Today’s IT environment increasingly employs a variety of devices that are intelligent and Internet-connected – but are not computers or phones. What’s the best strategy for securing these devices as they are added to your corporate computing environment? What can you do during the deployment phase to ensure that attackers don’t use these devices as a means to compromise your corporate data? A top IoT security expert offers some insight.

About Daniel Miessler
Daniel Miessler is the Director of Advisory Services at IOActive and has 17 years of experience in information security. His background is in technical security testing and enterprise defense, including network, web, application, mobile, IoT testing, and adversary-based risk management. He is the leader of the OWASP IoT Security project and speaks regularly at conferences, on panels, and to the media on the topics of information security and technology trends. He also produces a blog, podcast, and newsletter with similar themes.

About Dark Reading Cyber Security Crash Course
Every day, your IT organization is abuzz with news of new hacks, breaches, and cybersecurity vulnerabilities and it’s up to your IT organization to prevent them from affecting your business. In practice, however, many IT departments work in silos. You might know a great deal about IT, but do you really know everything you should about the current cybersecurity environment and emerging threats?

In this two-day Interop ITX Summit program, the Dark Reading editorial team and some of the industry’s top cybersecurity experts will offer a crash course in what you need to know about data security and the dangers faced by your organization. You’ll get “speed reads” on each key area of security, providing you with the essential elements your organization should know about cyber defense, as well as an overview of the latest exploits. You’ll get insight on how to detect a compromise of your IT environment, and recommendations on how to respond. Best of all, you’ll have an opportunity to ask the experts the key questions you must answer in your environment – in a supportive, collegial setting where there are no dumb questions.

About IOActive
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.

Corey Thuen, Senior Security Consultant for IOActive, will present “Your Car is Trying to Kill You, and Other Reality Checks”

There is a widely known concept called “Peak Oil,” that essentially says there’s a limit to how much oil we can produce, after which point production must decline and new energy sources must be found. This presentation by Daniel Miessler applies a similar methodology in exploring the concept of “Peak Prevention,” as it relates to cybersecurity. The idea is that there is only so much prevention that can be done to protect systems from attack and when putting defenses in place, you do eventually reach diminishing returns, at which point other methods of risk reduction must be identified and employed.

Daniel will explore the question of how close we are to Peak Prevention in cybersecurity currently, and what other approaches to risk reduction are available to consider.

About Daniel Miessler
Daniel Miessler is the Director of Advisory Services at IOActive and has 17 years of experience in information security. His background is in technical security testing and enterprise defense, including network, web, application, mobile, IoT testing, and adversary-based risk management. He is the leader of the OWASP IoT Security project and speaks regularly at conferences, on panels, and to the media on the topics of information security and technology trends. He also produces a blog, podcast, and newsletter with similar themes.

About AppSec California
OWASP’s 4th Annual AppSec California Conference is a unique opportunity for information security professionals, developers, pentesters, and QA and testing professionals, as they converge to learn and share experiences about secure systems and secure development methodologies. Attendees will hear from world-renowned speakers, as well as participate in trainings and networking events. OWASP Los Angeles Chapter teamed up with the Orange County, Santa Barbara and San Diego chapters to host the conference.

About IOActive
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions.  Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.

There is a widely known concept called “Peak Oil,” that essentially says there’s a limit to how much oil we can produce, after which point production must decline and new energy sources must be found. This presentation by Daniel Miessler applies a similar methodology in exploring the concept of “Peak Prevention,” as it relates to cybersecurity. The idea is that there is only so much prevention that can be done to protect systems from attack and when putting defenses in place, you do eventually reach diminishing returns, at which point other methods of risk reduction must be identified and employed.

Daniel will explore the question of how close we are to Peak Prevention in cybersecurity currently, and what other approaches to risk reduction are available to consider.

About Daniel Miessler
Daniel Miessler is the Director of Advisory Services at IOActive and has 17 years of experience in information security. His background is in technical security testing and enterprise defense, including network, web, application, mobile, IoT testing, and adversary-based risk management. He is the leader of the OWASP IoT Security project and speaks regularly at conferences, on panels, and to the media on the topics of information security and technology trends. He also produces a blog, podcast, and newsletter with similar themes.

About AppSec California
OWASP’s 4th Annual AppSec California Conference is a unique opportunity for information security professionals, developers, pentesters, and QA and testing professionals, as they converge to learn and share experiences about secure systems and secure development methodologies. Attendees will hear from world-renowned speakers, as well as participate in trainings and networking events. OWASP Los Angeles Chapter teamed up with the Orange County, Santa Barbara and San Diego chapters to host the conference.

About IOActive
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions.  Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.

The Antikernel – Hardware and Unprivileged Software
Dr. Andrew Zonenberg, January 10, 2017 – 10:30 am ET
Modular design has long been used in critical systems in order to ease verification and contain damage in the event of a failure (whether accidentally or maliciously induced). Truly compartmentalized real-time operating systems, however, have remained elusive. We present Antikernel, a novel decentralized operating system architecture composed entirely of hardware and unprivileged software, and discuss the applicability of the architecture to SCADA systems.

Tools for Practical Attacks on Analog-to-Digital Converter
Alexander Bolshev, January 10, 2017 – 2:30 pm ET
While we live in the analog world, we program and develop digital systems. The key element connecting these two worlds are ADCs (analog-to-digital converters), small integrated circuits (IC) that transform physical variables (amperage or voltage) into a bunch of bytes. It is important for the ADC to interpret and transform its data correctly. Ignoring this fact, especially in the ICS and embedded worlds, could lead to significant safety issues, and in the worst case, could have catastrophic consequences.

Due to the nature of the ADC’s conversion mechanisms it is possible to generate special signals (with arbitrary waveform, frequency and amplitude) that could be interpreted differently by devices on the same fieldbus. These “features” could be used for attacking or hiding attacks against ICS infrastructures. This session will demonstrate how to use AA-filters for attack and defense, and cover other types of ADCs, such as flash and pipeline. The main part of the talk will be about tools that could be used for such attacks: custom hardware boards for modeling and experimenting, and special firmwares for PLCs, sensors and transmitters.

Automatic Generation of Process Models Using Motion Acceleration Algorithms
Jason Larsen, January 11, 2017 – 10:45 am ET
Trivial disruption of a process is easy. Almost anything can cause a process to shut down. But to really cause more non-trivial damage, the attacker typically needs the process to stay up while it’s manipulated. This requires a model of the process, and is one of the least understood parts of ICS hacking. After the attack, focus is placed on why the payload worked and little is discovered about the process the attacker used to generate the physics payload.

In general, signals that are related by physics tend to move together. Bumping into the side of a table not only makes the table shake, but all the items on the table shake as well. They also tend to move at the same frequencies. Recent advances in motion acceleration algorithms have the potential to revolutionize this step. If those algorithms are applied to process data, a basic model of the process can be built with little or no human interaction. This presentation will take data from a water treatment plant and use it to show how a process model can be built directly from process data using motion acceleration algorithms.

About Andrew Zonenberg
Dr. Andrew Zonenberg is a senior security consultant at IOActive. He received a PhD and BS in computer science from Rensselaer Polytechnic Institute, where he designed and taught the first ever full-semester course on semiconductor reverse engineering.

His primary research focuses are integrated circuit (IC) security, IC reverse engineering, and embedded/hardware security. Other research interests include computer and system on chip (SoC) architecture, programmable logic, and operating system security. He is an active contributor to siliconpr0n.org and a regular speaker at industry and academic conferences in both the USA and Canada.

About Alexander Bolshev
Alexander Bolshev is a Security Consultant for IOActive. He holds a PhD in computer security and his research interests lie in distributed systems, mobile, hardware, and industrial protocols security. He is the author of several whitepapers on topics of heuristic intrusion detection methods, SSRF attacks, OLAP systems, hardware, mobile, and ICS security. He has presented at conferences including Black Hat USA/EU/UK/Asia, ZeroNights, t2.fi, S4, CONFIdence, and others.

About Jason Larsen
Jason Larsen is Principal Security Consultant for IOActive, focusing primarily on SCADA systems and the security of critical infrastructure. Jason joined IOActive from Idaho National Labs (INL) where he performed security assessments of the software and hardware that runs the planet’s critical infrastructure. During his tenure at INL, he conducted full-scope assessments of all major power control system vendors. In addition to laboratory tests, he has performed live power grid penetrations in multiple countries, allowing him to gain control of electric power for a short period of time. Jason has worked in other sectors including chemical manufacturing, pharmaceutical, petroleum, and water.

Before his career in SCADA security, Jason explored numerous other fields, including modelling neutron beams for use in treating brain tumors and writing software to analyze nerve impulses. He has also acted as the analyst of last resort for critical infrastructure malware and served on the Windows 7 penetration testing team.

About s4x17
s4x17 entails three days of advanced ICS cybersecurity on three stages with the top 500 people in ICS security. This is is the event for people who understand the basics and want to learn and discuss advanced content with their peers. Topics will include ICS certification, machine learning, securing IoT, industrial drones, and more.

About IOActive
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, WA, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.

On October 21, Internet connectivity in parts of the United States slowed to a crawl as thousands of net-connected, malware infected devices unwittingly staged a massive denial of service attack. By 2020, there will be anywhere from 20 billion to 50 billion internet-connected devices, including about one in five cars, according to industry forecasts. This panel will discuss what can be done to leverage the growing power of the Internet of Things without further spreading vulnerabilities.

About John Sheehy
John Sheehy is the Vice President of Strategic Services for IOActive. He has over 20 years of system architecture, systems integration and information security experience and holds over thirty technical certifications in various disciplines. John has overseen multiple client projects in identity management, threat modeling, industrial control systems security, risk assessment, security policy, secure device design, and incident & breach simulation and response services.

About Defense One Summit
At the 4th Annual Defense One Summit, global security leaders will gather to explore three themes — Crisis, Conflict, and Continuity — as the American presidency shifts to a new commander in chief. As the war on terrorism rages on, senior officials will sit with national security journalists to discuss their views, goals, and predictions about a range of issues, from daily combat in Iraq to the grand-strategy games of the great powers, and the challenges of managing budgets, equipment, and people as they shift to a new administration.

About IOActive
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.

We are used to working with digital systems, but the world around us is analog. Digital devices use tools to transform data from analog to digital (the most simple one is an analog-digital converter) to deliver some intended impact on something in the world, or on the contrary, to gather information about it. Various AD converters interpret analog signals differently with certain features, even if they are connected to the same line. This may lead to a false perception of the state of a system managing a process or incorrect data in the sensor output, which also affects the process. This presentation will cover various tools and methods for impacting the analog-to-digital transformation, which enables us to attack SCADA and other systems.

About Alexander Bolshev
Alexander Bolshev is a Security Consultant for IOActive. He holds a Ph.D. in computer security and works as an assistant professor at Saint-Petersburg State Electrotechnical University. His research interests lie in distributed systems, as well as mobile, hardware, and industrial protocol security. He is the author of several whitepapers on topics of heuristic intrusion detection methods, Server Side Request Forgery attacks, OLAP systems, and ICS security. He is a frequent presenter at security conferences around the world, including Black Hat USA/EU/UK, ZeroNights, t2.fi, CONFIdence, and S4.

About ZeroNights 2016
ZeroNights is an international conference devoted to practical aspects of cybersecurity. It is a perfect place to discuss new attack methods and threats. ZeroNights is intended to show attendees ways to both attack and defend, as well as suggest unorthodox approaches to solving cybersecurity problems.

About IOActive
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.

The latest version of Windows 10 (Anniversary Update) has raised the bar again when it comes to successfully exploiting a kernel vulnerability. Microsoft made a step forward by killing the GDI Objects kernel pointers leakage which was widely used after the infamous hacking team exploit. Also, with the randomization of the paging structures, the system now boosts full KASLR, which leads to the requirement of a memory disclosure bug in order to get control of RIP either by ROPing or DKOM techniques.

This presentation will show the side-channel attack called DrK aka “De-randomizing Kernel Address Space” applied to the randomization of the PML4 structure. By combining the TSX instructions and several tricks to get reliability, one is able to determine the exact location of the “PML4 SelfRef Entry”. After this point, all the known attacks against the paging structures can be carried out as if the KASLR never existed.

About Enrique Nissim
Enrique Nissim is a Senior Consultant at IOActive. His experience and interests include reverse engineering, exploit development, programming and application security. He has also been a regular speaker at other international cybersecurity conferences, including Ekoparty and CansecWest, where he’s recently presented research on OS kernel exploitation.

About ZeroNights 2016
ZeroNights is an international conference devoted to practical aspects of cybersecurity. It is a perfect place to discuss new attack methods and threats. ZeroNights is intended to show attendees ways to both attack and defend, as well as suggest unorthodox approaches to solving cybersecurity problems.

About IOActive
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.

Finding the Balance between Privacy and Security
As cities wire up with more smart sensors to measure everything from flood water to human traffic, security efforts have to overcome various challenges to protect the critical infrastructure. Yet collecting, correlating and acting upon mountains of digital data can be considered an unjustified invasion of privacy undermining civil liberties. This panel will discuss how governments can enjoy the benefits of Big Data while respecting privacy and security.

Making Our Cities a Safer Place to Live
Insecurity has moved from being a social issue to being a serious development constraint as it discourages local investment and prevents the participation of people in active life, while restricting their access to services. Governments should take the lead in building safer communities. This panel will discuss how governments can ensure that investments and activities are delivered in close consultation with citizens and relevant stakeholders.

About Cesar Cerrudo
Cesar Cerrudo is Chief Technology Officer for IOActive Labs, where he leads the team in producing cutting-edge research. Cesar manages IOActive’s responsible disclosure process and is the main liaison between IOActive and CERT. Cesar is a world-renowned security researcher and specialist in application security. He is credited with discovering and helping to eliminate dozens of vulnerabilities in leading applications, including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft Windows, Yahoo! Messenger, and Twitter. Cesar has authored several papers on database and application security, as well as attacks and exploitation techniques based on his research. More recently he’s conducted research on the Internet of Things (IoT) and traffic control systems.

About Smart City Expo World Congress
Smart City Expo World Congress (SCEWC) is the international summit of discussion about the link between urban reality and technological revolution. Since its first edition in 2011, it has succeeded to become a referential global event to support the development of our cities. This professional, institutional and social meeting point is a leading platform of ideas, networking, experiences and international business deals that gathers together the highest level of stakeholders, in the context of urban development.

About IOActive
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.

In a data-driven world, city planners are increasingly considering cybersecurity a key focus in their critical infrastructure. Today’s hackers can strike from anywhere. Thus it is crucial to protect infrastructures and beef up defenses. Managers may also consider how to recover from a situation where systems are compromised. This panel will discuss how cities can develop a robust strategy for protecting all that the new connectedness offers to ensure digital safety.

About Alfredo Pironti
Alfredo Pironti is a Managing Consultant at IOActive’s Madrid hardware lab, helping IOActive’s clients to assess and improve their security posture by identifying security-critical assets and designing effective test plans. His prior experience includes teaching at Italian and French universities, leading research on cryptographic protocols and the development of miTLS, the first formally verified implementation of Transport Layer Security (TLS).

About Smart City Expo World Congress
Smart City Expo World Congress (SCEWC) is the international summit of discussion about the link between urban reality and technological revolution. Since its first edition in 2011, it has succeeded to become a referential global event to support the development of our cities. This professional, institutional and social meeting point is a leading platform of ideas, networking, experiences and international business deals that gathers together the highest level of stakeholders, in the context of urban development.

About IOActive
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.

This is a wake-up call for vendors implementing brain wave technologies. Security needs to be built into the design of these products in order to prevent a repeat of what happened with SCADA/ICS ~10 years ago. This talk will demonstrate how many brain wave technologies are prone to well-known attacks.

Alejandro will provide a brief introduction of BCIs (Brain-Computer Interfaces) and EEG (electroencephalography) will be given to convey the risks involved in brain signals processing, storage and transmission.

Live demos including sniffing and modification of brain signals over TCP/IP will be given during this presentation.

About Alejandro Hernandez
With more than 13 years immersed in bits and bytes related to security, Alejandro is currently a Security Consultant at IOActive, where he has contributed to various projects with Fortune 500 companies on multiple continents. His areas of expertise include code failures, corporate security (standards, compliance, audit), physical security, OSINT, fuzzing and many more topics. He is the author of fuzzer Melkor and co-author of the fuzzer Dotdotpwn, both of which are projects he presented at Black Hat Arsenal in Las Vegas, and has also presented other research at DEF CON in the village of Bio Hacking; BruCON in Belgium; Campus Party in Colombia and Mexico; AlligatorCON in Poland, and BugCON in all editions.

About BugCon
BugCON is a computer security event that is purely technical and aimed at bringing together researchers, professionals, industry, universities and government agencies. The conference aims to show latest investigations in the field of computer security and technology, through interaction with the great exponents of the world of computer security.

About IOActive
IOActive is the industry’s only research-driven, high-end information security services firm with a proven history of better securing our customers through real-world scenarios created by our security experts. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering across multiple industries. IOActive is the only security services firm that has a dedicated practice focusing on Smart Cities and the transportation and technology that connects them. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, US, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.