Speaker biographies and seminar abstracts
ABSTRACT: Format String Vulnerabilities 101
A comprehensive presentation on format string vulnerabilities within the Windows Intel Architecture environment. This presentation will take the audience from the basics of discovering format string vulnerabilities, through to the execution of exploit code. Using a debugger, we will show how format strings can trigger various exceptions and gain control of the flow of execution within a vulnerable application. Presentation will include several live demonstrations.
BIO: Deral Heiland
Deral Heiland, CISSP, serves as a Senior Information Security Analyst for a Fortune 500 company. In addition, Deral is the founder of Layered Defense Research and co-founder of Ohio Information Security Forum, a non-profit organization focused on information security training and education. Deral has also presented at numerous conferences including Defcon (2004, 2005), Interzone 5, Information Security Summit, and AFCEA InfoTech 2007. With over 15 years of work in the Information Technology field, Deral has held prior positions including: Senior Network Analyst, Network Administrator, Database Manager, and Financial Systems Manager.
ABSTRACT: Local-Link Networking
As the SOHO networks grow with home-automation and networked entertainment systems, the home user will have more installation concerns than the typical blinking 12:00. While TCP/IP is a terrific wide-area protocol, it wasn't designed to fill the niche of the local-area protocols it eventually replaced, leaving us with a bare local network. This presentation will show how protocols such as SLP, UPnP, and Zeroconf address the issues of local-link networking, including a demonstration of Zeroconf with Linux using Avahi.
BIO: Christopher Gragsone
Chris Gragsone works with a broad range of security and network technologies with various technical associations, drawing from his understanding of complex abstraction and analytical ability. He is currently attending University of Maryland University College pursuing a Bachelor of Science in Computer Science with a minor in Math. In his spare time he researches emerging technologies.
ABSTRACT: Ethical Hacking for Forensic Investigations
When conducting a digital forensic investigation that involves a breach or compromise of network systems, sound knowledge of digital forensic procedures may not be enough. Understanding the system being investigated and the ways that a system can be compromised can lead to a greater understanding of the events that comprised the attack. This 'Ethical Hacking in Forensics' hands-on lab will take students through some of the more common attacks that Crackers execute against network systems today.
BIO: Robert A. Andrews II, CISSP
Robert Andrews is the co-founder of P3 Strategic, a forensics investigation and training firm. He currently is the CTO and lead investigator. Robert A. Andrews II is a security consultant and trainer as well. He previously was the lead instructor and program coordinator of the IT Security and Forensics Associate Degree program at Pittsburgh Technical Institute. His service experience includes working with several Fortune 500 companies and governmental agencies at the local, state and federal levels. His experience also includes teaching high level security certification programs, CISSP and Cisco boot camp classes around the nation.
Rob has been a technical editor for and has collaborated on several IT certification manuals for Course Technology and McGraw-Hill. He has also been the keynote speaker at many National Information Technology seminars including several ISSA/ISACA organizations nationwide. He is also a member of the International High Technology Crime Investigation Association.
ABSTRACT: Blogging for Bad Guys: What Not to Say On-Line
The preponderance of social networking sites enables individuals to share all sorts of information about their lives. Interestingly, criminals and deviants are using this technology to discuss their lives and activities. As a consequence, researchers and law enforcement can better understand the motivations, actions, and routines of criminals, thus linking individuals behind computers to criminal events on and offline. This presentation will discuss the complexities and challenges involved in examining and compiling information about bad guys of all sorts from around the globe, with particular emphasis on malware writers, carders, and other nefarious types. In addition, this talk can provide examples of why you should not provide any details about your personal beliefs and behaviors in online outlets.
BIO: Thomas Holt
Dr. Thomas J. Holt is an Assistant Professor in the Department of Criminal Justice at the University of North Carolina at Charlotte specializing in computer crime, cybercrime, and technology. His research focuses on computer hacking, malware, and the role that technology and the Internet play in facilitating all manner of crime and deviance. He works with computer and information systems scientists, law enforcement, business, and technologists to understand and link the technological and social elements of computer crime. Dr. Holt has been published in academic journals, and has presented his work at various computer security and criminology conferences. He is also a member of the editorial board of the International Journal of Cyber Criminology.
ABSTRACT: ZFS (on FreeBSD)
ZFS, developed by Sun Microsystems, is a big shift in filesystem concepts and design. Without going into the underlying code we will discuss ZFS concepts, features, and abilities. If you plan on deploying a file server then this talk is for you, since ZFS very well may change your plans.
BIO: Wesley Shields (wxs)
Wes is a hacker and security ninja. His day job includes breaking into networks and his night life consists of hacking on things, writing new tools, or just generally causing mischief with technology. His tools have been included in the most popular security-oriented live CD - BackTrack - and he is responsible for bug fixes in countless applications. He is a member of 0x90.org, Ghetto Hackers, and is a FreeBSD developer.
ABSTRACT: Monumental Women Who Influenced Today's Technology
A topic-organized summary of women who either participated in or were leaders of advancements that affect the computer-driven industries of today. Almost all businesses today are affected by computers in one way or another but few ever considered how some of the advancements have come about. It will be a semi-well-rounded overview that covers various aspects about advancements to the telephone systems, the Internet, and various computer science areas.
BIO: l33tphreak
Phreak will be a 2008 college graduate with two Bachelor's and four Associate's degrees in the fields of Information Technology and Computer Sciences. Her specialty is Information Security and Network Security. She is A+ and Network+ equivalency certified, as well as an advocate for gender equality among the hacking community.
ABSTRACT: An introduction to the alteration of electrical control units for purposes unintended, or Console Modding 101.
Video game consoles are not new, and modifying them for the purpose of altering their programming isn't either. This talk will cover the basic concepts behind modifications to current generation (Wii, Xbox 360, PS3) and previous generation (Xbox, PS2, Gamecube) game consoles. In particular the talk will focus mostly on hardware-related modifications, but software will also be discussed.
BIO: Nick Fury
In 1972, a crack commando was sent to prison by a military court for a crime he didn't commit. He promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government, he survives as a soldier of fortune. If you have a problem, if no one else can help, and if you can find him, maybe you can hire... Nick Fury*.
* This is all a lie. Nick Fury is a kitchen robot. Don't tell him though, he thinks he's "undercover." Keep stirring, Nick.
ABSTRACT: Exploit-Me Series: Firefox Application Penetration Testing Suite
The cost of fixing bugs is drastically reduced in the development stage compared to production. If developers and QA engineers have the proper tools they will be able to scan their applications for security vulnerabilities. The Exploit-Me series of tools is the basis for this tool set. The XSS-Me plug-in provides the ability to scan for reflective Cross-Site Scripting vulnerabilities. SQL Inject-Me provides the ability to look for SQL injection vulnerabilities. By building these plug-ins into the development cycle, developers and QA engineers will be able to find security issues early.
This presentation will take a demonstration-based approach and will provide examples of advanced XSS and SQL Injection attacks and display how the Exploit-Me tools can be used to identify these vulnerabilities in the application, thus empowering the attendees with the ability to search for such vulnerabilities in their applications.
BIO: Sahba Kazerooni
Sahba Kazerooni, Security Consultant at Security Compass, is an expert in application security assessments, having performed penetration testing and source code review of many client applications. He is also an internationally renowned speaker on Web Services security topics, and has provided presentations at security conferences around the world including BlackHat Security Conference in Amsterdam, Security Opus in San Francisco, and IDC WebSec in Mexico City. Mr. Kazerooni also plays a critical role in the development of curriculum for and delivering of Security Compass training services. He has developed and taught courses on various topics such as Exploiting and Defending Web Applications, Application Security Awareness and Secure Coding in J2EE.
BIO: Dan Sinclair
Dan Sinclair is a Security Consultant with a strong background in application development. Prior to joining Security Compass, he worked as a solutions architect, web developer, and, most recently, as a Solaris 10 migration specialist and instructor for TrekLogic Advanced Solutions. Dan is a contributor to several Open Source projects including the Enlightenment project and OpenSolaris where his work has included design, development, testing and documentation. He serves as a lead developer for the Enlightened Widget Library (EWL).
ABSTRACT: Rootkits 101
Rootkits 101. A brief history of subversive software will be provided. We will discuss the different types of rootkits, detection of rootkits, and the future of rootkits. Operating system fundamentals are required to get the most from this presentation. Demonstration will be provided.
BIO: txs
txs is a 1-year-old baby who is driven by his goal to become the sole ruler of the entire world. In fact, if it were not for his lack of muscle strength, toilet training and his need for parental sustenance, txs would have become leader over most of the third world, including Canada. txs has the voice and manner of an evil Rex Harrison, but he's only recently celebrated the one-year anniversary of his escape from his mother's "cursed ovarian Bastille", in which he was incarcerated for nine gruelling months. Another goal for txs is to murder his brother, wxs. Just because wxs has narrowly escaped several attempts on his life thus far doesn't mean that he is off the hook.
ABSTRACT: Layer 7 Attacks
It used to be that the majority of attacks occurred at the network and data link layers of the OSI model. Today attackers are focusing their efforts at the application layer, specifically web applications. This talk will delve into the vulnerabilities that are common to web applications and how attackers are leveraging those vulnerabilities for profit. Most of the talk will be actual demonstrations, both how to discover vulnerabilities and how attackers exploit those weaknesses.
BIO: Travis Altman
Travis Altman has been in the information security field for over 3 years and has consulted with major organizations about vulnerabilities and threats to their information systems. He currently works at the Federal Reserve where he is an Information Security Engineer. His other writings on information system security can be seen at his website, http://travisaltman.com, and you can contact him via email at travisaltman@gmail.com.
ABSTRACT: An update on RIAA lawsuits under the DMCA
This talk will focus on RIAA and other recording groups' more recent file-sharing lawsuits. New legal theories that RIAA and others are using will be discussed, such as suing for "attempted" copyright infringement. The presentation will also cover the College Opportunity and Affordability Act, recently passed by the House, which ties financial aid to colleges' antipiracy efforts.
BIO: Sapna Kumar
Sapna Kumar is a faculty fellow with Duke University's Law School and is a part of the Center for Genome Ethics, Law & Policy. Her recent publications include Enforcing the GNU GPL, 2006 U. of Illinois Journal of Law, Technology & Policy 1 and Synthetic Biology: The Intellectual Property Puzzle, 85 U. Texas Law Review __ (forthcoming 2007). Prior to joining the faculty at Duke, Ms. Kumar was an adjunct professor at the University of Chicago Law School.
Ms. Kumar received her B.A. in Philosophy and B.S. in Mathematics from the University of Texas at Austin in 1999. She received her JD from the University of Chicago Law School, where she was a staff member of the University of Chicago Law Review. Following graduation in 2003, she joined Kirkland & Ellis' Chicago office as an associate in their Intellectual Property Group, and two years later, moved to Pattishall, McAuliffe, Newbury, Hilliard & Geraldson. Her law firm practice focused on patent litigation and software licensing.
ABSTRACT: Introduction to TSCM
TSCM is the systematic physical and electronic examination of a designated area by a qualified person or persons, utilizing approved equipment and techniques in an effort to locate surreptitious listening devices, security hazards, or other means, in which classified, sensitive, or proprietary information could be intercepted or lost.
This discussion will cover many applicable areas, such as: Radio and Electronics, Investigations, Interrogations, Locks, Alarms, Physical Security, Systems Analysis, Carpentry / Building construction and codes, Electricity, Telephones, Cellular phones, Threat assessment, Threat evaluation, Management and personnel, Finance, Salesmanship, Computers, Fax, Video and emanations, Photography, Access Control, etc.
BIO: Tim Johnson
Tim Johnson's career in the security and investigative field began in 1972 as a Special Agent with the Air Force Office of Special Investigations after 13 years as a radio and electronic equipment maintenance technician with the Army and Air Force. He received additional training by the AFOSI, CIA and FBI in electronic countermeasures (debugging), investigative support (bugging), crime scene photography, locks and alarms and barrier and physical defense, as well as advanced signal identification and analysis and antenna theory.
After retiring from the Air Force in 1981, he was employed at NASA, Johnson Space Center as a GS-11 Physical Security Specialist, further developing the ECM program supporting classified Space Shuttle missions.
In 1983, he assisted in establishing the ECM program for Headquarters, Department of Energy, Washington, DC. This quickly expanded to include support to all DOE activity east of the Mississippi River, DOE SCIF areas nationwide, Naval nuclear research facilities and other nuclear-related activities, closed sessions of Congress in energy-related hearings, and response and technical support to foreign locations in which bugging activities had been discovered.
He moved to the Phoenix area and established Technical Security Consultants Inc. in April 1986. In addition to the TSCM work, he has worked as a contract investigator for the Department of Defense, Department of Treasury and the Department of Justice over the past 15+ years. In June 2002, Technical Security Consultants Inc. relocated to Carrollton, Georgia, near Atlanta.
ABSTRACT: Hacker Trivia
Back by popular demand, Hacker Trivia will be hosted by Vic Vandal and Al Strowger on Saturday night. Astound your peers, squash your enemies, win valuable prizes, or look incredibly stupid in the game that tests your knowledge of arcane hacking-related information/history.
BIO: Vic Vandal
Vic Vandal is his name, digital havoc is his game! From skateboards to keyboards and everything in between, Vic can manipulate, conjugate, and detonate his tactical skills (that pay the bills) to burn your eyes with visual napalm!
Trained in cyber-warfare by the United States armed forces (actually it was more vice-versa, but such details are unimportant), Vic is now a digital mercenary ready to unleash his diabolical digital deeds for the right price.
His objective? Communications! A modern day ENIAC, Vic makes, creates, and propagates the everyday analog into digital mayhem for the masses. A Wizard of Oz in his own private cyber-wonderland, he is on his way to taking over all global transmissions. All your base are belong to him!
BIO: Al Strowger
Al Strowger is an enigma wrapped in a riddle wrapped in a spicy chicken soft taco. The long time MC at CarolinaCon, not much is known about his true identity other than his predilection for educating today's youth and his inability to stay interested in any one thing for longer than three seconds, other than the aforementioned youths.
His research focus likewise changes hourly and currently includes some blather about the neocortex, 80's British Pop vinyl recovery tactics, a guide to Puerto Rican nightlife hotspots, and strategies for death match Wii Tennis. He can be found anywhere there is technology, or bacon.