Never Ending Security


NISTFOIA: FOIA for NIST documents related to the design of Dual EC DRBG



nistfoia


Results of a recent FOIA for NIST documents related to the design of Dual EC DRBG.

These FOIA results are the combined result of two separate requests. Thanks to the following requestors:

  • Matthew Stoller and Rep. Alan Grayson
  • Andrew Crocker and Nate Cardozo of EFF

I have contributed only OCR and hosting. Happy hunting,

Matt Green, 6/5/2014


1.15.2015 production/9.1.2 Keyless Hash Function DRBG.pdf
1.15.2015 production/ANSI X9.82 Discussions.pdf
1.15.2015 production/ANSI X9.82, Part 3 DRBGs Powers point July 20, 2004.pdf
1.15.2015 production/Appendix E_ DRBG Selection.pdf
1.15.2015 production/Comments on X9.82, Part 4_Constructions.pdf
1.15.2015 production/E1 Choosing a DRBG Algorithm.pdf
1.15.2015 production/Five DRBG Algorithms Kelsey, July 2004.pdf
1.15.2015 production/Hash Funciton chart.pdf
1.15.2015 production/Letter of transmittal 1.15.2015 .pdf
1.15.2015 production/Part 4_Constructions for Building and Validating RBG Mechanisms.pdf
1.15.2015 production/Scan_2015_01_27_13_05_55_026.pdf
1.15.2015 production/Validation Testing and NIST Statistical Test Suite July 22, 2004.pdf
1.22.2015 production/10.1.2 Hash function DRBG Using HMAC.pdf
1.22.2015 production/10.1.3 KHF_DRBG.pdf
1.22.2015 production/8.6.7 Nonce.pdf
1.22.2015 production/8.7 Prediction Resistance and Backtracking Resistance.pdf
1.22.2015 production/ANSI X9.82 Part 3 Draft July 2004.pdf
1.22.2015 production/Annex G_Informative DRBG mechanism Security Properties.pdf
1.22.2015 production/Appendix G Informative DRBG Selection.pdf
1.22.2015 production/Comments on X9.82 Part 1, Barker May 18, 2005.pdf
1.22.2015 production/Cryptographic security of Dual_EC_DRBG.pdf
1.22.2015 production/D.1 Choosing a DRBG Algorithm.pdf
1.22.2015 production/DRBG Issues Power Point July 20, 2004.pdf
1.22.2015 production/Draft X9.82 Part 3 Draft May 2005.pdf
1.22.2015 production/E.1 Choosing a DRBG Algorithm (2).pdf
1.22.2015 production/E.1 Choosing a DRBG Algorithm.pdf
1.22.2015 production/Final SP 800-90 Barker May 26, 2006.pdf
1.22.2015 production/Fwd_Final SP 800-90 Barker May 26, 2006.pdf
1.22.2015 production/Kelsey comments on SP April 12, 2006.pdf
1.22.2015 production/Latest SP 800-90 Barker May 5, 2006.pdf
1.22.2015 production/Letter of transmittal 1.22.2015.pdf
1.22.2015 production/SP 800-90 Barker June 28, 2006.pdf
1.22.2015 production/SP 800-90_pre-werb version> Barker May 9, 2006.pdf
1.22.2015 production/Terse Description of two new hash-based DRGBs Kelsey, January 2004.pdf
1.22.2015 production/Two New proposed DRBG Algorithms Kelsey January 2004.pdf
1.22.2015 production/X9.82, RGB, Issues for the Workshop.pdf
6.4.2014 production/001 – Dec 2005 -NIST Recomm Random No. Gen (Barker-Kelsey).pdf
6.4.2014 production/002 – Dec 2005 – NIST Recomm Random No. Gen (Barker-Kelsey)(2).pdf
6.4.2014 production/003 – Sept 2005 – NIST Recomm Random No. Gen (Barker-Kelsey).pdf
6.4.2014 production/004 – Jan 2004 – Terse Descr. of Two New Hash-Based DRBGs.pdf
6.4.2014 production/005 – Proposed Changes to X9.82 Pt. 3 (Slides).pdf
6.4.2014 production/006 – NIST Chart 1.pdf
6.4.2014 production/007 – RNG Standard (Under Dev. ANSI X9F1) – Barker.pdf
6.4.2014 production/008 – Random Bit Gen. Requirements.pdf
6.4.2014 production/009 – Seed File Use.pdf
6.4.2014 production/010 – NIST Chart 2.pdf
6.4.2014 production/011 – 9.12 Choosing a DRBG Algorithm.pdf
6.4.2014 production/012 – May 14 2005 – Comments on ASC X9.82 Pt. 1 – Barker.pdf
6.4.2014 production/013 – X9.82 Pt. 2 – Non-Deterministic Random Bit Generators.pdf

The full document set, with OCR, is at https://github.com/matthewdgreen/nistfoia


CERIAS Security Seminar Archive: Video Talks, 2010-2015


01/14/2015
Learning from Information Security Maturity: A Textual Analysis
Jackie Rees Ulmer – Purdue University
(374.0MB): MP4 video, Flash video, YouTube

01/21/2015
Security with Privacy – A Research Agenda
Bharath Samanthula – Purdue University
(117.4MB): MP4 video, Flash video, YouTube

01/28/2015
Practical Confidentiality Preserving Big Data Analysis in Untrusted Clouds
Savvas Savvides – Purdue University
(148.3MB): MP4 video, Flash video, YouTube

02/04/2015
Regulatory Compliance Checking Over Encrypted Audit Logs
Omar Chowdhury – Purdue University
(149.6MB): MP4 video, Flash video, YouTube

02/11/2015
Code-Pointer Integrity
Mathias Payer – Purdue University
(90.3MB): MP4 video, Flash video, YouTube

02/18/2015
Privacy Notions for Data Publishing and Analysis
Ninghui Li – Purdue University
(216.9MB): MP4 video, Flash video, YouTube

02/25/2015
Software updates: decisions and security implications
Kami Vaniea – Indiana University
(181.3MB): MP4 video, Flash video, YouTube

03/04/2015
Aiding Security Analytics — From Dempster-Shafer Theory to Anthropology
Xinming Ou – Kansas State University
(112.5MB): MP4 video, Flash video, YouTube

03/11/2015
Virtual Android Malware Detection and Analysis (VAMDA)
Andrew Pyles – MITRE
(85.3MB): MP4 video, Flash video, YouTube

03/25/2015
Symposium/Michelle Dennedy, Intel
Michelle Dennedy – Intel
(242.2MB): MP4 video, Flash video

04/01/2015
Breaking Mobile Social Networks for Automated User Location Tracking
Kui Ren – University at Buffalo
(109.5MB): MP4 video, Flash video, YouTube

04/15/2015
Engineering Secure Computation — Efficiently
Yan Huang – Indiana University
(107.4MB): MP4 video, Flash video, YouTube


01/15/2014
Open

01/22/2014
Cancelled

01/29/2014
Secure and Private Outsourcing to Untrusted Cloud Servers
Shumiao Wang – Purdue University
(311.0MB): MP4 video, Flash video, YouTube

02/05/2014
Cancelled

02/19/2014
Technical Tradeoffs in the NSA’s Mass Phone Call Program
Ed Felten – Princeton University
(155.3MB): MP4 video, Flash video, YouTube

03/05/2014
Machine Intelligence for Biometric and On-Line Security
Marina Gavrilova – University of Calgary
(335.5MB): MP4 video, Flash video, YouTube

03/12/2014
General-Purpose Secure Computation and Outsourcing
Marina Blanton – University of Notre Dame
(299.6MB): MP4 video, Flash video, YouTube

04/02/2014
CERIAS Poster Contest Winners
Philip Ritchey & Mohammed Almeshekah – Purdue University
(302.5MB): MP4 video, Flash video, YouTube

04/16/2014
Online Privacy Agreements, is it Informed Consent?
Masooda Bashir – University of Illinois at Urbana-Champaign
(320.2MB): MP4 video, Flash video, YouTube

04/23/2014
Cancelled

04/30/2014
Women In Cyber Security
Rachel Sitarz – Purdue University
(313.2MB): MP4 video, Flash video, YouTube

08/27/2014
Tree-based Oblivious RAM and Applications
Elaine Shi – University of Maryland

09/10/2014
WarGames in Memory: Fighting Powerful Attackers
Mathias Payer – Purdue University
(102.4MB): MP4 video, Flash video, YouTube

09/24/2014
Threat intelligence and digital forensics
Sam Liles – Purdue University
(166.4MB): MP4 video, Flash video, YouTube

10/08/2014
Biometrics and Usability
Stephen Elliott – Purdue University
(164.9MB): MP4 video, Flash video, YouTube

10/15/2014
Cancelled

10/22/2014
Memory Analysis, Meet GPU Malware
Golden G. Richard III – University of New Orleans
(170.0MB): MP4 video, Flash video, YouTube

10/29/2014
Healthcare Security and Privacy: Not There Yet
Robert Zimmerman – Inforistec
(206.1MB): MP4 video, Flash video, YouTube

11/05/2014
Improving Analyst Team Performance and Capability in NOC / SOC Operations Centers
Barrett Caldwell and Omar Eldardiry – Purdue University
(145.2MB): MP4 video, Flash video, YouTube

11/19/2014
Privacy in the Age of the Police State
Marcus Ranum – Tenable Network Security
(209.0MB): MP4 video, Flash video, YouTube

12/03/2014
Open

12/10/2014
How Program Analysis can be Used in Security Applications
Xiangyu Zhang – Purdue University
(148.5MB): MP4 video, Flash video, YouTube


01/09/2013
Open

01/23/2013
Differentially Private Publishing of Geospatial Data
Wahbeh Qardaji – Purdue University
(168.8MB): MP4 video, Flash video, YouTube

01/30/2013
A Semantic Baseline for Spam Filtering
Christian F. Hempelmann – Texas A&M University-Commerce
(264.1MB): MP4 video, Flash video, YouTube

02/06/2013
Using Probabilistic Generative Models for Ranking Risks of Android Apps
Chris Gates – Purdue University
(161.9MB): MP4 video, Flash video, YouTube

02/20/2013
Minimizing Private Data Disclosures in the Smart Grid
Weining Yang – Purdue University
(104.3MB): MP4 video, Flash video, YouTube

02/27/2013
Protecting Today’s Enterprise Systems against Zero-day Attacks
Saurabh Bagchi – Purdue University

03/06/2013
Whole Genome Sequencing: Innovation Dream or Privacy Nightmare?
Emiliano DeCristofaro – PARC
(148.0MB): MP4 video, Flash video, YouTube

03/20/2013
Active Cyber Network Defense with Denial and Deception
Kristin Heckman – MITRE
(170.1MB): MP4 video, Flash video, YouTube

03/27/2013
Regulatory Compliance Software Engineering
Aaron Massey – Georgia Tech
(125.5MB): MP4 video, Flash video, YouTube

04/03/2013
Symposium

04/17/2013
Towards Automated Problem Inference from Trouble Tickets
Rahul Potharaju – Purdue University
(165.0MB): MP4 video, Flash video, YouTube

04/24/2013
Identity-Based Internet Protocol Network
David Pisano – MITRE
(81.8MB): MP4 video, Flash video, YouTube

08/21/2013
New possibilities of steganography based on Kuznetsov-Tsybakov problem
Jarek Duda – Purdue University
(247.6MB): MP4 video, Flash video, YouTube

08/28/2013
Information Security Challenges in an Academic Environment
Keith Watson – Purdue University
(294.2MB): MP4 video, Flash video, YouTube

09/11/2013
Cyber Threats and the Cyber Kill Chain
Kevin Brennan – FBI

09/18/2013
Protecting a billion identities without losing (much) sleep
Mark Crosbie, Tim Tickel, Four Flynn – Facebook
(269.1MB): MP4 video, Flash video, YouTube

10/02/2013
Open

10/09/2013
Open

10/16/2013
Open

10/23/2013
Systems of Systems: Opportunities and Challenges
Daniel DeLaurentis – Purdue University
(317.7MB): MP4 video, Flash video, YouTube

10/30/2013
Membership Privacy: A Unifying Framework For Privacy Definitions
Ninghui Li – Purdue University
(316.2MB): MP4 video, Flash video, YouTube

11/06/2013
Yahoo! Messenger Forensics on Windows Vista and Windows 7
Tejashree Datar – Purdue University
(203.1MB): MP4 video, Flash video, YouTube

11/13/2013
Cloud Security: How Does Software Assurance Apply
Randall Brooks – Raytheon
(139.1MB): MP4 video, Flash video

11/20/2013
Trust Management for Publishing Graph Data
Muhammad Umer Arshad – Purdue University
(359.0MB): MP4 video, Flash video, YouTube

12/04/2013
Economic Policy and Cyber Challenges in Estonia
Marina Kaljurand
(549.8MB): MP4 video, Flash video, YouTube


01/11/2012
Introduction to Biometrics
Stephen Elliott – Purdue University
(442.4MB): MP4 video, Flash video, YouTube

01/18/2012
Secure Provenance Transmission for Data Streams
Salmin Sultana – Purdue University
(517.4MB): MP4 video, Flash video, YouTube

01/25/2012
A Flexible System for Access Control
Frank Tompa – University of Waterloo
(543.0MB): MP4 video, Flash video, YouTube

02/01/2012
Is it time to add Trust to the Future Internet/Web?
George Vanecek – Futurewei Technologies
(547.3MB): MP4 video, Flash video, YouTube

02/15/2012
Forensic Carving of Network Packets with bulk_extractor and tcpflow
Simson Garfinkel – Naval Postgraduate School
(532.8MB): MP4 video, Flash video, YouTube

02/22/2012
Vulnerability Path and Assessment
Ben Calloni – Lockheed Martin
(537.9MB): MP4 video, Flash video, YouTube

02/29/2012
Cryptographic protocols in the era of cloud computing
Nishanth Chandran – Microsoft Research
(552.9MB): MP4 video, Flash video, YouTube

03/07/2012
Privacy-Preserving Assessment of Location Data Trustworthiness
Chenyun Dai – Purdue University
(535.8MB): MP4 video, Flash video, YouTube

03/21/2012
Adding a Software Assurance Dimension to Supply Chain Practices
Randall Brooks – Raytheon
(535.2MB): MP4 video, Flash video, YouTube

04/04/2012
J.R. Rao – IBM Research

04/11/2012
K-Anonymity in Social Networks: A Clustering Approach
Traian Truta – Northern Kentucky University
(538.5MB): MP4 video, Flash video, YouTube

04/25/2012
A Practical Beginners’ Guide to Differential Privacy
Christine Task – Purdue University
(530.0MB): MP4 video, Flash video

08/22/2012
The New Frontier, Welcome the Cloud Brokers
Scott Andersen – Lockheed Martin
(443.9MB): MP4 video, Flash video, YouTube

08/29/2012
Challenges for R&D in the Security Field
Lewis Shepherd – Microsoft
(445.2MB): MP4 video, Flash video, YouTube

09/05/2012
The Inertia of Productivity
Ed Lopez
(447.4MB): MP4 video, Flash video, YouTube

09/12/2012
Trends in cyber security consulting
Sharon Chand & Chad Whitman – Deloitte & Touche
(442.5MB): MP4 video, Flash video, YouTube

10/03/2012
Defending Users Against Smartphone Apps: Techniques and Future Directions
William Enck – North Carolina State University
(448.0MB): MP4 video, Flash video, YouTube

10/10/2012
Understanding Spam Economics
Chris Kanich – University of Illinois at Chicago
(445.1MB): MP4 video, Flash video, YouTube

10/17/2012
The Boeing Company
Edmund Jones – Boeing
(443.0MB): MP4 video, Flash video, YouTube

10/31/2012
Risk perception of information security risks online
Vaibhav Garg – Indiana University
(446.6MB): MP4 video, Flash video, YouTube

11/07/2012
Publishing Microdata with a Robust Privacy Guarantee
Jianneng Cao – Purdue University
(444.5MB): MP4 video, Flash video, YouTube

11/28/2012
A New Class of Buffer Overflow Attacks
Ashish Kundu – IBM
(316.8MB): MP4 video, Flash video, YouTube

12/05/2012
You are Anonymous!!! Then you must be Lucky
Bilal Shebaro – Purdue University
(220.7MB): MP4 video, Flash video, YouTube


01/12/2011
Risk Perception and Trust in Cloud
Fariborz Farahmand – Purdue University
(444.7MB): MP4 video, Flash video, YouTube

01/19/2011
Retrofitting Legacy Code for Security
Somesh Jha – University of Wisconsin
(446.4MB): MP4 video, Flash video, YouTube

02/02/2011
Campus closed/snow

02/09/2011
Understanding insiders: An analysis of risk-taking behavior
Fariborz Farahmand – Purdue University
(442.2MB): MP4 video, Flash video, YouTube

02/16/2011
Malware Trends and Techniques
Tom Ervin – MITRE

02/23/2011
A couple of results about JavaScript
Jan Vitek – Purdue University
(443.1MB): MP4 video, Flash video, YouTube

03/02/2011
Modeling DNS Security: Misconfiguration, Availability, and Visualization
Casey Deccio – Sandia National Labs
(443.7MB): MP4 video, Flash video, YouTube

03/09/2011
Exploiting Banners for Fun and Profits
Michael Schearer – Booz Allen Hamilton
(446.7MB): MP4 video, Flash video, YouTube

04/06/2011
Society, Law Enforcement and the Internet: Models for Give and Take
Carter Bullard – QoSient, LLC
(451.8MB): MP4 video, Flash video, YouTube

04/13/2011
FuzzyFusion™, an application architecture for multisource information fusion
Ronda R. Henning – Harris Corporation
(446.7MB): MP4 video, Flash video, YouTube

04/27/2011
Mobile Phones and Evidence Preservation
Eric Katz – Purdue University
(447.7MB): MP4 video, Flash video, YouTube

08/24/2011
Provisioning Protocol Challenges in an Era of gTLD Expansion
Scott Hollenbeck – Verisign
(443.6MB): MP4 video, Flash video, YouTube

08/31/2011
Non-homogeneous anonymizations
Tamir Tassa – The Open University, Israel
(447.7MB): MP4 video, Flash video, YouTube

09/07/2011
Detecting Bots in Online Games using Human Observational Proofs
Steven Gianvecchio – MITRE
(445.0MB): MP4 video, Flash video, YouTube

09/21/2011
Methods and Techniques for Protecting Data in Real Time on the Wire
Joe Leonard – Global Velocity
(444.0MB): MP4 video, Flash video, YouTube

09/28/2011
Weighted Multiple Secret Sharing
Xukai Zou – Indiana University-Purdue University Indianapolis
(449.7MB): MP4 video, Flash video, YouTube

10/05/2011
Trusted Computing and Security for Embedded Systems
Hal Aldridge – Sypris Electronics
(445.0MB): MP4 video, Flash video, YouTube

10/12/2011
Enterprise-Wide Intrusions Involving Advanced Threats
Dan McWhorter and Steve Surdu – Mandiant Corporation
(443.0MB): MP4 video, Flash video, YouTube

10/19/2011
Ontological Semantic Technology Goes Phishing
Julia M. Taylor, Victor Raskin, and Eugene H. Spafford – Purdue University
(446.3MB): MP4 video, Flash video, YouTube

11/16/2011
Jam me if you can: Mitigating the Impact of Inside Jammers
Loukas Lazos – University of Arizona
(443.7MB): MP4 video, Flash video, YouTube

11/30/2011
Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones
Apu Kapadia – Indiana University
(447.9MB): MP4 video, Flash video, YouTube

12/07/2011
No Seminar


01/13/2010
Thinking Outside the Box
Eugene Spafford – Purdue University
(443.9MB): MP4 video, Flash video, YouTube

01/20/2010
Applications of biometric technologies
Stephen Elliott – Purdue University
(416.3MB): MP4 video, Flash video, YouTube

01/27/2010
Fast-flux Attacks
Shijie Zhou – University of Electronic Science and Technology of China

02/03/2010
Detecting Insider Theft of Trade Secrets
Greg Stephens – MITRE
(429.3MB): MP4 video, Flash video, YouTube

02/10/2010
Dissecting Digital Data: Context & Meaning through Analytics
Marcus Rogers – Purdue University
(465.4MB): MP4 video, Flash video, YouTube

02/17/2010
Provenance-based Data Trustworthiness Assessment in Data Streams
Hyo-Sang Lim – Purdue University
(379.8MB): MP4 video, Flash video, YouTube

03/10/2010
Making of the CWE Top-25, 2010 Edition
Pascal Meunier – Purdue University
(444.7MB): MP4 video, Flash video, YouTube

04/07/2010
60 years of scientific research in cryptography: a reflection
Yvo Desmedt – University College London, UK
(449.3MB): MP4 video, Flash video, YouTube

04/14/2010
Security of JavaScript in a Browser Environment
Christian Hammer – Purdue University
(448.0MB): MP4 video, Flash video, YouTube

04/21/2010
The role of System Security Engineering in the engineering lifecycle
Stephen Dill – Lockheed Martin
(446.1MB): MP4 video, Flash video, YouTube

04/28/2010
Ontological Semantic Technology for Detecting Insider Threat and Social Engineering
Victor Raskin & Julia Taylor – Purdue University
(451.7MB): MP4 video, Flash video, YouTube

08/25/2010
Secure Network Coding for Wireless Mesh Networks
Cristina Nita-Rotaru – Purdue University
(443.7MB): MP4 video, Flash video, YouTube

09/01/2010
Data in the Cloud: Authentication Without Leaking
Ashish Kundu – Purdue University
(441.4MB): MP4 video, Flash video, YouTube

09/08/2010
Rootkits
Xeno Kovah – MITRE
(445.4MB): MP4 video, Flash video, YouTube

09/22/2010
Security of Mobile Ad Hoc Networks (MANETs)
Petros Mouchtaris – Telcordia
(448.2MB): MP4 video, Flash video, YouTube

09/29/2010
Assured Processing through Obfuscation
Sergey Panasyuk – Air Force Research Laboratory
(445.8MB): MP4 video, Flash video, YouTube

10/06/2010
Global Study of Web 2.0 Use in Organizations
Mihaela Vorvoreanu, Lorraine G. Kisselburgh – Purdue University
(444.4MB): MP4 video, Flash video, YouTube

10/20/2010
Trust and Protection in the Illinois Browser Operating System
Sam King – University of Illinois
(451.0MB): MP4 video, Flash video, YouTube

10/27/2010
The role of automata theory in software verification
P. Madhusudan – University of Illinois at Urbana-Champaign
(451.1MB): MP4 video, Flash video, YouTube

11/03/2010
Tackling System-Wide Integrity
Trent Jaeger – Pennsylvania State
(444.9MB): MP4 video, Flash video, YouTube

11/10/2010
Detecting Coordinated Attacks with Traffic Analysis
Nikita Borisov – University of Illinois at Urbana-Champaign
(439.5MB): MP4 video, Flash video, YouTube

11/17/2010
Security Applications for Physically Unclonable Functions
Michael Kirkpatrick – Purdue University
(447.9MB): MP4 video, Flash video, YouTube

12/01/2010
Nudging the Digital Pirate: Behavioral Issues in the Piracy Context
Matthew Hashim – Purdue University
(443.7MB): MP4 video, Flash video, YouTube

CERIAS Security Symposium, 26 & 27 March 2014


We’re living in a time of transition. Cyberthreats are increasing and becoming more sophisticated, victimized organizations are cooperating with competitors and fighting back, and the discussion of expected privacy has become front-page news. These topics, and more, were explored at the 15th Annual CERIAS Security Symposium.

Welcome and Opening Keynote


Welcome: Mitch Daniels

President, Purdue University

Keynote: Amy Hess

Executive Assistant Director of Science and Technology, FBI

Fireside Chat


At the Table

  • Prof. Eugene Spafford
    Executive Director, CERIAS – Purdue University
  • George Kurtz
    President/CEO and Co-Founder, CrowdStrike
  • Josh Corman
    Chief Technology Officer, Sonatype
  • Amy Hess
    Executive Assistant Director of Science and Technology, FBI

Featured Technical Speaker


Josh Corman

Chief Technology Officer, Sonatype

Keynote #2


George Kurtz

President/CEO and Co-Founder, CrowdStrike

Security Plus (not Versus) Privacy


Mark Rasch

Former Chief Privacy Officer at SAIC and Principal at Rasch Technology and Cyber Law

David Medine

Chairman, Privacy and Civil Liberties Oversight Board

CERIAS Awards


Awards Given

  • Diamond & Pillar Awards
  • Poster Presentation Winners

Panel: Sharing Incidence Data While Under Attack


On the Panel

  • Dave Fiore
    Senior Systems Engineer, CyberPoint
  • Paul Baltzell
    Chief Information Officer at State of Indiana
  • Kevin Nauer
    Cyber Security Researcher, Sandia National Laboratories
  • Prof. Sam Liles
    Associate Professor, Cyber Forensics Laboratory – Purdue University
  • Michael West
    Vice President, Cyber Investigations – Fidelity Investments

Panel: APT, Threat Actors, and Trends in Cybercrime


On the Panel

  • Ben Anderson
    Sandia National Laboratories
  • Kevin Alejandro Roundy
    Symantec
  • Marc Brooks
    MITRE Corporation
  • Prof. Marcus Rogers
    Purdue College of Technology

Posters & Presentations 2014


  • Consumer Privacy Architecture for Power Grid Advanced metering infrastructure
  • Privacy Preserving Access Control in Service Oriented Architecture
  • pSigene: Generalizing Attack Signatures
  • Resilient and Active Authentication and User-Centric Identity Ecosystems
  • Semantic Anonymization of Medical Records
  • The Password Wall — A Better Defense against Password Exposure
  • Top-K Frequent Itemsets via Differentially Private FP-trees
  • VeryBioIDX: Privacy Preserving Biometrics-Based and User Centric Authentication Protocol
  • A Framework for Service Activity Monitoring
  • A Key Management Scheme in BYOD Environment
  • FPGA Password Cracking
  • A Study of Probabilistic Password Models
  • Analysis of Coping Mechanisms in Password Selection
  • Detecting Tic-Tac-Stego: Anomaly Detection for Steganalysis in Games
  • Enhancing Analyst Situation Awareness and Event Response in Cyber Network Operations Centers
  • Finland’s Cyber Warfare Capabilities
  • Mutual Restraining Voting Involving Multiple Conflicting Parties
  • Natural Language IAS: The Problem of Phishing
  • Using social network data to track information and make decisions during a crisis
  • A Framework to Find Vulnerabilities Using State Characteristics in Transport Protocol Implementations
  • Divide & Recombine for Big Data Analysis for Cybersecurity – Application of DNS Blacklist Query Study
  • Confidentiality Guidelines for Cloud Storage
  • Cyber 9/12 Student Challenge: Team Purdue Cyber Forensics
  • DC3 Digital Forensics Challenge
  • Implementing Bayesian Statistics from an Analysis of Competing Hypothesis Framework
  • Netherlands’ Cyber Capabilities
  • Saudi Arabian Policy on Cyber Capabilities
  • South Korea ICT Index Leader Cyber Assessments
  • Technological Impact of Criminal Enterprises: The Impact of Cloud Computing
  • The Efficacy of Case Studies for Teaching Policy in Engineering and Technology Courses
  • The Impact of University Provided Nurse Electronic Medical Record (EMR) Training on Hospital Provider Systems: A Computer Simulation Approach
  • The Irish Economy’s Vulnerability to Cyber Conflict
  • Threats, Vulnerabilities, and Security Controls in Cloud Computing
  • A Critical Look at Steganographic Investigations
  • Analysis of Cyberattacks on UASs in Simulation
  • Communications, Information, and Cybersecurity in Systems-of-Systems
  • Distributed Fault Detection and Isolation for Kalman Consensus Filter
  • End to End Security in Service Oriented Architecture
  • INSuRE — Information Security Research and Education
  • Log-Centric Analytics for Advanced Persistent Threat Detection
  • Making the Case of Digital Forensics Field Training for Parole Services
  • Periodic Mobile Forensics
  • Robust Hybrid Controller Design: Cyber Attack Mitigation Strategy for Cyber-Physical Systems
  • Text-based Approaches to Detect Phishing Attacks
  • The Case of Using Negative (Deceiving) Information in Data Protection

Assured Identity and Privacy

Consumer Privacy Architecture for Power Grid Advanced metering infrastructure

Dheeraj Gurugubelli, Dr. Chris Foreman and Dr. Melissa Dark

http://www.cerias.purdue.edu/assets/symposium/2014-posters/616-591.pdf

Utilities install smart meters in homes. These smart meters allow the tracking and management of consumers’ energy consumption, which enables utility companies to increase efficiency, lower costs, and reduce pollution. But the advanced meters, which use wireless and digital technologies to send frequent consumption data to utilities, face opposition from customers and others who see them as a threat to health, privacy, and security. From a utility company perspective, collection and management of such huge volumes of data at an individual level is not an essential business function. The goal of this research is to create an architecture that preserves the privacy of the consumer in the power grid advanced metering infrastructure while helping the utility company better manage data.

Privacy Preserving Access Control in Service Oriented Architecture

Rohit Ranchal, Ruchith Fernando, Zhongjun Jin, Pelin Angin, Bharat Bhargava

http://www.cerias.purdue.edu/assets/symposium/2014-posters/955-3C4.pdf

Service Oriented Architecture (SOA) comprises a number of loosely-coupled services, which collaborate, interact and share data to accomplish a task. A service invocation can involve multiple services, where each service generates, shares, and interacts with the client’s data. These interactions may share data with unauthorized services and violate the client’s policies. The client has no means of identifying whether a violation occurred and has no control or visibility over interactions beyond its trust domain. Such interactions introduce new security challenges that are not present in traditional systems. We propose a data-centric approach for privacy preserving access control in SOA based on Active Bundles. This approach transforms passive data into an active entity that is able to protect itself. It enables dynamic data dissemination decisions and protects data throughout its lifecycle. The granularity of the data being shared with a service is determined by the client’s data dissemination policy.

pSigene: Generalizing Attack Signatures

Jeff Avery, Gaspar Modelo-Howard, Fahad Arshad, Saurabh Bagchi, Yuan Qi

http://www.cerias.purdue.edu/assets/symposium/2014-posters/F74-76F.pdf

Intrusion detection systems (IDS) are an important component in effectively protecting computer systems. Misuse detection is the most popular approach to detecting intrusions, using a library of signatures to find attacks. The accuracy of the signatures is paramount for an effective IDS, yet today’s practitioners still rely on manual techniques to improve and update those signatures. We present a system, called pSigene, for the automatic generation of intrusion signatures by mining the vast amount of public data available on attacks. It follows a four-step process to generate the signatures: first, attack samples are crawled from multiple public cyber security web portals. Then, a feature set is created from existing detection signatures to model the samples, which are then grouped using a biclustering algorithm that also gives the distinctive features of each cluster. Finally, the system automatically creates a set of signatures using regular expressions, one for each cluster. We tested our architecture on the prevalent class of SQL injection attacks and found our signatures to have true and false positive rates of over 86% and 0.03%, respectively, and compared our findings to other SQL injection signature sets from popular IDS and web application firewalls. Results show our system to be very competitive with existing signature sets.

Resilient and Active Authentication and User-Centric Identity Ecosystems

Yan Sui, Xukai Zou

http://www.cerias.purdue.edu/assets/symposium/2014-posters/621-AD0.pdf

Existing proxy-based authentication approaches have problems (e.g., non-binding, susceptible to theft and dictionary attack, burden on end-users, re-use risk). Biometrics, which authenticate users by intrinsic biological traits, arise to address these drawbacks. However, biometrics are irreplaceable once compromised and leak sensitive information about the human user behind them. In this research, we propose a usable, privacy-preserving, secure biometrics-based identity verification and protection system. Specifically, we propose a novel biometric authentication token called Bio-Capsule (BC), which is generated by a secure fusion of the user’s biometrics and a (selected) reference subject’s biometrics. The fusion process preserves biometric robustness and accuracy in the sense that the BC can be used in place of the original user’s biometric template without sacrificing the system’s acceptability for the same user and distinguishability between different users. There are further potential applications of this research: a user-centric identity ecosystem – a highly resilient, privacy-preserving, revocable, interoperable, and efficient user-centric identity verification and protection ecosystem; and an active authentication system – a provably secure, privacy-preserving, biometric active authentication system to support continuous and non-intrusive authentication.

Semantic Anonymization of Medical Records

Tatiana Ringenberg, Julia M. Taylor, Victor Raskin

http://www.cerias.purdue.edu/assets/symposium/2014-posters/79D-5DB.pdf

With the availability of large amounts of data in the medical industry, it is becoming necessary, due to both regulatory and ethical concerns, to find unique ways of protecting patient identities. A name and social security number are no longer the only fields in a patient’s record that can identify them. Data under HIPAA requires the removal of several Protected Health Information Identifiers. Symptoms themselves can also distinctly identify an individual in a large group. To prevent this, the Purdue OST Anonymization Project is using semantics to determine the degree to which any patient record is identifiable from others in a system. Our approach combines the conceptual mapping of Ontological Semantic Technology with the anonymity principles of K-Anonymity to semantically anonymize patient data for compliance with regulatory and research policies.

The Password Wall — A Better Defense against Password Exposure

Mohammed Almeshekah, Mikhail Atallah and Eugene Spafford

http://www.cerias.purdue.edu/assets/symposium/2014-posters/356-E8E.pdf

We present an authentication scheme that better protects users’ passwords than currently deployed password-based schemes, without taxing the users’ memory or damaging the user-friendliness of the login process. Our scheme maintains compatibility with traditional password-based authentication, without any additional storage requirements, giving service providers the ability to selectively enroll users and fall back to traditional methods if needed. The scheme utilizes the ubiquity of smartphones; however, unlike previous proposals, it does not require registration or connectivity of the phones used. In addition, no long-term secrets are stored in the user’s phone, mitigating the consequences of losing it. The scheme significantly increases the difficulty of launching a phishing attack by automating the decision of whether a website should be trusted and introducing the additional risk, on the adversary’s side, of being detected and deceived. In addition, the scheme is resilient against Man-in-the-Browser (MitB) attacks and compromised client machines. Finally, we incorporate a user-friendly covert communication channel between the user and the service provider, giving the user the ability to have different levels of access (instead of the traditional all-or-nothing), and the use of deception (honeyaccounts), which makes it possible to dismantle a large-scale attack infrastructure before it succeeds (rather than after the painful and slow forensics that follow a successful phishing attack). As an added feature, the scheme gives service providers the ability to have full-transaction authentication.

Top-K Frequent Itemsets via Differentially Private FP-trees

Jaewoo Lee and Chris Clifton

http://www.cerias.purdue.edu/assets/symposium/2014-posters/026-59A.pdf

Frequent itemset mining is a core data mining task and has been studied extensively. Although by their nature, frequent itemsets are aggregates over many individuals and would not seem to pose a privacy threat, an attacker with strong background information can learn private individual information from frequent itemsets. This has led to differentially private frequent itemset mining, which protects privacy by giving inexact answers. We give an approach that first identifies top-k frequent itemsets, then uses them to construct a compact, differentially private FP-tree. Once the noisy FP-tree is built, the (privatized) support of all frequent itemsets can be derived from it without access to the original data. Experimental results show that the proposed algorithm gives substantially better results than prior approaches, especially for high levels of privacy.

VeryBioIDX: Privacy Preserving Biometrics-Based and User Centric Authentication Protocol

Hasini Gunasinghe, Elisa Bertino

http://www.cerias.purdue.edu/assets/symposium/2014-posters/642-A07.pdf

We propose a privacy preserving biometrics-based authentication protocol by which a user can authenticate to different service providers from a mobile phone, without involving the identity provider in transactions, thus enhancing privacy. Authentication is based on a cryptographic identity token that embeds a unique, repeatable and revocable identifier generated from the user’s biometric image and a random secret, supporting two-factor authentication based on zero-knowledge proofs of knowledge. Our approach for generating biometric identifiers from users’ biometrics is based on perceptual hashing and SVM classification techniques.

End System Security

A Framework for Service Activity Monitoring

Ruchith Fernando, Rohit Ranchal, Pelin Angin, Bharat Bhargava

http://www.cerias.purdue.edu/assets/symposium/2014-posters/10E-9E2.pdf

In a service-oriented architecture (SOA) environment, a service can dynamically select and invoke any service from a group of services to offload part of its functionality. This is very useful for building large systems from existing services and dynamically adding services to support new features. One of the main problems with such a system is that it is very difficult to trust the service interaction lifecycle and assume that the services behave as expected and respect the system policies. We propose a centralized service monitor that audits and detects malicious activity or compromised services by analyzing information collected via monitoring agents. The service monitor includes two modes of operation – active and passive – in which one can evaluate service topologies with various policies.

A Key Management Scheme in BYOD Environment

Di Xie, Baijian Yang

http://www.cerias.purdue.edu/assets/symposium/2014-posters/953-6AD.pdf

Bring-Your-Own-Device (BYOD) refers to an IT policy that encourages and allows employees to use their personal devices to access privileged corporate network resources. Current BYOD practices are not sufficient to provide both flexible and secure access to data stored on personal devices and are likely to cause privacy infringement issues and incur high management cost. This research presents an Innovative Key Management Scheme (IKMS) approach that employs a hierarchical and time-bounded key management system to battle the security and privacy issues in BYOD deployment.

FPGA Password Cracking

Max DeWees, Michael Kouremetis, Matthew Riedle, Craig West

http://www.cerias.purdue.edu/assets/symposium/2014-posters/AB6-C90.pdf

Field Programmable Gate Arrays (FPGAs) are a unique hardware component that allows for dynamic prototyping design and implementation of hardware logic. FPGAs provide the advantages of dedicated hardware functionality and parallelization for specific tasks. In this research, we look to apply these advantages of FPGAs to breaking cryptographic functions, primarily hash functions and encryption passwords. While this has been done successfully in the past to older functions like MD5, it has not been thoroughly analyzed for more complex systems such as TrueCrypt, Windows BitLocker, or Mac OS X FileVault. Our focus is to analyze the feasibility, scalability, and success of using one or more FPGAs to crack these systems.

Human Centric Security

A Study of Probabilistic Password Models

Jerry Ma, Weining Yang, Min Luo, Ninghui Li

http://www.cerias.purdue.edu/assets/symposium/2014-posters/293-790.pdf

A probabilistic password model assigns a probability value to each string. Such models are useful for research into understanding what makes users choose more (or less) secure passwords, and for constructing password strength meters and password cracking utilities. Guess-number graphs generated from password models are a widely used method in password research. In this paper, we show that probability-threshold graphs have important advantages over guess-number graphs. They are much faster to compute, and at the same time provide information beyond what is feasible in guess-number graphs. We also observe that research in password modeling can benefit from the extensive literature in statistical language modeling. We conduct a systematic evaluation of a large number of probabilistic password models, including Markov models using different normalization and smoothing methods, and find that, among other things, Markov models, when done correctly, perform significantly better than the Probabilistic Context-Free Grammar model, which has been used as the state-of-the-art password model in recent research.

Analysis of Coping Mechanisms in Password Selection

Brian Curnett, Paul Duselis, Teri Flory

http://www.cerias.purdue.edu/assets/symposium/2014-posters/ED9-F1E.pdf

Do more stringent password policies actually create stronger and more secure passwords? Do humans reach a threshold when creating passwords that follow policies but fail to provide an adequate level of protection? Previous work has focused on password strength and the effectiveness of password defeating tools, but has only briefly touched on user frustration with policies, or the coping mechanisms that may be employed by users to satisfy those stringent policies. Our work will utilize the information available from previous studies and expand on it to include user frustration and coping methods. Our examination will include multiple policies that are currently accepted and in use by organizations and companies from a wide variety of backgrounds. This will attempt to show the true measure of protection that the industry standard policies provide. It will be necessary to review processes of data collection and determine the most effective procedures to gather this information. We will then develop a method based on this plan and propose it to our partners for future review and use. We will propose an analytic procedure to be used in determining an optimal relationship between a password policy’s strength and coping mechanisms, and finally a set of repeatable statistical procedures that can be applied to data sets of passwords to ensure the policy’s strength.

Detecting Tic-Tac-Stego: Anomaly Detection for Steganalysis in Games

Philip C. Ritchey, Vernon J. Rego

http://www.cerias.purdue.edu/assets/symposium/2014-posters/EF2-A3A.pdf

Motivated by the identification of potential areas in the broader field of information security where the study of human behavior can be used to enhance and improve information security, we investigated methods for detecting information hiding in games. This work builds on previous work which presented Tic-Tac-Stego, a general methodology for hiding information in games. The focus of this work is to understand and experiment with three steganalysis techniques for detecting steganography in games: rules-based, feature-based, and probabilistic model-based detectors. Under the assumption that the adversary is unable to predict the play style of the stego-agent, we find that a feature-based steganalysis method performs the best at detecting usage of the covert channel, capable of achieving accuracy greater than 97% against all stego-agents tested. On the other hand, under the assumption that the adversary is able to predict the play style of the stego-agent, the rules-based method is more accurate and requires fewer games per example than the feature-based method. The probabilistic model-based method is found to be overall less accurate than both the feature-based and rules-based methods.

Enhancing Analyst Situation Awareness and Event Response in Cyber Network Operations Centers

Omar Eldardiry, Barrett Caldwell

http://www.cerias.purdue.edu/assets/symposium/2014-posters/BA8-C6C.pdf

The development of cyber network operations centers has created new needs to support human sense-making and situation awareness in a cyber network common operating picture (CNCOP). The goal of this research is to identify critical features that support expert analysts in event detection, identification, and response to cyber events (emergency scenarios, hardware breakdowns or other sources of degraded performance). The goal is to improve information visualization to support recognition and response to cyber- and cyber-physical network events. The results of this research project will be used to improve operational capability and analyst situation awareness in NOC environments and provide design guidance to improve analyst event monitoring and response in other cyber-physical infrastructure operations centers.

Finland’s Cyber Warfare Capabilities

Filipo Sharevski

http://www.cerias.purdue.edu/assets/symposium/2014-posters/B76-BC6.pdf

In light of the discussion on cyber intelligence, the content of this paper includes an analysis of open source data in respect to a methodical assessment of Finland’s cybersecurity and cyberwarfare capabilities. The information related to Finland’s cyber preparedness and cybersecurity awareness is analyzed together with the relevant statistical factors in order to outline the relative stage of cyber capability development in the military context. Finland’s cybersecurity strategy, Finnish security and defense policy, and Finland’s academic perspectives on cyber operations realms are elaborated in parallel with the conceptualization of military doctrine adaptation in the cyber domain in order to describe Finland’s posture relative to potential cyberwarfare conflict engagements. In addition to this, the key stakeholders in cybersecurity governance are also listed, providing insight into the practical aspects of the nation’s efforts for cybersecurity maintenance and constant improvement.

Mutual Restraining Voting Involving Multiple Conflicting Parties

Dr. Xukai Zou (xkzou@cs.iupui.edu), Yan Sui, Huian Li, Wei Peng, and Dr. Feng Li

http://www.cerias.purdue.edu/assets/symposium/2014-posters/CFF-BFE.pdf

Scrutinizing current voting systems, including existing e-voting techniques, one can discern that there exists a gap between casting secret ballots and tallying and verifying individual votes. This gap is caused by either a disconnection between the vote-casting process and the vote-tallying process or an opaque transition (e.g., due to encryption) from vote-casting to vote-tallying, and it damages voter assurance, i.e., the assurance of any voter that the vote he/she has cast is verifiably counted in the final tally. We propose a groundbreaking e-voting protocol that fills this gap and provides a fully transparent election. In this fully transparent internet voting system, the transition from vote-casting to vote-tallying is seamless, viewable, verifiable, and privacy-preserving. As a result, individual voters will be able to verify their own votes and are technically and visually assured that their votes are indeed counted in the final tally, the public will be able to verify the accuracy of the count, and political parties will be able to catch fraudulent votes. And all this will be achieved while still retaining what is perhaps the core value of democratic elections – the secrecy of any voter’s vote. The new protocol is the first fully transparent e-voting protocol which technologically enables open and fair elections and delivers full voter assurance, even for the voters of minor or weak political parties.

Natural Language IAS: The Problem of Phishing

Lauren M. Stuart, Gilchan Park, Julia M. Taylor, Victor Raskin

http://www.cerias.purdue.edu/assets/symposium/2014-posters/568-98B.pdf

Phishing emails solicit personal and sensitive information while masquerading as legitimate messages from financial institutions. Automatic detection of phishing emails will help reduce the financial losses incurred by their victims. Computer understanding of message meaning and other hallmarks of legitimate and illegitimate emails can improve detection, and continue the expansion of natural language understanding techniques and processes into information assurance and security applications.

Using social network data to track information and make decisions during a crisis

Student: David Hersh; Advisors: Julia Taylor, Victor Raskin

http://www.cerias.purdue.edu/assets/symposium/2014-posters/63B-A51.pdf

Social network use has dramatically increased in recent years, causing a surge in the amount of data people publicly share. Many share events of their lives on a daily basis, and get much of their news from social networks. So when a crisis occurs, such as a school shooting, many people in the affected area report what is going on through their social networks, allowing others to get firsthand accounts of the situation as it progresses. This information is often available before official information is, making it a valuable resource for anyone who needs to know the most up-to-date information on the crisis. In this research, we take the first steps toward the development of a system that extracts crisis information from social networking data in real time, allowing the system’s users to have a consistently up-to-date version of the situation.

Network Security

A Framework to Find Vulnerabilities Using State Characteristics in Transport Protocol Implementations

Sam Jero, Hyojeong Lee and Cristina Nita-Rotaru

http://www.cerias.purdue.edu/assets/symposium/2014-posters/0CA-1EC.pdf

We propose a platform for automatically finding attacks in transport protocol implementations. Our platform uses virtual machines connected with a network emulator to run unmodified target implementations, ensuring realism. We focus on attacks involving the manipulation or injection of protocol messages and build a framework to perform these basic malicious actions. To mitigate state-space explosion resulting from numerous combinations of malicious actions and protocol messages, we leverage protocol states. First, we build a state tracker that can infer the current state of the target system from message traces. Using the state tracker and a benign execution, we classify states based on observable characteristics. We then associate basic attack actions with characteristics of states and compose attack strategies based on this information. We monitor the effect of these attack strategies and determine which actions are effective for which states. We use this information to focus or prune our attack strategies for states with similar characteristics.

Divide & Recombine for Big Data Analysis for Cybersecurity – Application of DNS Blacklist Query Study

Ashrith Barthur, Dr. William S. Cleveland, John Gerth

http://www.cerias.purdue.edu/assets/symposium/2014-posters/1D1-D96.pdf

D&R (Divide & Recombine) is a statistical approach to big data that provides comprehensive, detailed analysis. This is achieved because almost any analytic method from machine learning, statistics, and visualization can be applied to the data at their finest level of granularity. D&R also enables feasible, practical computation because the computations are largely embarrassingly parallel. Our work has two core threads: (1) tailor the D&R environment to analyse big data in cybersecurity, and (2) apply this tailored environment to the Spamhaus traffic at the Stanford University mirror.

Policy, Law and Management

Confidentiality Guidelines for Cloud Storage

Joseph Beckman, Matthew Riedle, Hans Vargas

http://www.cerias.purdue.edu/assets/symposium/2014-posters/638-07D.pdf

As cloud computing is becoming more popular among average users, and even governments, the question arises of how secure the data stored in the cloud is. Guidelines have been established by FedRAMP that evaluate certain security protocols for cloud providers like Google Drive and Amazon Web Services. This project will examine the confidentiality and access control guidelines for Amazon’s S3 data storage, looking to see if they are sufficient for current and future markets.

Cyber 9/12 Student Challenge: Team Purdue Cyber Forensics

Rachel Sitarz, Eric Katz, Nick Sturgeon, & Jake Kambic

http://www.cerias.purdue.edu/assets/symposium/2014-posters/125-226.pdf

The four Purdue Cyber Forensics graduate students competed in the Cyber 9/12 Student Challenge. They were asked to take on the role of the Cyber Security Directorate of the National Security Staff. They had to create four policy response alternatives to a fictional major cyber incident that affected US national security. They were tasked with creating the four policies, then presenting the policies to experts in cyber security policy in Washington DC.

DC3 Digital Forensics Challenge

Will Ellis, Jake Kambic, Eric Katz, Sydney Liles

http://www.cerias.purdue.edu/assets/symposium/2014-posters/06E-C7C.pdf

This poster is designed to show the accomplishments of team or11–, winners of the 2013 Defense Cyber Crime Center’s Cyber Forensics Challenge. This is the largest and most prestigious cyber forensics competition in the world. Going up against over 1,200 competing teams, Purdue’s team took 1st place in the US and global graduate divisions.

Implementing Bayesian Statistics from an Analysis of Competing Hypothesis Framework

Brian Curnett and Samuel Liles

http://www.cerias.purdue.edu/assets/symposium/2014-posters/423-BAF.pdf

The Analysis of Competing Hypotheses system is a decision analysis tool developed by the intelligence community to aid analysts in decision making. It was first developed by Richards J. Heuer to help analysts keep their biases in check when making important decisions. This system’s effectiveness can be furthered to counter forms of deception and cultural bias by implementing a Bayesian Belief Network and by quantifying cultural trends.

Netherlands’ Cyber Capabilities

Hans Vargas

http://www.cerias.purdue.edu/assets/symposium/2014-posters/5C4-B69.pdf

The purpose of this study was to perform an OSINT analysis of the Netherlands’ capabilities to protect itself from cyber-attacks. A list of all possible and typical actors was identified, as they represent different levels of threat to this nation; the table at the left explains in detail who those actors are, what their intentions might be, the level of expertise they are expected to have, and finally the more likely targets that they might attack. The Netherlands has a population of close to 18 million people with an estimated GDP of 696 billion USD and a per capita GDP of 41,000 USD, which rank 23rd and 12th in the world respectively. It comes as no surprise that its ICT rank is also high, occupying 7th place in the world as of 2012.

Saudi Arabian Policy on Cyber Capabilities

Brian Curnett and Samuel Liles

http://www.cerias.purdue.edu/assets/symposium/2014-posters/736-4CD.pdf

Saudi Arabia is a major player in the arena of world politics. However, it is only a fledgling nation in the cyber arena and is still trying to bring itself into the modern era. It is the Saudi Arabian policy of replacing cyber security with cyber censorship which led to the vulnerabilities that exposed the nation’s oil industry to attack. As a compensatory mechanism, it relies on foreign nations’ contractors to solve technical problems rather than developing a domestic knowledge base. This has made the nation of Saudi Arabia more vulnerable in the long term.

South Korea ICT Index Leader Cyber Assessments

Faisal Alaskandrani, Dr. Samuel Liles

http://www.cerias.purdue.edu/assets/symposium/2014-posters/889-AE7.pdf

Did South Korea neglect the security aspect while developing its telecommunication infrastructure?

Technological Impact of Criminal Enterprises: The Impact of Cloud Computing

Rachel Sitarz, Sam Liles

http://www.cerias.purdue.edu/assets/symposium/2014-posters/C58-160.pdf

Cloud computing is an abstract term, which is often difficult for people to understand, yet most are moving to the cloud to store data. Criminal organizations are also utilizing the cloud for data storage, transmission, and communications, which led to the research question: how are current criminal organizations structuring their criminal enterprises, and how does technology impact the structure? The current project is exploratory, making a comparison of current criminal organizations with historical groups, and maintains that those groups that are utilizing the cloud are no different from historical criminals. They simply are utilizing a new medium to facilitate their criminal activity. Criminal organizations have typically maintained a hierarchical and organizational structure. With the developments of technology, such as the cloud, groups are continuing to maintain enterprise structure, but allowing for geographically disparate transmission of data. This also leads to the potential problem of remote destruction of evidence when law enforcement executes searches on a party or parties within the organization. Criminals have taken to the technological advancements for many reasons, such as the anonymity factor, the expertise needed by law enforcement to apprehend criminals, and the ease of access. Technological advancements are often taken for granted, but are something that needs to be considered in the apprehension of criminals and the combating of criminal activity.

The Efficacy of Case Studies for Teaching Policy in Engineering and Technology Courses

Rylan Chong, Dr. Melissa Dark, Dr. Ida Ngambeki, and Dr. Dennis Depew

http://www.cerias.purdue.edu/assets/symposium/2014-posters/A5D-F63.pdf

Public policy is an increasingly important topic in the engineering and technology curriculum as it has been recognized by a community of experts, National Research Council of the National Academies (NRCNA), Accreditation Board for Engineering and Technology (ABET), American Association for the Advancement of Science (AAAS), and the National Academy of Engineering (NAE). The purpose of this study was to extend the work of Chong, Depew, Ngambeki, and Dark “Teaching social topics in engineering: The case of energy policy and social goals” by exploring a method to introduce public policy using a case study approach to undergraduate engineering technology students in the engineering economics course in the College of Technology at Purdue University. The substantive contribution of this study addressed the following questions: 1) did the students understand and identify the policy context, 2) how effective was the use of case studies to introduce the students to policy, and 3) areas of improvement to enhance efficacy of the case studies to introduce students to policy?

The Impact of University Provided Nurse Electronic Medical Record (EMR) Training on Hospital Provider Systems: A Computer Simulation Approach

James Anderson, Elizabeth Borycki, Andre Kushniruk, Shannon Malovec, Angela Espejo, Marilyn Anderson

http://www.cerias.purdue.edu/assets/symposium/2014-posters/67A-535.pdf

Hospitals lose valuable productivity when nurses are off the unit for electronic medical record system (EMR) training. Universities lose valuable clinical training hours when students are required to learn various EMR systems at clinical sites during clinical rotations. Centralizing EMR training within the university classroom curriculum could provide the hospital with trained new hires while preserving student clinical time for bedside care. Through this study we investigated the cumulative influence of integrating EMR training in the nursing classroom curriculum on hospital nurse time away from caregiving and the number of EMR-trained nurses. A computer simulation model was specified using the STELLA program. The model simulated once-a-year hiring of nurses over a 4-year period for a total of 500 new hires. The model predicted the number of new hires that need EMR training, the number of new hires that arrive trained by the University, and the time away from caregiving to train new hires as a function of changes in the University curriculum to include EMR training. Findings indicate that the efficiency of clinical training can potentially be improved by centralizing EMR training within the nursing curriculum. Integrating EMR training in the nursing classroom curriculum potentially results in more available time for nurse bedside care and reduced cost in health organization training of new nurses. Further investigation is needed to assess the cost impact of curricular integration.

The Irish Economy’s Vulnerability to Cyber Conflict

Courtney Falk

http://www.cerias.purdue.edu/assets/symposium/2014-posters/68A-4A1.pdf

Information technology comprises a quarter of Ireland’s GDP. This project aims to answer the question of whether or not the Irish government is adequately prepared to protect this vulnerable sector of their economy.

Threats, Vulnerabilities, and Security Controls in Cloud Computing

Hans Vargas, Temitope Toriola

http://www.cerias.purdue.edu/assets/symposium/2014-posters/47D-18C.pdf

In cloud computing, information is not stored on your personal computer; it is stored in the cloud. The cloud is a metaphor for the Internet. The cloud can be accessed by any computer anywhere in the world, including devices such as cell phones and Kindles. Personal computers have limited space and often run out of resources; the equipment cannot keep up with the demand and the service slows down. The cloud can do anything; it has no limits. The cloud takes the work off of one computer and puts the software into one database that many people can access at once from different computers. However, there is risk in using cloud computing. Unauthorized people such as hackers may be able to get to your data as well. Cloud providers are companies that host cloud services and are in charge of protecting your data. They use many methods to protect your data in the cloud and keep it from hackers. This research investigates cloud providers to see if they are protecting cloud data as they claim to be.

Prevention, Detection and Response

A Critical Look at Steganographic Investigations

Michael Burgess

http://www.cerias.purdue.edu/assets/symposium/2014-posters/6DA-2BF.pdf

Steganography, the practice of hiding information in plain sight, has been a threat for hundreds of years in different media. In today’s world, hiding files and information digitally inside of images, audio, programs, and almost any other file type could pose a very real danger when two individuals are communicating without anyone knowing they are doing so. Researcher Michael Burgess designed a process and made a tool that takes any file and injects (and extracts) it inside of any mono wave file, as long as the wave file is approximately double the size of the target hidden file. The resulting file has the same size and properties as the original wave file, and no difference can be heard by the human ear. In addition, all current anti-stego tools have a difficult time detecting that anything is hidden. With a tool as simple as this being able to pass by detection, steganographic investigations need to be taken much more seriously, and should include more discovery of these tools rather than of the hidden files themselves.

Analysis of Cyberattacks on UASs in Simulation

Scott Yantek, James Goppert, Nandagopal Sathyamoorthy, Inseok Hwang

http://www.cerias.purdue.edu/assets/symposium/2014-posters/60D-1F6.pdf

Unmanned aerial systems (UASs) have attained widespread use in military and research applications, and with recent court rulings their commercial use is rapidly expanding. Because of their dependence on computer systems, their high degree of autonomy, and the danger posed by a loss of vehicle control, it is critical that the proliferation of UASs be accompanied by a thorough analysis of their vulnerabilities to cyberattack. We approach the issue from a controls perspective, assuming the attacker has already gained some amount of control over the system. We then investigate vulnerabilities to certain types of attacks.

Communications, Information, and Cybersecurity in Systems-of-Systems

Cesare Guariniello, Dr. Daniel DeLaurentis

http://www.cerias.purdue.edu/assets/symposium/2014-posters/762-07D.pdf

The analysis of risks associated with communications and information security for a system-of-systems is a challenging endeavor. This difficulty is due to the interdependencies that exist in the communication and operational dimensions of the system-of-systems network, where disruptions on nodes and links can give rise to cascading failure modes. In this research, we propose the application of a functional dependency analysis tool as a means of analyzing system-of-systems operational and communication architectures. The goal of this research is to quantify the impact of attacks on communications and information flows on the operability of the component systems, and to evaluate and compare different architectures with respect to their robustness and resilience following an attack. The model accounts for partial capabilities and partial degradation. By comparing architectures based on their sensitivity to attacks, the method can be used to guide decisions both in architecting the system-of-systems and in planning updates and modifications, accounting for the criticality of nodes and links to the robustness of the system-of-systems. Synthetic examples show conceptual application of the method.

Distributed Fault Detection and Isolation for Kalman Consensus Filter

Kartavya Neema, Daniel DeLaurentis

http://www.cerias.purdue.edu/assets/symposium/2014-posters/5B1-A88.pdf

This research deals with the problem of developing a distributed fault detection methodology for a recently developed distributed estimation algorithm called the Kalman Consensus Filter (KCF). We extended the residual covariance matching techniques developed for detecting faults in centralized Kalman filters and used them for distributed fault detection in the KCF. Faults arising from faulty sensor measurements are diagnosed and isolated from the system. Specifically, faults due to changes in sensor noise statistics and outliers in the sensor measurements are considered. We further develop a Robust Kalman Consensus Filter algorithm and demonstrate the effectiveness of the algorithm using simulation results.

End to End Security in Service Oriented Architecture

Mehdi Azarmi, Bharat Bhargava

http://www.cerias.purdue.edu/assets/symposium/2014-posters/AB0-BBB.pdf

With the explosion of web-based services and increasing popularity of cloud computing, Service-Oriented Architecture is becoming a key architectural style for the development of distributed applications. However, there are numerous security challenges in SOA that need to be addressed. In this poster, we discuss the key security challenges in SOA and propose two solutions. These solutions are: a framework for end to end policy monitoring and enforcement; and secure and adaptive service composition.

INSuRE — Information Security Research and Education

PI: Dr. Melissa Dark, CoPI: Brandeis Marshall, Project Team: Courtney Falk, L. Allison Roberts, Filipo Sharevski

http://www.cerias.purdue.edu/assets/symposium/2014-posters/B4D-540.pdf

The INSuRE project is an attempt to pilot and scale, and then again pilot and scale a sustainable research network that 1) connects institution-level resources, University enterprise systems, and national research networks; 2) enables more rapid discovery and recommendation of researchers, expertise, and resources; 3) supports the development of new collaborative science teams to address new or existing research challenges; 4) exposes and engages graduate students in research activity of national priority at participating institutions; 5) provides for the development and sharing of tools that support research, and, 6) facilitates evaluation of research, scholarly activity, and resources, especially over time.

Log-Centric Analytics for Advanced Persistent Threat Detection

Shiqing Ma, Xiangyu Zhang, Dongyan Xu

http://www.cerias.purdue.edu/assets/symposium/2014-posters/DC5-04B.pdf

Today’s enterprises face increasingly significant threats such as advanced persistent threats (APTs). Unfortunately, current cyber attack defense technologies are not catching up with the attack trends. Meanwhile, enterprises continue to generate large volumes of logs and traces at the system, application, and network levels, and these remain under-utilized in cyber attack detection. We present an integrated framework for advanced targeted attack detection. Our framework consists of two major components: LogIC (Log-based Investigation of Causality), a fine-grain system logging and causal analysis tool which enables high-accuracy causal analysis of the system logs generated by an individual machine, and LogAn (Log Analytics), a “Big Data” analyzer and correlator on end-system and network logs which enables advanced targeted attack detection by querying and correlating logs across machines in an enterprise. The key idea behind LogIC is to partition the execution of a long-running application process into multiple finer-grain “execution units” for high causal analysis accuracy, without application source code. The key idea behind LogAn is to leverage the single-host causal analysis results to detect an enterprise-wide APT via causal graph recognition and context correlation.

Making the Case of Digital Forensics Field Training for Parole Services

Chris Flory

http://www.cerias.purdue.edu/assets/symposium/2014-posters/F1A-504.pdf

The purpose of my research is to provide insight into the need for digital forensic field training for parole services. The current system utilized by most parole agencies is inefficient, costly, and disadvantageous to public safety. Basic forensic field training and digital equipment for parole agents could reduce arrest times, taxpayer costs, and increase public safety.

Periodic Mobile Forensics

Eric Katz

http://www.cerias.purdue.edu/assets/symposium/2014-posters/137-661.pdf

Android devices are becoming more pervasive. Currently there are few enterprise methods to identify and measure malicious user and application behavior in order to detect when a compromise has occurred. Research being conducted at MITRE in conjunction with Purdue is looking at over the air (OTA) methods to determine when a phone has been compromised and how it can best be detected.

Robust Hybrid Controller Design: Cyber Attack Mitigation Strategy for Cyber-Physical Systems

Cheolhyeon Kwon and Inseok Hwang

http://www.cerias.purdue.edu/assets/symposium/2014-posters/531-FF5.pdf

This paper considers the controller design for Cyber-Physical Systems (CPSs) that is robust to various types of cyber attacks. While previous studies have investigated secure control by assuming a specific type of attack strategy, in this paper we propose a hybrid robust control scheme that contains multiple sub-controllers, each matched to a different type of cyber attack. The system can then adapt to various cyber attacks (including those that are not assumed in the sub-controller design) by switching its sub-controllers to achieve the best performance. We propose a method for designing the secure switching logic to counter all possible cyber attacks and mathematically verify the system’s performance and stability as well. The performance of the proposed control scheme is demonstrated by an example of the hybrid H2 – H∞ controller applied to a CPS subject to cyber attacks.

Text-based Approaches to Detect Phishing Attacks

Gilchan Park, Lauren Stuart, Julia M. Taylor, Victor Raskin

http://www.cerias.purdue.edu/assets/symposium/2014-posters/410-0E0.pdf

The purpose of the first research is to report on an experiment in text-based phishing detection. The developed algorithm builds on previously published work on the so-called PhishNet-NLP, a content-based phishing detection system. In particular, this research aims to analyze the keywords that lead users to take some action in email texts. The algorithm produced considerable results in filtering out malicious emails (TPR); however, the rate of text falsely identified as phishing (FPR) needed to be addressed. To solve the FPR problem, a tradeoff between TPR and FPR was performed to reduce the FPR while minimizing the decrease in phishing detection accuracy. The second research’s aim is to compare the results of computer and human ability to detect phishing attempts. Two series of experiments were conducted, one for machines and the other for humans, using the same dataset, and both were asked to categorize the emails as phishing or legitimate. The results prove that machine and human subjects differ in their classification of phishing emails. This comparison suggests that the human intelligence needed to detect some types of phishing emails that the machine could not recognize needs to be semantically computerized so as to ameliorate the machine’s phishing detection ability.

The Case of Using Negative (Deceiving) Information in Data Protection

Mohammed Almeshekah, Mikhail Atallah and Eugene Spafford

http://www.cerias.purdue.edu/assets/symposium/2014-posters/822-479.pdf

In this paper we develop a novel taxonomy of methods and techniques that can be used to protect digital information. We explore complex relationships among these protection techniques, grouped into four categories. We present an analysis of these relationships and discuss how they can be applied at different scales within organizations. We map these protection techniques against the cyber kill-chain model and discuss some findings. Moreover, we identify the use of deceit as a useful protection technique that can significantly enhance the security of computer systems. We posit how the well-known Kerckhoffs’s principle has been misinterpreted to drive the security community away from deception-based mechanisms. We examine the advantages these techniques can have when protecting our information in addition to traditional methods of denial and hardening. We show that by intelligently introducing deceit in information systems, we not only lead attackers astray, but also give organizations the ability to detect leakage; create doubt and uncertainty in leaked data; add risk on the adversaries’ side to using the leaked information; and significantly enhance our ability to attribute adversaries. We discuss how to overcome some of the challenges that hinder the adoption of deception-based techniques.

CERIAS Security Symposium 24 & 25 March 2015


Cybersecurity discussions have moved from the server room, to the board room, to the talking heads of the media — but all this newfound mass awareness has not translated into being more secure. Major intrusions are now commonplace and a “standard operating procedure” within many industries. Join us for the 16th Annual CERIAS Security Symposium as we examine the current state and emerging trends in information assurance and security, and share some of the breaking research addressing the new landscape. Topical keynotes from government and industry, and in-depth panel discussions addressing current trends and needs, will highlight the two-day event. CERIAS research will be highlighted in faculty technical talks and poster sessions.


Videos

Invited Talk: Sam Curry, Arbor Networks

  • Eugene Spafford, Executive Director CERIAS, Purdue University
  • Debasish (Deba) Dutta, Provost – Purdue University
  • Sam Curry, CTO and CSO, Arbor Networks

Security Fireside Chat

  • Eugene Spafford, Executive Director at CERIAS
  • Sam Curry
  • John Walsh – President Sypris Electronics
  • Dave Toomey – AVP Cyber Business at SRC

CERIAS Program Overview: INSuRE, Melissa Dark

  • Melissa Dark, W.C. Furnas Professor in the College of Technology, Purdue University

Panel Discussion: Advanced Persistent Gullibility

  • Barrett Caldwell, Professor of Industrial Engineering, Purdue University
  • Ellen Powers, MITRE
  • Howard Sypher, Professor; Faculty Fellow, Purdue University, Brian Lamb School of Communication
  • David White, Senior Manager, Computer Security R&D, Sandia National Laboratories
  • Hongxia Jin, Senior Director, Advanced Technology Lab, Samsung Research America

CERIAS TechTalk: Vijay Raghunathan, Purdue University

  • Vijay Raghunathan, Associate Professor of Electrical and Computer Engineering

Invited Talk: Deborah Frincke, Director of Research, NSA/CSS

  • Deborah Frincke, Director of Research, NSA/CSS

CERIAS Awards: Pillar, Diamond and Poster Awards

  • Eugene Spafford, Executive Director, CERIAS, Purdue University

CERIAS Program Overview: CERIAS / Sypris Cyber Range

  • Joel Rasmus, Director of Strategic Relations, CERIAS
  • Scott Peters, Sypris Electronics

Michelle Finneran Dennedy, McAfee/Intel Security

  • Michelle Finneran Dennedy, VP and CPO McAfee/Intel Security

Download (for free!) Michelle Finneran Dennedy’s book “The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value”

Google Play

iTunes – Books

Barnes & Noble

Panel Discussion: Financial Sector Security

  • Sarath Geethakumar, Senior Director of Mobile & Product Security, Visa Inc
  • Jackie Rees Ulmer, Associate Professor, Management Information Systems, Purdue University
  • Ralph Spencer Poore, PCIP, CFE, CISA, CISSP, CHS-III, Director, Emerging Standards at PCI Security Standards Council
  • Blake Self, Principal Security Architect, US Bank

Firewall Policy Language and Complexity

  • CERIAS TechTalk: Ninghui Li, Professor of Computer Science, Purdue University

Trustworthy Data from Untrusted Services

  • Sunil Prabhakar, Professor and Department Head, Dept. of Computer Science, Purdue University

Indiana – Information Sharing and Analysis Center

  • CERIAS Program Overview: Indiana ISAC, Hans Vargas, CERIAS Alumnus

Closing Comments

  • Eugene Spafford, Executive Director, CERIAS, Purdue University


Posters & Presentations 2015

Assured Identity and Privacy

A Taxonomy of Privacy-protecting Tools to Browse the World Wide Web

Kelley Misata, Raymond Hansen, Baigan Yang

http://www.cerias.purdue.edu/assets/symposium/2015-posters/1AE-1EA.pdf

There is a growing public concern regarding big data and intelligence surveillance of unsuspecting Internet users, and an increase in public conversation around what privacy really means in the digital realm. Although technologies have been developed to help the general public protect their privacy, average users find the tools complex and difficult to decipher. This research aims to weed through some of these complexities by reviewing 6 publicly recognized technologies promoted to help users protect their privacy while browsing the web. The scope will be broad in order to touch on the important aspects of each technology, including its promises, privacy realities, technical construction, ease of use, and the drawbacks average users should be aware of before using it.

Data Spillage in Hadoop Clusters

Joe Beckman, Tosin Alabi, Dheeraj Gurugubelli

http://www.cerias.purdue.edu/assets/symposium/2015-posters/8A5-562.pdf

Data spillage is the undesired transfer of classified information onto an unauthorized compute node or memory medium. The loss of control over sensitive and protected data can become a serious threat to business operations and national security (NSA Mitigation Group, 2012). We seek to understand whether classified data leaked, by user error, into an unauthorized Hadoop Distributed File System (HDFS) can be located, recovered, and removed completely from the server.

Deception in Computing – Where and how it has been used

Jeffrey Avery, Chris Guterriez, Mohammed Almeshekah, Saurabh Bagchi, Eugene H. Spafford

http://www.cerias.purdue.edu/assets/symposium/2015-posters/494-E03.pdf

Deception is defined as “presenting an altered view of reality” and has been used by mankind for thousands of years to influence others’ behavior and decision making. More recently, deception has also been applied to computing in a variety of areas, such as human-computer interaction and digital communities. This work surveys different areas of computing to determine where and how they use deception. One area we study in particular is how deception is applied to security practices. This work also shows that while security is a growing field, deceptive practices have not been as readily adopted to improve defense.

FIDO Password Replacement: Spoofing a Samsung Galaxy S5 and PayPal Account Using a Latent Fake Fingerprint

Rylan Chong, Chris Flory, Jim Lerums, David Long, Prof Melissa Dark, and Prof Chris Foreman

http://www.cerias.purdue.edu/assets/symposium/2015-posters/1A8-BC8.pdf

Fingerprints are the most common biometric means of authentication. This project was to determine if the Samsung Galaxy S5 and PayPal FIDO Ready implementation was vulnerable to latent fake fingerprint spoofing using Brown’s (1990) and Smith’s (2014) approaches. Latent fake fingerprints could allow an illegitimate user access to secure information.

INSuRE

Melissa Dark

http://www.cerias.purdue.edu/assets/symposium/2015-posters/CF2-F2E.pdf

The INSuRE project is an attempt to pilot and scale a sustainable research network that: 1. Connects institution-level resources, University enterprise systems, and national research networks; 2. Enables more rapid discovery and recommendation of researchers, expertise, and resources; 3. Supports development of new collaborative science teams addressing new or existing research challenges; 4. Exposes and engages graduate students in research activity of national priority at participating institutions; 5. Provides development and sharing of tools that support research, and, 6. Facilitates evaluation of research, scholarly activity, and resources, especially over time.

Malware in Medical Devices

Susan Fowler

http://www.cerias.purdue.edu/assets/symposium/2015-posters/B6D-644.pdf

Health care facilities are increasingly adopting computers and medical devices into patient care regimens and therapies. Medical devices have evolved to become popular for many purposes, including prolonged managed care and implantable medical devices (IMDs). Wireless communications are becoming popular for these IMDs as well as for networking medical devices in a clinical setting. Along with these progressions in technology, security and privacy must be considered to ensure patient privacy and safety. Malware can be introduced in many of the same ways traditional computer systems suffer compromises, with wireless technology compounding these vulnerabilities. Regulations and practices must recognize these threats to the security, availability and privacy of both health care entities and patients.

Keywords: Medical device, malware, information security

Monitoring DBMS Activity for Detecting Data Exfiltration by Insiders

Elisa Bertino, Lorenzo Bossi, Syed Rafiul Hussain, Asmaa Sallam

http://www.cerias.purdue.edu/assets/symposium/2015-posters/C52-5A9.pdf

Data represents one of the most important assets of an organization. The undesired release (exfiltration) of sensitive or proprietary data outside of the organization is one of the most severe threats of insider cyber-attacks. A malicious insider who has the proper credentials to access organizational databases may, over time, send data outside the organization’s network through a variety of channels, such as email, file transfer, web uploads, or specialized HTTP requests that encapsulate the data. Existing security tools for detecting cyber-attacks focus on protecting the boundary between the organization and the outside world. While such tools may be effective in protecting an organization from external attacks, they are less suitable if the data is being transmitted from inside the organization to the outside by an insider who has the proper credentials to access, retrieve, and transmit data. The “Monitoring DBMS Activity for Detecting Data Exfiltration by Insiders” (MDBMS) project is a research effort developing mechanisms to detect and counter efforts on the part of insiders to extract and exfiltrate sensitive data from government and enterprises.

Privacy-Enhancing Features of Identidroid

Daniele Midi, Oyindamola Oluwatimi, Bilal Shebaro, Elisa Bertino

http://www.cerias.purdue.edu/assets/symposium/2015-posters/65B-48E.pdf

As privacy today is a major concern for mobile systems, network anonymizers are widely available on smartphone systems such as Android. However, in many cases applications are still able to identify the user and the device by means other than the IP address. Our work provides two solutions that address this problem by providing application-level anonymity. The first solution shadows sensitive data that can reveal the user’s identity. The second solution dynamically revokes Android application permissions associated with sensitive information at run-time. In addition, both solutions offer protection from applications that identify their users through traces left in the application’s data storage or by exchanging identifying data messages. We developed IdentiDroid, a customized Android operating system, to deploy these solutions, and built IdentiDroid Profile Manager, a profile-based configuration tool for setting different configurations for each installed Android application.

Private Information Retrieval

Michael Kouremetis, Craig West

http://www.cerias.purdue.edu/assets/symposium/2015-posters/C67-802.pdf

Private Information Retrieval (PIR) is an important subject in the field of Information Retrieval. PIR allows two parties to communicate without revealing the information to one of the parties. The goal of our project is to implement a Private Information Retrieval proof of concept utilizing a robust protocol by I. Goldberg (Goldberg’s Protocol). By implementing a proof of concept we will look at the underlying structures and cryptographic protocols used in Private Information Retrieval. With a greater understanding of Private Information Retrieval and its underlying protocols, we would potentially be able to help develop systems that need certain privacy-based queries, an extension beyond just index retrieval.

The Deep Web: An Exploratory Study of Social Networks

Rachel Sitarz and Kelly Cole

http://www.cerias.purdue.edu/assets/symposium/2015-posters/89B-BFD.pdf

The purpose of the current study was to investigate the reasons one would use an anonymous .onion social network. The current study surveyed users on various Tor social networks (n=200) through the use of an unstructured, open-ended questionnaire. Data was analyzed using a Thematic Analysis method. The top 5 themes and demographics were recorded and presented below.

End System Security

Car Hacking: Determining the Relative Risk of Vehicle Compromise

David Hersh

http://www.cerias.purdue.edu/assets/symposium/2015-posters/D27-C0C.pdf

In recent years, cars have gone through a technological renaissance, with each generation containing more features than the previous one. One of the features becoming increasingly common is built-in wireless connectivity, such as Bluetooth, Wi-Fi and 3G. While this added functionality is beneficial to the consumer, it opens up a new avenue of attack for hackers and criminals. But unlike a personal computer, if a car is hacked, the potential negative consequences are much higher. If an adversary can wirelessly exploit a car, they may be able to eavesdrop on conversations, turn off warning lights, and even control brakes and steering. Although multiple groups of researchers have shown that there are major security problems in common consumer vehicles, there is little experimental research on vehicle security. To encourage further research in this area, this work introduces a methodology for assessing the relative risk level of a vehicle (i.e., the risk associated with adding specific features to a vehicle and how they’re implemented).

Data Confidentiality and Integrity

Scott Carr, Mathias Payer

http://www.cerias.purdue.edu/assets/symposium/2015-posters/212-C85.pdf

The root cause of most security vulnerabilities is memory corruption. Previous research focused on preventing the memory corruptions attackers use to change the program’s intended control flow. As these protections become more refined and widely deployed, attackers will resort to non-control-data attacks. Non-control-data attacks do not divert the intended control flow, but simply read or write data in unintended ways by abusing a temporal or spatial memory safety error or a type error. A recent example of this is the Heartbleed bug, where a buffer overflow allows an attacker to read the server’s private key. This example shows that non-control-data attacks can be just as damaging as control-flow hijack attacks. Data Confidentiality and Integrity (DCI) augments the C programming language with a small set of annotations which allow the programmer to select protected data types. The compiler and runtime system prevent illegal reads and writes to variables of these types. The programmer selects types that contain information such as password lists, cryptographic keys, or identification tokens. Allowing the programmer to choose the protected data reduces overhead. Total memory protection mechanisms have been proposed, but have not been widely adopted due to prohibitively high overhead. With DCI, the programmer can specify the subset of security-critical data and only pay the protection overhead cost for that subset, rather than for all the data in the program. Our prototype shows the practicality of our approach. It effectively protects benchmarks and large programs.

PD3: Policy–based Distributed Data Dissemination

Rohit Ranchal, Denis Ulybyshev, Pelin Angin, Bharat Bhargava

http://www.cerias.purdue.edu/assets/symposium/2015-posters/A61-FBE.pdf

Modern distributed systems (such as composite web services, cloud solutions) comprise a number of hosts, which collaborate, interact and share data. One of the main requirements of these systems is policy-based distributed data dissemination (PD3). In the PD3 problem, the data owner wants to share data with a set of hosts. Each host is only authorized to access a subset of data. The data owner can directly interact only with a subset of hosts and relies on these hosts to disseminate data to other hosts. In order to ensure correct delivery of appropriate data to each host, it is necessary that each host shares the entire data even though the hosts are only authorized for a certain subset of data. We provide a formal description of the problem and propose a data-centric approach to address PD3. The approach enables policy-based secure data dissemination and protects data throughout their lifecycle. It is independent of trusted third parties, does not require source availability and has the ability to operate in unknown environments. The approach is demonstrated through its application to composite web services.

SNIPE: Signature Generation for Phishing Emails

Jeff Avery, Christopher Gutierrez, Paul Wood, Raffaele Della Corte, Jon Fulkerson Gaspar Modelo-Howard, Brian Berndt, Keith McDermott, Saurabh Bagchi, Dan Goldwasser, Marcello Cinque

http://www.cerias.purdue.edu/assets/symposium/2015-posters/79F-4F7.pdf

Phishing attacks continue to pose a major headache for defenders of computing systems, often forming the first step in a multi-stage attack. There have been great strides made in phishing detection and email servers have gotten good at flagging potential phishing messages. However, some insidious kinds of phishing messages appear to pass through filters by making seemingly simple structural and semantic changes to the messages. We tackle this problem in this paper, through the use of machine learning algorithms operating on a large corpus of phishing messages and legitimate messages. By understanding common phishing features, we design a system to extract features and extrapolate out values of such features. The algorithms are specialized for phishing detection, such as the use of synonyms or change in sentence structure. The insights and algorithms are instantiated in a system called SNIPE (Signature geNeratIon for Phishing Emails). To evaluate SNIPE, we collect the largest known corpus of phishing messages (used in any publicly known study) from the central IT organization at a tier-1 research university. We run SNIPE on the dataset and it exposes some hitherto unknown insights about phishing campaigns directed at university users. SNIPE is able to detect 100% of phishing messages that had eluded our production deployment of Sophos, a state-of-the-art email filtering tool today.

Human Centric Security

Improving the Biometric Data Collection Process through Six Sigma

Rylan C. Chong, T. Grant Goe, Dr. Chad Laux

http://www.cerias.purdue.edu/assets/symposium/2015-posters/1F1-36B.pdf

Since Six Sigma’s applications have been maturing and expanding into other industries, can Six Sigma be applied to the biometric industry? An area Six Sigma could be applied to is the process of improving the quality of data collection. An example utilized to discuss Six Sigma application was through a case study approach using Brockly’s study (2013). Brockly’s study investigated what effect biometric multimodal data collection procedures and the test administrators had on the quality of data collected.

Information Alignment and Visualization for Security Operations Center Teams

Omar Eldardiry, Mallorie Bradlau, Barrett Caldwell

http://www.cerias.purdue.edu/assets/symposium/2015-posters/2DA-870.pdf

The development of cyber network operations centers (NOC) has created new needs to support human sensemaking via improved information alignment and visualization. This poster focuses on information needs and gaps involving network operations centers (NOCs) and security operations centers (SOCs) analyst personnel. Our goal is to enhance analyst sensemaking and usability of tools to assist security analysts in monitoring, managing and protecting their networks from suspicious activities. This project has proceeded in several stages. Based on previous interview findings, an in-depth investigation and job shadowing was conducted with different SOC teams. The findings highlighted three promising areas of improvement for NOC and SOC tools to improve network operations sensemaking, team performance, and organizational information alignment.

Meaning-Based Machine Learning

Courtney Falk, Lauren Stuart

http://www.cerias.purdue.edu/assets/symposium/2015-posters/B24-2EA.pdf

Meaning-Based Machine Learning (MBML) is a research program intended to show how training machine learning (ML) algorithms on meaningful data produces more accurate results than that of using unstructured data.

Natural Language IAS: Style Metrics from Semantic Analysis

Lauren M. Stuart, Julia M. Taylor, Victor Raskin

http://www.cerias.purdue.edu/assets/symposium/2015-posters/F99-DDB.pdf

Stylometry is the quantification of author style such that authorship of a text can be posited, verified, or obfuscated. Style features currently in use capture the surface features of texts (such as punctuation use, misspellings, words or parts of words, and morphology), but some qualities of author style may be better captured by, or in conjunction with, meaning-based features. This poster outlines ongoing work in positing and evaluating author style quantification using meaning representation structures.

Password Coping Mechanisms

Austin Klasa, Dr. Melissa Dark

http://www.cerias.purdue.edu/assets/symposium/2015-posters/2D3-257.pdf

Passwords are the most common means of authenticating users, and the number of passwords a user must remember is increasing. This leads to the need to classify and study password coping mechanisms. This research project is a literature review and analysis of past research to classify password coping mechanisms and create a password coping mechanism taxonomy.

Network Security

A Visual Analytics based approach on identifying Server Redirections and Data Exfiltration

Weijie Wang, Baijian Yang, Yingjie Chen

http://www.cerias.purdue.edu/assets/symposium/2015-posters/180-154.pdf

How to better find potential cyber attacks is the billion-dollar question facing security researchers and practitioners. In recent years, visualization has been applied in the field of information technology, but most work has not been able to provide better results than non-visualization-based techniques. In this work, we innovatively designed a graphic-based system overview that can make suspicious activities related to server redirection attacks and data exfiltration easier to identify. Due to the nature of the problem, the overview design must be scalable, accurate, and fast. This demands that the system visualize data that can reveal security events rather than simply plotting the raw data. The approach adopted in this work is to visualize aggregated traffic characteristics. The system is evaluated with the test data sets from VAST 2013 mini-challenge 3. The results are very encouraging and shed more positive light on applying visual analytics in information security.

Evaluating Public Cloud Providers

Courtney Falk

http://www.cerias.purdue.edu/assets/symposium/2015-posters/5DD-E79.pdf

Security for public cloud providers is an ongoing concern. Programs like FedRAMP look to certify a minimum level of compliance. This project aims to build a tool to help decision makers compare different clouds solutions and weigh the risks against their own organizational needs.

Fast and Scalable Authentication for Vehicular Internet of Things

Ankush Singla, Anand Mudgeri, Ioannis Papapanagiotou, Atilla Yavuz

http://www.cerias.purdue.edu/assets/symposium/2015-posters/B37-A94.pdf

Modern vehicles are being equipped with advanced sensing and communication technologies, which enable them to support innovative services in the Internet of Vehicles (IoV) era such as autonomous driving. These services can be effective through the spatial and temporal synchronization of the vehicle with the other entities in the environment. Hence, the communication in IoVs must be delay-aware, reliable, scalable and secure to (a) prevent an attacker from injecting/manipulating messages; (b) minimize the impact (e.g., delay, communication overhead) introduced by crypto operations. For instance, consider a group of vehicles driving on a highway at high speed. Once a vehicle brakes suddenly, this is broadcast to other vehicles to avoid collision. If the delay introduced by the crypto operations negatively affects the braking distance, then a car may not be able to stop in time. The current vehicular communication standards mandate the use of Public Key Infrastructures (PKI) to protect critical messages. However, existing crypto mechanisms introduce significant computation and bandwidth overhead, which creates critical safety problems. It is a vital research problem to develop security mechanisms that can meet the requirements of emerging IoVs. The overall goal of this research is to develop a new suite of cryptographic mechanisms, supported with a time-valid framework and hardware acceleration, to ensure secure and reliable operation of IoVs. This project develops, analyzes and implements new authentication methods and then pushes the performance to the edge via cryptographic hardware acceleration.

Hardware to Virtual Firewall Migration Heuristic Rules

Ibrahim Waziri Jr

http://www.cerias.purdue.edu/assets/symposium/2015-posters/9AB-546.pdf

In this era of cloud computing, many data centers rely on a composite security framework consisting of hardware and virtual firewalls. Hardware firewalls are optimized for greater throughput while virtualized firewalls can only scale to match DoS attempts. To maximize the utility of each form factor, we developed an in-line firewall scheme with a variable filtering point. The primary filtering point changes between hardware and virtual firewalls based on real-time conditions. The architecture incorporates heuristic-based migration logic. To define the heuristics, a performance evaluation was conducted following two test scenarios: spike tests and endurance tests. Packet throughput was also assessed using JMeter. The results indicate that a threshold approach to filter-point migration maximizes network throughput while offering the insurance of on-demand scalability.

How Secure and Quick is QUIC? Provable Security and Performance Analyses

Robert Lychev, Samuel Jero, Alexandra Boldyreva, and Cristina Nita-Rotaru

http://www.cerias.purdue.edu/assets/symposium/2015-posters/D58-DCA.pdf

QUIC is a secure transport protocol developed by Google and implemented in Chrome in 2013, currently representing one of the most promising solutions to decreasing latency while intending to provide security properties similar to TLS. In this work we shed some light on QUIC’s strengths and weaknesses in terms of its provable security and performance guarantees in the presence of attackers. We introduce a security model for analyzing performance-driven protocols like QUIC and prove that QUIC satisfies our definition under reasonable assumptions on the protocol’s building blocks. Our analyses also reveal that with simple replay and manipulation attacks on some public parameters exchanged during the handshake, an adversary could easily prevent QUIC from achieving minimal latency by causing connection failure, probably resulting in fallback to TLS.

MIRROR: Automated Race Bug Detection for the Web via Network Events Replay

Sze Yiu Chau, Hyojeong Lee, Byungchan An, Julian Dolby and Cristina Nita-Rotaru

http://www.cerias.purdue.edu/assets/symposium/2015-posters/9FA-4B9.pdf

Many web applications are written in an asynchronous style, in which logic is triggered in response to network and user events. While this approach has performance benefits and can provide improved user experience, it also makes applications more error prone since the most used languages such as HTML and JavaScript do not provide any explicit support for concurrency control. We present MIRROR, a minimally-invasive race detector for client-side web applications which leverages recording and automated replaying of network events. Our tool uses a static approximation of happens-before ordering to automatically generate different testing scenarios by changing the order of these network events. Our tool is browser agnostic and can be used for both debugging and race finding as it does not require repeated interaction with the production server. We evaluate MIRROR using a benchmark of eight applications, where each captures a representative buggy coding pattern. Out of the eight applications, MIRROR was able to manifest and detect the bug for seven of them.

Network Forensics of Covert Channels in IPv6

Lourdes Gino D and Prof. Raymond A Hansen

http://www.cerias.purdue.edu/assets/symposium/2015-posters/961-F17.pdf

According to Craig H. Rowland, “A covert channel is described as any communication channel that can be exploited by a process to transfer information in a manner that violates the system’s security policy. Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information”. Covert channels in IPv4 have existed for a while and there have been various detection mechanisms. But the advent of IPv6 requires new research to identify covert channels and be able to perform forensics on such attacks. The current study aims at exploring the possibilities of performing forensics on such covert channels in IPv6.

Security Business Intelligence (SBI) Curriculum – Blazing the Trail

Kelley Misata, Dr. Marcus Rogers

http://www.cerias.purdue.edu/assets/symposium/2015-posters/346-6EE.pdf

The vision for this project was to create an undergraduate, multi-disciplinary security business intelligence (SBI) curriculum aimed at preparing students for the future of security business intelligence in enterprises. Students will navigate through basic processes, life cycles and data gathering and analysis tools in alignment with SBI critical in an organizational setting. Learning for this course will be conducted through lectures, lab based homework assignments, examinations and a presentation project.

Policy, Law and Management

Cyber Forensics: The Need For An Official Governing Body

Ibrahim Waziri Jr, Rachel Sitarz

http://www.cerias.purdue.edu/assets/symposium/2015-posters/595-B62.pdf

In this study we identified and addressed some of the key challenges in digital forensics. An intensive review was conducted of the major challenges that have already been identified. At the end, the findings proposed a solution and how having a standardized body that governs the digital forensics community could make a difference.

Digital Forensics in Law Enforcement: A Needs Based Analysis of Indiana Agencies

Teri Flory, Rachel Sitarz

http://www.cerias.purdue.edu/assets/symposium/2015-posters/369-D48.pdf

Many national needs assessments were conducted in the late 1990’s and early 2000’s by the Department of Justice and the National Institute of Justice, which all indicated that State and Local Law Enforcement did not have the training, tools, or staff to effectively conduct digital investigations (Institute for Security and Technology Studies [ISTS], 2002; National Institute of Justice [NIJ], 2004). Some of these needs assessments have also been conducted at a state level, but Indiana is not one of those states (Gogolin & Jones, 2010). Further, there are multiple training opportunities and publications that are available at no cost to state and local law enforcement, but it is not clear how many agencies use these resources (https://www.fletc.gov/state-local-tribal; https://www.ncfi.usss.gov). This pilot study will provide a more up-to-date and localized assessment of the ability of Indiana Law Enforcement Agencies to effectively investigate when a crime that involves digital evidence is alleged to have occurred.

U.S. Bank of Cyber

Danielle Crimmins, Courtney Falk, Susan Fowler, Caitlin Gravel, Michael Kouremetis, Erin Poremski, Rachel Sitarz Nick Sturgeon, Yulong Zhang and Dr. Sam Liles

http://www.cerias.purdue.edu/assets/symposium/2015-posters/EF2-253.pdf

The technical report looked at past cyber attacks on the United States financial industry for analysis on attack patterns by individuals, groups, and nation states to determine if the industry really is under attack. An analysis explored attack origination from individuals, groups, and/or nation states as well as type of attacks and any patterns seen. After gathering attacks and creation of a timeline, a taxonomy of attacks is then created from the analysis of attack data. A Strengths, Weakness, Opportunities, and Threats (S.W.O.T.) analysis is then applied to the case study Heartland Payment Systems.

Web Based Cyber Forensics Training

Nick Sturgeon and Dr. Marcus Rogers

http://www.cerias.purdue.edu/assets/symposium/2015-posters/4EC-8A2.pdf

There is a specific need for high availability, high quality and low cost training for Law Enforcement officers in the Cyber Forensics Domain.

What Lies Beneath? The Forensics of Online Dating

Dheeraj Gurugubelli, Lourdes Gino and Dr. Marcus K Rogers

http://www.cerias.purdue.edu/assets/symposium/2015-posters/440-484.pdf

If you are an overworked, 25-year-old professional, working around the clock, even dating websites can seem uninteresting and too time consuming. Thanks to the slide-, scroll- and swipe-based online dating smartphone apps, one can just scroll through pictures, and connect or pass on profiles with a swipe on a smartphone. Value-added features like geo-location based user filtering, college-based user matches, megaflirt and user-to-user messaging are available for a small premium subscription fee. This is exactly the phenomenon behind dating apps like Tinder, CoffeemeetsBagel, DateMySchool, Zoosk and many others. Such platforms that allow information storage and sharing open doors to cybercriminals, who prey on the users. This research aims to discover the digital evidence from such apps in smartphones.

Prevention, Detection and Response

A Tool For Interactive Visual Threat Analytics and Intelligence, based on OpenSOC Framework

Lourdes Gino D, Dheeraj Gurugubelli and Dr. Marcus Rogers

http://www.cerias.purdue.edu/assets/symposium/2015-posters/9E8-4EE.pdf

Cyber Threat Intelligence is a booming area in the field of Information Security that deals with aggregation, processing, evaluation and reporting of reliable information in real-time pertaining to threats posed on the cyber world that encompasses computers, smartphones, tablets and any device that’s connected to the Internet. The imminent need for threat intelligence is growing rapidly as the data flowing through the cyber world is growing gargantuan and as we are moving towards the Internet of Things where almost anything is connected to the Internet. Visual Threat Intelligence takes threat intelligence to the next step where the data is presented in a human-perceivable way so as to help in making right and quick decisions to avert the cyber threat. The OpenSOC framework provides a unified platform for ingest, storage and analytics. The purpose of this research is to build an open-source visual threat intelligence tool based on the OpenSOC framework built over the Hadoop framework.

Achieving a Cyber-Secure Smart Grid through Situation Aware Visual Analytics

Dheeraj Gurugubelli, Dr. Chris Foreman and Dr. David Ebert

http://www.cerias.purdue.edu/assets/symposium/2015-posters/BE7-5C6.pdf

Utilities face enormous pressure to streamline their operations and provide consumption information to the consumers for better energy management. Smart meters have been instrumental in achieving better energy management. But like any new deployment of technology, smart meters are prone to cyber attacks. Except, in this case they are part of the critical infrastructure of the nation. The goal of this project would be to leverage visual analytics for delivering near-to-real-time visual insights on smart meter data that will help make quicker decisions in times of a cyber response need. Cybersecurity of the Advanced Metering Infrastructure (AMI) continues to be one of the top research priorities in the industry right now. Securing the smart grid is about managing a continuum of risk across all the components in the grid within the right timeline. Performing analytics and making decisions based on large volumes of network data in real-time would boost the response time significantly. This research aims at visualizing network data obtained from processing the end-component profile data and network data from the AMI networks through a distributed data processing model.

Assessing Risk and Cyber Resiliency

Corey T. Holzer and James E. Merritt

http://www.cerias.purdue.edu/assets/symposium/2015-posters/4A5-418.pdf

The project is a review of existing risk assessment models and the newly created resiliency frameworks in order to assess how risk is being calculated and incorporated into cyber resiliency and to research the underlying assumptions that have been made in the forming of the current body of knowledge surrounding risk management and analysis in the field of cyber resilience. By comparing current quantitative and qualitative risk solutions we hope to identify any discrepancies, fallacies, or oversights that may have been worked into the current orthodoxy of cyber risk management. We intend to use these identified shortcomings to adapt and strengthen the current risk management process used to analyze risk in the field of cyber resilience.

Basic Dynamic Processes Analysis of Malware in Hypervisors: Type I & II

Ibrahim Waziri Jr

http://www.cerias.purdue.edu/assets/symposium/2015-posters/AAC-65E.pdf

This study compares, analyzes and studies the behavior of malware processes within both Type 1 & Type 2 virtualized environments. In order to achieve this we set up two different virtualized environments and thoroughly analyze each malware process’s behavior. The goal is to see if there is a difference between the behaviors of malware within the 2 different architectures. At the end we achieved a result and realized there is no significant difference in how malware processes run and behave on either virtualized environment. However our study is limited to basic analysis using basic tools. An advanced analysis with more sophisticated tools could prove otherwise.

ErsatzPasswords – Ending Password Cracking

Christopher N. Gutierrez, Mohammed H. Almeshekah, Mikhail J. Atallah, and Eugene H. Spafford

http://www.cerias.purdue.edu/assets/symposium/2015-posters/0D5-AED.pdf

In this work we present a simple, yet effective and practical, scheme to improve the security of stored password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or any client modifications. When using the scheme the structure of the hashed passwords file, /etc/shadow or /etc/master.passwd, will appear no different than in the traditional scheme. However, when an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords he will get are the ersatzpasswords — the “fake passwords”. When an attempt to login using these ersatzpasswords is detected an alarm will be triggered in the system that someone attempted to crack the password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

Increasing robustness and resilience: assessing disruptions and dependencies in analysis of System-of-Systems alternatives

Daniel Delaurentis, Karen Marais, Navindran Davendralingam, Zhemei Fang, Cesare Guariniello, Payuna Uday

http://www.cerias.purdue.edu/assets/symposium/2015-posters/46B-19D.pdf

This poster describes a multi-disciplinary effort, funded by the DoD’s Systems Engineering Research Center (SERC), towards establishing a System of Systems Analytic Workbench of computational tools to facilitate better-informed decision-making on SoS architectures. The work seeks to map relevant questions in system-of-systems architectural decisions to an appropriate set of quantitative methods that can provide analytical outputs to directly support decisions. Such an integrated approach is suitable to address the problem of increasing robustness and resilience in complex systems, with the goal of preventing or mitigating the effect of disruptions on the overall behavior of the system.

JagWarz Junior: Cyber Security for Young Adolescents

Jasmine Herbert, Rushabh Vyas, Connie Justice, Vicky Smith

http://www.cerias.purdue.edu/assets/symposium/2015-posters/2C8-2DF.pdf

Currently there are few methodologies for introducing cyber security to young adolescents. This area of research will examine the importance of teaching cyber security at an early age as well as the significance of introducing cyber security through the use of digital game-based learning. Within this study, cyber security will be taught to a sample of young adolescents through the use of a capture-the-flag style game, JagWaRz Junior. The effectiveness of JagWaRz Junior will be quantitatively measured through a pretest and posttest presented to the participants. Overall, this game will encompass ways to handle many of the risks that come with Internet usage at an early age. These risks include but are not limited to cyber bullying, pornography, online predators, personal privacy, and password protection. The results of this study will contribute to our understanding of the effectiveness of digital game-based pedagogic learning.

Malware Defense with Access Control Policy and Integrity Levels

Nicole Hands, Harish Kumaravel

http://www.cerias.purdue.edu/assets/symposium/2015-posters/128-25A.pdf

With the persistent threat of cyber attacks of many, ever-changing forms, the need for computer systems to have a comprehensive protection schema that can provide security against unknown, known, and polymorphic threats becomes apparent. Working under the premise that compromise is inevitable, the system should be able to detect that it has been compromised and respond in such a way that functionality degrades incrementally. This study represents a synthesis of multiple fields of research from integrity levels of operation to malware detection methods to access control policy. The system function of FTP will be used as a model and broken down into discrete computational units which will each be assigned attributes from which access control policy can be created. Upon change in the state of the attribute based on the premise that this change was caused by malware infection, the system would respond by lowering its integrity level, with processes continuing to function under modified rules. Preliminary work from the study will be presented.

Modeling Deception In Information Security As A Hypergame – A Primer

Christopher N. Gutierrez, Mohammed H. Almeshekah, Jeff Avery, Saurabh Bagchi, and Eugene H. Spafford

http://www.cerias.purdue.edu/assets/symposium/2015-posters/B4B-3D9.pdf

Hypergames are a branch of game theory to model and analyze game theoretic conflicts between multiple players who may have misconceptions of other players’ actions, preferences, and/or knowledge. They have been used to model military conflicts such as the Allied invasion of Normandy in 1945, the fall of France in WWII, the Cuban missile crisis, etc. Unlike traditional game theory models, hypergames give us the ability to model misperception that results from the use of deception, mimicry, and misinformation. There is little work that analyzes the use of deception as a strategic defensive mechanism in computing systems. This poster will present a hypergame model to analyze computer security conflicts. We discuss how hypergames can be used to model the interaction between adversaries and system defenders. We discuss a specific example where we model the interaction between adversaries, who wish to steal some confidential data from an enterprise, and security administrators, who protect the system. We show the advantages of incorporating deception as a defense mechanism as part of the hypergame model.

Risk Assessment in Layered Solutions

Christopher Martinez, Robert Haverkos

http://www.cerias.purdue.edu/assets/symposium/2015-posters/AB5-6F7.pdf

The transmission of classified (or highly sensitive) data requires a high degree of assurance. This project presents a meaningful method of combining risk assessments for individual security mechanisms into a risk assessment for the overall capability package (the layered solution).

Using Syntactic Features for Phishing Detection

Students: Gilchan Park / Advisor: Julia M. Taylor

http://www.cerias.purdue.edu/assets/symposium/2015-posters/4D4-975.pdf

The purpose of this research is to explore whether the syntactic structures and subjects and objects of verbs can be distinguishable features for phishing detection. To achieve the objective, we have conducted two series of experiments: the syntactic similarity for sentences, and the subject and object of verb comparison. The results of the experiments indicated that both features can be used for some verbs, but more work has to be done for others. The phishing corpora are comprised of old and up-to-date phishing emails, and the gap between them is over 10 years. To observe whether the patterns in phishing emails have changed over time with respect to subjects and objects of the verbs, we additionally compared the two phishing corpora. The results showed us that most subjects and objects were still identical, or similar from a semantic perspective.

Cyber Security Club Archive Presentations and Slides


Cyber Security Club Archive

from: http://www.isis.poly.edu/cyber-security-club and http://www.isis.poly.edu/cyber-security-club/archive

March 11, 2015 So you want to be a Hacker? Nick Freeman Notes RH 227
April 8, 2015 How to Score an Awesome Security Internship Emily Wicki Presentation RH 227
April 23, 2014 Rahil Parikh Presentation
April 16, 2014 Advanced Python Kevin Chung Presentation
April 2, 2014 Smashing the Ether for Fun and Profit iSEC Partners Presentation 
February 5, 2014 Intro to Web Pentesting Kevin Chung Presentation RH227
November 27, 2013 Finding Bugs for Profit and Fun Kevin Chung Presentation
November 20, 2013 Active Directory Nicholas Anderson Presentation
October 30, 2013 Physical Access Threats To Workstations Brad Antoniewicz Presentation
October 23, 2013 Keynote: Unsolved Problems in Computer Security Julian Cohen Presentation
September 18, 2013 How to play CSAW CTF Kevin Chung Presentation JAB 774
September 11, 2013 Intro to NFC Robert Portvliet Presentation JAB 774
April 24, 2013 Finding Bugs for Fun, Profit, and Cocaine Omar http://omar.li/ 
April 10, 2013 InfoSec Management Erik Cabetas Presentation 
March 13, 2013 Mobile Application Security Corey Benninger Presentation 
March 6, 2013 Building organizational policy that enhances security Sean Brooks Resources 
February 20, 2013 Malware Detection Ryan Van Antwerp Presentation 
December 5, 2012 Understanding Why Your Neighbor’s Wi-Fi is Vulnerable Kevin Chung Understanding Why Your Neighbor’s Wi-Fi is Vulnerable 
November 7, 2012 Clearing the Red Forest Michael Sikorski Clearing the Red Forest 
October 24, 2012 Passive Web Forensics: Monitoring, Logging and Analyzing Web Traffic with Net Sensor Boris Kochergin Passive Web Forensics 
October 3, 2012 IPv6 Security Invited Expert: Keith O’Brien, Cisco IPv6 Security 
September 19, 2012 Keynote: Raphael Mudge, Armitage Raphael Mudge, Armitage Armitage 
September 12, 2012 The Mobile Exploit Intelligence Project Dan Guido, Co-Founder and CEO, Trail of Bits The Mobile Exploit Intelligence Project 
April 11, 2012 Invited Expert: IPv6 Security Keith O’Brien IPv6 Security 
April 4, 2012 All About vtrace/Pin Phil Da Silva vtrace_internals 
March 28, 2012 Cross-Origin Resource Inclusion Julian Cohen Cross-Origin Resource Inclusion 
March 7, 2012 Keynote: The purpose of InfoSec is to support a business…O’RLY? YA’RLY! Erik Cabetas The Role of InfoSec in Business 
February 8, 2012 Introduction to x86 Julian Cohen Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration 
February 1, 2012 Greyhat Ruby: A Stephen Ridley Talk Luis Garcia Greyhat Ruby 
April 13, 2011 IPv6 Security Keith O’Brien IPv6 Security 
April 6, 2011 Applied Application Security Julian Cohen Applied Application Security 
March 30, 2011 Legal Developments in Information Security Rob Widham Secrecy, Surveillance and FISA: A Legal Overview 
March 23, 2011 Hardware Security Part 2 Jeyavijayan Rajendran Hardware Security 
March 9, 2011 Hardware Security Part 1 Jeyavijayan Rajendran Hardware Security 
March 2, 2011 Computer Crimes and Investigations John Koelzer Developments in Cyber Crime ACH Fraud 
February 16, 2011 Windows Active Directory Part 2 Jonathan Livolsi Windows Active Directory 
February 9, 2011 Windows Active Directory Part 1 Jonathan Livolsi Windows Active Directory 
February 2, 2011 Malware Research Jonathan Chittenden Malware Research 
December 1, 2010 Enterprise-Wide Incident Response James Carder and Justin Prosco Enterprise-Wide Incident Response  LC400
November 24, 2010 Introduction to Memory Corruption Part 3 Luis E. Garcia II and Julian Cohen Introduction To Memory Corruption 
November 17, 2010 Introduction to Memory Corruption Part 2 Luis E. Garcia II and Julian Cohen Introduction To Memory Corruption 
November 10, 2010 Introduction to Memory Corruption Part 1 Luis E. Garcia II and Julian Cohen Introduction To Memory Corruption 
October 27, 2010 Layer 2 Network Security Boris Kochergin Layer 2 Network Security 
October 20, 2010 Applied Application Security: How we secured boxes against the best hackers in the world for the 2010 CSAW CTF Julian Cohen Applied Application Security 
October 6, 2010 2010 CSAW CTF Challenges and Solutions Part 2 Julian Cohen and Luis E. Garcia II 2010 CSAW CTF 
September 29, 2010 2010 CSAW CTF Challenges and Solutions Part 1 Julian Cohen and Luis E. Garcia II 2010 CSAW CTF 
September 22, 2010 DLL Hijacking Julian Cohen DLL Hijacking 

TROOPERS 15 – Video Footage


TROOPERS15 Video Footage

Troopers15 is the eighth edition of the IT security conference at which leading IT security experts and hackers present their latest research.

Troopers provides a networking platform for security-interested people from all over the world and enables security practitioners from industry, academia and the research community to exchange knowledge and talk about their work. Again, Troopers15 is going to be an event unlike most other “security conferences”: no pointless marketing talks, just high-end workshops with hands-on experience and, most importantly, real answers and practical benefits for meeting today’s and tomorrow’s threats.

OWASP Video Collection


  • 1 Welcome to the OWASP Video Collection
    • 1.1 OWASP Global Webinars
    • 1.2 OWASP AppSecUSA 2014 Conference
    • 1.3 OWASP AppSec Europe 2014 Conference
    • 1.4 OWASP AppSec California 2014 Conference
    • 1.5 OWASP AppSecUSA 2013 Conference
    • 1.6 OWASP AppSec EU Research 2013 Conference
    • 1.7 OWASP AppSec Video Tutorial Series w/ Jerry Hoff
    • 1.8 OWASP AppSecUSA 2012 Conference
    • 1.9 OWASP AppSecUSA 2011 Conference
    • 1.10 OWASP Summit 2011
    • 1.11 OWASP Appsec DC 2010 Conference
    • 1.12 OWASP USA 2010 Conference
    • 1.13 OWASP EU 2010 Conference
    • 1.14 OWASP FROC 2010 Conference
    • 1.15 OWASP USA 2009 Conference
    • 1.16 OWASP AppSecEMEA 2009 Conference
    • 1.17 OWASP Israel 2008
    • 1.18 OWASP AppSecUSA 2008 Conference
    • 1.19 OWASP SnowFROC
    • 1.20 OWASP Minneapolis/St. Paul (OWASP MSP)
    • 1.21 Black Hat 2006
    • 1.22 AppSec Washington 2005

OWASP Global Webinars

YouTube Playlist

OWASP AppSecUSA 2014 Conference

YouTube Playlist

OWASP AppSec Europe 2014 Conference

YouTube Playlist

OWASP AppSec California 2014 Conference

YouTube Playlist

OWASP AppSecUSA 2013 Conference

YouTube Playlist

OWASP AppSec EU Research 2013 Conference

news entry “Video Recordings online”

https://www.its.fh-muenster.de/owasp-appseceu13/rooms/Grosser_Saal

[VID] OWASP-AppsecEU13-AmirAlsbih-ExperiencemadeinTechnicalDueDiligence_720p.mp4 01-Sep-2013 12:28 376M
[VID] OWASP-AppsecEU13-AngelaSasse-KeynoteBustingTheMythofDancingPigsAngelasTop10listofreasonswhyusersbypasssecuritymeasures_720p.mp4 28-Aug-2013 14:20 517M
[VID] OWASP-AppsecEU13-BenStock-EradicatingDNSRebindingwiththeExtendedSame-OriginPolicy_720p.mp4 28-Aug-2013 13:44 447M
[VID] OWASP-AppsecEU13-ChrisEngRyanOBoyle-FromtheTrenchesReal-WorldAgileSDLC_720p.mp4 28-Aug-2013 12:15 518M
[VID] OWASP-AppsecEU13-DavidRoss-InsaneintheIFRAME–Thecaseforclient-sideHTMLsanitization_720p.mp4 28-Aug-2013 15:11 478M
[VID] OWASP-AppsecEU13-DirkWetter-Welcomenoteandamanualfortheconferenceandeverythingelse_720p.mp4 28-Aug-2013 13:52 141M
[VID] OWASP-AppsecEU13-ErlendOftedal-SecuringamodernJavaScriptbasedsinglepagewebapplication_720p.mp4 28-Aug-2013 14:45 429M
[VID] OWASP-AppsecEU13-FlorianStahlJohannesStroeher-SecurityTestingGuidelinesformobileApps_720p.mp4 28-Aug-2013 13:20 353M
[VID] OWASP-AppsecEU13-FrederikBraun-OriginPolicyEnforcementinModernBrowsers_720p.mp4 28-Aug-2013 16:18 284M
[VID] OWASP-AppsecEU13-JimManico-OWASPTop10ProactiveControls_720p.mp4 28-Aug-2013 12:36 403M
[VID] OWASP-AppsecEU13-KrzysztofKotowicz-Iminurbrowserpwningyourstuff-AttackingwithGoogleChromeextensions_720p.mp4 28-Aug-2013 16:36 329M
[VID] OWASP-AppsecEU13-NickNikiforakisLievenDesmetStevenVanAcker-SandboxingJavascript_720p.mp4 28-Aug-2013 16:54 317M
[VID] OWASP-AppsecEU13-OWASPBoard-OWASPIntroduction_720p.mp4 28-Aug-2013 11:04 160M
[VID] OWASP-AppsecEU13-SebastianLekiesBenStock-ClickjackingProtectionUnderNon-trivialCircumstances_720p.mp4 28-Aug-2013 16:03 345M
[VID] OWASP-AppsecEU13-StefanoDiPaola-JavascriptlibrariesinsecurityAshowcaseofrecklessusesandunwittingmisuses_720p.mp4 28-Aug-2013 15:44 634M
[VID] OWASP-AppsecEU13-TarasIvashchenko-ContentSecurityPolicy-thepanaceaforXSSorplacebo_720p.mp4 28-Aug-2013 13:01 459M
[VID] OWASP-AppsecEU13-ThomasRoessler-KeynoteSecureallthethingsfictionfromtheWebsimmediatefuture_720p.mp4 28-Aug-2013 17:19 466M
[VID] OWASP-AppsecEU13-TobiasGondrom-OWASP-CISOGuideandCISOreport2013formanagers_720p.mp4 28-Aug-2013 11:47 419M

https://www.its.fh-muenster.de/owasp-appseceu13/rooms/Aussichtsreich_+_Freiraum

[VID] OWASP-AppsecEU13-AbrahamAranguren-IntroducingOWASPOWTF5x5_720p.mp4 27-Aug-2013 04:28 211M
[VID] OWASP-AppsecEU13-AchimHoffmannOferShezaf-WAFEC-contentandhistoryofanunbiasedprojectchallenge_720p.mp4 27-Aug-2013 04:14 299M
[VID] OWASP-AppsecEU13-BastianBraunJoachimPoseggaChristianV.Pollak-ADoormanforYourHome-Control-FlowIntegrityMeansinWebFrameworks_720p.mp4 27-Aug-2013 00:54 327M
[VID] OWASP-AppsecEU13-ColinWatsonDennisGroves-OWASPAppSensorInTheoryInPracticeandInPrint_720p.mp4 27-Aug-2013 05:29 322M
[VID] OWASP-AppsecEU13-DanCornell-DoYouHaveaScanneroraScanningProgram_720p.mp4 27-Aug-2013 03:54 353M
[VID] OWASP-AppsecEU13-DaveWichers-OWASPTop10-2013_720p.mp4 31-Aug-2013 12:02 474M
[VID] OWASP-AppsecEU13-DieterGollmann-ClosingNoteAccessControloftheWeb-TheWebofAccessControl_720p.mp4 27-Aug-2013 06:40 479M
[VID] OWASP-AppsecEU13-DirkWetter-ClosingCeremony_720p.mp4 27-Aug-2013 06:53 206M
[VID] OWASP-AppsecEU13-EduardoVela-Matryoshka_720p.mp4 26-Aug-2013 23:26 324M
[VID] OWASP-AppsecEU13-ErlendOftedal-RESTfulsecurity_720p.mp4 26-Aug-2013 22:36 435M
[VID] OWASP-AppsecEU13-FredDonovan-Q-BoxandH-BoxRaspberryPIfortheInfrastructureandHacker_720p.mp4 27-Aug-2013 01:18 350M
[VID] OWASP-AppsecEU13-JrgSchwenk-KeynoteCryptographyinWebSecurityStupidBrokenandmaybeWorking_720p.mp4 26-Aug-2013 17:50 213M
[VID] OWASP-AppsecEU13-KonstantinosPapapanagiotouSpyrosGasteratos-OWASPHackademicapracticalenvironmentforteachingapplicationsecurity_720p.mp4 27-Aug-2013 05:08 319M
[VID] OWASP-AppsecEU13-LucaViganLucaCompagna-TheSPaCIoSToolproperty-drivenandvulnerability-drivensecuritytestingforWeb-basedapplicationscenarios_720p.mp4 27-Aug-2013 05:50 311M
[VID] OWASP-AppsecEU13-MarcoBalduzziVincenzoCiangagliniRobertMcArdle-HTTPS-BasedClusteringforAssistedCybercrimeInvestigations_720p.mp4 26-Aug-2013 23:05 450M
[VID] OWASP-AppsecEU13-MarioHeiderich-TheinnerHTMLApocalypse-HowmXSSattackschangeeverythingwebelievedtoknowsofar_720p.mp4 27-Aug-2013 00:33 584M
[VID] OWASP-AppsecEU13-MicheleOrr-RootingyourinternalsInter-ProtocolExploitationcustomshellcodeandBeEF_720p.mp4 26-Aug-2013 18:16 406M
[VID] OWASP-AppsecEU13-MiltonSmith-MakingtheFutureSecurewithJava_720p.mp4 27-Aug-2013 02:55 559M
[VID] OWASP-AppsecEU13-NickNikiforakis-WebFingerprintingHowWhoandWhy_720p.mp4 27-Aug-2013 01:51 490M
[VID] OWASP-AppsecEU13-NicolasGrgoire-BurpPro-Real-lifetipsandtricks_720p.mp4 26-Aug-2013 20:30 562M
[VID] OWASP-AppsecEU13-PaulStone-PrecisionTiming-AttackingbrowserprivacywithSVGandCSS_720p.mp4 26-Aug-2013 19:22 518M
[VID] OWASP-AppsecEU13-PhilippeDeRyckLievenDesmetFrankPiessensWouterJoosen-ImprovingtheSecurityofSessionManagementinWebApplications_720p.mp4 26-Aug-2013 23:54 427M
[VID] OWASP-AppsecEU13-RetoIschi-AnAlternativeApproachforReal-LifeSQLiDetection_720p.mp4 27-Aug-2013 04:47 286M
[VID] OWASP-AppsecEU13-RobertoSuggiLiverani-AugmentedRealityinyourWebProxy_720p.mp4 26-Aug-2013 21:34 505M
[VID] OWASP-AppsecEU13-SahbaKazerooni-NewOWASPASVS2013_720p.mp4 27-Aug-2013 06:09 269M
[VID] OWASP-AppsecEU13-SaschaFahlMarianHarbachMatthewSmith-MalloDroidHuntingDownBrokenSSLinAndroidApps_720p.mp4 26-Aug-2013 22:06 498M
[VID] OWASP-AppsecEU13-SaschaFahlMatthewSmithHenningPerlMichaelBrenner-QualitativeComparisonofSSLValidationAlternatives_720p.mp4 26-Aug-2013 18:49 512M
[VID] OWASP-AppsecEU13-SimonBennetts-OWASPZAPInnovations_720p.mp4 27-Aug-2013 03:31 524M
[VID] OWASP-AppsecEU13-TalBeEry-APerfectCRIMEOnlytimewilltell_720p.mp4 26-Aug-2013 21:00 463M
[VID] OWASP-AppsecEU13-ThomasHerleaNelisBouckJohanPeeters-RecipesforenablingHTTPS_720p.mp4 26-Aug-2013 19:53 483M
[VID] OWASP-AppsecEU13-YvanBoilyMinion-MakingSecurityToolsaccessibleforDevelopers_720p.mp4 27-Aug-2013 02:17 390M

OWASP AppSec Video Tutorial Series w/ Jerry Hoff

OWASP Appsec Tutorial Series Click Here

OWASP AppSecUSA 2012 Conference

Vimeo

OWASP AppSecUSA 2011 Conference

Videos and Slides

Thursday, September 22, 2011

TIME | ATTACKS & DEFENSES | CLOUD | MOBILE | THOUGHT LEADERSHIP
0730-0830 CONTINENTAL BREAKFAST
0830-0920 KEYNOTE
Mark Curphey
Community – The Killer App (Video – starts at time marker 5:30, PDF)
0920-0930 BREAK
0930-1020 Andrés Riancho

Web Application Security Payloads(Video, PDF)

Andy Murren

SwA and the Cloud – Counting the Risks (Video,PPTX)

Patrick Tatro

Principles of Patrolling: Applying Ranger School to Information Security (Video,PPTX)

* Thank you to Patrick who, true to form, willingly stepped forward as an alternate

Arian Evans

Six Key Metrics: A look at the future of appsec (Video, sorry – no slides)

1020-1040 COFFEE BREAK
1040-1130 Jim Manico

Ghosts of XSS Past, Present and Future(Video, PDF)

Shankar Babu Chebrolu, PhD, CISSP

Top Ten Risks with Cloud that will keep you Awake at Night(Video, PPTX)

Ryan W Smith

STAAF: An Efficient Distributed Framework for Performing Large-Scale Android Application Analysis (Video,PDF)

Charles Henderson

Global Security Report (PDF)

1130-1140 BREAK
1140-1230 Shreeraj Shah

Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2) (Video,PDF)

Scott Matsumoto

Threat Modeling in the Cloud: What You Don’t Know Will Hurt You!(Video, PDF)

Tom Fischer

Lessons Learned Building Secure ASP.NET Applications(Video, PDF)

* Moved from Patterns Track for scheduling purposes

John Benninghoff

Behavioral Security Modeling: Eliminating Vulnerabilities by Building Predictable Systems (Video,PDF)

1230-1330 LUNCH & OWASP FOUNDATION BOARD DISCUSSION
Jeff Williams (Chair), Tom Brennan, Eoin Keary, Matt Tesauro, Dave Wichers, and incoming board member Michael Coates (Video, PDF)
* Sebastien Deleersnyder was unable to attend due to a scheduling conflict.
1330-1420 Javier Marcos de Prado, Juan Galiana Lara

Pwning intranets with HTML5 (Video,PDF)

Dan Cornell

The Self Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching (Video,PDF)

Mike Park

Android Security, or This is not the Kind of “Open” I Meant… (Video,PPTX)

Rafal Los, Mike McCormick,Christophe Veltsos, Jeff Williams

Making it in Information Security and Application Security (Video,PPT)

1420-1430 BREAK
1430-1520 Ganesh Devarajan,Todd Redfoot

Keeping up with the Web-Application Security (Video,PPTX)

Matt Tesauro

Testing from the Cloud: Is the Sky Falling? (Video,PDF)

Kevin Stadmeyer,Garrett Held

Hacking (and Defending) iPhone Applications(Video, PPTX)

John B. Dickson, CISSP

Software Security: Is OK Good Enough?(Video, PDF)

1520-1540 COFFEE BREAK
1540-1630 Jon McCoy (DigitalBodyGuard)

Hacking .NET (C#) Applications: The Black Arts (Video,PDF)

Adrian Lane

CloudSec 12-Step(Video, PDF)

Ashkan Soltani,Gerrit Padgham

When Zombies Attack – a Tracking Love Story (Video, PDF)

Jeff Williams

AppSec Inception – Exploiting Software Culture(Video, Prezi [Flash])

1630-1700 UNIVERSITY CHALLENGE WINNERS TALK! (Video, PPT)
1700-1800 HAPPY HOUR

Friday, September 23, 2011

TIME | SOFTWARE ASSURANCE | OWASP | PATTERNS | SECURE SDLC
0730-0830 CONTINENTAL BREAKFAST
0830-0920 KEYNOTE
Ira Winkler (Video, PPT)
0920-0930 BREAK
0930-1020 Richard Struse

Software Assurance Automation throughout the Lifecycle (Video,PPTX)

Michael Coates

Pure AppSec, No Fillers or Preservatives – OWASP Cheat Sheet Series(Video, PDF)

Colin Watson

OWASP Codes of Conduct (PDF)

Dr. Bill Chu, Jing Xie

Secure Programming Support in IDE(Video, PDF)

Brian Chess

Gray, the New Black: Gray-Box Web Penetration Testing (Video,PPTX)

1020-1040 COFFEE BREAK
1040-1130 Ryan Stinson

Improve your SDLC with CAPEC and CWE (Video,PPTX)

Jack Mannino,Zach Lanier,Mike Zusman

OWASP Mobile Top 10 Risks(Video, PPTX)

Aditya K Sood,Richard Enbody

The Good Hacker – Dismantling Web Malware (Video,PDF)

Chris Wysopal

Application Security Debt and Application Interest Rates (Video, PPT)

1130-1140 BREAK
1140-1230 Chuck Willis,Kris Britton

Sticking to the Facts: Scientific Study of Static Analysis Tools(Video, PDF)

Simon Bennetts

Introducing the OWASP Zed Attack Proxy(Video, PPTX)

Justin Collins,Tin Zaw

Brakeman and Jenkins: The Duo Detect Defects in Ruby on Rails Code (Video,PPTX)

Mike Ware

Simplifying Threat Modeling (Video,PDF)

1230-1330 LUNCH & KEYNOTE Moxie Marlinspike (Video, PDF)
1330-1420 Adam Meyers

Mobile Applications Software Assurance (Video,PDF)

Anthony J. Stieber

How NOT to Implement Cryptography for the OWASP Top 10 (Video, PDF)

Michael Coates

Security Evolution – Bug Bounty Programs for Web Applications(Video, PDF)

Wendy Nather (moderator),Dinis Cruz, Chris Eng, Jerry Hoff,Darren Meyer,John Steven,Sean Fay

Speeding Up Security Testing Panel (Video,PPTX)

1420-1430 BREAK
1430-1520 Charles Schmidt

You’re Not Done (Yet) – Turning Securable Apps into Secure Installations using SCAP (Video,PPTX)

Beef (Chris Schmidt), Kevin Wall

ESAPI 2.0 – Defense Against the Dark Arts(Video, PPT)

Jason Li

OWASP Projects Portal Launch! (5-10 Minutes)(Video, PPTX)

Srini Penchikala

Messaging Security using GlassFish 3.1 and Open Message Queue (Video,PDF)

Glenn Leifheit (moderator), Andreas Fuchsberger,Ajoy Kumar,Richard Tychansky,Alessandro Moretti

Application Security Advisory Board SDLC Panel(Video, PPTX)

1520-1540 COFFEE BREAK
1540-1630 Michelle Moss,Nadya Bartol

Why do developers make these dangerous software errors?(Video, PPTX)

Ryan Barnett

OWASP CRS and AppSensor Project(Video, Prezi [Flash])

Alex Smolen

Application Security and User Experience (Video,PDF)

Gunnar Peterson

Mobile Web Services (Video, sorry – no slides)

* Moved from Mobile Track for scheduling purposes

1630-1640 BREAK
1640-1730 RECAP AND LOOKING AHEAD TO THE NEXT TEN YEARS AND APPSEC USA 2012

OWASP Summit 2011

OWASP Summit 2011 Vimeo videos are available at

OWASP Appsec DC 2010 Conference

OWASP Appsec DC 2010 Click Here

  1. Cloudy with a Chance of Hack! with Lars Ewe, Cenzic

OWASP USA 2010 Conference

OWASP USA 2010 Click Here

  1. HD Moore, Keynote Speaker

    23.3K Plays

  2. Jeremiah Grossman, Breaking Web Browsers

    2,220 Plays

  3. Samy Kamkar, How I Met Your Girlfriend

    2,033 Plays

  4. Keith Turpin: The Secure Coding Practices Quick Reference Guide

    1,625 Plays

  5. Dan Cornell, Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications

    1,244 Plays

  6. Robert Zigweid: Threat Modeling Best Practices

    998 Plays

  7. Peleus Uhley, Assessing, Testing & Validating Flash Content

    829 Plays

  8. Joe Basirico, Reducing Web Application Vulnerabilities: Moving from a Test-Dependent to Design-Driven Development.

    789 Plays

  9. Michael Coates, Real Time Application Defenses – The Reality of AppSensor & ESAPI

    767 Plays

  10. Adrian Lane, Agile + Security = FAIL

    646 Plays

  11. David Rice, Keynote Speaker

    546 Plays

  12. Paul Judge, The Dark Side of Twitter, Measuri



  1. OWASP: AppSec 2010 Promo

    411 Plays

  2. Rafal Los, Into the Rabbit Hole: Execution Flow-based Web Application Testing

    303 Plays

  3. Panel Discussion: Vulnerability Lifecycle for Software Vendors with Kelly FitzGerald, Katie Moussouris, John Steven & Daniel Hol

    202 Plays

  4. Aditya K. Sood, Bug-Alcoholic 2.0 – Untamed World of Web Vulnerabilities

    198 Plays

  5. Lars Ewe, Session Management Security Tips and Tricks

    198 Plays

  6. Panel Discussion: Security Trends with Jeremiah Grossman, Robert Hansen, Jeff Williams & Eric Chen

    197 Plays

  7. David Bryan & Michael Anderson, Cloud Computing, A Weapon of Mass Destruction?

    187 Plays

  8. Gunter Ollmann, P0w3d for Botnet CNC

    181 Plays

  9. Chenxi Wang

    167 Plays

  10. Chris Schmidt: Solving Real-World Problems with an Enterprise Security API (ESAPI)

    161 Plays

  11. Dinis Cruz: Tour of OWASP Projects & Using the OWASP 02 Platform

    132 Plays

  12. Bill Cheswick

    121 Plays



  1. Jeff Williams

    116 Plays

  2. Panel Discussion: Characterizing Software Security as a Mainstream Business risk with Ed Pagett, Richard Greenberg, John Sapp &

    116 Plays

  3. Ivan Ristic, State of SSL on the Internet – 2010 Survey

    112 Plays

  4. Antti Rantasaari & Scott Sutherland, Escalating Privileges through Database Trusts

    88 Plays

  5. Alex Stamos

    85 Plays

  6. Peleus Uhley, Unraveling Cross-Technology, Cross-Domain Trust Relations

    83 Plays

  7. Panel Discussion: Defining the Identity Management Framework with Mano Paul, Richard Tychansky, Jeff Williams & Hord Tipton

    82 Plays

OWASP EU 2010 Conference

OWASP Stockholm Sweden 2010 Click Here and Click Here

Conference Day 1 – June 23, 2010 ([R] = Research paper, [D] = Demo, [P] = Presentation)
Tracks: Track 1, Track 2, Track 3
08:00-08:50 Registration and Breakfast + Coffee
08:50-09:00 Welcome to OWASP AppSec Research 2010 Conference (John Wilander & OWASP Global Board Members) (pdf)
09:00-10:00 Keynote: Cross-Domain Theft and the Future of Browser Security (pdf) (video). Chris Evans, Information Security Engineer, and Ian Fette, Product Manager for Chrome Security, Google
10:10-10:45
  Track 1: [R] BitFlip: Determine a Data’s Signature Coverage from Within the Application (pdf) (video). Henrich Christopher Poehls, University of Passau
  Track 2: [P] CsFire: Browser-Enforced Mitigation Against CSRF (pdf) (video). Lieven Desmet and Philippe De Ryck, Katholieke Universiteit Leuven
  Track 3: [P] Deconstructing ColdFusion (pdf) (video). Chris Eng, Veracode
10:45-11:10 Break – Expo – CTF kick-off (coffee break sponsoring position open, $2,000)
11:10-11:45
  Track 1: [R] Towards Building Secure Web Mashups (pdf) (video). M Decat, P De Ryck, L Desmet, F Piessens, W Joosen, Katholieke Universiteit Leuven
  Track 2: [P] New Insights into Clickjacking (pdf) (video). Marco Balduzzi, Eurecom
  Track 3: [P] How to Render SSL Useless (pdf) (video). Ivan Ristic, Qualys
11:55-12:30
  Track 1: [R] Busting Frame Busting (pdf) (video). Gustav Rydstedt, Stanford Web Security Research
  Track 2: [P] Web Frameworks and How They Kill Traditional Security Scanning (pdf) (video). Christian Hang and Lars Andren, Armorize Technologies
  Track 3: [D] The State of SSL in the World (pdf) (video without sound). Michael Boman, Omegapoint
12:30-13:45 Lunch – Expo – CTF (lunch sponsor: IIS)
13:45-14:20
  Track 1: [R] (New) Object Capabilities and Isolation of Untrusted Web Applications (pdf) (video). Sergio Maffeis, Imperial College, London
  Track 2: [P] Beyond the Same-Origin Policy (pdf) (video). Jasvir Nagra and Mike Samuel, Google
  Track 3: [D] SmashFileFuzzer – a New File Fuzzer Tool (pdf) (video). Komal Randive, Symantec
14:30-15:05
  Track 1: [D] Security Toolbox for .NET Development and Testing (pdf) (video). Johan Lindfors and Dag König, Microsoft
  Track 2: [D] Cross-Site Location Jacking (XSLJ) (not really) (pdf) (video). David Lindsay, Cigital, and Eduardo Vela Nava, sla.ckers.org
  Track 3: [D] Owning Oracle: Sessions and Credentials (pdf) (video). Wendel G. Henrique and Steve Ocepek, Trustwave
15:05-15:30 Break – Expo – CTF (coffee break sponsoring position open, $2,000)
15:30-16:05
  Track 1: [D] Value Objects a la Domain-Driven Security: A Design Mindset to Avoid SQL Injection and Cross-Site Scripting (pdf) (video). Dan Bergh Johnsson, Omegapoint
  Track 2: [P] Automated vs. Manual Security: You Can’t Filter “The Stupid” (pdf not available yet) (video). David Byrne and Charles Henderson, Trustwave
  Track 3: [R] Session Fixation – the Forgotten Vulnerability? (pdf) (video). Michael Schrank and Bastian Braun, University of Passau; Martin Johns, SAP Research
16:15-17:00 Panel Discussion: “Is Application Security a Losing Battle?” (video, partly poor sound)
19:00-23:00 Gala Dinner at Stockholm City Hall (The Golden Hall), sponsored by Google
Conference Day 2 – June 24, 2010 ([R] = Research paper, [D] = Demo, [P] = Presentation)
Tracks: Track 1, Track 2, Track 3
08:00-08:50 Breakfast + Coffee
08:50-09:00 Three Announcements from OWASP (video)
09:00-10:00 Keynote: The Security Development Lifecycle – The Creation and Evolution of a Security Development Process (pdf) (video). Steve Lipner, Senior Director of Security Engineering Strategy, Microsoft Corporation
10:10-10:45
  Track 1: [P] The Anatomy of Real-World Software Security Programs (pdf) (video). Pravir Chandra, Fortify
  Track 2: [D] Promon TestSuite: Client-Based Penetration Testing Tool (pdf not available yet) (video). Folker den Braber and Tom Lysemose Hansen, Promon
  Track 3: [R] A Taint Mode for Python via a Library (pdf) (video). Juan José Conti, Universidad Tecnológica Nacional; Alejandro Russo, Chalmers Univ. of Technology
10:45-11:10 Break – Expo – CTF (coffee sponsor: MyNethouse)
11:10-11:45
  Track 1: [P] Microsoft’s Security Development Lifecycle for Agile Development (pdf) (video). Nick Coblentz, OWASP Kansas City Chapter and AT&T Consulting
  Track 2: [P] Detecting and Protecting Your Users from 100% of all Malware – How? (pdf) (video). Bradley Anstis and Vadim Pogulievsky, M86 Security
  Track 3: [R] OPA: Language Support for a Sane, Safe and Secure Web (pdf) (video without sound). David Rajchenbach-Teller and François-Régis Sinot, MLstate
11:55-12:30
  Track 1: [P] Secure Application Development for the Enterprise: Practical, Real-World Tips (pdf) (video). Michael Craigue, Dell
  Track 2: [P] Responsibility for the Harm and Risk of Software Security Flaws (pdf) (video). Cassio Goldschmidt, Symantec
  Track 3: [R] Secure the Clones: Static Enforcement of Policies for Secure Object Copying (pdf) (video). Thomas Jensen and David Pichardie, INRIA Rennes – Bretagne Atlantique
12:30-13:45 Lunch – Expo – CTF (lunch break sponsoring position open, $4,000)
13:45-14:20
  Track 1: [P] Product Security Management in Agile Product Management (pdf) (video). Antti Vähä-Sipilä, Nokia
  Track 2: [P] Hacking by Numbers (pdf) (video). Tom Brennan, WhiteHat Security and OWASP Foundation
  Track 3: [R] Safe Wrappers and Sane Policies for Self Protecting JavaScript (pdf) (video). Jonas Magazinius, Phu H. Phung, and David Sands, Chalmers Univ. of Technology
14:30-15:05
  Track 1: [P] OWASP Top 10 2010 (pdf) (video). Dave Wichers, Aspect Security and OWASP Foundation
  Track 2: [P] Application Security Scoreboard in the Sky (pdf) (video). Chris Eng, Veracode
  Track 3: [R] On the Privacy of File Sharing Services (pdf and video not available because of a potential zero-day). N Nikiforakis, F Gadaleta, Y Younan, and W Joosen, Katholieke Universiteit Leuven
15:05-15:30 Break – Expo – CTF (coffee break sponsoring position open, $2,000)
15:30-16:00 CTF Prize Ceremony, Announcement of OWASP AppSec EU 2011, Closing Notes (pdf)

OWASP FROC 2010 Conference

FROC 2010 – Click Here

JUNE 2, 2010
07:30-08:30 Registration and Continental Breakfast in the Sponsor Expo Room
08:30-08:35 Welcome to FROC 2010 Conference. David Campbell, OWASP Denver
08:35-09:35 Keynote: “Watching Software Run: Software Security Beyond Defect Elimination”. Brian Chess, Fortify Software (Presentation, Video)
09:35-10:00 OWASP: State of the Union. Tom Brennan, OWASP Board (BIO) (Video)
10:00-10:20 Cloud Security Alliance: State of the Union. Randy Barr, Cloud Security Alliance (Video)
10:20-10:30 Break – Expo – CTF
Tracks: AppSec/Technical Track (Room 1), Cloud/Mobile/Emerging Track (Room 2), Management / Exec Track (Room 3)
10:30-11:15
  Room 1: 2010: Web Hacking Odyssey – The Top Hacks of the Year. Jeremiah Grossman (Presentation, Video; the blip version seems broken, so linked to the WhiteHatSec webex)
  Room 2: “Building a Secure, Compliant Cloud for the Enterprise”. Matt Ferrari, Hosting.com
  Room 3: “Anatomy of a Logic Flaw”. David Byrne and Charles Henderson, Trustwave
11:15-12:00
  Room 1: Advanced MITM Techniques for Security Testers. Mike Zusman, Raj Umadas and Aaron Rhodes, Intrepidus Group (Presentation)
  Room 2: “YOU are the weakest link”. Chris Nickerson, Lares Consulting (Presentation)
  Room 3: “Effectively marketing security as a win for both the business and the customer”. Ben Whaley, Applied Trust Engineering and Jeff Smith, Rally Software (Presentation)
12:00-13:00 Lunch – Expo – CTF
13:00-13:50
  Room 1: Vulnerabilities in Secure Code: Now and Beyond. Alex Wheeler and Ryan Smith, Accuvant (Video)
  Room 2: “Real life CSI – Data Mining and Intelligence Gathering for the masses”. Chris Roberts, Cyopsis (Presentation)
  Room 3: “The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise”. John Dickson, Denim Group (Presentation)
13:50-14:40
  Room 1: Beware of Serialized GUI Objects Bearing Data. David Byrne and Rohini Sulatycki, Trustwave (Video)
  Room 2: “What’s Old Is New Again: An Overview of Mobile Application Security”. Zach Lanier and Mike Zusman, Intrepidus Group
  Room 3: “Fundamental Practices and Tools to implement a security development lifecycle”. Cassio Goldschmidt, Symantec (Presentation)
14:40-15:00 BREAK
15:00-15:50
  Room 1: Solving Real-World Problems with an Enterprise Security API. Chris Schmidt (Presentation, Video)
  Room 2: “Cloudy with a chance of hack”. Lars Ewe, Cenzic (Presentation)
  Room 3: “Application Security Program Management with Vulnerability Manager”. Bryan Beverly, Denim Group (Presentation)
15:50-16:30 Panel Discussion: “Security successes are like Six legged calves: unnatural, but they happen.” Moderator: John Dickson, Denim Group. Panelists: Randy Barr, CSO @ Qualys; Jeremiah Grossman, CTO @ WhiteHat Security; Chris Nickerson, Principal @ Lares Consulting; Andy Lewis, CSO @ New Frontier Media
16:30-17:30 Wrap up, vendor raffles, CTF awards, FREE BEER!

OWASP USA 2009 Conference

APPSEC DC 2009 – Click Here

Training 11/10

Day 1 – Nov 10th 2009 (sessions 09:00-12:00 and 13:00-17:00, same course in both sessions; Lunch 12:00-13:00)
Room 154A: Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework (Day 1). Justin Searle
Room 149B: Java EE Secure Code Review (Day 1). Sahba Kazerooni, Security Compass
Room 149A: Threat Modeling Express. Krishna Raja, Security Compass
Room 154B: Foundations of Web Services and XML Security. Dave Wichers, Aspect Security
Room 155: Live CD. Matt Tesauro

Training 11/11

Day 2 – Nov 11th 2009 (sessions 09:00-12:00 and 13:00-17:00, same course in both sessions; Lunch 12:00-13:00)
Room 154A: Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework (Day 2). Justin Searle
Room 149B: Java EE Secure Code Review (Day 2). Sahba Kazerooni, Security Compass
Room 149A: WebAppSec.php: Developing Secure Web Applications. Robert Zakon
Room 154B: Leader and Manager Training – Leading the Development of Secure Applications. John Pavone, Aspect Security

Talks 11/12

Day 1 – Nov 12th 2009
OWASP (146A) Tools (146B) Web 2.0 (146C) SDLC (152A)
07:30-08:50 Registration
08:50-09:00 Welcome and Opening Remarks
09:00-10:00 Keynote: Joe Jarzombek
Video | Slides
10:00-10:30 All about OWASP OWASP Board
Video | Slides
10:30-10:45 Coffee Break sponsored by Denim Group
10:45-11:30 OWASP ESAPI
Jeff Williams

Video | Slides

Clubbing WebApps with a Botnet
Gunter Ollmann

Video | Slides

Understanding the Implications of Cloud Computing on Application Security
Dennis Hurst

Video | Slides

Enterprise Application Security – GE’s approach to solving root cause
Darren Challey

Video | Slides

11:30-12:30 Hosted Lunch
12:30-1:15 Software Assurance Maturity Model (SAMM)
Pravir Chandra

Video | Slides

The Case of Promiscuous Parameters and Other Ongoing Capers in Web Security
Jacob West

Video | Slides

Transparent Proxy Abuse
Robert Auger

Video | Slides

Software Development The Next Security Frontier
Jim Molini

Video | Slides

1:15-1:20 Break
1:20-2:05 DISA’s Application Security and Development STIG: How OWASP Can Help You
Jason Li

Video | Slides

OWASP ModSecurity Core Rule Set Project
Ryan C. Barnett

Video | Slides

Development Issues Within AJAX Applications: How to Divert Threats
Lars Ewe

Video | Slides

Secure SDLC Panel: Real answers from real experience
Panelists:
Dan Cornell
Michael Craigue
Dennis Hurst
Joey Peloquin
Keith Turpin

Moderator:
Pravir Chandra

Video | Slides

2:05-2:10 Break
2:10-2:55 Defend Yourself: Integrating Real Time Defenses into Online Applications
Michael Coates

Video | Slides

Finding the Hotspots: Web-security testing with the Watcher tool
Chris Weber

Video | Slides

Social Zombies: Your Friends Want to Eat Your Brains
Tom Eston/Kevin Johnson

Video | Slides

2:55-3:10 Coffee Break sponsored by Denim Group
3:10-3:55 The ESAPI Web Application Firewall
Arshan Dabirsiaghi

Video | Slides

One Click Ownage
Ferruh Mavituna

Video | Slides

Cloudy with a chance of 0-day
Jon Rose/Tom Leavey

Video | Slides

The essential role of infosec in secure software development
Kenneth R. van Wyk

Video | Slides

Web Application Security Scanner Evaluation Criteria
Brian Shura

Video | Slides

3:55-4:00 Break
4:00-4:45 OWASP Live CD: An open environment for Web Application Security
Matt Tesauro / Brad Causey

Video | Slides

Learning by Breaking: A New Project Insecure Web Apps
Chuck Willis

Video | Slides

Attacking WCF Web Services
Brian Holyfield

Video | Slides

Vulnerability Management in an Application Security World
Dan Cornell

Video | Slides

Synergy! A world where the tools communicate
Josh Abraham

Video | Slides

4:45-4:50 Break
4:50-5:55 The Entrepreneur’s Guide to Career Management
Lee Kushner

Video | Slides

Advanced SSL: The good, the bad, and the ugly
Michael Coates

Video | Slides

When Web 2.0 Attacks – Understanding Security Implications of AJAX Flash and Highly Interactive Technologies
Rafal Los

Video | Slides

Threat Modeling
John Steven

Video | Slides

User input piercing for Cross Site Scripting Attacks
Matias Blanco

Video | Slides

6:00-8:00 Cocktails and hors d’oeuvres in the EXPO Room (151)
Sponsored by Cenzic

Talks 11/13

Day 2 – Nov 13th 2009
Process (146A) Attack & Defend (146B) Metrics (146C) Compliance (152A)
8:00-9:00 Registration & Coffee sponsored by FYRM
9:00-9:45 The Big Picture: Web Risks and Assessments Beyond Scanning
Matt Fisher

Video | Slides

Securing the Core JEE Patterns
Rohit Sethi/Krishna Raja

Video | Slides

The Web Hacking Incidents Database
Ryan C. Barnett

Video | Slides

Business Logic Automatons: Friend or Foe?
Amichai Shulman

Video | Slides

9:45-9:50 Break
9:50-10:35 Scalable Application Assessments in the Enterprise
Tom Parker/Lars Ewe

Video | Slides

Malicious Developers and Enterprise Java Rootkits
Jeff Williams

Video | Slides

Application security metrics from the organization on down to the vulnerabilities
Chris Wysopal

Video | Slides

SCAP: Automating our way out of the Vulnerability Wheel of Pain
Ed Bellis

Video | Slides

10:35-10:40 Break
10:40-11:25 Secure Software Updates: Update Like Conficker
Jeremy Allen

Video | Slides

Unicode Transformations: Finding Elusive Vulnerabilities
Chris Weber

Video | Slides

OWASP Top 10 – 2010
Release Candidate
Dave Wichers

Video | Slides

Secure SDLC: The Good, The Bad, and The Ugly
Joey Peloquin

Video | Slides

11:25-12:30 Hosted Lunch
12:30-1:15 Improving application security after an incident
Cory Scott

Video | Slides

The 10 least-likely and most dangerous people on the Internet
Robert Hansen

Video | Slides

Hacking by Numbers
Tom Brennan

Video | Slides

Federal CISO Panel

Video

1:15-1:20 Break
1:20-2:05 Deploying Secure Web Applications with OWASP Resources
Sebastien Deleersnyder / Fabio Cerullo

Video | Slides

Automated vs. Manual Security: You can’t filter The Stupid
David Byrne/Charles Henderson

Video | Slides

Building an in-house application security assessment team
Keith Turpin

Video | Slides

2:05-2:20 Coffee break sponsored by FYRM
2:20-3:05 OWASP O2 Platform – Open Platform for automating application security knowledge and workflows
Dinis Cruz

Video | Slides

Injectable Exploits: Two New Tools for Pwning Web Apps and Browsers
Kevin Johnson, Justin Searle, Frank DiMaggio

Video | Slides

The OWASP Security Spending Benchmarks Project
Dr. Boaz Gelbord

Video | Slides

Promoting Application Security within Federal Government
Sarbari Gupta

Video | Slides

3:05-3:10 Break
3:10-3:55 Custom Intrusion Detection Techniques for Monitoring Web Applications
Matthew Olney

Video | Slides

Manipulating Web Application Interfaces, a new approach to input validation
Felipe Moreno-Strauch

Video | Slides

SANS Dshield Webhoneypot Project
Jason Lam

Video | Slides

Techniques in Attacking and Defending XML/Web Services
Mamoon Yunus/Jason Macy

Video | Slides

3:55-4:00 Break
4:00-4:15 Closing Remarks (146B)
Mark Bristow, Rex Booth, Doug Wilson
Video | Slides

OWASP AppSecEMEA 2009 Conference

OWASP EU 2009 – Here and Here

Conference – May 13

DAY 1 – MAY 13, 2009
Track 1: room Alfa 1 Track 2: room Alfa 2 Track 3: room Beta
08:00-08:50 Registration and Coffee
08:50-09:00 Welcome to OWASP AppSec 2009 Conference (PPT) – Sebastien Deleersnyder, OWASP Foundation
09:00-10:00 Web App Security – The Good, the Bad and the Ugly (PPT) – Ross Anderson, Professor in Security Engineering, University of Cambridge
10:00-10:45 OWASP State of the Union (PPT | video) – Dinis Cruz, Dave Wichers & Sebastien Deleersnyder, OWASP Foundation
10:45-11:05 Break – Expo – CTF Kick-Off – Andrés Riancho
11:05-11:50
Track 1: OWASP Live CD: An open environment for Web Application Security (PPT) – Matt Tesauro, OWASP Live CD Project
Track 2: Leveraging agile to gain better security (PPT | video) – Erlend Oftedal, Bekk Consulting
Track 3: The OWASP Orizon project: new static analysis in HiFi (PPT | video) – Paolo Perego, Spike Reply
11:55-12:40
Track 1: OWASP Application Security Verification Standard (ASVS) Project (PPT) – Dave Wichers, Aspect Security
Track 2: Tracking the effectiveness of an SDL program: lessons from the gym (PPT | video) – Cassio Goldschmidt, Symantec Corporation
Track 3: The Bank in the Browser – Defending web infrastructures from banking malware (PDF | video) – Giorgio Fedon, Minded Security
12:40-14:00 Lunch – Expo – CTF
14:00-14:45
Track 1: Threat Modeling (PPT) – John Steven, Cigital
Track 2: Web Application Harvesting (PPT | video) – Esteban Ribičić, tbd
Track 3: Maturing Beyond Application Security Puberty (PPT) – David Harper, Fortify
14:50-15:35
Track 1: Exploiting Web 2.0 – Next Generation Vulnerabilities (PDF) – Shreeraj Shah, Blueinfy
Track 2: O2 – Advanced Source Code Analysis Toolkit (video) – Dinis Cruz, Ounce Labs
Track 3: The Truth about Web Application Firewalls: What the vendors do not want you to know (PPT) – Wendel Guglielmetti Henrique, Trustwave & Sandro Gauci, EnableSecurity
15:35-15:55 Break – Expo – CTF
15:55-16:40
Track 1: The Software Assurance Maturity Model (SAMM) (PPT) – Pravir Chandra, Cognosticus
Track 2: Advanced SQL injection exploitation to operating system full control (PDF | video) – Bernardo Damele Assumpcao Guimaraes, lead developer of sqlmap
Track 3: When Security Isn’t Free: The Myth of Open Source Security (PPT | video) – David Harper, Fortify
16:45-17:45 Panel: SDLC: where do they work well, where do they fail? (PPT) – Moderator: Cassio Goldschmidt. Panelists: Pravir Chandra, Bart De Win, John Steven, Dave Wichers

Conference- May 14

DAY 2 – MAY 14, 2009
Track 1: room Alfa 1 Track 2: room Alfa 2 Track 3: room Beta
08:00-09:00 Registration and Coffee
09:00-10:00 Fixing Internet Security by Hacking the Business Climate – Bruce Schneier, Chief Security Technology Officer, BT
10:00-10:45 OWASP Projects (PPT | video) – Dave Wichers & Dinis Cruz, OWASP Foundation
10:45-11:05 Break – Expo – CTF
11:05-11:50
Track 1: OWASP “Google Hacking” Project (video) – Christian Heinrich, OWASP “Google Hacking” Project Lead
Track 2: Deploying Secure Web Applications with OWASP Resources (video) – Kuai Hinojosa, New York University
Track 3: Beyond security principles approximation in software architectures (PPT | video) – Bart De Win, Ascure
11:55-12:40
Track 1: OWASP Enterprise Security API (ESAPI) Project (PPT | video) – Dave Wichers, Aspect Security
Track 2: w3af, A framework to 0wn the web (PPT | Video) – Andrés Riancho, Bonsai Information Security
Track 3: Brain’s hardwiring and its impact on software development and secure software (PDF | video) – Alexandru Bolboaca & Maria Diaconu, Mosaic Works
12:40-14:00 Lunch – Expo – CTF
14:00-14:45
Track 1: OWASP ROI: Optimize Security Spending using OWASP (PPT) – Matt Tesauro, OWASP Live CD Project
Track 2: CSRF: the nightmare becomes reality? (PPT | video) – Lieven Desmet, University Leuven
Track 3: I thought you were my friend: Evil Markup, browser issues and other obscurities (PDF / PPT | video) – Mario Heiderich, Business-IN
14:50-15:35
Track 1: HTTP Parameter Pollution (PDF | video) – Luca Carettoni, Independent Researcher & Stefano Di Paola, MindedSecurity
Track 2: OWASP Source Code Flaws Top 10 Project (PPT | video) – Paolo Perego, Spike Reply
Track 3: Business Logic Attacks: Bots and Bats (PPT | video) – Eldad Chai, Imperva
15:35-15:55 Break – Expo – CTF
15:55-16:40
Track 1: Factoring malware and organized crime in to Web application security (PDF 1 | PDF 2 | video) – Gunter Ollmann, Damballa
Track 2: Real Time Defenses against Application Worms and Malicious Attackers (PPT | video) – Michael Coates, Aspect Security
Track 3: Can an accessible web application be secure? Assessment issues for security testers, developers and auditors (PPT | video) – Colin Watson, Watson Hall Ltd
16:45-17:45 Panel: The Future of web application security (video) – Moderator: Christian Heinrich. Panelists: tbd
17:45-18:00 Conference Wrap-Up & CTF Awards – Dave Wichers, OWASP Foundation

Venue: Park Inn Hotel, Krakow

OWASP Israel 2008

Click Here

Room #1 Room #2
Management Track Fundamentals Track
9:15-10:00 Web Application Security and Search Engines – Beyond Google Hacking (ppt, video part 1, video part 2)
Amichai Shulman, Imperva
Application Security – The code analysis way (download ppt)
Maty Siman, Checkmarx
10:00-10:45 No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling (watch video, download video)
Ivan Ristic, Breach Security
Black Box vs. White Box – pros and cons (download ppt)
Adi Sharabani & Yinnon Haviv, IBM
10:45-11:00 Break
11:00-11:45 Trends in Web Hacking: What’s hot in 2008 (ppt, watch video, download video)
Ofer Shezaf, Breach Security
AJAX – new technologies new threats (download ppt)
Dr. David Movshovitz, IDC
11:45-12:30 Testing the Tester – Measuring Quality of Security Testing (ppt, download video)
Ofer Maor, Hacktics
GreenSQL – an open source database security gateway (download ppt)
Yuli Stremovsky
12:30-13:15 Lunch
Advanced Technology Track Practical Technology Track
13:15-14:00 Achilles’ heel – Hacking Through Java Protocols (ppt, watch video, download video)
Shai Chen, Hacktics
Defending against Phishing without Client-side Code (ppt, watch video, download video)
Prof. Amir Herzberg, Bar-Ilan University
14:00-14:45 Cryptographic elections – how to simultaneously achieve verifiability and privacy (download pdf)
Dr. Alon Rosen, IDC
.NET Framework rootkits – backdoors inside your Framework (download ppt)
Erez Metula, 2Bsecure
14:45-15:00 Break
15:00-15:45 Automated Crawling & Security Analysis of Flash/Flex based Web Applications (download ppt)
Ronen Bachar, IBM
Korset: Code-based Intrusion Detection System for Linux (download pdf)
Ohad Ben-Cohen
15:45-16:30 Turbo talks (Rump Session), Currently scheduled presentations:

  • Yossi Oren, Automatic Patch-Based Exploit Generation (APEG) (download ppt)
  • Avi Weissman, Introduction to the Israeli Forum for Information Security (ISIF)
  • Robert Moskovitch, Detection of Unknown Malicious Code via Machine Learning (download pdf)
  • Yaniv Miron, Comsec, UTF7 XSS (download ppt)
  • Shay Zalalichin & Avi Douglen, Comsec, Breaking CAPTCHA Myths (download ppt)

Closing Words, Ofer Shezaf

OWASP AppSecUSA 2008 Conference

Click Here

DAY 1 – SEPT 24TH, 2008

Track 1: BALLROOM Track 2: SKYLINE Track 3: TIMESQUARE
07:30-08:50 Doors Open for Attendee/Speaker Registration. Avoid the lines: come early, get your caffeine fix and use the free wifi.
09:00-09:45 OWASP Version 3.0 who we are, how we got here and where we are going?
OWASP Foundation: Jeff Williams, Dinis Cruz, Dave Wichers, Tom Brennan, Sebastien Deleersnyder

Dave Wichers’ Slides / Jeff Williams’ Slides / Dinis Cruz’s Slides

10:00-10:45 Analysis of the Web Hacking Incidents Database (WHID)
Ofer Shezaf
VIDEO / SLIDES
Web Application Security Road Map
Joe White
VIDEO / SLIDES
DHS Software Assurance Initiatives
Stan Wisseman & Joe Jarzombek
VIDEO / SLIDES
11:00-11:45 Http Bot Research
Andre M. DiMino – ShadowServer Foundation
VIDEO / SLIDES
OWASP “Google Hacking” Project
Christian Heinrich
VIDEO / SLIDES
MalSpam Research
Garth Bruen
VIDEO / SLIDES
12:00-13:00 Capture the Flag Sign-Up / LUNCH – Provided by event sponsors @ TechExpo
12:00-12:45 Get Rich or Die Trying – Making Money on The Web, The Black Hat Way
Trey Ford, Tom Brennan, Jeremiah Grossman
VIDEO / SLIDES
Framework-level Threat Analysis: Adding Science to the Art of Source-code review
Rohit Sethi & Sahba Kazerooni
VIDEO / SLIDES
Automated Web-based Malware Behavioral Analysis
Tyler Hudak
VIDEO / SLIDES
13:00-13:45 New 0-Day Browser Exploits: Clickjacking – yea, this is bad…
Jeremiah Grossman & Robert “RSnake” Hansen
VIDEO / SLIDES
Web Intrusion Detection with ModSecurity
Ivan Ristic
VIDEO / SLIDES
Using Layer 8 and OWASP to Secure Web Applications
David Stern & Roman Garber
VIDEO / SLIDES
14:00-14:45 Application Security Industry Outlook Panel:
Jim Routh CISO DTCC,
Sunil Seshadri CISO NYSE-Euronet,
Joe Bernik SVP, RBS Americas,
Jennifer Bayuk Infosec Consultant,
Philip Venables CISO, Goldman Sachs,
Carlos Recalde SVP, Lehman Brothers,
Moderator: Mahi Dontamsetti
VIDEO / SLIDES
Security Assessing Java RMI
Adam Boulton
VIDEO / SLIDES
JBroFuzz 0.1 – 1.1: Building a Java Fuzzer for the Web
Yiannis Pavlosoglou
VIDEO / SLIDES
15:00-15:45 OWASP Testing Guide – Offensive Assessing Financial Applications
Daniel Cuthbert
VIDEO / SLIDES
Flash Parameter Injection (FPI)
Ayal Yogev & Adi Sharabani
VIDEO / SLIDES / PAPER
w3af – A Framework to own the web
Andrés Riancho
VIDEO / VIDEO
16:00-16:45 OWASP Enterprise Security API (ESAPI) Project
Jeff Williams
VIDEO / SLIDES
Cross-Site Scripting Filter Evasion
Alexios Fakos
VIDEO / SLIDES
Multidisciplinary Bank Attacks
Gunter Ollmann
VIDEO / SLIDES
17:00-17:45 Open Discussion On Application Security
Joe Bernik & Steve Antoniewicz
VIDEO / SLIDES
Mastering PCI Section 6.6
Taylor McKinley and Jacob West
VIDEO / SLIDES
Case Studies: Exploiting application testing tool deficiencies via “out of band” injection
Vijay Akasapu & Marshall Heilman
VIDEO / SLIDES
18:00-18:45 Spearfishing and the OWASP Live CD
Joshua Perrymon
VIDEO / SLIDES
Phundamental Security – Coding Secure w/PHP
Hans Zaunere
VIDEO / SLIDES
Payment Card Data Security and the new Enterprise Java
Dr. B. V. Kumar & Mr. Abhay Bhargav
VIDEO / SLIDES
19:00-20:00 OWASP Chapter Leader / Project Leader working session
OWASP Board/Chapter Leaders
(ISC)2 Cocktail Hour
All welcome to attend for a special announcement presented by:
W. Hord Tipton, Executive Director of (ISC)2
Technology Movie Night
Sneakers, WarGames,HackersArePeopleToo,TigerTeam
from 19:00 – 23:00
20:00-23:00+ OWASP Event Party/Reception
Event badge required for admission
Food, Drinks w/ New & Old Friends – break out the laptop and play capture the flag for fun and prizes.
Location: HOTEL BALLROOM

DAY 2 – SEPT 25TH, 2008

08:00-10:00 BREAKFAST – Provided by event sponsors @ TechExpo
08:00-08:45 Software Development and Management: The Last Security Frontier
W. Hord Tipton, CISSP-ISSEP, CAP, CISA, CNSS; former Chief Information Officer for the U.S. Department of the Interior; Executive Director and member of the Board of Directors, (ISC)²
VIDEO / SLIDES
Best Practices Guide for Web Application Firewalls
Alexander Meisel
VIDEO / SLIDES
The Good The Bad and The Ugly – Pen Testing VS. Source Code Analysis
Thomas Ryan
VIDEO / SLIDES
09:00-09:45 OWASP Web Services Top Ten
Gunnar Peterson
VIDEO / SLIDES
Red And Tiger Team Application Security Projects
Chris Nickerson
VIDEO / SLIDES
OpenSource Tools
Prof. Li-Chiou Chen & Chienting Lin, Pace Univ
VIDEO / SLIDES
10:00-10:45 Building a tool for Security consultants: A story of a customized source code scanner
Dinis Cruz
VIDEO / SLIDES
“Help Wanted” 7 Things You Need to Know APPSEC/INFOSEC Employment
Lee Kushner
VIDEO / SLIDES
Industry Analysis with Forrester Research
Chenxi Wang
VIDEO / SLIDES
11:00-11:45 Software Assurance Maturity Model (SAMM)
Pravir Chandra
VIDEO / SLIDES
Security in Agile Development
Dave Wichers
VIDEO / SLIDES
Secure Software Impact
Jack Danahy
VIDEO / SLIDES
12:00-12:45 Next Generation Cross Site Scripting Worms
Arshan Dabirsiaghi
VIDEO / SLIDES
Security of Software-as-a-Service (SaaS)
James Landis
VIDEO / SLIDES
Open Reverse Benchmarking Project
Marce Luck & Tom Stracener
VIDEO / SLIDES
12:00-13:00 Capture the Flag Status / LUNCH – Provided @ TechExpo
13:00-13:45 NIST and SAMATE Static Analysis Tool Exposition (SATE)
Vadim Okun
VIDEO / SLIDES
Lotus Notes/Domino Web Application Security
Jian Hui Wang
VIDEO / SLIDES
Shootout @ Blackbox Corral
Larry Suto
VIDEO / SLIDES
14:00-14:45 Practical Advanced Threat Modeling
John Steven
VIDEO / SLIDES
The OWASP Orizon Project: towards version 1.0
Paolo Perego
VIDEO / SLIDES
Building Usable Security
Zed Abbadi
VIDEO / SLIDES
15:00-15:45 Off-shoring Application Development? Security is Still Your Problem
Rohyt Belani
VIDEO / SLIDES
OWASP EU Summit Portugal
Dinis Cruz
VIDEO / SLIDES
A Security Architecture Case Study
Johan Peeters
VIDEO / SLIDES
16:00-16:45 Vulnerabilities in application interpreters and runtimes
Erik Cabetas
VIDEO / SLIDES
Cryptography For Penetration Testers
Chris Eng
VIDEO / SLIDES
Memory Corruption and Buffer Overflows
Dave Aitel
VIDEO / SLIDES
17:00-17:45 Event Wrap-Up / Speaker & CTF Awards and Sponsor Raffles
VIDEO
18:30-19:30 OWASP Foundation, Chapter Leader Meeting – to collect ideas to make OWASP better!

OWASP SnowFROC

OWASP SnowFROC from Denver, CO 2009
MARCH 5, 2009
07:30-08:30 Registration and Continental Breakfast in the Sponsor Expo Room
08:30-08:35 Welcome to SnowFROC AppSec 2009 Conference – David Campbell, OWASP Denver
08:35-09:45 Keynote: “Top Ten Web Hacking Techniques of 2008: What’s possible, not probable” – Jeremiah Grossman, Whitehat Security

Video

09:45-10:15 OWASP State of the Union – Tom Brennan, OWASP Board
10:15-10:30 Break – Expo – CTF – Beatz by DJ Jackalope
Management / Executive Track: Room 1 Deep Technical Track: Room 2
10:30-11:15 Doing More with Less: Automate or Die – Ed Bellis, Orbitz

Video

“Poor Man’s Guide to Breaking PKI: Why You Don’t Need 200 Playstations” – Mike Zusman, Intrepidus Group
11:15-12:00 “A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors” – Alan Paller, SANS
“Adobe Flex, AMF 3 and BlazeDS: An Assessment” – Kevin Stadmeyer, Trustwave

Video

12:00-13:00 Lunch – Expo – CTF – Beatz by DJ Jackalope
Management / Executive Track: Room 1 Deep Technical Track: Room 2
13:00-13:50 “Building an Effective Application Security Program” – Joey Peloquin, Fishnet Security

Video

“Bad Cocktail: Spear Phishing + Application Hacks” – Rohyt Belani, Intrepidus Group

Video

13:50-14:50 “Automated vs. Manual Security: You can’t filter The Stupid” – David Byrne & Charles Henderson, Trustwave

Video

“SQL injection: Not only AND 1=1” – Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.

Video

14:50-15:00 Break – Expo – CTF – Beatz by DJ Jackalope
15:00-15:50 “Security Policy Management: Best Practices for Web Services and Application Security” – Ray Neucom, IBM

Video

“Vulnerability Management in an Application Security World” – Dan Cornell & John Dickson, Denim Group

Video

15:50-16:30 Panel: Emerging Threats and Enterprise Countermeasures – Moderator: John Dickson
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom
16:30-17:30 Conference Wrap Up, CTF Awards & Sponsor Raffles – CTF – Beatz by DJ Jackalope
17:30-21:00 OWASP Social Gathering: Dinner and Drinks @ TBD

OWASP Minneapolis/St. Paul (OWASP MSP)

Presentations from the OWASP Minneapolis-St. Paul (OWASP MSP) chapter events hosted in the Twin Cities area of Minnesota are now on their own page. Please visit OWASPMSP_Videos page for links to them. Some of the presenters include Pravir Chandra, Bruce Schneier, Jeremiah Grossman, Ryan Barnett, and many others.

Black Hat 2006

From Black Hat 2006:

Dinis Cruz @ BlackHat 2006 with FSTV
Dinis Cruz, leader of the OWASP.NET project joins us to talk about .NET, web security tools, the future of OWASP, and Open Source Software. OWASP – 30 min – Aug 30, 2006

AppSec Washington 2005

From the 2nd U.S. OWASP Conference held Oct 11-12, 2005 – Day 1:

OWASP_Intro_DaveWichers_Key_JoeJarzombek_RonRoss.mp4
OWASP Intro: Dave Wichers – Key Note Day 1: Joe Jarzombek – Dir. of Software Assurance – DHS – Software Assurance: Considerations for Advancing a National Strategy to Secure Cyberspace & Ron Ross -FISMA Project Lead – NIST – Status of the Federal Information Security Management Act (FISMA) Project. OWASP – 2 hr 7 min – Oct 11, 2005
OWASP_JackDanahy_The_Business_Case_for_Software_Security_Assurance.mp4
OWASP Jack Danahy – The Business Case for Software Security Assurance. OWASP – 1 hr 2 min – Oct 11, 2005
OWASP_ArianEvans_Tools_SurveyProject.mp4
OWASP Arian Evans – The OWASP Tools Survey Project. OWASP – 1 hr 18 min – Oct 11, 2005
OWASP_DinizCruz_Rooting_the_CLR.mp4
OWASP Dinis Cruz – Rooting the CLR. OWASP – 1 hr 22 min – Oct 11, 2005
OWASP_PaulBlack_RickKuhn.mp4
OWASP Paul Black – NIST – Developing a Reference Dataset & Rick Kuhn – NIST – Software Fault Interactions. OWASP – 1 hr 9 min – Oct 11, 2005
OWASP_AlexSmolen_Application_Logic_Defense.mp4
OWASP Alex Smolen – Application Logic Defense. OWASP – 36 min – Oct 11, 2005
OWASP_DanielCuthbert_Evolution_WebAppPenTest.mp4
OWASP Daniel Cuthbert – OWASP Testing Guide Lead – The Evolution Web App Pen Testing. OWASP – 1 hr 11 min – Oct 11, 2005

The 2nd U.S. OWASP Conference Day 2:

OWASP_IraWinkler_Secrets_of_Superspies.mp4
OWASP Ira Winkler – Keynote Day 2: Secrets of Superspies & Jeremy Poteet – In the Line of Fire: Defending Highly Visible Targets. OWASP – 2 hr 2 min – Oct 12, 2005
OWASP_JeffWilliams_OWASP_Guide_and_Membership.mp4
OWASP Jeff Williams – OWASP Development Guide and OWASP Membership Plan. OWASP – 1 hr 12 min – Oct 12, 2005
OWASP_DinizCruz_DotNet_Tools_Project.mp4
OWASP Dinis Cruz – The .Net Tools Project. OWASP – 1 hr 15 min – Oct 12, 2005
OWASP_MattFisher_WormsNowTargetingWebApps.mp4
OWASP Matt Fisher – Worms Now Targeting Web Applications. OWASP – 49 min – Oct 12, 2005
OWASP_RoganDawes_AdvancedFeaturesofWebScarab.mp4
OWASP Rogan Dawes – Advanced Features of OWASP WebScarab. OWASP – 1 hr 24 min – Oct 12, 2005
OWASP_JohnSteven_Building_a_Scalable_Software_Security_Practice.mp4
OWASP John Steven – Building a Scalable Software Security Practice. OWASP – 1 hr 19 min – Oct 12, 2005
OWASP_GunnerPeterson_IntegratingIdentityServicesintoWebApps.mp4
OWASP Gunnar Peterson – Integrating Identity Services into Web Apps. OWASP – 35 min – Oct 12, 2005

Central Ohio Infosec Summit 2015 Videos


Keynotes

We’re At War – Why Aren’t You Wearing A Helmet?
Bill Sieglein

Ghost In The Shadows – Identifying Hidden Threats Lurking On Our Networks
Deral Heiland

Rebuilding and Transforming an Information Security Function
Susan Koski

InfoSec’s Midlife Crisis & Your Future…
Tsion Gonen

Current Cyber Threats: An Ever-Changing Landscape
Kevin Rojek


Tech 1

IT Isn’t Rocket Science
David Mortman

Mind On My Money, Money On My Malware
Dustin Hutchison

Private Cloud Security Best Practices
Mike Greer

Cyber Espionage – Attack & Defense
Michael Mimoso

Three Years of Phishing – What We’ve Learned
Mike Morabito

Piercing Your Perimeter, Dodging Detection, and Other Mayhem! a.k.a. Pen Tester Voodoo 101
Mick Douglas

Physical Penetration Testing: You Keep a Knockin’ But You Can’t Come In!
Phil Grimes


Tech 2

Honeypots for Active Defense – A Practical Guide to Deploying Honeynets Within the Enterprise
Greg Foss

Building Security Awareness Through Social Engineering
Valerie Thomas & Harry Regan

Open Source Threat Intelligence: Building A Threat Intelligence Program Using Public Sources & Open Source Tools
Edward McCabe

Modern Approach to Incident Response
James Carder and Jessica Hebenstreit

Having your cake and eating it too! Deploying DLP services in a Next Generation Firewall Environment
Mike Spaulding

Using Machine Learning Solutions to Solve Serious Security Problems
Ryan Sevy & Jason Montgomery

Electronic Safe Fail
Jeff Popio

Emerging Trends in Identity & Access Management
Robert Block

Building a Successful Insider Threat Program
Daniel Velez

A New Mindset Is Needed – Data Is Really the New Perimeter!
Jack Varney


OWASP

Software Security Cryptography
Aaron Bedra

Threat Analytics 101: Designing A “Big Data” Platform For Threat Analytics
Michael Schiebel

Developers Guide to Pen Testing (Hack Thyself First)
Bill Sempf

OWASP 2014 – Top 10 Proactive Web Application Controls
Jason Montgomery


GRC

IAM Case Study: Implementing A User Provisioning System
Keith Fricke

Measuring the Maturity of Your Security Operations Capabilities
Clarke Cummings

Exploring the Relationship between Compliance and Risk Management
Mark Curto

Data Loss Prevention – Are You Prepared?
Jason Samide

Compliance vs. Security – How to Build a Secure Compliance Program
Jeff Foresman

Overview and Analysis of NIST Cybersecurity Framework
Sarah Ackerman

The Explosion of Cybercrime – The 5 Ways IT May Be an Accomplice
Mark Villinski

GRC: Governance, Ruses & Confusion
Shawn Sines

Security Directions and Best Practices
Kevin Dempsey


Executive

Data Breach: If You’re Not Prepared, You Can’t Be Responsive
John Landolfi

Ten Practical Ideas For Creating An Attentive and Supportive Organization: Sales & Marketing For the Security Team
Glenn Miller

Strengthening Your Security Program
Chad Robertson

Presenting Security Metrics to the Board
Nancy Edwards

DREAMR – Obtain Business Partnerships
Jessica Hebenstreit

Security Talent In Ohio – A Discussion
Helen Patton

Silos to Seamless: Creating a Comprehensive Security Program
Jeremy Wittkop

Ascending Everest: Managing Third-Party Risk in the Modern Enterprise
Thomas Eck

And Then The World Changed…Again
Jason Harrell

Corporate Uses for Anonymity Networks
Adam Luck

Going To The Dark Side: A Look Into My Transition From Technologist To Salesman
Aaron Ansari

Building An Industrial Controls Cybersecurity Framework (Critical Infrastructure)
Ernie Hayden

Panel Discussion Insourcing Outsourcing and Hybrid
Helen Patton, Louis Lyons, Greg Franz, Jeffery Sweet, Sassan Attari, Carla Donev, Kent King

Closing


Download: https://archive.org/details/CentralOhioInfoSecSummit2015

BSides Tampa 2015 Videos


Track 1

Bug Bounties and Security Research
Kevin Johnson

Securing The Cloud
Alan Zukowski

Hacking
Chris Berberich

Vendor Induced Security Issues
Dave Chronister

Pentest Apocalypse
Beau Bullock

Kippo and Bits and Bits
Chris Teodorski

The Art of Post-infection Response & Mitigation
Caleb Crable

The Need for Pro-active Defense and Threat Hunting Within Organizations
Andrew Case


Track 2

Finding Common Ground within the Industry and Beyond
David Shearer

Ways to Identify Malware on a System
Ryan Irving

Android Malware and Analysis
Shane Hartman

Teaching Kids (and Even Some Adults) Security Through Gaming
Le Grecs

Evaluating Commercial Cyber Threat Intelligence
John Berger


Track 3

Cyber Geography and the Manifest Destiny of the 21st Century
Joe Blankenship

Mitigating Brand Damage From A Cyber Attack
Guy Hagen

What is a security analyst and what job role will they perform
James Risler

Live Forensic Acquisition Techniques
Joe Partlow

Cyber Security Awareness for Healthcare Professionals
Marco Polizzi


Download from: https://archive.org/download/BSidesTampa2015

Wiki-like CTF write-ups repositories, maintained by the community. 2013, 2014 and 2015


CTF write-ups 2013-2014-2015

There are some problems with CTF write-ups in general:

  • they’re scattered across the interwebs
  • they don’t usually include the original files needed to solve the challenge
  • some of them are incomplete or skip ‘obvious’ parts of the explanation, and are therefore not as helpful for newcomers
  • often they disappear when the owner forgets to renew their domain or shuts down their blog

This repository aims to solve those problems.

It’s a collection of CTF source files and write-ups that anyone can contribute to. Did you just publish a CTF write-up? Let us know, and we’ll add a link to your post — or just add the link yourself and submit a pull request. Spot an issue with a solution? Correct it, and send a pull request.

Archive

  • Write-ups for CTFs that occurred in 2013: https://github.com/ctfs/write-ups-2013
      • backdoorctf-2013
      • csaw-quals-2013
      • hack-lu-ctf-2013
  • Write-ups for CTFs that occurred in 2014: https://github.com/ctfs/write-ups-2014
      • 31c3-ctf-2014
      • 9447-ctf-2014
      • asis-ctf-finals-2014
      • asis-ctf-quals-2014
      • boston-key-party-2014
      • codegate-preliminary-2014
      • confidence-ds-ctf-teaser
      • csaw-ctf-2014
      • d-ctf-2014
      • def-con-ctf-qualifier-2014
      • defkthon-ctf
      • ectf-2014
      • ghost-in-the-shellcode-2014
      • ghost-in-the-shellcode-2015-teaser
      • gpn-ctf-2014
      • hack-in-the-box-amsterdam-2014
      • hack-lu-ctf-2014
      • hack-you-2014
      • hitcon-ctf-2014
      • ncn-ctf-2014
      • ncn-ctf-quals-2014
      • notsosecure-ctf-2014
      • nuit-du-hack-ctf-qualifications
      • olympic-ctf-2014
      • phdays-iv-finals
      • phdays-iv-quals
      • pico-ctf-2014
      • plaid-ctf-2014
      • pwnium-ctf-2014
      • qiwi-ctf-2014
      • ructf-2014-quals
      • ructfe-2014
      • seccon-ctf-2014
      • secuinside-ctf-prequal-2014
      • stripe-ctf3
      • su-ctf-quals-2014
      • tinyctf-2014
      • volga-quals-2014
  • Write-ups for CTFs that occurred in 2015: https://github.com/ctfs/write-ups-2015
      • 0ctf-2015
      • backdoor-ctf-2015
      • bctf-2015
      • boston-key-party-2015
      • break-in-ctf-2015
      • bsides-vancouver-ctf-2015
      • codegate-ctf-2015
      • codegate-ctf-junior-2015
      • cyber-security-challenge-2015
      • ghost-in-the-shellcode-2015
      • ibteam-blackvalentine-ctf-2015
      • insomni-hack-ctf-2015
      • insomni-hack-ctf-teaser-2015
      • nuit-du-hack-ctf-quals-2015
      • nullcon-hackim-2015
      • opentoall-ctf-2015
      • pragyan-ctf-2015
      • sCTF-2015
      • securinets-ctf-2015
      • th3jackers-ctf-2015
      • uiuctf-2015

A collection of tools used to maintain and create CTF writeup folders:
https://github.com/ctfs/write-ups-tools

Generate a CTF directory/skeleton

Use this tool to generate a CTF skeleton.

This is how I usually maintain a new CTF directory/skeleton:

  • Create an empty directory for the CTF, ending with the current year, e.g. example-ctf-2015/
  • Create an empty directory in this new CTF directory for each task category, e.g. mkdir crypto web misc trivia
  • Create an empty directory for each task in the matching category folder, e.g. mkdir crypto/{rsalot,rsanne} (no space after the comma, or shell brace expansion will not fire and you get a directory literally named {rsalot,)
  • Download all CTF files during the CTF and save the description, points, original task name, solves and task category for each file in a file named info, e.g. crypto/rsalot/info and crypto/rsanne/info
  • Generate a README.md for each info file in the CTF directory using the genctf.py tool, e.g. python genctf.py example-ctf-2015/ info 'Example CTF'
  • Remove all info files (make a backup of your CTF directory just in case) using find example-ctf-2015 -name info -delete
  • Tell git to ignore all files that are bigger than 10MBytes with cd example-ctf-2015; find . -size +10M >> .gitignore
  • Edit each README.md to fill in missing information (e.g. Authors, references and solves)
  • Move the CTF directory to the write-ups-$YEAR repo, making sure that it does not exist there yet

A general collection of information, tools, and tips regarding CTFs and similar security competitions:
http://ctfs.github.io/resources

CTF Resources

(https://github.com/ctfs/resources)

This repository aims to be an archive of information, tools, and references regarding CTF competitions.

CTFs, especially for beginners, can be very daunting and almost impossible to approach. With some general overviews of common CTF topics and more in-depth research and explanation in specific technologies both beginners and veterans can learn, contribute, and collaborate to expand their knowledge.

Quick Start

  1. First time? READ THIS! and then the section below. Once you understand the basics, use the resources in the topics directory to try to solve challenges on websites like OverTheWire or CanYouHack.it.
  2. Beginner? Use the guides found in the topics directory to try to find out what type of challenges you are presented with and participate in some of the CTFs on ctftime.
  3. Intermediate? Navigate straight to the topic you are interested in to find extra online resources to help you solve more complex challenges.
  4. Master? Help improve this repository! Have a new type of vulnerability you want to explain? Write about it and how to use it! Have a new tool people can use? add it to the tools directory!

What are CTFs?

CTFs are computer security/hacking competitions which generally consist of participants breaking, investigating, reverse engineering and doing anything they can to reach the end goal, a “flag” which is usually found as a string of text.

DEF CON hosts what is the most widely known and first major CTF, occurring annually at the hacking conference in Las Vegas. Many different competitions have branched off since then, and numerous ones are available year round. One of the best places to see when CTFs are being scheduled is CTFTime, an active website with calendars and team rankings.

Example

A very simple type of CTF challenge consists of looking at the source code of websites or programs to find flags and/or hints. For example, can you find the flag hidden on this page?

Moving On

You may be able to solve some CTF challenges after looking through the documents in this repository and understanding the basics of the technologies and subjects covered, but you won’t be very proficient or successful for long. To be an adept CTF competitor you have to be able to combine many different strategies and tools to find the flag. Developing the ability to find flags quickly takes practice more than anything, and participating in numerous CTFs will allow you to expand your understanding and abilities, leading you to success. Spend some time on CTFTime working through CTFs to truly improve and learn.

Conclusion

Now that you know the basics of CTFs, you can visit ctftime and try out a CTF! Using your background knowledge and the information on this page you’ll be able to develop a solid basis in computer security.


Cryptography

Cryptography is the practice and study of techniques for secure communication in the presence of third parties. – Wikipedia

In the case of CTFs, the goal is usually to crack or clone cryptographic objects or algorithms to reach the flag.

Example

If you look around the folders in this page you should be able to find a suitable way to solve this simple cipher:

Hint: Julius Caesar's favorite cipher

kxn iye lbedec

Getting Started

To-Do

Sources/See More

Introduction to Cryptography


Caesar Cipher

The Caesar Cipher is a very simple and common encryption method which does not appear often in full-fledged CTFs but forms part of the basis of cryptography. It simply shifts a string of letters a certain number of positions up or down the alphabet.

Let’s say we want to encrypt the string hello world to give to our friend whose favorite number is 3. We will shift our string left 3.

Taking the first letter h in our string and going 3 places up the alphabet (as it is a left shift) gives us the letter e. We then start our new, encrypted string with that letter.

Doing so for the whole original string creates a jumbled mess of incomprehensible letters to anyone but the reader with the proper decryption shift:

Original: hello world

Final: ebiil tloia

To let our friend read this, we would send him the final string with the instructions right 3, and either by hand, with a website, or with a script, he would be able to extract our message.

Detecting

Caesar ciphers are usually presented in very low-point tasks, if at all, and can be easy to detect and check for. Strings containing incomprehensibly jumbled letters are possible Caesar ciphers and should be checked.

Solving

There are many approaches to cracking Caesar ciphers, but usually the best way to solve them is to write a script or run the string through a website which will print out all the possible shifts of a string. From those results the most comprehensible and logical solution can be chosen.

CTF Example

To-do

Sources/See More

Brute force Caesar cipher cracker


Vigenère Cipher

The Vigenère Cipher is a method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword – Wikipedia.

Please read the article on Caesar Ciphers if you haven’t already, because the Vigenère Cipher is a direct derivative of it. The Vigenère cipher takes a keyword and applies a Caesar shift to each letter of the plaintext, with the size of each shift given by the corresponding letter of the keyword, repeating the keyword as needed.
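An added example (not code from the ctfs/resources repository) serving both the Caesar section above and this one: the shift routine, the "print every shift" brute force from the Caesar Solving section, and Vigenère built as a per-letter Caesar shift driven by the keyword. The keyword lemon and the plaintext attackatdawn are assumed test values, not taken from the page.

```python
import string

ALPHABET = string.ascii_lowercase


def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions (negative = left shift, as in
    the hello world example); case is preserved and non-letters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_all_shifts(ciphertext: str) -> list:
    """The 'print out all the possible shifts' approach: returns
    (shift_back, candidate) for all 26 shifts so the readable one can be picked."""
    return [(k, caesar_shift(ciphertext, -k)) for k in range(26)]


def vigenere(text: str, keyword: str, decrypt: bool = False) -> str:
    """Vigenère = a different Caesar shift for each letter, taken from the
    keyword letters in turn (a=0 ... z=25); the key advances only on letters."""
    key = [ALPHABET.index(c) for c in keyword.lower()]
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            k = key[i % len(key)]
            out.append(caesar_shift(ch, -k if decrypt else k))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(caesar_shift("hello world", -3))  # the text's left shift by 3
    # The page's own Caesar puzzle: one of the 26 lines reads as English.
    for k, candidate in caesar_all_shifts("kxn iye lbedec"):
        print(f"shift back {k:2d}: {candidate}")
    # Assumed Vigenère test values (keyword lemon).
    ct = vigenere("attackatdawn", "lemon")
    print(ct, vigenere(ct, "lemon", decrypt=True))
```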

To-Do Example

Detecting

Vigenère ciphertext looks like any other substitution cipher, but trying to solve it as a Caesar cipher will not work. Check for this type of cipher if the Caesar cipher crack does not work.

Solving

To-Do

CTF Example

DEKTHON 2014 had a simple Vigenère cipher with no hints and only a line of text:

ucoizsbtkxhtadcg

Solution can be found here.

Sources/See More

Online Vigenère cracker


MD5 Hashing

MD5 is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number – Wikipedia.

This system is commonly used to check the integrity of files (like downloads). Because of the way MD5 hashes are computed, any slight variation in a file produces a new hash that is completely different from the previous one, making changes to files (e.g. corruption during download or tampering) very apparent.

Creating an MD5 hash is very simple, as there are multiple online tools like md5-creator and even a command line tool md5sum which will quickly create a sum from input.

Detecting

MD5 hashes are easy to recognise: the digest is always 128 bits, which prints as a 32-character hexadecimal string.
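An added example, not part of the original page, that exercises the points above with Python's hashlib: the 32-hex-digit digest, a shape check for strings found in a challenge, the avalanche effect on a one-byte change, the download integrity check, and a wordlist lookup of the kind the "Easy MD5 cracker" link performs. All sample inputs are constructed.

```python
import hashlib
import hmac
import re
from typing import Optional

# A digest in text form is exactly 32 hex digits (the "Detecting" rule above).
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def md5_hex(data: bytes) -> str:
    """128-bit MD5 of `data`, rendered as the usual 32-character hex string."""
    return hashlib.md5(data).hexdigest()


def looks_like_md5(s: str) -> bool:
    """Triage a string from a challenge: does it have the shape of an MD5 digest?"""
    return MD5_RE.match(s.strip()) is not None


def bits_changed(hex_a: str, hex_b: str) -> int:
    """Number of the 128 digest bits that differ: the avalanche effect the text
    describes, which is what makes a corrupted or altered download stand out."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_download(data: bytes, published_md5: str) -> bool:
    """The integrity-check use case: recompute and compare (constant-time)."""
    return hmac.compare_digest(md5_hex(data), published_md5.lower())


def crack_md5(target_hex: str, wordlist: list) -> Optional[str]:
    """What an 'easy MD5 cracker' does: hash candidates until one matches.
    Unsalted MD5 of a short word falls to this instantly, which is why MD5 is
    unsuitable for protecting stored passwords."""
    target = target_hex.lower()
    for word in wordlist:
        if md5_hex(word.encode()) == target:
            return word
    return None


if __name__ == "__main__":
    # Constructed sample: a "download" and the same bytes with one byte altered.
    original = b"constructed release archive contents"
    tampered = b"constructed release archive contentS"
    h_ok, h_bad = md5_hex(original), md5_hex(tampered)
    print(h_ok, looks_like_md5(h_ok))
    print("bits changed by a one-byte edit:", bits_changed(h_ok, h_bad))
    print("tampered copy passes check:", verify_download(tampered, h_ok))
    print(crack_md5(md5_hex(b"letmein"), ["password", "letmein", "hunter2"]))
```

MD5 still catches accidental corruption, but it is not collision resistant, so a bare MD5 sum does not protect a download against deliberate substitution; publish a SHA-256 sum or a signature for that.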

Solving

To-Do

Sources/See More

Easy MD5 cracker


RSA

To-do

Detecting

To-do

Solving

To-do

CTF Example

BackdoorCTF 2014 had an RSA challenge which simply provided a public key and encrypted text file.

The solution can be found here.

Sources/See More

CTF Write-up


Steganography

Steganography is the art or practice of concealing a message, image, or file within another message, image, or file. – Wikipedia

In the context of CTFs steganography usually involves finding the hints or flags that have been hidden with steganography. Most commonly a media file will be given as a task with no further instructions, and the participants have to be able to uncover the message that has been encoded in the media.

Example

Images are a very common medium for steganography, as they are easy to manipulate and simple to view and transport. Files in Images give a good introduction for beginner steganography.

Getting Started

A rudimentary knowledge of media filetypes (e.g. jpg, bmp, png for pictures and wav, mp3 for sound) is essential to steganography, as understanding in what ways files can be hidden and obscured is crucial. Also, understanding basic Linux is important, as a multitude of tools are specifically for bash.

Sources/See More


Hiding a file in an image

One of the most common steganography tricks is to hide a file inside of an image. The file will open normally as an image but will also hold hidden files inside, commonly zip, text, and even other image files.

This works because an image file has starting and ending bytes that delimit the image data. The image viewer you use renders the information between these bytes and ignores anything after the terminating bytes.

For example, the terminating bytes of a JPEG are FF D9 in hex, so using a hex viewer (xxd is good for Linux, or something like HxD for Windows) you can find out where the image finishes. These bytes are sometimes hard to find in a sea of numbers though, so looking at the dump of the hex (the text representing the hex bytes) can also help you find hidden .txt or .zip files.

Example

A very simple implementation of this strategy is used in the example.jpg file in this directory. If you save it to your computer and open it up with an image viewer, you should be presented with a simple jpg image.

Now let’s try to find the flag. Open up the image in your favorite hex editor and start looking around for something odd (you may find the flag itself in the dump at this point, but for the sake of example try extracting it). Near the bottom of the file you should see the terminating bytes of a jpg, ffd9:

01e17a0: 685c 7fab 8eb4 5b32 61f1 c4ff d950 4b03 h\....[2a....PK.

Another important part of this line is the PK near the end. PK are the initials of Phil Katz, the inventor of the zip file, and indicate that a zip file starts at that point.

Using this information we can use another handy Linux tool, dd. The dd command is very versatile and allows for the copying and converting of a multitude of files. In our case, we are going to be using it to extract the zip file.

We know the location of the zip file, but dd only takes decimal values, so we convert the hexadecimal location 0x01e17ad to decimal to get 1972141.

Plugging this into dd:

dd if=example.jpg bs=1 skip=1972141 of=foo.zip

This takes in the image example.jpg, the ‘in file’ if, reads one block at a time, ‘block size’ bs, skips to block 1972141, skip, and writes it to the ‘out file’ zip we call foo.zip. When this completes you should have a zip file you can easily unzip to access the text file inside.

This is the long way of solving a simple steganography problem but shows how the strategy works. In the Solving section more concise and efficient methods are described.
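Scripted form of the FF D9 / PK carving walked through above, added here as an example rather than taken from the original page. It builds a constructed JPEG-like byte string with a zip appended (not the page's example.jpg), and it also handles an FF D9 that occurs inside the image data, the "sea of numbers" case the text mentions, by accepting only an FF D9 that is directly followed by the zip signature.

```python
import io
import zipfile
from typing import Dict, Optional

JPEG_EOI = b"\xff\xd9"           # end-of-image marker described in the text
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # 50 4b 03 04: the 'PK' seen in the hex dump


def find_trailing_zip(data: bytes) -> int:
    """Offset where a zip glued after the JPEG starts, or -1 if there is none.
    FF D9 can also appear inside compressed image data, so an FF D9 only counts
    when the bytes right after it are the zip local-file-header signature."""
    pos = 0
    while True:
        pos = data.find(JPEG_EOI, pos)
        if pos == -1:
            return -1
        after = pos + len(JPEG_EOI)
        if data.startswith(ZIP_LOCAL_HEADER, after):
            return after
        pos = after


def carve_zip(data: bytes) -> Optional[bytes]:
    """In-memory equivalent of: dd if=example.jpg bs=1 skip=<offset> of=foo.zip"""
    off = find_trailing_zip(data)
    return None if off == -1 else data[off:]


def read_hidden_files(jpeg_with_payload: bytes) -> Dict[str, bytes]:
    """Carve the zip and return {name: contents} for everything inside it."""
    z = carve_zip(jpeg_with_payload)
    if z is None:
        return {}
    with zipfile.ZipFile(io.BytesIO(z)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def hex_offset_to_dd_skip(hex_offset: str) -> int:
    """dd wants decimal: the text's 0x01e17ad becomes 1972141."""
    return int(hex_offset, 16)


def build_sample() -> bytes:
    """Constructed test input (not the page's example.jpg): a fake JPEG body
    containing a decoy FF D9 mid-stream, with a zip appended after the real EOI."""
    fake_jpeg = (b"\xff\xd8\xff\xe0" + b"\x00" * 40 + JPEG_EOI
                 + b"\x11" * 40 + JPEG_EOI)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "flag{constructed_example}")
    return fake_jpeg + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("zip starts at byte", find_trailing_zip(sample))
    print(read_hidden_files(sample))
    print("dd skip for 0x01e17ad:", hex_offset_to_dd_skip("0x01e17ad"))
```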

Detecting

These challenges are usually presented as a simple picture with no other instructions, and it is up to the competitor to run it through a hex editor to find out if it involves steganography. If you are presented with an image and no instructions, your safest bet is that it has something hidden after the closing bytes of the image.

Solving

Although it is possible and at times practical to solve these tasks using Linux tools like dd, there are some tools that make it much easier. Binwalk is an immensely useful tool which automatically detects and extracts files hidden with steganography tools.

CTF Example

Steganography of this type is usually not scored very highly but is decently widespread. BackdoorCTF 2014 created one which is generally straightforward, ctfexample.jpg, but involves multiple layers.

Sources/See More

XXD

HxD

DD

Binwalk


Hidden Text in Images

A simple steganography trick that is often used for watermarks rather than outright steganography is hiding nearly invisible text in images. The text can be hidden by making it nearly invisible (turning its opacity down to below 5%) or by using certain colors and filters on it. Although the text is indiscernible to the naked eye, it is still there, and there are a variety of tools which allow the text to be extracted.

Example

Using the tactics detailed below, can you find the flag in this image?

flag

Detecting

Detecting this type of steganography can be somewhat challenging, but once you know it is being used there are a multitude of tools you can use to find the flag. If you find that there are no other files hidden in the image (e.g. .zip files), you should try to find flags hidden with this method.

Solving

There are multiple ways to find flags hidden in this manner:

  • GIMP or Photoshop can be used to uncover the flag by using different filters and color ranges. This tutorial works remarkably well for finding hidden text.
  • Stegsolve is an immensely useful program for many steganography challenges, allowing you to go through dozens of color filters to try to uncover hidden text.
  • Many scripts have been written to substitute certain colors and make the hidden text legible; for example, this Ruby script highlights the colors passed to it in the image.

CTF Example

PlaidCTF 2014 had a steganography challenge recently with this image:

ctf-example

The write-up for this challenge can be found here.

Sources/See More


Web

Web challenges in CTF competitions usually involve the use of HTTP (or similar protocols) and technologies involved in information transfer and display over the internet like PHP, CMS’s (e.g. Django), SQL, Javascript, and more. There are many tools used to access and interact with the web tasks, and choosing the right one is a major facet of the challenges. Although web browsers are the most common and well known way of interacting with the internet, tools like curl and nc allow for extra options and parameters to be passed and utilized.

Example

To-Do (need a website/server)

Getting Started

Command Line and the Web

If you are running Linux and want extended functionality (like passing custom headers) in web challenges, bash (terminal) commands are your best bet. cURL is a simple but extensible command-line tool for transferring data using various protocols, and allows users to use HTTP to interact with servers, including POST and GET methods.

Example

To see curl at work, you can simply run curl 8.8.8.8 (Google), and the html of Google’s home page should appear.

There are many other options and flags that can be passed to curl, making it an extremely useful tool in CTFs.

Sources/See More

HTTP

cURL


HTTP (Hypertext Transfer Protocol)


PHP

PHP is a server-side scripting language designed for web development.

Sources/See More

PHP


SQL Injections


Miscellaneous

Many challenges in CTFs will be completely random and unprecedented, requiring simply logic, knowledge, and patience to be solved. There is no sure-fire way to prepare for these, but as you complete more CTFs you will be able to recognize and hopefully have more clues on how to solve them.

Examples

In recent CTFs the sheer variety of miscellaneous tasks has been highly exemplified, for example:

Sources/See More

CTF Write-Ups

CTFTime

Videos from RuxCon 2012


Videos from Louisville Metro InfoSec 2013

Videos from BruCon 2013

Videos from LinuxCon North America 2013


Documents from Hack In The Box Security Conference (HITBSECCONF) 2013


Documents from Virus Bulletin 2013


Corporate stream

  • Andreas Lindh (‘Surviving 0-days – reducing the window of exposure’)
  • Sabina Datcu (‘Targeted social engineering attacks. Sensitive information, from a theoretical concept to a culturally defined notion’)
  • Michael Johnson (‘Make it tight, protect with might, and try not to hurt anyone’)
  • Randy Abrams & Ilya Rabinovich (‘Windows 8 SmartScreen application control – what more could you ask for?’)
  • Axelle Apvrille (‘Analysis of Android in-app advertisement kits’)
  • Vanja Svajcer (‘Classifying PUAs in the mobile environment’)
  • Roman Unuchek (‘Malicious redirection of mobile users’)
  • Craig Schmugar (‘Real-world testing, the good, the bad, and the ugly’)
  • Ciprian Oprisa & George Cabau (‘The ransomware strikes back’)
  • Jarno Niemela (‘Statistically effective protection against APT attacks’)
  • Sergey Golovanov (‘Hacking Team and Gamma International in “business-to-government malware”’)

Technical stream

  • Carsten Willems & Ralf Hund (‘Hypervisor-based, hardware-assisted system monitoring’)
  • James Wyke (‘Back channels and bitcoins: ZeroAccess’ secret C&C communications’)
  • Xinran Wang (‘An automatic analysis and detection tool for Java exploits’)
  • Rowland Yu (‘GinMaster: a case study in Android malware’)
  • Samir Mody (‘“I am not the D’r.0,1d you are looking for”: an analysis of Android malware obfuscation’)
  • Farrukh Shazad (‘The Droid Knight: a silent guardian for the Android kernel, hunting for rogue smartphone malware applications’)
  • Fabio Assolini (‘PAC – the Problem Auto-Config (or “how to steal bank accounts with a 1KB file”)’)
  • Samir Patil (‘Deciphering and mitigating Blackhole spam from email-borne threats’)
  • Evgeny Sidorov (‘Embedding malware on websites using executable webserver files’)
  • Amr Thabet (‘Security research and development framework’)

‘Last-minute’ technical papers


Documents and Videos from EkoParty 2013


  • Droid Rage: Android exploitation on steroids – Pablo Solé – PDF / Video
  • Modification to the Android operating system’s resource control – Joaquín Rinaudo – ZIP / Video
  • Compromising industrial facilities from 40 miles away – Carlos Mario Penagos – PDF / PDF / Video
  • Atacando IPv6 con Evil FOCA (Attacking IPv6 with Evil FOCA) – Chema Alonso – PPT / Video
  • String allocations in Internet Explorer – Chris Valasek – PPT / Video
  • Compilador ROP (ROP compiler) – Christian Heitman – PDF / Video
  • BIOS Chronomancy – Corey Kallenberg – PPT / Video
  • Defeating Signed BIOS Enforcement – Corey Kallenberg – PPT / Video
  • ERP Security: how hackers can open the box and take the jewels – Jordan Santasieri – PDF / Video
  • Shoulder surfing 2.0 – Federico Pacheco – PPT / Video
  • A symbolic execution engine for amd64 binaries – Felipe Manzano – PDF / Video
  • Do you know who is watching you? – Nahuel Riva – PPT / Video
  • Ahí va el capitán Beto por el espacio (There goes Captain Beto through space) – Gera Richarte – PDF / Video
  • Vote early and vote often – Harri Hursti – PDF / Video
  • Sandboxing Linux code to mitigate exploitation – Jorge Lucangeli Obes – PDF / Video
  • All your sextapes are belong to us – Patricio Palladino – tgz / Video
  • Debuggers are really powerful – Pwning all of the Android things – Mathew Rowley – PDF / Video
  • Weighing in on issues with “Cloud Scale”: Hacking the Withings WS-30 – Michael Coppola – PDF / Video
  • Sentinel – Nicolás Economou – PDF / Video
  • Uncovering your trails. Privacy issues of Bluetooth devices – Verónica Valeros – PDF / Video
  • A mystery trip to the origin of Bitcoin – Sergio Demián Lerner – PDF / Video

Documents from RuxCon 2013

Documents from Hack.Lu 2013

Documents from Zero Nights 2013


Documents from: http://2013.zeronights.org/materials