iSEC Open Security Forum

About the iSEC Open Security Forum

The iSEC Open Security Forum is an informal and open venue for the discussion and presentation of security-related research and tools, and an opportunity for San Francisco and Seattle area security researchers from all fields to get together and share work and ideas. Forum agendas are crafted with the specific needs and interests of its members in mind and consist of brief 20-30 minute talks. Talks are not product pitches and are not strongly vendor-preferential. Attendance is by invitation only and is limited to engineers and technical managers. Any area of security is welcome, including reversing, secure development, new techniques or tools, application security, cryptography, etc.

Upcoming Meetings:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

iSEC Open Forum Bay Area

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

DATE: Thursday, June 4, 2009
TIME: 6:00pm-9:00pm
LOCATION: Cisco Building 24 (1st Floor)
510 McCarthy Blvd.
MILPITAS, CALIFORNIA 95035

Please RSVP to rsvp@isecpartners.com if you wish to attend!

***technical managers and engineers only please*** ****food and beverage provided****

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

AGENDA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

SPEAKER: Chris Paget / Team Lead, eBay Infosec Research and Testing
PRESO TITLE: RFID Countermeasures
PRESO SUMMARY: It's commonly known that most RFID tags can be copied. What isn't commonly known is that most commercial RFID shielding products don't actually work. In this presentation I'll demonstrate RFID cloners for a range of different tag types, show how poorly the most common types of RFID shield perform, and explain how to kill unwanted RFID tags with a disposable camera, a switch, and a few turns of wire.

SPEAKER: Kate McKinley / Senior Security Consultant / iSEC Partners
PRESO TITLE: Cleaning Up After Cookies
PRESO SUMMARY: Modern web browsers and plugins are rapidly expanding web developers’ ability to store data on users’ systems, while simultaneously adding features which allow users the perception of more control over that data. Users need to be confident that their perceptions match reality. Unfortunately, the privacy modes offered by browsers are still evolving (several are only available as betas), and none remove all the tracking data users might expect them to block. A tool was created to set and report on different data stores. This talk presents the findings from running this tool using several major browsers with two plug-ins across three common operating systems. Current browsers are unable to extend tracking protection to third party plug-ins such as Google Gears and Adobe Flash. Some of these require no user prompting under common configurations and even expose tracking data saved with one browser when visited by a different browser. We also recommend approaches for solving these problems.

SPEAKER: Brandon Sterne / Security Program Manager / Mozilla
PRESO TITLE: Content Security Policy: XSS Mitigation and more...
PRESO SUMMARY: XSS is possible because browsers cannot differentiate between a website's legitimate content and any content injected or modified by an attacker. Content Security Policy provides a mechanism for sites to explicitly state what should be treated as valid sources for JavaScript, images, CSS and other types of content.
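As an added illustration of the mechanism this abstract describes (example code written for this page, not Mozilla's implementation and not material from the talk): a simplified source-list matcher that parses a policy string and decides whether a script, image or stylesheet load from a given URL is permitted, falling back to default-src when no more specific directive exists. It also reports whether inline script is allowed, which is the property that makes injected script blocks fail under a policy that lists only external sources. The policy string, page origin and resource URLs are constructed examples; ports, paths, nonces, hashes and several other source keywords of the full specification are deliberately left out.

```javascript
// Simplified Content Security Policy source matching, written as an
// illustration for this page. Not Mozilla's implementation; the policy,
// origin and URLs used below are constructed examples.

// Parse "directive src src; directive src" into { directive: [sources] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression permit loading the given URL from a page
// served from pageOrigin (e.g. "https://shop.example.com")?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  // Scheme-only source such as "https:" permits any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol === source.toLowerCase();
  }
  // Host source, optionally prefixed with a scheme and/or "*." wildcard.
  let scheme = null;
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/i);
  if (m) {
    scheme = m[1].toLowerCase() + ':';
    host = m[2];
  }
  if (scheme && url.protocol !== scheme) return false;
  if (host.startsWith('*.')) {
    const suffix = host.slice(1).toLowerCase(); // ".example.com"
    const name = url.hostname.toLowerCase();
    return name.endsWith(suffix) && name.length > suffix.length;
  }
  return url.hostname.toLowerCase() === host.toLowerCase();
}

// Select the source list that governs a directive: the directive itself,
// else default-src, else no restriction at all.
function governingSources(policy, directive) {
  const directives = parsePolicy(policy);
  return directives[directive] || directives['default-src'] || null;
}

// Is a load of the given type (script-src, img-src, style-src, ...) from
// resourceUrl permitted by the policy?
function isAllowed(policy, directive, resourceUrl, pageOrigin) {
  const sources = governingSources(policy, directive);
  if (!sources) return true; // nothing in the policy covers this type
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Is inline content of this type (e.g. an injected <script> block) allowed?
// Only the 'unsafe-inline' keyword re-enables it once a policy applies.
function allowsInline(policy, directive) {
  const sources = governingSources(policy, directive);
  if (!sources) return true;
  return sources.includes("'unsafe-inline'");
}

// Constructed example: a shop that serves its own assets and one CDN.
const EXAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *";
const PAGE_ORIGIN = 'https://shop.example.com';

const checks = [
  ['script-src', 'https://shop.example.com/app.js'],     // own origin
  ['script-src', 'https://cdn.example.com/lib.js'],      // listed CDN
  ['script-src', 'https://attacker.example.net/x.js'],   // not listed
  ['style-src',  'https://cdn.example.com/site.css'],    // falls to default-src
  ['img-src',    'http://tracker.example.org/pixel.png'] // wildcard
];
for (const [directive, url] of checks) {
  console.log(directive, url, isAllowed(EXAMPLE_POLICY, directive, url, PAGE_ORIGIN));
}
console.log('inline script allowed:', allowsInline(EXAMPLE_POLICY, 'script-src'));
```

The fallback in governingSources is the part worth checking in any policy you ship: a site that sets script-src but forgets default-src leaves every other content type unrestricted, and a policy that adds 'unsafe-inline' to script-src gives up the XSS protection the abstract describes.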

Interested in presenting at a future Forum? Email forum@isecpartners.com. Talks should be 20-30 minutes max.

Past Meetings:

Date: Thursday, April 23rd, 2009
Location: iSEC Seattle Office (1st Floor Conference Room)
Andreas Junestam / Partner / iSEC Partners / “Win32 Userland Anti-Debugging: A walk in the valley of the less known”
Michael Eddington / Principal Security Consultant / Leviathan / “A Can of Peaches”

Date: Thursday, March 5, 2009
Location: iSEC San Francisco Office
Chris Evans / Information Security Engineer / Google / "Cookie Forcing" - In this presentation, we'll see that cross-domain issues are still relatively common in browsers
Jesse Burns / Partner / iSEC Partners / The new Android mobile phone platform, its security model, and the novel IPC and security mechanisms it implements
Peter Eckersley / Staff Technologist / Electronic Frontier Foundation / "Switzerland" is a free/open source software tool for testing the integrity of data communications over networks

Date: Thursday, January 22nd, 2009
Location: iSEC Seattle Office (1st Floor Conference Room)
Billy Rios / Security Engineer / Microsoft Corp. “Cross domain leakiness: Divulging sensitive information and attacking SSL sessions”
Rachel Engel / Security Consultant / iSEC Partners “Why I wrote my own web proxy (when there are so many already available).”
Ian Hellen / Senior Security Engineer in Windows Security Assurance / Microsoft Corp. “Probing the Far Corners of Windows – Using Code Characteristics to Find Security Bugs”

Date: Thursday, December 11, 2008
Location: iSEC San Francisco Office
Riley Hassell / Senior Security Consultant / iSEC Partners / "Exploiting Rich Content - An assessment of file formats used by Rich Internet Applications"
Jennifer Granick / Civil Liberties Director / Electronic Frontier Foundation / "The DMCA, computer security, cell phones and you"
Alex Vidergar / Security Consultant / iSEC Partners / "Concurrency Attacks in Web Application Controls"

Date: Thursday, August 28
Location: iSEC Partners Seattle Office
Scott Stender / Co-Founder and VP / iSEC Partners / "Concurrency Attacks in Web Applications"
Richard Johnson / Computer Security Specialist / Microsoft / "Visualizing Software Security"
John Heasman / VP of Research / NGS Software / “Who needs Java in a world of Ajax, Flash and Silverlight? The Bad Guys do.”

Date: Thursday, August 21
Location: eBay Town Hall, San Jose, CA
Alex Stamos / Co-Founder and VP / iSEC Partners / "Living in the RIA World:"
Gordon Lyon "Fyodor" / Hacker / Insecure.Org / "The New Nmap"
Chris Paget / Distinguished Engineer / eBay / "Real World Malware"

Date: Wednesday, April 30
Location: iSEC Partners Seattle Office
Bruce Dang / Security Software Engineer / Security Windows Initiative Group, Microsoft - “Methods for analyzing malicious Office documents used in targeted attacks”
Felix von Leitner / Co-Founder / Code Blau - “Compiler Optimizations”
Alex Stamos / Co-Founder and Vice President / iSEC Partners - “Breaking Forensics”

Date: Thursday, April 10
Location: San Francisco
Meeting Agenda:
Tal Garfinkel, VMware - "Virtual Machine Monitor (VMM) Security: Current Research on Virtual Machine Security"
Luis Miras, RingZero – “Developing IDA Pro Plugins”
Scott Stender, iSEC Partners - “Attacking Internationalized Software”

Date: Thursday, January 10
Location: San Francisco
Meeting Agenda:
Rich Cannings - “Cross Site Scripting and Common ActionScript Coding Practices”
Fred Bret-Mounet - "How to use asp.net's pipeline model to insert an application firewall in front of your web server. This talk will cover the requirements, options, lessons learnt and areas of improvement."
Nate Lawson - "Recent Attacks on SSL/TLS"
Seth David Schoen- "Pcapdiff"

Date: Thursday, October 18
Location: San Francisco
Meeting Agenda:
Luis Miras - "RF Wireless Vulnerabilities"
Josha Bronson - "Fenum: a tool to enumerate HTML filtering in web applications"
Zane Lackey and Alex Garbutt - "Point, Click, RTPInject"