Loading…
This event has ended. Create your own event on Sched.

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Tuesday, April 5
 

9:00am

Web Application Hacking for Beginners

Starting at the very basics of how a web browser communicates with servers on the internet, we will first learn what the major vulnerabilities in web applications are. Covering cross-site scripting, SQL injections, and remote command execution, we will exploit vulnerabilities in an intentionally vulnerable web application. By the end of the class, students should have a good understanding of why vulnerabilities work the way they do in web applications, as well as the tools used to exploit them.

Student Requirements (equipment): Laptop
Student Requirements (prerequisite skills): How to use a web browser
Lunch: Included (vegetarian options available upon request by 3/25/16).
Minimum attendance threshold: This class may be cancelled unless attendance reaches a minimum of 10 students by 3/7/16.
Date: Tuesday, April 05, 2016 9:00 AM – 5:00 PM (Central Time)
Location: Austin Convention Center
Price: $500.00


Speakers
avatar for Brandon Perry

Brandon Perry

Brandon Perry specializes in web application security.


Tuesday April 5, 2016 9:00am - 5:00pm
TBA
 
Friday, April 8
 

8:00pm

Reception
Friday April 8, 2016 8:00pm - 10:00pm
Ballroom BC
 
Saturday, April 9
 

9:00am

Caffeine Break
Need caffiene? 

Saturday April 9, 2016 9:00am - 10:00am
Ballroom BC

9:30am

Amazon Oasis Orange Juice and Champagne Bar provided by the Amazon Information Security Team
Join us for some morning mimosas compliments of the Amazon Information Security Team!

Saturday April 9, 2016 9:30am - 10:30am
Ballroom BC

10:00am

How did we get here, and where are we going?
We cannot understand where we are going unless we know where we are and how we got here, this applies to road trips as well as careers and technologies.

This talk will begin with a look back at some of the people and ideas which helped to found the practice of information security to build an understanding of our past. From history to the present, the focus will then shift to a discussion of the state of information (in)security and also look at the evolving hacker culture, and close by venturing into a conversation about the future of InfoSec and hacking.

Speakers


Saturday April 9, 2016 10:00am - 10:40am
Ballroom A

11:00am

Monitoring & Analysis 101: N00b to Ninja in 60 Minutes
Knowing how to perform basic monitoring and analysis can go a long way in helping infosec analysts do some foundation analysis to either crush the mundane or recognize when it's time to pass the more serious attacks on to the the big boys. This presentation covers environment options for making your network monitor-able, three quick steps to triage and analyze alerts, and integrated distros that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well... maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of network monitoring and analysis.

Speakers
avatar for grecs

grecs

NovaInfosec Consulting
grecs has two decades of industry experience, undergraduate and graduate engineering degrees, and a really well known security certification. Despite his formal training, grecs has always been more of a CS person at heart going back to his VIC­20, Commodore 64, and high school... Read More →


Saturday April 9, 2016 11:00am - 11:40am
Ballroom A

12:00pm

Alamo Drafthouse Turbo Talks

During our two-hour lunch breaks on both days of the conference, InfoSec Southwest holds a completely open forum for lightning and turbo-talks that is not constrained by a speaker selection process, mirroring our wildly successful local AHA! hacker meeting format. This forum is open to anyone attending the conference to attend and/or to speak on any topic they wish in a first-come, first-speak order. As such, we invite everyone to attend and participate. Those who come and speak during the open forum will receive a complimentary drink ticket and speaker badge.

The Alamo Drafthouse is an Austin movie-going staple experience, and we’ve taken over one of the theaters in their downtown Ritz location for our open forum lunches. The Alamo will have their full kitchen and bar open so we hope you’ll consider spending some or all of your lunch break with us at the Alamo.


Speakers
E

EVERYONE

This is you! You should talk at this!


Saturday April 9, 2016 12:00pm - 2:00pm
Alamo Drafthouse Ritz

2:30pm

IoT on Easy Mode (Reversing Embedded Devices)
As technology matures we are seeing a trend of products that are now “smart.” The problem is that once we discover how these devices are programmed we can see the flaws but unfortunately the hardware aspect scares some people away. This talk is to show people how easy it really is to get into embedded device hacking while also expanding their knowledge outside of the x86/x86_64 space. By the end of this talk the audience will be encouraged to go out and start their journey into the embedded device world while having the tools that they need without the need of spending money unless absolutely necessary. This talk will also cover the reasoning behind purchasing products such as a logic analyzer and the bricks walls I personally went through to justify the needs.

Speakers
avatar for Elvis Collado

Elvis Collado

Praetorian
Elvis Collado is a Security Researcher with a focus in embedded electronics. Elvis gotinto electronics ever since he discovered his first vulnerabilities in the devices he owned. He decided to migrate his research from the desktop space to the embedded space and wants to share what... Read More →


Saturday April 9, 2016 2:30pm - 3:10pm
Ballroom A

3:00pm

Caffeine Break
Need caffeine?

Saturday April 9, 2016 3:00pm - 4:00pm
Ballroom BC

3:00pm

Pandora's Soapbox

Up to 60 people will each be given 60 seconds to pitch themselves, their business, their startup, their job posting, or whatever to the masses during Pandora’s Soapbox. You could read your resume or politely list bullet points from a job posting or you can get creative. How much do you want to stand out in the crowd?

Do what you have to do to recruit employees, make a career change, or look for a new business partner, but do it fast because there’s no time between the pitches and we’re not going to stop the next person from jumping on stage to claim their minute in the spotlight.

Sign up, stand up, and stand out.


Speakers
E

EVERYONE

This is you! You should talk at this!


Saturday April 9, 2016 3:00pm - 4:00pm
Ballroom BC

3:30pm

Speak Security and Enter: Better Ways to Communicate with Non-Technical Users
Every day, security professionals encounter a common problem: after bringing a student or colleague up to speed on security basics, it feels like nothing stuck. Why does this happen? And how can we change up the ways we educate security to encourage better outcomes for the average user? This talk will help IT and security professionals find common ground with non-technical users. In addition to sharing people-friendly metaphors, it will give attendees a solid set of communication strategies and approaches to educate the average user about the mindset behind security to develop secure behaviors. And yes–spoiler alert–there will definitely be some Lord of the Rings involved!

Speakers
avatar for Jessy Irwin

Jessy Irwin

AgileBits
Jessy Irwin lives in San Francisco, and is Security Empress at AgileBits, makers of 1Password. Her work focuses on security awareness and end­user education for non­technical audiences. She is an prolific writer, regular speaker, and outspoken advocate for stronger privacy and... Read More →



Saturday April 9, 2016 3:30pm - 4:10pm
Ballroom A

4:30pm

Basic and Advanced SQL injection techniques
This talk covers the very basics of how SQL injections work and how to exploit advanced vulnerabilities, and is divided into two parts. The first half goes over the minimum to know about SQL injections and the various techniques available to hackers to exploit them. Once they are covered and demonstrated, advanced techniques on real world applications will be demoed in the latter half. Lot’s of demos.

Speakers
avatar for Brandon Perry

Brandon Perry

Brandon Perry specializes in web application security.


Saturday April 9, 2016 4:30pm - 5:10pm
Ballroom A

5:30pm

Lessons Learned from Researching and Exploiting Stagefright
Android is currently the most popular operating system worldwide. Such popularity garnered increased attention from malicious actors and security researchers alike. The potential impact of widespread exploitation of over one and half billion devices is truly daunting. Several vulnerabilities in Android's Stagefright multimedia library were proven to be usable to realize this potential.

This presentation looks back at the author's time spent researching and attacking Android devices via Stagefright vulnerabilities. It covers various technical facts and interesting tidbits gleaned throughout the exploit development process. Apart from a walkthrough of two exploits, this presentation also discusses Android OS internals and summarizes the body of research published on the topic by the larger security community.

After attending this presentation, you will better understand how vulnerabilities in Android can be exploited. Joshua will show you what has been done to improve the overall security of the Android operating system and what challenges lie ahead.

Speakers
avatar for Joshua Drake

Joshua Drake

Zimperium Enterprise Mobile Security
Joshua J. Drake is the VP of Platform Research and Exploitation at Zimperium EnterpriseMobile Security and lead author of the Android Hacker's Handbook. Joshua focuses on original research such as reverse engineering and the analysis, discovery, and exploitation of security vulnerabilities... Read More →


Saturday April 9, 2016 5:30pm - 6:10pm
Ballroom A

10:00pm

Project MAYHEM
Project Mayhem is a combination scavenger hunt and pub crawl taking place Saturday night in the heart of downtown Austin’s nightlife. This is not to be missed.

Saturday April 9, 2016 10:00pm - Sunday April 10, 2016 1:00am
Buffalo Billiards Rec Room 201 E 6th St, Austin, TX 78701
 
Sunday, April 10
 

9:00am

Caffeine Break
Need caffeine?

Sunday April 10, 2016 9:00am - 10:00am
Ballroom BC

10:00am

Automating Scambaiting with Markov Chains
We’ve taken a novel approach to automating the determination of a phisher’s geographic location. With the help of Markov chains, we craft honeypot responses to phishers’ emails in an attempt to beat them at their own game. We’ll examine the underlying concepts, implementation of the system, and reveal some of the results from our ongoing experiment.

Speakers
avatar for Robbie Gallagher

Robbie Gallagher

Robbie Gallagher is a security engineer with Atlassian in Austin, Texas. He received his bachelor’s degree in applied computing technology from Colorado State University, and has spent the past few years focusing on web application security and static analysis. In his free time... Read More →


Sunday April 10, 2016 10:00am - 10:20am
Ballroom A

10:30am

Leaking Windows Kernel Pointers
As part of reversing win32k.sys to understand the User-Mode Callback mechanism, I found several kernel information leaks. As it turns out, there were several situations where the kernel was readily returning kernel pointers to user land. This talk will be a brief introduction into how user-mode callbacks operate, a description of the information leaks vulnerability and how prevalent they are, and then a detailed description of how to take advantage of CVE-2015-0094.

Speakers
avatar for WanderingGlitch

WanderingGlitch

Zero Day Initiative
WanderingGlitch is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being... Read More →


Sunday April 10, 2016 10:30am - 10:50am
Ballroom A

11:00am

'We’re from the government and we’re here to help... No, really.'
There is an undeniable intersection between computer security researchers' efforts to identify and disclose security vulnerabilities and federal law enforcement's efforts to counter emerging cyber threats and prevent cybercrime. Both engage in activities intended to eliminate cyber threats and to help secure information systems and the personal, financial, and otherwise sensitive data stored on those systems. But for some researchers, there is an abiding concern that the intersection between their work and federal law enforcement's will become a collision that may subject them to investigation or prosecution.

This talk will delve into how federal law enforcement uses Computer Fraud and Abuse Act (CFAA), provide some suggestions to computer security researchers intended to make encounters with law enforcement less likely, and discuss how some recently enacted laws -- and proposed amendments to existing laws -- benefit research. Its goal is to encourage and promote legitimate computer security research.

Speakers
avatar for Leonard Bailey

Leonard Bailey

U.S. Department of Justice, Computer Crime & Intellectual Property Section
Mr. Bailey joined the Department of Justice’s Terrorism and Violent Crime Section in 1991 and served as Special Counsel and Special Investigative Counsel to the Department’s Inspector General in the late 1990’s.  In 2000, he joined the Computer Crime and Intellectual Property Section... Read More →


Sunday April 10, 2016 11:00am - 11:40am
Ballroom A

12:00pm

Alamo Drafthouse Turbo Talks

During our two-hour lunch breaks on both days of the conference, InfoSec Southwest holds a completely open forum for lightning and turbo-talks that is not constrained by a speaker selection process, mirroring our wildly successful local AHA! hacker meeting format. This forum is open to anyone attending the conference to attend and/or to speak on any topic they wish in a first-come, first-speak order. As such, we invite everyone to attend and participate. Those who come and speak during the open forum will receive a complimentary drink ticket and speaker badge.

The Alamo Drafthouse is an Austin movie-going staple experience, and we’ve taken over one of the theaters in their downtown Ritz location for our open forum lunches. The Alamo will have their full kitchen and bar open so we hope you’ll consider spending some or all of your lunch break with us at the Alamo.


Speakers
E

EVERYONE

This is you! You should talk at this!


Sunday April 10, 2016 12:00pm - 2:00pm
Alamo Drafthouse Ritz

2:30pm

Contextual Detection of Related Executables and Coding Similarities
Using computer vision techniques (CVT) it may be possible to determine how related different binary format files (executables, binary Office formats, etc) are to others of the same format. I wish to present a set of functions, code, and sample corpus which demonstrates comparisons using CVT.

Speakers
avatar for Angelo

Angelo "vesh" Vescio

San Antonio Hackers Association
Moderator for the San Antonio hackers association and longtime Infosec professional. Former Expert Witness (Federal litigation, retained by defense). Founded a company once, I think that’s worth something right? Former researcher and developerprofit firms. Currently an engineer... Read More →



Sunday April 10, 2016 2:30pm - 3:10pm
Ballroom A

3:00pm

Caffeine Break
Need caffeine?

Sunday April 10, 2016 3:00pm - 4:00pm
Ballroom BC

3:30pm

PCT - Practical Code Triage
Source code auditing is a common bug finding method for both offensive and defensive security practitioners. In the security consulting game, coming up to speed quickly on a large, unfamiliar code base is paramount to successful source audits. Tracking source code coverage - which source files and functions have been audited, which still need attention, and which should be avoided - is a useful way to track source audits. This can scale out to assist teams of people in collaboration.

This talk presents a number of source auditing methods and tools. Standard techniques such as bug-clairvoyance, plaintext note taking, `grep strcpy`, and pen-to-paper will be covered. Additional tips and techniques Todd has learned along life’s journey will also be shared. He will cover more formal methods involving C language parsers, relational and graph databases, and other tools of his own divination. Finally, the talk shall present a suite of tools and techniques to apply deeper analysis to function execution, data handling, attack surface identification, and security boundary mapping.

Speakers
avatar for Todd Manning

Todd Manning

Optiv
Todd Manning lives in Austin, Texas. He is currently working in the Applied Research team at Optiv, where he performs source auditing, reverse engineering, and other security auditing for  a diverse set of customers. Todd’s indy research tends toward embedded systems and the mobile... Read More →


Sunday April 10, 2016 3:30pm - 4:10pm
Ballroom A

4:30pm

LibreSSL, (almost) two years later
Wait, those LibreSSL​ guys are still around? Does it work on anything other than OpenBSD yet? What's the point, everyone just uses OpenSSL anyway, right? In this talk, I'll discuss how the LibreSSL came about, how the portable version was developed, road-bumps along the way, technical and practical differences between OpenSSL forks, things that make LibreSSL special. I'll also shed some light on how things work behind the scenes in the LibreSSL development community, what it's like to be an OpenBSD committer, and how you can help.

Speakers
avatar for Brent Cook

Brent Cook

Rapid7
As the president of the Magnolia Texas Computer Clubin 1994,Brent Cookenjoyed setting up Netware over 10­base2 networks and BBQing MicroVAXes scrounged from the NASA surplus warehouse. Since, he has developed custom firmware, bespoke network stacks, and all manner of proprietary... Read More →


Sunday April 10, 2016 4:30pm - 5:10pm
Ballroom A

5:30pm

Cleaning up Magical Crypto Fairy Dust with Cryptanalib and FeatherDuster
The gap between academic development of cryptanalysis techniques and their practical application is wide. The application security community was in awe in 2010 when Duong and Rizzo were able to apply Vaudenay's 2002 padding oracle attack technique to not one but three major frameworks, ASP.NET, Ruby on Rails, and Java Server Faces. There are various tools being developed for certain applications of these attacks, but they tend to implement at most a handful of different attacks. One of the difficulties is that flawed cryptography can exist in lots of different kinds of technologies; cryptography can exist in pretty much any place normal data can! As a result, performing practical cryptographic attacks often requires writing your own custom tool. This can be beyond the scope of a pen test due to time restrictions. It may also be beyond the skill of a tester to implement a given attack.

Enter Cryptanalib: A library implementing various crypto attacks to make writing crypto attack tools easier! But how do you use it if you can't write code?

Enter FeatherDuster: A modular, wizard-like interface to make using cryptanalib as simple as possible, sometimes even requiring the user to write no code whatsoever!

This talk will discuss some common cryptographic mistakes and show how to use cryptanalib and featherduster to exploit them.

Speakers
avatar for Daniel Crowley

Daniel Crowley

NCC Group
Daniel Crowley is a Security Engineer for NCC Group, tasked with finding and exploiting flaws in everything from Web applications and cryptosystems to ATMs, smart homes, and industrial control systems. Daniel denies all allegations of unicorn smuggling and questions your character... Read More →



Sunday April 10, 2016 5:30pm - 6:10pm
Ballroom A

6:30pm

Closing Ceremonies & Raffle
Sunday April 10, 2016 6:30pm - 7:00pm
Ballroom A