Monday, April 12, 2010

YSTS 4 - It's almost here




OK, the blog is half dead. But every now and then, we're still here...

YSTS 4 is coming. Check out the lineup:

Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure

Where and how our data is created, processed, accessed, stored, backed up and destroyed in what are sure to become massively overlaid cloud-based services - and by whom and using whose infrastructure - yields significant concerns related to security, privacy, compliance, and survivability. This presentation discusses how staggering interdependencies and the reliance on both aging technology approaches as well as cloud-on-cloud infrastructure and services exposes flawed assumptions and untested theories as they relate to security, privacy, and confidentiality in the cloud.
Most importantly we will discuss what we should do to prepare for moving to Cloud-based services securely.

Christofer Hoff, CISSP, CISM, CISA, Director, Cloud & Virtualization Solutions, Cisco Systems

Chris is Director of Cloud & Virtualization Solutions at Cisco Systems where he focuses on virtualization and cloud computing security spending most of his time interacting with global enterprises and service providers, governments, and the defense and intelligence communities. Previously, he was Unisys Corporation’s Chief Security Architect, served as Crossbeam Systems' chief security strategist, was the CISO and director of enterprise security at WesCorp, a $25 billion financial services company and was founder/CTO of a national security consultancy. Chris specializes in emerging and disruptive innovation and what it means to security, and is technical advisor to the Cloud Security Alliance. Chris blogs at http://www.rationalsurvivability.com/blog



----------------------------------------

Virtualization and Computer Forensics

Virtualization is here to stay. As more and more companies adopt the technology, new questions arise about how virtual environments relate to computer forensics. Are we creating the ideal environment for the perfect crime?

Tony Rodrigues is a CISSP, CFCP and Security+ certified professional with 20 years of experience in IT and 7 years in information security management, having led several investigations and forensic examinations. Tony is an independent information security consultant and the author/creator of the blog forcomp.blogspot.com, on incident response and computer forensics.



----------------------------------------

Traceability < Ability to trace

This presentation aims to show best practices for traceability, crisis management, a streamlined incident handling process, procedures, and the reporting of vulnerable assets.
Today's attacks are targeted and sophisticated, carried out by organized groups against specific information assets over long periods of time. This kind of environment calls for effective traceability to better detect intrusions, and for detailed logging of the information that will be relevant in the event of an information technology security breach.

Luiz Firmino has 22 years of information technology and information security experience: 10 years at Serpro (Serviço Federal de Processamento de Dados, the Federal Data Processing Service), the largest public information technology service provider in Brazil. The agency works for the Brazilian federal government, maintaining the computer systems that manage its budget, help it integrate the states' accounting, track Brazilian imports and exports, and process electronic income tax returns. 7 years at Roche as Chief of Telecommunications for Brazil and Security Head for Latin America; Roche is a leading international healthcare company. 2 years at Sara Lee as Chief Information Security Officer for Sara Lee Brazil and Regional Security Coordinator for the Americas; Sara Lee is a global manufacturer and marketer of high-quality, brand-name consumer products. Currently I am working as the Information Security Manager for HSBC Brazil; HSBC is one of the largest banking and financial services organisations in the world.



----------------------------------------

Top 5 physical ways into a data center
This talk goes over the top 5 most common ways to breach the physical security of a data center. The information has been gathered by the speaker over the course of his career as a physical penetration tester/red teamer. Topics covered include social engineering, lock picking, and common construction flaws. Examples of how these vulnerabilities were and can be used to attack a data center physically, as well as solutions to these issues, will also be covered.

Ryan Jones, Sr. Security Consultant. Ryan has worked in the information security field for over 14 years. His main focus has been on network, application, and physical security assessments, and he has worked in these capacities with over 1,000 clients across a variety of business sectors, with the primary emphasis on the government, banking, and medical industries. His work has included testing web applications, network penetration testing, physical penetration testing, physical security assessments and planning, social engineering testing, and designing information security remediation programs for these clients. He has spoken at various events and conferences, including the Defcon Skybox talks. He was a cast member and technical producer of the 2007 TV show "Tiger Team" and is currently the co-host of the security podcast "Exotic Liability." He is currently a Senior Security Consultant on the Application Security Team of Trustwave's SpiderLabs.



----------------------------------------

SAP and Caipirinha with Pitú

SAP needs no introduction. In this presentation I will cover the phases of a penetration test against a production SAP environment using a public, open-source framework: Sapyto.
Little is known today about performing penetration tests on business applications. Security testing of SAP environments is necessary given that SAP implementations are part of long, complex projects in which a great deal of the company's capital is involved. 2008 FBI data states that financial fraud caused by security incidents resulted in losses of approximately US$ 470,000 for American companies and, to make matters worse, according to data from the information security consultancy ONAPSIS, more than 95% of the SAP environments assessed by the company were prone to financial fraud caused by technical information security vulnerabilities, and many of those implementations had been qualified as SOX/PCI DSS/ISO compliant by four large audit firms.

Now, while making a tasty Sergipe-style caipirinha with Pitú, we will get to know the phases of an SAP pen test. The pen test covered here follows as its "methodology" the phases of Sapyto, a free, open-source framework for penetration testing SAP environments. There are therefore 4 phases:

1 – Discovery
2 – Exploration
3 – Vulnerability Assessment
4 – Exploitation

Joaquim Espinhara, independent information security researcher, works as a consultant for SecureInfo Security Solutions. Speaker at a few international events and at several regional ones. Speaker at the last H2HC (6th Edition) with the presentation on sniffing remote networks.


----------------------------------------

Client-Side Detection Advances
File format and JavaScript-based attacks have become the primary focus of the security landscape over the last several years. These attacks can be sophisticated and difficult to detect at wire speed by an IPS or IDS. Exploit frameworks such as Metasploit, Immunity's CANVAS and Core Impact provide simple mechanisms to achieve this complexity. Complicating this already difficult detection is the desire of many IPS users for low-latency analysis at wire speed. The processing necessary to address ASCII hex encoding, JavaScript obfuscation, PDF object compression and the myriad other techniques available to attackers means that normalizing a document to the point where it can be analyzed for malicious data is simply infeasible in an inline deployment for Snort or any other system.
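The abstract above lists the decoding an inline sensor would have to finish before a literal signature can match: PDF name hex escapes, stream filters such as ASCIIHexDecode and FlateDecode, and only then a search for /JavaScript. The Python below is an added example written for this page; it is not code from the talk, from Snort, or from Sourcefire. It builds a constructed PDF fragment that hides an OpenAction /JavaScript behind those layers, shows that a byte-level match on the wire data finds nothing, and then normalizes the file so the indicator surfaces. The sample PDF, the function names and the short indicator list are assumptions made for the illustration, not a detection ruleset.

```python
import re
import zlib

# Constructed sample payload for the demo (harmless; not a real exploit).
JS_PAYLOAD = b"app.alert('constructed sample');"

# A dictionary immediately followed by a stream body. The tempered pattern
# (?:(?!>>).)* stops at the first '>>', so the dictionary nearest the stream is used.
STREAM_RE = re.compile(rb"(<<(?:(?!>>).)*>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# PDF name token: '/' followed by regular characters (whitespace and delimiters end it).
NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")
# '#xx' hex escape inside a name token (PDF 1.2+ syntax).
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Indicators looked for after normalization (hypothetical short list for the demo).
JS_RE = re.compile(rb"/(?:JavaScript|JS)\b")


def build_sample_pdf() -> bytes:
    """Constructed PDF fragment: /JavaScript hidden behind name escapes and two filters."""
    # Stream body: zlib-compressed script, then ASCII-hex encoded; '>' ends the hex data.
    body = zlib.compress(JS_PAYLOAD).hex().encode("ascii") + b">"
    obj1 = (b"1 0 obj\n<< /Length " + str(len(body)).encode("ascii")
            + b" /Filter [/ASCIIH#65xDecode /Fl#61teDecode] >>\nstream\n"
            + body + b"\nendstream\nendobj\n")
    # The action dictionary: /JavaScript and /JS are written as /J#61v#61Script and /J#53.
    obj2 = b"2 0 obj\n<< /Type /Action /S /J#61v#61Script /J#53 1 0 R >>\nendobj\n"
    return b"%PDF-1.4\n" + obj1 + obj2 + b"trailer\n<< /Root 2 0 R >>\n%%EOF\n"


def decode_name(token: bytes) -> bytes:
    """Resolve '#xx' escapes in one name token: /J#61vaScript -> /JavaScript."""
    return HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def normalize_names(text: bytes) -> bytes:
    """Decode every name token in dictionary text (stream bodies must already be removed)."""
    return NAME_RE.sub(lambda m: decode_name(m.group(0)), text)


def decode_stream(dictionary: bytes, body: bytes) -> bytes:
    """Apply the filters named in the stream dictionary, first-listed filter first."""
    data = body
    for name in (decode_name(n) for n in NAME_RE.findall(dictionary)):
        if name == b"/ASCIIHexDecode":
            hex_text = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
            data = bytes.fromhex(hex_text.decode("ascii"))
        elif name == b"/FlateDecode":
            data = zlib.decompress(data)
        # Other names (/Length, /Filter, ...) are not filters and are skipped.
    return data


def normalize_pdf(data: bytes):
    """Return (normalized dictionary text, list of decoded stream bodies).

    Stream bodies are cut out before name decoding so that '#xx' byte sequences
    that happen to occur inside compressed data are never rewritten.
    """
    streams = []

    def _pull(m):
        streams.append(decode_stream(m.group(1), m.group(2)))
        return m.group(1) + b"\nstream\n<decoded stream %d>\nendstream" % (len(streams) - 1)

    text = STREAM_RE.sub(_pull, data)
    return normalize_names(text), streams


def find_js_indicators(data: bytes) -> dict:
    """Compare a literal match on the wire bytes with a match after normalization."""
    text, streams = normalize_pdf(data)
    return {
        "raw_hits": len(JS_RE.findall(data)),
        "normalized_hits": len(JS_RE.findall(text)),
        "decoded_streams": streams,
    }


if __name__ == "__main__":
    report = find_js_indicators(build_sample_pdf())
    print("literal /JavaScript matches on raw bytes:", report["raw_hits"])
    print("matches after normalization:", report["normalized_hits"])
    print("decoded stream:", report["decoded_streams"][0])
```

The point the abstract makes falls out of the structure of the code: nothing in `find_js_indicators` can fire until `normalize_pdf` has buffered each complete stream and run it through every listed filter, and a real document can stack far more filters (and JavaScript-level obfuscation inside the decoded script) than this sample. Buffering and inflating whole objects is exactly the work an inline sensor cannot afford at wire speed.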

The Snort engine is the most flexible and powerful Network Intrusion Detection System available today. By leveraging the extensibility of the engine, end users can build advanced, customized detection that precisely targets the needs of their environment. Alex Kirk will demonstrate the power and flexibility of the engine by unveiling a new multi-faceted, scalable detection methodology targeted at addressing the most difficult detection problems facing security professionals today.



Alex Kirk, AEGIS (Awareness, Education, Guidance, and Intelligence Sharing) Program Lead. Alex Kirk is a senior researcher with the Sourcefire Vulnerability Research Team (VRT), and the head of that group's Awareness, Education, Guidance, and Intelligence Sharing (AEGIS) program, which is designed to increase direct collaboration between Sourcefire customers, the Snort user community, and the VRT in the interests of improved detection and coverage. In his 6 years with the VRT, Alex has become one of the world's leading experts on Snort rules, and has honed skills in reverse engineering, network traffic analysis, and systems security. He recently contributed a pair of Snort-related chapters to "Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century," and is a regular contributor to the widely-read VRT blog (http://vrt-sourcefire.blogspot.com/). Outside of Sourcefire, Alex has contributed to the open source community through efforts such as scrubbing entries for OSVDB and writing documentation for running the NetBSD operating system on the Sega Dreamcast.



----------------------------------------

Global Security Report 2010

From January 1, 2009 to December 31, 2009, we performed approximately 2000* penetration tests (network, application, wireless, and physical) for organizations ranging from the largest companies on the planet to nimble start-ups. In addition, we also performed around 200* security incident and compromise investigations for organizations located in nearly 20 different countries around the world.

The data we have gathered from these engagements is substantial and comprehensive. This presentation will be the first viewing of the results of the analysis of the data gathered during 2009. The results will be presented as both technical and business-impact analysis, with an emphasis on the technical for the Black Hat audience.

This presentation will coincide with the release of the paper with the same title. The paper will be released after the conclusion of the talk.



Nicholas J. Percoco is Senior Vice President of SpiderLabs at Trustwave. He has more than 14 years of information security experience. In his role at Trustwave, he leads SpiderLabs, the team that has performed more than 500 computer incident response and forensic investigations globally, as well as thousands of penetration and application security tests for clients. Nicholas acts as the lead security adviser to many of Trustwave's premier clients, assisting them in making strategic decisions around various security compliance regimes. As a speaker, he has provided unique insight into security breaches and trends to public (YSTS, DEFCON, SecTor, etc.) and private audiences throughout North America, South America, Europe, and Asia. Prior to Trustwave, Nicholas ran security consulting practices at both VeriSign and Internet Security Systems. Nicholas holds a Bachelor of Science in Computer Science from Illinois State University.



----------------------------------------

Exploits and Mitigations - EMET (enhanced mitigation evaluation toolkit)

Andrew Cushman, Senior Director, TwC Security - Microsoft Corp. As Sr. Director of Strategy in the Trustworthy Computing Group at Microsoft Corp., Cushman's primary focus is on End to End Trust, Microsoft's initiative for a safer, more trusted Internet, which aims to bring the trustworthiness of the physical world to the cyber world. Cushman is responsible for End to End Trust outreach and works with teams across Microsoft and the broader security ecosystem.
Cushman previously managed the Microsoft Security Response Center (MSRC). The MSRC leads emergency response to security threats, defines and enforces response policies, and monitors monthly update quality and timeliness. Cushman expanded the MSRC's outreach programs to cover security researchers as well as mainstream security organizations, companies and computer emergency response teams.
Cushman joined the TwC Security team in 2004 as a member of the Security Engineering Group executive leadership team that made security processes an integral part of Microsoft’s engineering culture. Since then he has been a driving force behind the company’s security researcher outreach strategy and execution efforts, formulating the Responsible Disclosure Initiative strategy and initiating the BlueHat security conference franchise.
Since joining Microsoft in January 1990, Cushman has held positions on the Microsoft International Product Group, the Microsoft Money team and the Internet Information Services (IIS) team. He led the IIS product team during the development of IIS 6.0 in Windows Server® 2003. IIS 6.0 was one of the first Microsoft products to fully adopt the security engineering processes that are today embodied in the SDL and remains a “poster child” of Microsoft’s commitment to security engineering and Trustworthy Computing.
Cushman earned a bachelor’s degree in international studies from the University of Washington and a master of international business degree from Seattle University. Away from work, he is an avid skier.

----------------------------------------

Infosec Arena

Anchises Moraes Guimarães de Paula, CISSP, works as a Global Threat Intelligence Analyst at iDefense, a VeriSign company. He has almost 15 years of strong experience in computer security, having worked as Security Officer at Brazilian telecom companies (Americel and Vivo) and as a Security Consultant at local resellers and consulting firms. He holds a Bachelor's degree in Computer Science from Universidade de Sao Paulo (USP) and a Master's degree in Marketing from ESPM, and is CISSP, GIAC (Cutting Edge Hacking Techniques) and ITIL Foundations certified.



----------------------------------------