Vote for BSidesSanFrancisco talks

Jan 10, 2011 | 9 mins
Data and Information Security

Last year I got hooked on Security B-Sides, an anti-conference of sorts that has since gone global. B-Sides has been everywhere: Dallas, Berlin, San Francisco and Boston, to name a few places.

I like the stripped-down approach and the security practitioners it attracts. I always learn from these folks.

I mention it now because the planners of BSidesSanFrancisco want YOU to choose the talks that will take place next month.

The website has a full list of talk titles and descriptions, and you can vote for those that sound most appealing. The full list is here.

At first glance I particularly like those listed below, though as a longtime security journalist I should note that you never really know where the gems are until the event is in progress.

Most talks look good on paper, so it’s always a roll of the dice.

* Name: Jack Daniel @jack_daniel

* Title: Surviving a Teleporter Accident

* Abstract: Don’t you hate it when you are minding your own business, in a familiar place, in the right time…and you end up in a strange place, in the wrong time, maybe even the wrong century? In this talk I will provide tips and tricks for dealing with this all-too-common tragedy. Don’t be a victim, be prepared. (This is actually an informative, yet lighthearted introduction to the topic of pragmatic, risk-based security, but without using terms like “risk-based security”. There are two target audiences for this talk, those who need a non-technical introduction to thinking about risk and security, and those interested in using “subversive education” to get their message out to an audience).

* Name: David Mortman

* Title: Cloud Security Realities

* Abstract: There has been a lot of discussion of late on how (in)secure the Cloud(tm) is today. And while the criticisms and concerns are valid, they rarely discuss what can be done today to make things work in the meantime. The reality is that cloud isn’t going away, so you need to know what to do today. I’ll be discussing how to manage security in an IaaS environment with today’s technologies, processes and people. Hint: It’s not as hard as you think.

* Name: Andy Ellis, / @csoandy

* Title: Letting someone else’s phone ring at 3 am: Building robust incident management frameworks

* Abstract: In a startup, it’s okay if your phone rings when any customer has a problem. But as you grow to a billion dollar business, you’d better have better processes than that. Learn about Akamai’s incident management process, and figure out how to build your own. Your mileage might vary.

* Name: Andy Ellis, / @csoandy

* Title: CVSS: Management Jiu Jitsu. These numbers do not mean what you think they mean.

* Abstract: Created by the NIAC seven years ago, CVSS was going to revolutionize how we prioritize vulnerability remediation. Has it? Learn more about its strengths and deficiencies from the first organization to adopt CVSS (as a vulnerability consumer).

* Name: Will Gragido, @wgragido

* Title: State of the Scape: The Modern Threat landscape and Our Ability to React Intelligently

* Abstract: This talk is meant to take the form of an informed panel discussion to be moderated by Will Gragido, Sr. Product Line Manager of HP TippingPoint’s DVLabs, and co-author of Cybercrime and Espionage: Analysis of the Subversive Multi-vector Threat. The panel will consist of five participants, all of whom are actively engaged in recognizing new trends, the impact of said trends, and the identification of confluence points between exploits and vulnerabilities equating to new threats and risk. During this lively discussion topics will range and include (though not be exclusive to) the following:

–Our comprehension of the Internet Threat Landscape as an ecosystem driven by profit

–Cyber Arms Dealers: The role of organized crime in perpetuating the cycles which power the ecosystem vs the independent operator

–The value of current research techniques and information sharing in combating these new threats

–Areas of improvement in research and development necessary for narrowing the gaps

–The attack surface: Is there one universal attack surface today? Or are we seeing a resurgence of ‘closed’ or ‘siloed’ attack surfaces emerging once more?

–Bombs, Bullets, or Bits: What has the potential to do the most harm in the 21st century? How, as professionals, can we aid in mitigating the risk?

Confirmed Panelists for this talk!

— Josh Corman, Research Director, Enterprise Security Practice, the 451Group

— Marc Eisenbarth, Security Researcher, HP TippingPoint DVLabs

— HD Moore, Chief Security Officer at Rapid7 and Chief Architect of Metasploit

— David Shackleford, Director of security assessments and risk and compliance at Sword & Shield Enterprise Security, is a SANS analyst and instructor and a GIAC technical director

— Alexander Hutton, Principal in Research & Risk Intelligence with Verizon Business

— Caleb Sima, Chief Executive Officer, Armorize

* Name: Aaron Cohen, / @aaronco

* Title: Selling Security Without Selling Your Soul

* Abstract: Most people don’t “get” security, and it’s hard to convince them of what they need…manager, executive, boss or client prospect. We constantly try to persuade people with our ideas; sometimes they take it, but usually they leave it. Whether or not someone buys security has nothing to do with whether they need it or not, it has to do with whether they think they need it, and that is our job as sales professionals. The sky can only fall so many times, which is why it is imperative to learn to sell security without selling your soul. In this talk we will discuss and show real world examples of how to be effective in different sales scenarios, which is important for those that want to win business, consulting gigs, project funding and in some cases keep your job.

* Name: Eric Irvin, Security Solutions Architect, Alert Logic, / @secrunner

* Title: Nobody Likes You and You Look Funny

* Abstract: So you read the blogs, are active in the forums, go to BSides/Defcon/Blackhat/etc. and stay in tune with the latest hacks and techniques to prepare your organization against the next mega attack. Yet, when you try and talk to your leadership and management, they look at you as if you have lobsters crawling out of your ears. Traditionally, most organizations are stuck in old mindsets where smart people are often viewed as being “geeks” or “nerds”. When we start talking about the new 0-day or how there are too many Domain Admins running wild, they just see it as “blah blah blah geek stuff blah blah blah”. So how do you get them to take you seriously and understand the risks that you are finding? In this talk, we will discuss how many geeks have been able to earn the respect of their leadership and executive teams, improve your ability to communicate, and advance in your career through hacking the business game.

* Name: HD Moore, Chief Security Officer, Rapid7, @hdmoore

* Title: When CSOs Attack

* Abstract: This talk will discuss my experience implementing mandatory audits of new products and services in the office of the CSO and how the results led to better decisions across the organization. Security researchers tend to see the world in an odd light; every product is a source of potential exploits, exposed services are an invitation to attack, and vendors are not to be trusted. By contrast, the folks who are responsible for enterprise security have to focus on business enablement, risk management, and juggling costs with accumulating technical debt. Over the last 15 months, we have implemented a security program that tries to bridge these worlds by bringing security audits into the first phase of due diligence for new products and services. The results have been extremely positive; we have been able to identify bad solutions prior to investing substantial amounts of time in implementation, have improved the security of the solutions we did accept, and developed tons of new vulnerability checks, exploit modules, and advisories in the process. While this talk will cover the overall process and some of the most surprising results, it will also dive into the technical details of the most interesting vulnerabilities and their exploits.

* Name: Daniel Peck, Barracuda Networks (@ramblinpeck)

* Title: Lessons Learned From Running a Bug Bounty Program

* Abstract: A few months ago, Barracuda Labs launched a bug bounty program, soliciting and rewarding security researchers for finding vulnerabilities in our security appliances. We weren’t the first people to do this kind of program, but we were the first security product vendor to do so. As such, we’ve got a bit of an interesting perspective. In this talk, we’ll share the conversations we had with the other parts of the company (marketing/engineering/execs) to get buy-in to start the program, as well as tips on processes to have in place to make everything run smoothly. We will also share stories of miscommunication, pissed off developers, and researchers who have a hard time following the simplest of directions. We’ll also talk about some of the benefits of a bounty program, counterarguments to the naysayers, and some stats on the types of vulnerability reports we receive.

* Name: Ray Kelly, Barracuda Networks (@vbisbest)

* Title: Screw the TSA: I’ll Be Where I Want, and Get Credit for It!

* Abstract: It’s no secret that with the rapid growth in popularity of location-aware social networking sites, such as Foursquare and Facebook Places, a new target is presented for mischievous hackers to exploit. What’s to be gained by GeoHacking? Free t-shirts, free coffee, or a new car? This talk will explore how the APIs work for Foursquare and Facebook, and how hackers can use the API against itself to put a user somewhere to get “Credit” for it. We will discuss the list of services that use location and ways to fake location with popular services (demo), examine the threat overview/risk matrix of what someone can accomplish with fake location, and review possible countermeasures.

Good luck to everyone who submitted a talk. Whoever gets picked, I expect great things to come out of this event.

–Bill Brenner