Director, Information Security Policy, Education & Awareness, CBS Corporation
The use of third party services, systems and applications continues to increase in order to lower cost and increase efficiency of business. The vendor selection process a company establishes must respond to this need by enhancing the security evaluation process of third parties that have access to company information and information systems. We will discuss why vendor evaluation is a necessary step in the pre-contract phase of the vendor selection process, the aspects of the vendor, the system, service and/or application that require evaluation and the red flags a security professional must be aware of.
A Head Start on Software Security
Senior Security Architect, SITA
There are many tools and resources available to assist in securing the software development process, but where do you start? How do you plan, design, and execute a software security initiative? We’ll look at how one of the world’s largest suppliers of IT systems to the airline industry adopted such a program, transforming the way in which software is produced and radically improving the robustness of its solutions. This presentation takes us through the journey of creating a software security initiative from scratch: what works, what doesn’t, and what resources can be leveraged to give you a head start.
A Risk Based Approach to Cloud Security Assessment
Consultant - Technology, Audit & Security
There are a number of new and unproven control frameworks for evaluating cloud security. Though informative, these frameworks should not be blindly adopted as a cookie cutter approach by organizations that are planning to use cloud services. In the absence of a standardized IT governance, risk and compliance (GRC) product in the cloud computing market space, it is important that organizations architect a customized strategy for evaluating security and risks that are associated with their specific cloud usage needs. This session will guide you through a risk assessment model to evaluate organizations’ use case scenario of cloud, potential risks and available compensating controls to determine and potentially mitigate the trust requirement from the CSPs. Organizations can apply the results of this risk assessment exercise along with use case analysis and emerging standard control frameworks to draw an assessment compliance framework for evaluation of CSPs; the eventual objective being to lower the requirements to trust the CSPs. This session will conclude by describing three different models of enterprise security strategies that work with the cloud-based computing services.
Adventures in Automotive Networks and Control Units
Charlie Miller and Chris Valasek
Security Engineer, Twitter and Director of Security Intelligence, IOActive
Automotive computers, or Electronic Control Units (ECU), were originally introduced to help with fuel efficiency and emissions problems of the 1970s but evolved into integral parts of in-car entertainment, safety controls, and enhanced automotive functionality. This presentation will examine some controls in two modern automobiles from a security researcher’s point of view. We will first cover the requisite tools and software needed to analyze a Controller Area Network (CAN) bus. Secondly, we will demo software to show how data can be read and written to the CAN bus. Then we will show how certain proprietary messages can be replayed by a device hooked up to an OBD-II connection to perform critical car functionality, such as braking and steering. Finally, we’ll discuss aspects of reading and modifying the firmware of ECUs installed in today’s modern automobile.
Bringing Nothing to the Party
Director of Security Engineering, Trail of Bits
There has been a lot of talk about the issues that Information Security is facing today, ranging from APT attacks to the ever growing government intervention in shaping the defenses of private companies. The goal of this talk is to analyze the current state of affairs from a quasi-economical perspective and address the underlying technical problems that are too often overlooked. Specifically, the thesis of the talk is that the primary reasons for the lack of effective defensive solutions are poor threat modeling and misguided Application Security investments.
ChopShop: Busting The Gh0st
Wesley Shields & Murad Khan
Lead & Senior Information Security Engineer, The MITRE Corporation
In incident response or intelligence gathering the question “what happened on the network” is commonplace. As adversaries are deploying remote access trojans onto target networks, being able to answer that question depends upon your ability to understand the protocols being used. Some protocols are well understood by common utilities like Wireshark, but what do you do when the protocol is foreign to your tools? You have to write a custom decoder. We will present ChopShop, an open source framework for protocol analysis and decoding. ChopShop tries to make the task of writing a custom protocol decoder as easy as possible by presenting a standard API for the decoder and a rich set of libraries. The decoders are modules that run on top of the framework, which makes sharing the decoders with third parties and partners considerably easier. We will demonstrate ChopShop in the context of the gh0st protocol (discussed in published reports such as The VOHO Campaign), a well-known remote access trojan.
Countermeasures in Modern Operating Systems
Senior Research Engineer, Sourcefire
Memory errors are some of the most devastating vulnerabilities that exist today because they can potentially give attackers who can exploit them full control of the system. Stack- or heap-based buffer overruns, dangling pointers and format-string related vulnerabilities are typical examples of these bugs. To make it harder for these vulnerabilities to be exploited by attackers, operating systems have incorporated multiple different types of countermeasures. Some examples of these countermeasures that are well-known and well-understood are stack cookies and address space layout randomization. However, these are not the only countermeasures out there, nor is it impossible for an attacker to bypass these. In this talk, we will examine some of the most important mitigations in common use today, some of their limitations and some improvements (and their limitations) that have been made in Windows 8 and that are offered by Microsoft's EMET tool. We will also discuss advancements in countermeasures in the academic world that could show up in future operating systems or compilers.
Digital Energy – BPT
Internetwork Consulting Solutions Architect, Dynetics, Inc
There is a great deal of conversation today regarding APT and critical infrastructure networks for ICS/SCADA, smart grid networks and service providers. The basic persistent threat (BPT) issues are being ignored in many cases. How can the APT be mitigated when the BPT issues have not been resolved? Typically, the technical capability to mitigate BPT and many of the APT risks already exists in the installed HW/SW, but proper attention to trust relationships, integration and interdependencies is overlooked. Close attention should be given to the often overlooked network vulnerabilities in the network architecture and protocols that enable BPT. In this presentation common network BPT issues that are often discovered during security consulting engagements will be discussed. BPT network architecture mitigations, including separation of services for control, management and data traffic as well as securing and monitoring trust relationships and interdependencies, will be covered.
Lessons Learned from Managing Malware Compromises
VP of Delivery, ThreatGRID, Inc.
Coordinating the response to a malware compromise is a multi-faceted challenge that requires the security manager to coordinate at all levels within an organization. It is a daunting challenge that is fraught with opportunities to lose momentum and support. This presentation represents over 20 years of responding to security incidents and malware compromises, and highlights some of the common mistakes and errors made. The attendee will get insight into the lessons learned and come away with a broader perspective on how to handle malware compromises and APTs. During the presentation, the attendees will get a perspective into Building the Right Team, When to bring in the "Experts", The Follies of Commanding and Controlling "Decisions, Responses, and People", The Coordinator's Toolkit, and The Critical Soft Skills To Guide Executives, Manage IT Teams, and those rogue individual contributors.
Lessons Learned from the Galactic Empire
Head of Security Engineering, Check Point Software Technologies Inc.
Join me for a critique of the Lucasfilm epic, from the perspective of a security audit. Let’s review the security procedures and practices of the Galactic Empire, and see what they did well, but more importantly, learn from the mistakes they made. Prepare for a discussion on security policies and procedures, applied during the events that led to the catastrophic business impact the Galactic Empire suffered as the result of data loss. This data was then turned against the Empire, with an advanced persistent threat that targeted, and eventually destroyed, critical infrastructure. Then let us re-examine the situation with a proper security policy in place to understand how even the most basic policy approach could have saved the Empire’s business, employee lives, and ultimately billions of dollars.
Managing the APT Risk
Senior Security Architect, SITA
The Advanced Persistent Threat, over-hyped or under-managed? Much of the attention around the APT is on the technical side, understanding the tools and techniques of these adversaries. Beyond technology, what should organizations be focused on in evaluating, prioritizing and mitigating risk attributable to APT? In this presentation, we’ll look at some of the risk management strategies employed by targeted organizations. We’ll explore various approaches and practical steps taken to detect, defend and respond to APT-style attacks and how these have factored into business decision-making. Finally, we’ll cover the story of how one company opted to counter the APT with its own novel approach – fighting back not with technology, but with disinformation.
Mobile Threats - Hype vs. Reality
Security Engineer, Twitter
There is a lot of hype out there about attacks on mobile devices. It’s enough to make you break out that old flip phone from 2005. In this talk, I’ll try to discern truth from reality. I’ll discuss how mobile operating systems defend themselves as well as give examples of mobile operating system exploits. I’ll clarify how easy (or hard) it is to write exploits and attack mobile devices, from the perspective of someone who has written exploits for most mobile platforms. I’ll outline how easy (or hard) it is to write mobile malware and what malware of this kind can do. Finally, I’ll address mobile security software and how it works (or doesn’t). By the end of this talk, you’ll be in a better position to determine the risk mobile devices present and differentiate the reality from the hype.
Patriot Act Impact on Canadian Organizations Using Cloud Services
Scott N. Wright
President, Security Perspectives Inc.
Since the USA PATRIOT Act of 2001 was put into law – effectively granting US government authorities more power to collect customer records from US-owned businesses, without warrants – many Canadian organizations have struggled with the issue of whether or not it is safe to use US-owned cloud-based services. Recently, the Snowden incident has revealed that US government authorities have been undertaking extensive surveillance initiatives on Internet-based service providers, which has raised even more questions about the risks of using online services based in the USA. Not surprisingly, there has been a great deal of speculation about the threats and vulnerabilities related to nation-state level surveillance initiatives. So, where does that leave Canadian businesses with respect to information security strategy and guidance?
In this session, I will highlight some of the perceived risks related to the use of US-owned cloud services by Canadian organizations, as a result of the Patriot Act, and extrapolate the analysis to all “Big Surveillance” threats to Canadian businesses using the Internet. Are these concerns justified? Does it really matter? What can be done, if anything, to reduce the risks posed to Canadian corporate data by nation-state level surveillance?
Quantifying Maliciousness in Alexa Top-Ranked Domains
Research Consultant, Barracuda Labs
Many people assume that it is safe to visit popular, long-lived websites. While anecdotal examples of popular website compromises (e.g., USAToday.com, PBS.org) contradict this expectation, there exist few comprehensive studies that attempt to systematically quantify maliciousness in top-ranked sites.
To address this gap in understanding, my presentation details the design and results of long-running experiments that identify maliciousness in popular websites, in a vulnerability and exploit-independent manner. To perform experimentation, I created a scalable URL analysis system that forces a browser within a sterile virtual machine to visit a given site, then examines the network-level actions of the VM to determine whether a drive-by download occurred. As input to this system, I provided the Alexa top 25,000 most popular domains each day in what became a series of month-long studies.
In combination with reverse engineering parts of the Alexa rankings system, detailed analysis of the results yields cause for concern. My findings show that each month, millions of users are served malicious content from just tens of popular websites, and at least one million users are successfully compromised. In addition to an assessment of the experimentation results (e.g., use of Java or ad networks in drive-by downloads), my presentation will coincide with release of the raw data collected to promote a better understanding of this issue.
Risk Management: Where is the Information?
Information Security Architect, Netrus Inc.
We have the tools and technology to secure our systems and infrastructure, but people remain the weakest link. How many unencrypted USB sticks does it take to cause a Privacy Breach? Or someone misplacing corporate data containing personal, confidential or personal health information in the “Blue Bin”, or using the auto-fill feature in eMail and sending it to the wrong person? It only takes one instance and the Twitter World is abuzz; and then it is the lead headline in the News.
We have diligently created build books for our systems, implemented change management, intrusion detection, disaster recovery plans and spend hours testing our system for potential security vulnerabilities.
But what about the people equation in all of this? The IT Security Team understands Information Security, but have you actually interviewed Senior Management and the Business Owners to understand what keeps them up at night? It may surprise many:
• An aging workforce with corporate history and knowledge that will disappear in the next 5 years
• Lack of fully documented processes and procedures
• Lack of Information Security Governance; more Transparency; Freedom of Information
Some of our greatest Information Security Risks are People and what they do every day – Information Security is about behaviour and culture. Risk Management can assist in identifying the issues and Governance can assist in filling the gaps.
Running at 99%: Surviving an Application DoS
Engineer, Risk I/O
Application-Level Denial of Service (DoS) attacks are a threat to nearly everyone hosting content on the Internet. DoS attacks are simple to launch, but are often very difficult to defend against. Modern websites are a diverse set of moving parts, and a malicious actor only needs to find the point at which any one of these systems is overwhelmed to bring your website to a halt.
Organizations may approach this problem by increasing capacity, perhaps leveraging the cloud to expand horizontally. This can be a successful short term mitigation strategy, but a combined historic and real-time view of who is accessing your website (and why) gives you the chance to actively defend as opposed to simply absorbing the traffic. Trending this data over time allows your response time to decrease while keeping your front door open. In this talk I will present a new open source project, written primarily in Node.js, that can be used as a defense framework for mitigating these attacks.
Smashing Exploit Detectors: The Java Exploits Case
Co-Founder & Security Researcher, ReVuln Ltd.
There are two main ways to perform an attack. One way is to use 0-days and the other is to use old vulnerabilities. While using 0-days is an easy win, using old vulnerabilities can be more complicated. In fact there are two main problems: the target is using an updated version of the software, or the target is using some protection like IPS/IDS/AV to defend itself.
As soon as we move into the Java world the first problem usually disappears (people don't like updating the JRE, and the official patches for known vulnerabilities are incredibly slow to come out), making the second problem, the detections on old vulnerabilities, a very intriguing topic.
There are several known ways to harden Java exploits, with strategies ranging from obfuscation to Java reflection. These techniques are not only known to attackers, but even to defenders. In this talk we will show several new techniques to harden Java exploits in order to bypass AV/IDS/IPS detections, and we will detail some possible countermeasures.
Starting from Scratch – A CISO’s Journey
SVP & Chief Information Security Officer, Live Nation Entertainment
When Jonathan Chow took the role of senior vice president and CISO at Live Nation he was stepping into unfamiliar territory. Walking away from an established, mature security program, Chow agreed to become the first ever CISO at the organization, undertaking the inception and development of a robust security program. The first question he asked himself was, “Where do I even begin?” In this session, Chow will discuss his approach to the implementation of an information security program at Live Nation. He will share what he wishes he had known going into this process, what he has learned through this unique experience, and what insights he will take with him as he continues his own journey as an information security leader.
The Life of Py
Senior Security Researcher, Immunity Inc.
Python is the king (or queen depending on preference) of languages for security professionals, with massive adoption and many mature libraries used for a range of tasks from crafting raw network packets to reverse engineering tasks. Justin will spend 2 hours giving a whirlwind tour of how to:
- Write quick and dirty network tools
- Analyze Windows binaries for malware signatures
- Create trojans and keyboard loggers
- Test rootkit detection methods in the kernel
- Create visualizations
- Automate debugging tasks
The SCADA That Didn't Cry Wolf - Who's Really Attacking Your ICS Devices
Trend Researcher, Trend Micro
These attackers had a plan, they acted upon their plan, and they were successful…targeting SCADA devices that were Internet facing. This talk will profile, provide intelligence on, and list actors that attacked my ICS devices in the wild. This talk will also feature a demo of the attackers in progress, exfiltrating perceived sensitive data. In addition, I will discuss in greater detail how I geo-located these individuals, and tracked their movements, operations, and attacks. Some of the findings are truly surprising and substantial, and may not be what you think they are. This talk will release brand new statistics and attack details seen nowhere else in the ICS community.
Using Mobile App Conscription as a Backdoor Into Unrestricted APIs
Principal Research Scientist, Barracuda Labs
This will be a presentation focused on abusing web application APIs through the use of associated Android apps. We'll demonstrate using the JVM based scripting language JRuby to load, modify, and run code from targeted APKs in an easily scriptable way. We'll leverage this to demonstrate attacks against web APIs that have reduced their security requirements in order to allow for a more frictionless mobile experience, such as removing the need for captchas, email validation, and other usage restrictions. We'll conclude with case studies of popular apps demonstrating private key retrieval, arbitrary unlimited account creation on a social network, and locating and using custom cryptographic routines in our own scripts without the need to understand their implementation.