As technology advances, the health care critical infrastructure sector comprises much of the potential attack surface of the national security landscape. Medical devices are being fitted with “smart” technology in order to better serve patients and stay at the forefront of health technology. However, medical devices that enable connectivity, like all other computer systems, incorporate software that is vulnerable to threats. Medical device recalls increased 126% in the first quarter of 2018, mostly due to software issues and vulnerabilities.
Talking to kids about online safety and careers in InfoSec seems like a no-brainer and only a matter of carving out time to get your materials together and showing up, amirite? Having tried (and tried, and tried), and failed and somewhat succeeded in getting in front of high school students, I’d like to share some of the challenges, gatekeepers and pitfalls in engaging educators and parents in what would seem like a slam dunk.
InfoSuck: The Nasty Bits Of The Industry We Want To Tell Noobs But Aren't Allowed To In Polite Company.
There are hundreds of blogs, papers, tweets, etc., that give the lowdown on “How to break into Infosec.” There aren’t any that help to guide these poor sheep past the offer letter. We’re not allowed to talk about getting laid off or fired. We’re told not to discuss our salaries with each other because it’s “impolite”. We’re discouraged from discussing these things for fear of being blacklisted or being thought of as “unprofessional”, damaged goods.
Infosec in middle school? It’s less likely than you think! Security education initiatives and curricula are being created and piloted in various school districts all over the country. However, many of those initiatives are currently focused on either high school or post-secondary education. There are few security education initiatives that target middle school students. In this talk, I will briefly explain computer science and security initiatives in the United States.
The speaker, a former Cryptographer for the National Security Agency (NSA), has previously presented “Tales from the Crypt…Analyst” where he shared some of his experiences as both a designer of and breaker of cryptographic systems. “More Tales from the Crypt…analyst” picks up with the speaker’s third “tour of duty” at NSA where he became one of the founding members of NSA’s first penetration testing or Red Team. While the thought of NSA hiring hackers or engaging in cyber warfare might be fairly common today, it was not always the case.
Cross-origin resource sharing (CORS) is extremely common on modern web apps, but scanning tools are terrible at analyzing CORS policy. If testers really understand CORS policy, a damaging exploit is often not far away. Is it possible to force a user to do something significant? Does using a GUID offer any protection? Does the authentication mechanism really protect against cross-origin attacks? Is it really risky to allow all origins? Do pre-flight requests always help?
“Who said something? What did they say? Where did they say it? What can I do with it?” These are the questions people have when working with unknown radio systems. This is the art and science of Signals Intelligence (SigInt). We discuss the basic requirements for working with SigInt, along with a sample platform using a Raspberry Pi and an RTLSDR radio receiver. The discussion will then briefly touch on other hardware that can enable SigInt work but is not incorporated in the demo platform.
The recent security events over the past year have proven that technology is not enough in defending against cyber-attacks. Attack techniques such as BGP and DNS Hijacking, and privacy issues such as unauthorized Electronic Medical Record accesses don’t get detected by traditional tools and techniques. Our best weapon in this case is our end users. In this session, Mitch Parker, Executive Director of Information Security and Compliance at IU Health will discuss the training and education techniques used to inform a team of over 34,500 and build two-way communication.
We present a high-level overview of how data science is used to extract insights from security data. Data science is an interdisciplinary field encompassing math, statistics, information science and computer science that gleans actionable information from data. With cybersecurity, data science often attempts to differentiate between the normal and the malicious. Data science has been applied to network security monitoring and malware analysis. We discuss some general principles and terminology and walk through examples.
Millions of people rely on mobile e-ticketing applications to get from Point A to Point B every day. These applications serve as vital components for mass transit and essentially power America’s major cities. But thanks to Frida – a well-known but not very popular dynamic instrumentation framework – you can easily reverse engineer mobile e-ticketing applications. In this talk, we’ll explore new application-specific attack avenues using Frida. We will be leaving the jailbreak bypasses and SSL pinning bypasses of yesteryear by the wayside as we explore a new attack vector.