
Article Categories: PRESS RELEASE: SPEAKER ALERT

PRESS RELEASE: SPEAKER ALERT | November 9, 2013

Lucas Apa, Security Researcher for IOActive, and Carlos Penagos, Senior Security Researcher for IOActive, to present at PacSec 2013 Conference

PRESENTER: Lucas Apa, Security Researcher for IOActive and Carlos Penagos, Senior Security Researcher for IOActive
PRESENTATION: Compromising Industrial Facilities From 40 Miles Away
CONFERENCE: PacSec 2013 Conference
LOCATION: Aoyama Diamond Hall, Tokyo, Japan
DATE & TIME: Wednesday November 13, 2013 at 10:50am
INFO: http://pacsec.jp/index.html

 

Lucas Apa and Carlos Penagos uncovered multiple critical vulnerabilities in wireless technologies that are extensively used in the ICS world. Recently, they conducted a security assessment of the next generation deep-sea oil platforms and discovered that a carefully developed security architecture and its careful implementation are essential regardless of the location. In their presentation, Lucas and Carlos reveal the dangers of using poorly implemented and vulnerable communication technologies in facilities that are inherently high profile targets for terrorists where the price of an attack can be catastrophic. Their presentation will help you understand and appreciate the measures that you need to take to mitigate and protect against this new class of threat.

About Lucas Apa
Lucas Apa is a Security Researcher at IOActive, Inc. His main interests are exploitation techniques, embedded reverse engineering, kernel vulnerability research, and cryptography. Focused on offensive security, he publicly discovered critical vulnerabilities in Microsoft® Windows®, Siemens access controls and Apache products. His work has been presented at conferences including Ekoparty and Black Hat Europe. As a Security Consultant, he provides comprehensive security services working with a majority of Global 500 companies including power and utility, game, hardware, financial, media, retail, aerospace, healthcare, high-tech, social networking, and software development organizations. Lucas is currently pursuing a graduate degree in Computer Engineering.

About Carlos Penagos
Carlos Penagos is a Senior Security Researcher and consultant for IOActive. He has worked around the world doing consulting and security training. His main areas of expertise are exploitation, reverse engineering, bug hunting, and cryptography. Carlos holds a Bachelor’s degree in Computer Science and has been awarded science merit honours for his graduation thesis. In his free time he disclosed several vulnerability advisories to US-CERT, ICS-CERT and CN-CERT for the world’s most used SCADA/HMI. He also likes coding theory, number theory, and ECC.

About PacSec
The PacSec meeting provides an opportunity for foreign specialists to be exposed to Japanese innovation and markets and collaborate on practical solutions to computer security issues. In a relaxed setting with a mixture of material bilingually translated in both English and Japanese, the eminent technologists can socialize and attend training sessions.

About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established pedigree in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment through to semiconductor reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA and Asia Pac regions. Visit www.ioactive.com for more information.

-###-

PRESS RELEASE: SPEAKER ALERT |

Sofiane Talmat, Senior Security Consultant for IOActive, and Andy Saunders, Managing Consultant for IOActive, to present at Kraft IS 2013

PRESENTERS: Sofiane Talmat, Senior Security Consultant and Andy Saunders, Managing Consultant for IOActive
PRESENTATION: Meters: The Risk of Being Smart
CONFERENCE: Kraft IS 2013
LOCATION: Thon Hotel Oslo Airport, Gardermoen, Norway
DATE & TIME: Thursday November 14, 2013 at 2:45pm
INFO: http://norsis.no/nyheter/2013-10-07-kraftis.html

 

Utility companies across the globe are replacing existing meters with smart meters and promoting them as tools to manage ever-increasing energy bills. Unfortunately, the increased functionality of these smart devices makes them more vulnerable to attack. IOActive’s presenters will trace the evolution of the smart meter and discuss their security vulnerabilities. Attendees will leave with a deeper understanding of the attack vectors and methods used to hack smart meters and the risks associated with this technology.

About Andy Saunders
As IOActive’s Managing Consultant for Energy Services, Andy Saunders delivers global engagements with a focus on Industrial Control Systems and Smart Grid/Metering. He is also responsible for managing technical operation teams along with risk and governance programs.

Before joining IOActive, Saunders served as the Information Security and Risk Manager at British Gas. While there, he was responsible for leading the Security Consultancy team across multiple disciplines, with his own focus on Smart Meters. Before joining British Gas, Saunders worked at Yellow Pages where he was involved in network design and engineering.

Saunders is a member of the Information Systems Security Association (London Chapter). He is also a member of the Smart Grid GB Security Work Stream Forum and the SGCG-SGIS Working Group. Saunders is OCG Certified for Management of Risk.

About Sofiane Talmat
As Senior Security Consultant for IOActive, Sofiane Talmat has over ten years of experience performing security assessments and reverse engineering engagements. He has identified vulnerabilities and developed exploits for clients in software development, telecommunications, financial services, aviation, and retail. Talmat has proven skills in design, implementation, enhancement, testing, maintenance, and support of myriad software instances. His skills are a valuable asset to assist development teams with implementing software protection mechanisms.

About Kraft IS 2013
Kraft IS is an information conference for the power industry in Norway. The goal of the event is to create a common and increased understanding of threats and the important safeguards related to information security. The event also provides the opportunity to network with others in the same function and industry. The conference is organized by the Norwegian Centre for Information Security (NorSIS) in co-operation with NVE.

Kraft IS 2013 will focus on automated measurement and control systems, the interface between IT and operational control systems and associated challenges. The participating lecturers all have expertise in SCADA, AMS and Smart Grid. Beyond this, there will be a wide range of lectures in a variety of themes, covering topics such as threats, preparedness, training and policy.

-###-

PRESS RELEASE: SPEAKER ALERT | November 6, 2013

Chris Valasek, Director of Security Intelligence for IOActive, and Charlie Miller, Security Researcher for Twitter, to present at COUNTERMEASURE 2013

PRESENTERS: Chris Valasek, Director of Security Intelligence for IOActive and Charlie Miller, Security Researcher for Twitter.
PRESENTATION: Adventures in Automotive Networks and Control Units
CONFERENCE: COUNTERMEASURE 2013
LOCATION: Ottawa Convention Centre, Ottawa, Canada
DATE & TIME: Thursday November 7, 2013 at 3:45pm

 

The original automotive computers, or Electronic Control Units (ECU), were designed and introduced to improve fuel efficiency and reduce tail pipe emissions in the 1970s. They evolved into integral parts of in-car entertainment, safety controls, and enhanced automotive functionality. This presentation examines some of the ECU controls in two modern automobiles from a security researcher’s point of view.

Chris and Charlie first cover the tools and software that you need to analyse a Controller Area Network (CAN) bus. Then, they demonstrate how to use this software to show how data can be read and written to the CAN bus. Next, they show how certain proprietary messages can be replayed by a device that is connected to an OBD-II connection. Using this connection, they take over critical car functionality, such as braking and steering. Finally, they discuss aspects of reading and modifying the ECU firmware that is installed in today’s modern automobile.

About Chris Valasek
Christopher Valasek is the Director of Security Intelligence at IOActive. He specializes in attack methodologies, reverse engineering, and exploitation techniques. Valasek is widely regarded for his research on Windows heap exploitation. He regularly speaks on the security industry conference circuit on a variety of topics. His previous tenures include Coverity, Accuvant LABS, and IBM/ISS. Valasek is also the Chairman of SummerCon, the nation’s oldest hacker conference. Chris holds a B.S. in Computer Science from the University of Pittsburgh.

About Charlie Miller
Charles Miller is a computer security researcher with Twitter. Prior to his current employment, he spent five years working for the National Security Agency. Miller demonstrated his hacks publicly on products manufactured by Apple. In 2008 he won a $10,000 cash prize at the hacker conference Pwn2Own in Vancouver, Canada for being the first to find a critical bug in the ultrathin MacBook Air. The next year, he won $5,000 for cracking Safari. In 2009 he also demonstrated an SMS processing vulnerability that allowed for complete compromise of the Apple iPhone and denial-of-service attacks on other phones. In 2011 he found a security hole in the iPhone and iPad, whereby an application can contact a remote computer to download new unapproved software that can execute any command, which could be used to steal personal data or otherwise use iOS application functions for malicious purposes. As a proof of concept, Miller created an application called Instastock that got approved by Apple’s App Store. He then informed Apple about the security hole, and Apple promptly expelled him from the App Store.

About COUNTERMEASURE 
COUNTERMEASURE is Ottawa’s premier annual IT security conference and training event featuring the best of both offensive and defensive tactics. Past speakers have included globally recognized industry security researchers, Government of Canada representatives and seasoned enterprise security experts from the private sector.

-###-

PRESS RELEASE: SPEAKER ALERT | October 31, 2013

David Balcar, Director of Services for IOActive, to present at FIRST Energy Symposium

PRESENTER: David Balcar, Director of Services for IOActive
PRESENTATION: IR: The Good, The Bad & The Ugly
CONFERENCE: FIRST Energy Symposium
LOCATION: Lansdowne Resort, Leesburg, VA, US
DATE & TIME: Monday, October 28, 2013 at 3:15pm
INFO: http://www.first.org/events/symposium/energy2013

 

In this presentation, David Balcar will give attendees the good, the bad, and the ugly of Incident Response (IR). He will cover the successes of Incident Response, as well as the pitfalls with real world examples from the Entertainment, and Banking and Finance industries. In addition to this, David will explain how to integrate cross-functional teams and what tools to use in your investigation.

About David Balcar
As Director of Services for IOActive, David Balcar is responsible for co-ordinating security projects of all sizes in the Banking, Insurance, Management, and Shipping industries across North America. Balcar is a veteran security professional with over 18 years of experience in conducting network testing, penetration testing, web application security testing, and wireless testing. He has extensive experience in security testing, computer forensics of multiple operating systems, policy review, and compliance assessments for HIPAA and PCI DSS. Balcar is also a member of the HTCIA (High Technology Crime Investigation Association), FBI’s InfraGard, and ISSA (Information Systems Security Association) and speaks regularly at IT Security forums.

In addition to providing IT security training, Balcar has presented information relating to security trends, penetration testing, top threats, and network security hardening at several national security conferences. These include HouSecCon, NAISG, Texas Technology Summit, BSidesAustin and BSidesSATX, and SecureWorld.

About FIRST Fall Symposium
The Forum of Incident Response and Security Teams (FIRST) is a global non-profit organization focused on knowledge sharing among computer incident response and security teams. The FIRST Fall Symposium will bring together computer security incident response and security team professionals from all over the world and provide a forum for experts to promote, share, and discuss issues relating to developments in the field of Incident Response relating to the Energy Sector.

The principal objective is to share the latest techniques being used, the latest kinds of attacks that have been seen, ways in which they are carried out and how they are being defended against.

-###-

PRESS RELEASE: SPEAKER ALERT |

David Balcar, Director of Services for IOActive, to present at BSides Dallas/Ft. Worth

PRESENTER: David Balcar, Director of Services for IOActive
PRESENTATION: IR: The Good, The Bad & The Ugly
CONFERENCE: BSides Dallas/Ft. Worth
LOCATION: ECSS building, University of Texas at Dallas (UTD), Richardson, Texas
DATE & TIME: Saturday November 2, 2013 at 11:30am
INFO: http://www.securitybsides.com/w/page/60987881/BSidesDFW

 

In this presentation, David Balcar will give attendees the good, the bad, and the ugly of Incident Response (IR). He will cover the successes of Incident Response, as well as the pitfalls with real world examples from the Entertainment, and Banking and Finance industries. In addition to this, David will explain how to integrate cross-functional teams and what tools to use in your investigation.

About David Balcar
As Director of Services for IOActive, David Balcar is responsible for co-ordinating security projects of all sizes in the Banking, Insurance, Management, and Shipping industries across North America. Balcar is a veteran security professional with over 18 years of experience in conducting network testing, penetration testing, web application security testing, and wireless testing. He has extensive experience in security testing, computer forensics of multiple operating systems, policy review, and compliance assessments for HIPAA and PCI DSS. Balcar is also a member of the HTCIA (High Technology Crime Investigation Association), FBI’s InfraGard, and ISSA (Information Systems Security Association) and speaks regularly at IT Security forums.

In addition to providing IT security training, Balcar has presented information relating to security trends, penetration testing, top threats, and network security hardening at several national security conferences. These include HouSecCon, NAISG, Texas Technology Summit, BSidesAustin and BSidesSATX, and SecureWorld.

About BSides
Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.

The principal objective is to share the latest techniques being used, the latest kinds of attacks that have been seen, ways in which they are carried out and how they are being defended against.

-###-

PRESS RELEASE: SPEAKER ALERT | October 25, 2013

Cesar Cerrudo, Chief Technology Officer for IOActive Labs, to present at 8.8 Security Conference

PRESENTER: Cesar Cerrudo, Chief Technology Officer for IOActive Labs
PRESENTATION: Hacking like in the movies
CONFERENCE: 8.8 Security Conference
LOCATION: Cine Arte Normandie, Santiago, Chile
DATE & TIME: Friday October 25, 2013 at 3:30pm

 

This presentation from Cesar will show how reality is catching up with hacking scenes from Hollywood movies, where hacking is often shown as mysterious and producing amazing results. Various types of attacks will be discussed and, despite the fact that some of these attacks are difficult or complex, Cesar will show you how they are technically feasible. He will demonstrate exploits such as making things explode, how to harm a person because of a hacking attack, how to cause panic in a large city, and so on.

About Cesar Cerrudo
Cesar Cerrudo is CTO at IOActive Labs, where he leads the team in producing ongoing, cutting-edge research in the areas of SCADA, mobile device, and application security, to name a few. Formerly the founder and CEO of Argeniss Consulting−which was acquired by IOActive−Cesar is a world-renowned security researcher and specialist in application security.

Throughout his career, Cesar is credited with discovering and helping to eliminate dozens of vulnerabilities in leading applications including Microsoft® SQL Server®, Oracle® Database Server, IBM® DB2®, Microsoft® BizTalk® Server, Microsoft® Commerce Server®, Microsoft® Windows®, and Yahoo! Messenger®. Cesar also has authored several white papers on database and application security, and attacks and exploitation techniques. He has been invited to present at a variety of companies and conferences including Black Hat, CanSecWest, EuSecWest, HITB, Microsoft BlueHat, EkoParty, FRHACK, H2HC, and Defcon. Cesar collaborates with, and is regularly quoted in, print and online publications including eWeek, ComputerWorld, and other leading journals.

About 8dot8 Security Conference
A group of security professionals in Chile were bored with the typical “computer security conferences” oriented towards management or organized for commercial purposes. To this end we decided to organize a conference that is intended to be 100% technical and focused principally on sharing knowledge and experience.

The principal objective is to share the latest techniques being used, the latest kinds of attacks that have been seen, ways in which they are carried out and how they are being defended against.

-###-

PRESS RELEASE: SPEAKER ALERT | October 21, 2013

Ruben Santamarta, Principal Security Consultant for IOActive, to present at ENISE

PRESENTER: Ruben Santamarta, Principal Security Consultant
PRESENTATION: Vulnerable Components in Critical Infrastructure
CONFERENCE: ENISE
LOCATION: Parador de San Marcos, Plaza de San Marcos, 7, León, Spain
DATE & TIME: Wednesday October 23, 2013 at 11:45am
INFO: http://enise.inteco.es

 

In this presentation, Ruben will provide the audience with a detailed explanation of the technical approaches required to measure and identify components that may put critical infrastructures at risk.

About Ruben Santamarta 
Ruben Santamarta is a Security Researcher for IOActive, specializing in offensive security. He is currently focused on the ICS security field, reporting and releasing flaws in industrial software and hardware. He has discovered dozens of vulnerabilities in products from leading companies such as Microsoft, Apple, and Oracle. One of his recent successes was presenting a way to remotely hack into the Large Hadron Collider at CERN. He recently was a featured presenter at AppSec DC and Black Hat USA 2012.

About ENISE
ENISE has established itself as a reference event for the Spanish information security industry. The aim of the 4th ENISE is to become an important meeting for the main players in the ICT security sector (industry, R&D, public administrations, users, etc.), both in the EU and in Latin America.

-###-

PRESS RELEASE: SPEAKER ALERT | October 7, 2013

Ian Amit, Director of Services for IOActive, to present at OWASP NYC Cyber Security Meet Up

PRESENTER: Ian Amit, Director of Services
PRESENTATION: Armorizing applications – the accountant way
CONFERENCE: OWASP NYC Cyber Security Meet Up
LOCATION: BNY Mellon, 101 Barclay Street, New York, New York
DATE & TIME: Thursday October 10, 2013 at 6:30pm

 

In this talk, Ian Amit will try to address things from a more tactical (read: practical) perspective for application development. What “we” see, or want, from a security practitioner perspective is nice, but enabling it from an application view isn’t trivial. He’ll cover what attendees can gain from having applications designed and implemented in certain manners, while of course not changing the way things are being practiced these days (too much). He will also show how logging (yes… plain old boring logging) can go a long way, and how applications that are a bit more self-conscious of their state can be utilised to detect attacks before they actually happen.

About Ian Amit
Ian Amit is the Director of Services at the leading global security consulting company IOActive. Ian oversees the northeast US services practice including the financial and healthcare sectors, as well as leading the red team division. Ian brings a mixture of Software development, OS, Network and web security to work on a daily basis. He is also a regular speaker at leading security conferences around the world (including BlackHat, DefCon, OWASP, and InfoSecurity), and has published numerous articles and research material in print, online, and through broadcast media. Ian is one of the founders of the Penetration Testing Execution Standard (PTES), its counterpart – the SexyDefense initiative, and a core member of the DirtySecurity crew. Ian holds a Bachelor’s Degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzlya.

About OWASP NYC
OWASP New York City Chapter is the local chapter for the OWASP Foundation. Software powers the world, but inadequately secured software threatens safety, trust, and economic growth. The Open Web Application Security Project (OWASP) is dedicated to making application security visible by empowering individuals and organisations to make informed decisions about true software security risks.

OWASP supports 30,000+ participants, more than 65 organisational supporters, and more than 60 academic supporters. OWASP’s most notable corporate members include ADP, Akamai, Amazon, Best Buy, Nokia, Oracle, Salesforce.com, UPS and other leading service providers. OWASP also includes nearly 200 local chapters across 6 continents in 75+ countries.

-###-

PRESS RELEASE: SPEAKER ALERT | October 5, 2013

Chris Valasek, director of security intelligence for IOActive, and Charlie Miller, security researcher for Twitter, to present at H2HC – Hackers To Hackers Conference

PRESENTERS: Chris Valasek, director of security intelligence for IOActive and Charlie Miller, security researcher for Twitter.
PRESENTATION: Adventures in Automotive Networks and Control Units
CONFERENCE: H2HC – Hackers To Hackers Conference
LOCATION: Novotel Morumbi, Sao Paulo, Brasil
DATE & TIME: Sunday October 6, 2013 at 11:50am
INFO: http://www.h2hc.org.br/h2hc/en/

 

Automotive computers, or Electronic Control Units (ECU), were originally introduced to help with fuel efficiency and emissions problems of the 1970s but evolved into integral parts of in-car entertainment, safety controls, and enhanced automotive functionality. This presentation will examine some controls in two modern automobiles from a security researcher’s point of view.

Chris and Charlie will first cover the requisite tools and software needed to analyse a Controller Area Network (CAN) bus. Secondly, they will demo software to show how data can be read and written to the CAN bus. They will then show how certain proprietary messages can be replayed by a device that is hooked up to an OBD-II connection to perform critical car functionality, such as braking and steering. Finally, they will discuss aspects of reading and modifying the firmware of ECUs installed in today’s modern automobile.

About Chris Valasek
Christopher Valasek is the Director of Security Intelligence at IOActive. He specializes in attack methodologies, reverse engineering, and exploitation techniques. Valasek is widely regarded for his research on Windows heap exploitation. He also regularly speaks on the security industry conference circuit on a variety of topics. His previous tenures include Coverity, Accuvant LABS, and IBM/ISS. Valasek is also the Chairman of SummerCon, the nation’s oldest hacker conference. Chris holds a B.S. in Computer Science from the University of Pittsburgh.

About Charlie Miller
Charles Miller is a computer security researcher with Twitter. Prior to his current employment, he spent five years working for the National Security Agency. Miller demonstrated his hacks publicly on products manufactured by Apple. In 2008 he won a $10,000 cash prize at the hacker conference Pwn2Own in Vancouver, Canada for being the first to find a critical bug in the ultrathin MacBook Air. The next year, he won $5,000 for cracking Safari. In 2009 he also demonstrated an SMS processing vulnerability that allowed for complete compromise of the Apple iPhone and denial-of-service attacks on other phones. In 2011 he found a security hole in the iPhone and iPad, whereby an application can contact a remote computer to download new unapproved software that can execute any command, which could be used to steal personal data or otherwise use iOS application functions for malicious purposes. As a proof of concept, Miller created an application called Instastock that got approved by Apple’s App Store. He then informed Apple about the security hole, and Apple promptly expelled him from the App Store.

About H2HC
Hackers To Hackers Conference (H2HC) is a conference organized by people who work or who are directly involved in research and development in the area of information security, whose main objective is to enable the dissemination, discussion and exchange of knowledge about information security among participants and also among the companies involved in the event. With training and lectures presented by respected members of the corporate world, research groups and underground community, this year’s conference promises to demonstrate techniques that have never been seen or discussed with the public before.

About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established pedigree in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment through to semiconductor reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA and Asia Pac regions. Visit www.ioactive.com for more information.

-###-

PRESS RELEASE: SPEAKER ALERT | October 1, 2013

IOActive CTO Gunter Ollmann to present at ISSS Information Security Switzerland Conference

London, UK ― October 1, 2013 ― IOActive, Inc., the leading global provider of specialist information security services, announced today that Chief Technology Officer, Gunter Ollmann, will present Applying Big Data and Machine Learning to Corporate Defense at the ISSS Information Security Switzerland Conference in Switzerland today.

Gunter’s presentation will outline the challenges that organisations face in threat detection and mitigation strategies. He will also provide attendees with an understanding of how to manage big data and the automated analysis of unstructured data. Gunter will talk about how combining this analysis with machine learning can provide new opportunities in dealing with complex information security problems.

Details of the presentation:

WHAT: Applying Big Data and Machine Learning to Corporate Defense
WHERE: Hotel Lausanne Palace, Lausanne, Switzerland
WHEN: Tuesday October 1, 2013 at 1:30pm
INFO: https://www.isss.ch/veranstaltungen/2013/1-isss-information-security-switzerland-conference/#c1088

About ISSS Information Security Switzerland Conference
ISSS Information Security Switzerland Conference is pursuing the proven path of offering decision-makers, managers, experts and anyone involved in the field of ICT security an independent, high-calibre and inspiring discussion platform for transferring and exchanging ideas and expertise. And now it has a new format: a conference in Lausanne, in the heart of French-speaking Switzerland, for guests from both French and German-speaking parts of Switzerland, with English-speaking, internationally renowned speakers. ISSS has succeeded in inviting many eminent experts from research and industry, who will communicate their knowledge and give their views on relevant and current ICT security challenges for Switzerland. They include distinguished speakers, successful ICT security users and top-class specialists, as well as visionaries.

About Gunter Ollmann
As IOActive’s Chief Technology Officer, Gunter Ollmann plays a key role in shaping IOActive’s services strategy as the company embarks on its next phase of growth and leadership in innovative service offerings in semiconductor security, embedded software risks and device threats. Prior to joining IOActive, Ollmann served as the vice president of research and CTO at Damballa, where he focused on inventing new crimeware mitigation technologies and the identification of criminal operators behind botnets and other advanced persistent threats. Before joining Damballa, Ollmann held several strategic positions at IBM Internet Security Systems (IBM ISS), most recently as chief security strategist. In this role, he was responsible for predicting the evolution of future threats and helping guide IBM’s overall security research and protection strategy, as well as serving as the key IBM spokesperson on evolving threats and mitigation techniques. He also held the role of director of X-Force and was former head of X-Force security assessment services for EMEA while at ISS (which was acquired by IBM in 2006).

-###-
