What does Phishing, DEFCON, and Metasploit Have In Common?

Pat Cain (Boston College)

This talk consists of three parts. First up, a short talk on what the Anti-Phishing Working Group (APWG) has recently been seeing on online crime. This is not a “how to do electronic crime”, but rather things you may want to watch out for. Second, a short “Interesting things I learned at DefCon17”. The talk concludes with a little introduction to the MetaSploit Framework (MSF). Some of you may have heard of it, but if you haven’t recently used it, this talk will bring you up to speed on why you need to know about it. Bring coffee.

Slides From the Presentation (pdf)

Wireless Pen Testing : TNG

Kurt Keville (MIT) and Mike Kershaw (Aruba Networks)

Wireless Internet access has been broadened nationwide in recent years due to a number of (mostly) municipal wireless initiatives, primarily incentivised by bills like the Broadband Technology Opportunities Program. As more networks are built around wireless, a predictable increase in exploit activity will follow in lockstep. In this overview, we attempt to describe the depth and breadth of the contemporary problems, both demonstrable and potential, and suggest partial social defenses.

Slides From the Presentation (OpenOffice Impress)

Slides From the Presentation (pdf)

Scrambling for Compliance in Data Privacy: Retooling Your Contracts

John J. Smith, Esquire (VistaLaw International, LLC)

Regulations relating to the protection of personal data are burgeoning. Evolving federal, state and private industry standards are becoming increasingly prescriptive, requiring e-commerce businesses handling sensitive “private” data to deploy very concrete information security programs. This article focuses on one aspect of such a program, effective vendor contract management, and suggests a number of practical steps to address the most problematic, risk-laden situations and renegotiate arrangements as necessary.

Slides From the Presentation (pdf, as presented at camp)

Slides From the Presentation (pdf, updated for August 17th amendments to regulations)

Web Application Security & Vulnerability Management Tools

Roy Wattanasin (Children’s Hospital Boston)

“79% of breached records are web application attacks,” as stated in the 2009 Data Breach Investigations Report conducted by the Verizon Business Risk Team. “30% of the 57 attacks were carried out by SQL injection,” from the 2008 Web Hacking Incidents Database Annual Report conducted by Breach Security.

The importance of web application security is often underestimated until an application faces a major security breach that causes major downtime or serious loss. Today, it is mandatory to develop a proactive security approach during the application development lifecycle that identifies critical security aspects. Architects, developers and security professionals must work together to design and implement security into their applications proactively. Join Roy in this discussion as he talks about some valuable steps in integrating security into the application development lifecycle. Use tools and templates to your advantage! We’ll also talk about other vulnerability management tools in the latter half of the presentation. Remember to bring your own questions and scenarios regarding your own issues.

Slides From the Presentation (pdf)

Developments in Public Safety Technology: Information Sharing; Consolidation and Ubiquitous Broadband

John Grossman (Commonwealth of Massachusetts Executive Office of Public Safety and Security)

Public Safety in Massachusetts has long talked about how best to leverage technology to better protect and serve the Commonwealth. Less has been done, with most of the progress occurring in isolated pockets. We are still nowhere near what viewers of 24 expect, but for the first time we are now pursuing a strategic plan for technology and implementing statewide solutions that make a difference on the street. The three pillars that our work is built on are: information sharing; consolidation of IT resources; and developing public safety access to broadband.

Slides From the Presentation (pdf, 5MB)

PCI Q&A LOL

Daniel Adinolfi (Cornell University)

The Payment Card Industry Data Security Standard (PCI DSS) is a huge, complex, and mandatory set of technical and administrative requirements dictated by the credit card industry upon anyone who is involved in credit card transactions. The requirements create an environment very foreign to those found in most higher education institutions. Also, some of the requirements demand a degree of interpretation and nuance that complicates any efforts to achieve compliance. Join Dan Adinolfi of Cornell University in a discussion of the PCI DSS and bring your questions and scenarios regarding your own compliance issues.

Slides From the Presentation (pdf)

The Columbia PAIRS (Bayesian IDS) system

Joel Rosenblatt (Columbia University)

The Columbia PAIRS system is our Bayesian IDS for a decentralized IT environment; it runs on NetFlow data only.

Slides From the Presentation (pdf)