June 15-16, 2012

richmond's security conference


Marcus Ranum

Marcus J. Ranum, Chief Security Officer of Tenable Security, Inc.
Marcus J. Ranum is a world-renowned expert on security system design and implementation. Since the late 1980′s, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR’s Network Flight Recorder intrusion
detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC “Clue” award for service to the security community, and also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by Techno Security Conference.

RVAsec 2012 Keynote: The Easy Stuff is Done

Computer security is in an interesting spot right now – the easy stuff, like building firewalls and setting up logging, we know how to do. But, now what? New stuff like Cloud Computing and Big Data scare security practitioners with as-yet unnamed problems; what is the fear we’re not acknowledging?

Adam Ely

CISO of Heroku (Salesforce business unit)
Adam Ely is the CISO of Heroku at Salesforce. Previously he lead information security and compliance at TiVo and held multiple roles with The Walt Disney Company where he was responsible for security operations and application security for The Walt Disney Internet Group overseeing security and compliance for all web properties including Disney.com, ABC.com, and ESPN.com. Adam was named one of the top 25 security influencers to follow in 2012 for his industry contributions and is the author of the forthcoming McGraw-Hill book, Information Security Business & Strategy Essentials.

Title: Managing Security Within The Cloud

Now that our enterprise borders have all but disolved and our data is spread around the world, we must face the fact that the cloud is real. Dealing with security in the cloud requires a change in mindset and approach but isn’t so different from what we’re use to. We must understand the technical and management differences, how to work with our cloud providers, and apply our security practices to the new innovations driving our business.

Tim Elrod

Security Consultant, Fishnet Security
Tim has been an information security professional for over seven years but his passion for information security began when he first attached a 300 baud modem to a Commodore 64 and began this wild ride. Tim is a security Consultant for FishNet Security focusing on Security Assessments and Penetration Test. Tim is also a member of the Bastard Labs Vulnerability Research Team as well as the OKC2600 and a regular speaker at the DC405. Tim has found and exploited vulnerabilities in most major network operating systems including AIX, HPUX, Tru64, Linux, and Microsoft Windows as well as many enterprise software packages. Tim is an open source advocate and a contributor to the Metasploit Exploitation Framework as well as many other open source projects.

Title: I’m not a Doctor But I Play One On Your Network

How secure is your Protected Health Information? This talk will expose the world of Health Information Systems with an in depth technical review of their common protocols and technologies. Many of these life-critical systems had once relied on the security provided by air gapped medical networks. Recently, in an effort to realize savings and further share health information, medical systems have moved onto interconnected networks, opening them up to a plethora of attacks. We believe these systems have not had adequate research performed against them due to high cost and relatively low availability. Our talk will not only reveal weaknesses we have discovered in medical protocols but will create a foundation of knowledge for researchers who want to continue investigation of these systems. We will release findings and vulnerabilities that were discovered during the course of this research as well as fuzzers designed to allow penetration testers and researchers to further assess healthcare specific protocols for security vulnerabilities. We will take a look at healthcare specific hardware and discuss vulnerabilities related to these devices including prescription dispensing drug cabinets and the ability to dispense scheduled substances without authentication, authorization, or accounting. Finally, we will discuss how the impact of vulnerabilities on healthcare systems have changed with the introduction of large health information repositories such as the Google Health and Microsoft Health Vault as well as with countless regional and national Health Information Exchanges.

Schuyler Towne

Physical Security Researcher
Schuyler Towne is obsessed with locks. While he got his start picking locks competitively, his interest has since exploded into every aspect of their history, design and manipulation. He’s taught hackers, authors, cops and even toy designers. There is nothing Schuyler loves more than to talk locks with anyone who will listen. His interests in the history of physical security and design of locks provides a passionate background to his lectures and workshops on lockpicking. Currently he is writing an Almanac of Locksport for O’Reilly and studying media portrayals of lockpicking.

Title: Why Do You Lock Your Door?

2 factor authentication, key space, security by obscurity, public and private keys; all of these things, and many other conventions of digital security, had their origin well before the birth of the computer. Today most security professionals think of locks as curiosities or puzzles, and are well acquainted with the idea that “locks keep honest people honest.” However, physical security has a rich history and our modern relationship to locks is very different than it was even a hundred years ago. In this talk we’ll explore the history of physical security, from the origins of the lock, to the locksmith King of Worms, to the great lock controversy of 1851 and beyond. Knowing how different times and cultures designed, attacked and lived with locks provides remarkable context to the modern history of digital security.


Chief Curmudgeon, attrition.org
Jericho has been poking about the hacker/security scene for 18 years (for real), building valuable skills such as skepticism and anger management. As a hacker-turned-security whore, he has a great perspective to offer unsolicited opinion on just about any security topic. A long-time advocate of advancing the field, sometimes by any means necessary, he thinks the idea of ‘forward thinking’ is quaint (we’re supposed to be thinking that way all the time). No degree, no certifications, just the willingness to say things most of the industry is thinking but unwilling to say themselves. He remains a champion of security industry integrity and small misunderstood creatures.

Title: Errata Hits Puberty: 13 Years of Chagrin

The attrition.org Errata project has documented the shortcomings, hypocrisy, and disgraces of the information technology and security industries. For 13 years, we have acted as a watchdog and reminder that industries who sell integrity should have it as well. The public face of Errata is very different than the process that leads to it. This presentation will give a unique insight into the history, process, and blowback that are cornerstones of the project. This will include statistics, how Errata has fallen short, how it can be improved, and where the project is going. Most importantly, it will cover how the industry can better help the project, both in staying off the pages on attrition.org, as well as contributing to it.

Carsten Eiram

Chief Security Specialist at Secunia
Carsten Eiram comes from a reverse engineering background and is currently the Chief Security Specialist at Secunia. Here he holds the dual responsibility of developing and managing the Secunia Research unit as well as maintaining close dialogue with software vendors and the security community, thereby ensuring both the quality and integrity of Secunia’s work. Carsten is a key contributor to the high technical quality and accurateness of Secunia’s Vulnerability Intelligence solutions and one of his most important responsibilities is to ensure that Secunia continues to be the most respected and trustworthy provider of Vulnerability Intelligence. Based on his and his team’s research efforts, Frost & Sullivan has presented awards to Secunia in both 2010 and 2011. Apart from being a vulnerability connoisseur with extensive experience in the field of Vulnerability Intelligence, Carsten is also a very accomplished vulnerability researcher, having discovered and coordinated many critical vulnerabilities in popular software from major software vendors. Carsten is also a regular contributor to the “Threat of the Month” column in SC Magazine, a credited contributor for the “CWE/SANS Top 25 Most Dangerous Software Errors” list, a speaker/panellist at Defcon and RSA, and member of the CVE Editorial Board.

Title: Code Maturity: Is SDL a Waste of Time?

For many years we’ve heard how implementing a SDL (Security Development Lifecycle) for software development allows “developing demonstrably more secure software” [quote Microsoft from: "The Security Development Lifecycle"].

The presentation briefly covers Microsoft’s SDL and its history. The concept and premises for evaluating the security state of software based on various metrics is then discussed, specifically focusing on how to evaluate “code maturity” by analysing the types of vulnerabilities discovered in the software. We will then delve deep into a couple of vulnerabilities’ core problems in order to really understand them and apply a simple “code maturity” metric.

Armed with this understanding, we will finally based on extensive analysis of the core problems of pre-SDL and post-SDL vulnerabilities fixed by Microsoft in one or two of their products determine if SDL really made a demonstrably difference to the security state of these products or was just a waste of time.

Travis Altman

Travis Altman has been working in the information security field for six years and teaching in the same field for about two years. Originally from Lake City, SC but currently resides in Richmond, VA. Travis has worked in many different fields from health care to financial institutions and has assessed the security of numerous systems and applications, hopefully none you’ve broken into.

Title: Reverse Engineer an Obfuscated .Net Application 

.Net applications are becoming more prevalent. .Net makes it easy to quickly stand up a standalone application that accomplishes some functionality, and developers are under pressure and want to crank out solutions to problems. Just go to download.com or softpedia.com and download an application that you think serves a purpose, more times than not it’ll be a .Net application. Because .Net is growing in popularity it has a bigger target on it’s back, and attackers are sharpening their teeth by tearing apart these applications.

Most .Net applications can be easily decompiled into their original source code, which makes it fairly simple to reverse engineer.  Because of this, developers deploy techniques to hide and obfuscate the original source code making it harder for others to tear apart their code.  This talk will demonstrate how to analyze an obfuscated .Net application, tear it apart, and completely manipulate the original code to create our own functionality which could include subverting controls.  I will demo a .Net application that stores your “encrypted” passwords for safe keeping then explain how to subvert the
authentication that stores those safe passwords.

Chris Gerling

SecuraBit Founder
Chris GerlingFounder of the SecuraBit podcast, Chris Gerling has been involved in information security formally for the last 8 years and altogether for the last 14 years.

Title: Don’t be a Cog in the Wheel

How do we help each other out? This presentation is focused on bringing awareness to everyone in our IT/IT Security industry of the ability we all have to improve each other. There are a great many of us who do this through the podcasts we record and release, through our blogs, through organizing events like bsides and other security conferences, and in a variety of other ways. It’s important to realize that not everything has to be learned through official channels, although they are useful they are but one source of knowledge and experience. Our interactions with each other can help shape our careers and cause shifts in our industry that solve common problems we encounter both from outside forces, and ones from within, such as managing our own infrastructures and not being compromised in the same ways we tell others not to be.

Salvador Grec

Founder, NovaInfosecPortal.com
Salvador Grec
Salvador Grec has over 16 years experience, undergraduate and graduate degrees in Electrical Engineering, and a really well known security
certification. Even though his training was in Electrical Engineering, Sal has always been more of a Computer Science person at heart going
back to his VIC-20, Commodore 64, and high school computer club days. After doing the IT grind for 5 years, he discovered his love of
infosec and has been pursuing this career ever since. Currently, he spends his days doing cyber security paperwork drills in building and
maintaining multi-billion dollar government systems. At night he runs a local infosec website and tries to get some hands-on skillz.

Title: PHP Website Security, Attack Analysis, & Mitigations

PHP is a very powerful language for easily developing web applications however this convenience sometimes comes at the cost of security.
Issues can arise from everything from language vulnerabilities and weak default settings to insecure coding practices and misconfigurations. This presentation plans to address many of these concerns by providing valuable lessons in the security of, attacks against, and management of PHP in your environment. The talk begins with an overview of PHP security, including it’s known issues and corresponding security enhancements the maintainers have incorporated over time. Beginning with a general discussion of PHPIDS and how it can be used as an event tracker, the presentation next provides a peak
into some of the more interesting attacks against a security website as well as overall trends from two years in deployment. The talk closes with a strategy for analyzing the risks in your PHP environment and applying corresponding PHP and platform/network mitigations to minimize your attack surface.