Panel: All Your Sploits (and Servers) Are Belong To Us: Vulnerabilities Don't Matter (And Neither Does Your Security)

Presented at DEF CON 16 (2008), Unknown date/time (Unknown duration)

Think that latest buffer overflow or XSS exploit matters? It doesn't. Think your network is secure because you have the latest and greatest IPS? It isn't. The truth is all exploits or defenses on their own are worthless; it's how you use your tools and respond to incidents that really matters. This panel, composed of top vulnerability and security researchers, will roll through a rapid-fire series of demonstrations as they smash through the security of popular consumer and enterprise devices and systems, often using simple techniques rather than the latest 0day exploits (but we'll see a few of those too). They'll then debate the value of any single attack vector or defense, and show how it's the practical application of attacks, defenses, and (more importantly) responses that really matters. From iPhones to browsers to SCADA, it isn't your advanced attack or defensive tool that matters, it's what you do with it.

Presenters:

  • David Maynor - CTO, Errata Security
    David Maynor is a founder of Errata Security and serves as the Chief Technical Officer. Mr. Maynor is responsible for day-to-day technical decisions of Errata Security and also employs a strong background in reverse engineering and exploit development to produce Hacker Eye View reports. Mr. Maynor has previously been the Senior Researcher for Secureworks and a research engineer with the ISS Xforce R&D team where his primary responsibilities included reverse engineering high risk applications, researching new evasion techniques for security tools, and researching new threats before they become widespread. Before ISS Maynor spent the 3 years at Georgia Institute of Technology (GaTech), with the last two years as a part of the information security group as an application developer to help make the sheer size and magnitude of security incidents on campus manageable.
  • Robert David Graham - CTO, Errata Security   as Robert Graham
    Robert Graham is the co-founder and CTO of Errata Security, a firm specializing in cybersecurity consulting and product verification. Mr. Graham learned hacking as a toddler from his grandfather, a WW-II codebreaker. His first IDS was written more than 10 years ago designed to catch Morris-worm copycats. He is the author of several pending patents in the IDS field. He is the author of well-regarded security-related documents and is a frequent speaker at conferences. Previously he was the chief scientists of Internet Security Systems. Before that he was the co-founder, CTO, and chief-architect of Network ICE which was acquired by Internet Security Systems.
  • Robert Hansen / RSnake - CTO, SecTheory   as Robert "RSnake" Hansen
    Robert "RSnake" Hansen (CISSP) is the Chief Executive Officer of SecTheory. SecTheory is a web application and network security consulting firm. Robert has been working with web application security since the mid 90's, beginning his career in banner click fraud detection at ValueClick. Robert has worked for Cable & Wireless heading up managed security services, and at eBay as Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-cross-site scripting, and anti virus strategies. Robert also sits on the technical advisory board of ClickForensics and contributes to the security strategy of several startup companies. Robert is best known for founding the web application security lab at ha.ckers.org and co-authoring XSS Exploits and Defense. Robert is a member of WASC, IACSP, and ISSA, and contributed to the OWASP 2.0 guide.
  • Chris Hoff - Unisys
  • Rich Mogull - Securosis
  • David Mortman - CSO in Residence, Echelon One
    As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and is leading up Siebel's product security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank. A CISSP, member of USENIX/SAGE and ISSA, and an invited speaker at RSA 2002 and 2005 security conferences, Mr. Mortman has also been a panelist and speaker at RSA 2007, InfoSecurity 2003, Blackhat 2004, 2005, 2006 and 2007, Defcon 2005, 2006 and 2007 and Information Security Decisions 2007 as well. Mr. Mortman sits on a variety of advisory boards including Qualys, Applied Identity and Reflective amongst others. He holds a BS in Chemistry from the University of Chicago.

Links: