Schedule

Badge Assembly
Car Hack Village
CTF
Escape Room
Flight Simulator
Lock Pick Village
Resume Review

Electronic Badge Assembly

Hosted By Tampa Hackerspace

CTF

Hosted By ReliaQuest

Microsoft IoT Development Kit using the MXChip Technologies

Blain will discuss the new MXChip development kit being used in an IoT Flight Simulator Application. The MXChip Azure development kit enables you to use Microsoft Azure’s IoT Hub, Stream Analytics, Event hubs and Visual Studio for building your own airplane simulation.
Blain Barton

Resume Review

Hosted By ClearedJobs
Career Track
Track 1
Track 2 - Room 136
Track 3 - Room 135
Track 4
Track 5

Opening Announcement

Joe Partlow - ReliaQuest  

Opening Keynote – Cyber Assurance – Testing for Success

How do you know your investments in security controls are effective? Many traditional Red Team exercises and Penetration Tests provide a valuable service by exposing your weaknesses; however, they suffer from a number of shortfalls. First, they are often point-in-time exercises that do not provide comprehensive controls testing. Second, Red and Blue team objectives are seldom aligned to “get better together,” and therefore little if any collaboration, learning, or improvement takes place. The speaker will discuss the current state of enterprise security programs, different testing approaches, and new technologies that facilitate meaningful security posture improvements. After all, isn’t the overall objective of testing not only to test, but to improve the effectiveness of your security investments?
Col John Burger

Hacking College 102 – More on Cheap/Fast College Educations

Cheap and Free ways to get college credits, and possibly even a degree.
Gene Cronk

Using Your Super Powers Beyond the Bits – People are essential to your effectiveness & career advancement – You have an awesome set of tools

You have Super Powers you use to:
* assess complex situations
* meet challenges from many perspectives at once
* develop a plan to reach the goal
* implement the plan
* adjust to the changing situation and repeat

We use these Super Powers in technical situations almost without thinking. When facing challenges with people, we forget these Super Powers and “wing it.” The results are often less than super. Using your Super Powers with people will allow you to be more effective AND allow you to advance beyond your peers who think it is only about the bits.

Key Takeaways:
* You have Super Powers
* You can use these Super Powers to connect with and influence people
* The goal may be shared, but the point of view can be very different. The Super Hero who teleports their awareness into other points of view makes deeper connections with people, is more effective, and advances their career.
Jeff Hicks

Advanced Social Engineering and OSINT for Penetration Testing

Today, we keep hearing about massive data breaches and companies being hacked. While some of the bigger breaches do not have a social engineering angle, many do and do not even know it! The presentation will provide attendees with advanced tools and techniques to use in penetration testing to help save them plenty of time in data gathering and increase the success rate of phishing and pretexting. The goal of a penetration test is to gain access; the techniques in this presentation and demonstration will help take your penetration tests to the next level. Also discussed are the ethical considerations of OSINT and social engineering, as well as how to train users to prevent these attacks from happening.
Joe Gray

Leadership’s Role in Cybersecurity and Data Breaches

All members of leadership play a big role in the success or failure of security policy and practices. Experience level, along with leadership experience, has been a significant contributor to the management of, response to, and recovery from the most notorious breaches of the last several years, including but not limited to OPM, Target, Equifax, and Uber.
Felice Flake

Recruiter Panel – Navigating a Career Search

Recruiter Panel with Mike Wolford, Kristen Renner, Milicent Reed and Derek Porter

Just like a pirate is always looking for their next treasure, a job seeker should always be looking for their next opportunity. According to the Department of Labor, most professionals will have at least 15 jobs in their lifetime, and in our community that number is almost double. What tools and strategies should you always have on hand so that you can navigate your career search? A frank discussion about career search strategies and fails.

Going Savage: Strategies for Taking Control of your Cybersecurity Fate

When it comes to security programs, the average organization spends 80% of its energy on buying products. The hope is that some combination of firewalls, antivirus and other security products will keep them safe. The flaw in this approach is that it overlooks the importance of people in helping to mitigate the damage from a cyberattack, and their roles and needs in the midst of an attack. Join Todd O’Boyle, co-founder and CTO of Strongarm, for a lively talk focusing on real-life security scenarios and better ways to approach security. You’ll learn how to proactively plan and sanely respond when an actual attack takes place. The session will include: 1) communication and preparation strategies for the most common types of cyberattacks; 2) real-world examples of both successful and failed cyberattacks; and 3) a guide to incident response planning that helps prevent fire drills by standardizing processes ahead of time.
Todd O’Boyle

A Very Particular Set Of Skills

Approaching technology skills as trade skills, and seeing ourselves not as “smart people” vs. “lusers” but more like mechanics, can encourage much better incident reporting. The main point is two-fold: there is a fair bit of ego in many areas of tech, and as security becomes more of a constant concern for everyone, we need to create an environment where users feel comfortable reporting incidents or breaches. The key point: we’re like mechanics, and no one likes to talk to a mechanic who talks down to and belittles them.
Dorian Kelley

Closing Remarks

EC Council Award - Wesley Alvarez; BSI - Dan Doyle
Wesley Alvarez

Closing Keynote – Fraud; Should you worry?

How I tracked down carders and infiltrated criminal communities to discover the techniques used to launder money (includes live communication with the underground, where carders are chit-chatting). What I’ve tried doing to stop them, and the outcome of such things. How our government and credit card companies fail. Should you be worried if you’re a victim? How to get your life back when your identity is used against you. Could you go to jail over someone using your tax returns?
Greg Hanis

You Can Run..but you Can’t Hide!

More than ever, cyber criminals are using the internet to hide their schemes of fraud, extortion, stalking, harassment, hacking, defamation and counterfeiting. This presentation will be a real-world look at how cyber investigators track down and prosecute criminals all over the world through the marriage of investigations, technology and the law.
Bruce Anderson

Red Team Apocalypse

TABLETOP SCENARIO: Your organization regularly patches, uses application whitelisting, has NextGen-NG™ firewalls/IDS’s, and has the latest Cyber-APT-Trapping-Blinky-Box™. You were just made aware that your entire customer database was found being sold on the dark web. Go. Putting too much trust in security products alone can be the downfall of an organization. In the 2015 BSides Tampa talk “Pentest Apocalypse” Beau discussed 10 different pentesting techniques that allow attackers to easily compromise an organization. These techniques still work for many organizations but occasionally more advanced tactics and techniques are required. This talk will continue where “Pentest Apocalypse” left off and demonstrate a number of red team techniques that organizations need to be aware of in order to prevent a “Red Team Apocalypse” as described in the tabletop scenario above.
Derek Banks and Beau Bullock

Advanced Persistent Security

Any attack against significant organizations is labeled "Sophisticated" by default. The reality is that most of these attacks, such as Target, the OPM, and the DNC, result from inadequate security programs. This presentation reviews recent notable incidents to highlight the root vulnerabilities. The reality is that the vulnerabilities compromised were basic, and as opposed to the attackers being “Advanced”, they are more “Adaptive”. These attacks are then compared to defensive information warfare principles of protection, detection, and reaction. I then utilize those principles to define an adaptive security strategy to prevent incidents, but more importantly to detect and respond to such incidents before loss can be realized.
Ira Winkler

Adding Simulated Users to Your Pentesting Lab with PowerShell

Pentesting labs tend to have isolated boxes representing specific vulnerabilities. This doesn’t do a great job of mimicking real world networks which have active users and network activity. We’ve created a tool set to introduce simulated users to a lab environment which enables us to accurately model real world corporate networks and allows for additional attack vectors to be explored in a safe setting. During this talk we’ll go over the major functions of the tool and showcase its capabilities with a live demonstration.
Barrett Adams and Chris Myers

The Shoulders of InfoSec

“If I have seen further it is by standing on the shoulders of giants.” Most famously attributed to Sir Isaac Newton, this quote reflects the sentiment of this project. All of us in the field of information security stand on the shoulders of giants, and this project is dedicated to shining a light on those shoulders, the known and the unknown. In this presentation I will tell the stories of some foundational figures in our industry and communities: some famous, some infamous, some unknown.
Jack Daniels

Blockchain: The New Digital Swiss Army Knife?

Blockchain as a technology has been proposed as a solution to everything from frictionless currency transfer to tracking cargo on ships. With over one billion dollars in venture funds invested and several hundred patents filed, every security professional must know the impact on organizations in terms of risk, volatility, and competitiveness. This talk will explore alternative uses for blockchain technology other than cryptocurrency, and provide a framework for utilizing and securing a technology considered as disruptive as the Internet was in the 1990s.

Modern Day Vandals and Thieves: Wireless Edition

There are many reasons people may want to know what’s in your home, be it people or things. Few of them are good. This talk will examine ways to determine what is inside your home without ever entering it, and possibly how to enter it. Wireless network detection is well known, and we will cover it, but this talk will go more in depth into other sources of information: your lights, your TV, even your security system, and even the power that is running these devices.
Jonathan Echavarria and David Switzer

A Security Look at Voice-Based Assistants

Rapid developments in the field of artificial intelligence (AI) have resulted in a spate of new products and services. Without these advances, voice-based assistants like the Amazon Echo, Apple’s Siri, Microsoft’s Cortana, and others could not exist. But just like too many other technologies of the past, voice-based assistants are being integrated into our daily lives without a complete understanding of the security risks they pose. In this presentation, attendees will be introduced to the security issues surrounding voice-based assistants, with a particular focus on the Amazon Echo. Attendees will be given a high-level overview of voice-based assistants and their evolving role as part of the Internet of Things (IoT). After a quick survey of the Amazon Echo family of products, there will be a discussion of the listening capabilities of voice-based assistants, which is currently the largest area of concern among those who are familiar with the technology. Included will be a discussion of a 2017 proof-of-concept attack in which researchers were able to pwn an Echo and turn it into a covert snooping device. It is well known that the more popular a technology becomes, the more interest it receives from attackers. The presentation will introduce attendees to several successful attacks on the Amazon Echo, including one that allowed Chinese researchers to deliver remote commands to the Echo using frequencies inaudible to the human ear.
David Vargas

Hackers Interrupted

Examining hackers’ motivations is not an easy task. We need to step away from a “defender” mentality and try to understand what drives a hacker. Beyond technology, business drivers, and compliance, there is a human factor that is always present in an attack. As a practical example, consider the true motivations of the hacker Ree4, who was behind the Target breach. What made him write the “Kartoxa” malware? What drove Iranian hackers to disguise themselves as Russians during the ransomware attack against San Francisco’s light rail system? Hacker Tessa88 held the entire world hostage by selling billions of stolen records from the largest breaches, including LinkedIn, Yahoo, and many others. What motivates him? Based on these real examples we draw the conclusion that knowing hackers’ motivations is one of the keys to stopping them.
Alex Holden

Insane in the Mainframe: Taking Control of Azure Security

Everybody’s moving to the cloud these days. If you’re not already on Office365/Azure, odds are you’re considering it. But what are the security implications of doing this versus rolling your own thing on-premises? As a security consultant and architect, Jeremy set out to learn more about the Microsoft Azure security framework. After reading 700+ pages of documentation and consulting on a number of cloud security projects, he has now attained cloud enlightenment, the tl;dr version of which he’ll present in this talk. In particular, he’ll cover the following:
* How Azure identity & access management work
* How Azure data access control & encryption work
* How Azure virtualization, isolation, firewalls, logging & monitoring work
* Best practices you should take for dealing with Azure security
Jeremy Rasmussen

MiFare lady: Teaching an old RFID new tricks

My presentation analyzes the MiFare Classic and Plus EV1 specifications. I cover some history and known attacks. Then, I suggest a few improvements that can be used during reader implementation to enhance security. Finally, I will conclude with a couple of demos I have written in Python using cheap ubiquitous hardware.
Daniel Reilly

Medical Device Security: State of the Art in 2018

Over the past several years, medical device security has emerged from an unrecognized, shadowy security issue to the forefront of concern for healthcare providers, vendors, media and patients. This presentation provides a history of medical device security issues, the key challenges we face, recent regulatory changes with FDA guidance, and a forward look at emerging threats well beyond ransomware. Attendees will gain insight into the challenges, learn about the threats, and have common medical device security myths dispelled.

Shawn Merdinger

Weaponizing IoT – NOT!

This talk opens with a brief introduction to the types of IoT attacks and vulnerabilities across the five IoT verticals:
1. wearables
2. connected cars
3. connected homes
4. connected cities
5. industrial

Example attacks are given for each of the verticals. The talk then expands on the IoT specifics of how devices are developed, including issues such as reused code, crypto limitations and reused firmware. It continues with how IoT uses the cloud for data storage, the types of data stored, and how the cloud is overlooked in most IoT security discussions. Scripted (or live) demos are then shown with several IoT devices, exploring attack methodologies and details of the attack surface presented by most IoT devices, and connecting to IoT security development and OWASP methodologies, especially as related to APIs and Big Data (in the cloud). Examples are shown using live data and Shodan (recorded scripts in case of live demo failure or connectivity issues).

The final section of the talk expands on IoT honeypots with several examples showing SCADA devices, routers and webcams. A recorded example of “Iot_Reaper” that was caught by a custom honeypot will be shown in this part of the talk. The talk concludes with better methods for IoT development and, at the same time, how to better protect against weaponized IoT devices when your company is the target. The entire talk uses live examples or recorded scripts and shows real-world scenarios with a variety of devices. A win-win for this talk is that attendees not only learn, but walk away with tools and methods that are practical and can be put into use immediately.
Kat Fitzgerald

Blue Team’s Tool Dump

I will be going over a list of definitions, tools that fit each category, and open source variants that fit each (if available). I will also be going over the good, bad, and ugly of new/emerging technology.

Alex Kot

Exploiting Zillow “Zestimate” for Reckless Profit

This talk looks at Zillow’s Zestimate, which provides homeowners, sellers, and real estate agents with residential price estimates. I have found a way to exploit this tool. This provides a way for an attacker to inflate/deflate the Zestimate and cause home values to rise or decline depending on the attacker’s objective. With a little work this gives the attacker the ability to manipulate the markets in large areas, regions or entire counties, given enough work. The implications are extensive given how more and more we rely on algorithms to decide what has value. In this case the popularity of this tool is affecting home appraisals directly and is being used by buyers and real estate agents to make real decisions. I will show everyone how they can do this and directly impact the markets in their area.
Robert – RJ Burney

Self Healing Cyber Weapons

My topic will cover leveraging cloud technology to create self-healing and self-expanding cyber weapons by leveraging technology like OpenStack and Salt.

Logan Hicks

Ransomware: A Declining Force in Today’s Threat Landscape

In recent years, ransomware has been a notable theme in news reports of malicious Internet activity. However, even with such notable cases as WannaCry, Petya, and Bad Rabbit in 2017, the overall volume of ransomware has dropped significantly during the past year. This presentation discusses recent trends and provides a counterpoint to media reporting that tends to sensationalize ransomware. To understand today’s trends, we also review a history of ransomware to show how current samples lack the innovation of previous years. These trends indicate ransomware has become less of an overall danger in today’s threat landscape.
Brad Duncan

Modern web application security

It is 2018 and your websites are still getting targeted on a daily basis. Your WAF rules are so complex no one wants to touch them, and every time you’re done reviewing the next JavaScript framework, a new one has popped up on Hacker News and shipped in production. Your bug bounty program alerts you to a new XSS every other week, and there’s no end in sight. Meanwhile, your boss keeps asking if you’re on the latest version of Apache Struts, terrified of becoming the next Equifax. Suffice it to say, web application security is hard, and often feels like a losing battle.

But you’re not alone in fighting that battle. An entire community of security engineers is continuously modernizing web browsers, certificate tooling, dependency tracking and security testing tools that you can leverage to make your life easier and your web applications safer. In this talk, we will cover seven modern web application security techniques that you can use today to better protect your websites. They are:
1. XSS & Content Security Policy
2. Isolating origins when accepting user-generated content
3. Leveraging cookie security
4. Authenticating users securely
5. Controlling the supply chain
6. Applying strong HTTPS
7. Testing security in Continuous Integration

We will discuss how each area can be integrated into your environments, and share the knowledge acquired at Mozilla while doing this work on Firefox’s backend services. This is a tactical presentation, and the audience will be given hands-on tools and techniques they can apply in their own environments straight away.
Julien Vehent
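To make the list concrete, here is an added Python example (not code from the talk or from Mozilla) that audits one HTTP response for items 1, 3 and 6 and is shaped to run as a build gate under item 7. The header values, the 180-day HSTS floor and the wording of the findings are assumptions chosen for this example.

```python
"""Audit one HTTP response for the CSP, cookie and HSTS hardening discussed above.
Added example; not the talk's or Mozilla's code. All header values are constructed."""
import re
from typing import Dict, List

HSTS_MIN_AGE = 15552000  # 180 days; assumed floor for a meaningful HSTS policy
COOKIE_FLAGS = (("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite"))


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings; an empty list means the response passes.
    headers maps header name -> list of values (Set-Cookie may repeat)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Item 1, XSS & CSP: scripts must not run inline without a nonce/hash and must
    # not be loadable from any host. A nonce or hash makes browsers ignore
    # 'unsafe-inline' under CSP Level 2 and later, so that combination is allowed.
    csp = h.get("content-security-policy", [])
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        directives = parse_csp(csp[0])
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            has_nonce_or_hash = any(
                s.startswith("'nonce-") or s.startswith("'sha") for s in script_src
            )
            if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
                findings.append("CSP script-src allows 'unsafe-inline' without nonce/hash")
            if "*" in script_src or "https:" in script_src:
                findings.append("CSP script-src allows scripts from any host")

    # Item 6, strong HTTPS: HSTS with a long max-age so protocol downgrades fail.
    hsts = h.get("strict-transport-security", [])
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS max-age shorter than 180 days")

    # Item 3, cookie security: every cookie needs Secure, HttpOnly and SameSite.
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for key, label in COOKIE_FLAGS:
            if key not in attrs:
                findings.append(f"cookie {name} lacks {label}")
    return findings


def passes(headers: Dict[str, List[str]]) -> bool:
    """Gate for a CI job (item 7): fail the build on any finding."""
    return not audit_headers(headers)


# Constructed sample responses: the weak configuration beside its hardened form.
WEAK = {
    "Content-Security-Policy": ["default-src 'self'; script-src 'self' 'unsafe-inline'"],
    "Set-Cookie": ["session=abc123; Path=/"],
}
HARDENED = {
    "Content-Security-Policy": [
        "default-src 'none'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'"
    ],
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "PASS" if passes(hdrs) else audit_headers(hdrs))
```

A real job would fetch the headers from a staging deployment with whatever HTTP client the project already uses; the point is that every finding maps back to one of the seven items and a non-empty list fails the build.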

Critical Infrastructure & SCADA Security 101 for Cybersecurity Professionals

Critical infrastructure is realizing tremendous growth and integration of technology-enabled solutions to improve system performance, reduce costs related to both operational and life-cycle maintenance, reduce environmental impact, improve the fidelity and accuracy of measurements and monitoring, integrate renewable energy and associated energy resources, and improve overall system reliability. Despite these improvements, numerous cyberattack events (e.g., Stuxnet, Black Energy, Triton) highlight the fragility and increased attack surface of critical infrastructure as a consequence of technology outgrowth. Presented here are insights, with various examples, to help cybersecurity professionals appreciate and understand how to best align established security principles from Information Technology (IT) with Operational Technology (OT) in order to support operational functionality, reliability, and safety.
Juan Lopez

Exothermic Data Destruction: Defeating Drive Recovery Forensics

With rogue data harvesting from discarded devices an ever-present risk, the question of how to safely dispose of data storage components ranging from hard and solid state drives to SD cards and flash drives should be at the forefront whenever old equipment is being upgraded, not just to foil adversarial access to sensitive internal information, but to comply with data handling legislation. Any number of software solutions exist which advocate wholesale drive encryption (for instance, via open source tools such as VeraCrypt and LUKS)–so as to make the data unreadable even if it were recovered–as well as subsequent wholesale drive erasure (for example, via open tools such as DBAN). But software solutions are woefully inadequate for the task, given the possibility of encryption keys being forcibly or incidentally divulged, drive wiping solutions being ineffective against new solid state drives, and any number of other attacks. After outlining the various privacy risks inherent in insecure data disposal, this talk will then present a case study demonstrating the pitfalls inherent in the TRIM and Secure Erase operations of solid state drives, pointing to the need for a more comprehensive data erasure protocol. The talk will then present a pragmatic hardware solution: secure device destruction via an open source chemical recipe, presenting the principle of exothermic data destruction. Health and safety concerns will be addressed, and the most expedient acquisition of the various necessary ingredients will also be presented.
Kenneth Brown and Nikita Mazurov

Building a Predictive Pipeline to Rapidly Detect Phishing Domains

Registering a phishing domain, requesting an SSL certificate, and installing it on the server got much cheaper for threat actors thanks to the Let’s Encrypt Certificate Authority. Detecting these new domains has always been a reactive process for security teams; just like malware, one cannot provide threat intelligence on phishing domains before they’re registered and operationalized. The recent development of the Certificate Transparency log network adds an interesting dimension to how this process can be improved. New SSL certificates, and the fully qualified domains for which they are issued, can now be monitored in real time. Security analysts have intuition on what a phishing domain looks like when they see it. Building a predictive pipeline to detect SSL certs issued to new phishing domains can be accomplished very simply using supervised machine learning. In this talk, I’ll introduce a Python-based framework for building this predictive pipeline from scratch.
Wesley Connell
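As an added illustration of the pipeline the abstract describes (not the speaker’s framework), the Python below takes hostnames from a certificate-log entry, turns each into the features an analyst would eyeball, and trains a small logistic-regression model by plain gradient descent so it runs offline with no third-party packages. The entry layout, the lure-token and TLD lists, the threshold, and every hostname are constructed for this example.

```python
"""Predictive pipeline sketch: certificate-log entry -> hostnames -> features ->
logistic-regression score. Added example; not the speaker's code. The log-entry
shape, the token lists and all hostnames below are constructed."""
import json
import math
from typing import List, Tuple

# Words an analyst's intuition associates with credential lures (assumed list).
LURE_TOKENS = ("login", "signin", "secure", "verify", "account", "update", "support")
# TLDs cheap enough to be heavily abused (assumed list).
SUSPECT_TLDS = (".xyz", ".info", ".top", ".biz")


def shannon_entropy(s: str) -> float:
    """Bits per character; algorithmically generated labels score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(host: str) -> List[float]:
    """Map a hostname to a fixed-length vector; index 0 is the bias term."""
    host = host.lower().lstrip("*.")  # a wildcard cert names its parent domain
    labels = host.split(".")
    body = ".".join(labels[:-1])  # everything left of the TLD
    return [
        1.0,
        float(any(tok in body for tok in LURE_TOKENS)),  # lure keyword present
        min(host.count("-"), 3) / 3.0,                   # hyphen-chained words
        max(0, min(len(labels) - 2, 3)) / 3.0,           # subdomain depth
        min(len(host), 40) / 40.0,                       # overall length
        float(host.endswith(SUSPECT_TLDS)),              # abused TLD
        shannon_entropy(body) / 5.0,                     # character entropy
    ]


def sigmoid(z: float) -> float:
    z = max(min(z, 500.0), -500.0)  # keep exp() in range for extreme scores
    return 1.0 / (1.0 + math.exp(-z))


def train(samples: List[Tuple[str, int]], epochs: int = 2000, lr: float = 0.5) -> List[float]:
    """Batch gradient descent on logistic loss; returns the weight vector."""
    xs = [extract_features(h) for h, _ in samples]
    ys = [label for _, label in samples]
    w = [0.0] * len(xs[0])
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in zip(xs, ys):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x))) - y
            for i, xi in enumerate(x):
                grad[i] += err * xi
        w = [wi - lr * g / len(xs) for wi, g in zip(w, grad)]
    return w


def score(w: List[float], host: str) -> float:
    """Score in (0, 1); higher means more phishing-like."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, extract_features(host))))


def flag_entry(w: List[float], entry_json: str, threshold: float = 0.5) -> List[str]:
    """Hostnames in one log entry that score above the threshold. The entry layout
    (leaf_cert.all_domains) is an assumption, not any real feed's schema."""
    entry = json.loads(entry_json)
    return [h for h in entry["leaf_cert"]["all_domains"] if score(w, h) > threshold]


# Constructed, labelled training set: 1 = phishing-like, 0 = benign.
TRAINING = [
    ("secure-login-verify.accounts-update.com", 1),
    ("signin.account-support-center.net", 1),
    ("update-your-account-now.info", 1),
    ("login-verify-secure.xyz", 1),
    ("www.example.com", 0),
    ("mail.example.org", 0),
    ("docs.example.net", 0),
    ("static.example.net", 0),
]

# Constructed log entry in the assumed shape.
SAMPLE_ENTRY = json.dumps({
    "message_type": "certificate_update",
    "leaf_cert": {"all_domains": ["verify-login-secure-account.biz",
                                  "www.verify-login-secure-account.biz"]},
})

if __name__ == "__main__":
    model = train(TRAINING)
    for host, _ in TRAINING:
        print(f"{score(model, host):.3f}  {host}")
    print("flagged:", flag_entry(model, SAMPLE_ENTRY))
```

Hostnames from a live log feed arrive far faster than an analyst can read them, so the threshold becomes the knob between alert volume and missed lures; a real deployment would also feed the outcomes of triage back into the labelled set rather than training once on a handful of examples.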

Eating the Elephant: Leveraging Data Analytics to Tackle Everyday Security Tasks and Provide Actionable Intelligence

During this talk, we will analyze real data and discuss and apply various methods, data frameworks and tools, coupled with the Python programming language, to tackle this obstacle, identifying along the way methods to triage and process the data and unearth the golden nuggets of information that can and will help the analyst better defend the network and find the proverbial needle in a haystack. It’s time to make the data work for the analyst instead of the analyst being held at its mercy. Even the simplest data sets can yield promising results; we just need to know what to ask, how to look, and how to enrich the data.
Ramece Cave

Health IT – The “New” Information Security Area

From mainly using IT in supporting processes, IT is now a primary tool in many core clinical processes. This has changed many processes and introduced new types of risks and opportunities related to patient safety and quality of care. The security aspect has been highlighted for many years by HIPAA and HITECH. Now we see a more intense focus on the data integrity, availability, and patient safety aspects of electronic clinical information and medical records. In 2015 the Office of the National Coordinator for Health Information Technology (ONC), under the Department of Health and Human Services (HHS), issued the Health IT Strategic Plan, which addresses the role of health IT within HHS’s commitment to patient safety and reducing cost through the use of information and technology. This strategy, together with other developments, creates a critical need to enhance risk management related to Health IT. Therefore, the role of IT and Security is critical to understanding the organization’s risk management, plans and maturity in this core operational area. Several studies have been performed, and new guidance is produced on a regular basis, based on the analysis of reported patient safety incidents related to IT. This session will cover the risks and opportunities of Health IT, current regulatory guidance (HHS, ONC, TJC, FDA, etc.), common best practices (ISO, AHIMA, AAMI, etc.), common issues, critical success factors, and information on key security risk areas related to Health IT.
Johan Lidros

What Do Pirates Know about Innovating for Cyberwarfare? Much More than You Think—Providing the Defense with a Way to Gain a Step Ahead of the Attacker

Since the origins of the Republic, the American people have shown a strong speculative knack that has led to novel ideas for tackling tough problems. From the first American colonists who made do with limited resources, to NASA astronauts who boldly explored space with minimal supplies in order to break free of gravity, Americans have a proud history of advancing new and effective ways of getting the job done. However, the Internet’s rapid growth has meant that the tools for operating in cyberspace are constantly changing. In such a fluid environment, does America still have the capacity to gain the advantages necessary to out-hack those who attack us in the cyber domain? In order to survive, pirates learned to develop and employ revolutionary methods to plunder the seas. Initially, the kings and queens with all their material wealth were not prepared to deal with piracy, and their navies, despite having greater numbers and better arms, were ill-equipped to combat this threat. Eventually, kingdoms resorted to privateers to track and hunt down pirates. Perhaps learning more about this development, which ended the pirate threat on the seven seas, may help to advance how our nation can develop more effective cyber tools for defeating our cyber threats.
Ernest Wong

Pwning Evolution or The Hitchhiker’s Guide To Hacking Meatspace

During this talk, we will provide the traditional hacking community with information, details, plans, and an introduction to the biohacking ideology. By applying the hacker mindset to humanity and our biological capabilities and experiences, we believe we can improve our existence in a great many ways. As hackers ourselves, we understand that curiosity, exploration, and exposing and exploiting vulnerabilities are critical in creating change. We apply this mentality to biology and meatspace to create change and evolution in our existence. Whether it is something as simple as creating an ability for a deaf person to "hear" through haptic feedback, or the ability to "heal" genetic wounds, we are always seeking ways of improving our existence and extending humanity beyond its current constraints. This talk is merely an introduction to the subject and should appeal to anyone with a curious or hacking mindset. It is not controversial, yet raises important questions that our community should address. How important are hackers to our world? How can we change it for the better? What is the extent of our capabilities? These are all questions that should be addressed, but first we need to understand what possibilities exist. What can we do to make sure our futures are both rich and abundant, yet secure? This is a question unique to the BSides Tampa audience, and we are eager to explore the response together.
Jennifer Szkatulski

Network traffic analysis via packet-to-note sound translation.

TLDR: Nifty Python tool to play music corresponding to network traffic that contains the potential for an accessibility function for the visually-impaired. Originally conceived of as a cool idea to examine network traffic generated by penetration testing in lieu of reviewing tcpdump or Wireshark output, p@quetr@quet turned into a technically valid means for creating music from network traffic patterns. Also, by creating a sound-based representation of network traffic, the utility provides insight into normal traffic patterns as opposed to oddities such as ICMP ping or UDP/TCP port scans. Anyone, whether an analyst or tester, interested in keeping track of the network can listen to the sounds of the packets instead of scrolling through Wireshark or tcpdump output. As an example, if a port scan was observed by the monitoring interface, those packets would correspond to different sounds, thereby yielding an aural experience matching that traffic pattern. Visually-impaired individuals could be trained as to the notes and corresponding packets and be empowered to conduct hitherto inaccessible network analysis. The project is at a very basic level, albeit with a functioning proof of concept script to demonstrate both live traffic examples and previously recorded packet captures.
Killian Ditch

Crash Course to Building Decentralized Blockchain Applications

ICOs and DApps are all the hype this year and they are about to have a massive impact on the state of the tech and cybersecurity industries, but do we really understand how they work? Let’s take a closer look at the inner workings of Blockchain and Ethereum from ‘What is a blockchain?’ all the way to ‘How do Merkle Patricia Hash Trees work?’. We’ll then take a closer look at the stack used to build some of the most popular DApps on the market today. Once we get the fundamentals out of the way, we’ll then fire up Emacs and launch our own decentralized app and ICO B-Sides Coin!
Kevin Hodges

Closing Remarks

EC Council Award - Wesley Alvarez BSI - Dan Doyle
Wesley Alvarez

Closing Keynote – Fraud; Should you worry?

How I tracked down carders and infiltrated criminal communities to discover the techniques used to launder money (includes live communication to the underground where live carders are chit-chatting). What I’ve tried doing to stop them, and the outcome of such things. How our government and credit card companies fail. Should you be worried if you’re a victim? How to get your life back when your identity is used against you. Could you go to jail over someone using your tax returns?
Greg Hanis

The Lexicon Project, Risk Management, and You

This session will be conducted by (ISC)2’s very own Director for Cybersecurity Advocacy. It will cover important new initiatives at (ISC)2 to expand our association’s role in the cybersecurity profession, and provide critical new guidance and support for our membership. You will learn how we are engaging with Congress and legislative leaders, helping veterans and retraining workers, while knocking down barriers to entry into the cybersecurity profession. In addition to these exciting new programs, the session will also provide a detailed overview of risk management principles outlining why our new Lexicon Project is so important. You will learn the underpinnings of our profession, and how elements such as risk, vulnerabilities, and threat are mathematically related. Join us to get an in-depth look at how your association with (ISC)2 will be paying you even bigger dividends soon.
John McCumber

An Introduction to the “SOC for Cybersecurity” Report

Most may be familiar with SOC 2 reports, where SOC stands for “System and Organization Controls” (formerly “Service Organization Controls”, and not Security Operations Center); a SOC 2 report is an audit report about security, availability, and the like, usually done for data centers. There also exist SOC 1 and SOC 3 reports. SOC 2 reports are done by accountants, based on standards set down by the AICPA. Well, the AICPA has pushed further into cybersecurity, providing advisory and assurance services, and has released a new Cybersecurity Risk Program, covered in a new Guide for reporting on an organization’s cyber risk program, which some are calling “SOC for Cybersecurity”. What is this new “SOC for Cybersecurity” and what impact will it have on us, good or bad? How qualified are CPAs to be assessing a cybersecurity program vs cybersecurity professionals? We will take an overall look at this program from the AICPA, the components and criteria that make it up, and examine what the program does. At the end, participants will have a better understanding of it and see if this is something that would be of value to their organizations.
Michael Brown

GDPR: The Impact of EU Privacy Law

The GDPR will become effective on May 25, 2017. It specifies the security and information governance requirements for the handling of information of any EU resident with which a US company (or any global company) does business, or whose internet activity is monitored from anywhere. The fines are capped at 20 million Euros or 4% of global turnover, whichever is larger. I will discuss the most pressing aspects of the law on how information is managed and the changes required of most businesses’ information infrastructures. I will compare EU law to US law and show the increasing liability for failure to meet privacy and security protection expectations. I can determine the most pressing issues of the audience and focus on their legal implications. I can also discuss certifications currently required to show competence in privacy management.
Teresa Schoch

Git Gud

I will begin with the basics of how git stores commits and uses hash pointers to keep the integrity of the files and history. I will then go into how the hash pointers work and how they are generated, including the metadata saved about each commit. I will end with creating a Git commit from scratch without using any Git commands.
Tyler Hoyt
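
The hash-pointer chain the abstract above outlines (blob → tree → commit, each object id being the SHA-1 of a typed header plus payload), shown as an added example written for this page rather than the speaker's own material; the file name, author identity and timestamp are constructed placeholders, and the tree builder assumes a flat directory of regular files:

```python
import hashlib
import zlib


def git_object_id(kind: str, payload: bytes) -> str:
    """Object id exactly as git computes it: SHA-1 over "<type> <size>\\0" + payload."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def loose_object(kind: str, payload: bytes) -> bytes:
    """Bytes git writes to .git/objects/xx/yyyy...: zlib of the same header + payload."""
    return zlib.compress(f"{kind} {len(payload)}\0".encode() + payload)


def tree_payload(entries) -> bytes:
    """entries: (mode, name, hex_id). The child id is stored as 20 raw bytes, so each
    entry is a hash pointer; entries are sorted by name (assumes files only, no subdirs)."""
    out = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        out += f"{mode} {name}\0".encode() + bytes.fromhex(hex_id)
    return out


def commit_payload(tree_id: str, parents, ident: str, message: str) -> bytes:
    """Commit metadata: tree pointer, parent pointers, author/committer, blank line, message."""
    lines = [f"tree {tree_id}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return ("\n".join(lines) + "\n").encode()


# Constructed sample identity for the example (not a real person or project).
IDENT = "Example Dev <dev@example.invalid> 1500000000 +0000"


def build_commit(file_content: bytes, parents=()) -> dict:
    """Blob -> tree -> commit; any change to the content ripples up through every id."""
    blob = git_object_id("blob", file_content)
    tree = git_object_id("tree", tree_payload([("100644", "hello.txt", blob)]))
    commit = git_object_id("commit", commit_payload(tree, parents, IDENT, "initial"))
    return {"blob": blob, "tree": tree, "commit": commit}


if __name__ == "__main__":
    original = build_commit(b"hello\n")
    tampered = build_commit(b"hello!\n")   # one byte changed in the file
    print(original)
    print(tampered)
```

The blob id for `hello\n` matches what `git hash-object` reports, and the empty tree hashes to git's well-known empty-tree id, so the functions can be checked against a real repository.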

Fostering Corporate Security Culture: Make Your Employees Hard Cyber Targets

Employees are the largest vulnerability to any cyber security program. Just as systems must be updated to the latest version or security patch, employees should receive ongoing training to maintain an awareness of the various forms of security risk (cyber, social engineering, etc.). Nielsen’s presentation will discuss the scope of threats employees face – in the office or at home – and how to increase their overall cyber security posture.
Rosa Smothers

High Performance Leadership – Maximizing the IT Work Force

To achieve maximum effectiveness and efficiency, IT organizations need to be agile. In a highly technical environment with a strict governance structure, it is difficult for managers and leaders to attain agility and maximize the resident talent within their organizations. Steve Corcoran, a retired Marine Colonel with 28 years of experience in critical organizations and currently the serving Chief of Cyber Strategy for a top 25 cyber company, brings a fresh perspective on how to achieve maximum effectiveness and efficiency. Steve’s military and civilian experience in innovative organizations with critical support functions provides an interesting and insightful way for organizations to structure their leadership practices to become a high performing organization. In his presentation he brilliantly presents:

What is a high performing IT organization?

Why is agility so important for IT?

What is a high performing IT leader?

How can organizations adopt high performing IT leader skills?

What are some of the barriers to implementation?

What are the results of high performing IT leadership?

At the end of his presentation, audiences are always left with a lot to consider and useful practices and techniques to adopt immediately that will have an immediate effect on morale and productivity.

Using Domain Fronting to Abuse Content Delivery Networks

This presentation will show a new technique for domain fronting, which enables attackers to abuse Content Delivery Networks (CDNs) to mask malware command and control (C2) traffic. While many CDNs are potentially impacted, Akamai is one of the largest. During our research we identified tens of thousands of high reputation domains served by Akamai’s CDN that can be used for domain fronting. This research demonstrates a new technique for hiding a C2 channel completely within a CDN. We will show POC tools that utilize this technique.
Andy Givens
