
Amade Nyirak – Social Engineering Prevention for the Masses
Chi Barnett – The Ethical Spy
Dan Tentler – How Not to InfoSec
David Khudaverdyan & Matthew Hoy – Smartphone Security and Privacy for the General Public
Ghostwood – Another Year, Another DDoS (Talk)
HotelBravo – Let’s talk about sec baby, let’s talk about it in healthcare
John Norman – Enterprise IT on the Cheap
Jos Weyers – Showing Keys in Public – What could possibly go wrong?
machinist – Practical 3D Scanning – No More Crappy Garden Gnomes
Robert Rowley – An 0Day in the life (of a researcher.)
Dr. Tran – Insurance for your Cyber Assets
Sam Bowne – How to Trojan Financial Android Apps
Stealth – The Death of Privacy

Social Engineering Prevention for the Masses

Amade Nyirak, Psy.D

Social engineering prevention materials can be hard to come by, long, outdated, overly complicated, too vague, beyond the readers’ reading level or even flat out wrong. This presentation offers to simplify the concepts and provide concrete practicals on the role of individuals and organizations in preventing breaches in the face of social engineering attacks. No advanced degrees or supreme intellectual functioning are required in order to improve your defensive posture. Attendees can take lessons learned in this presentation and directly apply them in their everyday lives while passing the information on to others in their organizations.

Trained in the art and science of clinical psychology, Dr. Nyirak is dedicated to patching and hardening the “human operating system” against social engineering based attacks.


The Ethical Spy

Chi Barnett

Data-driven features enable a tailored experience for personalized internet services. For many fields (dating, home automation) removing the data-driven elements makes products clunky and/or useless, yet to deliver a personally-appropriate experience the provider must collect and retain user data, and assume responsibility for its privacy. Key points:

  • Informed consent: how do we make sure the user understands what we’re keeping, for how long, and what we’ll use it for? How do we keep this flexible enough to allow for innovation without bothering the user?
  • Opt-out: many services require that you give carte blanche access to all desired data or else not use the service. How do we hand control back to the user, while effectively messaging how and why their withheld data may degrade the service?
  • Safety on intrusion: we must always assume that any data source will eventually suffer an intrusion. How do we provide the user with confidence that their retained data, if exposed, will not put them at risk? What kinds of data CAN’T we keep?

Chi is a large-scale analytics and machine learning scientist with 5 years working in the diverse fields of web search, dating, and home automation. Currently, he’s busy helping people turn their houses into robots.


How Not to InfoSec

Dan Tentler

There are many organizations that conduct penetration testing and red team consulting engagements. Concurrently, there are many which also conduct remediation and professional services engagements. In every circumstance mistakes can be made, and there are lessons to be learned – however rarely if ever are they communicated back and forth between client and vendor. When people make mistakes, they are concealed so that egos and reputations do not suffer. There are also many speakers who articulate “what to do” on a variety of topics and in some cases “how to do it”, but I challenge you to name one occurrence of “what not to do” on a security conference docket. Few people speak of their mistakes.

When we fail, we learn. We learn what not to do in a given circumstance. If we do not pass this information on to others, then we are destined to watch others make the same mistakes we have made over and over again. After 8 years in nearly every facet of information security, I’ve compiled a colorful and entertaining compendium of mistakes that I’ve made, in addition to mistakes that I’ve watched and encountered in the line of duty during my information security career. Everything from configuration problems, to destroying networks with nmap, to tipping over firewalls with masscan, to using masscan as a load testing apparatus, to talking about public breaches and being visited by law enforcement, and more.

This talk will cover several topics and articulate what I’ve come to call ‘land mines’ in an effort to educate the audience in unforeseen consequences – specifically, within the context of pentesters, red teams, blue teams, and site reliability engineers / sysadmins.

Dan Tentler is a Co-Founder of Carbon Dynamics, a boutique Red Team and security services firm. Previously, Dan was the sole proprietor of Aten Labs, a freelance Information Security consultancy firm in San Diego. He is routinely parachuted into various clients in the continental United States, as well as speaking engagements abroad in Australia, the UK and Amsterdam. Dan carries a wide breadth of clients and engagements, ranging from threat intelligence, to wireless site surveys and penetration testing, to full blown social engineering campaigns, to lockpicking and threat & vulnerability assessments. Dan has presented at 44con, BreakPoint, DefCon, BlackHat, ShakaCon, Hack In The Box: Amsterdam, various BarCamps, Toorcon San Diego, ToorCon Seattle, regional OWASP meetings, Refresh San Diego and SDSU computer security advanced lecture classes. Dan has been interviewed by the BBC, CNN, The San Diego Reader and a variety of information security blogs and publications. Dan is skilled in the arts of the professional bad guy.


Smartphone Security and Privacy for the General Public

David Khudaverdyan & Matthew Hoy

It seems that we are doomed to use “consumer grade” smartphones with little choice between phone operating systems – Android OS and iOS are the clear market leaders. This is not a hardware talk and we are open to having a panel with others that might be hardware or reverse engineering experts. Our talk aims to help a consumer secure either device and provide some guidance and caveats to working with each operating system. The talk will provide “consumer” hardening steps for each platform for the general public (e.g. parents or non-tech friends). The talk will also investigate shrink-wrapped Tailored Access Operations (TAO) and provide some general guidance to ensure that you have a clean operating system to start with. Matt will cover applications and cloud use since we are going to be “connected”. David will also rant about end user stupidity, which is the obvious reason why we can’t have nice things.

Matthew Hoy (@mattrix_) is a Principal Security Consultant with Accuvant Labs Technology Services team. Matthew has worked in the Information Security world for over 15 years in various Information Security roles from Security Analyst, Architect, Incident Response, Consultant and Management. Matt currently holds CISSP and SANS GCIH Certifications. Matt has recently presented at Seattle Toorcon, B-Sides Los Angeles, Toorcon San Diego, Derbycon and Grrcon.

David Khudaverdyan (@deltaflyerzero) is an Operations System Administrator with DreamWorks Animation. David has been involved with the Information Security world for over 7 years both attending and being involved with a multitude of conferences including DefCon, ToorCon San Diego, ToorCamp, LayerOne, and others. He enjoys long walks on the beach and yelling at people that knowingly deploy platforms with security holes.


Another Year, Another DDoS (Talk)

Ghostwood

This is a continuation of the DDoS series I do for LayerOne. Traditionally this talk focuses on the DDoS threat landscape and how it has evolved over the past year. As reported attacks exceed 400 Gbps, tactics are changing to exploit common infrastructure to deliver higher impact attacks. This year the focus will be on some of the new infrastructure approaches the DDoS operators are adopting, in particular DNS, NTP and SSDP reflection. In addition to that there will be more practical examples of mitigation configurations.

In the past G has worked for companies like Cisco, Google and Yahoo in network operations as well as DoS mitigation.


Let’s talk about sec baby, let’s talk about it in healthcare

HotelBravo

Healthcare is a growing market when it comes to integration with technology. With the passing of the Affordable Care Act, patient health records must now be available digitally. This talk is going to be a broad overview of healthcare as a whole. We are going to look at it all: the threat actors, the stolen PHI market, biotech companies, hospitals and doctors. We are going to discuss some emerging threats, some past breaches and what we can possibly do as an industry to fix this.

Born from a pack of fierce Timberwolves HotelBravo was destined for greatness. But he was the runt of the litter and no one wanted him in the hunting party (what a bunch of bitches). Now he does sec work for one of the largest healthcare providers in Los Angeles. HotelBravo enjoys swimming, horseback riding, long walks on the beach and figuring out different ways to make M.D’s feel stupid.


Enterprise IT on the Cheap

John Norman

Join Arclight as he walks you through setting up an Enterprise-grade wired and wireless network, NAS and virtual server farm on zero budget. With 10 years of experience doing enterprise infrastructure for a living, Arclight applied the same approach to the major tech refresh at 23b Shop, O.C.’s local hacker space.

John Norman is a founding member of the 23b Shop in Fullerton, CA. He’s been involved in IT Security, resilient systems design and most recently, embedded security electronics. He currently ACCX Products Inc., a company that started from the hacker space community’s need for a modular, open-source access control system. Other projects include industrial controls, 3D Printer hacking, alarm and automation systems, and high-altitude balloon trackers.


Showing Keys in Public – What could possibly go wrong?

Jos Weyers

A password shouldn’t be on a post-it note. In plain view. On the console.

The password to a locked door is called a key. So, if a reporter wants to get the point across that certain people shouldn’t have access to a particular key, would it be wise for said reporter to show that key to the world? This talk will show how not to run this story, why we should care and maybe make you rethink your physical security a bit.

Jos Weyers (@josweyers) is a world-record holder in the field of lock impressioning and a mainstay participant at LockSport events around the world. A long-time member of TOOOL in the Netherlands and a key figure at the Hack42 hackerspace in Arnhem, Jos recently became the Vice-President of and now helps to oversee that organization and the LockCon conference. Most people know him as the Dutch Kilt guy.


Practical 3D Scanning – No More Crappy Garden Gnomes

machinist

We’ll explore the more useful utilities available for developing a 3D model from scanned data. Some provisions need to be made for colorization, remeshing, and parameterization of the resulting model, depending on the target output. In the market, scanners are available from $100-$10,000+, and I’ll give some insight to the process to make more informed choices on the technology.

machinist is a machine that knows how to machine.


An 0Day in the life (of a researcher.)

Robert Rowley

Join this talk to follow a series of web application vulnerabilities from their inception to their death. I will show you common tools and reverse engineering tactics to tease out the vulnerability from the applications, then show how to grow it into a full-fledged PoC (proof of concept), ready to make its mark in the world. Finally, I will close with examples of defense mechanisms and patches that will end this lowly vulnerability’s days on your network … that is, until the next one is born.

Robert is a Security Researcher for Trustwave’s elite SpiderLab research team. When he isn’t reviewing new vulnerabilities, he spends his time with family, getting outdoors, or brewing beer (and enjoying said brewed beer.) He has been a part of the Southern California hacker and information security scene for over 10 years, as a founder of Irvine Underground and has presented many times in the past at Defcon, many b-sides, HitCon and best of all: Layer One.


Insurance for your Cyber Assets

Dr. Tran

Major insurance companies are now offering cyber insurance products, but what do these products cover and how do they work? This presentation will go into how the traditional insurance business works before going into how these new cyber insurance products are different. Cyber insurance products can also come with a long list of due diligence requirements that can leave insured customers ineligible for a claim. Understanding how these products work will help one decide whether taking out a policy is worth the cost.

Dr. Tran is a security professional by day when he’s not driving fast cars and picking locks. He works for a major European company in the financial services industry. He is also a member of TOOOL and has taught lockpicking at various conferences and events around the country.


How to Trojan Financial Android Apps

Sam Bowne

In Feb. 2015, I tested three major financial Android apps, and found that they were completely unprotected. It was easy to add Smali code to the app, re-sign it with my own certificate, and use it for real financial transactions. Powerful defenses are available to prevent this, such as verifying the signature when the app contacts the server and obfuscating the code, but these apps are unprotected. I notified the companies and they did nothing. Customers who use Android for financial transactions are exposed to serious risks for no good reason.

I’ll demonstrate the process live, and encourage the audience to test more apps and notify more companies. If we shame them enough, they may eventually fix this.

Sam Bowne has been teaching at CCSF since 2000. He spoke at DEFCON, HOPE, BayThreat, LayerOne, & Toorcon. He has BS, PhD, CISSP, CEH, WCNA, CCENT & a partridge in a pear tree.


The Death of Privacy

Stealth

Over the years our individual freedoms and personal privacy rights have steadily been eroded. But it is not just the fault of the government or the NSA. Many of our own choices and changes in cultural norms have helped allow this to happen. In this talk I will explore how things got out of hand and why. While it may be too late to go back to that age of innocence, we can face the future better informed and prepared to protect our security and reclaim our rights to personal privacy.

While many security talks focus on protecting the corporate information systems and infrastructure, this talk will focus on hardening the weakest link, the individual. I will discuss how to perform a Personal Security Audit to assess your own situation and identify what you need to protect and how. We will discuss ways the bad guys get to you and what techniques can be used to recognize, anonymize and protect yourself from the current variations of scams, cons, cybercrimes and other bad stuff you or your loved ones may be exposed to.

The threat landscape is changing and you need to understand where you fit in the big picture. Knowledge is power and awareness helps you be better prepared. Whether you’re a noob or uber-1337, learn personal risk management strategies for a more secure lifestyle both online and IRL.

Stealth: Involved in computers since the dark ages (before WWW). The first computer I hacked was an IBM 1130 mainframe. Designed and built my first personal computer running CP/M on a Z80 in the late 70s. Built large scale WANs for Fortune 500 companies during the 80s. Founded the Association of Internet Professionals (1993-2003), the first trade association for individuals working with these new technologies. An information security and computer forensics expert with a lifetime of experience to share in many aspects of the tech industry. A Defcon goon for 22 years and longtime privacy advocate.