07:30
ARRIVAL AND REGISTRATION

08:30
Opening Address from the Conference Chair

08:40
Perspectives from the L0pht
Joe Grand, President, Grand Idea Studio

This session is a look back at Joe's experiences growing up in one of the most recognised hacker groups in the world during the burgeoning days of the computer security industry, and how the industry has changed, or stayed the same, since then. For nearly a decade, Joe Grand (aka Kingpin) was a member of the infamous hacker collective known as L0pht Heavy Industries in Boston, Massachusetts.
Starting in the early 1990s as a clubhouse for local hackers to store computer equipment, tinker with projects, and just hang out, the L0pht ended up as seven close-knit friends changing the face of computer security vulnerability research and disclosure. The group would discover security flaws in software applications and hardware products and challenge the vendors not only to acknowledge the problems, but to fix them - a feat practically unheard of at the time.
In 1998, they gained public attention testifying before the United States Senate Governmental Affairs Committee and were praised as "modern day Paul Reveres" for their warnings of computer security weaknesses. In an anticlimactic ending in 2000, the L0pht was sold to a security consulting start-up and the original members eventually went their separate ways.

• A look back at the early days of the computer security industry
• Perspectives on how the industry has changed, or stayed the same

09:25
A Web Hacking Odyssey – The Top Ten Hacks of the Year
Jeremiah Grossman, Founder & CTO, White Hat Security

Every year, powerful new Web hacking techniques are revealed, many of which are highly sophisticated and esoteric. Staying up to date on these threats is a full-time job. This session separates the best from the rest and selects the top 10 to cover in technical detail. The session will explore how Web security is impacted, the business risks posed, which techniques are likely to be used maliciously, and some of the prevalent security issues emerging in 2010.

• The top 10 Web hacking techniques
• How Web security is impacted
• The business risks posed
• The prevalent security issues emerging in 2010

10:10
MORNING REFRESHMENTS & NETWORKING

10:40
Smartphone security: The past, present and the future
Charlie Miller, Principal Analyst, Software Security, Independent Security Evaluators

Charlie will discuss smartphone security from a historical perspective. He will begin by outlining the threats posed by smartphones and what makes smartphone payloads unique. Then, he will discuss the security architectures of a few platforms. Finally, Charlie will demonstrate attacks that have been successful in the past and how they worked. He will end by making wild speculations about the future of smartphone security.

• The smartphone threat evolution
• Security architectures of new platforms
• Successful smartphone attacks and how they worked
• The future of smartphone security

11:25
PANEL: The ultimate defence - think like a hacker
PANELLISTS: Felix FX Lindner, Recurity Labs; Dino Dai Zovi, Independent security researcher; Charlie Miller, Independent Security Evaluators; Moxie Marlinspike, Independent Computer Security Researcher

Sometimes it seems like the criminals will always have the upper hand. No matter what we do and how much we spend, they still steal our data, our credit cards and even our identities. Why does this happen? It’s because criminals know how to “think outside the box” - to automatically look for the back door or the hidden weaknesses. We'll ask our panel of experts to think like a hacker and offer their ideas for defending against them effectively in 2010.

TRACK 1: Technical Hands-on

(T1) Exploiting Windows DEP using Return-Oriented Programming
Dino Dai Zovi, Independent security researcher

• The importance of preventing malicious computations
• Practical applications of return-oriented techniques

(T1) Encoding, character sets and security
Marco Slaviero, SensePost

• The impact of poor encoding support and its security implications
• Methods for resolving character set issues and common bugs
• Practical advice for developers for future application development

(T1) Hardware is the new software: High-profile attacks against electronic devices
Joe Grand, President, Grand Idea Studio

• Understanding the hardware hacking process
• A look at high-profile attacks against electronic devices

(T1) Some tricks for defeating SSL in practice
Moxie Marlinspike, Independent Computer Security Researcher

• How to exploit BasicConstraints vulnerabilities
• How to exploit SSL stripping
• How to exploit null-prefix attacks on X.509 certificates

(T1) Attacking web application servers
Ian de Villiers, Associate Security Analyst, SensePost

• Shortcomings within web application frameworks and portal applications
• Scenarios where remote attackers can exploit vulnerable applications

TRACK 2: Technical/Operations

(T2) Security is easy, in theory
Felix FX Lindner, Owner, Recurity Labs, and Computer & Network Security Consultant

• Fault-free Software
• Global Authentication
• Common Interface Formats
• Encryption and Integrity
• Authorization
• Availability

(T2) Security as a service: Hands-on? Hands-off? Or somewhere in between?
Jonathan Wilkinson, Director, Hosted Security, Websense

• Learn what’s driving the growing demand for SaaS and hybrid security offerings
• Hear how other organisations have implemented SaaS security, what lessons they learned and how they’ve managed to reduce costs without sacrificing security
• Discover which traditional security applications make sense as a SaaS offering and which do not

(T2) Change Happens: Building security with a business roadmap
Maeson Maherry, Director, L@Wtrust

• A case study of fraud management
• The principles of business, law and information security
• Mitigating risks and building a secure business foundation
• From PKI to compliance and process streamlining

(T2) Securing the mobile enterprise
Samresh Ramjith, CTO, Dimension Data Security

• Policy and strategy development to create a secure mobile workplace
• A proactive plan to address mobile security challenges
• The benefits once a secure mobile workforce is achieved

(T2) Seamless and compliant management of your encryption keys
Tony Acharia, Senior Pre-sales Consultant, Becrypt UK

• Standards and technologies for encryption key management
• Best-practice management of encryption keys to ensure regulatory compliance
• Compliance requirements in accordance with PCI DSS
• The importance of key management to maintain data confidentiality
• Key management as an element of corporate governance and its relevance to King III

TRACK 3: Technology Insight

(T3) Cleaning up Africa as we join the 21st century: Botnets and the new economy
Barry Irwin, Department of Computer Science, Rhodes University

• Security challenges facing African countries in the coming years
• Skills and user education required to deal with the threats
• Emerging and future risks for the African continent
• Possible means of remediation and prevention

(T3) From infection to cashout - how the new breed of trojans operate
Etay Maor, Project Manager, RSA FraudAction Research Lab

• Trojan discussions in the fraudster underground
• New infection methods (including infection rate statistics)
• MITB (man-in-the-browser) Trojans, with and without session hijacking (OTP bypassing)
• Different types of HTML injection
• Auto transfers to static and dynamic mules
• A short discussion about Mobile Trojans
• How to fight back

(T3) Putting the trust back into email & web
Ed Rowley, Field Product Manager EMEA, M86 Security

• Understanding and identifying critical Web and email security risks
• Steps to take to reduce overall cost and minimise the risk of gateway security breaches

(T3) Why in-the-cloud security technologies are the answer
Rik Ferguson, Senior Security Advisor, Trend Micro

• Why is security moving into the cloud?
• How is security evolving to address the new threat landscape, and is the cloud solution the best?
• Does an in-the-cloud security strategy reduce your risk, and can it reduce your TCO?
• Integrating an in-the-cloud security strategy into your business

(T3) Security in the virtualised environment
Justin Lee, Territory Manager, Africa, Juniper Networks