CONFERENCE KICKOFF ᛫ AUGUST 24 2018
KEYNOTE SPEAKER: ANNE MARIE ZETTLEMOYER
ANNE MARIE ZETTLEMOYER
is a security thought leader with a business background, analytics expertise, and 19 years of experience across 8 industries. She is a highly skilled cyber strategist with expertise in cybersecurity risk and operations, decision science, metrics, and performance measurement. Her work experience includes senior management positions at large financial institutions such as Freddie Mac and Capital One, cybersecurity companies like FireEye, and service at the United States Secret Service. She holds an MBA degree from the University of Michigan and she has CISSP (Certified Information Systems Security Professional) and CEH (Certified Ethical Hacker) certifications.
CONFERENCE DAY 2 ᛫ AUGUST 25 2018
KEYNOTE SPEAKER: DEBORAH SNYDER
MBA, GCIS, CISSP, CRISC, PMP Chief Information Security Officer NYS Office of Information Technology Services Chief Information Security Office
Deborah A. Snyder serves as Chief Information Security Officer (CISO) for New York State, in the Office of Information Technology Services (ITS). In her role, she oversees the Enterprise Information Security Office, and directs a comprehensive program of governance, risk management and compliance functions, vulnerability management, threat intelligence, cyber incident response, and training and exercise services. She provides strategic leadership and vision, and assuring business-aligned, risk-based investments that maximize business opportunity and minimize information and cyber security risk.
Ms. Snyder has extensive experience in government program administration, information technology and cyber security policy. She actively supports the State’s efforts to engage citizens and enhance the delivery of government services. She is an acknowledged industry thought-leader, and has been recognized for excellence and outstanding contributions in public programs and the field of cyber security.
She serves on the NYS Forum Board of Directors, NY CISO Executive Summit Governing Board, is a State Academy for Public Administration Fellow, and member of the Project Management Institute, InfraGard, Information Systems Security Association (ISSA), Information Systems Audit and Control Association (ISACA), and the Institute of Internal Auditors (IIA). She teaches graduate-level courses, has published numerous articles, and co-authored “SECURE – Insights From The People Who Keep Information Safe,” which offers industry leadership insights and perspective. She is a highly regarded speaker on topics critical to executive-level business and IT professionals.
1) offensive track
The red side of Security. Talks, discussions, demonstrations on breaking, bypassing, or otherwise hacking security controls and systems.
Abhijith B R · ernst & young
Working as a Senior security analyst at EY (Ernst & Young), 8 years of experience in the Information Security industry, Cyber Security researcher, blogger, maker and adventure motorcycle traveler. Mostly researching in intelligent penetration testing automation and red teaming tactics. Presented at BSides Delhi, and a few other national cyber security events. Lead organizer of local Defcon group (DC0471), Founder of Red team village community.
Presentation: The Evolution of PentestoBots - Intelligent automation of penetration testing and vulnerability assessments with the help of AI/NLP/ML powered chat bots
"We are coining a new area of interest; a new genre! - PentestoBots AKA Penetration testing Automation Chat Bots! PentestoBots can be considered as a context aware; Artificial Intelligence / Natural language processing based platform which can be used to incorporate penetration testing automation use cases, scripts, Services and reporting frameworks. The interface to the Bot will a chat application. Users can ask the bot to do automation activities using natural language queries. Chat bots are there for a long time, and using it for penetration testing and vulnerability assessment seemed to be a good idea! DevSecOps is an emerging technology and PentestoBots can be integrated with the same workflow. This presentation is all about customizing hubot chat bot from GitHub, making it a powerful virtual assistant to help us in security assessment or penetration testing; and interacting with it using natural language (NLP) instead of commands. The platform would be powered by Machine learning / Artificial intelligence framework. So that the chat bot can understand user’s sophisticated queries and do certain automation tasks by the help of Deep learning methods/machine learning and responds to the queries. We can treat this bot as a person with huge amount of knowledge about information security; it can do so many things it was trained to do, in a human like behavior. This can be very helpful for; not only penetration testers, but also project teams and developers who needs help with secure development, information security policies or perform security assessments themselves. The end goal is to perform an initial security assessment or penetration testing using the chat bot including report generation and vulnerability management. PentestoBot can be used by both Blue teams and red teams. For blue teams or internal vulnerability assessment teams, a cube server with much processing power can be used. All the enterprise scanning tools and services can be integrated with it. Place it in your office and connect it to the network. That’s it. And integrating the chat bot aka PentestoBot to a portable Raspberry Pi IoT device; which can be carried in the backpack, so that it will help Red teamers, External pentesters to perform sophisticated testing with simple chat with the bot. The chat interface can be accessed from the smart phones / Smart watches, which makes the life much easier! Just imagine, you are (Let it be a security tester or project team member) asking the chat bot to perform an initial penetration test or security assessment against a web application or host. It’ll perform an initial assessment using various security tools, services, scanners, automated manual testing etc and comes back to you with a consolidated report! We believe, the idea of PentestoBots are going to make a big difference in the cyber security world."
Alex Ivanov · mbl technologies
Alex is the lead Penetration Tester for MBL Technologies, based in NYC. Alex specializes in medical records systems, embedded systems, mainframe technologies, and large scale computing installations. In her spare time, Alex collects vintage electronics including off brand and bespoke gaming technology.
Presentation: CPR for EMR - Tearing apart electronic medical records systems
'Medical records systems present a large threat surface that may expose sensitive patient data. Alarmingly, many legacy protocols, programs, and systems still are wide use today. In this talk, Security Expert Alex Ivanov will discuss a threat model for healthcare related computer systems, touching on common sources of vulnerability in electronic model record systems, and their associated protocols.'
Ben Sadeghipour · hackerone
Ben is the Hacker Operations Lead at HackerOne, the #1 bug bounty platform by day, and a hacker by night. Prior to joining HackerOne, he has helped identify and exploit over 500 security vulnerabilities across 100s of web and mobile applications for companies such as Yahoo, Airbnb, Snapchat, The US Department of Defense, Yelp, Github, and more. He also invested time in the security community, by creating Bug Bounty Forum, a community of 200+ active hackers who share ideas and their experience. He has also held free workshops and training courses to teach others about security and web application hacking.
Presentation: It's the Little Things
"Reconnaissance plays a huge role in finding [high-level and critical bugs] efficiently. While there are 100s of different tools available to make this process easier, you may not be maximizing your recon process without a working methodology. This talk details successful methodologies for creating an automated process that will actively surface vulnerabilities using OSINT and other well known recon tools. I use real-life examples from companies such as Airbnb, Snapchat, Yahoo, etc with total of $40k raised in 90 days!"
chad furman ·
Presentation: Map the Webapp (with Burp Suite)
"Interested in a brief 30 minute overview of how to map a website attack surface using Burp Suite? We will setup the proxy, inspect headers, use both automated and passive spidering to build a sitemap, check for hidden files and directories with Burp Intruder, and build a functional path diagram."
Cory Kujawski · lookingglass cyber
Security Researcher in the Cyber Threat Intelligence Unit of LookingGlass Cyber
Presenting: IP You P, We All P on UPnP
"Never fear, I is here. Enter a nation state worthy cyber war weapon. There is no right and wrong. There's only fun and boring. In 30 minutes you are about to go from being a Hapless Technoweenie to a Spartan ready to take the internet by storm. This UPnP tool will let you change the DNS settings, set port forwarding, become the DHCP Relay, force terminations, on millions of devices, pre-scanned just for you baby. Just select the country. Scada, home routers, and IoT are all vulnerable to this. The UI is made to please with an anyone can do it mindset. Come be a nation state threat actor!"
Jake Valletta · mandiant
Jake Valletta is a manager, researcher, and instructor on Mandiant’s Global Services and Intelligence team based in San Francisco, CA. Jake has over seven years of experience in Information Security and his areas of expertise include mobile security, red teaming, penetration testing, and incident response. He regularly assists Fortune 100 and Fortune 500 companies protect their assets and defend against advanced attacks. He speaks frequently at industry-recognized conferences on mobile security topics and has published articles and CVEs related to Android exploitation. Jake also develops, maintains, and delivers Mandiant’s network forensics and security training to commercial and federal customers. In his free time, he maintains a website and blog dedicated to mobile security and research called “The Cobra Den.”
Presenting: Navigating SEAndroid Trust Relationships – Exploitation Techniques for Modern Android Devices
"Over the past five years, the security model of modern Android devices (particularly Marshmallow and newer) has continued to grow and mature, largely due to key security controls implemented by Google. One such security feature is the SELinux port for Android, “SEAndroid”. SEAndroid has drastically influenced the process used for exploiting Android devices and has forced attackers to develop a methodology resembling a Rube Goldberg machine. This often requires mapping out SEAndroid contexts and abusing trust relationships in order to achieve privileged code execution. In this talk, I will discuss my encounters with SEAndroid, demonstrate how SEAndroid mitigates previously popular exploitation techniques, and discuss modern methods that can be used to compromise Android devices."
John Dunlap · gotham digital science
John Dunlap is a security Engineer at Gotham Digital Science specializing in static analysis and code review. Gotham Digital science is a boutique penetration testing firm specializing in testing of unusual or otherwise bespoke software systems. John’s main research interests include concolic execution, reverse engineering and advanced exploitation techniques. John has done security research revolving around embedded systems, novel forms of software exploitation and presented at major United States conferences including Defcon, and Derbycon.
Presenting: The Exploit Factory: Building a home exploit mining cluster.
"The field of smart fuzzing has opened up serious bug hunting to a whole new generation of hackers. Tools like AFL allow for speedy discovery of once subtle parsing bugs in software, often leading to serious exploitation opportunities. While AFL’s genetic algorithm based approach is fast for what it is, ultimately the fuzzing of such software is slower than it needs to be for quick software validation.
In this talk John Dunlap will present a method for building a small scale compute cluster oriented toward large scale smart fuzzing on a home budget. John will present methods for converting performance concepts normally reserved for scientific computing applications into practical “fuzz farm” techniques. Topics such as high speed multithreading, vectorization, process management, and cluster node management will be discussed in a manner friendly to those new to scientific computing.
A basic fuzzer management program will also be presented."
thomas richards · synopsys
Thomas Richards, Associate Principal Consultant, has been with Cigital (now Synopsys) since 2012. His primary areas of expertise include Red Teaming and Mobile Security. He is an Offensive Security Certified Professional (OSCP). Thomas spends his days guiding working with clients on red teaming activities and initiatives. In his free time, he enjoys playing guitar, camping, and spending time with his wife and five kids.
Presenting: Security Tool Misconfiguration and Abuse
"As any security program matures, it will use tools and techniques to automate processes to improve the security posture of the organization. This includes asset management and discovery, patch management, deploying software, and vulnerability discovery. However, if the these tools are improperly configured, they can lead to a total compromise of your network by an attacker. In this talk we will go over a few case studies of abusing these tools while on penetration tests as well as remediation methods to prevent these attacks from occurring."
2) defensive track
The blue side of Security. Talks, discussions, demonstrations on preventing, detecting or deterring hacking and other security incidents.
Adam Dean · greycastle security
Adam Dean is a Security Specialist with GreyCastle Security and Practice Manager of Incident Response. Adam has over 4 years of proactive and reactive incident response experience in a wide range of industries, including healthcare, higher education, critical infrastructure, and other prominent industries. Adam consults with clients who are experiencing security incidents ranging from malicious infections to data breaches. Adam is a graduate of the University of Advancing Technology with a Bachelor’s degree in Technology Forensics.
Presentation: Learn How to Expect the Unexpected: Unusual & Unexpected Findings in Incident Response
"The pace of data-breaches has reached epic proportions. Organizations large and small, in every industry are falling victim to hackers, hacktivists and nation states. Incident Response is a dynamic process where the unsuspected often becomes the root cause. From insider threats to unauthorized access with a bit of extortion, it isn’t always what it seems. Take a walk with us down some seemingly normal paths that lead to the unexpected. Real security incidents, unusual situations."
Dan Didier · GreyCastle Security
Dan Didier (MSIA, CCSP, TSS) is an entrepreneur, speaker and Vice President of Services for GreyCastle Security. With nearly 20 years of security experience in a wide range of industries including critical infrastructure,
finance, healthcare, manufacturing and other prominent industries, Dan brings extensive expertise as a technical security engineer and business-focused risk manager. Dan's unique background allows him to bridge the gap between people, process and technology and adapt to the unique cyber security challenges that organizations face today.
Presentation: Performing Effective Risk Assessments; Dos and Don'ts
"In today’s risky environment, it’s not if, but when. At some point, your organization will be the target of a cyber attack or the victim of cyber crime, insider misuse, fraud or theft. Understanding risk is the only way to build an effective security strategy while utilizing finite resources. We will also bring you back in time to World War II to study the successful and unsuccessful risk management strategies that have altered our history as we know it today. This presentation will cover the standards and compliance regulations from NIST to FISMA, HIPAA and PCI-DSS. Join GreyCastle Security as we demystify risk management 101 and provide attendees with practical tactics focused on risk mitigation."
Gary Braglia · greycastle security
Gary Braglia is a Senior Security Specialist at GreyCastle Security with over 10 years of experience as an IT professional. Gary began his career as an application developer with the NYS Office of Information Technology Services (ITS), is a graduate of SUNY Albany with a Master’s degree in Information Science (M.S.I.S.) He holds industry-recognized certifications including Tenable Certified Network Auditor (TCNA) and GIAC Penetration Tester.
At GreyCastle, Gary consults with clients in a wide range of security domains, including penetration testing, awareness training, vulnerability assessments, network security, application security and social engineering.
Presentation: Hackers, Leaks and Losers: How to Not Fail at Pen Testing
"You're storing and transmitting everything from educational records and medical records to PII and credit card data, and you're making large wire transfers. In addition, you’re not even sure if your incident response plan works.
Let's face it - your organization is a big target.
There are threats from external attackers, malicious insiders, unaware and apathetic employees - and you want to understand how prepared you are. But not all pen tests are created equal; what do you need to know and how do you get what you need?"
Jason Baczynski ·
Jaded Security Professional, CISSP, CISM
Presenting: Defeating ERE's and APT's with AI & Blockchain
How the Common Vulnerability Scoring System (CVSS) and vulnerability prioritization could have helped Equifax and the NHS.
Patrick Matthews · NETTITUDE
Currently a Security consultant for the Nettitude. Overall, I'm just an IT jack of all trades with having roles as: Programmer, IT Manager, Network Admin, System Admin, SOC Analysis. All of which have strengthen my roles as Security Consultant focusing on physicals, Social Engineering and internals. However, my most enjoyable role is Part time Farmer
Presenting: Hacking tools to strengthen cyber security program.
"This talks focus is about penetration tools that can be use by IT Managers or IT Professionals to strengthen a cyber security program. The tools available that can be and how they can be used to strengthen a Cyber Security footprint."
Philippe Langlois · CIS
Philippe Langlois is currently a Technical Product Manager for the CIS Critical Security Controls. In this role he leads an international community of cyber security experts who develop best practices known as the CIS Critical Security Controls for Effective Cyber Defense, a set of actions proven to mitigate 85% of the most prevalent cyber threats. He manages the production, writing, and publication of a range of cyber security resources. Working in collaboration with users of the CIS Critical Security Controls, he ensures the quality and utility of the Critical Controls guidance plus the availability of tools, scripts, and other resources aiding users with implementation of the Controls.
Previously he served as a Program Manager at the Multi-State Information Sharing and Analysis Center (MS-ISAC), within the Center for Internet Security. He managed the Nationwide Cybersecurity Review, establishing unique expertise in State, Local, Tribal and Territorial cyber security practice and assessment; co-chaired the Metrics, and Business Continuity/Recovery/Cyber Exercise Work Groups, and planned MS-ISAC sponsored exercises. He holds a Masters of Infrastructure Protection and International Security, a BA in Criminology and certifications as a Global Industrial Cyber Security Professional (GICSP), GIAC Penetration Tester (GPEN), GIAC Critical Security Controls Certification (GCCC) and GIAC Web Application Penetration Tester (GWAPT).
Presenting: [Insert Sun Tzu Quote]: Creating an Offense-informed Cybersecurity Program
"Often times we as defenders seem to focus too much on the individual pieces of an attacker’s overall methodology, such as their staging servers, their tools and their country of residence, sometimes at the cost of failing to examine their larger processes and methodology. This talk will provide models for how organizations can understand attacker methodologies as part of a sequence of events, actions and conditions that must be met for attackers to achieve their mission. Using these models, you can better understand how you as a defender can disrupt the attacker’s process. Join me as we fight cybersecurity nihilism by leveraging threat informed models and the cybersecurity community."
shikole struber · atec group
Shikole has been helping businesses improve their security posture through IT and operational optimizations for over 7 years, between adventures to exotic lands. She earned her Bachelor’s Degree from American University and her MBA from Hult International Business School, both of which have improved her ability to identify threats and protect against cybersecurity risks businesses face. These experiences also may have addicted her to crossword puzzles and espresso. She hopes to continue to learn about how people can work together better in business and in life.
Presenting: Catch Me if You Can - Cybersecurity and Human Nature
"Former Equifax CEO Richard Smith testified to Congress that the security failure causing the 2017 breach was caused by one person. WannaCry Ransomware had such a disastrous effect around the world because people did not manage their system patching properly. How much time have you personally spent trying to clean a virus or recover a backup because an employee clicked on something they shouldn’t have? The biggest cybersecurity risks companies face lie within people that work there. Your company may have the absolute best protection in place, from NextGen Firewalls to Multi-Factor Authentication to SIEM tools, but these tools often create a false sense of security! An employee could still leave their password on a post-it note or provide server room access to someone who claims to be a Spectrum repair man. Let’s talk through how we can incorporate both the strengths and weaknesses of human nature into company policies around cybersecurity."
Todd Brasel & Michele Warner · nystec
Todd Brasel is a Principal Consultant with NYSTEC's Information Security practice, where he manages complex security projects and performs vulnerability and risk assessments. Todd has 18 years of experience in software development. He is an ISC-2 Systems Security Certified Practitioner and is pursuing an MBA in IT Management from SUNY Albany.
Michele Warner is a Senior Consultant with NYSTEC's Information Security practice. She currently assists the NYS DOH Bureau of Information Security and Privacy with defining data sharing agreements. She is an attorney with more than five years of hands-on experience in document management, quality assurance, and other areas of information technology. She holds a JD from Albany Law School.
Presenting: Security Issues with Personal Medical Devices
Personal medical devices (PMDs) – which can be implanted or wearable – are complex devices with powerful computing and communication capabilities, and their use is increasing, especially among the working population. In the US, for example, there are currently about 2.9 million people who have implantable cardiac devices. Along with the growing use and sophistication of PMDs, new threats to both users and organizations are also emerging. This presentation will describe the unique characteristics of PMDs that make them and their users vulnerable, outline some of the most significant threats to patients and organizations from the devices, and cover emerging trends in attacks and countermeasures related to PMDs.
Chaim Sanders ·
Presenting: Social Media Security Policies, the Art of Herding Cats
"With billions of users logging into social media networks, it’s no surprise that most organizations and their employees have to consider how to securely leverage their online personas. We’ll go in depth on the best practices and many of the challenges that that Information Security teams face on a daily basis and discuss how to build an effective Social Media Security Policy.Information Security teams face on a daily basis and discuss how to build an effective Social Media Security Policy."
3) EDUCATION TRACK
There is a huge discrepancy in the number of open cyber security positions and the available candidates to fill these positions, and it looks like it's only getting worse.
We want to inspire the next generation of hackers. Encourage individuals to pursue education in Cyber Security and obtain a rewarding career in the field. Individual talks geared towards K-12 students, Higher Education and Workforce Development.
Alexander Muentz · linode
Alex Muentz is a security architect for Linode and a lawyer. He's spoken at a bunch of conferences you've heard of (HOPE, Defcon, ShmooCon) and a few you might not have.
Presenting: US & EU Legal updates: Keeping up to date with Privacy, Security and Regulatory Requirements
"We're seeing a lot of changes in privacy law and security regulations in both the EU and US. Some of these are beneficial while
others may make us less safe and free. I'll discuss the current state of GDPR compliance and enforcement (The EU's General Data Protection Regulation) and recent US SEC guidance on reporting security breaches."
Ernest "Cozy Panda" Wong · us army (retd).
Ernest "Cozy Panda" Wong is a retired US Army Officer who recently served as a Research Scientist with the Army Cyber Institute and an Assistant Professor with the Department of Systems Engineering at West Point. He graduated from the United States Military Academy with a B.S. in economics, and he holds a M.S. in management science and engineering from Stanford University, a M.A. in education from Stanford University, and a Master of Military Science from the Mubarak al-Abdullah Joint Command and Staff College in Kuwait. He had the opportunity to work as a NASA Summer Faculty Fellow and has served in overseas deployments to Iraq, Kuwait, and the Republic of Korea. His research interests include revolutionary innovations, cyber resiliency, and the application of systems engineering tools for solving real-world problems.
Presenting: West Point Cybersecurity Cadet Capstone Projects: A Beginners' Guide to Teaching and Learning about Cybersecurity
"As part of their senior year capstone engineering experience at the United States Military Academy, fifteen Cadets worked on cyber-related projects to help the US Army better understand the prominent role the cyber domain will have on tomorrow’s battlefields. Despite the apprehension each had when they discovered they would be working on these unfamiliar tasks, the Cadets leveraged their individual strengths, talents, and aptitudes across their varied academic majors (including Russian, Mathematics, Defense Strategy, Sociology, Management, and Psychology) and developed into cohesive teams that gained both an improved understanding of our nation’s cybersecurity challenges and greater insights into how our Army is tackling the challenges. Recognizing that in order to produce value-added solutions to complex problems, the Cadets needed to gain as many insights as they could from differing perspectives. Through their own diverse backgrounds and unique insights, the Cadets were able to apply a systems engineering problem-solving methodology to advance our Army’s approach to cybersecurity. This presentation focuses on how we engineered the team composition, leveraged Army needs to craft the research problems, developed learning outcomes for this capstone experience, and introduced key cybersecurity concepts to undergraduate Cadets."
Gotham Sharma · exeltek consulting group
Gotham Sharma is an information security adviser, educator, trainer, and writer. He presently serves as the Managing Director of the Exeltek Consulting Group, a New York City based cybersecurity and digital privacy firm. For his extensive work with high school and college students, Gotham has been nominated for the 'Cybersecurity Educator of the Year' Award.
Presenting: The Hacker as an Artist
"Contrary to what the media will have you believe, hackers aren't criminals: they're artists. Most security professionals around the world embrace the title with honor and pride. Like the artist, students and aspiring professionals alike need portfolios to break into the world of Infosec. Find out what goes in a hacker's portfolio and how to start building yours today."
michael smith · symantec cyber security group
Mike a Lead Investigator for the Symantec Cyber Security Group, working specifically in the area of Incident Response. He is also a part-time lecturer in the Department of Information Security & Digital Forensics, University at Albany, State University of New York. His current research interests include applied artificial intelligence, data modelling, network defense and response, and security operations center design.
Presenting: Security Analytics with Elastic
"A look at a the set of X-Pack Machine Learning Recipes as well as a few examples of what else is possible when using Elastic as part of a solution for Incident Detection & Response."
Patrick Biernat & Markus Gaasedelen · Ret2 systems
Patrick Biernat is a Security Researcher and Co-founder at Ret2 Systems. He received his Masters Degree in Computer Science from Rensselaer Polytechnic Institute in December of 2016. Prior to Ret2, he helped develop and teach the original Modern Binary Exploitation course at RPI, served as President of RPISEC, and worked as a consultant with NCC Group.
Markus Gaasedelen is a Co-founder & CEO of Ret2 Systems. His background and interests revolve around low-level systems work in reverse engineering, binary exploitation, and vulnerability research. Previously, Markus worked as a Security Engineer at the heart of the Microsoft Security Response Center where he would root cause externally reported vulnerabilities, reverse engineer captured 0days, and drive projects in advanced forms of dynamic analysis. As an alumnus of RPISEC, Markus is an avid supporter of Capture The Flag and enabling security education for future generations.
Presenting: Building Cyber Armies at Scale: Methods and Means for Advancing Security Education
"While nations quietly wage war over the internet, the number of qualified attackers (and defenders!) are few and far between. This can be attributed to the pace at which the field is evolving, its rising complexity, and the lack of effective and scalable security education. It should come as no surprise that cybersecurity has been among the fastest growing industries for the past several years. But this begs the question: How do we efficiently build “Cyber Armies”: medium-to-large sized groups with the skills, passion, and motivation necessary to effectively tackle the increasingly difficult problems in this space?
Through cooperation with Rensselaer Polytechnic Institute, we were provided opportunities to refine the mechanics of teaching some the most challenging categories of cybersecurity. The caliber and growth of the RPI CTF team, RPISEC, is a testament to these efforts.
In this talk, we will enumerate the difficulties of teaching a diverse group of students the niche subject of binary exploitation. Innovating on past experience, we share how we dampened the subject’s steep learning curve through a gamified, in-browser ‘wargame platform’ developed explicitly for the Spring 2018 ‘Modern Binary Exploitation’ class at RPI. We will speculate on how student-autonomy in these niche subjects can be furthered, and extrapolate on how such educational technologies can be applied effectively to larger, less specialized demographics."
rob olson · RIT
Rob Olson has been in the field of higher education for ten years and has spent much of that time involved with curriculum development. He is currently a lecturer in the Rochester Institute of Technology’s Department of Computing Security, where he teaches classes in security auditing, penetration testing, and application security. In addition to lecturing, he is also the technical director for RIT's Security Assessment and Forensics Examination Lab.
Presenting: An Analysis of Cybersecurity Educational Standards
"No one doubts that cybersecurity has become an enormously important discipline and there is a significant demand in industry for new security professionals. There is not, however, much open discussion about the curricula higher education is developing to meet this demand. This talk will provide a detailed analysis of the major standards influencing security curricula in higher education and propose some metrics by which those standards can be compared. Based these comparisons, some recommendations will be made as to how higher education, accrediting bodies, and industry may wish to move forward."
Steve thomas ·
Steve Thomas is a Senior Cyber Security Professional with over 27 years of experience hardening, defending and attacking networks, endpoints and applications for Clients and Businesses locally as well as across the country. He’s worked with various law enforcement agencies in capturing Hackers and Cyber Malicious People. Having received various awards, certifications and kudos he likes to stay humble and think of himself as a traveler in an ever changing Cyber Landscape.
Presenting: So you think you are a hacker, what makes you a hacker?
"A talk focusing on what constitutes someone who considers themselves a hacker. This will include a comparison of various people in various lifestyles who may not ever realize that they fall into the terminology that the media considers malicious. Is “Hacker” an appropriate term in today's Cyber Landscape?"
CAPTURE THE FLAG
A hacking challenge for every skill level. This CTF is open to all attendees, there is no qualifier or pre-registration required. Just show up with a laptop and have fun. Teams of any size are encouraged.
We guarantee this is a CTF like you've never seen before!
Prizes for the top five teams will be announced.
HARDWARE HACKING VILLAGE
Over the years, hackers have been creating custom hardware for the purposes of hacking. Using Kickstarter, the inventors were able to create wireless tools such as the famous Software defined radio HackRF, and RFID badge cloners such as the 125khz RFIDler, and the 13.56 MHz Chameleon-Mini.
Then there’s hardware designed to hack hardware, such as the Chip Whisperer-Lite which does side-channel attacks, and debuggers such as Goodfet, and BlackMagic Probe. We’ve got all of these and more. We’ve also have a BusPirate, Chikra, FTDI-Friend, logic analyzers, voltage meters, an oscilloscope, soldering irons, cables, jumpers and other goodies. Here’s your chance to learn about existing hardware, bring in your own hardware, and your questions. Try your hand at hardware hacking.
Remember, if you can’t open it, you don’t own it.
PING PONG TOURNAMENT
The name pretty much says it all! Depending on the number of entrants this will be a double elimination tournament with prizes for the top four finishers. Games will be spread out during the conference. We'll schedule flexible game times for all entrants to participate and have fun!