Category: Announcement

Gene Fishel, Chief Of The Computer Crime Section In Virginia Attorney General’s Office To Keynote!

Gene FishelGene Fishel currently serves as Senior Assistant Attorney General and Chief of the Computer Crime Section in Virginia Attorney General Mark Herring’s Office. In this capacity he directs prosecutions of computer fraud, identity theft, and child exploitation cases in state courts across Virginia, and serves as a Special Assistant United States Attorney in both the Eastern and Western Districts of Virginia where he prosecutes computer crime cases in federal court. He additionally oversees the office’s recently established Computer Forensics Unit which conducts investigations and computer forensic analyses for criminal cases across the Commonwealth. He also monitors organizations’ compliance with Virginia’s database breach notification laws, drafts legislation for the Virginia General AGene Fishelssembly, trains law enforcement and prosecutors statewide, and educates the public on issues involving computer crimes.

During his eleven-year tenure at the Attorney General’s Office, Gene has helped to draft and enact sweeping reforms to computer crime and child exploitation laws in Virginia, and has been involved in numerous novel and complex federal and state prosecutions, including the nation’s first, felony prosecution for illicit spamming in 2004. He has served on numerous boards and committees including the Board of Governors for the Criminal Law Section of the Virginia State Bar, the National White Collar Crime Center’s Cybercrime Advisory Board, the Virginia General Assembly’s Joint Committee on Technology and Science Advisory Committee, and the Governor’s Office of Substance Abuse Advisory Committee. He has also lectured and presented on data breach issues and computer crimes to various agencies, organizations, and conferences across the country including the Federal Trade Commission, the Central Intelligence Agency, the United States Capitol Staff, and United States Attorney conferences. In 2007, Gene was appointed as Senior Assistant Attorney General. Prior to his time at the Attorney General’s Office, Gene served as law clerk for the Second Judicial Circuit in Virginia Beach, VA. He received his JD from Wake Forest University and his BA, magna cum laude, from James Madison University.


Regular Registration Ends TODAY!

restricted_area_-_authorized_personnel_only_sign_lRegular registration for RVAs3c ends at 11:55 PM Eastern time today! 

We may have late registration tickets for $150 (yes, that’s $50 more than right now)… but no guarantee!

And since there are no sales at the door, don’t wait–just register to guarantee yourself entry.

Our amazingly cheap training classes will remain open for now, as all four still have spots available.


RVAs3c Capture The Flag Update and Prizes Announced!

RVAs3c Capture The Flag:
The RVAsec Capture The Flag (CTF) is getting close! Below are details that are meant to ensure participants are prepared for the event. We’re excited to invite anyone and everyone who is interested in learning and exploring using different tools and techniques with hands on practical exercises to join us.

The team has worked hard to keep the “every man or woman” feel of the CTF from last year in effect. There are challenges of different varieties that should satisfy every skill level.

This year we are again going for the wireless competition, which allows a little bit of freedom as far as cables go. There will be a dedicated space setup in the vendor area, with some seating on first come basis. Please confirm in advance with the survey you will receive from the RVAs3c organizers soon to help us make sure we have enough space and can better guarantee you’ll be counted when that space is divided up.

We plan to have staff walking around to assist folks in case of any major issues, as well as to answer questions, within reason. We can’t give you the answers of course, unless you happen to have some massive dogecoin wallets laying around (kidding!).

When: Friday, 06/06/2014 – Start time will be near 10am EST, and end time will be at or prior to 4pm EST; announcements will be made onsite. Also, note that we have CTF prep time on Day 1 if you have questions or need helping getting setup. The first 10 people that show up to the prep session will get a custom SecuraBit USB case. The RVAsec schedule also reflects this: http://rvasec.com/schedule/
Where: Same location as the con itself (http://rvasec.com/location/) in the main vendor room.
Who: Living humanoid-ish… seriously, this is for everyone from hobbyists, sys/net admins, infosec pro’s, tinkerers, makers, fixers and breakers… come out and play. We’ll all teach, learn and grow together!
What: …to do. See below:
DO bring a wireless network enabled laptop. This will be primarily wireless access so make sure you have that capability.
DO have the ability to run Backtrack 5r3 (http://www.backtrack-linux.org/downloads/), Pentoo (http://www.pentoo.ch/) or Kali Linux (http://www.kali.org/) either as a virtual machine, from bootable media (CD/DVD flash drive), or installed as your OS. Most of the scenarios in the CTF can be completed with the tools within these security-centric Linux distributions. Not a requirement per se, but a BIG suggestion.
DO understand that the CTF network is a closed private network, and will not have Internet access. CTF Participants will have the ability to connect to a separate guest wireless network with internet access for research, tool downloads, etc. during the event, but will have to disconnect from the CTF network to do so. Do not rely on this entirely though, if that wireless goes down it may be beneficial to bring your own hotspot.
DO listen to and respect any instructions and guidance provided at the event. We want to provide an environment that is conducive to learning, tinkering, exploring and having a good time.
What: …NOT to do. See below:
DON’T use words or phrases like “irregardless”, “all of the sudden” or “cybergeddon”.
DON’T feed or pet any of the conference organizers or volunteers.
DON’T attack any other CTF participants (logically or physically).
Pre-Register: If you plan to participate in the CTF we ask that you check the CTF option when registering for RVAsec or if you’re unsure if you did already, email us atfeedback@securabit.com and we’ll make sure you’re accounted for.
************  What you can win? *******************

There are some awesome prizes lined up.

First place is a HackRF Pre-order, which is a really great way to learn about wireless beyond the standard 2.4 and 5GHz most are used to from mainstream access points.

Second place is a Pineapple courtesy of Hak5, for all your pwning needs.

Third place is the Android Hacker’s Handbook, to assist you in understanding all sorts of wonderfully evil things you can do to your phone or tablet, or anything else running Android!

If you have any questions please let us know!

 

 


Speaker feature: Steve Werby

Steve Werby

@stevewerby / justifiableparanoia.com
Befriend / [OBFUSCATED]

Steve Werby is an independent security consultant and researcher at Befriend and a security architect at a Fortune 2^8 company. He’s held consultant, architect, and CISO roles in the information security field over the last 15 years.

 

Bad Advice, Unintended Consequences, and Broken Paradigms – Think & Act Different!

20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline…which sometimes has a seat at the table. This talk explores what we’re doing wrong, why it’s ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!


Speaker feature: Schuyler Towne

Schuyler Towne

@shoebox

Schuyler Towne is obsessed with locks. While he got his start picking locks competitively, his interest has since exploded into every aspect of their history, design and manipulation. He’s taught hackers, authors, cops and even toy designers. There is nothing Schuyler loves more than to talk locks with anyone who will listen. His interests in the history of physical security and design of locks provides a passionate background to his lectures and workshops on lockpicking. Currently he is attempting to recover lock patents lost in the 1836 patent office fire.

How to Make a Lock

Locks were one of the earliest complex mechanical devices. They are ubiquitous, yet remain very regional in concept. In this talk we’ll explore the process of inventing a lock. We’ll cover examples from around the world, some that persist to this day, some that failed before coming to market, and some that were , until recently, lost to history.


Ticket Transfers & Cancellations

Did you know you can transfer an RVAsec ticket to a co-worker or friend directly in Eventbrite?

Log in to your account and go to My Tickets (you may need to create an account using the email address you registered).

Then you can view your Current Orders (select RVAsec), and “Edit details” for the ticket. Changing the “Contact Information” will update the name of the person registered to check in at the conference. You can also change the questions asked at registration, which will help us plan for parking, catering and other items.

Also, please note that no refunds will be issued after May 16th when registration closes.


Speaker feature: Ben Tomhave

Ben Tomhave

@falconsview / blogs.gartner.com/ben-tomhave/
Gartner

Ben Tomhave is a Research Director with Gartner for Technical Professionals. He holds a Master of Science in Engineering Management (Information Security Management concentration) from The George Washington University. He is a Certified Information Systems Security Professional (CISSP), co-chair of the American Bar Association Information Security Committee within the Section of Science & Technology, former board member at large for SIRA (www.societyinforisk.org), and a member of ISSA (NoVA chapter). He is a published author and an experienced public speaker, including recent speaking engagements with RSA USA, the ISSA International Conference, Secure360, RVAsec and RMISC.

How to Achieve Success with Cyber Risk Assessment and Analysis

Technical professionals are frequently asked to lead or participate in risk assessments or risk analysis, as well as to provide recommendations for the best approach an enterprise should adopt. Unfortunately, there has been little guidance (outside of expensive consultants) on how exactly to achieve success in this area. Until now. On the basis of recent Gartner research, this session provides guidance for achieving success with cyber risk assessment and analysis.


Speaker Feature: Jayson E. Street

Jayson E. Street

@jaysonstreet / f0rb1dd3n.com
Krypton Security

Jayson E. Street is an author of “Dissecting the hack: The F0rb1dd3n Network” from Syngress. Also creator of http://dissectingthehack.com He has also spoken at DEFCON, DerbyCon, UCON and at several other ‘CONs and colleges on a variety of Information Security subjects. His life story can be found on Google under “Jayson E. Street” *He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time’s persons of the year for 2006. 😉

The hacker in the fun house mirror (A talk on skewed perspectives)

This is a talk on perspectives. Hackers, and hacking, are perceived
differently around the world and, in turn, some view our community and
what we do with different eyes than ours. I believe most
reports/papers about that topic are skewed and never give a quite
accurate global image. It’s all about perspectives, and these are what
I will explore in this talk. Being a foreign hacker attending a con,
or delivering an engagement, in an alien land often led to unexpected
situations that I will also recount. I am not only looking to
enlighten and entertain attendees with this talk, but also to have
them take a step back and look at the big picture, at what they are
part of; a global community that spreads beyond borders and
continents. My hope is that the contents of this talk will circulate
wider than just Con attendees so family, friends and co-workers get a
better understanding of who we are, what we stand for, and what that
thing is that brings us all together globally under one banner.


Speaker feature: David Sharpe and Katherine Trame

David Sharpe and Katherine Trame

GE – GE-CIRT

David Sharpe and Katherine Trame are currently incident responders in GE-CIRT’s Advanced Threats team. The GE-CIRT Advanced Threats team provides world class incident response services for APT-related matters for the entire GE organization. David has a wide range of IT experience spanning 19 years. He has served in a variety of roles in Fortune 10 and Fortune 500 companies, ranging from systems programmer writing device drivers and operating system components, to large scale systems administration, to IT security. David joined GE-CIRT in 2011. Katherine served as an intelligence analyst with the Hampton, VA Police Division for five years during which she gained experience in tactical/operational intelligence and computer forensics. Katherine joined GE-CIRT in 2013.

Real World Intrusion Response – Lessons from the Trenches

Two battle-scarred, sleep-deprived GE-CIRT incident responders share lessons learned from the trenches, from their daily duties repelling real world, high-end network intrusions globally. This talk will include fresh thinking and innovative ideas in: intrusion response, intrusion detection, effective use of intel, and defensive operations. We will cover roughly a dozen (time permitting) cutting edge ideas and techniques that you can take back to your own organizations and put into practice right away.


How Bad-Ass is the “Secrets of Security” Workshop?

We asked Pete Herzog to tell us more about what people can expect at his OSSTMM class at RVAsec and he provided us a great response!


As humans, we like secrets as long as they don’t harm us for knowing them. We like knowing the dirt on people and the stories behind things. We like to know we’re right and they’re wrong and justifiably so. That’s what this workshop is about. It’s that feel-good, bad-ass workshop full of secrets, dirt, and indignation. Here’s why:

You may have been thrown by the word OSSTMM in the full title, “Secrets of Security with the OSSTMM.” Don’t worry. It’s not about the OSSTMM the way you might be wary that it’s about the OSSTMM. What this workshop won’t do is show you OSSTMM slides and tell you about it. Because that wouldn’t be bad-ass. It’s more about the bad-ass stuff not in the OSSTMM and why we can’t put it in.

For a moment, let me re-introduce you to ISECOM, our organization. Our mission is to make sense of security but how we do it is by not limiting contributors or ideas and we take any profession or hobbyist who wants to partake. And that’s where it gets weird. We’re a research organization with people all over the world working virtually so there are very few constraints to what we can actually research. So we try to reign it in around our mission but sometimes we just do things because somebody was curious. It’s that last part where things get really bad-ass because there’s no context.

When there’s no context that means anything can happen since we’re not constraining it to test a specific theory for security. What happens then is we might learn something spooky or strange or strangely true. Even when we end up with a security truth it can’t just be disseminated as is. It takes a lot of eloquence to take it from from a finding to practical use that can go into one of our publications like the OSSTMM. So sometimes we can’t. That’s also why we struggle to release a coherent document full of cool stuff re-written as practical steps but then it reads like stereo instructions. So in the workshop I’ll show you the behind-the-scenes footage, the stuff we refer to as the “Dark OSSTMM” which is the stuff without context so you can be equally interested or freaked out. Then I’ll show you with context. This is a bit of what it looks like behind the scenes:

 

Topics Research Without Context Adding Context for Practical Use
Vulnerability Management What would a defense look like that blocked every kind of attack all the time? How to measure an attack surface. How to classify threats based on operations instead of risk.
Electromagnetic Waves How electromagnetic waves affect personality, behavior, and health. Best ways to test large spectrum EM waves. Using EM waves in Social Engineering. Correlating HR data with EM maps. Analyzing EM wave collisions with business processes also using EM frequencies.
Sound waves Using HF sound waves to cause visual hallucinations. Ways to test for HF sound waves. Visual mapping of sound waves. Implementing high frequency sound waves above human perception for machine to machine communication. Using sound waves to causing chaos, confusion, and disruption within the workplace for social engineering and physical attacks.
Neurohacking Using electric signals to modify brain function. ??? We’ve got nothing yet but there’s some pretty cool stuff we can do from enhancing vision contrast to improving working memory to learning skills really quickly.
Trust What are the logical reasons we have to trust someone or something? Testing and measuring trust in people, things, third parties like Vendors and Clouds. Improving social engineering tests to include manipulated trusts. Expanding attack surface calculations to include people.
Perception Can we manipulate how people experience time with external signals or electrical impulses? ??? We’ve got no security context here yet but in some tests we found with direct contact we can increase or decrease physiological responses to hunger, wakefullness, sex, and the speed in which we perceive something.

 

This research is so bad-ass that it’s sometimes too bad-ass to go in the OSSTMM until we can find further context. So we share it with team members, classes, and subscribers who like to know about stuff like this, groups like: NIST, NSA, NASA, the Whitehouse, CERN, and even the Vatican.

But the point of this workshop is to make you a better security professional as well as more aware of what’s being done out there in security that’s not afraid to challenge concepts we’ve grown up with. So you can expect there will be a good deal of discussion.

Think of it this way:

If doctors worked like today’s security professionals, they’d know everything about all the ways a person could be killed and still use blood letting and leeches to heal us.

And this is what can you do with the stuff from the workshop:

  1. Bring more value to a penetration test and vulnerability scans

a) vastly increase the length of validity for the snapshot
b) analyze points of interaction
c) manage operational security controls including devops

  1. Enhance vulnerability management
  2. Identify the points of attack or points where interactions can cause problems
  3. Increase office and network efficiency by identifying unnecessary interactions
  4. Analyze third party services and vendors, including cloud using trust
  5. Be more smug for having more security dirt to dish at the watercoolers than your colleagues.

 

Additionally, for fun, I’ll show you how Heartbleed attacks and the latest Target hack look like according to some of our older research.

Finally, I’ll bring some neurohacking gear for workshop attendees to play with. So over-all, I can tell you this will be a bad-ass workshop.

About the Instructor

Pete Herzog is the lead security researcher and creator of the OSSTMM. His analysis of security, hacking, trust, fraud, and neuro-hacking have shown up in thousands of research papers, books, and government documents around the world. He’s passionate about hacking and figuring out how things (and people) work.

 


Title: The Secrets of Security with the OSSTMM
Instructor: Pete Herzog
Date: 6/4/2014, 9AM-5PM
Cost: $250

Register for this Class