Walmart's IT and eCommerce assets and processes are protected and optimized in a way that supports the achievement of Walmart's business strategy. Rob joined Walmart in October 2009 after a 15-year career in professional services, providing audit and consulting services to clients in many industries around the world. Prior to Walmart, Rob was a Partner with KPMG's IT Advisory practice in Sydney, Australia, where he was the Asia Pacific lead partner for KPMG's Information Protection and Business Resilience (IPBR) services. In this capacity, he was responsible for leading, managing and delivering strategic and tactical projects focused on IT, information security, privacy, IT audit, business continuity, crisis management and disaster recovery for regional and global companies throughout the Asia Pacific region. Prior to KPMG, Rob spent five years with Accenture (formerly Andersen Consulting), focused on IT architecture, large systems development, IT project management and information security. Rob has a Bachelor of Science degree in Computer Engineering from the University of Florida.

Topic: Managing Security Risks at the Speed of Business

Summary: The world around us continues to change at an alarming rate. New markets emerge almost weekly which threaten the staying power of tried and tested business models. In response, businesses look for ways to adapt and innovate to maintain their relevance at the speed of change occurring in the world around them. The key enabler to maintain relevance, sustain growth and adapt is technology. But here is the catch: our rate of technology adoption far outweighs our rate of controls adoption. This increasing gap may create a recipe for disaster if new approaches to IT security risk management are not applied. During this keynote, Rob will explore some of the key trends occurring in business and how technology is influencing those changes. Rob will then provide techniques that can be applied to better understand the IT security risk landscape and focus IT security risk management efforts in a way that will best leverage company resources, maximize value to the business and maintain pace with the rapidly changing world of business.



Name: Nikita Tarakanov

Bio: Nikita Tarakanov is an independent information security researcher who has worked as an IS researcher at Positive Technologies, VUPEN Security and CISS. He likes writing exploits, especially for the Windows NT kernel, and won the PHDays Hack2Own contest in 2011 and 2012. He also tried to hack Google Chrome during Pwnium 2 at HITB2012KUL but failed. He has published a few papers about kernel mode drivers and their exploitation and is currently engaged in reverse engineering research and vulnerability search automation.

Topic: Exploiting Hardcore Pool Corruptions in Microsoft Windows Kernel

Summary: With each new version of the Windows OS, Microsoft enhances security by adding mitigation mechanisms. Kernel-land vulnerabilities are getting more and more valuable these days; for example, the easy way to escape from a sandbox (the Google Chrome sandbox, for instance) is by using a kernel vulnerability. That's why Microsoft struggles to enhance the security of the Windows kernel. The kernel pool allocator plays a significant role in the security of the whole kernel, and since Windows 7 Microsoft has been hardening it. Tarjei Mandt (aka kernelpool) has done a great job analyzing the internals of the kernel pool allocator, including attack techniques, mitigation bypasses, etc. In Windows 8 Microsoft has eliminated almost all reliable techniques for exploiting kernel pool corruptions. However, Tarjei's attack techniques need a lot of prerequisites to succeed, and unfortunately there are many types of pool corruption where they don't work. What if there is no control over the overflown data? What if the data is constant (zero bytes) and you have no chance to apply one of Tarjei's techniques? What if there is an uncontrolled continuous overflow and a #PF and BSOD are unavoidable? So what to do? Commit suicide instantly? NO! Come and see this talk! This talk presents a technique for 100% reliable exploitation of kernel pool corruptions. This unique technique works from NT 4.0 up to and including Windows 8.



Name: Colin Ames

Bio: Colin Ames is a founding Partner and Security Researcher with Attack Research where he consults for both the private and public sectors. He's currently focused on Pen testing, Exploit Development, Reverse Engineering, and Malware Analysis.

Topic: Smart Cards and Single Sign On - The Dark Secrets of Windows Enterprise Authentication and Credentials

Summary: Smart Cards and two-factor authentication have often been touted as advanced solutions in enterprise network security. However, the reality is that Windows enterprise implementations of Smart Cards with Single Sign On (SSO) provide a false sense of security. This false sense of security hides the dark secrets of Windows authentication and credentials behind a veil of policy, procedure, and show. This talk will focus on Windows enterprise authentication and credentials, specifically their use and misuse. This talk will provide an in-depth explanation of Windows enterprise authentication and credentials, as well as real-world examples of authentication and credential exposures that exist in Windows enterprise networks. Several known and unknown techniques and tools for Windows credential exploitation will be demonstrated, including attacks against Windows enterprise Smart Card deployments.



Name: Robert McPherson and Ryan Talabis

Bios: Bob leads a team of data scientists for a Fortune 100 insurance and financial services company in the US. He has 13 years of experience as a leader of research and analytics teams, specializing in predictive modeling, simulations, econometric analysis, and applied statistics. Bob has over 26 years of experience in insurance and financial services, where security concerns are of paramount importance in protecting customer and account information. Bob is currently one course away from completing a Master's in information management from the Harvard Extension School. He also holds an MBA from the University of Phoenix and the Project Management Professional certification, as well as several insurance and financial services related designations.

Ryan is a Manager for the Secure DNA Consulting practice. He is co-author of the book Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis (Syngress). He has extensive experience in information security risk assessments, information security policy and program development, vulnerability assessments, and penetration testing. He also has specialized expertise in security analytics and data mining as applied to information security. He has a Master's degree in Information Technology from Ateneo de Manila University; as well as several security related certifications and designations. He has presented in various conferences and organizations around the world including Blackhat, DEFCON, INFRAGARD, ISSA, and ISACA and has a number of published papers to his name in various peer-reviewed journals. He is an alumni member of the Honeynet Project and is currently one course away from a Master of Liberal Arts (ALM) in Extension Studies degree from Harvard.

Topic: The World of Security Seen Through Analytics

Summary: Analytics. Well, you've probably heard about it. It's being discussed from scientific papers to board rooms, from textbooks to the water cooler. It is a buzzword that a lot of companies use to be perceived as cutting edge (like living in a Smarter Planet!). But under all the hype, analytics, when it comes down to it, is simply discovering meaningful insights in data. What you probably don't know is that analytics is everywhere now: when applying for insurance or a loan, when someone calls you about a credit card purchase, or even when you see an ad on a website! In this talk, Bob and Ryan will give us a glimpse of what analytics is all about and, more importantly, how we as security professionals can utilize it in our day-to-day activities. Have you ever tried to look through millions of lines of security logs manually? Have you ever tried to make sense of hundreds of thousands of vulnerability results? Has your boss ever asked you to review years' worth of VPN access logs? Did you ever want to analyze the trends of exploit development to see if any of your systems are at risk? Do you need to be a statistics or algorithm guru for this? No! Do you have to buy a fancy server appliance and business intelligence software? Not really! In this talk, Bob and Ryan will show you step by step (yes, there will be live demos) how to use readily available open source analytics tools and techniques such as text analysis, outlier detection, and clustering to augment dreary security chores. This will get you started on becoming the resident security analytics guru in your workplace!



Name: Max Sobell

Bio: Max is a senior consultant with the Intrepidus Group in frequently-way-too-hot-or-cold New York City. He heads to warmer weather any chance he can get, under the guise of work or conferences. While stuck in NYC, he frequently reviews devices prior to their release for a range of security vulnerabilities. The weather gives him plenty of time to stay indoors and research NFC, Bluetooth, and other radio technologies. Before working in security, Max was suckered into designing algorithms for high-speed trading at hedge funds, an experience that now helps to keep him off Wall Street. Max is a licensed HAM operator and contributes chapters to several best-selling Linux books. He has presented at ShmooCon, CanSecWest, EuSecWest, SecTor, and various local conferences.

Topic: Android 4.0: Ice Cream "Sudo Make Me a" Sandwich

Summary: With the advent of Android 4.0+, we have seen the rooting landscape shift dramatically. This presentation gives a brief but highly technical overview of the most ingenious new types of attacks on 4.0+. We will give an overview of Android's device protection mechanisms in 4.0+ and how they can be circumvented or unintentionally undermined by device manufacturers. Each device manufacturer and carrier can add or modify code from the Android Open Source Project (AOSP). This can include access to device memory, exploitable processes which run as the root user, initialization scripts which perform privileged actions without proper validation, or APKs which leak access to otherwise-protected information sources. This talk will examine what carriers and device manufacturers are doing to prevent (or assist) customers rooting their devices. We will also detail /boot and /recovery differences between OEMs, how signature checks are performed, and demonstrate some of our tools to examine new devices and find potential security flaws. This talk is not about exploiting the AOSP, but rather identifying mistakes and misconfigurations due to customized builds and additional features.



Name: Kyle Maxwell

Bio: Kyle Maxwell is a senior network security analyst for Verizon Business on the RISK Intel team, producing unclassified threat intelligence for private and public sector clients as well as supporting field investigators. He writes a blog on threat intelligence and network security at ThreatThoughts.com. Previously, he led the incident response team at Heartland Payment Systems and performed digital forensics for clients across the United States at several private investigation firms. Mr. Maxwell holds a degree in Mathematics from the University of Texas at Dallas.

Topic: Open Source Threat Intelligence

Summary: Organizations can no longer rely purely on general, preventive controls. Instead, defenders must continually adapt to their adversaries, including using threat intelligence as appropriate. This talk will examine a number of tools and sources of "open source" intelligence (OSINT) focusing on network indicators, malware, and threat actor tracking. We will also look at how to extend and integrate these tools and sources with existing common technologies for already-stressed incident response teams.



Name: Andreas Kurtz

Bio: Andreas Kurtz is co-founder of NESO Security Labs, an independent information security consulting and research company based in Germany. He has several years of professional experience in conducting penetration tests for large-scale enterprises, corporations and public authorities, as well as conducting trainings, presentations and workshops. Currently, he is focused on researching the security of mobile devices and mobile applications for the chair of IT Security Infrastructures at the Friedrich-Alexander-University Erlangen-Nuremberg in Germany.

Topic: Pentesting iOS Apps - Runtime Analysis and Manipulation

Summary: Security testing of mobile apps and their environment has become increasingly important in recent years. However, there is still a lack of testing methodologies and supporting tools. Accordingly, the objective of this presentation is to close that gap. As in any kind of software security assessment, two different approaches exist: static and dynamic analysis. While static analysis gives detailed insights into a mobile app, it is not always the most practicable way. To evaluate the security level of a mobile app within an economically reasonable timeframe, it is worthwhile to combine both static and dynamic analysis. During this talk, I will explain the basic concepts of Objective-C and its runtime. Objective-C supports the concept of reflection, also known as introspection. This describes the ability to examine and modify the structure and behavior (specifically the values, metadata, properties and functions) of an object at runtime. Based on this dynamic nature of the Objective-C runtime, I will show how runtime analysis and manipulation eases security assessments of mobile apps. For this purpose, I will discuss the background, techniques, problems and solutions of Objective-C runtime analysis and manipulation. I will demonstrate how running applications can be extended with additional debugging and runtime tracing capabilities, and how this facilitates both dynamic and static analysis of Apple iOS apps. Moreover, a new tool to assist dynamic analysis and security assessments of iOS apps will be introduced and demonstrated. This tool allows on-the-fly manipulation of arbitrary iOS apps with an easy-to-use graphical user interface. Thus, bypassing client-side restrictions or unlocking additional features and premium content of apps is going to be child's play.



Name: Paul Rascagneres

Bio: Paul has been a security consultant and security researcher for 10 years. He is the creator of the project malware.lu, a repository of free samples for security researchers which also publishes technical analyses. Paul created the first private CERT in Luxembourg and also does reverse engineering, malware analysis and incident response for several European institutions.

Topic: Reality about Red October

Summary: This presentation will focus on the technical analysis of the malware Red October (announced in January by Kaspersky). The presentation will include the analysis of the exploit, how to recover the dropper, how to unpack the dropper and how to get the final binary (and decrypt it). Finally, I will explain how the malware works. The presentation will include IDA Pro screenshots and a lot of ASM.



Name: Rahul Kashyap

Bio: Rahul Kashyap is Chief Security Architect, Head of Security Research at Bromium. Before joining Bromium, he led the worldwide Vulnerability Research teams at McAfee Labs, a wholly owned subsidiary of Intel. For many years, he has led cyber defense technologies focused on exploit prevention and mitigation for both host and network related products. Rahul has published papers in renowned security journals, and has been a speaker at several security conferences.

Topic: How Trustworthy are your Sand-(de)fences?

Summary: In this talk we cover in-depth architecture details of Windows application sandboxes like Google Chrome, Adobe Reader and Sandboxie. Then we look at the design assumptions these sandboxes make. Are these assumptions the weakest link? After this decomposition, we'll do live exploit demos to bypass these sandboxes; not by exploiting vulnerabilities in them, but rather by exploiting the architectural assumptions. The talk will also cover aspects of Windows internals and kernel mode vulnerabilities, and give ideas on generic ways to pivot out of some sandboxes. For the malware analyst or security practitioner, this talk will also cover the perils of doing unknown malware analysis inside sandboxes.



Name: Scott Behrens & Ben Toews

Bios: Scott Behrens is currently employed as a senior security consultant at Neohapsis and an adjunct professor at DePaul University. An avid coder and researcher, he has contributed to a number of open source tools for both attack and defense. Scott Behrens is the co-developer of NeoPI, a framework to aid in the detection of obfuscated malware. Scott also co-developed BBQSQL, a rapid blind SQL injection exploitation framework. Scott has presented security research at DEF CON, DerbyCon, Security Forum Hagenberg, Security B-Sides Chicago, and ISACA Milwaukee. Scott has also published security white papers for InformationWeek magazine, the Infosec Institute, and the Neohapsis blog.

Ben hacks stuff at GitHub. In past lives, he has been a pentester, a developer, and a security researcher. Ben has spoken at DefCon, ThotCon, DerbyCon, etc, has contributed to various publications, including Hack In the Box Magazine, and has contributed to and maintained numerous open source security projects.

Topic: State of the Union: Advances in Web Application and Browser Security

Summary: Mr. IETF, Mr. W3C, members of the information security community, distinguished developers, and fellow hackers: Ben Toews and Scott Behrens present to you a state of the web security union address. We have seen a surge of proposed standards and governing documents to improve web security. Client-side flaws are being addressed by standards such as Content-Security-Policy and IFRAME sandboxing. Data in transit is being more tightly secured using HTTP Strict Transport Security. There is a plethora of other technologies available, such as X-Frame-Options, the Origin header, Encrypted Media Extensions and X-XSS-Protection. We look at the intricacies of the proposed and accepted standards as well as how they are implemented. Security considerations will be addressed for these technologies from a design perspective and with a discussion of any weaknesses observed. What about which browsers have support for these new security standards? What browsers are supporting security technologies that are not yet standards? Information will be presented that breaks down which browser versions support these technologies as well as estimates of the number of users who run compatible browsers. The defensive side of web application security is moving at a very rapid pace and deserves to be investigated and presented in a way that is useful for both developers and security engineers. Developers should leave this talk with knowledge of how these security technologies work and where they can be applied. Security engineers will have a clearer understanding of these security technologies, including how and when to recommend them as well as some common pitfalls associated with them.



Name: Kevin Cardwell

Bio: Kevin Cardwell is the author of the Center for Advanced Security and Training (CAST) Advanced Network Defense course. He is technical editor of the Learning Tree course Penetration Testing Techniques and Computer Forensics. He is author of the Controlling Network Access course. He has presented at the Black Hat USA conferences. He is a contributing author to the Computer Hacking Forensics Investigator V3 Study Guide and The Best Damn Cybercrime and Digital Forensics Book Period. He holds a BS in Computer Science from National University in California and an MS in Software Engineering from Southern Methodist University (SMU) in Texas. His current research projects are in computer forensic evidence collection on "live" systems, professional security testing and advanced rootkit technologies. He developed the Strategy and Training Development Plan for the first Government CERT in the country of Oman, he serves as a professional training consultant to the Oman Information Technology Authority, and he developed the team to man the first Commercial Security Operations Center in the country of Oman. He serves as an advisor to the Government of Malaysia in the establishment of the Cyber Security and Forensics Asia/Pac Center of Excellence.

Topic: Defense is not that hard? So, why are so many not doing it right?

Summary: According to the Verizon data breach report, 90% of the attacks were not that difficult and would have been prevented with practical security fundamentals, yet we continue to see all of these large companies failing at the fundamentals of defense. Why? In this presentation I will discuss the importance of developing robust ingress and egress filtering to mitigate the threat of sophisticated malware. I will discuss the steps you need to take to defend against the majority of the known attacks. I will show the need for and importance of analyzing your systems' live memory. The talk will conclude with the importance of adding hardware-based protection to your defenses. It is time we test the skills of the hacktivists and start at least doing the fundamentals right.



Name: Jason Shirk

Bio: Jason Shirk has been involved in security, privacy, and telecommunications for close to 15 years, working at Lucent Technologies/Bell Labs, Avaya, and Microsoft, with specialties in social media privacy, fuzzing, and VoIP. He has done work ranging from writing and driving privacy and security policy and programs to penetration testing and incident management/response (and most things in between). Jason also lived in Ukraine and is fluent in Russian and Ukrainian. He is currently the Privacy Manager for Bing.

Topic: Privacy for Security Geeks - Dancing with Lawyers

Summary: Privacy is front-page news on just about a weekly basis. Lawmakers and regulators are scrutinizing privacy like never before. And oh, by the way, privacy is a security problem. As hackers we spend a lot of time protecting the rights and sensibilities of users. We secure users largely by building tools, platforms and libraries to protect said data and other tools and platforms and libraries to break/ruin/steal this data. We can use these non-trivial skills and apply them to Privacy as well. All we need is a little bit of new vocabulary, a nudge in the right direction, and a (slight) tolerance for talking to lawyers.



Name: Neil Matatall

Bio: Neil accidentally started writing code in high school and immediately loved it. Early into his professional career, he transitioned into breaking and fixing code. As a big believer in the open source communities, he has contributed to or authored numerous open source libraries related to testing and developing secure web applications. Today he focuses on enhancing the strength of the platforms Twitter uses to build web applications and providing libraries to augment the existing behaviors.

Topic: Automating Application Security + Continuous Delivery == <3

Summary: Automating application security at any level can prove to be very helpful in continuous delivery environments. We will discuss the techniques used at Twitter to keep up with this pace, including but not limited to: automated workflows integrated with static/dynamic analysis, dynamic scanning (custom/vendor), manual code reviews, framework improvements, libraries, etc. This will include our lessons learned in the last year and how they fit in with our transition to a Scala backend. Our documented wins and fails in each iteration along the way will paint a picture of our progress. This is a slightly technical discussion that is meant to paint the "big picture" of how all the pieces fit together, including what is/will be open sourced. It will cover some language-specific tools, but the content is meant to be generic to any technology stack/shop.



Name: Dan Tentler

Bio: Dan Tentler is the sole proprietor of Aten Labs, a freelance information security consultancy firm in San Diego, and is routinely parachuted into various clients in southern California. Dan carries a wide breadth of clients and engagements, ranging from threat intelligence, to wireless site surveys and penetration testing, to full-blown social engineering campaigns, to lockpicking and threat & vulnerability assessments. Dan has presented at DefCon, BlackHat, Hack in the Box Amsterdam, various BarCamps, ToorCon San Diego, ToorCon Seattle, regional OWASP meetings, Refresh San Diego and SDSU computer security advanced lecture classes. Dan has been interviewed by the BBC, CNN, The San Diego Reader and a variety of information security blogs and publications. If you need a bad guy, call Dan.

Topic: Shodan Computer Search Engine: 2013 Edition

Summary: Ever hear of the Shodan Computer Search Engine? This young project scans the Internet IPv4 space, collects banners from exposed systems' services, and places them in a searchable database. The impact of Shodan over the past few years is significant, with multiple DHS ICS-CERT advisories on exposed systems, several hacker conference talks, and valuable integration into other tools like Metasploit. We'll cover Shodan's capabilities, the API and a special focus on some of the scariest and sp00kiest devices discovered on the Internet via Shodan, including: SCADA, traffic lights, lawful intercept CALEA, giant mining trucks, TV station antennas, gasoline pumps, crematoriums, and more! Attendees can expect an eye-opening talk where they'll learn about a powerful tool one can leverage to see their own networks in a new light and use as an awareness and metrics tool in their own organization.



Name: Yaniv Miron & MC

Bios: Yaniv Miron is a security consultant and researcher currently working at FortConsult in Copenhagen, Denmark. Yaniv performs penetration testing and security assessments for international businesses and organisations. Yaniv is the founder of the largest Israeli hacking convention, IL.Hack. Yaniv is certified as a CISO by the Israel Institute of Technology and is a Certified Locksmith. Yaniv has spoken at security and hacking conferences all around the world (BlackHat/SyScan/PoC/CONFidence/HackerHalted/OWASP/IL.Hack). Yaniv is highly skilled in hands-on penetration testing and security research and has found many security vulnerabilities at Microsoft/Oracle/IBM and more.

MC is a security consultant who works at FortConsult in Copenhagen, Denmark. He is a jaded intercontinental man of mystery who spent too many years in the Infosec industry. He has presented at POC (South Korea) and once had a talk accepted at Defcon (US). He likes to mod his TR-808 when off-duty.

Topic: F**k 0-days, We Will Pwn U with Hardware Mofos

Summary: We give you the ultimate hardware hacking kit. Wanna pwn some banks? Wanna own big companies? You need some boost up. We will show you that your current set of tools is not enough. You need to have some help from hardware, like 007. We have bundled a set of hardware hacking tools that will assist you. For example, we will show you how to bypass typical corporate Windows 7 machines with BitLocker encryption enabled, dump and extract goodies from memory, long-range RFID tricks to copy your CEO's proxcard, using hardware screenloggers (not the old crappy keyloggers - because everybody knows them and it's lame) and more. You have to be there - because we rock.



Name: Deviant Ollam

Bio: While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation of Lockpickers. His debut book, "Practical Lock Picking," became one of Syngress Publishing's best-selling titles. At multiple annual security conferences, Deviant runs the Lockpicking Village workshop area, and he has conducted physical security training sessions at Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, CanSecWest, ekoparty, and the United States Military Academy at West Point.

Topic: Android Phones Can Do That?!? Custom Tweaking for Power Security Users

Summary: While half of all smartphones are running Android, only a small portion of their users choose to modify their phone's stock environment or attempt to perform custom tweaks to their OS. Indeed, most people within the techy and hacker community are familiar with concepts like "rooting" or installing custom ROMs, but not everyone does that. However, SMALLER STILL is the proportion of seriously security-minded folk who dive to the deepest layers of their Android system, modifying and patching core elements in order to tweak and restrict things beyond what most people know to be possible. Did you know that it is possible to selectively restrict permissions on an app-specific basis? How about the possibility of FAKING the data that gets returned when an app attempts to interact with GPS? Spoofing your IMEI, IMSI, and SIM card data? That's possible, too. Would you like to be able to unlock your device with a 6-digit PIN while simultaneously protecting your /data partition with a 40-character encryption passphrase? All of this and more is possible, depending on how willing you are to delve deeply into your Android OS and perform a series of advanced -- yet entirely understandable -- tweaks and patches. This talk is for serious power users with a need for mobile security well beyond the average level. It will demonstrate a variety of tools and tweaks and get Android users thinking about just how much more they could be doing to protect themselves and their data, particularly if they routinely travel to hostile areas of the world or are subject to device confiscation.



Name: Brian Lockrey

Bio: Brian Lockrey is a college professor of Computer Security and Computer Forensics. Brian has over 30 years of experience with information technology and has been using and managing Internet services since 1990, while working for a major government defense contractor at the time. Brian is the CEO of Assist Data, a data recovery and digital forensics service business. He is passionate about sharing his expertise in Internet security, social media, IT best practices and incident reporting. He often consults with educators, law enforcement and business managers and provides professional seminars on a variety of digital forensics topics. Brian's much sought-after work has also been published in several journals and books. Brian earned his A.S. degree from Florida Institute of Technology, his B.S. degree from the University of Toledo, and his M.S. degree in Computer Science from the Ohio State University. Brian is a Certified Computer Forensics Examiner and is a member of several information security organizations and civic organizations.

Topic: Social Media Digital Forensics

Summary: With the advent of social media, mobile devices, digital photography and media sharing sites becoming critical data repositories, digital forensics investigators are now faced with new challenges when looking for artifacts. This presentation will cover the tools and techniques for collecting artifacts from social media networks and other devices. Many popular social networks will be discussed, including Facebook, LinkedIn, Google+, Twitter, Google Communities, Instagram, Pinterest, FourSquare, Gowalla, Yelp, YouTube, TwitPic, Yfrog, MyLife, XeeMe, Flickr, Picasa, Tinychat, Tumblr and others. Additional services that will be covered include Dropbox, SkyDrive, Google Drive, Box and other popular cloud storage and file-sharing services. Other topics of interest to the digital forensics examiner include Open Graph, Graph Search, URL encoding, images and Exif data, GPS locations, cross-mapping, mapping friends, directory services, programming APIs and scripting.


Training Sessions

Training 1: Building Secure Web Applications, Webservices and Mobile Applications, Jim Manico - June 25-26, 2013

Description: The major cause of web insecurity is poor development practices. This highly intensive 2-day course provides essential application security training for web application, web service and mobile software developers and architects. The class is a combination of lecture, hands-on security testing and code review. Participants will not only learn the most common threats against applications but, more importantly, will also learn how to fix the problems and design secure web solutions via defense-based code samples and review. We provide free email support for life for all students. Digital copies of all courseware will be provided.

Biography: Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background as a software developer and architect. Jim is also a global board member for the OWASP foundation. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and the OWASP podcast series.

Training 2: Being an Advanced Persistent Threat: How to Compromise and Persist on Any Network, Colin Ames & Chris Potter - June 25-26, 2013

Description: In this course you will learn how to leverage the latest offensive techniques and capabilities to compromise and persist on any network with a 100% success rate. Students will walk away with the skills and tools needed to compromise any system regardless of skill set. During this course we will discuss the tactical exploitation methodology. This methodology includes targeting systems and users, profiling the selected targets, properly weaponizing exploits and payloads, proper exfiltration and misattribution techniques, and how to get away with all of it. All of these techniques are taught with hands-on, real-world, lab-based exercises. Each student will receive a Teensy USB device for the final exercise of the course as well as copies of all slides, tools, and relevant source code material. Prizes will also be given out for successful exercises.

Biographies: Colin Ames is a founding Partner and Security Researcher with Attack Research where he consults for both the private and public sectors. He's currently focused on Pen testing, Exploit Development, Reverse Engineering, and Malware Analysis.

Chris Potter is a Security Consultant and Researcher with Secure DNA. Chris specializes in web based application development security. He has collaborated with some of the top security researchers and companies in the world and has performed static and dynamic security assessments for numerous companies and government agencies across the U.S. and Asia.

Training 3: Lock Picking and Physical Security, Deviant Ollam - June 25, 2013

Description: Physical security is an oft-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate password policies, and proper user permissions. You can have the most hardened servers and network, but that doesn't make the slightest difference if someone can gain direct access to a keyboard or, worse yet, march your hardware right out the door. This course will cover: basic pin tumbler locks in doors, deadbolts, and padlocks; wafer locks in desks, cabinets, and access panels; shimming and decoding of combination locks; lock bumping and countermeasures; attacking pick-resistant pins; secrets of master keyed systems; quick lock bypassing tactics; and an introduction to key impressioning.

Biography: While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. His debut book, "Practical Lock Picking," became one of Syngress Publishing's best-selling titles. At multiple annual security conferences Deviant runs the Lockpicking Village workshop area, and he has conducted physical security training sessions at Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, CanSecWest, ekoparty, and the United States Military Academy at West Point.

Sponsors

Check out our sponsorship packet here: Sponsorships

