@KseniaDmitrieva

Ksenia Peguero is a Sr. Research Lead within Synopsys Software Integrity Group. She has eight years of experience in application security and five years in software development. Ksenia is a subject matter expert in static analysis and JavaScript frameworks and technologies. Before diving into research, she worked in a variety of software security practices including penetration testing, threat modeling, code review, static analysis tool design, customization, and deployment. Over the years, she performed numerous engagements for clients in financial services, entertainment, telecommunications, energy, and enterprise security industries. Throughout her consulting career, Ksenia has established and evolved secure coding guidance for many different firms, and has delivered numerous software security training sessions. Ksenia speaks regularly at events around the world, such as BSides Security in London, Nullcon in India, RSA in Singapore, and AppSec Europe in Italy. She has also served on review boards of AppSec USA and AppSec EU conferences.

How to REACT to JavaScript [In]Security

According to a StackOverflow survey, JavaScript is the most commonly used programming language on earth. Today just the client-side JavaScript ecosystem has over 50 frameworks available, and JavaScript is successfully conquering the server-side space. The amount of application logic that is executed in the browser is growing every year, which means the attack surface is growing as well. Which security issues are most common in JavaScript applications? Do new frameworks provide the security controls needed to protect the growing amount of client-side code? In this talk we will answer these questions and, as an example, we will look at one of the hottest JavaScript frameworks today – React. We will discuss its new features like components and server-side DOM rendering, analyze React’s security posture and demonstrate existing vulnerabilities.

Come see Ksenia at RVAsec. Register Now.

www.ecrimelabs.com

@DennisRand

Dennis Rand is a security researcher from Denmark. He specializes in vulnerability research, network analysis, penetration testing and incident response. Dennis has over seventeen years of experience in various security roles including researcher, consultanting, and simply loves breaking stuff. In his spare time (Of what is left), he loves to observe and capture the world through photography.

So you think IoT DDoS botnets are dangerous – Bypassing ISP and Enterprise Anti-DDoS with 90’s technology

Stressers/Booter services is providing “DDoS as A Service” and they are getting more and more powerfull, measured in amount of traffic, but the current resources they use could be improved, and optimized, and perform a much more
dangerous and advanced attack patterns that can bypass large Anti-DDoS solutions through pre-analysis and data-mining with big data analysis and OSINT informaiton as source.
The research will show a framework on how attackers can optimize attacks based on a combination of big-data analysis and pre-attack analysis, that will show that terabit attacks are not necessarily needed, and why 90’s technology is prefered over IoT Worms and other fancy gadgets.

Come see Dennis at RVAsec! Register Now.

www.blackhillsinfosec.com

@0xderuke

@dafthack

Derek Banks: Derek is a Senior Security Analyst at Black Hills Information Security and has over 20 years of experience in the IT industry as a systems administrator for multiple operating system platforms, and monitoring and defending those systems from potential intruders. He has worked in the aerospace, defense, banking, manufacturing, and software development industries. Derek has experience with creating custom host and network based monitoring solutions.

Beau Bullock: Beau is a Senior Security Analyst at Black Hills Information Security where he performs penetration tests and red team assessments. He is the author of various red team/pentest tools such as MailSniper, PowerMeta, HostRecon, and DomainPasswordSpray. Beau is a host of the web shows Tradecraft Security Weekly & Hack Naked TV, and is a frequent speaker at industry events including Black Hat, DerbyCon, Wild West Hackin’ Fest, SANS, and various BSides events.

Red Team Apocalypse

TABLETOP SCENARIO: Your organization regularly patches, uses application whitelisting, has NextGen-NG™ firewalls/IDS’s, and has the latest Cyber-APT-Trapping-Blinky-Box™. You were just made aware that your entire customer database was found being sold on the dark web. Go.

Come see Derek and Beau at RVAsec! Register Now.

www.privacyref.com

@PrivacyRef

Bob Siegel is the president and founder of Privacy Ref. Starting Privacy Ref in 2012, Bob took his experience as the Senior Manager of Worldwide Privacy and Compliance at Staples, Inc. and applied that to assisting companies implement and maintain strong privacy programs. Bob has worked with many different organizations, dealing with programs of all sizes and regulatory needs. Seeking to always improve his own understanding of all things privacy, Bob has earned certifications from the International Association of Privacy Professionals. These include certifications in US private sector, European, and Canadian privacy laws. Bob has also earned certifications in Information Technology privacy and privacy program management. Bob Siegel has also been recognized as a Fellow of Information Privacy by the IAPP for his outstanding dedication to the privacy community. He has also served on the IAPP’s Certification Advisory Board for the CIPM program and the IAPP’s Publication Advisory Board. Bob Siegel currently maintains his blog at Privacy Ref, but is also a writer at CISO.com. You can find his blog, Operational Privacy on CISO.com

GDPR and you

The General Data Protection Regulation is the new law of the land for protecting personal information from the EU. The law has placed many US-based businesses in scope requiring compliance. In this talk we will review some of the challenges for compliance that you may encounter.

Come see Bob at RVAsec! Register Now.

@CraneHassold / PhishLabs

Crane Hassold is the Threat Intelligence Manager at PhishLabs based out of Charleston, SC, where he has overseen Threat Research team since 2015. Prior to joining PhishLabs, Crane served as an Analyst at the FBI for more than 11 years, providing strategic and tactical analytical support to cyber, financial crime, and violent crime cases.  For most of his career with the FBI, Crane worked in the Behavioral Analysis Units in Quantico, Virginia, where he provided analytical and behavioral support to intelligence community and law enforcement partners against national security adversaries and serial criminals.  In 2012, Crane helped create the FBI’s Cyber Behavioral Analysis Center, which takes an asymmetric approach to examining cyber threats by combining the traditional behavioral concepts used for decades in the violent crime world with technical expertise to gain a holistic understanding of adversary TTPs.

Doxing Phishers: Analyzing Phishing Attacks from Lure to Attribution

This presentation will cover the various pieces of intelligence that can be collected from each stage of a phishing attack (lure, phishing site, phish kit) and discuss how each piece allows us to progress an investigation. We will look at various analytical techniques that can be performed to track phishing campaigns and enhance detection. The second half of the presentation will cover an in-depth, real-world case study of the practical application of these techniques, starting with a single phishing lure and ending with the identification of a primary phishing threat actor.

Come see Crane at RVAsec! Register Now.

www.ptsecurity.com

@L_AGalloway

@a66at

Leigh-Anne Galloway is the Cyber Security Resilience Lead at Positive Technologies where she advises organizations on how best to secure their applications and infrastructure against modern threats. She is an expert in the Application Security Unit, specializing in ATM and POS Security and is the author of security research in account recovery processes on social media websites. She has spoken at many conferences including DevSecCon, BSides, InfoSec Europe, Hacktivity, 8dot8, Blackhat EU and Troopers.

Timur Yunusov – Senior Expert of Banking systems security and author of multiple researches in field of application security including “Apple Pay replay attacks” showed at the BlackHat USA 2017, “Bruteforce of PHPSESSID”, rated in Top Ten Web Hacking Techniques by WhiteHat Security and “XML Out-Of-Band” showed at the BlackHat EU. Professional application security researcher.
Timur has previously spoken at CanSecWest, BlackHat USA, BlackHat EU, HackInTheBox, Nullcon, NoSuchCon, Hack In Paris, ZeroNights and Positive Hack Days.

Demystifying Payments: Payment Technologies and Security Risks

Have you ever wanted to learn how payment technologies work? What happens when you pay for something on a website or using a cell phone? Payment technologies are a transparent part of our lives. They enable us pay for everything from a coffee to a car. In this talk we take a look at payment technologies past, present and future, and look at the security risks associated with them. Learn how payments have evolved and what transactions look like today.

Come see Leigh-Anne and Timur at RVAsec! Register Now.