Registration for RVAs3c ends at 11:55 PM Eastern time today!
We only have a few tickets left, and since there are no sales at the door, don’t wait–just register to guarantee yourself entry.
Our amazingly cheap training classes are still open, as all four still have spots available.
Hey, RVASec! I’m Schuyler, physical security guy, lockpicker, researcher, etc. I’ve been very honored to run trainings at RVASec the past 2 years, and while I feel confident that I’ve been able to bring a lot of material and hands-on experience to folks who took my classes, this year I’m trying to take a big leap forward.
We are pleased to announce that Rapid7, LogRhythm and FishNet Security have all come together to sponsor the RVAsec after party!
The after party will be held at Postbellum on Thursday, June 5th at 6:30pm!
The event takes place shortly after day one of the conference ends–and it is a quick walk over so you can head right from VCU for some cocktails and food!
If you plan to attend, please register to ensure we have enough staff & space reserved!
https://www.surveymonkey.com/s/7QF3PT9
Thursday June 5th 6:30pm-8:30PM (maybe longer!)
1323 West Main Street Richmond, VA 23220
(804) 353-7678
Thanks again to our sponsors for making sure RVAsec attendees will be well taken care of this year!
Gene Fishel currently serves as Senior Assistant Attorney General and Chief of the Computer Crime Section in Virginia Attorney General Mark Herring’s Office. In this capacity he directs prosecutions of computer fraud, identity theft, and child exploitation cases in state courts across Virginia, and serves as a Special Assistant United States Attorney in both the Eastern and Western Districts of Virginia where he prosecutes computer crime cases in federal court. He additionally oversees the office’s recently established Computer Forensics Unit which conducts investigations and computer forensic analyses for criminal cases across the Commonwealth. He also monitors organizations’ compliance with Virginia’s database breach notification laws, drafts legislation for the Virginia General A
ssembly, trains law enforcement and prosecutors statewide, and educates the public on issues involving computer crimes.
During his eleven-year tenure at the Attorney General’s Office, Gene has helped to draft and enact sweeping reforms to computer crime and child exploitation laws in Virginia, and has been involved in numerous novel and complex federal and state prosecutions, including the nation’s first, felony prosecution for illicit spamming in 2004. He has served on numerous boards and committees including the Board of Governors for the Criminal Law Section of the Virginia State Bar, the National White Collar Crime Center’s Cybercrime Advisory Board, the Virginia General Assembly’s Joint Committee on Technology and Science Advisory Committee, and the Governor’s Office of Substance Abuse Advisory Committee. He has also lectured and presented on data breach issues and computer crimes to various agencies, organizations, and conferences across the country including the Federal Trade Commission, the Central Intelligence Agency, the United States Capitol Staff, and United States Attorney conferences. In 2007, Gene was appointed as Senior Assistant Attorney General. Prior to his time at the Attorney General’s Office, Gene served as law clerk for the Second Judicial Circuit in Virginia Beach, VA. He received his JD from Wake Forest University and his BA, magna cum laude, from James Madison University.
Regular registration for RVAs3c ends at 11:55 PM Eastern time today!
We may have late registration tickets for $150 (yes, that’s $50 more than right now)… but no guarantee!
And since there are no sales at the door, don’t wait–just register to guarantee yourself entry.
Our amazingly cheap training classes will remain open for now, as all four still have spots available.
The team has worked hard to keep the “every man or woman” feel of the CTF from last year in effect. There are challenges of different varieties that should satisfy every skill level.
This year we are again going for the wireless competition, which allows a little bit of freedom as far as cables go. There will be a dedicated space setup in the vendor area, with some seating on first come basis. Please confirm in advance with the survey you will receive from the RVAs3c organizers soon to help us make sure we have enough space and can better guarantee you’ll be counted when that space is divided up.
We plan to have staff walking around to assist folks in case of any major issues, as well as to answer questions, within reason. We can’t give you the answers of course, unless you happen to have some massive dogecoin wallets laying around (kidding!).
There are some awesome prizes lined up.
First place is a HackRF Pre-order, which is a really great way to learn about wireless beyond the standard 2.4 and 5GHz most are used to from mainstream access points.
Second place is a Pineapple courtesy of Hak5, for all your pwning needs.
Third place is the Android Hacker’s Handbook, to assist you in understanding all sorts of wonderfully evil things you can do to your phone or tablet, or anything else running Android!
If you have any questions please let us know!
We asked Pete Herzog to tell us more about what people can expect at his OSSTMM class at RVAsec and he provided us a great response!
As humans, we like secrets as long as they don’t harm us for knowing them. We like knowing the dirt on people and the stories behind things. We like to know we’re right and they’re wrong and justifiably so. That’s what this workshop is about. It’s that feel-good, bad-ass workshop full of secrets, dirt, and indignation. Here’s why:
You may have been thrown by the word OSSTMM in the full title, “Secrets of Security with the OSSTMM.” Don’t worry. It’s not about the OSSTMM the way you might be wary that it’s about the OSSTMM. What this workshop won’t do is show you OSSTMM slides and tell you about it. Because that wouldn’t be bad-ass. It’s more about the bad-ass stuff not in the OSSTMM and why we can’t put it in.
For a moment, let me re-introduce you to ISECOM, our organization. Our mission is to make sense of security but how we do it is by not limiting contributors or ideas and we take any profession or hobbyist who wants to partake. And that’s where it gets weird. We’re a research organization with people all over the world working virtually so there are very few constraints to what we can actually research. So we try to reign it in around our mission but sometimes we just do things because somebody was curious. It’s that last part where things get really bad-ass because there’s no context.
When there’s no context that means anything can happen since we’re not constraining it to test a specific theory for security. What happens then is we might learn something spooky or strange or strangely true. Even when we end up with a security truth it can’t just be disseminated as is. It takes a lot of eloquence to take it from from a finding to practical use that can go into one of our publications like the OSSTMM. So sometimes we can’t. That’s also why we struggle to release a coherent document full of cool stuff re-written as practical steps but then it reads like stereo instructions. So in the workshop I’ll show you the behind-the-scenes footage, the stuff we refer to as the “Dark OSSTMM” which is the stuff without context so you can be equally interested or freaked out. Then I’ll show you with context. This is a bit of what it looks like behind the scenes:
| Topics | Research Without Context | Adding Context for Practical Use |
| Vulnerability Management | What would a defense look like that blocked every kind of attack all the time? | How to measure an attack surface. How to classify threats based on operations instead of risk. |
| Electromagnetic Waves | How electromagnetic waves affect personality, behavior, and health. | Best ways to test large spectrum EM waves. Using EM waves in Social Engineering. Correlating HR data with EM maps. Analyzing EM wave collisions with business processes also using EM frequencies. |
| Sound waves | Using HF sound waves to cause visual hallucinations. | Ways to test for HF sound waves. Visual mapping of sound waves. Implementing high frequency sound waves above human perception for machine to machine communication. Using sound waves to causing chaos, confusion, and disruption within the workplace for social engineering and physical attacks. |
| Neurohacking | Using electric signals to modify brain function. | ??? We’ve got nothing yet but there’s some pretty cool stuff we can do from enhancing vision contrast to improving working memory to learning skills really quickly. |
| Trust | What are the logical reasons we have to trust someone or something? | Testing and measuring trust in people, things, third parties like Vendors and Clouds. Improving social engineering tests to include manipulated trusts. Expanding attack surface calculations to include people. |
| Perception | Can we manipulate how people experience time with external signals or electrical impulses? | ??? We’ve got no security context here yet but in some tests we found with direct contact we can increase or decrease physiological responses to hunger, wakefullness, sex, and the speed in which we perceive something. |
This research is so bad-ass that it’s sometimes too bad-ass to go in the OSSTMM until we can find further context. So we share it with team members, classes, and subscribers who like to know about stuff like this, groups like: NIST, NSA, NASA, the Whitehouse, CERN, and even the Vatican.
But the point of this workshop is to make you a better security professional as well as more aware of what’s being done out there in security that’s not afraid to challenge concepts we’ve grown up with. So you can expect there will be a good deal of discussion.
Think of it this way:
If doctors worked like today’s security professionals, they’d know everything about all the ways a person could be killed and still use blood letting and leeches to heal us.
And this is what can you do with the stuff from the workshop:
a) vastly increase the length of validity for the snapshot
b) analyze points of interaction
c) manage operational security controls including devops
Additionally, for fun, I’ll show you how Heartbleed attacks and the latest Target hack look like according to some of our older research.
Finally, I’ll bring some neurohacking gear for workshop attendees to play with. So over-all, I can tell you this will be a bad-ass workshop.
About the Instructor
Pete Herzog is the lead security researcher and creator of the OSSTMM. His analysis of security, hacking, trust, fraud, and neuro-hacking have shown up in thousands of research papers, books, and government documents around the world. He’s passionate about hacking and figuring out how things (and people) work.
Title: The Secrets of Security with the OSSTMM
Instructor: Pete Herzog
Date: 6/4/2014, 9AM-5PM
Cost: $250
@dystonica / dystoni.ca
Genesys Telecommunications
Sarah Clarke is a Senior Security Engineer at Genesys Telecommunications. She has 12 years of experience in IT, seven of which have specialized in Security. She has worked with nonprofit, government contracting, ISP, financial sector, and telecommunications organizations; currently, she is enjoying serving as application security testing and vulnerability management SME for Genesys Cloud, a global SaaS IVR and virtual call center PCI (and etc) compliant service provider.
Sarah’s passion for application security began with the Toyota break failure bug and continued with the work by Barnaby Jack and Jay Radcliffe on poor software design causing fatal error conditions in pacemakers and insulin pumps. She chooses to focus on helping teams make better software, to protect the innocent, save lives and identities.
Sarah is a member of Infraguard, holds four industry certifications, recently presented at Shmoocon Firetalks 2014, and volunteers to support the security community whenever possible.
Lessons Learned Implementing a SDLC
Developers and Quality Engineers are wonderful people who understand how to create, test, and validate features. They frequently aren’t, however, educated in school on architecting applications to prevent security failures, coding to not introduce security bugs, and testing to validate secure functionality.
The language of development – features, releases, agile – is not the same as security – XSS, CSRF, managing session state.
We have to communicate better with our developers and QEs, to inspire them to care, in their language; we have to work with senior management to identify how security fits into their needs to get buy-in and support.
This is a discussion on how that communication works best; overcoming cultural sticking points, and iterating through creating a process that creates better code without slowing down business.
Here are the speakers for the 2014 RVAs3c conference!
| David Kennedy – Keynote | |
| David J. Bianco | Evan Booth |
| Sarah Clarke | Jonathan Dambrot |
| Inga Goddijn | Seth Hanford |
| Pete Herzog | Dan Holden & Elizabeth Martin |
| Ray Kelly | Jack Mannino & Abdullah Munawar |
| mubix | Kizz MyAnthia |
| Kimberley Parsons & Carmen Sullo | Joey Peloquin |
| Nick Popovich | David Sharpe & Katherine Trame |
| Jayson E. Street | Ben Tomhave |
| Schuyler Towne | Steve Werby |
Head to the Speaker’s Page to see information about each speaker and the topics they will be presenting!
