Never Ending Security

NISTFOIA: FOIA for NIST documents related to the design of Dual EC DRBG



Results of a recent FOIA for NIST documents related to the design of Dual EC DRBG.

These FOIA results are the combined result of two separate requests. Thanks to the following requestors:

  • Matthew Stoller and Rep. Alan Grayson
  • Andrew Crocker and Nate Cardozo of EFF

I have contributed only OCR and hosting. Happy hunting,

Matt Green, 6/5/2014


1.15.2015 production/9.1.2 Keyless Hash Function DRBG.pdf
1.15.2015 production/ANSI X9.82 Discussions.pdf
1.15.2015 production/ANSI X9.82, Part 3 DRBGs Powers point July 20, 2004.pdf
1.15.2015 production/Appendix E_ DRBG Selection.pdf
1.15.2015 production/Comments on X9.82, Part 4_Constructions.pdf
1.15.2015 production/E1 Choosing a DRBG Algorithm.pdf
1.15.2015 production/Five DRBG Algorithms Kelsey, July 2004.pdf
1.15.2015 production/Hash Funciton chart.pdf
1.15.2015 production/Letter of transmittal 1.15.2015 .pdf
1.15.2015 production/Part 4_Constructions for Building and Validating RBG Mechanisms.pdf
1.15.2015 production/Scan_2015_01_27_13_05_55_026.pdf
1.15.2015 production/Validation Testing and NIST Statistical Test Suite July 22, 2004.pdf
1.22.2015 production/10.1.2 Hash function DRBG Using HMAC.pdf
1.22.2015 production/10.1.3 KHF_DRBG.pdf
1.22.2015 production/8.6.7 Nonce.pdf
1.22.2015 production/8.7 Prediction Resistance and Backtracking Resistance.pdf
1.22.2015 production/ANSI X9.82 Part 3 Draft July 2004.pdf
1.22.2015 production/Annex G_Informative DRBG mechanism Security Properties.pdf
1.22.2015 production/Appendix G Informative DRBG Selection.pdf
1.22.2015 production/Comments on X9.82 Part 1, Barker May 18, 2005.pdf
1.22.2015 production/Cryptographic security of Dual_EC_DRBG.pdf
1.22.2015 production/D.1 Choosing a DRBG Algorithm.pdf
1.22.2015 production/DRBG Issues Power Point July 20, 2004.pdf
1.22.2015 production/Draft X9.82 Part 3 Draft May 2005.pdf
1.22.2015 production/E.1 Choosing a DRBG Algorithm (2).pdf
1.22.2015 production/E.1 Choosing a DRBG Algorithm.pdf
1.22.2015 production/Final SP 800-90 Barker May 26, 2006.pdf
1.22.2015 production/Fwd_Final SP 800-90 Barker May 26, 2006.pdf
1.22.2015 production/Kelsey comments on SP April 12, 2006.pdf
1.22.2015 production/Latest SP 800-90 Barker May 5, 2006.pdf
1.22.2015 production/Letter of transmittal 1.22.2015.pdf
1.22.2015 production/SP 800-90 Barker June 28, 2006.pdf
1.22.2015 production/SP 800-90_pre-werb version> Barker May 9, 2006.pdf
1.22.2015 production/Terse Description of two new hash-based DRGBs Kelsey, January 2004.pdf
1.22.2015 production/Two New proposed DRBG Algorithms Kelsey January 2004.pdf
1.22.2015 production/X9.82, RGB, Issues for the Workshop.pdf
6.4.2014 production/001 – Dec 2005 -NIST Recomm Random No. Gen (Barker-Kelsey).pdf
6.4.2014 production/002 – Dec 2005 – NIST Recomm Random No. Gen (Barker-Kelsey)(2).pdf
6.4.2014 production/003 – Sept 2005 – NIST Recomm Random No. Gen (Barker-Kelsey).pdf
6.4.2014 production/004 – Jan 2004 – Terse Descr. of Two New Hash-Based DRBGs.pdf
6.4.2014 production/005 – Proposed Changes to X9.82 Pt. 3 (Slides).pdf
6.4.2014 production/006 – NIST Chart 1.pdf
6.4.2014 production/007 – RNG Standard (Under Dev. ANSI X9F1) – Barker.pdf
6.4.2014 production/008 – Random Bit Gen. Requirements.pdf
6.4.2014 production/009 – Seed File Use.pdf
6.4.2014 production/010 – NIST Chart 2.pdf
6.4.2014 production/011 – 9.12 Choosing a DRBG Algorithm.pdf
6.4.2014 production/012 – May 14 2005 – Comments on ASC X9.82 Pt. 1 – Barker.pdf
6.4.2014 production/013 – X9.82 Pt. 2 – Non-Deterministic Random Bit Generators.pdf

The full repository (OCR'd PDFs and index) is at https://github.com/matthewdgreen/nistfoia


CERIAS Security Symposium, 26 & 27 March 2014


We’re living in a time of transition. Cyberthreats are increasing and becoming more sophisticated, victimized organizations are cooperating with competitors and fighting back, and the discussion of expected privacy has become front-page news. These topics, and more, were explored at the 15th Annual CERIAS Security Symposium.

Welcome and Opening Keynote

Welcome: Mitch Daniels

President, Purdue University

Keynote: Amy Hess

Executive Assistant Director of Science and Technology, FBI

Fireside Chat

At the Table

  • Prof. Eugene Spafford
    Executive Director, CERIAS – Purdue University
  • George Kurtz
    President/CEO and Co-Founder, CrowdStrike
  • Josh Corman
    Chief Technology Officer, Sonatype
  • Amy Hess
    Executive Assistant Director of Science and Technology, FBI

Featured Technical Speaker

Josh Corman

Chief Technology Officer, Sonatype

Keynote #2

George Kurtz

President/CEO and Co-Founder, CrowdStrike

Security Plus (not Versus) Privacy

Mark Rasch

Former Chief Privacy Officer at SAIC and Principal at Rasch Technology and Cyber Law

David Medine

Chairman, Privacy and Civil Liberties Oversight Board

CERIAS Awards

Awards Given

  • Diamond & Pillar Awards
  • Poster Presentation Winners

Panel: Sharing Incidence Data While Under Attack

On the Panel

  • Dave Fiore
    Senior Systems Engineer, CyberPoint
  • Paul Baltzell
    Chief Information Officer at State of Indiana
  • Kevin Nauer
    Cyber Security Researcher, Sandia National Laboratories
  • Prof. Sam Liles
    Associate Professor, Cyber Forensics Laboratory – Purdue University
  • Michael West
    Vice President, Cyber Investigations – Fidelity Investments

Panel: APT, Threat Actors, and Trends in Cybercrime

On the Panel

  • Ben Anderson
    Sandia National Laboratories
  • Kevin Alejandro Roundy
    Symantec
  • Marc Brooks
    MITRE Corporation
  • Prof. Marcus Rogers
    Purdue College of Technology

Posters & Presentations 2014

  • Consumer Privacy Architecture for Power Grid Advanced metering infrastructure
  • Privacy Preserving Access Control in Service Oriented Architecture
  • pSigene: Generalizing Attack Signatures
  • Resilient and Active Authentication and User-Centric Identity Ecosystems
  • Semantic Anonymization of Medical Records
  • The Password Wall — A Better Defense against Password Exposure
  • Top-K Frequent Itemsets via Differentially Private FP-trees
  • VeryBioIDX: Privacy Preserving Biometrics-Based and User Centric Authentication Protocol
  • A Framework for Service Activity Monitoring
  • A Key Management Scheme in BYOD Environment
  • FPGA Password Cracking
  • A Study of Probabilistic Password Models
  • Analysis of Coping Mechanisms in Password Selection
  • Detecting Tic-Tac-Stego: Anomaly Detection for Steganalysis in Games
  • Enhancing Analyst Situation Awareness and Event Response in Cyber Network Operations Centers
  • Finland’s Cyber Warfare Capabilities
  • Mutual Restraining Voting Involving Multiple Conflicting Parties
  • Natural Language IAS: The Problem of Phishing
  • Using social network data to track information and make decisions during a crisis
  • A Framework to Find Vulnerabilities Using State Characteristics in Transport Protocol Implementations
  • Divide & Recombine for Big Data Analysis for Cybersecurity – Application of DNS Blacklist Query Study
  • Confidentiality Guidelines for Cloud Storage
  • Cyber 9/12 Student Challenge: Team Purdue Cyber Forensics
  • DC3 Digital Forensics Challenge
  • Implementing Bayesian Statistics from an Analysis of Competing Hypothesis Framework
  • Netherland’s Cyber Capabilities
  • Saudi Arabian Policy on Cyber Capabilities
  • South Korea ICT Index Leader Cyber Assessments
  • Technological Impact of Criminal Enterprises: The Impact of Cloud Computing
  • The Efficacy of Case Studies for Teaching Policy in Engineering and Technology Courses
  • The Impact of University Provided Nurse Electronic Medical Record (EMR) Training on Hospital Provider Systems: A Computer Simulation Approach
  • The Irish Economy’s Vulnerability to Cyber Conflict
  • Threats, Vulnerabilities, and Security Controls in Cloud Computing
  • A Critical Look at Steganographic Investigations
  • Analysis of Cyberattacks on UASs in Simulation
  • Communications, Information, and Cybersecurity in Systems-of-Systems
  • Distributed Fault Detection and Isolation for Kalman Consensus Filter
  • End to End Security in Service Oriented Architecture
  • INSuRE — Information Security Research and Education
  • Log-Centric Analytics for Advanced Persistent Threat Detection
  • Making the Case of Digital Forensics Field Training for Parole Services
  • Periodic Mobile Forensics
  • Robust Hybrid Controller Design: Cyber Attack Mitigation Strategy for Cyber-Physical Systems
  • Text-based Approaches to Detect Phishing Attacks
  • The Case of Using Negative (Deceiving) Information in Data Protection

Assured Identity and Privacy

Consumer Privacy Architecture for Power Grid Advanced metering infrastructure

Dheeraj Gurugubelli, Dr. Chris Foreman and Dr. Melissa Dark

http://www.cerias.purdue.edu/assets/symposium/2014-posters/616-591.pdf

Utilities install smart meters in homes. These smart meters allow the tracking and management of the energy consumption of the consumers. This will enable the utility companies to increase efficiency, lower costs, and reduce pollution. But the advanced meters, which use wireless and digital technologies to send frequent consumption data to utilities, face opposition from customers and others who see them as a threat to health, privacy, and security. From a utility company perspective, collection and management of such huge volumes of data at an individual level is not an essential business function. The goal of this research is to create an architecture preserving privacy of the consumer in the power grid advanced metering infrastructure while helping the utility company better manage data.

Privacy Preserving Access Control in Service Oriented Architecture

Rohit Ranchal, Ruchith Fernando, Zhongjun Jin, Pelin Angin, Bharat Bhargava

http://www.cerias.purdue.edu/assets/symposium/2014-posters/955-3C4.pdf

Service Oriented Architecture (SOA) comprises a number of loosely-coupled services, which collaborate, interact and share data to accomplish a task. A service invocation can involve multiple services, where each service generates, shares, and interacts with the client's data. These interactions may share data with unauthorized services and violate the client's policies. The client has no means of identifying if a violation occurred and has no control or visibility on interactions beyond its trust domain. Such interactions introduce new security challenges which are not present in traditional systems. We propose a data-centric approach for privacy preserving access control in SOA based on Active Bundles. This approach transforms passive data into an active entity that is able to protect itself. It enables dynamic data dissemination decisions and protects data throughout its lifecycle. The granularity of the data being shared with a service is determined by the client's data dissemination policy.

pSigene: Generalizing Attack Signatures

Jeff Avery, Gaspar Modelo-Howard, Fahad Arshad, Saurabh Bagchi, Yuan Qi

http://www.cerias.purdue.edu/assets/symposium/2014-posters/F74-76F.pdf

Intrusion detection systems (IDS) are an important component to effectively protect computer systems. Misuse detection is the most popular approach to detect intrusions, using a library of signatures to find attacks. The accuracy of the signatures is paramount for an effective IDS, yet today's practitioners rely on manual techniques to improve and update those signatures. We present a system, called pSigene, for the automatic generation of intrusion signatures by mining the vast amount of public data available on attacks. It follows a four step process to generate the signatures, by first crawling attack samples from multiple public cyber security web portals. Then, a feature set is created from existing detection signatures to model the samples, which are then grouped using a biclustering algorithm which also gives the distinctive features of each cluster. Finally the system automatically creates a set of signatures using regular expressions, one for each cluster. We tested our architecture for the prevalent class of SQL injection attacks and found our signatures to have true and false positive rates of over 86% and 0.03%, respectively, and compared our findings to other SQL injection signature sets from popular IDS and web application firewalls. Results show our system to be very competitive with existing signature sets.
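To make the four-step pipeline concrete, here is an added toy implementation in Python. It is not pSigene's code: constructed SQL-injection strings stand in for crawled samples, a hand-written feature set stands in for features mined from existing rule sets, single-linkage clustering on Jaccard similarity replaces the biclustering step, and the features shared by every member of a cluster become one regex built from lookaheads. The true/false positive rates it reports are over the constructed data only and say nothing about pSigene's results.

```python
import re
from itertools import combinations

# Constructed SQL-injection samples standing in for samples crawled from
# public attack portals (toy data, not pSigene's corpus).
ATTACK_SAMPLES = [
    "' OR 1=1 --",
    "' or 'a'='a",
    "admin' OR '1'='1' #",
    "1 UNION SELECT username, password FROM users",
    "' UNION ALL SELECT NULL, NULL, version() --",
    "0 UNION SELECT 1,2,3",
    "'; DROP TABLE users; --",
    "1; DELETE FROM accounts --",
    "'; EXEC xp_cmdshell('dir') --",
]

# Constructed benign inputs for estimating the false-positive rate.
BENIGN_SAMPLES = [
    "john.doe@example.com",
    "O'Brien",
    "select your favourite colour",
    "union jack flag",
    "order #1234 delivered",
    "1=1 is a tautology in logic class",
    "drop me a line",
    "it's 1=1 or nothing",          # benign text that looks like a tautology injection
]

# Feature set in the style of existing SQLi signatures (hypothetical,
# hand-written here; pSigene derives its features from real rule sets).
FEATURES = {
    "quote":     r"'",
    "or":        r"\bor\b",
    "tautology": r"(?:\d+|'[^']*')\s*=\s*(?:\d+|')",
    "union":     r"\bunion\b",
    "select":    r"\bselect\b",
    "stacked":   r";\s*\w+",
    "ddl_dml":   r"\b(?:drop|delete|exec)\b",
    "comment":   r"(?:--|#)",
}


def featurize(sample):
    """Binary feature vector, represented as the set of feature names that fire."""
    return frozenset(name for name, pat in FEATURES.items()
                     if re.search(pat, sample, re.IGNORECASE))


def cluster(samples, threshold=0.5):
    """Single-linkage clustering on Jaccard similarity of feature sets.
    A simple stand-in for the biclustering step described in the abstract."""
    vectors = [featurize(s) for s in samples]
    parent = list(range(len(samples)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(samples)), 2):
        a, b = vectors[i], vectors[j]
        if a | b and len(a & b) / len(a | b) >= threshold:
            parent[find(i)] = find(j)

    groups = {}
    for i in range(len(samples)):
        groups.setdefault(find(i), []).append(i)
    return [sorted(g) for g in groups.values()], vectors


def generate_signatures(samples, threshold=0.5):
    """One regex per cluster: the conjunction (via lookaheads) of the
    features every member of the cluster shares."""
    groups, vectors = cluster(samples, threshold)
    signatures = []
    for group in groups:
        shared = frozenset.intersection(*(vectors[i] for i in group))
        if not shared:
            continue
        signatures.append("".join(f"(?=.*{FEATURES[name]})" for name in sorted(shared)))
    return sorted(signatures)


def matches_any(signatures, text):
    return any(re.search(sig, text, re.IGNORECASE) for sig in signatures)


def evaluate(signatures, attacks, benign):
    """Return (true positive rate, false positive rate) over the given samples."""
    tpr = sum(matches_any(signatures, s) for s in attacks) / len(attacks)
    fpr = sum(matches_any(signatures, s) for s in benign) / len(benign)
    return tpr, fpr


if __name__ == "__main__":
    sigs = generate_signatures(ATTACK_SAMPLES)
    for s in sigs:
        print(s)
    print("TPR=%.3f FPR=%.3f" % evaluate(sigs, ATTACK_SAMPLES, BENIGN_SAMPLES))
```

On the constructed data the three clusters correspond to tautology, UNION-based and stacked-query injections, and the one false positive ("it's 1=1 or nothing") shows why the abstract stresses signature accuracy: a conjunction of lexical features cannot tell an apostrophe plus the word "or" from an injected boolean.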

Resilient and Active Authentication and User-Centric Identity Ecosystems

Yan Sui, Xukai Zou

http://www.cerias.purdue.edu/assets/symposium/2014-posters/621-AD0.pdf

Existing proxy based authentication approaches have problems (e.g., non-binding, susceptible to theft and dictionary attack, burden on end-users, re-use risk). Biometrics, which authenticates users by intrinsic biological traits, arises to address the drawbacks. However, biometrics are irreplaceable once compromised and leak sensitive information about the human user behind them. In this research, we propose a usable, privacy-preserving, secure biometrics based identity verification and protection system. Specifically, we propose a novel biometric authentication token called Bio-Capsule (BC) which is generated by a secure fusion of user biometrics and a (selected) reference subject's biometrics. The fusion process preserves the biometric robustness and accuracy in the sense that the BC can be used in place of the original user's biometric template without sacrificing the system's acceptability for the same user and distinguishability between different users. There are more potential applications of this research: a user-centric identity ecosystem – a highly resilient, privacy-preserving, revocable, interoperable, and efficient user-centric identity verification and protection ecosystem; and an active authentication system – a provably secure, privacy-preserving, biometric active authentication system to support continuous and non-intrusive authentication.

Semantic Anonymization of Medical Records

Tatiana Ringenberg, Julia M. Taylor, Victor Raskin

http://www.cerias.purdue.edu/assets/symposium/2014-posters/79D-5DB.pdf

With the availability of large amounts of data in the medical industry, it is becoming necessary, due to both regulatory and ethical concerns, to find unique ways of protecting patient identities. A name and social security number are no longer the only fields in a patient’s record that can identify them. Data under HIPAA requires the removal of several Protected Health Information Identifiers. Symptoms themselves can also distinctly identify an individual in a large group. To prevent this, the Purdue OST Anonymization Project is using semantics to determine the degree to which any patient record is identifiable from others in a system. Our approach combines the conceptual mapping of Ontological Semantic Technology with the anonymity principles of K-Anonymity to semantically anonymize patient data for compliance with regulatory and research policies.
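The following is an added Python example (not the Purdue OST project's code) of the k-anonymity half of the approach: records are grouped by their quasi-identifiers, each attribute is generalised one step along a fixed hierarchy until every equivalence class has at least k members, and the few outliers that no single step can cover are suppressed. Fixed hierarchies (age buckets, zip-code truncation) stand in for the ontology-driven generalisation the abstract describes; the patient records are constructed.

```python
from collections import Counter

# Constructed patient records (toy data, not real PHI).
RECORDS = [
    {"age": 34, "zip": "47906", "sex": "F", "diagnosis": "asthma"},
    {"age": 36, "zip": "47907", "sex": "F", "diagnosis": "flu"},
    {"age": 38, "zip": "47906", "sex": "F", "diagnosis": "flu"},
    {"age": 52, "zip": "46201", "sex": "M", "diagnosis": "diabetes"},
    {"age": 57, "zip": "46202", "sex": "M", "diagnosis": "asthma"},
    {"age": 59, "zip": "46204", "sex": "M", "diagnosis": "hypertension"},
    {"age": 41, "zip": "47905", "sex": "M", "diagnosis": "flu"},
]
QUASI_IDENTIFIERS = ("age", "zip", "sex")   # columns an attacker could link on
SENSITIVE = "diagnosis"


# Generalisation hierarchies (hypothetical): level 0 is the raw value, the top level is '*'.
def generalize_age(age, level):
    if level == 0:
        return str(age)
    if level in (1, 2):
        width = 10 * level
        lo = age // width * width
        return f"{lo}-{lo + width - 1}"
    return "*"


def generalize_zip(zip_code, level):
    return zip_code[:len(zip_code) - level] + "*" * level


def generalize_sex(sex, level):
    return sex if level == 0 else "*"


GENERALIZERS = {"age": generalize_age, "zip": generalize_zip, "sex": generalize_sex}
MAX_LEVEL = {"age": 3, "zip": 5, "sex": 1}


def qi_tuple(record, levels):
    return tuple(GENERALIZERS[q](record[q], levels[q]) for q in QUASI_IDENTIFIERS)


def equivalence_classes(records, levels):
    return Counter(qi_tuple(r, levels) for r in records)


def score(records, levels, k):
    """Higher is better: records sitting in classes of size >= k, then fewer classes."""
    classes = equivalence_classes(records, levels)
    covered = sum(n for n in classes.values() if n >= k)
    return (covered, -len(classes))


def k_anonymize(records, k, max_suppressed=1):
    """Greedy generalisation: at each step take the single-attribute step that
    improves the score most; stop when no step helps, then suppress outliers."""
    levels = {q: 0 for q in QUASI_IDENTIFIERS}
    while score(records, levels, k)[0] < len(records):
        current, best = score(records, levels, k), None
        for q in QUASI_IDENTIFIERS:
            if levels[q] < MAX_LEVEL[q]:
                trial = dict(levels, **{q: levels[q] + 1})
                s = score(records, trial, k)
                if s > current:
                    current, best = s, q
        if best is None:
            break
        levels[best] += 1
    classes = equivalence_classes(records, levels)
    kept = [dict(zip(QUASI_IDENTIFIERS, qi_tuple(r, levels)), **{SENSITIVE: r[SENSITIVE]})
            for r in records if classes[qi_tuple(r, levels)] >= k]
    suppressed = len(records) - len(kept)
    if suppressed > max_suppressed:
        raise ValueError(f"would need to suppress {suppressed} records")
    return kept, levels, suppressed


def is_k_anonymous(rows, k):
    """Check the released table: every quasi-identifier combination appears >= k times."""
    counts = Counter(tuple(row[q] for q in QUASI_IDENTIFIERS) for row in rows)
    return all(n >= k for n in counts.values())


if __name__ == "__main__":
    kept, levels, suppressed = k_anonymize(RECORDS, k=3)
    print(levels, "suppressed:", suppressed)
    for row in kept:
        print(row)
```

On the constructed records, k=3 is reached by generalising age to decades and zip to four digits, and the single 41-year-old is suppressed because no further single step would place him in a class of three. Note that k-anonymity says nothing about the sensitive column: if every member of a class shared the same diagnosis the release would still be 3-anonymous yet leak it, which is the gap the abstract's point about symptoms is pointing at.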

The Password Wall — A Better Defense against Password Exposure

Mohammed Almeshekah, Mikhail Atallah and Eugene Spafford

http://www.cerias.purdue.edu/assets/symposium/2014-posters/356-E8E.pdf

We present an authentication scheme that better protects users' passwords than currently deployed password-based schemes, without taxing the users' memory or damaging the user-friendliness of the login process. Our scheme maintains compatibility with traditional password-based authentication, without any additional storage requirements, giving service providers the ability to selectively enroll users and fall back to traditional methods if needed. The scheme utilizes the ubiquity of smartphones; however, unlike previous proposals it does not require registration or connectivity of the phones used. In addition, no long-term secrets are stored in the user's phone, mitigating the consequences of losing it. The scheme significantly increases the difficulty of launching a phishing attack, by automating the decision of whether a website should be trusted and introducing additional risk on the adversary's side of being detected and deceived. In addition, the scheme is resilient against Man-in-the-Browser (MitB) attacks and compromised client machines. Finally, we incorporate a user-friendly covert communication between the user and the service provider giving the user the ability to have different levels of access (instead of the traditional all-or-nothing), and the use of deception (honeyaccounts) that make it possible to dismantle a large-scale attack infrastructure before it succeeds (rather than after the painful and slow forensics that follow a successful phishing attack). As an added feature, the scheme gives service providers the ability to have full-transaction authentication.

Top-K Frequent Itemsets via Differentially Private FP-trees

Jaewoo Lee and Chris Clifton

http://www.cerias.purdue.edu/assets/symposium/2014-posters/026-59A.pdf

Frequent itemset mining is a core data mining task and has been studied extensively. Although by their nature, frequent itemsets are aggregates over many individuals and would not seem to pose a privacy threat, an attacker with strong background information can learn private individual information from frequent itemsets. This has led to differentially private frequent itemset mining, which protects privacy by giving inexact answers. We give an approach that first identifies top-k frequent itemsets, then uses them to construct a compact, differentially private FP-tree. Once the noisy FP-tree is built, the (privatized) support of all frequent itemsets can be derived from it without access to the original data. Experimental results show that the proposed algorithm gives substantially better results than prior approaches, especially for high levels of privacy.
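An added Python example (not the authors' implementation) of the mechanism the abstract relies on: releasing itemset supports with Laplace noise instead of exact counts. It skips the FP-tree and simply noises the supports of every candidate itemset up to size 2. To make the noise scale well defined, each transaction is truncated to max_len items, so adding or removing one individual changes at most a known number of counts (the L1 sensitivity). The transactions are constructed toy baskets, and the helper names are this example's own.

```python
import math
import random
from itertools import combinations

# Constructed transaction database (toy baskets, not real data).
TRANSACTIONS = [
    {"a", "b", "c"}, {"a", "b"}, {"a", "c"}, {"b", "c"}, {"a", "b", "c"},
    {"a", "d"}, {"b", "d"}, {"a", "b", "e"}, {"c", "e"}, {"a", "b"},
]


def truncate(transactions, max_len):
    """Cap every transaction at max_len items (deterministically, by sorting)
    so that one individual can influence only a bounded number of counts."""
    return [frozenset(sorted(t)[:max_len]) for t in transactions]


def candidate_itemsets(transactions, max_size):
    items = sorted(set().union(*transactions))
    return [frozenset(c) for n in range(1, max_size + 1)
            for c in combinations(items, n)]


def true_supports(transactions, candidates):
    return {c: sum(c <= t for t in transactions) for c in candidates}


def l1_sensitivity(max_len, max_size):
    """Adding or removing one (truncated) transaction changes at most this
    many itemset counts, each by exactly 1."""
    return sum(math.comb(max_len, n) for n in range(1, max_size + 1))


def laplace(rng, scale):
    # The difference of two iid exponentials is Laplace(0, scale); this form
    # never evaluates log(0), unlike the inverse-CDF sampler.
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_top_k(transactions, k, epsilon, max_len=3, max_size=2, seed=0):
    """Release the k itemsets with the largest Laplace-noised supports.
    Each count gets Laplace(sensitivity / epsilon) noise, so by the L1
    sensitivity bound the whole vector of counts is epsilon-DP."""
    rng = random.Random(seed)
    txns = truncate(transactions, max_len)
    cands = candidate_itemsets(txns, max_size)
    supports = true_supports(txns, cands)
    scale = l1_sensitivity(max_len, max_size) / epsilon
    noisy = {c: s + laplace(rng, scale) for c, s in supports.items()}
    top = sorted(noisy, key=noisy.get, reverse=True)[:k]
    return {c: noisy[c] for c in top}


if __name__ == "__main__":
    # Tiny noise: recovers the true top-4 ({a}, {b}, {a,b}, {c}) but is not private.
    for itemset, support in dp_top_k(TRANSACTIONS, 4, epsilon=1e6).items():
        print(sorted(itemset), round(support, 3))
    print("---")
    # epsilon = 0.5 with sensitivity 6 means Laplace noise of scale 12 on
    # counts that are at most 10: strong privacy, little utility.
    for itemset, support in dp_top_k(TRANSACTIONS, 4, epsilon=0.5, seed=1).items():
        print(sorted(itemset), round(support, 3))
```

The second run illustrates why the abstract emphasises results "for high levels of privacy": noising every candidate count independently spends the budget across all 15 itemsets, and at epsilon = 0.5 the noise swamps supports of 7 or less. Building a compact structure from a noisy top-k first, as the abstract proposes, is one way to spend the budget on fewer, more informative queries.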

VeryBioIDX: Privacy Preserving Biometrics-Based and User Centric Authentication Protocol

Hasini Gunasinghe, Elisa Bertino

http://www.cerias.purdue.edu/assets/symposium/2014-posters/642-A07.pdf

We propose a privacy preserving biometric based authentication protocol by which a user can authenticate to different service providers from a mobile phone, without involving the identity provider in transactions, thus enhancing privacy. Authentication is based on a cryptographic identity token which embeds a unique, repeatable and revocable identifier generated from the user's biometric image and a random secret, supporting two-factor authentication based on zero-knowledge proofs of knowledge. Our approach for generating biometric identifiers from users' biometrics is based on perceptual hashing and SVM classification techniques.

End System Security

A Framework for Service Activity Monitoring

Ruchith Fernando, Rohit Ranchal, Pelin Angin, Bharat Bhargava

http://www.cerias.purdue.edu/assets/symposium/2014-posters/10E-9E2.pdf

In a service-oriented architecture (SOA) environment, a service can dynamically select and invoke any service from a group of services to offload part of its functionality. This is very useful to build large systems with existing services and dynamically add services to support new features. One of the main problems with such a system is that it is very difficult to trust the service interaction lifecycle and assume that the services behave as expected and respect the system policies. We propose a centralized service monitor that audits and detects malicious activity or compromised services by analyzing information collected via monitoring agents. The service monitor includes two modes of operation – active and passive – where one can evaluate service topologies with various policies.

A Key Management Scheme in BYOD Environment

Di Xie, Baijian Yang

http://www.cerias.purdue.edu/assets/symposium/2014-posters/953-6AD.pdf

Bring-Your-Own-Device (BYOD) refers to an IT policy that encourages and allows employees to use their personal devices to access privileged corporate network resources. Current BYOD practices are not sufficient to provide both flexible and secure access to data stored on personal devices and are likely to cause privacy infringement issues and incur high management cost. This research presents an Innovative Key Management Scheme (IKMS) approach that employs a hierarchical and time-bounded key management system to battle the security and privacy issues in BYOD deployment.

FPGA Password Cracking

Max DeWees, Michael Kouremetis, Matthew Riedle, Craig West

http://www.cerias.purdue.edu/assets/symposium/2014-posters/AB6-C90.pdf

Field Programmable Gate Arrays (FPGAs) are a unique hardware component that allows for dynamic prototyping design and implementation of hardware logic. FPGAs provide the advantages of dedicated hardware functionality and parallelization for specific tasks. In this research, we look to apply these advantages of FPGAs to breaking cryptographic functions, primarily hash functions and encryption passwords. While this has been done successfully in the past to older functions like MD5, it has not been thoroughly analyzed for more complex systems such as TrueCrypt, Windows BitLocker, or Mac OS X FileVault. Our focus is to analyze the feasibility, scalability, and success of using one or more FPGAs to crack these systems.

Human Centric Security

A Study of Probabilistic Password Models

Jerry Ma, Weining Yang, Min Luo, Ninghui Li

http://www.cerias.purdue.edu/assets/symposium/2014-posters/293-790.pdf

A probabilistic password model assigns a probability value to each string. Such models are useful for research into understanding what makes users choose more (or less) secure passwords, and for constructing password strength meters and password cracking utilities. Guess number graphs generated from password models are a widely used method in password research. In this paper, we show that probability-threshold graphs have important advantages over guess-number graphs. They are much faster to compute, and at the same time provide information beyond what is feasible in guess-number graphs. We also observe that research in password modeling can benefit from the extensive literature in statistical language modeling. We conduct a systematic evaluation of a large number of probabilistic password models, including Markov models using different normalization and smoothing methods, and find that, among other things, Markov models, when done correctly, perform significantly better than the Probabilistic Context-Free Grammar model, which has been used as the state-of-the-art password model in recent research.
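An added illustration in Python (not the authors' code) of the two ideas in the abstract: a character-level Markov model with add-k smoothing, and the probability-threshold curve as a cheap alternative to guess numbers. The training list is constructed toy data. Treating an END symbol as an ordinary character is one way to normalise the model so that probabilities over all strings sum to one, which is what makes a probability threshold comparable across models; a guess-number graph would instead require enumerating guesses in probability order, which is far more expensive.

```python
import math
from collections import Counter, defaultdict

# Constructed "leaked" training passwords (toy data, not a real dump).
TRAINING = [
    "password", "password1", "123456", "12345678", "qwerty", "abc123",
    "letmein", "monkey", "dragon", "iloveyou", "pass1234", "football",
]

START, END = "\x02", "\x03"   # sentinels: START conditions the first character


class MarkovPasswordModel:
    """Order-n character Markov model with add-k (Laplace) smoothing.
    END is modelled like any other symbol, so the probabilities assigned
    to all finite strings sum to one."""

    def __init__(self, order=1, k=1.0):
        self.order = order
        self.k = k
        self.counts = defaultdict(Counter)   # context -> Counter of next symbol
        self.alphabet = set()
        self.vocab = 1

    def train(self, passwords):
        for pw in passwords:
            self.alphabet.update(pw)
            seq = START * self.order + pw + END
            for i in range(self.order, len(seq)):
                self.counts[seq[i - self.order:i]][seq[i]] += 1
        self.vocab = len(self.alphabet) + 1   # characters seen in training, plus END

    def prob(self, password):
        seq = START * self.order + password + END
        p = 1.0
        for i in range(self.order, len(seq)):
            ctx, ch = seq[i - self.order:i], seq[i]
            if ch != END and ch not in self.alphabet:
                return 0.0   # a character the model never saw: it would never guess it
            c = self.counts.get(ctx, Counter())
            p *= (c[ch] + self.k) / (sum(c.values()) + self.k * self.vocab)
        return p

    def log2_prob(self, password):
        p = self.prob(password)
        return -math.inf if p == 0 else math.log2(p)


def threshold_curve(model, test_passwords, thresholds):
    """One point per threshold t: the fraction of test passwords whose model
    probability is at least 2**-t. This is what a probability-threshold graph
    plots, and it needs only one model evaluation per password."""
    scores = [model.log2_prob(pw) for pw in test_passwords]
    return [sum(s >= -t for s in scores) / len(scores) for t in thresholds]


if __name__ == "__main__":
    model = MarkovPasswordModel(order=1, k=1.0)
    model.train(TRAINING)
    tests = ["password", "qwerty", "drowssap", "zzz"]
    for pw in tests:
        print(f"{pw:10s} log2 P = {model.log2_prob(pw):.2f}")
    print(threshold_curve(model, tests, [20, 30, 40, 50]))
```

The curve shows how the fraction of a test set that falls above each probability threshold grows as the threshold is relaxed; the shape of that curve is what the abstract proposes to compare across models instead of guess numbers. Smoothing and normalisation are not cosmetic here: with k = 0 the reversed password "drowssap" would get probability zero because of unseen bigrams, and without END the per-string probabilities of different lengths would not be on a common scale.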

Analysis of Coping Mechanisms in Password Selection

Brian Curnett, Paul Duselis, Teri Flory

http://www.cerias.purdue.edu/assets/symposium/2014-posters/ED9-F1E.pdf

Do more stringent password policies actually create stronger and more secure passwords? Do humans reach a threshold when creating passwords that follow policies but fail to provide an adequate level of protection? Previous work has focused on password strength and the effectiveness of password defeating tools, but has only briefly touched on user frustration with policies, or the coping mechanisms that may be employed by the users to satisfy those stringent policies. Our work will utilize the information available from previous studies and expand on that to include user frustration and coping methods. Our examination will include multiple policies that are currently accepted and in use by organizations and companies from a wide variety of backgrounds. This will attempt to show the true measure of protection that the industry standard policies provide. It will be necessary to review processes of data collection, and determine the most effective procedures to gather this information. We will then develop a method, utilizing this plan, and propose this to the partners for future review and use. We will propose an analytic procedure to be used in determining an optimal relationship between password policy’s strength and coping mechanisms. And finally a set of repeatable statistical procedures that can be applied toward data sets of passwords to ensure the policy’s strength.

Detecting Tic-Tac-Stego: Anomaly Detection for Steganalysis in Games

Philip C. Ritchey, Vernon J. Rego

http://www.cerias.purdue.edu/assets/symposium/2014-posters/EF2-A3A.pdf

Motivated by the identification of potential areas in the broader field of information security where the study of human behavior can be used to enhance and improve information security, we investigated methods for detecting information hiding in games. This work builds on previous work which presented Tic-Tac-Stego, a general methodology for hiding information in games. The focus of this work is to understand and experiment with three steganalysis techniques for detecting steganography in games: rules-based, feature-based, and probabilistic model-based detectors. Under the assumption that the adversary is unable to predict the play style of the stego-agent, we find that a feature-based steganalysis method performs the best at detecting usage of the covert channel, capable of achieving accuracy greater than 97% against all stego-agents tested. On the other hand, under the assumption that the adversary is able to predict the play style of the stego-agent, the rules-based method is more accurate and requires fewer games per example than the feature-based method. The probabilistic-based method is found to be overall less accurate than both the feature-based and rules-based methods.

Enhancing Analyst Situation Awareness and Event Response in Cyber Network Operations Centers

Omar Eldardiry, Barrett Caldwell

http://www.cerias.purdue.edu/assets/symposium/2014-posters/BA8-C6C.pdf

The development of cyber network operations centers has created new needs to support human sense-making and situation awareness in a cyber network common operating picture (CNCOP). The goal of this research is to identify critical features that support expert analysts in event detection, identification, and response to cyber events (emergency scenarios, hardware breakdowns or other sources of degraded performance). The goal is to improve information visualization to support recognition and response to cyber- and cyber-physical network events. The results of this research project will be used to improve operational capability and analyst situation awareness in NOC environments and provide design guidance to improve analyst event monitoring and response in other cyber-physical infrastructure operations centers.

Finland’s Cyber Warfare Capabilities

Filipo Sharevski

http://www.cerias.purdue.edu/assets/symposium/2014-posters/B76-BC6.pdf

In light of the discussion on cyber intelligence, this paper analyzes open source data to give a methodical assessment of Finland's cybersecurity and cyberwarfare capabilities. The information related to Finland's cyber preparedness and cybersecurity awareness is analyzed together with the relevant statistical factors in order to outline the relative stage of cyber capability development in the military context. Finland's cybersecurity strategy, Finnish security and defense policy, and Finnish academia's perspectives on cyber operations are elaborated in parallel with the conceptualization of military doctrine adaptation in the cyber domain in order to describe Finland's posture relative to potential cyberwarfare conflict engagements. In addition, the key stakeholders in cybersecurity governance are also listed, providing insight into the practical aspects of the nation's efforts for cybersecurity maintenance and constant improvement.

Mutual Restraining Voting Involving Multiple Conflicting Parties

Dr. Xukai Zou (xkzou@cs.iupui.edu), Yan Sui, Huian Li, Wei Peng, and Dr. Feng Li

http://www.cerias.purdue.edu/assets/symposium/2014-posters/CFF-BFE.pdf

Scrutinizing current voting systems including existing e-voting techniques, one can discern that there exists a gap between casting secret ballots and tallying & verifying individual votes. This gap is caused by either disconnection between the vote-casting process and the vote-tallying process or opaque transition (e.g., due to encryption) from vote-casting to vote-tallying and damages voter assurance, i.e., any voter can be assured that the vote he/she has cast is verifiably counted in the final tally. We propose a groundbreaking e-voting protocol that fills this gap and provides a fully transparent election. In this fully transparent internet voting system, the transition from vote-casting to vote-tallying is seamless, viewable, verifiable, and privacy-preserving. As a result, individual voters will be able to verify their own votes and are technically and visually assured that their votes are indeed counted in the final tally, the public will be able to verify the accuracy of the count, and political parties will be able to catch fraudulent votes. And all this will be achieved while still retaining what is perhaps the core value of democratic elections–the secrecy of any voter’s vote. The new protocol is the first fully transparent e-voting protocol which technologically enables open and fair elections and delivers full voter assurance, even for the voters of minor or weak political parties.

Natural Language IAS: The Problem of Phishing

Lauren M. Stuart, Gilchan Park, Julia M. Taylor, Victor Raskin

http://www.cerias.purdue.edu/assets/symposium/2014-posters/568-98B.pdf

Phishing emails solicit personal and sensitive information while masquerading as legitimate messages from financial institutions. Automatic detection of phishing emails will help reduce the financial losses incurred by their victims. Computer understanding of message meaning and other hallmarks of legitimate and illegitimate emails can improve detection, and continue the expansion of natural language understanding techniques and processes into information assurance and security applications.

Using social network data to track information and make decisions during a crisis

David Hersh (student); advisors: Julia Taylor, Victor Raskin

http://www.cerias.purdue.edu/assets/symposium/2014-posters/63B-A51.pdf

Social network use has dramatically increased in recent years, causing a surge in the amount of data people publicly share. Many share events of their lives on a daily basis, and get much of their news from social networks. So when a crisis occurs, such as a school shooting, many people in the affected area report what is going on through their social networks, allowing others to get firsthand accounts of the situation as it progresses. This information is often available before official information is, making it a valuable resource for anyone who needs to know the most up-to-date information on the crisis. In this research, we take the first steps toward the development of a system that extracts crisis information from social networking data in real time, allowing the system’s users to have a consistently up-to-date version of the situation.

Network Security

A Framework to Find Vulnerabilities Using State Characteristics in Transport Protocol Implementations

Sam Jero, Hyojeong Lee and Cristina Nita-Rotaru

http://www.cerias.purdue.edu/assets/symposium/2014-posters/0CA-1EC.pdf

We propose a platform for automatically finding attacks in transport protocol implementations. Our platform uses virtual machines connected with a network emulator to run unmodified target implementations, ensuring realism. We focus on attacks involving the manipulation or injection of protocol messages and build a framework to perform these basic malicious actions. To mitigate state-space explosion resulting from numerous combinations of malicious actions and protocol messages, we leverage protocol states. First, we build a state tracker that can infer the current state of the target system from message traces. Using the state tracker and a benign execution, we classify states based on observable characteristics. We then associate basic attack actions with characteristics of states and compose attack strategies based on this information. We monitor the effect of these attack strategies and determine which actions are effective for which states. We use this information to focus or prune our attack strategies for states with similar characteristics.

Divide & Recombine for Big Data Analysis for Cybersecurity – Application of DNS Blacklist Query Study

Ashrith Barthur, Dr. William S. Cleveland, John Gerth

http://www.cerias.purdue.edu/assets/symposium/2014-posters/1D1-D96.pdf

D&R is a statistical approach to big data that provides comprehensive, detailed analysis. This is achieved because almost any analytic method from machine learning, statistics, and visualization can be applied to the data at their finest level of granularity. D&R also enables feasible, practical computation because the computations are largely embarrassingly parallel. Our work has two core threads: 1. Tailor the D&R environment to analyse big data in cybersecurity. 2. Apply this tailored environment to the Spamhaus DNS blacklist query traffic at the Stanford University mirror.

Policy, Law and Management

Confidentiality Guidelines for Cloud Storage

Joseph Beckman, Matthew Riedle, Hans Vargas

http://www.cerias.purdue.edu/assets/symposium/2014-posters/638-07D.pdf

As cloud computing becomes more popular among average users, and even governments, the question arises of how secure data stored in the cloud is. FedRAMP has established guidelines that evaluate certain security controls for cloud providers such as Google Drive and Amazon Web Services. This project examines the confidentiality and access control guidelines for Amazon's S3 data storage, asking whether they are sufficient for current and future markets.

Cyber 9/12 Student Challenge: Team Purdue Cyber Forensics

Rachel Sitarz, Eric Katz, Nick Sturgeon, & Jake Kambic

http://www.cerias.purdue.edu/assets/symposium/2014-posters/125-226.pdf

The four Purdue Cyber Forensics graduate students competed in the Cyber 9/12 Student Challenge. They were asked to take on the role of the Cyber Security Directorate of the National Security Staff and to create four policy response alternatives to a fictional major cyber incident affecting US national security. They then presented the four policies to experts in cyber security policy in Washington, DC.

DC3 Digital Forensics Challenge

Will Ellis, Jake Kambic, Eric Katz, Sydney Liles

http://www.cerias.purdue.edu/assets/symposium/2014-posters/06E-C7C.pdf

This poster shows the accomplishments of team or11–, winners of the 2013 Defense Cyber Crime Center's Cyber Forensics Challenge, the largest and most prestigious cyber forensics competition in the world. Competing against over 1,200 teams, Purdue's team took 1st place in both the US and global graduate divisions.

Implementing Bayesian Statistics from an Analysis of Competing Hypothesis Framework

Brian Curnett and Samuel Liles

http://www.cerias.purdue.edu/assets/symposium/2014-posters/423-BAF.pdf

The Analysis of Competing Hypotheses system is a decision analysis tool developed by the intelligence community to aid analysts in decision making. It was first developed by Richards J. Heuer to help analysts keep their biases in check when making important decisions. This system’s effectiveness can be furthered to counter forms of deception and cultural bias by implementing a Bayesian Belief Network and by quantifying cultural trends.

Netherland’s Cyber Capabilities

Hans Vargas

http://www.cerias.purdue.edu/assets/symposium/2014-posters/5C4-B69.pdf

The purpose of this study was to perform an OSINT analysis of the Netherlands' capabilities to protect itself from cyber-attacks. A list of all possible and typical actors was identified, as they represent different levels of threat to the nation; the table on the poster explains in detail who those actors are, what their intentions might be, the level of expertise they are expected to have, and the targets they are most likely to attack. The Netherlands has a population of close to 18 million people with an estimated GDP of 696 billion USD and a per capita GDP of 41,000 USD, ranking 23rd and 12th in the world respectively. It comes as no surprise that its ICT rank is also high, occupying 7th place in the world as of 2012.

Saudi Arabian Policy on Cyber Capabilities

Brian Curnett and Samuel Liles

http://www.cerias.purdue.edu/assets/symposium/2014-posters/736-4CD.pdf

Saudi Arabia is a major player in the arena of world politics. However, it is only a fledgling nation in the cyber arena and is still trying to bring itself into the modern era. It is the Saudi Arabian policy of replacing cyber security with cyber censorship that led to the vulnerabilities which exposed the nation's oil industry to attack. As a compensatory mechanism, the nation relies on foreign contractors to solve technical problems rather than developing a domestic knowledge base. This has made Saudi Arabia more vulnerable in the long term.

South Korea ICT Index Leader Cyber Assessments

Faisal Alaskandrani, Dr. Samuel Liles

http://www.cerias.purdue.edu/assets/symposium/2014-posters/889-AE7.pdf

Did South Korea neglect the security aspect while developing its telecommunication infrastructure?

Technological Impact of Criminal Enterprises: The Impact of Cloud Computing

Rachel Sitarz, Sam Liles

http://www.cerias.purdue.edu/assets/symposium/2014-posters/C58-160.pdf

Cloud computing is an abstract term, which is often difficult for people to understand, yet most are moving to the cloud to store data. Criminal organizations are also utilizing the cloud for data storage, transmission, and communications, which led to the research question: how are current criminal organizations structuring their criminal enterprises, and how does technology impact that structure? The current project is exploratory, comparing current criminal organizations with historical groups, and maintains that those groups utilizing the cloud are no different from historical criminals. They are simply utilizing a new medium to facilitate their criminal activity. Criminal organizations have typically maintained a hierarchical organizational structure. With developments in technology such as the cloud, groups continue to maintain an enterprise structure while allowing for geographically disparate transmission of data. This also leads to the potential problem of remote destruction of evidence when law enforcement executes searches on a party or parties within the organization. Criminals have taken to technological advancements for many reasons, such as the anonymity factor, the expertise needed by law enforcement to apprehend criminals, and the ease of access. Technological advancements are often taken for granted, but they are something that needs to be considered in the apprehension of criminals and the combating of criminal activity.

The Efficacy of Case Studies for Teaching Policy in Engineering and Technology Courses

Rylan Chong, Dr. Melissa Dark, Dr. Ida Ngambeki, and Dr. Dennis Depew

http://www.cerias.purdue.edu/assets/symposium/2014-posters/A5D-F63.pdf

Public policy is an increasingly important topic in the engineering and technology curriculum as it has been recognized by a community of experts, National Research Council of the National Academies (NRCNA), Accreditation Board for Engineering and Technology (ABET), American Association for the Advancement of Science (AAAS), and the National Academy of Engineering (NAE). The purpose of this study was to extend the work of Chong, Depew, Ngambeki, and Dark “Teaching social topics in engineering: The case of energy policy and social goals” by exploring a method to introduce public policy using a case study approach to undergraduate engineering technology students in the engineering economics course in the College of Technology at Purdue University. The substantive contribution of this study addressed the following questions: 1) did the students understand and identify the policy context, 2) how effective was the use of case studies to introduce the students to policy, and 3) areas of improvement to enhance efficacy of the case studies to introduce students to policy?

The Impact of University Provided Nurse Electronic Medical Record (EMR) Training on Hospital Provider Systems: A Computer Simulation Approach

James Anderson, Elizabeth Borycki, Andre Kushniruk, Shannon Malovec, Angela Espejo, Marilyn Anderson

http://www.cerias.purdue.edu/assets/symposium/2014-posters/67A-535.pdf

Hospitals lose valuable productivity when nurses are off of the unit for electronic medical record system (EMR) training. Universities lose valuable clinical training hours when students are required to learn various EMR systems at clinical sites during clinical rotations. Centralizing EMR training within the university classroom curriculum could provide the hospital with trained new hires while preserving student clinical time for bedside care. Through this study we investigated the cumulative influence of integrating EMR training in nursing classroom curriculum on hospital nurse time away from caregiving and number of EMR trained nurses. A computer simulation model was specified using the STELLA program. The model simulated once a year hiring of nurses over a 4 year period for a total of 500 new hires. The model predicted the number of new hires that need EMR training, the number of new hires that arrive trained by the University, and the time away from caregiving to train new hires in terms of change in University curriculum to include EMR training. Findings indicate that efficiency of clinical training can be potentially improved by centralizing EMR training within the nursing curriculum. Integrating EMR training in nursing classroom curriculum potentially results in more available time for nurse bedside care and reduced cost in health organization training of new nurses. Further investigation is needed to assess the cost impact of curricular integration.

The Irish Economy’s Vulnerability to Cyber Conflict

Courtney Falk

http://www.cerias.purdue.edu/assets/symposium/2014-posters/68A-4A1.pdf

Information technology comprises a quarter of Ireland’s GDP. This project aims to answer the question of whether or not the Irish government is adequately prepared to protect this vulnerable sector of their economy.

Threats, Vulnerabilities, and Security Controls in Cloud Computing

Hans Vargas, Temitope Toriola

http://www.cerias.purdue.edu/assets/symposium/2014-posters/47D-18C.pdf

In cloud computing, information is not stored on your personal computer; it is stored in the cloud, a metaphor for the Internet. The cloud can be accessed from any computer anywhere in the world, including devices such as cell phones and e-readers like the Kindle. Personal computers have limited space and often run out of resources; the equipment cannot keep up with demand and the service slows down. The cloud scales far beyond a single machine: it takes the work off one computer and puts the software into one database that many people can access at once from different computers. However, there is risk in using cloud computing. Unauthorized people such as hackers may be able to get to your data as well. Cloud providers are companies that host cloud services and are in charge of protecting your data. They use many methods to protect your data in the cloud and keep it from hackers. This research investigates cloud providers to see if they are protecting cloud data as they claim to be.

Prevention, Detection and Response

A Critical Look at Steganographic Investigations

Michael Burgess

http://www.cerias.purdue.edu/assets/symposium/2014-posters/6DA-2BF.pdf

Steganography, the practice of hiding information in plain sight, has been a threat for hundreds of years across different media. In today's world, hiding files and information digitally inside images, audio, programs, and almost any other file type poses a very real danger when two individuals can communicate without anyone knowing they are doing so. Researcher Michael Burgess designed a process and built a tool that takes any file and injects it into (and extracts it from) any mono WAV file, as long as the WAV file is approximately double the size of the file to be hidden. The resulting file has the same size and properties as the original WAV file, and no difference can be heard by the human ear. Moreover, current anti-steganography tools have difficulty detecting that anything is hidden. With a tool this simple able to pass by detection, steganographic investigations need to be taken much more seriously, and should focus more on discovering these tools rather than on the hidden files themselves.
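The following is an added illustration of the technique the abstract describes, written for this page; it is not Burgess's tool and does not reproduce his encoding. It hides a payload in the low bits of each 16-bit PCM sample of a mono WAV carrier, prefixed by a length header, and checks the two properties the abstract relies on: the stego file has exactly the carrier's size, and no sample moves by more than a few quantization steps. BITS_PER_SAMPLE, the header layout and the synthetic sine-wave carrier are assumptions; at 2 bits per sample the carrier must be about 8x the payload, so the roughly 2:1 ratio quoted above implies a denser packing than this conservative setting.

```python
import io
import math
import struct
import wave

BITS_PER_SAMPLE = 2    # assumption: low bits of each 16-bit sample overwritten
HEADER_BYTES = 4       # big-endian payload length stored ahead of the payload


def make_carrier(n_samples=4000, rate=8000, freq=440.0):
    """Constructed carrier: a mono 16-bit PCM sine tone, returned as WAV bytes."""
    frames = b"".join(
        struct.pack("<h", int(12000 * math.sin(2 * math.pi * freq * i / rate)))
        for i in range(n_samples))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(frames)
    return buf.getvalue()


def _read(wav_bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        params = w.getparams()
        frames = w.readframes(params.nframes)
    if params.nchannels != 1 or params.sampwidth != 2:
        raise ValueError("carrier must be mono 16-bit PCM")
    return params, list(struct.unpack("<%dh" % params.nframes, frames))


def _write(params, samples):
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def capacity_bytes(n_samples):
    """Payload bytes that fit in n_samples once the length header is paid for."""
    return n_samples * BITS_PER_SAMPLE // 8 - HEADER_BYTES


def _bits(data):
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def embed(wav_bytes, payload):
    """Overwrite the low BITS_PER_SAMPLE bits of successive samples with
    length header + payload; samples beyond the payload are left untouched."""
    params, samples = _read(wav_bytes)
    if len(payload) > capacity_bytes(len(samples)):
        raise ValueError("payload too large for carrier")
    bits = _bits(struct.pack(">I", len(payload)) + payload)
    mask = (1 << BITS_PER_SAMPLE) - 1
    for i in range(0, len(bits), BITS_PER_SAMPLE):
        chunk = bits[i:i + BITS_PER_SAMPLE]
        chunk += [0] * (BITS_PER_SAMPLE - len(chunk))
        value = 0
        for b in chunk:
            value = (value << 1) | b
        idx = i // BITS_PER_SAMPLE
        samples[idx] = (samples[idx] & ~mask) | value   # works for negative samples too
    return _write(params, samples)


def extract(wav_bytes):
    """Read the low bits back, decode the length header, return that many bytes."""
    _, samples = _read(wav_bytes)
    mask = (1 << BITS_PER_SAMPLE) - 1
    bits = [((s & mask) >> shift) & 1 for s in samples
            for shift in range(BITS_PER_SAMPLE - 1, -1, -1)]
    data = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        data.append(byte)
    length = struct.unpack(">I", bytes(data[:HEADER_BYTES]))[0]
    return bytes(data[HEADER_BYTES:HEADER_BYTES + length])


def max_sample_delta(original, stego):
    """Largest per-sample change: the 'inaudibility' check (at most 2^BITS - 1)."""
    _, a = _read(original)
    _, b = _read(stego)
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    carrier = make_carrier()
    stego = embed(carrier, b"meet at the usual place, 21:00")
    print(extract(stego), len(stego) == len(carrier), max_sample_delta(carrier, stego))
```

The detection lesson follows from max_sample_delta: a byte-level diff of the file or a waveform plot shows nothing, so an investigator who only has the carrier-lookalike must fall back on statistical tests of the low-order bit plane, or on finding the embedding tool itself, which is the abstract's point.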

Analysis of Cyberattacks on UASs in Simulation

Scott Yantek, James Goppert, Nandagopal Sathyamoorthy, Inseok Hwang

http://www.cerias.purdue.edu/assets/symposium/2014-posters/60D-1F6.pdf

Unmanned aerial systems (UASs) have attained widespread use in military and research applications, and with recent court rulings their commercial use is rapidly expanding. Because of their dependence on computer systems, their high degree of autonomy, and the danger posed by a loss of vehicle control, it is critical that the proliferation of UASs be accompanied by a thorough analysis of their vulnerabilities to cyberattack. We approach the issue from a controls perspective, assuming the attacker has already gained some amount of control over the system. We then investigate vulnerabilities to certain types of attacks.

Communications, Information, and Cybersecurity in Systems-of-Systems

Cesare Guariniello, Dr. Daniel DeLaurentis

http://www.cerias.purdue.edu/assets/symposium/2014-posters/762-07D.pdf

The analysis of risks associated with communications and information security for a system-of-systems is a challenging endeavor. This difficulty is due to the interdependencies that exist in the communication and operational dimensions of the system-of-systems network, where disruptions of nodes and links can give rise to cascading failure modes. In this research, we propose the application of a functional dependency analysis tool as a means of analyzing system-of-systems operational and communication architectures. The goal of this research is to quantify the impact of attacks on communications and information flows on the operability of the component systems, and to evaluate and compare different architectures with respect to their robustness and resilience following an attack. The model accounts for partial capabilities and partial degradation. By comparing architectures based on their sensitivity to attacks, the method can be used to guide decisions both in architecting the system-of-systems and in planning updates and modifications, accounting for the criticality of nodes and links to the robustness of the system-of-systems. Synthetic examples show conceptual application of the method.

Distributed Fault Detection and Isolation for Kalman Consensus Filter

Kartavya Neema, Daniel DeLaurentis

http://www.cerias.purdue.edu/assets/symposium/2014-posters/5B1-A88.pdf

This research deals with the problem of developing a distributed fault detection methodology for the recently developed distributed estimation algorithm called the Kalman Consensus Filter (KCF). We extend the residual covariance matching techniques developed for detecting faults in centralized Kalman filters and use them for distributed fault detection in the KCF. Faults due to faulty sensor measurements are diagnosed and isolated from the system; specifically, faults due to changes in sensor noise statistics and outliers in the sensor measurements are considered. We further develop a Robust Kalman Consensus Filter algorithm and demonstrate its effectiveness using simulation results.
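As an added example (not the authors' KCF code), here is the residual-based test the abstract builds on, reduced to a single scalar Kalman filter so that both fault classes it names can be seen: an outlier is gated on the normalised innovation squared (NIS = e²/S), and a change in sensor noise statistics shows up as a moving average of NIS drifting away from its expected value of 1. The process/measurement noise values, the 3σ gate, the window length and the factor are assumptions, and the measurement stream is constructed.

```python
# Constructed measurement stream: a sensor reporting a constant quantity near 10,
# with one spurious reading (index 5) and, from index 10 on, a noise level far
# above what the filter's R assumes.
MEASUREMENTS = [10.1, 9.9, 10.2, 9.8, 10.0, 50.0, 10.1, 9.9, 10.0, 10.2,
                12.5, 7.5, 12.5, 7.5, 12.5, 7.5]


def kalman_residual_monitor(zs, x0=10.0, p0=1.0, q=0.01, r=1.0,
                            gate=9.0, window=4, noise_factor=3.0):
    """Scalar Kalman filter (random-walk model x_k = x_{k-1} + w) with two
    residual checks:
      * outlier gate: reject a measurement whose normalised innovation squared
        (NIS = e^2 / S, S = P_pred + R) exceeds `gate` (9 ~ 3 sigma in 1-D);
      * noise-statistics check: for a consistent filter E[NIS] = 1, so a
        moving average of accepted NIS values above `noise_factor` signals
        that the sensor noise no longer matches R.
    Gate, window and factor values are assumptions for this illustration."""
    x, p = x0, p0
    accepted_nis, outliers, noise_change_from = [], [], None
    for k, z in enumerate(zs):
        p_pred = p + q                 # predict: state unchanged, covariance grows
        s = p_pred + r                 # innovation covariance
        e = z - x                      # innovation (residual)
        nis = e * e / s
        if nis > gate:
            outliers.append(k)         # isolate: skip the update, keep the prediction
            p = p_pred
            continue
        gain = p_pred / s
        x = x + gain * e               # update
        p = (1.0 - gain) * p_pred
        accepted_nis.append(nis)
        if noise_change_from is None and len(accepted_nis) >= window:
            if sum(accepted_nis[-window:]) / window > noise_factor:
                noise_change_from = k
    return {"estimate": x, "outliers": outliers,
            "noise_change_from": noise_change_from}


if __name__ == "__main__":
    print(kalman_residual_monitor(MEASUREMENTS))
```

In the distributed setting of the abstract each node runs this test on its own innovation before feeding the consensus step, so a node with a faulty sensor is excluded from the average instead of dragging its neighbours' estimates with it.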

End to End Security in Service Oriented Architecture

Mehdi Azarmi, Bharat Bhargava

http://www.cerias.purdue.edu/assets/symposium/2014-posters/AB0-BBB.pdf

With the explosion of web-based services and increasing popularity of cloud computing, Service-Oriented Architecture is becoming a key architectural style for the development of distributed applications. However, there are numerous security challenges in SOA that need to be addressed. In this poster, we discuss the key security challenges in SOA and propose two solutions. These solutions are: a framework for end to end policy monitoring and enforcement; and secure and adaptive service composition.

INSuRE — Information Security Research and Education

PI: Dr. Melissa Dark, CoPI: Brandeis Marshall, Project Team: Courtney Falk, L. Allison Roberts, Filipo Sharevski

http://www.cerias.purdue.edu/assets/symposium/2014-posters/B4D-540.pdf

The INSuRE project is an attempt to pilot and scale, and then again pilot and scale a sustainable research network that 1) connects institution-level resources, University enterprise systems, and national research networks; 2) enables more rapid discovery and recommendation of researchers, expertise, and resources; 3) supports the development of new collaborative science teams to address new or existing research challenges; 4) exposes and engages graduate students in research activity of national priority at participating institutions; 5) provides for the development and sharing of tools that support research, and, 6) facilitates evaluation of research, scholarly activity, and resources, especially over time.

Log-Centric Analytics for Advanced Persistent Threat Detection

Shiqing Ma, Xiangyu Zhang, Dongyan Xu

http://www.cerias.purdue.edu/assets/symposium/2014-posters/DC5-04B.pdf

Today’s enterprises face increasingly significant threats such as advanced persistent threats (APTs). Unfortunately, current cyber attack defense technologies are not keeping up with attack trends. Meanwhile, enterprises continue to generate large volumes of logs and traces at the system, application, and network levels, and these remain under-utilized in cyber attack detection. We present an integrated framework for advanced targeted attack detection. Our framework consists of two major components: LogIC (Log-based Investigation of Causality), a fine-grain system logging and causal analysis tool which enables high-accuracy causal analysis of the system log generated by an individual machine, and LogAn (Log Analytics), a “Big Data” analyzer and correlator for end-system and network logs which enables advanced targeted attack detection by querying and correlating logs across machines in an enterprise. The key idea behind LogIC is to partition the execution of a long-running application process into multiple finer-grain “execution units” for high causal analysis accuracy, without requiring application source code. The key idea behind LogAn is to leverage the single-host causal analysis results to detect an enterprise-wide APT via causal graph recognition and context correlation.
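The following added example (not LogIC or LogAn code, and not their log format) shows why execution-unit partitioning matters for causal analysis. It builds a causal graph from a constructed audit stream in which a long-running browser process is already split into units, then traces backward from an outbound connection to find its root cause and forward from a download to find its impact. Switching use_units off collapses the browser into one node, and the backward trace then drags in an unrelated news page the browser fetched in another unit, the dependency explosion the abstract's partitioning is meant to avoid. Field names and the unit tagging are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample audit stream. Each record names the acting process (pid),
# the execution unit inside that process (unit; assumption: the logger has
# already partitioned long-running processes into units), and one event.
SAMPLE_LOG = """\
t=1 pid=801 unit=0 event=exec path=/usr/bin/browser parent=1
t=2 pid=801 unit=1 event=read path=https://news.example/index
t=3 pid=801 unit=1 event=write path=/home/u/Downloads/report.pdf
t=4 pid=801 unit=2 event=read path=https://evil.example/drop
t=5 pid=801 unit=2 event=write path=/tmp/update.sh
t=6 pid=950 unit=0 event=exec path=/bin/sh parent=801 argv=/tmp/update.sh
t=7 pid=950 unit=0 event=read path=/etc/passwd
t=8 pid=950 unit=0 event=connect path=203.0.113.7:4444
t=9 pid=801 unit=3 event=write path=/home/u/Downloads/cat.jpg
"""


def parse(log_text):
    """Parse key=value records and return them ordered by timestamp."""
    records = []
    for line in log_text.splitlines():
        if line.strip():
            rec = dict(kv.split("=", 1) for kv in line.split())
            rec["t"], rec["pid"] = int(rec["t"]), int(rec["pid"])
            rec["unit"] = int(rec.get("unit", 0))
            records.append(rec)
    return sorted(records, key=lambda r: r["t"])


def build_graph(log_text, use_units=True):
    """Directed causal graph {node: set(successors)}; u -> v means u precedes v.
    With use_units=False a whole process is one node (coarse provenance)."""
    succ = defaultdict(set)
    current_unit = {}          # pid -> unit seen in its most recent record

    def proc(pid, unit):
        return ("proc", pid, unit if use_units else 0)

    def link(a, b):
        succ[a].add(b)
        succ.setdefault(b, set())

    for r in parse(log_text):
        me = proc(r["pid"], r["unit"])
        if use_units and r["unit"] != 0:
            link(proc(r["pid"], 0), me)      # process start precedes every unit
        current_unit[r["pid"]] = r["unit"]
        ev, path = r["event"], r["path"]
        if ev == "exec":
            parent = int(r["parent"])
            link(proc(parent, current_unit.get(parent, 0)), me)
            if "argv" in r:
                link(("file", r["argv"]), me)   # the script it ran is an input
        elif ev == "read":
            link(("file", path), me)
        elif ev == "write":
            link(me, ("file", path))
        elif ev == "connect":
            link(me, ("sock", path))
    return succ


def _reach(edges, start):
    seen, queue = set(), deque([start])
    while queue:
        n = queue.popleft()
        for m in edges.get(n, ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def backward_trace(succ, node):
    """Everything that causally led to node (root-cause direction)."""
    pred = defaultdict(set)
    for u, vs in succ.items():
        for v in vs:
            pred[v].add(u)
    return _reach(pred, node)


def forward_trace(succ, node):
    """Everything node went on to influence (impact direction)."""
    return _reach(succ, node)


if __name__ == "__main__":
    g = build_graph(SAMPLE_LOG)
    for n in sorted(backward_trace(g, ("sock", "203.0.113.7:4444")), key=str):
        print(n)
```

The cross-host step the abstract assigns to LogAn starts from exactly this per-host graph: the ("sock", addr) node on one machine is joined to the accepting process on another, so the backward trace can continue across the enterprise.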

Making the Case of Digital Forensics Field Training for Parole Services

Chris Flory

http://www.cerias.purdue.edu/assets/symposium/2014-posters/F1A-504.pdf

The purpose of my research is to provide insight into the need for digital forensic field training for parole services. The current system utilized by most parole agencies is inefficient, costly, and disadvantageous to public safety. Basic forensic field training and digital equipment for parole agents could reduce arrest times, taxpayer costs, and increase public safety.

Periodic Mobile Forensics

Eric Katz

http://www.cerias.purdue.edu/assets/symposium/2014-posters/137-661.pdf

Android devices are becoming more pervasive. Currently there are few enterprise methods to identify and measure malicious user and application behavior in order to detect when a compromise has occurred. Research being conducted at MITRE in conjunction with Purdue is looking at over the air (OTA) methods to determine when a phone has been compromised and how it can best be detected.

Robust Hybrid Controller Design: Cyber Attack Mitigation Strategy for Cyber-Physical Systems

Cheolhyeon Kwon and Inseok Hwang

http://www.cerias.purdue.edu/assets/symposium/2014-posters/531-FF5.pdf

This paper considers controller design for Cyber-Physical Systems (CPSs) that is robust to various types of cyber attacks. While previous studies have investigated secure control by assuming specific types of attack strategy, in this paper we propose a hybrid robust control scheme that contains multiple sub-controllers, each matched to a different type of cyber attack. The system can then adapt to various cyber attacks (including those not assumed in the sub-controller design) by switching its sub-controllers to achieve the best performance. We propose a method for designing the secure switching logic to counter all possible cyber attacks and mathematically verify the system’s performance and stability as well. The performance of the proposed control scheme is demonstrated by an example of a hybrid H2/H∞ controller applied to a CPS subject to cyber attacks.

Text-based Approaches to Detect Phishing Attacks

Gilchan Park, Lauren Stuart, Julia M. Taylor, Victor Raskin

http://www.cerias.purdue.edu/assets/symposium/2014-posters/410-0E0.pdf

The purpose of the first research is to report on an experiment in text-based phishing detection. The developed algorithm builds on previously published work on PhishNet-NLP, a content-based phishing detection system. In particular, this research analyzes the keywords used in email text to induce recipients to take some action. The algorithm produced considerable results in filtering out malicious emails (a high true positive rate, TPR); however, the rate of legitimate text falsely identified as phishing (the false positive rate, FPR) needed to be addressed. To solve the FPR problem, a trade-off between TPR and FPR was performed to reduce the FPR while minimizing the decrease in phishing detection accuracy. The second research’s aim is to compare the ability of computers and humans to detect phishing attempts. Two series of experiments were conducted, one for the machine and the other for humans, using the same dataset, and both were asked to categorize the emails as phishing or legitimate. The results show that machine and human subjects differ in their classification of phishing emails. This comparison suggests that the human intelligence that detects some types of phishing emails the machine could not recognize needs to be semantically computerized so as to improve the machine’s phishing detection ability.
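An added example, not the authors' PhishNet-NLP-based algorithm, of the TPR/FPR trade-off the abstract performs: a deliberately simple keyword scorer over email text, scored against a small constructed labelled set, with the decision threshold swept and then chosen as the one with the lowest FPR that still meets a required TPR. The keyword lists, the link bonus and the nine sample emails (including a legitimate password-expiry notice that scores like a phish, which is what forces the trade-off) are all assumptions.

```python
import re

# Keyword lists are an assumption for this illustration, not PhishNet-NLP's vocabulary.
ACTION = {"verify", "confirm", "update", "click", "login", "reset"}
URGENCY = {"immediately", "suspended", "urgent", "expire"}

# Constructed, labelled sample set: (email body, is_phishing).
DATASET = [
    ("Your account has been suspended. Click here to verify your password "
     "immediately: http://bank-secure.example/login", True),
    ("Urgent: confirm your payment details within 24 hours or your account "
     "will expire. http://pay-update.example", True),
    ("Please reset your password now, the security team needs you to login "
     "at http://it-help.example", True),
    ("We could not verify your mailbox. Update your credentials immediately.", True),
    ("Lunch at noon tomorrow? Let me know.", False),
    ("Reminder: the quarterly report is due Friday. Slides are at "
     "http://intranet.example/q3", False),
    ("Please confirm your attendance for the team offsite by replying to "
     "this email.", False),
    ("Your password will expire in 10 days. To reset it, visit the IT portal "
     "on the intranet. http://intranet.example/reset", False),
    ("Urgent: the build is broken on main, please fix before the demo.", False),
]


def score(text):
    """Count distinct action and urgency keywords, plus one for a link."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    s = len(tokens & ACTION) + len(tokens & URGENCY)
    if re.search(r"https?://", text):
        s += 1
    return s


def rates(dataset, threshold):
    """(TPR, FPR) when every email with score >= threshold is flagged."""
    positives = [(t, p) for t, p in dataset if p]
    negatives = [(t, p) for t, p in dataset if not p]
    tp = sum(1 for t, _ in positives if score(t) >= threshold)
    fp = sum(1 for t, _ in negatives if score(t) >= threshold)
    return tp / len(positives), fp / len(negatives)


def roc_points(dataset):
    """(threshold, TPR, FPR) for every threshold worth considering."""
    top = max(score(t) for t, _ in dataset)
    return [(th,) + rates(dataset, th) for th in range(0, top + 2)]


def choose_threshold(dataset, min_tpr=0.9):
    """Lowest-FPR threshold that still achieves min_tpr; ties go to the higher
    TPR, then to the more sensitive (lower) threshold."""
    best = None
    for th, tpr, fpr in roc_points(dataset):
        if tpr < min_tpr:
            continue
        key = (fpr, -tpr, th)
        if best is None or key < best[0]:
            best = (key, th)
    return None if best is None else best[1]


if __name__ == "__main__":
    for th, tpr, fpr in roc_points(DATASET):
        print("threshold %d: TPR=%.2f FPR=%.2f" % (th, tpr, fpr))
    print("chosen:", choose_threshold(DATASET))
```

On this set no threshold reaches FPR = 0 without halving the TPR, which is the residual false-positive problem the abstract describes; the legitimate expiry notice is exactly the kind of email the second study finds humans classify differently from the machine.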

The Case of Using Negative (Deceiving) Information in Data Protection

Mohammed Almeshekah, Mikhail Atallah and Eugene Spafford

http://www.cerias.purdue.edu/assets/symposium/2014-posters/822-479.pdf

In this paper we develop a novel taxonomy of methods and techniques that can be used to protect digital information. We explore complex relationships among these protection techniques, grouped into four categories. We present an analysis of these relationships and discuss how they can be applied at different scales within organizations. We map these protection techniques against the cyber kill-chain model and discuss some findings. Moreover, we identify the use of deceit as a useful protection technique that can significantly enhance the security of computer systems. We posit how the well-known Kerckhoffs’s principle has been misinterpreted to drive the security community away from deception-based mechanisms. We examine the advantages these techniques can have when protecting our information in addition to traditional methods of denial and hardening. We show that by intelligently introducing deceit in information systems, we not only lead attackers astray, but also give organizations the ability to detect leakage; create doubt and uncertainty in leaked data; add risk at the adversaries’ side to using the leaked information; and significantly enhance our abilities to attribute adversaries. We discuss how to overcome some of the challenges that hinder the adoption of deception-based techniques.

CERIAS Security Symposium 24&25 March 2015


Cybersecurity discussions have moved from the server room, to the board room, to the talking heads of the media — but all this newfound mass awareness has not translated into being more secure. Major intrusions are now commonplace and a “standard operating procedure” within many industries. Join us for the 16th Annual CERIAS Security Symposium as we examine the current state and emerging trends in information assurance and security, and share some of the breaking research addressing the new landscape. Topical keynotes from government and industry, and in-depth panel discussions addressing current trends and needs, will highlight the two-day event. CERIAS research will be highlighted in faculty technical talks and poster sessions.


Videos

Invited Talk: Sam Curry, Arbor Networks

  • Eugene Spafford, Executive Director CERIAS, Purdue University
  • Debasish (Deba) Dutta, Provost – Purdue University
  • Sam Curry, CTO and CSO, Arbor Networks

Security Fireside Chat

  • Eugene Spafford, Executive Director at CERIAS
  • Sam Curry
  • John Walsh – President Sypris Electronics
  • Dave Toomey – AVP Cyber Business at SRC

CERIAS Program Overview: INSuRE, Melissa Dark

  • Melissa Dark, W.C. Furnas Professor in the College of Technology, Purdue University

Panel Discussion: Advanced Persistent Gullibility

  • Barrett Caldwell, Professor of Industrial Engineering, Purdue University
  • Ellen Powers, MITRE
  • Howard Sypher, Professor; Faculty Fellow, Purdue University, Brian Lamb School of Communication
  • David White, Senior Manager, Computer Security R&D, Sandia National Laboratories
  • Hongxia Jin, Senior Director, Advanced Technology Lab, Samsung Research America

CERIAS TechTalk: Vijay Raghunathan, Purdue University

  • Vijay Raghunathan, Associate Professor of Electrical and Computer Engineering

Invited Talk: Deborah Frincke, Director of Research, NSA/CSS

Video to be Available Soon
  • Deborah Frincke, Director of Research, NSA/CSS

CERIAS Awards: Pillar, Diamond and Poster Awards

  • Eugene Spafford, Executive Director, CERIAS, Purdue University

CERIAS Program Overview: CERIAS / Sypris Cyber Range

  • Joel Rasmus, Director of Strategic Relations, CERIAS
  • Scott Peters, Sypris Electronics

Michelle Finneran Dennedy, McAfee/Intel Security

  • Michelle Finneran Dennedy, VP and CPO McAfee/Intel Security

Download (for free!) Michelle Finneran Dennedy’s book “The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value”

Google Play

iTunes – Books

Barnes & Noble

Panel Discussion: Financial Sector Security

  • Sarath Geethakumar, Senior Director of Mobile & Product Security, Visa Inc
  • Jackie Rees Ulmer, Associate Professor, Management Information Systems, Purdue University
  • Ralph Spencer Poore, PCIP, CFE, CISA, CISSP, CHS-III, Director, Emerging Standards at PCI Security Standards Council
  • Blake Self, Principal Security Architect, US Bank

Firewall Policy Language and Complexity

  • CERIAS TechTalk: Ninghui Li, Professor of Computer Science, Purdue University

Trustworthy Data from Untrusted Services

  • Sunil Prabhakar, Professor and Department Head, Dept. of Computer Science, Purdue University

Indiana – Information Sharing and Analysis Center

  • CERIAS Program Overview: Indiana ISAC, Hans Vargas, CERIAS Alumnus

Closing Comments

Eugene Spafford, Executive Director, CERIAS, Purdue University


Posters & Presentations 2015

Assured Identity and Privacy

A Taxonomy of Privacy-protecting Tools to Browse the World Wide Web

Kelley Misata, Raymond Hansen, Baigan Yang

http://www.cerias.purdue.edu/assets/symposium/2015-posters/1AE-1EA.pdf

There is growing public concern regarding big data and intelligence surveillance of unsuspecting Internet users, and an increase in public conversation around what privacy really means in the digital realm. Although technologies have been developed to help the general public protect their privacy, average users find the tools complex and difficult to decipher. This research aims to weed through some of these complexities by reviewing six publicly recognized technologies promoted to help users protect their privacy while browsing the web. The scope will be broad in order to touch on the important aspects of each technology, including its promises, privacy realities, technical construct, ease of use, and the drawbacks average users should be aware of before using it.

Data Spillage in Hadoop Clusters

Joe Beckman, Tosin Alabi, Dheeraj Gurugubelli

http://www.cerias.purdue.edu/assets/symposium/2015-posters/8A5-562.pdf

Data spillage is the undesired transfer of classified information onto an unauthorized compute node or storage medium. The loss of control over sensitive and protected data can become a serious threat to business operations and national security (NSA Mitigation Group, 2012). We seek to understand whether classified data leaked by user error into an unauthorized Hadoop Distributed File System (HDFS) can be located, recovered, and removed completely from the server.

Deception in Computing – Where and how it has been used

Jeffrey Avery, Chris Guterriez, Mohammed Almeshekah, Saurabh Bagchi, Eugene H. Spafford

http://www.cerias.purdue.edu/assets/symposium/2015-posters/494-E03.pdf

Deception is defined as “presenting an altered view of reality” and has been used by mankind for thousands of years to influence others’ behavior and decision making. More recently, deception has also been applied to computing in a variety of areas, such as human computer interaction and digital communities. This work surveys different areas of computing to determine where and how they use deception. One area we study in particular is how deception is applied to security practices. This work also shows that while security is a growing field, deceptive practices have not been as readily adopted to improve defense.

FIDO Password Replacement: Spoofing a Samsung Galaxy S5 and PayPal Account Using a Latent Fake Fingerprint

Rylan Chong, Chris Flory, Jim Lerums, David Long, Prof Melissa Dark, and Prof Chris Foreman

http://www.cerias.purdue.edu/assets/symposium/2015-posters/1A8-BC8.pdf

Fingerprints are the most common biometric means of authentication. This project was to determine whether the Samsung Galaxy S5 and PayPal FIDO Ready implementation was vulnerable to latent fake fingerprint spoofing using Brown’s (1990) and Smith’s (2014) approaches. Latent fake fingerprints could allow an illegitimate user access to secure information.

INSuRE

Melissa Dark

http://www.cerias.purdue.edu/assets/symposium/2015-posters/CF2-F2E.pdf

The INSuRE project is an attempt to pilot and scale a sustainable research network that: 1. Connects institution-level resources, University enterprise systems, and national research networks; 2. Enables more rapid discovery and recommendation of researchers, expertise, and resources; 3. Supports development of new collaborative science teams addressing new or existing research challenges; 4. Exposes and engages graduate students in research activity of national priority at participating institutions; 5. Provides development and sharing of tools that support research, and, 6. Facilitates evaluation of research, scholarly activity, and resources, especially over time.

Malware in Medical Devices

Susan Fowler

http://www.cerias.purdue.edu/assets/symposium/2015-posters/B6D-644.pdf

Health care facilities are increasingly adopting computers and medical devices into patient care regimens and therapies. Medical devices have evolved to become popular for many purposes, including prolonged managed care including implantable medical devices. Wireless communications are becoming popular for these IMDs as well as for networking medical devices in a clinical setting. Along with these progressions in technology, security and privacy must be considered to ensure patient privacy and safety. Malware can be introduced in many of the same ways traditional computer systems suffer compromises, with wireless technology compounding these vulnerabilities. Regulations and practices must recognize these threats to security, availability and privacy to both health care entities and patients. Keywords: Medical device, malware, information security

Monitoring DBMS Activity for Detecting Data Exfiltration by Insiders

Elisa Bertino, Lorenzo Bossi, Syed Rafiul Hussain, Asmaa Sallam

http://www.cerias.purdue.edu/assets/symposium/2015-posters/C52-5A9.pdf

Data represents one of the most important assets of an organization. The undesired release (exfiltration) of sensitive or proprietary data outside of the organization is one of the most severe threats of insider cyber-attacks. A malicious insider who has the proper credentials to access organizational databases may, over time, send data outside the organization’s network through a variety of channels, such as email, file transfer, web uploads, or specialized HTTP requests that encapsulate the data. Existing security tools for detecting cyber-attacks focus on protecting the boundary between the organization and the outside world. While such tools may be effective in protecting an organization from external attacks, they are less suitable if the data is being transmitted from inside the organization to the outside by an insider who has the proper credentials to access, retrieve, and transmit data. The “Monitoring DBMS Activity for Detecting Data Exfiltration by Insiders” (MDBMS) project is a research effort developing mechanisms to detect and counter efforts on the part of insiders to extract and exfiltrate sensitive data from governments and enterprises.

Privacy-Enhancing Features of Identidroid

Daniele Midi, Oyindamola Oluwatimi, Bilal Shebaro, Elisa Bertino

http://www.cerias.purdue.edu/assets/symposium/2015-posters/65B-48E.pdf

As privacy today is a major concern for mobile systems, network anonymizers are widely available on smartphone systems, such as Android. However, in many cases applications are still able to identify the user and the device by means different from the IP address. Our work provides two solutions that address this problem by providing application-level anonymity. The first solution shadows sensitive data that can reveal the user identity. The second solution dynamically revokes Android application permissions associated with sensitive information at run-time. In addition, both solutions offer protection from applications that identify their users through traces left in the application’s data storage or by exchanging identifying data messages. We developed IdentiDroid, a customized Android operating system, to deploy these solutions, and built IdentiDroid Profile Manager, a profile-based configuration tool for setting different configurations for each installed Android application.

Private Information Retrieval

Michael Kouremetis, Craig West

http://www.cerias.purdue.edu/assets/symposium/2015-posters/C67-802.pdf

Private Information Retrieval (PIR) is an important subject in the field of Information Retrieval. PIR allows two parties to communicate without revealing the information to one of the parties. The goal of our project is to implement a Private Information Retrieval proof of concept utilizing a robust protocol by I. Goldberg (Goldberg’s Protocol). By implementing a proof of concept we will look at the underlying structures and cryptographic protocols used in Private Information Retrieval. With a greater understanding of Private Information Retrieval, and the underlying protocols, we would potentially be able to help develop systems which need certain privacy-based queries, an extension beyond just index retrieval.

The Deep Web: An Exploratory Study of Social Networks

Rachel Sitarz and Kelly Cole

http://www.cerias.purdue.edu/assets/symposium/2015-posters/89B-BFD.pdf

The purpose of the current study was to investigate the reason one would use an anonymous .onion social network. The current study surveyed users on various Tor social networks (n=200), through the use of an unstructured, open ended questionnaire. Data was analyzed using a Thematic Analysis method. The top 5 themes and demographics were recorded and presented below.

End System Security

Car Hacking: Determining the Relative Risk of Vehicle Compromise

David Hersh

http://www.cerias.purdue.edu/assets/symposium/2015-posters/D27-C0C.pdf

In recent years, cars have gone through a technological renaissance, with each generation containing more features than the previous one. One of the features becoming increasingly common is built-in wireless connectivity, such as Bluetooth, Wi-Fi and 3G. While this added functionality is beneficial to the consumer, this opens up a new avenue of attack for hackers and criminals. But unlike a personal computer, if a car is hacked, the potential negative consequences are much higher. If an adversary can wirelessly exploit a car, they may be able to eavesdrop on conversations, turn off warning lights, and even control brakes and steering. Although multiple groups of researchers have shown that there are major security problems in common consumer vehicles, there is little experimental research on vehicle security. To encourage further research in this area, this work introduces a methodology for assessing the relative risk level of a vehicle (i.e., the risk associated with adding specific features to a vehicle and how they’re implemented).

Data Confidentiality and Integrity

Scott Carr, Mathias Payer

http://www.cerias.purdue.edu/assets/symposium/2015-posters/212-C85.pdf

The root cause of most security vulnerabilities is memory corruption. Previous research focused on preventing memory corruptions that attackers use to change the program’s intended control-flow. As these protections become more refined and widely deployed, attackers will resort to non-control data attacks. Non-control data attacks do not divert the intended control-flow, but simply read or write data in unintended ways by abusing a temporal or spatial memory safety error or a type error. A recent example of this is the Heartbleed bug where a buffer overflow allows an attacker to read the server’s private key. This example shows that non-control data attacks can be just as damaging as control-flow hijack attacks. Data Confidentiality and Integrity (DCI) augments the C programming language with a small set of annotations which allow the programmer to select protected data types. The compiler and runtime system prevent illegal reads and writes to variables of these types. The programmer selects types that contain information such as password lists, cryptographic keys, or identification tokens. Allowing the programmer to choose the protected data reduces overhead. Total memory protection mechanisms have been proposed, but have not been widely adopted due to prohibitively high overhead. With DCI, the programmer can specify the subset of security-critical data and only pay the protection overhead cost of that subset – rather than all the data in the program. Our prototype shows the practicality of our approach. It effectively protects benchmarks and large programs.

PD3: Policy–based Distributed Data Dissemination

Rohit Ranchal, Denis Ulybyshev, Pelin Angin, Bharat Bhargava

http://www.cerias.purdue.edu/assets/symposium/2015-posters/A61-FBE.pdf

Modern distributed systems (such as composite web services, cloud solutions) comprise a number of hosts, which collaborate, interact and share data. One of the main requirements of these systems is policy-based distributed data dissemination (PD3). In the PD3 problem, the data owner wants to share data with a set of hosts. Each host is only authorized to access a subset of the data. The data owner can directly interact only with a subset of hosts and relies on these hosts to disseminate data to other hosts. In order to ensure correct delivery of appropriate data to each host, it is necessary that each host shares the entire data even though the hosts are only authorized for a certain subset of the data. We provide a formal description of the problem and propose a data-centric approach to address PD3. The approach enables policy-based secure data dissemination and protects data throughout their lifecycle. It is independent of trusted third parties, does not require source availability and has the ability to operate in unknown environments. The approach is demonstrated through its application to composite web services.

SNIPE: Signature Generation for Phishing Emails

Jeff Avery, Christopher Gutierrez, Paul Wood, Raffaele Della Corte, Jon Fulkerson, Gaspar Modelo-Howard, Brian Berndt, Keith McDermott, Saurabh Bagchi, Dan Goldwasser, Marcello Cinque

http://www.cerias.purdue.edu/assets/symposium/2015-posters/79F-4F7.pdf

Phishing attacks continue to pose a major headache for defenders of computing systems, often forming the first step in a multi-stage attack. There have been great strides made in phishing detection and email servers have gotten good at flagging potential phishing messages. However, some insidious kinds of phishing messages appear to pass through filters by making seemingly simple structural and semantic changes to the messages. We tackle this problem in this paper, through the use of machine learning algorithms operating on a large corpus of phishing messages and legitimate messages. By understanding common phishing features, we design a system to extract features and extrapolate out values of such features. The algorithms are specialized for phishing detection, such as the use of synonyms or change in sentence structure. The insights and algorithms are instantiated in a system called SNIPE (Signature geNeratIon for Phishing Emails). To evaluate SNIPE, we collect the largest known corpus of phishing messages (used in any publicly known study) from the central IT organization at a tier-1 research university. We run SNIPE on the dataset and it exposes some hitherto unknown insights about phishing campaigns directed at university users. SNIPE is able to detect 100% of phishing messages that had eluded our production deployment of Sophos, a state-of-the-art email filtering tool today.

Human Centric Security

Improving the Biometric Data Collection Process through Six Sigma

Rylan C. Chong, T. Grant Goe, Dr. Chad Laux

http://www.cerias.purdue.edu/assets/symposium/2015-posters/1F1-36B.pdf

Since Six Sigma’s applications have been maturing and expanding into other industries, can Six Sigma be applied to the biometric industry? An area Six Sigma could be applied to is the process of improving the quality of data collection. An example utilized to discuss Six Sigma application was through a case study approach using Brockly’s study (2013). Brockly’s study investigated what effect biometric multimodal data collection procedures and the test administrators had on the quality of data collected.

Information Alignment and Visualization for Security Operations Center Teams

Omar Eldardiry, Mallorie Bradlau, Barrett Caldwell

http://www.cerias.purdue.edu/assets/symposium/2015-posters/2DA-870.pdf

The development of cyber network operations centers (NOCs) has created new needs to support human sensemaking via improved information alignment and visualization. This poster focuses on information needs and gaps involving network operations center (NOC) and security operations center (SOC) analyst personnel. Our goal is to enhance analyst sensemaking and usability of tools to assist security analysts in monitoring, managing and protecting their networks from suspicious activities. This project has proceeded in several stages. Based on previous interview findings, an in-depth investigation and job shadowing was conducted with different SOC teams. The findings highlighted three promising areas of improvement for NOC and SOC tools to improve network operations sensemaking, team performance, and organizational information alignment.

Meaning-Based Machine Learning

Courtney Falk, Lauren Stuart

http://www.cerias.purdue.edu/assets/symposium/2015-posters/B24-2EA.pdf

Meaning-Based Machine Learning (MBML) is a research program intended to show how training machine learning (ML) algorithms on meaningful data produces more accurate results than training on unstructured data.

Natural Language IAS: Style Metrics from Semantic Analysis

Lauren M. Stuart, Julia M. Taylor, Victor Raskin

http://www.cerias.purdue.edu/assets/symposium/2015-posters/F99-DDB.pdf

Stylometry is the quantification of author style such that authorship of a text can be posited, verified, or obfuscated. Style features currently in use capture the surface features of texts (such as punctuation use, misspellings, words or parts of words, and morphology), but some qualities of author style may be better captured by, or in conjunction with, meaning-based features. This poster outlines ongoing work in positing and evaluating author style quantification using meaning representation structures.

Password Coping Mechanisms

Austin Klasa, Dr. Melissa Dark

http://www.cerias.purdue.edu/assets/symposium/2015-posters/2D3-257.pdf

Passwords are the most common means of authenticating users, and the number of passwords a user must remember is increasing. This leads to the need to classify and study password coping mechanisms. This research project is a literature review and analysis of past research to classify password coping mechanisms and create a password coping mechanism taxonomy.

Network Security

A Visual Analytics based approach on identifying Server Redirections and Data Exfiltration

Weijie Wang, Baijian Yang, Yingjie Chen

http://www.cerias.purdue.edu/assets/symposium/2015-posters/180-154.pdf

How to better find potential cyber attacks is the billion-dollar question facing security researchers and practitioners. In recent years, visualization has been applied in the field of information technology, but most work has not been able to provide better results than non-visualization-based techniques. In this work, we innovatively designed a graphic-based system overview that can make suspicious activities related to server redirection attacks and data exfiltration easier to identify. Due to the nature of the problem, the overview design must be scalable, accurate, and fast. This demands that the system visualize data that can reveal security events rather than simply plotting the raw data. The approach adopted in this work is to visualize aggregated traffic characteristics. The system is evaluated with the test data sets from VAST 2013 mini-challenge 3. The results are very encouraging and shed more positive light on applying visual analytics in information security.

Evaluating Public Cloud Providers

Courtney Falk

http://www.cerias.purdue.edu/assets/symposium/2015-posters/5DD-E79.pdf

Security for public cloud providers is an ongoing concern. Programs like FedRAMP look to certify a minimum level of compliance. This project aims to build a tool to help decision makers compare different cloud solutions and weigh the risks against their own organizational needs.

Fast and Scalable Authentication for Vehicular Internet of Things

Ankush Singla, Anand Mudgeri, Ioannis Papapanagiotou, Atilla Yavuz

http://www.cerias.purdue.edu/assets/symposium/2015-posters/B37-A94.pdf

Modern vehicles are being equipped with advanced sensing and communication technologies, which enable them to support innovative services in the Internet of Vehicles (IoV) era such as autonomous driving. These services can be effective through the spatial and temporal synchronization of the vehicle with the other entities in the environment. Hence, the communication in IoVs must be delay-aware, reliable, scalable and secure to (a) prevent an attacker from injecting/manipulating messages; (b) minimize the impact (e.g., delay, communication overhead) introduced by crypto operations. For instance, consider a group of vehicles driving on a highway at high speed. Once a vehicle brakes suddenly, this is broadcast to other vehicles to avoid collision. If the delay introduced by the crypto operations negatively affects the braking distance, then a car may not be able to stop in time. The current vehicular communication standards mandate the use of Public Key Infrastructures (PKI) to protect critical messages. However, existing crypto mechanisms introduce significant computation and bandwidth overhead, which creates critical safety problems. It is a vital research problem to develop security mechanisms that can meet the requirements of emerging IoVs. The overall goal of this research is to develop a new suite of cryptographic mechanisms, supported with a time-valid framework and hardware acceleration, to ensure secure and reliable operation of IoVs. This project develops, analyzes and implements new authentication methods and then pushes the performance to the edge via cryptographic hardware acceleration.

Hardware to Virtual Firewall Migration Heuristic Rules

Ibrahim Waziri Jr

http://www.cerias.purdue.edu/assets/symposium/2015-posters/9AB-546.pdf

In this era of cloud computing, many data centers rely on a composite security framework consisting of hardware and virtual firewalls. Hardware firewalls are optimized for greater throughput while virtualized firewalls can only scale to match DoS attempts. To maximize the utility of each form factor, we developed an in-line firewall scheme with a variable filtering point. The primary filtering point changes between hardware and virtual firewalls based on real-time conditions. The architecture incorporates heuristic-based migration logic. To define the heuristics, a performance evaluation was conducted following two test scenarios: spike tests and endurance tests. Packet throughput was also assessed using JMeter. The results indicate that a threshold approach to filter-point migration maximizes network throughput while offering the insurance of on-demand scalability.

How Secure and Quick is QUIC? Provable Security and Performance Analyses

Robert Lychev, Samuel Jero, Alexandra Boldyreva, and Cristina Nita-Rotaru

http://www.cerias.purdue.edu/assets/symposium/2015-posters/D58-DCA.pdf

QUIC is a secure transport protocol developed by Google and implemented in Chrome in 2013, currently representing one of the most promising solutions to decreasing latency while intending to provide security properties similar to TLS. In this work we shed some light on QUIC’s strengths and weaknesses in terms of its provable security and performance guarantees in the presence of attackers. We introduce a security model for analyzing performance-driven protocols like QUIC and prove that QUIC satisfies our definition under reasonable assumptions on the protocol’s building blocks. Our analyses also reveal that with simple replay and manipulation attacks on some public parameters exchanged during the handshake, an adversary could easily prevent QUIC from achieving minimal latency by causing connection failure, probably resulting in fallback to TLS.

MIRROR: Automated Race Bug Detection for the Web via Network Events Replay

Sze Yiu Chau, Hyojeong Lee, Byungchan An, Julian Dolby and Cristina Nita-Rotaru

http://www.cerias.purdue.edu/assets/symposium/2015-posters/9FA-4B9.pdf

Many web applications are written in an asynchronous style, in which logic is triggered in response to network and user events. While this approach has performance benefits and can provide improved user experience, it also makes applications more error prone since the most used languages such as HTML and JavaScript do not provide any explicit support for concurrency control. We present MIRROR, a minimally-invasive race detector for client-side web applications which leverages recording and automated replaying of network events. Our tool uses a static approximation of happens-before ordering to automatically generate different testing scenarios by changing the order of these network events. Our tool is browser agnostic and can be used for both debugging and race finding as it does not require repeated interaction with the production server. We evaluate MIRROR using a benchmark of eight applications, where each captures a representative buggy coding pattern. Out of the eight applications, MIRROR was able to manifest and detect the bug for seven of them.

Network Forensics of Covert Channels in IPv6

Lourdes Gino D and Prof. Raymond A Hansen

http://www.cerias.purdue.edu/assets/symposium/2015-posters/961-F17.pdf

According to Craig H. Rowland, “A covert channel is described as any communication channel that can be exploited by a process to transfer information in a manner that violates the system’s security policy. Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information”. Covert channels in IPv4 have existed for a while and there have been various detection mechanisms. But the advent of IPv6 requires new research to identify covert channels and be able to perform forensics on such attacks. The current study aims at exploring the possibilities of performing forensics on such covert channels in IPv6.

Security Business Intelligence (SBI) Curriculum – Blazing the Trail

Kelley Misata, Dr. Marcus Rogers

http://www.cerias.purdue.edu/assets/symposium/2015-posters/346-6EE.pdf

The vision for this project was to create an undergraduate, multi-disciplinary security business intelligence (SBI) curriculum aimed at preparing students for the future of security business intelligence in enterprises. Students will navigate through basic processes, life cycles and data gathering and analysis tools in alignment with SBI critical in an organizational setting. Learning for this course will be conducted through lectures, lab based homework assignments, examinations and a presentation project.

Policy, Law and Management

Cyber Forensics: The Need For An Official Governing Body

Ibrahim Waziri Jr, Rachel Sitarz

http://www.cerias.purdue.edu/assets/symposium/2015-posters/595-B62.pdf

In this study we identified and addressed some of the key challenges in digital forensics. An intensive review was conducted of the major challenges that have already been identified. At the end, the findings proposed a solution and how having a standardized body that governs the digital forensics community could make a difference.

Digital Forensics in Law Enforcement: A Needs Based Analysis of Indiana Agencies

Teri Flory, Rachel Sitarz

http://www.cerias.purdue.edu/assets/symposium/2015-posters/369-D48.pdf

Many national needs assessments were conducted in the late 1990s and early 2000s by the Department of Justice and the National Institute of Justice, which all indicated that State and Local Law Enforcement did not have the training, tools, or staff to effectively conduct digital investigations (Institute for Security and Technology Studies [ISTS], 2002; National Institute of Justice [NIJ], 2004). Some of these needs assessments have also been conducted at a state level, but Indiana is not one of those states (Gogolin & Jones, 2010). Further, there are multiple training opportunities and publications that are available at no cost to state and local law enforcement, but it is not clear how many agencies use these resources (https://www.fletc.gov/state-local-tribal; https://www.ncfi.usss.gov). This pilot study will provide a more up-to-date and localized assessment of the ability of Indiana Law Enforcement Agencies to effectively investigate when a crime that involves digital evidence is alleged to have occurred.

U.S. Bank of Cyber

Danielle Crimmins, Courtney Falk, Susan Fowler, Caitlin Gravel, Michael Kouremetis, Erin Poremski, Rachel Sitarz, Nick Sturgeon, Yulong Zhang and Dr. Sam Liles

http://www.cerias.purdue.edu/assets/symposium/2015-posters/EF2-253.pdf

The technical report looked at past cyber attacks on the United States financial industry for analysis of attack patterns by individuals, groups, and nation states to determine if the industry really is under attack. An analysis explored attack origination from individuals, groups, and/or nation states as well as the type of attacks and any patterns seen. After gathering attacks and creating a timeline, a taxonomy of attacks is then created from the analysis of attack data. A Strengths, Weaknesses, Opportunities, and Threats (S.W.O.T.) analysis is then applied to the case study Heartland Payment Systems.

Web Based Cyber Forensics Training

Nick Sturgeon and Dr. Marcus Rogers

http://www.cerias.purdue.edu/assets/symposium/2015-posters/4EC-8A2.pdf

There is a specific need for high availability, high quality and low cost training for Law Enforcement officers in the Cyber Forensics Domain.

What Lies Beneath? The Forensics of Online Dating

Dheeraj Gurugubelli, Lourdes Gino and Dr. Marcus K Rogers

http://www.cerias.purdue.edu/assets/symposium/2015-posters/440-484.pdf

If you are an overworked, 25-year-old professional, working through the clock, even dating websites can seem uninteresting and too time consuming. Thanks to slide-, scroll- and swipe-based online dating smartphone apps, one can just scroll through pictures, and connect or pass profiles with a swipe on a smartphone. Value-added features like geo-location-based user filtering, college-based user matches, megaflirt and user-to-user messaging are available for a small premium subscription fee. This is exactly the phenomenon behind dating apps like Tinder, CoffeemeetsBagel, DateMySchool, Zoosk and many others. Such platforms that allow information storage and sharing open doors to cybercriminals, who prey on the users. This research aims to discover the digital evidence from such apps in smartphones.

Prevention, Detection and Response

A Tool For Interactive Visual Threat Analytics and Intelligence, based on OpenSOC Framework

Lourdes Gino D, Dheeraj Gurugubelli and Dr. Marcus Rogers

http://www.cerias.purdue.edu/assets/symposium/2015-posters/9E8-4EE.pdf

Cyber Threat Intelligence is a booming area in the field of Information Security that deals with aggregation, processing, evaluation and reporting of reliable information in real-time pertaining to threats posed on the cyber world that encompasses computers, smartphones, tablets and any device that’s connected to the Internet. The imminent need for threat intelligence is growing rapidly as the data flowing through the cyber world is growing gargantuan and as we are moving towards the Internet of Things where almost anything is connected to the Internet. Visual Threat Intelligence takes threat intelligence to the next step where the data is presented in a human-perceivable way so as to help in making right and quick decisions to avert the cyber threat. The OpenSOC framework provides a unified platform for ingest, storage and analytics. The purpose of this research is to build an open-source visual threat intelligence tool based on the OpenSOC framework built over the Hadoop framework.

Achieving a Cyber-Secure Smart Grid through Situation Aware Visual Analytics

Dheeraj Gurugubelli, Dr. Chris Foreman and Dr. David Ebert

http://www.cerias.purdue.edu/assets/symposium/2015-posters/BE7-5C6.pdf

Utilities face enormous pressure to streamline their operations and provide consumption information to the consumers for better energy management. Smart meters have been instrumental in achieving better energy management. But like any new deployment of technology, smart meters are prone to cyber attacks. Except, in this case they are part of the critical infrastructure of the nation. The goal of this project would be to leverage visual analytics for delivering near-to-real-time visual insights on smart meter data that will help make quicker decisions in times of a cyber response need. Cybersecurity of the Advanced Metering Infrastructure (AMI) continues to be one of the top research priorities in the industry right now. Securing the smart grid is about managing a continuum of risk across all the components in the grid within the right timeline. Performing analytics and making decisions based on large volumes of network data in real-time would boost the response time significantly. This research aims at visualizing network data obtained from processing the end-component profile data and network data from the AMI networks through a distributed data processing model.

Assessing Risk and Cyber Resiliency

Corey T. Holzer and James E. Merritt

http://www.cerias.purdue.edu/assets/symposium/2015-posters/4A5-418.pdf

The project is a review of existing risk assessment models and the newly created resiliency frameworks in order to assess how risk is being calculated and incorporated into cyber resiliency and to research the underlying assumptions that have been made in the forming of the current body of knowledge surrounding risk management and analysis in the field of cyber resilience. By comparing current quantitative and qualitative risk solutions we hope to identify any discrepancies, fallacies, or oversights that may have been worked into the current orthodoxy of cyber risk management. We intend to use these identified shortcomings to adapt and strengthen the current risk management process used to analyze risk in the field of cyber resilience.

Basic Dynamic Processes Analysis of Malware in Hypervisors: Type I & II

Ibrahim Waziri Jr

http://www.cerias.purdue.edu/assets/symposium/2015-posters/AAC-65E.pdf

This study compares, analyzes and studies the behavior of malware processes within both Type 1 & Type 2 virtualized environments. In order to achieve this we set up two different virtualized environments and thoroughly analyze each malware process’s behavior. The goal is to see if there is a difference between the behaviors of malware within the 2 different architectures. At the end we achieved a result and realized there is no significant difference in how malware processes run and behave on either virtualized environment. However, our study is limited to basic analysis using basic tools. An advanced analysis with more sophisticated tools could prove otherwise.

ErsatzPasswords – Ending Password Cracking

Christopher N. Gutierrez, Mohammed H. Almeshekah, Mikhail J. Atallah, and Eugene H. Spafford

http://www.cerias.purdue.edu/assets/symposium/2015-posters/0D5-AED.pdf

In this work we present a simple, yet effective and practical, scheme to improve the security of stored password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the hashed password file or any client modifications. When using the scheme the structure of the hashed passwords file, /etc/shadow or /etc/master.passwd, will appear no different than in the traditional scheme. However, when an attacker exfiltrates the hashed passwords file and tries to crack it, the only passwords he will get are the ersatzpasswords — the “fake passwords”. When an attempt to login using these ersatzpasswords is detected an alarm will be triggered in the system that someone attempted to crack the password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

Increasing robustness and resilience: assessing disruptions and dependencies in analysis of System-of-Systems alternatives

Daniel Delaurentis, Karen Marais, Navindran Davendralingam, Zhemei Fang, Cesare Guariniello, Payuna Uday

http://www.cerias.purdue.edu/assets/symposium/2015-posters/46B-19D.pdf

This poster describes a multi-disciplinary effort, funded by the DoD’s Systems Engineering Research Center (SERC), towards establishing a System of Systems Analytic Workbench of computational tools to facilitate better-informed decision-making on SoS architectures. The work seeks to map relevant questions in system-of-systems architectural decisions to an appropriate set of quantitative methods that can provide analytical outputs to directly support decisions. Such an integrated approach is suitable to address the problem of increasing robustness and resilience in complex systems, with the goal of preventing or mitigating the effect of disruptions on the overall behavior of the system.

JagWarz Junior: Cyber Security for Young Adolescents

Jasmine Herbert, Rushabh Vyas, Connie Justice, Vicky Smith

http://www.cerias.purdue.edu/assets/symposium/2015-posters/2C8-2DF.pdf

Currently there are few methodologies for introducing cyber security to young adolescents. This area of research will examine the importance of teaching cyber security at an early age as well as the significance of introducing cyber security through the use of digital game based learning. Within this study, cyber security will be taught to a sample of young adolescents through the use of a capture the flag style game, JagWaRz Junior. The effectiveness of JagWaRz Junior will be quantitatively measured through a pretest and posttest presented to the participants. Overall, this game will encompass ways to handle many of the risks that come with Internet usage at an early age. These risks include but are not limited to cyber bullying, pornography, online predators, personal privacy, and password protection. The results of this study will contribute to our understanding of the effectiveness of digital game based pedagogic learning.

Malware Defense with Access Control Policy and Integrity Levels

Nicole Hands, Harish Kumaravel

http://www.cerias.purdue.edu/assets/symposium/2015-posters/128-25A.pdf

With the persistent threat of cyber attacks of many, ever-changing forms, the need for computer systems to have a comprehensive protection schema that can provide security against unknown, known, and polymorphic threats becomes apparent. Working under the premise that compromise is inevitable, the system should be able to detect that it has been compromised and respond in such a way that functionality degrades incrementally. This study represents a synthesis of multiple fields of research from integrity levels of operation to malware detection methods to access control policy. The system function of FTP will be used as a model and broken down into discrete computational units which will each be assigned attributes from which access control policy can be created. Upon change in the state of the attribute based on the premise that this change was caused by malware infection, the system would respond by lowering its integrity level, with processes continuing to function under modified rules. Preliminary work from the study will be presented.

Modeling Deception In Information Security As A Hypergame – A Primer

Christopher N. Gutierrez, Mohammed H. Almeshekah, Jeff Avery, Saurabh Bagchi, and Eugene H. Spafford

http://www.cerias.purdue.edu/assets/symposium/2015-posters/B4B-3D9.pdf

Hypergames are a branch of game theory to model and analyze game theoretic conflicts between multiple players who may have misconceptions of other players’ actions, preferences, and/or knowledge. They have been used to model military conflicts such as the Allied invasion of Normandy in 1945, the fall of France in WWII, the Cuban missile crisis, etc. Unlike traditional game theory models, hypergames give us the ability to model misperception that results from the use of deception, mimicry, and misinformation. There is little work that analyzes the use of deception as a strategic defensive mechanism in computing systems. This poster will present a hypergame model to analyze computer security conflicts. We discuss how hypergames can be used to model the interaction between adversaries and system defenders. We discuss a specific example where we model the interaction between adversaries, who wish to steal some confidential data from an enterprise, and security administrators, who protect the system. We show the advantages of incorporating deception as a defense mechanism as part of the hypergame model.
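The mechanics the abstract alludes to, each player solving the game they believe they are in while the outcome is scored in the true game, are easier to see on a concrete instance. The Python below is an added toy hypergame written for this page, not the poster's model: the scenario (a database with real data and a file share holding decoy data), the moves and every payoff are constructed for illustration, and pure-strategy maximin is used as the players' decision rule.

```python
from typing import Dict, Tuple

# Constructed toy hypergame, not taken from the poster. Payoff tuples are
# (attacker payoff, defender payoff); all values are illustrative.
Outcome = Tuple[str, str]
Game = Dict[Outcome, Tuple[int, int]]

ATTACKER_MOVES = ("hit_db", "hit_share")          # where the attacker goes for the data
DEFENDER_MOVES = ("monitor_db", "monitor_share")  # where the defender concentrates detection

# True game, known to the defender: the share holds only decoy data and is
# instrumented, so going there gains nothing and is always detected.
TRUE_GAME: Game = {
    ("hit_db", "monitor_db"): (2, -2),
    ("hit_db", "monitor_share"): (5, -5),
    ("hit_share", "monitor_db"): (-3, 3),
    ("hit_share", "monitor_share"): (-3, 3),
}

# The attacker's perception under deception: both stores look real and the
# share looks like the softer target.
DECEIVED_VIEW: Game = {
    ("hit_db", "monitor_db"): (2, -2),
    ("hit_db", "monitor_share"): (5, -5),
    ("hit_share", "monitor_db"): (5, -5),
    ("hit_share", "monitor_share"): (3, -3),
}


def maximin(game: Game, player: int) -> str:
    """Pure-strategy maximin for player 0 (attacker) or 1 (defender) in `game`."""
    own, other = (ATTACKER_MOVES, DEFENDER_MOVES) if player == 0 else (DEFENDER_MOVES, ATTACKER_MOVES)

    def worst_case(move: str) -> int:
        return min(game[(move, o) if player == 0 else (o, move)][player] for o in other)

    return max(own, key=worst_case)


def play(attacker_view: Game, defender_view: Game = TRUE_GAME):
    """Each side picks its maximin move in its own perceived game; the pair is scored in TRUE_GAME."""
    a = maximin(attacker_view, 0)
    d = maximin(defender_view, 1)
    return a, d, TRUE_GAME[(a, d)]


if __name__ == "__main__":
    print("no deception (attacker sees the true game):", play(TRUE_GAME))
    print("decoy share (attacker misperceives):      ", play(DECEIVED_VIEW))
```

Without deception the attacker's safe move is the database and the defender ends at -2; once the attacker's perceived game differs from the true one, the same decision rule sends the attacker to the instrumented share and the defender's true payoff becomes 3. The hypergame adds nothing to the solution concept itself; what it adds is the separate perceived game per player.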

Risk Assessment in Layered Solutions

Christopher Martinez, Robert Haverkos

http://www.cerias.purdue.edu/assets/symposium/2015-posters/AB5-6F7.pdf

The transmission of classified (or highly sensitive) data requires a high degree of assurance. This project presents a meaningful method of combining risk assessments for individual security mechanisms into a risk assessment for the overall capability package (the layered solution).

Using Syntactic Features for Phishing Detection

Students: Gilchan Park / Advisor: Julia M. Taylor

http://www.cerias.purdue.edu/assets/symposium/2015-posters/4D4-975.pdf

The purpose of this research is to explore whether the syntactic structures and subjects and objects of verbs can be distinguishable features for phishing detection. To achieve the objective, we have conducted two series of experiments: the syntactic similarity for sentences, and the subject and object of verb comparison. The results of the experiments indicated that both features can be used for some verbs, but more work has to be done for others. The phishing corpora are composed of old and up-to-date phishing emails, and the gap between them is over 10 years. To observe whether the patterns in phishing emails have changed over time with respect to subjects and objects of the verbs, we additionally compared the two phishing corpora. The results showed us that most subjects and objects were still identical, or similar from a semantic perspective.

Cyber Security Club Archive Presentations and Slides


Cyber Security Club Archive

from: http://www.isis.poly.edu/cyber-security-club and http://www.isis.poly.edu/cyber-security-club/archive

Date | Title | Speaker | Materials | Room
March 11, 2015 | So you want to be a Hacker? | Nick Freeman | Notes | RH 227
April 8, 2015 | How to Score an Awesome Security Internship | Emily Wicki | Presentation | RH 227
April 23, 2014 | | Rahil Parikh | Presentation |
April 16, 2014 | Advanced Python | Kevin Chung | Presentation |
April 2, 2014 | Smashing the Ether for Fun and Profit | iSEC Partners | Presentation |
February 5, 2014 | Intro to Web Pentesting | Kevin Chung | Presentation | RH227
November 27, 2013 | Finding Bugs for Profit and Fun | Kevin Chung | Presentation |
November 20, 2013 | Active Directory | Nicholas Anderson | Presentation |
October 30, 2013 | Physical Access Threats To Workstations | Brad Antoniewicz | Presentation |
October 23, 2013 | Keynote: Unsolved Problems in Computer Security | Julian Cohen | Presentation |
September 18, 2013 | How to play CSAW CTF | Kevin Chung | Presentation | JAB 774
September 11, 2013 | Intro to NFC | Robert Portvliet | Presentation | JAB 774
April 24, 2013 | Finding Bugs for Fun, Profit, and Cocaine | Omar | http://omar.li/ |
April 10, 2013 | InfoSec Management | Erik Cabetas | Presentation |
March 13, 2013 | Mobile Application Security | Corey Benninger | Presentation |
March 6, 2013 | Building organizational policy that enhances security | Sean Brooks | Resources |
February 20, 2013 | Malware Detection | Ryan Van Antwerp | Presentation |
December 5, 2012 | Understanding Why Your Neighbor’s Wi-Fi is Vulnerable | Kevin Chung | Understanding Why Your Neighbor’s Wi-Fi is Vulnerable |
November 7, 2012 | Clearing the Red Forest | Michael Sikorski | Clearing the Red Forest |
October 24, 2012 | Passive Web Forensics: Monitoring, Logging and Analyzing Web Traffic with Net Sensor | Boris Kochergin | Passive Web Forensics |
October 3, 2012 | IPv6 Security | Invited Expert: Keith O’Brien, Cisco | IPv6 Security |
September 19, 2012 | Keynote: Raphael Mudge, Armitage | Raphael Mudge, Armitage | Armitage |
September 12, 2012 | The Mobile Exploit Intelligence Project | Dan Guido, Co-Founder and CEO, Trail of Bits | The Mobile Exploit Intelligence Project |
April 11, 2012 | Invited Expert: IPv6 Security | Keith O’Brien | IPv6 Security |
April 4, 2012 | All About vtrace/Pin | Phil Da Silva | vtrace_internals |
March 28, 2012 | Cross-Origin Resource Inclusion | Julian Cohen | Cross-Origin Resource Inclusion |
March 7, 2012 | Keynote: The purpose of InfoSec is to support a business…O’RLY? YA’RLY! | Erik Cabetas | The Role of InfoSec in Business |
February 8, 2012 | Introduction to x86 | Julian Cohen | Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration |
February 1, 2012 | Greyhat Ruby: A Stephen Ridley Talk | Luis Garcia | Greyhat Ruby |
April 13, 2011 | IPv6 Security | Keith O’Brien | IPv6 Security |
April 6, 2011 | Applied Application Security | Julian Cohen | Applied Application Security |
March 30, 2011 | Legal Developments in Information Security | Rob Widham | Secrecy, Surveillance and FISA: A Legal Overview |
March 23, 2011 | Hardware Security Part 2 | Jeyavijayan Rajendran | Hardware Security |
March 9, 2011 | Hardware Security Part 1 | Jeyavijayan Rajendran | Hardware Security |
March 2, 2011 | Computer Crimes and Investigations | John Koelzer | Developments in Cyber Crime ACH Fraud |
February 16, 2011 | Windows Active Directory Part 2 | Jonathan Livolsi | Windows Active Directory |
February 9, 2011 | Windows Active Directory Part 1 | Jonathan Livolsi | Windows Active Directory |
February 2, 2011 | Malware Research | Jonathan Chittenden | Malware Research |
December 1, 2010 | Enterprise-Wide Incident Response | James Carder and Justin Prosco | Enterprise-Wide Incident Response | LC400
November 24, 2010 | Introduction to Memory Corruption Part 3 | Luis E. Garcia II and Julian Cohen | Introduction To Memory Corruption |
November 17, 2010 | Introduction to Memory Corruption Part 2 | Luis E. Garcia II and Julian Cohen | Introduction To Memory Corruption |
November 10, 2010 | Introduction to Memory Corruption Part 1 | Luis E. Garcia II and Julian Cohen | Introduction To Memory Corruption |
October 27, 2010 | Layer 2 Network Security | Boris Kochergin | Layer 2 Network Security |
October 20, 2010 | Applied Application Security: How we secured boxes against the best hackers in the world for the 2010 CSAW CTF | Julian Cohen | Applied Application Security |
October 6, 2010 | 2010 CSAW CTF Challenges and Solutions Part 2 | Julian Cohen and Luis E. Garcia II | 2010 CSAW CTF |
September 29, 2010 | 2010 CSAW CTF Challenges and Solutions Part 1 | Julian Cohen and Luis E. Garcia II | 2010 CSAW CTF |
September 22, 2010 | DLL Hijacking | Julian Cohen | DLL Hijacking |

OWASP Video Collection


  • 1 Welcome to the OWASP Video Collection
    • 1.1 OWASP Global Webinars
    • 1.2 OWASP AppSecUSA 2014 Conference
    • 1.3 OWASP AppSec Europe 2014 Conference
    • 1.4 OWASP AppSec California 2014 Conference
    • 1.5 OWASP AppSecUSA 2013 Conference
    • 1.6 OWASP AppSec EU Research 2013 Conference
    • 1.7 OWASP AppSec Video Tutorial Series w/ Jerry Hoff
    • 1.8 OWASP AppSecUSA 2012 Conference
    • 1.9 OWASP AppSecUSA 2011 Conference
    • 1.10 OWASP Summit 2011
    • 1.11 OWASP Appsec DC 2010 Conference
    • 1.12 OWASP USA 2010 Conference
    • 1.13 OWASP EU 2010 Conference
    • 1.14 OWASP FROC 2010 Conference
    • 1.15 OWASP USA 2009 Conference
    • 1.16 OWASP AppSecEMEA 2009 Conference
    • 1.17 OWASP Israel 2008
    • 1.18 OWASP AppSecUSA 2008 Conference
    • 1.19 OWASP SnowFROC
    • 1.20 OWASP Minneapolis/St. Paul (OWASP MSP)
    • 1.21 Black Hat 2006
    • 1.22 AppSec Washington 2005

OWASP Global Webinars

YouTube Playlist

OWASP AppSecUSA 2014 Conference

YouTube Playlist

OWASP AppSec Europe 2014 Conference

YouTube Playlist

OWASP AppSec California 2014 Conference

YouTube Playlist

OWASP AppSecUSA 2013 Conference

YouTube Playlist

OWASP AppSec EU Research 2013 Conference

news entry “Video Recordings online”

https://www.its.fh-muenster.de/owasp-appseceu13/rooms/Grosser_Saal

[VID] OWASP-AppsecEU13-AmirAlsbih-ExperiencemadeinTechnicalDueDiligence_720p.mp4 01-Sep-2013 12:28 376M
[VID] OWASP-AppsecEU13-AngelaSasse-KeynoteBustingTheMythofDancingPigsAngelasTop10listofreasonswhyusersbypasssecuritymeasures_720p.mp4 28-Aug-2013 14:20 517M
[VID] OWASP-AppsecEU13-BenStock-EradicatingDNSRebindingwiththeExtendedSame-OriginPolicy_720p.mp4 28-Aug-2013 13:44 447M
[VID] OWASP-AppsecEU13-ChrisEngRyanOBoyle-FromtheTrenchesReal-WorldAgileSDLC_720p.mp4 28-Aug-2013 12:15 518M
[VID] OWASP-AppsecEU13-DavidRoss-InsaneintheIFRAME–Thecaseforclient-sideHTMLsanitization_720p.mp4 28-Aug-2013 15:11 478M
[VID] OWASP-AppsecEU13-DirkWetter-Welcomenoteandamanualfortheconferenceandeverythingelse_720p.mp4 28-Aug-2013 13:52 141M
[VID] OWASP-AppsecEU13-ErlendOftedal-SecuringamodernJavaScriptbasedsinglepagewebapplication_720p.mp4 28-Aug-2013 14:45 429M
[VID] OWASP-AppsecEU13-FlorianStahlJohannesStroeher-SecurityTestingGuidelinesformobileApps_720p.mp4 28-Aug-2013 13:20 353M
[VID] OWASP-AppsecEU13-FrederikBraun-OriginPolicyEnforcementinModernBrowsers_720p.mp4 28-Aug-2013 16:18 284M
[VID] OWASP-AppsecEU13-JimManico-OWASPTop10ProactiveControls_720p.mp4 28-Aug-2013 12:36 403M
[VID] OWASP-AppsecEU13-KrzysztofKotowicz-Iminurbrowserpwningyourstuff-AttackingwithGoogleChromeextensions_720p.mp4 28-Aug-2013 16:36 329M
[VID] OWASP-AppsecEU13-NickNikiforakisLievenDesmetStevenVanAcker-SandboxingJavascript_720p.mp4 28-Aug-2013 16:54 317M
[VID] OWASP-AppsecEU13-OWASPBoard-OWASPIntroduction_720p.mp4 28-Aug-2013 11:04 160M
[VID] OWASP-AppsecEU13-SebastianLekiesBenStock-ClickjackingProtectionUnderNon-trivialCircumstances_720p.mp4 28-Aug-2013 16:03 345M
[VID] OWASP-AppsecEU13-StefanoDiPaola-JavascriptlibrariesinsecurityAshowcaseofrecklessusesandunwittingmisuses_720p.mp4 28-Aug-2013 15:44 634M
[VID] OWASP-AppsecEU13-TarasIvashchenko-ContentSecurityPolicy-thepanaceaforXSSorplacebo_720p.mp4 28-Aug-2013 13:01 459M
[VID] OWASP-AppsecEU13-ThomasRoessler-KeynoteSecureallthethingsfictionfromtheWebsimmediatefuture_720p.mp4 28-Aug-2013 17:19 466M
[VID] OWASP-AppsecEU13-TobiasGondrom-OWASP-CISOGuideandCISOreport2013formanagers_720p.mp4 28-Aug-2013 11:47 419M

https://www.its.fh-muenster.de/owasp-appseceu13/rooms/Aussichtsreich_+_Freiraum

[VID] OWASP-AppsecEU13-AbrahamAranguren-IntroducingOWASPOWTF5x5_720p.mp4 27-Aug-2013 04:28 211M
[VID] OWASP-AppsecEU13-AchimHoffmannOferShezaf-WAFEC-contentandhistoryofanunbiasedprojectchallenge_720p.mp4 27-Aug-2013 04:14 299M
[VID] OWASP-AppsecEU13-BastianBraunJoachimPoseggaChristianV.Pollak-ADoormanforYourHome-Control-FlowIntegrityMeansinWebFrameworks_720p.mp4 27-Aug-2013 00:54 327M
[VID] OWASP-AppsecEU13-ColinWatsonDennisGroves-OWASPAppSensorInTheoryInPracticeandInPrint_720p.mp4 27-Aug-2013 05:29 322M
[VID] OWASP-AppsecEU13-DanCornell-DoYouHaveaScanneroraScanningProgram_720p.mp4 27-Aug-2013 03:54 353M
[VID] OWASP-AppsecEU13-DaveWichers-OWASPTop10-2013_720p.mp4 31-Aug-2013 12:02 474M
[VID] OWASP-AppsecEU13-DieterGollmann-ClosingNoteAccessControloftheWeb-TheWebofAccessControl_720p.mp4 27-Aug-2013 06:40 479M
[VID] OWASP-AppsecEU13-DirkWetter-ClosingCeremony_720p.mp4 27-Aug-2013 06:53 206M
[VID] OWASP-AppsecEU13-EduardoVela-Matryoshka_720p.mp4 26-Aug-2013 23:26 324M
[VID] OWASP-AppsecEU13-ErlendOftedal-RESTfulsecurity_720p.mp4 26-Aug-2013 22:36 435M
[VID] OWASP-AppsecEU13-FredDonovan-Q-BoxandH-BoxRaspberryPIfortheInfrastructureandHacker_720p.mp4 27-Aug-2013 01:18 350M
[VID] OWASP-AppsecEU13-JrgSchwenk-KeynoteCryptographyinWebSecurityStupidBrokenandmaybeWorking_720p.mp4 26-Aug-2013 17:50 213M
[VID] OWASP-AppsecEU13-KonstantinosPapapanagiotouSpyrosGasteratos-OWASPHackademicapracticalenvironmentforteachingapplicationsecurity_720p.mp4 27-Aug-2013 05:08 319M
[VID] OWASP-AppsecEU13-LucaViganLucaCompagna-TheSPaCIoSToolproperty-drivenandvulnerability-drivensecuritytestingforWeb-basedapplicationscenarios_720p.mp4 27-Aug-2013 05:50 311M
[VID] OWASP-AppsecEU13-MarcoBalduzziVincenzoCiangagliniRobertMcArdle-HTTPS-BasedClusteringforAssistedCybercrimeInvestigations_720p.mp4 26-Aug-2013 23:05 450M
[VID] OWASP-AppsecEU13-MarioHeiderich-TheinnerHTMLApocalypse-HowmXSSattackschangeeverythingwebelievedtoknowsofar_720p.mp4 27-Aug-2013 00:33 584M
[VID] OWASP-AppsecEU13-MicheleOrr-RootingyourinternalsInter-ProtocolExploitationcustomshellcodeandBeEF_720p.mp4 26-Aug-2013 18:16 406M
[VID] OWASP-AppsecEU13-MiltonSmith-MakingtheFutureSecurewithJava_720p.mp4 27-Aug-2013 02:55 559M
[VID] OWASP-AppsecEU13-NickNikiforakis-WebFingerprintingHowWhoandWhy_720p.mp4 27-Aug-2013 01:51 490M
[VID] OWASP-AppsecEU13-NicolasGrgoire-BurpPro-Real-lifetipsandtricks_720p.mp4 26-Aug-2013 20:30 562M
[VID] OWASP-AppsecEU13-PaulStone-PrecisionTiming-AttackingbrowserprivacywithSVGandCSS_720p.mp4 26-Aug-2013 19:22 518M
[VID] OWASP-AppsecEU13-PhilippeDeRyckLievenDesmetFrankPiessensWouterJoosen-ImprovingtheSecurityofSessionManagementinWebApplications_720p.mp4 26-Aug-2013 23:54 427M
[VID] OWASP-AppsecEU13-RetoIschi-AnAlternativeApproachforReal-LifeSQLiDetection_720p.mp4 27-Aug-2013 04:47 286M
[VID] OWASP-AppsecEU13-RobertoSuggiLiverani-AugmentedRealityinyourWebProxy_720p.mp4 26-Aug-2013 21:34 505M
[VID] OWASP-AppsecEU13-SahbaKazerooni-NewOWASPASVS2013_720p.mp4 27-Aug-2013 06:09 269M
[VID] OWASP-AppsecEU13-SaschaFahlMarianHarbachMatthewSmith-MalloDroidHuntingDownBrokenSSLinAndroidApps_720p.mp4 26-Aug-2013 22:06 498M
[VID] OWASP-AppsecEU13-SaschaFahlMatthewSmithHenningPerlMichaelBrenner-QualitativeComparisonofSSLValidationAlternatives_720p.mp4 26-Aug-2013 18:49 512M
[VID] OWASP-AppsecEU13-SimonBennetts-OWASPZAPInnovations_720p.mp4 27-Aug-2013 03:31 524M
[VID] OWASP-AppsecEU13-TalBeEry-APerfectCRIMEOnlytimewilltell_720p.mp4 26-Aug-2013 21:00 463M
[VID] OWASP-AppsecEU13-ThomasHerleaNelisBouckJohanPeeters-RecipesforenablingHTTPS_720p.mp4 26-Aug-2013 19:53 483M
[VID] OWASP-AppsecEU13-YvanBoilyMinion-MakingSecurityToolsaccessibleforDevelopers_720p.mp4 27-Aug-2013 02:17 390M

OWASP AppSec Video Tutorial Series w/ Jerry Hoff

OWASP Appsec Tutorial Series Click Here

OWASP AppSecUSA 2012 Conference

Vimeo

OWASP AppSecUSA 2011 Conference

Videos and Slides

Thursday, September 22, 2011

Tracks: Attacks & Defenses | Cloud | Mobile | Thought Leadership
0730-0830 CONTINENTAL BREAKFAST
0830-0920 KEYNOTE
Mark Curphey
Community – The Killer App (Video – starts at time marker 5:30, PDF)
0920-0930 BREAK
0930-1020 Andrés Riancho

Web Application Security Payloads(Video, PDF)

Andy Murren

SwA and the Cloud – Counting the Risks (Video,PPTX)

Patrick Tatro

Principles of Patrolling: Applying Ranger School to Information Security (Video,PPTX)

* Thank you to Patrick who, true to form, willingly stepped forward as an alternate

Arian Evans

Six Key Metrics: A look at the future of appsec (Video, sorry – no slides)

1020-1040 COFFEE BREAK
1040-1130 Jim Manico

Ghosts of XSS Past, Present and Future(Video, PDF)

Shankar Babu Chebrolu, PhD, CISSP

Top Ten Risks with Cloud that will keep you Awake at Night(Video, PPTX)

Ryan W Smith

STAAF: An Efficient Distributed Framework for Performing Large-Scale Android Application Analysis (Video,PDF)

Charles Henderson

Global Security Report (PDF)

1130-1140 BREAK
1140-1230 Shreeraj Shah

Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2) (Video,PDF)

Scott Matsumoto

Threat Modeling in the Cloud: What You Don’t Know Will Hurt You!(Video, PDF)

Tom Fischer

Lessons Learned Building Secure ASP.NET Applications(Video, PDF)

* Moved from Patterns Track for scheduling purposes

John Benninghoff

Behavioral Security Modeling: Eliminating Vulnerabilities by Building Predictable Systems (Video,PDF)

1230-1330 LUNCH & OWASP FOUNDATION BOARD DISCUSSION
Jeff Williams (Chair), Tom Brennan, Eoin Keary, Matt Tesauro, Dave Wichers, and incoming board member Michael Coates (Video, PDF)
* Sebastien Deleersnyder was unable to attend due to a scheduling conflict.
1330-1420 Javier Marcos de Prado, Juan Galiana Lara

Pwning intranets with HTML5 (Video,PDF)

Dan Cornell

The Self Healing Cloud: Protecting Applications and Infrastructure with Automated Virtual Patching (Video,PDF)

Mike Park

Android Security, or This is not the Kind of “Open” I Meant… (Video,PPTX)

Rafal Los, Mike McCormick,Christophe Veltsos, Jeff Williams

Making it in Information Security and Application Security (Video,PPT)

1420-1430 BREAK
1430-1520 Ganesh Devarajan,Todd Redfoot

Keeping up with the Web-Application Security (Video,PPTX)

Matt Tesauro

Testing from the Cloud: Is the Sky Falling? (Video,PDF)

Kevin Stadmeyer,Garrett Held

Hacking (and Defending) iPhone Applications(Video, PPTX)

John B. Dickson, CISSP

Software Security: Is OK Good Enough?(Video, PDF)

1520-1540 COFFEE BREAK
1540-1630 Jon McCoy (DigitalBodyGuard)

Hacking .NET (C#) Applications: The Black Arts (Video,PDF)

Adrian Lane

CloudSec 12-Step(Video, PDF)

Ashkan Soltani,Gerrit Padgham

When Zombies Attack – a Tracking Love Story (Video, PDF)

Jeff Williams

AppSec Inception – Exploiting Software Culture(Video, Prezi [Flash])

1630-1700 UNIVERSITY CHALLENGE WINNERS TALK! (Video, PPT)
1700-1800 HAPPY HOUR

Friday, September 23, 2011

Tracks: Software Assurance | OWASP | Patterns | Secure SDLC
0730-0830 CONTINENTAL BREAKFAST
0830-0920 KEYNOTE
Ira Winkler (Video, PPT)
0920-0930 BREAK
0930-1020 Richard Struse

Software Assurance Automation throughout the Lifecycle (Video,PPTX)

Michael Coates

Pure AppSec, No Fillers or Preservatives – OWASP Cheat Sheet Series(Video, PDF)

Colin Watson

OWASP Codes of Conduct (PDF)

Dr. Bill Chu, Jing Xie

Secure Programming Support in IDE(Video, PDF)

Brian Chess

Gray, the New Black: Gray-Box Web Penetration Testing (Video,PPTX)

1020-1040 COFFEE BREAK
1040-1130 Ryan Stinson

Improve your SDLC with CAPEC and CWE (Video,PPTX)

Jack Mannino,Zach Lanier,Mike Zusman

OWASP Mobile Top 10 Risks(Video, PPTX)

Aditya K Sood,Richard Enbody

The Good Hacker – Dismantling Web Malware (Video,PDF)

Chris Wysopal

Application Security Debt and Application Interest Rates (Video, PPT)

1130-1140 BREAK
1140-1230 Chuck Willis,Kris Britton

Sticking to the Facts: Scientific Study of Static Analysis Tools(Video, PDF)

Simon Bennetts

Introducing the OWASP Zed Attack Proxy(Video, PPTX)

Justin Collins,Tin Zaw

Brakeman and Jenkins: The Duo Detect Defects in Ruby on Rails Code (Video,PPTX)

Mike Ware

Simplifying Threat Modeling (Video,PDF)

1230-1330 LUNCH & KEYNOTE Moxie Marlinspike (Video, PDF)
1330-1420 Adam Meyers

Mobile Applications Software Assurance (Video,PDF)

Anthony J. Stieber

How NOT to Implement Cryptography for the OWASP Top 10 (Video, PDF)

Michael Coates

Security Evolution – Bug Bounty Programs for Web Applications(Video, PDF)

Wendy Nather (moderator),Dinis Cruz, Chris Eng, Jerry Hoff,Darren Meyer,John Steven,Sean Fay

Speeding Up Security Testing Panel (Video,PPTX)

1420-1430 BREAK
1430-1520 Charles Schmidt

You’re Not Done (Yet) – Turning Securable Apps into Secure Installations using SCAP (Video,PPTX)

Beef (Chris Schmidt), Kevin Wall

ESAPI 2.0 – Defense Against the Dark Arts(Video, PPT)

Jason Li

OWASP Projects Portal Launch! (5-10 Minutes)(Video, PPTX)

Srini Penchikala

Messaging Security using GlassFish 3.1 and Open Message Queue (Video,PDF)

Glenn Leifheit (moderator), Andreas Fuchsberger,Ajoy Kumar,Richard Tychansky,Alessandro Moretti

Application Security Advisory Board SDLC Panel(Video, PPTX)

1520-1540 COFFEE BREAK
1540-1630 Michelle Moss,Nadya Bartol

Why do developers make these dangerous software errors?(Video, PPTX)

Ryan Barnett

OWASP CRS and AppSensor Project(Video, Prezi [Flash])

Alex Smolen

Application Security and User Experience (Video,PDF)

Gunnar Peterson

Mobile Web Services (Video, sorry – no slides)

* Moved from Mobile Track for scheduling purposes

1630-1640 BREAK
1640-1730 RECAP AND LOOKING AHEAD TO THE NEXT TEN YEARS AND APPSEC USA 2012

OWASP Summit 2011

OWASP Summit 2011 Vimeo videos are available at

OWASP Appsec DC 2010 Conference

OWASP Appsec DC 2010 Click Here

  1. Cloudy with a Chance of Hack! with Lars Ewe, Cenzic

OWASP USA 2010 Conference

OWASP USA 2010 Click Here

  1. HD Moore, Keynote Speaker
  2. Jeremiah Grossman, Breaking Web Browsers
  3. Samy Kamkar, How I Met Your Girlfriend
  4. Keith Turpin: The Secure Coding Practices Quick Reference Guide
  5. Dan Cornell, Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications
  6. Robert Zigweid: Threat Modeling Best Practices
  7. Peleus Uhley, Assessing, Testing & Validating Flash Content
  8. Joe Basirico, Reducing Web Application Vulnerabilities: Moving from a Test-Dependent to Design-Driven Development.
  9. Michael Coates, Real Time Application Defenses – The Reality of AppSensor & ESAPI
  10. Adrian Lane, Agile + Security = FAIL
  11. David Rice, Keynote Speaker
  12. Paul Judge, The Dark Side of Twitter, Measuri
  13. OWASP: AppSec 2010 Promo
  14. Rafal Los, Into the Rabbit Hole: Execution Flow-based Web Application Testing
  15. Panel Discussion: Vulnerability Lifecycle for Software Vendors with Kelly FitzGerald, Katie Moussouris, John Steven & Daniel Hol
  16. Aditya K. Sood, Bug-Alcoholic 2.0 – Untamed World of Web Vulnerabilities
  17. Lars Ewe, Session Management Security Tips and Tricks
  18. Panel Discussion: Security Trends with Jeremiah Grossman, Robert Hansen, Jeff Williams & Eric Chen
  19. David Bryan & Michael Anderson, Cloud Computing, A Weapon of Mass Destruction?
  20. Gunter Ollmann, P0w3d for Botnet CNC
  21. Chenxi Wang
  22. Chris Schmidt: Solving Real-World Problems with an Enterprise Security API (ESAPI)
  23. Dinis Cruz: Tour of OWASP Projects & Using the OWASP 02 Platform
  24. Bill Cheswick
  25. Jeff Williams
  26. Panel Discussion: Characterizing Software Security as a Mainstream Business risk with Ed Pagett, Richard Greenberg, John Sapp &
  27. Ivan Ristic, State of SSL on the Internet – 2010 Survey
  28. Antti Rantasaari & Scott Sutherland, Escalating Privileges through Database Trusts
  29. Alex Stamos
  30. Peleus Uhley, Unraveling Cross-Technology, Cross-Domain Trust Relations
  31. Panel Discussion: Defining the Identity Management Framework with Mano Paul, Richard Tychansky, Jeff Williams & Hord Tipton

OWASP EU 2010 Conference

OWASP Stockholm Sweden 2010 Click Here and Click Here

Conference Day 1 – June 23, 2010OWASP AppSec Research 2010 Research R.gif = Research paper OWASP AppSec Research 2010 Demo D.gif = Demo OWASP AppSec Research 2010 Presentation P.gif = Presentation
Track 1 Track 2 Track 3
08:00-08:50 Registration and Breakfast + Coffee
08:50-09:00 Welcome to OWASP AppSec Research 2010 Conference (John Wilander & OWASP Global Board Members) (pdf)
09:00-10:00 #Keynote: Cross-Domain Theft and the Future of Browser Security (pdf) (video)Chris Evans, Information Security Engineer, and Ian Fette, Product Manager for Chrome Security, Google
10:10-10:45 OWASP AppSec Research 2010 Research R.gif #BitFlip: Determine a Data’s Signature Coverage from Within the Application (pdf) (video)Henrich Christopher Poehls, University of Passau OWASP AppSec Research 2010 Presentation P.gif #CsFire: Browser-Enforced Mitigation Against CSRF (pdf) (video)Lieven Desmet and Philippe De Ryck, Katholieke Universiteit Leuven OWASP AppSec Research 2010 Presentation P.gif #Deconstructing ColdFusion (pdf) (video)Chris Eng, Veracode
10:45-11:10 Break – Expo – CTF kick-off, Coffee break sponsoring position open ($2,000)
11:10-11:45 OWASP AppSec Research 2010 Research R.gif #Towards Building Secure Web Mashups (pdf) (video)M Decat, P De Ryck, L Desmet, F Piessens, W Joosen, Katholieke Universiteit Leuven OWASP AppSec Research 2010 Presentation P.gif #New Insights into Clickjacking (pdf) (video)Marco Balduzzi, Eurecom

OWASP AppSec Research 2010 Presentation P.gif #How to Render SSL Useless (pdf) (video)Ivan Ristic, Qualys
11:55-12:30 OWASP AppSec Research 2010 Research R.gif #Busting Frame Busting (pdf) (video)

Gustav Rydstedt, Stanford Web Security Research

OWASP AppSec Research 2010 Presentation P.gif #Web Frameworks and How They Kill Traditional Security Scanning (pdf) (video)Christian Hang and Lars Andren, Armorize Technologies OWASP AppSec Research 2010 Demo D.gif #The State of SSL in the World (pdf) (video without sound :()Michael Boman, Omegapoint
12:30-13:45 Lunch – Expo – CTF, Lunch sponsor: OWASP AppSec Research 2010 IIS logo for program.png
13:45-14:20 OWASP AppSec Research 2010 Research R.gif #(New) Object Capabilities and Isolation of Untrusted Web Applications (pdf) (video)Sergio Maffeis, Imperial College, London OWASP AppSec Research 2010 Presentation P.gif #Beyond the Same-Origin Policy (pdf) (video)Jasvir Nagra and Mike Samuel, Google
OWASP AppSec Research 2010 Demo D.gif #SmashFileFuzzer – a New File Fuzzer Tool(pdf) (video)Komal Randive, Symantec
14:30-15:05 OWASP AppSec Research 2010 Demo D.gif #Security Toolbox for .NET Development and Testing (pdf) (video)Johan Lindfors and Dag König, Microsoft OWASP AppSec Research 2010 Demo D.gif #Cross-Site Location Jacking (XSLJ) (not really)(pdf) (video)David Lindsay, Cigital
Eduardo Vela Nava, sla.ckers.org
OWASP AppSec Research 2010 Demo D.gif #Owning Oracle: Sessions and Credentials (pdf) (video)Wendel G. Henrique and Steve Ocepek, Trustwave
15:05-15:30 Break – Expo – CTF, Coffee break sponsoring position open ($2,000)
15:30-16:05 OWASP AppSec Research 2010 Demo D.gif #Value Objects a la Domain-Driven Security: A Design Mindset to Avoid SQL Injection and Cross-Site Scripting (pdf) (video)Dan Bergh Johnsson, Omegapoint OWASP AppSec Research 2010 Presentation P.gif #Automated vs. Manual Security: You Can’t Filter “The Stupid” (pdf not available yet) (video)
David Byrne and Charles Henderson, Trustwave
OWASP AppSec Research 2010 Research R.gif #Session Fixation – the Forgotten Vulnerability?(pdf) (video)Michael Schrank and Bastian Braun, University of Passau
Martin Johns, SAP Research
16:15-17:00 Panel Discussion: “Is Application Security a Losing Battle?” (video, partly poor sound)
19:00-23:00 Stockholm City Hall, photo by Yanan Li Gala Dinner at Stockholm City Hall
Sponsored by
OWASP AppSec Research 2010 Google logo for program.png
The Golden Hall, photo by Yanan Li
Conference Day 2 – June 24, 2010OWASP AppSec Research 2010 Research R.gif = Research paper OWASP AppSec Research 2010 Demo D.gif = Demo OWASP AppSec Research 2010 Presentation P.gif = Presentation
Track 1 Track 2 Track 3
08:00-08:50 Breakfast + Coffee
08:50-09:00 Three Announcements from OWASP (video)
09:00-10:00 #Keynote: The Security Development Lifecycle – The Creation and Evolution of a Security Development Process (pdf) (video)
Steve Lipner, Senior Director of Security Engineering Strategy, Microsoft Corporation
10:10-10:45 OWASP AppSec Research 2010 Presentation P.gif #The Anatomy of Real-World Software Security Programs (pdf) (video)

Pravir Chandra, Fortify

OWASP AppSec Research 2010 Demo D.gif #Promon TestSuite: Client-Based Penetration Testing Tool (pdf not available yet) (video)

Folker den Braber and Tom Lysemose Hansen, Promon

OWASP AppSec Research 2010 Research R.gif #A Taint Mode for Python via a Library (pdf) (video)

Juan José Conti, Universidad Tecnológica Nacional
Alejandro Russo, Chalmers Univ. of Technology

10:45-11:10 Break – Expo – CTF, Coffee sponsor: OWASP AppSec Research 2010 MyNethouse logo for program.png
11:10-11:45 OWASP AppSec Research 2010 Presentation P.gif #Microsoft’s Security Development Lifecycle for Agile Development (pdf) (video)

Nick Coblentz, OWASP Kansas City Chapter and AT&T Consulting

OWASP AppSec Research 2010 Presentation P.gif #Detecting and Protecting Your Users from 100% of all Malware – How? (pdf) (video)

Bradley Anstis and Vadim Pogulievsky, M86 Security

OWASP AppSec Research 2010 Research R.gif #OPA: Language Support for a Sane, Safe and Secure Web (pdf) (video without sound :( )

David Rajchenbach-Teller and François-Régis Sinot, MLstate

11:55-12:30 OWASP AppSec Research 2010 Presentation P.gif #Secure Application Development for the Enterprise: Practical, Real-World Tips (pdf) (video)

Michael Craigue, Dell

OWASP AppSec Research 2010 Presentation P.gif #Responsibility for the Harm and Risk of Software Security Flaws (pdf) (video)

Cassio Goldschmidt, Symantec

OWASP AppSec Research 2010 Research R.gif #Secure the Clones: Static Enforcement of Policies for Secure Object Copying (pdf) (video)

Thomas Jensen and David Pichardie, INRIA Rennes – Bretagne Atlantique

12:30-13:45 Lunch – Expo – CTF, Lunch break sponsoring position open ($4,000)
13:45-14:20 OWASP AppSec Research 2010 Presentation P.gif #Product Security Management in Agile Product Management (pdf) (video)

Antti Vähä-Sipilä, Nokia

[Presentation] Hacking by Numbers (pdf) (video)

Tom Brennan, WhiteHat Security and OWASP Foundation

[Research] Safe Wrappers and Sane Policies for Self Protecting JavaScript (pdf) (video)

Jonas Magazinius, Phu H. Phung, and David Sands, Chalmers Univ. of Technology

14:30-15:05 [Presentation] OWASP Top 10 2010 (pdf) (video)

Dave Wichers, Aspect Security and OWASP Foundation

[Presentation] Application Security Scoreboard in the Sky (pdf) (video)

Chris Eng, Veracode

[Research] On the Privacy of File Sharing Services (pdf & video not available because of potential zero-day)

N Nikiforakis, F Gadaleta, Y Younan, and W Joosen, Katholieke Universiteit Leuven

15:05-15:30 Break – Expo – CTF, Coffee break sponsoring position open ($2,000)
15:30-16:00 CTF Prize Ceremony, Announcement of OWASP AppSec EU 2011, Closing Notes (pdf)

OWASP FROC 2010 Conference

FROC 2010 – Click Here

JUNE 2, 2010
07:30-08:30 Registration and Continental Breakfast in the Sponsor Expo Room
08:30-08:35 Welcome to FROC 2010 Conference – David Campbell, OWASP Denver
08:35-09:35 Keynote: “Watching Software Run: Software Security Beyond Defect Elimination” – Brian Chess, Fortify Software

Presentation Video

09:35-10:00 OWASP: State of the Union – Tom Brennan, OWASP Board – BIO

Video

10:00-10:20 Cloud Security Alliance: State of the Union – Randy Barr, Cloud Security Alliance

Video

10:20-10:30 Break – Expo – CTF
AppSec/Technical Track: Room 1 | Cloud/Mobile/Emerging Track: Room 2 | Management / Exec Track: Room 3
10:30-11:15 2010: Web Hacking Odyssey – The Top Hacks of the Year – Jeremiah Grossman

Presentation Video (Note: the blip version seems broken, so linked to WhiteHatSec webex.)

“Building a Secure, Compliant Cloud for the Enterprise” – Matt Ferrari, Hosting.com
“Anatomy of a Logic Flaw” – David Byrne and Charles Henderson, Trustwave
11:15-12:00 Advanced MITM Techniques for Security Testers – Mike Zusman, Raj Umadas and Aaron Rhodes, Intrepidus Group

Presentation

“YOU are the weakest link” – Chris Nickerson, Lares Consulting

Presentation

“Effectively marketing security as a win for both the business and the customer” – Ben Whaley, Applied Trust Engineering and Jeff Smith, Rally Software

Presentation

12:00-13:00 Lunch – Expo – CTF
13:00-13:50 Vulnerabilities in Secure Code: Now and Beyond – Alex Wheeler and Ryan Smith, Accuvant

Video

“Real life CSI – Data Mining and Intelligence Gathering for the masses” – Chris Roberts, Cyopsis

Presentation

“The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise” – John Dickson, Denim Group

Presentation

13:50-14:40 Beware of Serialized GUI Objects Bearing Data – David Byrne and Rohini Sulatycki, Trustwave

Video

“What’s Old Is New Again: An Overview of Mobile Application Security” – Zach Lanier and Mike Zusman, Intrepidus Group
“Fundamental Practices and Tools to implement a security development lifecycle” – Cassio Goldschmidt, Symantec

Presentation

14:40-15:00 BREAK
15:00-15:50 Solving Real-World Problems with an Enterprise Security API – Chris Schmidt

Presentation Video

“Cloudy with a chance of hack” – Lars Ewe, Cenzic

Presentation

“Application Security Program Management with Vulnerability Manager” – Bryan Beverly, Denim Group

Presentation

15:50-16:30 Panel Discussion: Topic: “Security successes are like Six legged calves: unnatural, but they happen.” Moderator: John Dickson, Denim Group. Panelists: Randy Barr, CSO @ Qualys; Jeremiah Grossman, CTO @ WhiteHat Security; Chris Nickerson, Principal @ Lares Consulting; Andy Lewis, CSO @ New Frontier Media
16:30-17:30 Wrap up, vendor raffles, CTF awards, FREE BEER!

OWASP USA 2009 Conference

APPSEC DC 2009 – Click Here

Training 11/10

Day 1 – Nov 10th 2009
Rooms (in order): Room 154A | Room 149B | Room 149A | Room 154B | Room 155
09:00-12:00 Day 1:
  • Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework – Justin Searle
  • Java EE Secure Code Review – Sahba Kazerooni, Security Compass
  • Threat Modeling Express – Krishna Raja, Security Compass
  • Foundations of Web Services and XML Security – Dave Wichers, Aspect Security
  • Live CD – Matt Tesauro
12:00-13:00 Lunch
13:00-17:00 Day 1 (continued):
  • Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework – Justin Searle
  • Java EE Secure Code Review – Sahba Kazerooni, Security Compass
  • Threat Modeling Express – Krishna Raja, Security Compass
  • Foundations of Web Services and XML Security – Dave Wichers, Aspect Security
  • Live CD – Matt Tesauro

Training 11/11

Day 2 – Nov 11th 2009
Rooms (in order): Room 154A | Room 149B | Room 149A | Room 154B
09:00-12:00 Day 2:
  • Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework – Justin Searle
  • Java EE Secure Code Review – Sahba Kazerooni, Security Compass
  • WebAppSec.php: Developing Secure Web Applications – Robert Zakon
  • Leader and Manager Training – Leading the Development of Secure Applications – John Pavone, Aspect Security
12:00-13:00 Lunch
13:00-17:00 Day 2 (continued):
  • Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework – Justin Searle
  • Java EE Secure Code Review – Sahba Kazerooni, Security Compass
  • WebAppSec.php: Developing Secure Web Applications – Robert Zakon
  • Leader and Manager Training – Leading the Development of Secure Applications – John Pavone, Aspect Security

Talks 11/12

Day 1 – Nov 12th 2009
Tracks: OWASP (146A) | Tools (146B) | Web 2.0 (146C) | SDLC (152A)
07:30-08:50 Registration
08:50-09:00 Welcome and Opening Remarks
09:00-10:00 Keynote: Joe Jarzombek
Video | Slides
10:00-10:30 All about OWASP OWASP Board
Video | Slides
10:30-10:45 Coffee Break sponsored by Denim Group
10:45-11:30 OWASP ESAPI
Jeff Williams

Video | Slides

Clubbing WebApps with a Botnet
Gunter Ollmann

Video | Slides

Understanding the Implications of Cloud Computing on Application Security
Dennis Hurst

Video | Slides

Enterprise Application Security – GE’s approach to solving root cause
Darren Challey

Video | Slides

11:30-12:30 Hosted Lunch
12:30-1:15 Software Assurance Maturity Model (SAMM)
Pravir Chandra

Video | Slides

The Case of Promiscuous Parameters and Other Ongoing Capers in Web Security
Jacob West

Video | Slides

Transparent Proxy Abuse
Robert Auger

Video | Slides

Software Development The Next Security Frontier
Jim Molini

Video | Slides

1:15-1:20 Break
1:20-2:05 DISA’s Application Security and Development STIG: How OWASP Can Help You
Jason Li

Video | Slides

OWASP ModSecurity Core Rule Set Project
Ryan C. Barnett

Video | Slides

Development Issues Within AJAX Applications: How to Divert Threats
Lars Ewe

Video | Slides

Secure SDLC Panel: Real answers from real experience
Panelists:
Dan Cornell
Michael Craigue
Dennis Hurst
Joey Peloquin
Keith Turpin

Moderator:
Pravir Chandra

Video | Slides

2:05-2:10 Break
2:10-2:55 Defend Yourself: Integrating Real Time Defenses into Online Applications
Michael Coates

Video | Slides

Finding the Hotspots: Web-security testing with the Watcher tool
Chris Weber

Video | Slides

Social Zombies: Your Friends Want to Eat Your Brains
Tom Eston/Kevin Johnson

Video | Slides

2:55-3:10 Coffee Break sponsored by Denim Group
3:10-3:55 The ESAPI Web Application Firewall
Arshan Dabirsiaghi

Video | Slides

One Click Ownage
Ferruh Mavituna

Video | Slides

Cloudy with a chance of 0-day
Jon Rose/Tom Leavey

Video | Slides

The essential role of infosec in secure software development
Kenneth R. van Wyk

Video | Slides

Web Application Security Scanner Evaluation Criteria
Brian Shura

Video | Slides

3:55-4:00 Break
4:00-4:45 OWASP Live CD: An open environment for Web Application Security
Matt Tesauro / Brad Causey

Video | Slides

Learning by Breaking: A New Project Insecure Web Apps
Chuck Willis

Video | Slides

Attacking WCF Web Services
Brian Holyfield

Video | Slides

Vulnerability Management in an Application Security World
Dan Cornell

Video | Slides

Synergy! A world where the tools communicate
Josh Abraham

Video | Slides

4:45-4:50 Break
4:50-5:55 The Entrepreneur’s Guide to Career Management
Lee Kushner

Video | Slides

Advanced SSL: The good, the bad, and the ugly
Michael Coates

Video | Slides

When Web 2.0 Attacks – Understanding Security Implications of AJAX Flash and Highly Interactive Technologies
Rafal Los

Video | Slides

Threat Modeling
John Steven

Video | Slides

User input piercing for Cross Site Scripting Attacks
Matias Blanco

Video | Slides

6:00-8:00 Cocktails and hors d’oeuvres in the EXPO Room (151)
Sponsored by Cenzic

Talks 11/13

Day 2 – Nov 13th 2009
Tracks: Process (146A) | Attack & Defend (146B) | Metrics (146C) | Compliance (152A)
8:00-9:00 Registration & Coffee sponsored by FYRM
9:00-9:45 The Big Picture: Web Risks and Assessments Beyond Scanning
Matt Fisher

Video | Slides

Securing the Core JEE Patterns
Rohit Sethi/Krishna Raja

Video | Slides

The Web Hacking Incidents Database
Ryan C. Barnett

Video | Slides

Business Logic Automatons: Friend or Foe?
Amichai Shulman

Video | Slides

9:45-9:50 Break
9:50-10:35 Scalable Application Assessments in the Enterprise
Tom Parker/Lars Ewe

Video | Slides

Malicious Developers and Enterprise Java Rootkits
Jeff Williams

Video | Slides

Application security metrics from the organization on down to the vulnerabilities
Chris Wysopal

Video | Slides

SCAP: Automating our way out of the Vulnerability Wheel of Pain
Ed Bellis

Video | Slides

10:35-10:40 Break
10:40-11:25 Secure Software Updates: Update Like Conficker
Jeremy Allen

Video | Slides

Unicode Transformations: Finding Elusive Vulnerabilities
Chris Weber

Video | Slides

OWASP Top 10 – 2010
Release Candidate
Dave Wichers

Video | Slides

Secure SDLC: The Good, The Bad, and The Ugly
Joey Peloquin

Video | Slides

11:25-12:30 Hosted Lunch
12:30-1:15 Improving application security after an incident
Cory Scott

Video | Slides

The 10 least-likely and most dangerous people on the Internet
Robert Hansen

Video | Slides

Hacking by Numbers
Tom Brennan

Video | Slides

Federal CISO Panel

Video

1:15-1:20 Break
1:20-2:05 Deploying Secure Web Applications with OWASP Resources
Sebastien Deleersnyder / Fabio Cerullo

Video | Slides

Automated vs. Manual Security: You can’t filter The Stupid
David Byrne/Charles Henderson

Video | Slides

Building an in-house application security assessment team
Keith Turpin

Video | Slides

2:05-2:20 Coffee break sponsored by FYRM
2:20-3:05 OWASP O2 Platform – Open Platform for automating application security knowledge and workflows
Dinis Cruz

Video | Slides

Injectable Exploits: Two New Tools for Pwning Web Apps and Browsers
Kevin Johnson, Justin Searle, Frank DiMaggio

Video | Slides

The OWASP Security Spending Benchmarks Project
Dr. Boaz Gelbord

Video | Slides

Promoting Application Security within Federal Government
Sarbari Gupta

Video | Slides

3:05-3:10 Break
3:10-3:55 Custom Intrusion Detection Techniques for Monitoring Web Applications
Matthew Olney

Video | Slides

Manipulating Web Application Interfaces, a new approach to input validation
Felipe Moreno-Strauch

Video | Slides

SANS Dshield Webhoneypot Project
Jason Lam

Video | Slides

Techniques in Attacking and Defending XML/Web Services
Mamoon Yunus/Jason Macy

Video | Slides

3:55-4:00 Break
4:00-4:15 Closing Remarks (146B)
Mark Bristow, Rex Booth, Doug Wilson
Video | Slides

OWASP AppSecEMEA 2009 Conference

OWASP EU 2009 – Here and Here

Conference – May 13

DAY 1 – MAY 13, 2009
Track 1: room Alfa 1 | Track 2: room Alfa 2 | Track 3: room Beta
08:00-08:50 Registration and Coffee
08:50-09:00 Welcome to OWASP AppSec 2009 Conference (PPT) – Sebastien Deleersnyder, OWASP Foundation
09:00-10:00 Web App Security – The Good, the Bad and the Ugly (PPT) – Ross Anderson, Professor in Security Engineering, University of Cambridge
10:00-10:45 OWASP State of the Union (PPT|video) – Dinis Cruz, Dave Wichers & Sebastien Deleersnyder, OWASP Foundation
10:45-11:05 Break – Expo – CTF Kick-Off – Andrés Riancho
11:05-11:50
  • Track 1: OWASP Live CD: An open environment for Web Application Security (PPT) – Matt Tesauro, OWASP Live CD Project
  • Track 2: Leveraging agile to gain better security (PPT|video) – Erlend Oftedal, Bekk Consulting
  • Track 3: The OWASP Orizon project: new static analysis in HiFi (PPT|video) – Paolo Perego, Spike Reply
11:55-12:40
  • Track 1: OWASP Application Security Verification Standard (ASVS) Project (PPT) – Dave Wichers, Aspect Security
  • Track 2: Tracking the effectiveness of an SDL program: lessons from the gym (PPT|video) – Cassio Goldschmidt, Symantec Corporation
  • Track 3: The Bank in the Browser – Defending web infrastructures from banking malware (PDF|video) – Giorgio Fedon, Minded Security
12:40-14:00 Lunch – Expo – CTF
14:00-14:45
  • Track 1: Threat Modeling (PPT) – John Steven, Cigital
  • Track 2: Web Application Harvesting (PPT|video) – Esteban Ribičić, tbd
  • Track 3: Maturing Beyond Application Security Puberty (PPT) – David Harper, Fortify
14:50-15:35
  • Track 1: Exploiting Web 2.0 – Next Generation Vulnerabilities (PDF) – Shreeraj Shah, Blueinfy
  • Track 2: O2 – Advanced Source Code Analysis Toolkit (video) – Dinis Cruz, Ounce Labs
  • Track 3: The Truth about Web Application Firewalls: What the vendors do not want you to know (PPT) – Wendel Guglielmetti Henrique, Trustwave & Sandro Gauci, EnableSecurity
15:35-15:55 Break – Expo – CTF
15:55-16:40
  • Track 1: The Software Assurance Maturity Model (SAMM) (PPT) – Pravir Chandra, Cognosticus
  • Track 2: Advanced SQL injection exploitation to operating system full control (PDF|video) – Bernardo Damele Assumpcao Guimaraes, lead developer of sqlmap
  • Track 3: When Security Isn’t Free: The Myth of Open Source Security (PPT|video) – David Harper, Fortify
16:45-17:45 Panel: SDLC: where do they work well, where do they fail? (PPT) – Moderator: Cassio Goldschmidt – Panelists: Pravir Chandra, Bart De Win, John Steven, Dave Wichers

Conference- May 14

DAY 2 – MAY 14, 2009
Track 1: room Alfa 1 | Track 2: room Alfa 2 | Track 3: room Beta
08:00-09:00 Registration and Coffee
09:00-09:00 Fixing Internet Security by Hacking the Business Climate – Bruce Schneier, Chief Security Technology Officer, BT
10:00-10:45 OWASP Projects (PPT|video) – Dave Wichers & Dinis Cruz, OWASP Foundation
10:45-11:05 Break – Expo – CTF
11:05-11:50
  • Track 1: OWASP “Google Hacking” Project (video) – Christian Heinrich, OWASP “Google Hacking” Project Lead
  • Track 2: Deploying Secure Web Applications with OWASP Resources (video) – Kuai Hinojosa, New York University
  • Track 3: Beyond security principles approximation in software architectures (PPT|video) – Bart De Win, Ascure
11:55-12:40
  • Track 1: OWASP Enterprise Security API (ESAPI) Project (PPT|video) – Dave Wichers, Aspect Security
  • Track 2: w3af, A framework to 0wn the web (PPT|Video) – Andrés Riancho, Bonsai Information Security
  • Track 3: Brain’s hardwiring and its impact on software development and secure software (PDF|video) – Alexandru Bolboaca & Maria Diaconu, Mosaic Works
12:40-14:00 Lunch – Expo – CTF
14:00-14:45
  • Track 1: OWASP ROI: Optimize Security Spending using OWASP (PPT) – Matt Tesauro, OWASP Live CD Project
  • Track 2: CSRF: the nightmare becomes reality? (PPT|video) – Lieven Desmet, University Leuven
  • Track 3: I thought you were my friend – Evil Markup, browser issues and other obscurities (PDF/PPT|video) – Mario Heiderich, Business-IN
14:50-15:35
  • Track 1: HTTP Parameter Pollution (PDF|video) – Luca Carettoni, Independent Researcher & Stefano Di Paola, MindedSecurity
  • Track 2: OWASP Source Code Flaws Top 10 Project (PPT|video) – Paolo Perego, Spike Reply
  • Track 3: Business Logic Attacks: Bots and Bats (PPT|video) – Eldad Chai, Imperva
15:35-15:55 Break – Expo – CTF
15:55-16:40
  • Track 1: Factoring malware and organized crime in to Web application security (PDF1|PDF2|video) – Gunter Ollmann, Damballa
  • Track 2: Real Time Defenses against Application Worms and Malicious Attackers (PPT|video) – Michael Coates, Aspect Security
  • Track 3: Can an accessible web application be secure? Assessment issues for security testers, developers and auditors (PPT|video) – Colin Watson, Watson Hall Ltd
16:45-17:45 Panel: The Future of web application security (video) – Moderator: Christian Heinrich, Panelists: tbd
17:45-18:00 Conference Wrap-Up & CTF Awards – Dave Wichers, OWASP Foundation

Venue: Park Inn Hotel, Krakow

OWASP Israel 2008

Click Here

Room #1: Management Track | Room #2: Fundamentals Track
9:15-10:00
  • Room #1: Web Application Security and Search Engines – Beyond Google Hacking (ppt, video part 1, video part 2) – Amichai Shulman, Imperva
  • Room #2: Application Security – The code analysis way (download ppt) – Maty Siman, Checkmarx
10:00-10:45
  • Room #1: No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling (watch video, download video) – Ivan Ristic, Breach Security
  • Room #2: Black Box vs. White Box – pros and cons (download ppt) – Adi Sharabani & Yinnon Haviv, IBM
10:45-11:00 Break
11:00-11:45
  • Room #1: Trends in Web Hacking: What’s hot in 2008 (ppt, watch video, download video) – Ofer Shezaf, Breach Security
  • Room #2: AJAX – new technologies new threats (download ppt) – Dr. David Movshovitz, IDC
11:45-12:30
  • Room #1: Testing the Tester – Measuring Quality of Security Testing (ppt, download video) – Ofer Maor, Hacktics
  • Room #2: GreenSQL – an open source database security gateway (download ppt) – Yuli Stremovsky
12:30-13:15 Lunch
Room #1: Advanced Technology Track | Room #2: Practical Technology Track
13:15-14:00
  • Room #1: Achilles’ heel – Hacking Through Java Protocols (ppt, watch video, download video) – Shai Chen, Hacktics
  • Room #2: Defending against Phishing without Client-side Code (ppt, watch video, download video) – Prof. Amir Herzberg, Bar-Ilan University
14:00-14:45
  • Room #1: Cryptographic elections – how to simultaneously achieve verifiability and privacy (download pdf) – Dr. Alon Rosen, IDC
  • Room #2: .NET Framework rootkits – backdoors inside your Framework (download ppt) – Erez Metula, 2Bsecure
14:45-15:00 Break
15:00-15:45
  • Room #1: Automated Crawling & Security Analysis of Flash/Flex based Web Applications (download ppt) – Ronen Bachar, IBM
  • Room #2: Korset: Code-based Intrusion Detection System for Linux (download pdf) – Ohad Ben-Cohen
15:45-16:30 Turbo talks (Rump Session), Currently scheduled presentations:

  • Yossi Oren, Automatic Patch-Based Exploit Generation (APEG) (download ppt)
  • Avi Weissman, Introduction to the Israeli Forum for Information Security (ISIF)
  • Robert Moskovitch, Detection of Unknown Malicious Code via Machine Learning (download pdf)
  • Yaniv Miron, Comsec, UTF7 XSS (download ppt)
  • Shay Zalalichin & Avi Douglen, Comsec, Breaking CAPTCHA Myths (download ppt)

Closing Words, Ofer Shezaf

OWASP AppSecUSA 2008 Conference

Click Here

DAY 1 – SEPT 24TH, 2008

Track 1: BALLROOM | Track 2: SKYLINE | Track 3: TIMESQUARE
07:30-08:50 Doors Open for Attendee/Speaker Registration – avoid lines: come early, get your caffeine fix and use free wifi
09:00-09:45 OWASP Version 3.0 who we are, how we got here and where we are going?
OWASP Foundation: Jeff Williams, Dinis Cruz, Dave Wichers, Tom Brennan, Sebastien Deleersnyder

Dave Wichers’ Slides / Jeff Williams’ Slides / Dinis Cruz’s Slides

10:00-10:45 Analysis of the Web Hacking Incidents Database (WHID)
Ofer Shezaf
VIDEO / SLIDES
Web Application Security Road Map
Joe White
VIDEO / SLIDES
DHS Software Assurance Initiatives
Stan Wisseman & Joe Jarzombek
VIDEO / SLIDES
11:00-11:45 Http Bot Research
Andre M. DiMino – ShadowServer Foundation
VIDEO / SLIDES
OWASP “Google Hacking” Project
Christian Heinrich
VIDEO / SLIDES
MalSpam Research
Garth Bruen
VIDEO / SLIDES
12:00-13:00 Capture the Flag Sign-Up – LUNCH – Provided by event sponsors @ TechExpo
12:00-12:45 Get Rich or Die Trying – Making Money on The Web, The Black Hat Way
Trey Ford, Tom Brennan, Jeremiah Grossman
VIDEO / SLIDES
Framework-level Threat Analysis: Adding Science to the Art of Source-code review
Rohit Sethi & Sahba Kazerooni
VIDEO / SLIDES
Automated Web-based Malware Behavioral Analysis
Tyler Hudak
VIDEO / SLIDES
13:00-13:45 New 0-Day Browser Exploits: Clickjacking – yea, this is bad…
Jeremiah Grossman & Robert “RSnake” Hansen
VIDEO / SLIDES
Web Intrusion Detection with ModSecurity
Ivan Ristic
VIDEO / SLIDES
Using Layer 8 and OWASP to Secure Web Applications
David Stern & Roman Garber
VIDEO / SLIDES
14:00-14:45 Application Security Industry Outlook Panel:
Jim Routh CISO DTCC,
Sunil Seshadri CISO NYSE-Euronet,
Joe Bernik SVP, RBS Americas,
Jennifer Bayuk Infosec Consultant,
Philip Venables CISO, Goldman Sachs,
Carlos Recalde SVP, Lehman Brothers,
Moderator: Mahi Dontamsetti
VIDEO / SLIDES
Security Assessing Java RMI
Adam Boulton
VIDEO / SLIDES
JBroFuzz 0.1 – 1.1: Building a Java Fuzzer for the Web
Yiannis Pavlosoglou
VIDEO / SLIDES
15:00-15:45 OWASP Testing Guide – Offensive Assessing Financial Applications
Daniel Cuthbert
VIDEO / SLIDES
Flash Parameter Injection (FPI)
Ayal Yogev & Adi Sharabani
VIDEO / SLIDES / PAPER
w3af – A Framework to own the web
Andrés Riancho
VIDEO / VIDEO
16:00-16:45 OWASP Enterprise Security API (ESAPI) Project
Jeff Williams
VIDEO / SLIDES
Cross-Site Scripting Filter Evasion
Alexios Fakos
VIDEO / SLIDES
Multidisciplinary Bank Attacks
Gunter Ollmann
VIDEO / SLIDES
17:00-17:45 Open Discussion On Application Security
Joe Bernik & Steve Antoniewicz
VIDEO / SLIDES
Mastering PCI Section 6.6
Taylor McKinley and Jacob West
VIDEO / SLIDES
Case Studies: Exploiting application testing tool deficiencies via “out of band” injection
Vijay Akasapu & Marshall Heilman
VIDEO / SLIDES
18:00-18:45 Spearfishing and the OWASP Live CD
Joshua Perrymon
VIDEO / SLIDES
Phundamental Security – Coding Secure w/PHP
Hans Zaunere
VIDEO / SLIDES
Payment Card Data Security and the new Enterprise Java
Dr. B. V. Kumar & Mr. Abhay Bhargav
VIDEO / SLIDES
19:00-20:00 OWASP Chapter Leader / Project Leader working session
OWASP Board/Chapter Leaders
(ISC)2 Cocktail Hour
All welcome to attend for a special announcement presented by:
W. Hord Tipton, Executive Director of (ISC)2
Technology Movie Night
Sneakers, WarGames, Hackers Are People Too, Tiger Team
from 19:00 – 23:00
20:00-23:00+ OWASP Event Party/Reception
Event badge required for admission
Food, Drinks w/ New & Old Friends – break out the laptop and play capture the flag for fun and prizes.
Location: HOTEL BALLROOM

DAY 2 – SEPT 25TH, 2008

08:00-10:00 BREAKFAST – Provided by event sponsors @ TechExpo
08:00-08:45 Software Development and Management: The Last Security Frontier
W. Hord Tipton, CISSP-ISSEP, CAP, CISA, CNSS and former Chief Information Officer for the U.S. Department of the Interior Executive Director and member of the Board of Directors, (ISC)²
VIDEO / SLIDES
Best Practices Guide for Web Application Firewalls
Alexander Meisel
VIDEO / SLIDES
The Good The Bad and The Ugly – Pen Testing VS. Source Code Analysis
Thomas Ryan
VIDEO / SLIDES
09:00-09:45 OWASP Web Services Top Ten
Gunnar Peterson
VIDEO / SLIDES
Red And Tiger Team Application Security Projects
Chris Nickerson
VIDEO / SLIDES
OpenSource Tools
Prof. Li-Chiou Chen & Chienitng Lin, Pace Univ
VIDEO / SLIDES
10:00-10:45 Building a tool for Security consultants: A story of a customized source code scanner
Dinis Cruz
VIDEO / SLIDES
“Help Wanted” 7 Things You Need to Know APPSEC/INFOSEC Employment
Lee Kushner
VIDEO / SLIDES
Industry Analysis with Forrester Research
Chenxi Wang
VIDEO / SLIDES
11:00-11:45 Software Assurance Maturity Model (SAMM)
Pravir Chandra
VIDEO / SLIDES
Security in Agile Development
Dave Wichers
VIDEO / SLIDES
Secure Software Impact
Jack Danahy
VIDEO / SLIDES
12:00-12:45 Next Generation Cross Site Scripting Worms
Arshan Dabirsiaghi
VIDEO / SLIDES
Security of Software-as-a-Service (SaaS)
James Landis
VIDEO / SLIDES
Open Reverse Benchmarking Project
Marce Luck & Tom Stracener
VIDEO / SLIDES
12:00-13:00 Capture the Flag Status – LUNCH – Provided @ TechExpo
13:00-13:45 NIST and SAMATE Static Analysis Tool Exposition (SATE)
Vadim Okun
VIDEO / SLIDES
Lotus Notes/Domino Web Application Security
Jian Hui Wang
VIDEO / SLIDES
Shootout @ Blackbox Corral
Larry Suto
VIDEO / SLIDES
14:00-14:45 Practical Advanced Threat Modeling
John Steven
VIDEO / SLIDES
The OWASP Orizon Project: towards version 1.0
Paolo Perego
VIDEO / SLIDES
Building Usable Security
Zed Abbadi
VIDEO / SLIDES
15:00-15:45 Off-shoring Application Development? Security is Still Your Problem
Rohyt Belani
VIDEO / SLIDES
OWASP EU Summit Portugal
Dinis Cruz
VIDEO / SLIDES
A Security Architecture Case Study
Johan Peeters
VIDEO / SLIDES
16:00-16:45 Vulnerabilities in application interpreters and runtimes
Erik Cabetas
VIDEO / SLIDES
Cryptography For Penetration Testers
Chris Eng
VIDEO / SLIDES
Memory Corruption and Buffer Overflows
Dave Aitel
VIDEO / SLIDES
17:00-17:45 Event Wrap-Up / Speaker & CTF Awards and Sponsor Raffles
VIDEO
18:30-19:30 OWASP Foundation, Chapter Leader Meeting – to collect ideas to make OWASP better!

OWASP SnowFROC

OWASP SnowFROC from Denver, CO 2009
MARCH 5, 2009
07:30-08:30 Registration and Continental Breakfast in the Sponsor Expo Room
08:30-08:35 Welcome to SnowFROC AppSec 2009 Conference – David Campbell, OWASP Denver
08:35-09:45 Keynote: “Top Ten Web Hacking Techniques of 2008: What’s possible, not probable” – Jeremiah Grossman, Whitehat Security

Video

09:45-10:15 OWASP State of the Union – Tom Brennan, OWASP Board
10:15-10:30 Break – Expo – CTF – Beatz by DJ Jackalope
Management / Executive Track: Room 1 | Deep Technical Track: Room 2
10:30-11:15 Doing More with Less: Automate or Die – Ed Bellis, Orbitz

Video

“Poor Man’s Guide to Breaking PKI: Why You Don’t Need 200 Playstations” – Mike Zusman, Intrepidus Group
11:15-12:00
  • Room 1: “A Legal Minimum Standard of Due Care: The CAG and the Top 25 Most Dangerous Programming Errors” – Alan Paller, SANS
  • Room 2: “Adobe Flex, AMF 3 and BlazeDS: An Assessment” – Kevin Stadmeyer, Trustwave

Video

12:00-13:00 Lunch – Expo – CTF – Beatz by DJ Jackalope
Management / Executive Track: Room 1 | Deep Technical Track: Room 2
13:00-13:50 “Building an Effective Application Security Program” – Joey Peloquin, Fishnet Security

Video

“Bad Cocktail: Spear Phishing + Application Hacks” – Rohyt Belani, Intrepidus Group

Video

13:50-14:50 “Automated vs. Manual Security: You can’t filter The Stupid” – David Byrne & Charles Henderson, Trustwave

Video

“SQL injection: Not only AND 1=1” – Bernardo Damele Assumpcao Guimaraes, Portcullis Computer Security Ltd.

Video

14:50-15:00 Break – Expo – CTF – Beatz by DJ Jackalope
15:00-15:50 “Security Policy Management: Best Practices for Web Services and Application Security” – Ray Neucom, IBM

Video

“Vulnerability Management in an Application Security World” – Dan Cornell & John Dickson, Denim Group

Video

15:50-16:30 Panel: Emerging Threats and Enterprise Countermeasures – Moderator: John Dickson
Panelists: Alan Paller, Joey Peloquin, Rohyt Belani, Ed Bellis, Laz, Ray Neucom
16:30-17:30 Conference Wrap Up, CTF Awards & Sponsor Raffles – CTF – Beatz by DJ Jackalope
17:30-21:00 OWASP Social Gathering: Dinner and Drinks @ TBD

OWASP Minneapolis/St. Paul (OWASP MSP)

Presentations from the OWASP Minneapolis-St. Paul (OWASP MSP) chapter events hosted in the Twin Cities area of Minnesota are now on their own page. Please visit OWASPMSP_Videos page for links to them. Some of the presenters include Pravir Chandra, Bruce Schneier, Jeremiah Grossman, Ryan Barnett, and many others.

Black Hat 2006

From Black Hat 2006:

Dinis Cruz @ BlackHat 2006 with FSTV
Dinis Cruz, leader of the OWASP.NET project joins us to talk about .NET, web security tools, the future of OWASP, and Open Source Software. OWASP – 30 min – Aug 30, 2006

AppSec Washington 2005

From the 2nd U.S. OWASP Conference held Oct 11-12, 2005 – Day 1:

OWASP_Intro_DaveWichers_Key_JoeJarzombek_RonRoss.mp4
OWASP Intro: Dave Wichers – Key Note Day 1: Joe Jarzombek – Dir. of Software Assurance – DHS – Software Assurance: Considerations for Advancing a National Strategy to Secure Cyberspace & Ron Ross -FISMA Project Lead – NIST – Status of the Federal Information Security Management Act (FISMA) Project. OWASP – 2 hr 7 min – Oct 11, 2005
OWASP_JackDanahy_The_Business_Case_for_Software_Security_Assurance.mp4
OWASP Jack Danahy – The Business Case for Software Security Assurance. OWASP – 1 hr 2 min – Oct 11, 2005
OWASP_ArianEvans_Tools_SurveyProject.mp4
OWASP Arian Evans – The OWASP Tools Survey Project. OWASP – 1 hr 18 min – Oct 11, 2005
OWASP_DinizCruz_Rooting_the_CLR.mp4
OWASP Dinis Cruz – Rooting the CLR. OWASP – 1 hr 22 min – Oct 11, 2005
OWASP_PaulBlack_RickKuhn.mp4
OWASP Paul Black – NIST – Developing a Reference Dataset & Rick Kuhn – NIST – Software Fault Interactions. OWASP – 1 hr 9 min – Oct 11, 2005
OWASP_AlexSmolen_Application_Logic_Defense.mp4
OWASP Alex Smolen – Application Logic Defense. OWASP – 36 min – Oct 11, 2005
OWASP_DanielCuthbert_Evolution_WebAppPenTest.mp4
OWASP Daniel Cuthbert – OWASP Testing Guide Lead – The Evolution Web App Pen Testing. OWASP – 1 hr 11 min – Oct 11, 2005

The 2nd U.S. OWASP Conference Day 2:

OWASP_IraWinkler_Secrets_of_Superspies.mp4
OWASP Ira Winkler – Keynote Day 2: Secrets of Superspies & Jeremy Poteet – In the Line of Fire: Defending Highly Visible Targets. OWASP – 2 hr 2 min – Oct 12, 2005
OWASP_JeffWilliams_OWASP_Guide_and_Membership.mp4
OWASP Jeff Williams – OWASP Development Guide and OWASP Membership Plan. OWASP – 1 hr 12 min – Oct 12, 2005
OWASP_DinizCruz_DotNet_Tools_Project.mp4
OWASP Dinis Cruz – The .Net Tools Project. OWASP – 1 hr 15 min – Oct 12, 2005
OWASP_MattFisher_WormsNowTargetingWebApps.mp4
OWASP Matt Fisher – Worms Now Targeting Web Applications. OWASP – 49 min – Oct 12, 2005
OWASP_RoganDawes_AdvancedFeaturesofWebScarab.mp4
OWASP Rogan Dawes – Advanced Features of OWASP WebScarab. OWASP – 1 hr 24 min – Oct 12, 2005
OWASP_JohnSteven_Building_a_Scalable_Software_Security_Practice.mp4
OWASP John Steven – Building a Scalable Software Security Practice. OWASP – 1 hr 19 min – Oct 12, 2005
OWASP_GunnerPeterson_IntegratingIdentityServicesintoWebApps.mp4
OWASP Gunnar Peterson – Integrating Identity Services into Web Apps. OWASP – 35 min – Oct 12, 2005

Documents from Hack In The Box Security Conference (HITBSECCONF) 2013


Documents from Virus Bulletin 2013


Corporate stream

  • Andreas Lindh (‘Surviving 0-days – reducing the window of exposure’)
  • Sabina Datcu (‘Targeted social engineering attacks. Sensitive information, from a theoretical concept to a culturally defined notion’)
  • Michael Johnson (‘Make it tight, protect with might, and try not to hurt anyone’)
  • Randy Abrams & Ilya Rabinovich (‘Windows 8 SmartScreen application control – what more could you ask for?’)
  • Axelle Apvrille (‘Analysis of Android in-app advertisement kits’)
  • Vanja Svajcer (‘Classifying PUAs in the mobile environment’)
  • Roman Unuchek (‘Malicious redirection of mobile users’)
  • Craig Schmugar (‘Real-world testing, the good, the bad, and the ugly’)
  • Ciprian Oprisa & George Cabau (‘The ransomware strikes back’)
  • Jarno Niemela (‘Statistically effective protection against APT attacks’)
  • Sergey Golovanov (‘Hacking Team and Gamma International in “business-to-government malware”’)

Technical stream

  • Carsten Willems & Ralf Hund (‘Hypervisor-based, hardware-assisted system monitoring’)
  • James Wyke (‘Back channels and bitcoins: ZeroAccess’ secret C&C communications’)
  • Xinran Wang (‘An automatic analysis and detection tool for Java exploits’)
  • Rowland Yu (‘GinMaster: a case study in Android malware’)
  • Samir Mody (‘“I am not the D’r.0,1d you are looking for”: an analysis of Android malware obfuscation’)
  • Farrukh Shazad (‘The Droid Knight: a silent guardian for the Android kernel, hunting for rogue smartphone malware applications’)
  • Fabio Assolini (‘PAC – the Problem Auto-Config (or “how to steal bank accounts with a 1KB file”)’)
  • Samir Patil (‘Deciphering and mitigating Blackhole spam from email-borne threats’)
  • Evgeny Sidorov (‘Embedding malware on websites using executable webserver files’)
  • Amr Thabet (‘Security research and development framework’)

‘Last-minute’ technical papers

Documents and Videos from EkoParty 2013


  • Droid Rage: Android exploitation on steroids – Pablo Solé – PDF | Video
  • Modification to the Android operating system’s resource control – Joaquín Rinaudo – ZIP | Video
  • Compromising industrial facilities from 40 miles away – Carlos Mario Penagos – PDF | PDF | Video
  • Attacking IPv6 with Evil FOCA – Chema Alonso – PPT | Video
  • String allocations in Internet Explorer – Chris Valasek – PPT | Video
  • ROP Compiler – Christian Heitman – PDF | Video
  • BIOS Chronomancy – Corey Kallenberg – PPT | Video
  • Defeating Signed BIOS Enforcement – Corey Kallenberg – PPT | Video
  • ERP Security: how hackers can open the box and take the jewels – Jordan Santasieri – PDF | Video
  • Shoulder surfing 2.0 – Federico Pacheco – PPT | Video
  • A symbolic execution engine for amd64 binaries – Felipe Manzano – PDF | Video
  • Do you know who is watching you? – Nahuel Riva – PPT | Video
  • There goes Captain Beto through space – Gera Richarte – PDF | Video
  • Vote early and vote often – Harri Hursti – PDF | Video
  • Sandboxing Linux code to mitigate exploitation – Jorge Lucangeli Obes – PDF | Video
  • All your sextapes are belong to us – Patricio Palladino – tgz | Video
  • Debuggers are really powerful – Pwning all of the Android things – Mathew Rowley – PDF | Video
  • Weighing in on issues with “Cloud Scale”: Hacking the Withings WS-30 – Michael Coppola – PDF | Video
  • Sentinel – Nicolás Economou – PDF | Video
  • Uncovering your trails. Privacy issues of Bluetooth devices – Verónica Valeros – PDF | Video
  • A mystery trip to the origin of Bitcoin – Sergio Demián Lerner – PDF | Video

Documents from RuxCon 2013

Documents from Hack.Lu 2013

Documents from Zero Nights 2013


Documents from: http://2013.zeronights.org/materials


Documents from SyScan 2014

Documents from Mobile Security Technologies 2014


Data Driven Authentication: On the Effectiveness of User Behaviour Modelling with Mobile Device Sensors [Paper] [Slides]
Gunes Kayacik, Mike Just, Lynne Baillie (Glasgow Caledonian University), David Aspinall (University of Edinburgh) and Nicholas Micallef (Glasgow Caledonian University)

Differentially Private Location Privacy in Practice [Paper] [Slides]
Vincent Primault, Sonia Ben Mokhtar (LIRIS / Université de Lyon), Cédric Lauradoux (INRIA) and Lionel Brunie (LIRIS / Université de Lyon)

Location Privacy without Carrier Cooperation [Paper] [Slides]
Keen Sung, Brian Neil Levine and Marc Liberatore (University of Massachusetts Amherst)

An Application Package Configuration Approach to Mitigating Android SSL Vulnerabilities [Paper] [Slides]
Vasant Tendulkar and William Enck (North Carolina State University)

Two Novel Defenses against Motion-Based Keystroke Inference Attacks [Paper] [Slides]
Yihang Song, Madhur Kukreti, Rahul Rawat and Urs Hengartner (University of Waterloo)

Sprobes: Enforcing Kernel Code Integrity on the TrustZone Architecture [Paper] [Slides]
Xinyang Ge, Hayawardh Vijayakumar and Trent Jaeger (The Pennsylvania State University)

Enter Sandbox: Android Sandbox Comparison [Paper] [Slides]
Sebastian Neuner (SBA Research), Victor van der Veen (VU University Amsterdam), Martina Lindorfer (Vienna University of Technology), Markus Huber, Georg Merzdovnik, Martin Mulazzani and Edgar Weippl (SBA Research)

Andlantis: Large-scale Android Dynamic Analysis [Paper] [Slides]
Michael Bierma (Sandia National Laboratories), Eric Gustafson (University of California, Davis), Jeremy Erickson, David Fritz and Yung Ryn Choe (Sandia National Laboratories)

A Systematic Security Evaluation of Android’s Multi-User Framework [Paper] [Slides]
Paul Ratazzi, Yousra Aafer, Amit Ahlawat, Hao Hao, Yifei Wang and Wenliang Du (Syracuse University)

A First Look at Firefox OS Security [Paper] [Slides]
Daniel Defreez (University of California, Davis), Bhargava Shastry (Technische Universität Berlin), Hao Chen (University of California, Davis) and Jean-Pierre Seifert (Technische Universität Berlin)

Code Injection Attacks on HTML5-based Mobile Apps [Paper] [Slides]
Xing Jin, Tongbo Luo, Derek G. Tsui and Wenliang Du (Syracuse University)


Documents and Videos from CONFidence 2014


  • 50 Shades of RED: Stories from the “Playroom” – Video
  • NSA for dummies …methods to break RSA – Video
  • Scaling Security – Video
  • ATMs – We kick their ass – Video, Slides
  • Bitcoin Forensics: Fact or Fiction? – Video, Slides
  • Shameful secrets of proprietary protocols – Video, Slides
  • Evaluation of Transactional Controls in e-Banking Systems – Video, Slides
  • All your SAP P@$$w0ЯdZ belong to us – Video, Slides
  • Protecting Big Data at Scale – Video, Slides
  • Security Implications of the Cross-Origin Resource Sharing – Video, Slides
  • Asymmetric Defense “Using your home-field advantage” – Video, Slides
  • Preventing violation of memory safety in C/C++ software – Video, Slides
  • On the battlefield with the Dragons – the interesting and surprising CTF challenges – Video, Slides
  • SCADA deep inside: protocols and security mechanisms – Video, Slides
  • Exploring treasures of 77FEh – Video, Slides
  • The Tale of 100 CVE’s – Video, Slides
  • Hacking the Czech Parliament via SMS – Video

Documents from Presentations at Crypto Rump 19 August 2014


Four minutes of fast talking about order-preserving encryption

Documents from Presentations at LinuxCon North America 20-22 August 2014


6 Months of the Eudyptula Challenge, Lessons Learned
SMR impact on Linux Storage Subsystem
How Docker Enablement makes Linux Containers easy to deploy on Enterprise Linux
Coming Soon, an Open Source Project Near You – the Linaro LNG Open Data Plane Initiative
Universal Tux: Accessibility For Our Future Selves
Ever Growing CPU States: Context Switch with Less Memory and Better Performance
Open Source Governance Round Table: What’s hot?
Fork and Ignore: Fighting a GPL Violation By Coding Instead
Kernel Debugging and Tracing
NFV in the embedded world: Yocto Project and OpenStack
Replacing HW Raid with Twitter Cache and Persistent Memory
Explaining and Accessing the SPDX License List
kpatch: Have Your Security And Eat It Too!
Raspberry Pi Hacks and Projects
Hacking the Kernel, Hacking Myself
Linux Performance Tools
An Overview of Kernel Lock Improvements
Object-Based Storage – NAS support through NFS-Ganesha.
The Architecture of Linux Traffic Control
Better Integration of Systems Management Hardware with Linux
Compressing strings of the kernel
Kernel Internship Report (OPW)
Make your own usb gadget
Why Linux rules Chicago
Tux On Top: Open Source at the Top of the Rack
How Linux Distros Became Boring (and Fedora’s Plan to Put Boring Where It Belongs)
New Views on your Source Code History with “git replace”
Open Source Policy: OpenDaylight and OpFlex
Kernel features for reducing power consumption on embedded devices
Getting More Out Of System Suspend In Linux
Simulating the Internet using unprivileged LXC containers
Linux Kernel Power Management (PM) Framework for ARM 64-bit processors
devicetree: kernel internals and practical troubleshooting
LLVMLinux: Embracing the dragon
Building Linux support for Digital TV
Kpatch without Stop Machine
RAS Enhancement Activities for Mission-critical Linux Systems
Why you should consider using btrfs, real COW snapshots and file level incremental server OS upgrades like Google does.
You know, for kids! 7 ideas for improving tech education in schools
Lessons about Community from Science Fiction
Troubleshooting as a Service
Testing Video4Linux Applications and Drivers

Documents from Def Con 22 (7-10 August 2014)


  • Protecting SCADA From the Ground Up – PDF
  • Detecting Bluetooth Surveillance Systems – PDF
  • Dropping Docs on Darknets: How People Got Caught – PDF
  • Hacking 911: Adventures in Disruption, Destruction, and Death – PDF
  • How to Disclose an Exploit Without Getting in Trouble – PDF
  • Reverse Engineering Mac Malware – PDF
  • NSA Playset: PCIe – PDF
  • The Monkey in the Middle: A pentesters guide to playing in traffic. – PDF
  • Investigating PowerShell Attacks – PDF
  • Is This Your Pipe? Hijacking the Build Pipeline. – PDF
  • Screw Becoming A Pentester – When I Grow Up I Want To Be A Bug Bounty Hunter! – PDF
  • Home Alone with localhost: Automating Home Defense – PDF
  • Meddle: Framework for Piggy-back Fuzzing and Tool Development – PDF
  • Instrumenting Point-of-Sale Malware: A Case Study in Communicating Malware Analysis More Effectively – PDF White Paper
  • One Man Shop: Building an effective security program all by yourself – PDF
  • RF Penetration Testing, Your Air Stinks – PDF
  • Touring the Darkside of the Internet. An Introduction to Tor, Darknets, and Bitcoin – PDF
  • USB for all! – PDF
  • ShareEnum: We Wrapped Samba So You Don’t Have To – PDF
  • An Introduction to Back Dooring Operating Systems for Fun and Trolling – PDF
  • Android Hacker Protection Level 0 – PDF
  • Anatomy of a Pentest; Poppin’ Boxes like a Pro – PDF
  • Bug Bounty Programs Evolution – PDF Extras
  • Practical Foxhunting 101 – PDF
  • Client-Side HTTP Cookie Security: Attack and Defense – PDF
  • Bypass firewalls, application white lists, secure remote desktops under 20 seconds – PDF
  • PropLANE: Kind of keeping the NSA from watching you pee – PDF
  • Getting Windows to Play with Itself: A Hacker’s Guide to Windows API Abuse – PDF
  • Weaponizing Your Pets: The War Kitteh and the Denial of Service Dog – PDF
  • Through the Looking-Glass, and What Eve Found There – PDF White Paper
  • Summary of Attacks Against BIOS and Secure Boot – PDF
  • I am a legend: Hacking Hearthstone with machine learning – PDF
  • The Secret Life of Krbtgt – PDF
  • The $env:PATH less Traveled is Full of Easy Privilege Escalation Vulns – PDF
  • Hacking US (and UK, Australia, France, etc.) traffic control systems – PDF
  • The Cavalry Year[0] & a Path Forward for Public Safety – PDF
  • NSA Playset: DIY WAGONBED Hardware Implant over I2C – PDF
  • Abuse of Blind Automation in Security Tools – PDF
  • Why Don’t You Just Tell Me Where The ROP Isn’t Supposed To Go – PDF
  • Steganography in Commonly Used HF Radio Protocols – PDF Extras
  • Saving Cyberspace by Reinventing File Sharing – PDF
  • Empowering Hackers to Create a Positive Impact – PDF
  • Just What The Doctor Ordered? – PDF
  • Check Your Fingerprints: Cloning the Strong Set – PDF
  • Shellcodes for ARM: Your Pills Don’t Work on Me, x86 – PDF
  • Blowing up the Celly – Building Your Own SMS/MMS Fuzzer – PDF
  • Mass Scanning the Internet: Tips, Tricks, Results – PDF
  • Deconstructing the Circuit Board Sandwich: Effective Techniques for PCB Reverse Engineering – PDF
  • Saving the Internet (for the Future) – PDF
  • Burner Phone DDOS 2 dollars a day : 70 Calls a Minute – PDF
  • Hack All The Things: 20 Devices in 45 Minutes – PDF
  • Stolen Data Markets: An Economic and Organizational Assessment – PDF
  • Raspberry MoCA – A recipe for compromise – PDF White Paper 1 White Paper 2
  • Girl… Fault-Interrupted. – PDF
  • Extreme Privilege Escalation On Windows 8/UEFI Systems – PDF White Paper
  • NinjaTV – Increasing Your Smart TV’s IQ Without Bricking It – PDF
  • Oracle Data Redaction is Broken – PDF
  • Weird-Machine Motivated Practical Page Table Shellcode & Finding Out What’s Running on Your System – PDF
  • Catching Malware En Masse: DNS and IP Style – PDF White Paper
  • Attacking the Internet of Things using Time – PDF
  • Open Source Fairy Dust – PDF
  • Learn how to control every room at a luxury hotel remotely: the dangers of insecure home automation deployment – PDF White Paper
  • Generating ROP payloads from numbers – PDF
  • DEF CON Comedy Jam Part VII, Is This The One With The Whales? – PDF
  • The NSA Playset: RF Retroreflectors – PDF 1 PDF 2
  • VoIP Wars: Attack of the Cisco Phones – PDF
  • Playing with Car Firmware or How to Brick your Car – PDF
  • Measuring the IQ of your Threat Intelligence feeds – PDF
  • Secure Because Math: A Deep Dive On Machine Learning-Based Monitoring – PDF
  • Abusing Software Defined Networks – PDF
  • NSA Playset : GSM Sniffing – PDF
  • Cyberhijacking Airplanes: Truth or Fiction? – PDF
  • Am I Being Spied On? Low-tech Ways Of Detecting High-tech Surveillance – PDF
  • Detecting and Defending Against a Surveillance State – PDF
  • Acquire current user hashes without admin privileges – PDF
  • You’re Leaking Trade Secrets – PDF
  • Veil-Pillage: Post-exploitation 2.0 – PDF
  • From Raxacoricofallapatorius With Love: Case Studies In Insider Threat – PDF
  • Don’t DDoS Me Bro: Practical DDoS Defense – PDF
  • Advanced Red Teaming: All Your Badges Are Belong To Us – PDF
  • I Hunt TR-069 Admins: Pwning ISPs Like a Boss – PDF
  • The Only Way to Tell the Truth is in Fiction: The Dynamics of Life in the National Security State – PDF
  • A Journey to Protect Points-of-sale – PDF
  • Impostor — Polluting Tor Metadata – PDF
  • Domain Name Problems and Solutions – PDF White Paper
  • Optical Surgery; Implanting a DropCam – PDF
  • Manna from Heaven: Improving the state of wireless rogue AP attacks – PDF
  • The Open Crypto Audit Project – PDF
  • Practical Aerial Hacking & Surveillance – PDF White Paper
  • From root to SPECIAL: Pwning IBM Mainframes – PDF
  • PoS Attacking the Traveling Salesman – PDF
  • Don’t Fuck It Up! – PDF

Documents from Black Hat USA 2-7 August 2014


All the presentations from WOOT ’14 and the 23rd USENIX Security Symposium


On 19 August 2014 a new edition of USENIX Security took place in San Diego, starting with the workshops (WOOT ’14) and followed by the 23rd USENIX Security Symposium over three days, from 20 to 22 August.

Here is the list of workshops held at the USENIX Workshop on Offensive Technologies (WOOT) 2014. You can click on each link to learn more about the workshop and get the material itself, or, if you want to download all the material below, you can do so from here.

PDFs
USENIX Security ’14 Full Proceedings (PDF)
USENIX Security ’14 Proceedings Interior (PDF, best for mobile devices)

ePub (for iPad and other eReaders)
USENIX Security ’14 Full Proceedings (ePub)

Mobi (Kindle)
USENIX Security ’14 Full Proceedings (Mobi)