Foundations Talk – Security B-Sides Orlando 2016 Presented By FC² http://bsidesorlando.org/2016 Bringing Infosec to Central Florida Since 2013 Mon, 03 Oct 2016 13:56:28 +0000

Adam Losey | Data Privacy: Legal Alphabet Soup http://bsidesorlando.org/2016/adam-losey-data-privacy-legal-alphabet-soup Fri, 12 Feb 2016 17:00:40 +0000 http://bsidesorlando.org/2016/?p=351

Abstract

CFAA, CAN-SPAM, HIPAA, and CADRA are just a few of the many alphabet-soup acronyms that make up the legal rubric in the United States governing information security, privacy, and technology; information security professionals need to understand the patchwork of laws in the United States (and Florida in particular) to be truly effective in their endeavors. New state laws appear regularly, with different standards for what data is considered sensitive and for how an organization is treated if it discloses protected information. What laws should you be aware of when engaging your organization about risk and data disclosure? This talk will focus on the CFAA, the Computer Fraud and Abuse Act, as well as CADRA, Florida’s Computer Abuse and Data Recovery Act. Adam Losey, an internationally recognized attorney working in Central Florida, will discuss information security and privacy law, what it means to information security professionals, and how to approach data privacy laws. The talk will include 20-30 minutes of round-table discussion allowing the audience to ask questions regarding matters of law and data privacy.

Bio

Adam Losey is an internationally recognized attorney, author, and educator in the field of technology law. He represents a number of Fortune 100 companies in high-stakes complex litigations across the country involving challenging issues at the intersection of law and technology. In addition to his litigation practice, Mr. Losey routinely advises clients large and small on a variety of sophisticated information security, incident response, privacy, electronic discovery, and data management matters. Inside and out of the courtroom, he efficiently and creatively solves problems for clients in a variety of situations.

]]>
Dodi Glenn | History of Ransomware http://bsidesorlando.org/2016/dodi-glenn-history-of-ransomware Fri, 12 Feb 2016 16:49:13 +0000 http://bsidesorlando.org/2016/?p=346

Abstract

A recent study titled “Battling the Big Hack” by the IT professional network Spiceworks found that 80% of organizations experienced an IT security incident in 2015, and that 53% of respondents were concerned about ransomware in 2016. But how did we get here? And how can we avoid these growing attacks in the coming year and beyond? All ransomware works on the same principle, extorting money from the victim, but each family does something slightly different. This presentation will discuss the history of ransomware, from the first known ransomware, which hit the scene back in 1989 (the “AIDS” or “PC Cyborg” Trojan), to Gpcode (RSA encryption schemes), CryptoLocker (Bitcoin transactions), and CryptoWall (targeting Windows), with many others in between. We’ll close out the discussion with 2016 ransomware predictions, as well as how users can mitigate these attacks in the future.

Bio

Dodi is VP of CyberSecurity for PC Pitstop with 10+ years’ experience in the cyber security industry, specializing in security risk assessment, programming, firewalls, malware/targeted attacks, antivirus, & more. Previously, he led several initiatives in malware research, software development, software testing, and product management for ThreatTrack Security, Sunbelt Software, & GFI Software.

]]>
David Switzer | Wifi Tracking: Collecting the (probe) Breadcrumbs http://bsidesorlando.org/2016/david-switzer-wifi-tracking-collecting-the-probe-breadcrumbs Fri, 12 Feb 2016 16:43:26 +0000 http://bsidesorlando.org/2016/?p=336

Abstract

Wifi probes have provided giggles via Karma and Wifi Pineapples for years, but is there more fun to be had? Like going from sitting next to someone on a bus to knowing where they live and hang out? Why try to MITM someone’s wireless device in an enterprise environment, where they may notice, when getting them at their favorite burger joint is much easier?

In this talk we will review ways of collecting and analyzing probes. We’ll use the resulting data to figure out where people live and what their daily habits are, and discuss uses (some nice, some not so nice) for this information. We’ll also discuss how to make yourself a little less easy to track using these methods. Stingrays are cost-prohibitive, but for just tracking people’s movements, this is cheap and easy.
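As an added illustration of the collection-and-analysis step the abstract describes (example code written for this page, not material from the talk), the script below aggregates probe requests into a per-device profile. The input format (`timestamp<TAB>source_mac<TAB>ssid`, one probe request per line) and the log lines are constructed for the example; what you get from a real capture tool will need its own adapter. Two things it shows: a device that probes for several SSIDs leaks a list of networks its owner has joined before, and a probe sent from a MAC with the locally-administered bit set (the 0x02 bit of the first octet, which is how randomized MACs are marked) cannot be tied to a hardware identity, which is the basis of the “less easy to track” mitigation.

```python
"""Aggregate 802.11 probe requests into per-device SSID profiles.

Added example (not from the talk). Input is a constructed log in the shape
`timestamp<TAB>source_mac<TAB>ssid`, one probe request per line. An empty
SSID is a broadcast (wildcard) probe: it proves the device is present but
says nothing about where it has been.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: three devices. The last one uses a randomized
# (locally administered) MAC, so its probes cannot be linked to a
# hardware identity even though it leaks the same SSIDs.
SAMPLE_PROBES = """\
2016-04-09T08:12:03Z\t3c:15:c2:aa:bb:01\tHomeNet-5G
2016-04-09T08:12:04Z\t3c:15:c2:aa:bb:01\tBurgerJoint_Free
2016-04-09T08:12:05Z\t3c:15:c2:aa:bb:01\t
2016-04-09T08:12:09Z\t00:1a:2b:cc:dd:02\tCorpGuest
2016-04-09T08:13:11Z\t3c:15:c2:aa:bb:01\tHomeNet-5G
2016-04-09T08:13:40Z\tda:a1:19:11:22:33\tHomeNet-5G
2016-04-09T08:13:41Z\tda:a1:19:11:22:33\tAirport_WiFi
"""


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02) of the first octet is set.

    Randomized MACs set this bit; burned-in (universally administered)
    addresses leave it clear.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_probe_log(text: str):
    """Yield (timestamp, mac, ssid) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        ts_raw, mac, ssid = parts
        try:
            ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, mac.lower(), ssid


def build_profiles(text: str) -> dict:
    """Group probes by source MAC.

    Returns {mac: {"ssids": sorted list, "first_seen", "last_seen",
    "probes": count, "randomized": bool}}.
    """
    profiles = defaultdict(lambda: {"ssids": set(), "first_seen": None,
                                    "last_seen": None, "probes": 0,
                                    "randomized": False})
    for ts, mac, ssid in parse_probe_log(text):
        p = profiles[mac]
        p["probes"] += 1
        p["randomized"] = is_locally_administered(mac)
        if ssid:
            p["ssids"].add(ssid)
        if p["first_seen"] is None or ts < p["first_seen"]:
            p["first_seen"] = ts
        if p["last_seen"] is None or ts > p["last_seen"]:
            p["last_seen"] = ts
    return {mac: {**p, "ssids": sorted(p["ssids"])} for mac, p in profiles.items()}


def ssid_index(profiles: dict) -> dict:
    """Invert the profiles: SSID -> sorted list of non-randomized MACs.

    Devices sharing a rare SSID (a home network, not a carrier hotspot)
    are candidates for the same household or workplace; randomized MACs
    are left out because they cannot be correlated across sessions.
    """
    index = defaultdict(set)
    for mac, p in profiles.items():
        if p["randomized"]:
            continue
        for ssid in p["ssids"]:
            index[ssid].add(mac)
    return {s: sorted(m) for s, m in index.items()}


if __name__ == "__main__":
    profs = build_profiles(SAMPLE_PROBES)
    for mac, p in sorted(profs.items()):
        tag = "randomized" if p["randomized"] else "hardware"
        print(f"{mac} ({tag}) probes={p['probes']} ssids={p['ssids']}")
    print(ssid_index(profs))
```

The SSID index is the interesting output: a rare SSID shared by two hardware MACs seen at different places ties those two devices together, while a device that only ever sends broadcast probes (or probes from a randomized MAC) gives the analyst nothing to pivot on.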

Bio

David Switzer has been through the train industry, the cable industry, and even the ISP industry (technically twice) in his 20 years of being in technology. He works for a security firm in Tampa, Florida where he is paid to do mean things to companies, only because they ask nicely.  Infosec interests include doing mean things with RF signals, metadata mashing, looking for “oopsies” in firmware, and talking about himself in the third person.  Who doesn’t enjoy that last one, really?


]]>
Emori Medeiros | Resume Building for Security Professionals http://bsidesorlando.org/2016/emori-medeiros-resume-building-for-security-professionals Fri, 12 Feb 2016 16:40:21 +0000 http://bsidesorlando.org/2016/?p=331

Abstract

Do you ever feel like your resume is holding you back? I can help you translate your work experience to paper and help you land that dream InfoSec job, from the basics of resume no-nos to highlighting your security skills. Please bring a copy of your resume!

Bio

Emori Medeiros has been on both sides of the recruiting world. She was an internal recruiter for a tech company in San Francisco and now she is a technical recruiter at BlueWave. Her experience has taught her the ins and outs of perfecting resumes so that YOUR resume is the one that stands out. BlueWave is a Technology Boutique Firm that specializes in Information Security and Software Development Recruiting.

]]>
sk4ld | Simulated Physics And Embedded Virtualization Integration http://bsidesorlando.org/2016/sk4ld-simulated-physics-and-embedded-virtualization-integration Fri, 12 Feb 2016 16:07:29 +0000 http://bsidesorlando.org/2016/?p=264

Abstract

The Simulated Physics And Embedded Virtualization Integration (SPAEVI, rhymes with gravy) methodology is designed for industrial control system (ICS) cybersecurity research. The cost of hardware-based industrial control system testbeds often rules out entire categories of vulnerability analysis, testing, malware analysis, etc. In particular, memory-corruption vulnerability analysis often risks bricking ICS embedded systems. The SPAEVI methodology is proposed for software-based ICS/SCADA testbeds built on embedded system virtualization, where the inputs and outputs are integrated with a physics simulation. The challenges of implementing the methodology are non-trivial: one must rely on reverse engineering, virtual machine development, exploit development, engineering experience, and embedded system design experience. Foremost, the virtualization of an embedded system poses unique, non-trivial challenges per target system, due to the wide variation of microprocessor architectures in ICS/SCADA.
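To make the I/O integration concrete, here is an added example (written for this page; it is not code from the talk or from the SPAEVI project) of the harness shape the abstract describes: a process model stepped in lockstep with a controller, with the controller's sensor reads and actuator writes passing through the bridge. Both halves are deliberately small stand-ins, a toy tank model in place of a real physics simulation and a hysteresis loop in place of a virtualized PLC, and `corrupt_setpoint` is a hypothetical fault-injection hook standing in for whatever a memory-corruption bug would do to the controller's data. The point it shows is the one the abstract makes: the physical consequence (overflow) is observed in software, so the experiment can be rerun without bricking anything.

```python
"""Physics-in-the-loop harness for a simulated embedded controller.

Added example, not from the talk or the SPAEVI project. TankPhysics is a
toy process model, LevelController stands in for a virtualized PLC scan
loop, and run_scenario is the I/O bridge that steps them together and
records physical damage. corrupt_setpoint is a hypothetical fault hook.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TankPhysics:
    """Tank level in litres, stepped with simple Euler integration."""
    capacity: float = 100.0
    level: float = 50.0
    pump_rate: float = 5.0     # litres/s when the pump is on
    drain_rate: float = 2.0    # litres/s, always flowing
    overflowed: bool = False

    def step(self, pump_on: bool, dt: float) -> float:
        inflow = self.pump_rate if pump_on else 0.0
        self.level += (inflow - self.drain_rate) * dt
        if self.level < 0.0:
            self.level = 0.0
        if self.level > self.capacity:
            self.overflowed = True      # physical damage, recorded not suffered
            self.level = self.capacity  # the excess spills
        return self.level

    def sensor(self) -> float:
        """What the controller reads; a real sensor model would add noise."""
        return self.level


@dataclass
class LevelController:
    """Stand-in for the embedded controller's scan loop: hysteresis control."""
    setpoint: float = 60.0
    deadband: float = 5.0
    pump_on: bool = False
    scans: int = 0

    def scan(self, measured: float) -> bool:
        self.scans += 1
        if measured < self.setpoint - self.deadband:
            self.pump_on = True
        elif measured > self.setpoint + self.deadband:
            self.pump_on = False
        return self.pump_on


def corrupt_setpoint(ctrl: LevelController, value: float) -> None:
    """Hypothetical fault injection: the effect a memory-corruption bug or a
    crafted write to the controller's data table could have on the setpoint."""
    ctrl.setpoint = value


@dataclass
class RunResult:
    final_level: float
    overflowed: bool
    overflow_time: Optional[float]
    max_level: float
    scans: int


def run_scenario(tank: TankPhysics, ctrl: LevelController, duration: float,
                 dt: float = 0.1, inject_at: Optional[float] = None,
                 inject_value: float = 0.0) -> RunResult:
    """Step physics and controller in lockstep, optionally injecting a fault."""
    t = 0.0
    injected = False
    max_level = tank.level
    overflow_time = None
    while t < duration:
        if inject_at is not None and not injected and t >= inject_at:
            corrupt_setpoint(ctrl, inject_value)
            injected = True
        pump = ctrl.scan(tank.sensor())      # sensor read crosses the bridge
        level = tank.step(pump, dt)          # actuator write crosses back
        max_level = max(max_level, level)
        if tank.overflowed and overflow_time is None:
            overflow_time = round(t, 3)
        t += dt
    return RunResult(round(tank.level, 3), tank.overflowed, overflow_time,
                     round(max_level, 3), ctrl.scans)


def run_nominal() -> RunResult:
    """Healthy controller: level oscillates inside the deadband around 60 L."""
    return run_scenario(TankPhysics(), LevelController(), duration=120.0)


def run_tampered() -> RunResult:
    """Setpoint pushed far above capacity at t=30 s: the pump never turns off."""
    return run_scenario(TankPhysics(), LevelController(), duration=120.0,
                        inject_at=30.0, inject_value=500.0)


if __name__ == "__main__":
    print("nominal :", run_nominal())
    print("tampered:", run_tampered())
```

Replacing `LevelController` with an emulated firmware image and `TankPhysics` with a real process model is the hard part the abstract warns about; the bridge itself does not change shape.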

Bio

Aside from his mohawk and beard, Owen is renowned for creating and teaching the Offensive Computer Security Courseware, which has been used in some form at over a dozen universities around the world. He earned his BS in CS from Georgia Tech and his MS in CS from FSU, and is finishing his PhD dissertation on Cyber Physical Systems Vulnerability Research & Sandboxing.

]]>
Mitch Stoltz | Jailbreaks and Pirate Tractors: Reverse Engineering Do’s and Don’ts http://bsidesorlando.org/2016/mitch-stoltz-jailbreaks-and-pirate-tractors-reverse-engineering-dos-and-donts Mon, 08 Feb 2016 22:51:52 +0000 http://bsidesorlando.org/2016/?p=286

Abstract

Taking things apart to figure out how they work is great fun at any age. It can also be the first step in building a great new product. But reverse engineering software and systems can be a legal minefield that takes care and planning to traverse.

In this talk, Mitch Stoltz, Senior Staff Attorney with the Electronic Frontier Foundation, will discuss how to explore and modify hardware and software, and use the knowledge you gather, while avoiding common legal problems. He will also share stories about the latest efforts to preserve the freedom to tinker with everything from phones to cars to medical implants.

Bio

I’m a copyright lawyer at EFF, once a software engineer and security specialist at Netscape/AOL/Mozilla. I’ve done some corporate litigation too, mostly for consumer technology companies.

Mitch is passionate about free speech, coders’ rights, and letting innovation thrive wherever it grows.

]]>
Jason Blanchard | How to Social Engineer your way into your dream job http://bsidesorlando.org/2016/jason-blanchard-how-to-social-engineer-your-way-into-your-dream-job Mon, 08 Feb 2016 22:32:26 +0000 http://bsidesorlando.org/2016/?p=284

Abstract

This talk will cover how to social engineer, or persuasively position, yourself to be the best candidate for the job of your dreams. We will cover reconnaissance and open-source intelligence gathering, developing phishing emails that get people to open your resume, and how to reach your target audience, “Recruiters” and “HR Managers”. I have trained thousands of college graduates on how to find the right job when it is needed, and this talk can help a student, recent graduate, or seasoned IT professional find the next step in their career, in a funny and witty presentation where you’ll leave with a road map on how to social engineer your way to success… and stuff.

Bio

Jason is a professional Social Engineer… a dreaded marketer that ruins everything in life that was once free, and good, and easy to use. But… He also has some serious skills of persuasion, that can be used for the forces of good – your good.

]]>
Samuel Greenfeld | Dox Yourself http://bsidesorlando.org/2016/samuel-greenfeld-dox-yourself Tue, 26 Jan 2016 15:51:10 +0000 http://bsidesorlando.org/2016/?p=259

Abstract

This talk starts out by looking at how companies have tried to authenticate people using public information. It then looks at current authentication practices, and finishes by discussing how companies try to determine who you are without letting you know.

Bio

Samuel is a Senior QA Engineer testing XenDesktop performance at Citrix. Prior to that he worked on the One Laptop per Child project, and at Secure Computing & McAfee on the Sidewinder (McAfee Firewall Enterprise) product line.

]]>
Paul Arnold | The Wizarding World of SELinux http://bsidesorlando.org/2016/paul-arnold-the-wizarding-world-of-selinux Tue, 19 Jan 2016 15:34:53 +0000 http://bsidesorlando.org/2016/?p=232

Abstract

This talk aims to dissolve the stigma surrounding SELinux and to show how important SELinux is to hardened and trusted systems. The talk will describe what SELinux is and its purpose, briefly touch on its history, explain its current functionality with some high-level examples, and provide tips on first tackling an SELinux implementation. This is intended as an “introduction” or “beginner” talk into the world of SELinux for those with some experience with *nix systems.
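For anyone first tackling an SELinux deployment, the practical starting point is reading the AVC denials in the audit log rather than reaching for `setenforce 0`. The script below is an added example written for this page (not material from the talk): it parses `type=AVC` records of the form the kernel writes to `/var/log/audit/audit.log`, groups them into the (source type, target type, class, permissions) buckets a policy rule would need, and flags `permissive=1` records, which are denials that were logged but not enforced and will start failing the moment enforcing mode is switched on. The audit lines are constructed for the example; the field layout matches real AVC records but the PIDs, inodes and paths are made up.

```python
"""Summarize SELinux AVC denials from audit log lines.

Added example (not from the talk). Parses `type=AVC ... avc: denied { perms }
for ...` records, groups them by the tuple a policy rule would be written
against, and flags denials that were only logged because the domain or
system was permissive. Sample lines are constructed.
"""
import re

# Constructed sample: httpd denied on a mislabeled file in a home directory
# (enforced), and a DB connect that was only logged (permissive=1).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1459785600.123:4101): avc:  denied  { read } for  pid=2213 comm="httpd" name="index.html" dev="sda1" ino=262 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1459785600.456:4102): avc:  denied  { open } for  pid=2213 comm="httpd" path="/home/web/index.html" dev="sda1" ino=262 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1459785601.001:4103): avc:  denied  { name_connect } for  pid=2213 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1459785601.001:4103): arch=c000003e syscall=42 success=yes exit=0
type=AVC msg=audit(1459785602.777:4104): avc:  denied  { read } for  pid=2214 comm="httpd" name="index.html" dev="sda1" ino=262 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+?) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def se_type(context: str) -> str:
    """user:role:type[:level] -> type, the part allow rules are written against."""
    return context.split(":")[2]


def parse_avc(line: str):
    """Return a dict for a denial record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name") or fields.get("dest"),
        "stype": se_type(fields["scontext"]),
        "ttype": se_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive", "0") == "0",
    }


def summarize(log_text: str) -> dict:
    """Group denials into rule-shaped buckets.

    Key: (source type, target type, class, perms). Value: count, whether
    any hit was actually enforced, and an example target so the reader can
    tell a mislabeled file (fix the label with restorecon or semanage
    fcontext) from a legitimately blocked access (fix with a boolean or a
    custom policy module).
    """
    buckets = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])
        b = buckets.setdefault(key, {"count": 0, "enforced": False, "example": None})
        b["count"] += 1
        b["enforced"] = b["enforced"] or rec["enforced"]
        if b["example"] is None:
            b["example"] = rec["target"]
    return buckets


def report(log_text: str) -> list:
    """Human-readable lines, most frequent bucket first."""
    lines = []
    for (stype, ttype, tclass, perms), b in sorted(
            summarize(log_text).items(), key=lambda kv: -kv[1]["count"]):
        mode = "ENFORCED" if b["enforced"] else "permissive-only"
        lines.append(f"{b['count']:3d}x {stype} -> {ttype}:{tclass} "
                     f"{{ {' '.join(perms)} }} [{mode}] e.g. {b['example']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT_LOG)))
```

In the sample, `httpd_t` reading `user_home_t` is the classic mislabeling case (content served from a home directory that was never labeled `httpd_sys_content_t`), and the right fix is to relabel, not to write an allow rule; the `permissive-only` bucket is the one that will bite after the switch to enforcing.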

Bio

White-hat hacker, tinkerer, and Linux user since epoch time was 9 digits. Currently a Cybersecurity Engineer supporting the defense sector.

]]>
Ean Meyer | Dress for the Job You Want (to fake) not the One You Have http://bsidesorlando.org/2016/ean-meyer-dress-for-the-job-you-want-to-fake-not-the-one-you-have Thu, 07 Jan 2016 16:15:17 +0000 http://bsidesorlando.org/2016/?p=181

Abstract

Billions of dollars are spent globally on technical controls for information security. Most, if not all, of these controls can be overridden by the implicit trust that someone with physical access has to a system. Yet, physical security is often the easiest control to circumvent.

This talk will focus on ways a legal, ethical, and authorized penetration tester can prepare themselves to inspire trust in those protecting their target allowing them to gain access to protected areas.

This talk will look at the physical signs that someone doesn’t belong in an area and how to create a persona that “belongs”. During the talk we will compare different outfits and uniforms used by workers who would be expected to be in controlled areas. The talk will also look at paralanguage and body language that can be used to put people at ease.

The talk will cover:

Why physical access controls are critical
Tales of “Physical Access Gone Wrong”
Uniforms, attire, and details that give away an imposter
Paralanguage – What to say to put people at ease
Body language – What to do to put people at ease
“The Getaway” – How to get out gracefully
Preventing Interlopers – What can you do to stop attackers using these techniques

By the end of the talk the audience should be able to leverage these techniques to test their own security program, bolster their approved penetration testing program, and develop new controls to prevent physical attackers.

Bio

Ean Meyer is an information security professional working in Central Florida. Ean’s current focus areas are PCI, FERPA, HIPAA/HITECH, Intrusion Detection and Prevention Systems, Information Security Program Management, Penetration Testing, and Social Engineering/User Awareness Training. Ean has a BS in Information Security and an AS in Computer Network Systems. Ean also holds a CISSP certification. He runs the blog www.thetheaterofsecurity.com.

]]>