Director of Security Intelligence to present findings of research on Microsoft’s web browser

Seattle, WA ― April 10, 2013. – IOActive, Inc., a leading provider of application security, compliance and smart grid security services, today announced that its director of security intelligence, Christopher Valasek, will present An Examination of String Allocations in Internet Explorer 9 at SOURCE Boston 2013.

Allocation of memory, specifically user_controlled strings, has played a major role in browser exploitation, especially with regards to heap spraying. The underlying knowledge of JavaScript string allocations were widely understood from Internet Explorer 6 through 7. However, while heap spray attacks adapted to changes in Internet Explorer 8–9, public foundational knowledge did not keep pace.

Valasek’s presentation will discuss a brief history of string allocations from Internet Explorer 6 to Internet Explorer 8 then explore current memory management methods for Internet Explorer 9. The presentation will conclude with a look at how newly acquired knowledge can be useful for browser exploitation.

WHAT: An examination of string allocations in IE9
WHERE: SOURCE Boston, Marriott Tremont, Boston, MA, USA
WHEN: April 16, 2013 at 13:00

About SOURCE The SOURCE Conference has been created to bridge the gap between technical excellence and business acumen within the security industry. SOURCE fosters a community of learning where business and security professionals come together to gain knowledge and skills, network with peers, and advance their careers and professional development. SOURCE enables individuals, teams, and organizations to leverage information to improve decision-making, optimize performance, and achieve business objectives.

About Christopher Valasek Christopher Valasek is the Director of Security Intelligence at IOActive. He specializes in attack methodologies, reverse engineering, and exploitation techniques. Valasek is widely regarded for his research on Windows heap exploitation, he also regularly speaks on the security industry conference circuit on a variety of topics. His previous tenures include Coverity, Accuvant LABS, and IBM/ISS. Valasek is also the Chairman of SummerCon, the nation’s oldest hacker conference. Chris holds a B.S. in Computer Science from the University of Pittsburgh.

About IOActive
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, healthcare, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.comor call +1.866.760.0222.

-###-

Managing Consultant to give keynote address on ’Collaborative Approach to Modern Threats’ and moderate panel discussion on ’Can we Secure the Unsecurable’

London, UK ― March 21, 2013. – IOActive, Inc., a leading provider of application security, compliance and smart grid security services, today announced that Wim Remes, managing consultant for the company, will be giving the keynote address on Collaborative Approach to Modern Threats at the Secure Abu Dhabi Conference 2013. Additionally, Remes will moderate the panel discussion on Can we Secure the Unsecurable.

Remes’ keynote address will focus on:
• the digital arms race;
• what this means and doesn’t mean for commercial organizations;
• how critical infrastructure should be at the center of everyone’s attention;

Secure Abu Dhabi Conference 2013 is a unique collaboration between (ISC)2 and the Abu Dhabi Polytechnic Institute. The event brings together practitioners, researchers, industry and government experts, solution providers and other prominent figures to explore the scope and nature of the latest Emerging Threats & Trends to help get ahead of the attackers. It is designed to arm delegates with the instincts for understanding how to anticipate and pre-empt attack, assess the adequacy of not only our defenses, but also the strategy behind them; and clarify the requirements for the analysis of risk.

WHAT: Collaborative Approach to Modern Threats
WHERE: Abu Dhabi Polytechnic, Mohammad Bin Zayed City, Abu Dhabi
WHEN: March 26, 2013 at 09:45
INFO: www.adpoly.ac.ae/sad2013/

About Wim Remes

As a Managing Consultant at IOActive, Wim Remes leverages his 15 years of security leadership experience to advise clients on reducing their risk posture by solving complex security problems and by building resiliency into their organization. Remes delivers expert guidance on reducing the high cost of IT security failures, both financially and in terms of brand reputation with his deep expertise in network security, identity management, policy design, risk assessment and penetration testing. Before joining the IOActive team Remes was a Manager of Information Security for Ernst and Young and a Security Consultant for Bull, where he gained valuable experience building security programs for enterprise class clients.

Remes has been engaged in various infosec community initiatives such as the co-development of the Penetration Testing Execution Standard (PTES), InfosecMentors, The Eurotrash Security Podcast and organizing the BruCON security conference. Wim has been a featured speaker at international conferences such as Excaliburcon (China), Blackhat Europe, Source Boston, Source Barcelona and SecZone (Colombia). He is also a Member of the Board of Directors at (ISC)2.

About IOActive
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, healthcare, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.co.uk.

-###-

London, UK — August 21, 2012. IOActive, a leading provider of application security, compliance, and smart grid security services, today announced that Éireann Leverett, one of their Security Researchers, will host the workshop SHODAN: Global Logfile of Insecurity, at Hack.lu 2012. (more…)

IOActive Security Consultant to present Inside the Mind of a Social Engineer

Seattle, WA—November 21, 2011. IOActive, a leading provider of application security, compliance, and smart grid security services, today announced that Ryan O’Horo will present the webcast Inside the Mind of a Social Engineer. O’Horo, an expert in the field of social engineering who has performed dozens of SE ruses on numerous engagements, will explain how the social engineer’s mind works. He’ll bring his personal experience and awareness to bear on the ease with which people in every type of workplace environment can be manipulated into willingly providing sensitive information.

WHAT  Inside the Mind of a Social Engineer

WHEN  November 29, 2011. 10:00 am PDT.

HOW  Reserve your spot for this free webcast at the BrightTALKwebsite.

About Ryan O’Horo
As a Security Consultant at IOActive, Ryan O’Horo performs penetration testing, social engineering, training, and is highly experienced with assessing modern web applications. Mr. O’Horo also is a Maker and DIY hobbyist of many years. He is a member of the Board of Directors for the THINK Cooperative in New York City, promoting technology education and regularly conducting seminars on information security. He has most recently presented talks at multiple BSides events and Hacker Halted.

About IOActive
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive’s talented team continuously contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com.

-###-

IOActive’s Founder and President to present There’s an App for That: Evolving Mobile Security into a Business Advantage

London, UK—November 9, 2011. IOActive, a leading provider of application security, compliance, and smart grid security services, today announced that Joshua Pennell will present There’s an App for That: Evolving Mobile Security into a Business Advantage at SOURCE Barcelona 2011.

Mr. Pennell, a security veteran who has cracked multiple mobile platforms, will review what companies should do when deploying a mobile strategy. From wiring money and accepting deposits to buying cars, mobile device apps are the desired platform for the go-generation. With around 54 million smart phones and an average of 22 applications per device, analysts predict smart phone sales to exceed PC sales in 2011. Pennell will present his findings on which platforms are the most trustworthy and which parts of these platforms can be the most lucrative or exploitable target for malware, hackers, and fraudsters.

WHAT  There’s an App for That: Evolving Mobile Security into a Business

WHERE  Museu Nacional D’art de Catalunya

WHEN  November 17, 2011. 11:00–11:50 am.

HOW  For more information, visit the SOURCE Barcelona website.

About Joshua Pennell
As IOActive’s Founder and President, Joshua Pennell enjoys a proven, 12-year entrepreneurial track record of creating and maintaining a multimillion-dollar, customer-focused, independent global security services organization. Through Pennell’s leadership, IOActive has emerged as one of the world’s longest standing, highly technical boutique security consultancies with a history based on cutting-edge research and meritocratic governance.

Pennell serves on the advisory boards of Source, Vantos, and SiteScout. He also is the Chairman of IOActive’s advisory board, which includes such computer industry venerables as Steve Wozniak, Jim Reavis, and Jason Larsen. In years past, Pennell played an integral role in helping his team win DefCon’s Capture the Flag competition for three consecutive years, followed by another three of technically revolutionizing the competition before handing it over to Kenshoto.

About IOActive
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com.

-###-

IOActive’s Security Consultant to present SSL Traffic Analysis Attacks

Seattle, Wash—November 4, 2011. IOActive, a leading provider of application security, compliance, and smart grid security services, today announced that Vincent Berg will present SSL Traffic Analysis Attacks at Ruxcon 2011. Ruxcon is a computer security conference that aims to bring together the best and brightest security talent. It’s a mixture of live presentations, activities, and demonstrations presented by security experts from the Australia-Pacific region and invited guests from around the world. Ruxcon is widely regarded as one of Australia’s leading computer security conferences and attacts all facets of the security landsacpe including industry, academia, and enthusiasts.

Mr. Berg’s presentation will focus on modern SSL traffic analysis attacks. Although this attack class is well known and great papers have been published about it, most people still are not aware of the lengths to which an attacker can go to extract useful information from SSL sessions. By showing some large targets and useful programs, Berg hopes the audience will gain a better understanding of what SSL traffic analysis is (a real threat, depending on the attacker’s skill) and some knowledge about how to avoid these attack types. Mr. Berg also will present research tools, with at least one being a proof of concept on how to perform traffic analysis of Google Maps.

WHAT  SSL Traffic Analysis Attacks

WHERE  CQ Function Centre; Melbourne, Australia

WHEN  November 19–20, 2011. Time TBD.

HOW  For more information, visit the Ruxcon website.

About Vincent Berg
As a Security Consultant at IOActive, Vincent Berg performs penetration tests, identifies system vulnerabilities, and performs code reviews for companies ranging from the small to Fortune 500 businesses.Involved in the computer security field for over a decade, he enjoys looking for exploitable vulnerabilities in new software and network protocols, and creating prevention techniques around both. Berg has authored numerous white papers and speaks at security conferences around the world including previous Outerbrains, PH-Neutral, EUSecWest, the FST IT Security Conference, and 44Con.

About IOActive
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com.

-###-

IOActive’s Security Consultants to present Social Engineering PenTest: Using the Dreaded Telephone

Seattle, Wash—November 2, 2011. IOActive, a leading provider of application security, compliance, and smart grid security services, today announced that Mike Ridpath and Matias Brutti will present Social Engineering PenTest: Using the Dreaded Telephone at the second annual BayThreat security conference in San Francisco. This year BayThreat’s focus is straightforward: building and breaking security, with one track devoted to each topic, tackling opposite sides of the security fence. “As Security Professionals, it’s up to us to take that dichotomy and mold it into the shades of gray we use to protect our environment.”

What could be worse than making a cold call? Socially engineering someone over the phone can have the same effect as talking to a chat-bot if you know what you’re doing. Ridpath and Brutti will review the psychology and sociology of the cold call and share personal techniques that have worked for them on over 100 engagements. They will present their findings on the difference between male and female targets, and play sanitized examples of successful calls to highlight the challenges and advantages of social engineering over the phone, instructing the audience on ways to protect themselves and their companies.

WHAT  Social Engineering PenTest: Using the Dreaded Telephone

WHERE  Hacker Dojo. 140A South Whitsman Road, Mountain View, CA 94041

WHEN  December 9, 2011. 11:00 am.

HOW  For more information, visit the BayThreat website.

About Mike Ridpath
Mike Ridpath has worked at IOActive for only two years, but during that time his talent has lead to his becoming an experienced security consultant, working with platinum-level clients on network and application penetration tests, PCI compliance, and general consulting engagements. Prior to IOActive, Ridpath was in senior management as a product developer and on governing boards for multiple training and process improvement companies, where he worked with risk analysis and various process improvement methodologies. He has recently presented at Black Hat USA, ToorCon Seattle, BSides Portland, and the WSCPA of Seattle.

About Matias Brutti
Matias Brutti is a Senior Security Consultant at IOActive, where he uses his deep experience in enterprise-level application and network assessment/consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. Mr. Brutti has performed security assessments and PCI DSS security support services for companies in the Fortune 100, and has five years’ experience working on all manner of compliance projects. He most recently presented talks at ToorCon Seattle, BSides Portland, and at the WSCPA of Seattle.

About IOActive
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com.

-###-

IOActive’s Senior Security Consultant to present The Security Trifecta: Platforms, Apps, and Stores

Seattle, Wash—October 31, 2011 – IOActive, a leading provider of application security, compliance, and smart grid security services, today announced that Matias Brutti, one of their Senior Security Consultants, will present The Security Trifecta: Platforms, Apps, and Stores at Microsoft’s BlueHat Redmond Security Briefings during the main Security Ecosystems session. The primary objective of the BlueHat Conference Series is to build bridges between Microsoft developers and executives, key security program partners, and members of the research community while educating the greater Microsoft population on security threats and mitigations. This year’s conference will see leading external security researchers presenting timely presentations, and showcasing ongoing research projects, state-of-the-art security tools and techniques, and emerging security threats.

Mobile application delivery is shifting rapidly toward a distributed model that heavily utilizes online and mobile app stores. As a result, the security landscape around the applications, the platforms on which they run, and the stores from which they’re sold is becoming more complex every day. Until recently this had been an issue relevant only to the mobile realm; however, the desktop and tablet markets are quickly adopting these models and their risks. Mr. Brutti will review the gambles, traps, and other commonly-overlooked mobile application issues in an effort to raise awareness and present solutions that make the app world a safer place.

WHAT  The Security Trifecta: Platforms, Apps, and Stores

WHERE  Microsoft Redmond Campus; Redmond, WA

WHEN  November 4, 2011.

HOW  For more information, visit the BlueHat event site.

About Matias Brutti
Matias Brutti is a Senior Security Consultant at IOActive, where he uses his deep experience in enterprise-level application and network assessment/consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and profesional services. Mr. Brutti has performed security assessments and PCI DSS security support services for companies in the Fortune 100, and has five years’ experience working on all manner of compliance projects. He most recently presented talks at ToorCon Seattle, BSides Portland, and at the WSCPA of Seattle.

About IOActive
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com.

###

Feeling social?
IOActive in LinkedIn
IOActive on Facebook
IOActive on YouTube
IOActive on Crunchbase
IOActive on Github

IOActive’s Security Consultants to present Automating Social Engineering

Seattle, WA—September 26, 2011. IOActive, a leading provider of application security, compliance, and smart grid security services, today announced that Mike Ridpath and Matias Brutti, two of their security consultants, will present the webcast Automating Social Engineering.

Since the initial conceptualization of computer security, and perhaps even before, social engineering has existed; in fact, one could say that social engineering began with society, whether it was realized or not. It is now time to give some of this work to scripts and applications and make things a little more interesting.

WHAT  Automating Social Engineering

WHEN  September 29, 2011. 10:00 am PDT.

HOW  Reserve your spot for this free webcast at the BrightTALKwebsite.

About Mike Ridpath
Mike Ridpath has worked at IOActive for only two years, but during that time his talent has lead to his becoming an experienced security consultant, working with platinum-level clients on network and application penetration tests, PCI compliance, and general consulting engagements. Prior to IOActive, Ridpath was in senior management as a product developer and on governing boards for multiple training and process improvement companies, where he worked with risk analysis and various process improvement methodologies. He has most recently presented talks at Black Hat USA 2011 and ToorCon Seattle 2011.

About Matias Brutti
Matias Brutti is a Senior Security Consultant at IOActive, where he deploys his deep experience in enterprise-level application and network assessment/consultation. He performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. Mr. Brutti has performed security assessments and PCI-DSS security support services for companies in the Fortune 100, and has five years’ experience working on all manner of compliance projects.

About IOActive
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive’s talented team continuously contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com.

-###-