SOURCE Barcelona 2011 - Speakers And Publications

WEDNESDAY, NOVEMBER 16th, 2011

GENERAL TRACK (talks will be in English)

SPANISH TRACK (talks will be in Spanish)

10:00am - 10:50am

Adapting to the Age of Anonymous
Joshua Corman, Akamai Technologies VIDEO

Wfuzz para Penetration Testers
Christian Martorella & Xavier Mendez, Verizon Business VIDEO

11:00am - 11:50am

Advanced (Persistent) Binary Planting
Mitja Kolsek, ACROS d.o.o. VIDEO

All Your Crimeware Are Belong To Us!
Manu Quintans - Frank Ruiz. VIDEO

12:00pm - 12:50pm

Are Agile and Secure Development Mutually Exclusive?
Matt Bartoldus, Gotham Digital Science VIDEO

Canales Cubiertos en Redes Sociales
Jose Selvi, S21sec VIDEO

1:00pm - 2:30pm

LUNCH

 

2:30pm - 3:20pm

Metasploit: Hacker's Swiss Army Knife
Jonathan Cran, Rapid7
Joshua Smith, JHUAPL VIDEO

Show Me Your Kung-Fu
Sebastián Guerrero Selma VIDEO

3:30pm - 4:20pm

RESTful Services, the Web Security Blind Spot
Ofer Shezaf, Hewlett Packard VIDEO

Steganography
Jordi Serra, UOC University VIDEO

4:30pm - 5:20pm

Men in the server meets the Man In The Browser
Amichai Shulman, Imperva VIDEO

Security Goodness with Ruby on Rails
Daniel Pelaez, Gotham Digital Science

5:30pm - 6:20pm

Security Convergence - Goldmines & Pitfalls
Ryan Jones, Trustwave VIDEO

La calificación y su aplicación al cloud computing
Antonio Ramos VIDEO

9:00pm

Barcelona Bar Crawl

 

 

THURSDAY, NOVEMBER 17th, 2011

GENERAL TRACK

10:00am - 10:50am

How NOT to do a Penetration Test
Stefan Friedli, scip AG VIDEO

11:00am - 11:50am

There’s an App for That: Evolving Mobile Security into a Business Advantage
Josh Pennell, IOActive VIDEO

12:00pm - 12:50pm

Data Exfiltration - the way Q would have done it
Iftach Ian Amit, Security Art VIDEO

1:00pm - 2:30pm

LUNCH

2:30pm - 3:20pm

Legal/technical strategies addressing data risks as perimeter shifts to Cloud
David Snead, W. David Snead, P.C. & Nadeem Bukhari, Kinamik VIDEO

3:30pm - 4:20pm

Gaining Acceptance for a New Approach to Software Development
Josh Kebbel-Wyen, Adobe VIDEO

4:30pm - 5:20pm

Guerrillero: How SPAIN taught the BlackHat community to WIN
Chris Nickerson, Lares Consulting VIDEO

5:20pm - 5:30pm

Closing Remarks

Gaining Acceptance for a New Approach to Software Development
Josh Kebbel-Wyen, Adobe

In 2008 and 2009, the number of exploits targeted at Adobe products grew exponentially. The Adobe Secure Software Engineering Team (ASSET) needed a more efficient way to reach the developers and quality engineers on the product teams and get them to consider secure development practices as part of their every effort. In essence, we needed to speak a common language. To this end, ASSET developed the Security Certification Program. The program includes a suite of online training sessions, a tiered "belt" level system for participants and, at the highest levels, an experiential component. Adobe has created an environment where secure engineering capabilities have increased value and subsequently changed Adobe's culture with regard to security awareness. This presentation will demonstrate how participation in this program motivates people and product teams to change not only their attitudes, but also their development and incident response practices.

Josh Kebbel-Wyen is a program manager at Adobe. He manages Adobe's Secure Product Lifecycle (SPLC) and other strategic security initiatives. In 2009, Josh conceptualized the highly successful Adobe Security Certification Program. Josh came to Adobe as part of the Macromedia acquisition. Like President Obama, Josh has also worked as a community organizer in Chicago.

 

Metasploit: Hacker's Swiss Army Knife
(Jonathan Cran, Rapid7 / Joshua Smith, JHUAPL)

Metasploit is a well-known exploit development and pentesting framework, but its power is not limited to only those domains. Taking a shotgun approach to the presentation, the speakers will show attendees how to tap Metasploit to automate and simulate attacker actions, create and automate a test lab, perform network device (such as IPS/IDS) testing, schedule regular regression tests, train defenders, and generally how to bend Metasploit to your will. Attendees are encouraged to bring a helmet, this is a demo- and code-heavy presentation!

Jonathan Cran (jcran) is the Director of Quality Assurance and an engineer with the Rapid7 Metasploit team. He's consulted and performed technical security assessments for a wide range of verticals and maintains a blog at www.pentestify.com. Joshua Smith (kernelsmith) is a security engineer at the Johns Hopkins University Applied Physics Laboratory (JHUAPL), performed penetration testing for the US military for 3 years, and is an active member of the Metasploit community.

 

Are Agile and Secure Development Mutually Exclusive?
Matt Bartoldus, Gotham Digital Science

Can you develop using Agile AND be secure? Agile development methodologies have been increasingly adopted by organisations in recent times. Organisations believe Agile development can bring more speed and flexibility to teams when delivering development projects. However, if not performed correctly, Agile methods can come across as a mask for 'do as fast as you can with a vague plan and little documentation.' We will look into the fundamental concepts of Agile development and explore security frameworks that can potentially be used to integrate consistent security practices into Agile development processes. In addition, we will explore the concepts around Agile Project Management and whether these concepts can be applied to the information security world.

Lastly, we will answer the question: Are Agile and Secure Development Mutually Exclusive?

Matt Bartoldus is an information professional with over 12 years of experience managing and delivering information security projects. Service delivery experience spans the scope of IT audit; security penetration and vulnerability assessments; regulatory compliance and information security governance consulting; and security business transformation. Matt has several years of experience advising multi-national organisations around information security within software development methods and processes. Matt is a Co-Founder of and Director at Gotham Digital Science in London.


Security Convergence - Goldmines & Pitfalls
Ryan Jones, Trustwave

Security convergence evolved from the realization that information-based assets are increasingly critical to organizations, and that there is a need for these assets to be protected physically as much as they are logically. However, this is not a simple plug and play solution and without proper planning and design, companies are opening themselves up for additional vulnerabilities and organizational problems. This speech will review the benefits of reaching "convergence", but also bring to light the financial, employee, and network and physical security issues that can arise from an implementation that is supposed to make security stronger.

Ryan has spent fifteen years at the cutting edge of computer security. As Director of the physical security and social engineering practice, he focuses on business intelligence, red team testing, and social engineering. Ryan has addressed major industry conferences, including SOURCE Boston, You Shot the Sheriff in Brazil, and THOTCON in Chicago. He is the co-producer and co-host of the Exotic Liability podcast, providing unique insight and analysis on computer security issues.

 

Data Exfiltration - the way Q would have done it
Iftach Ian Amit, Security Art

Data exfiltration has been a hot topic over the past year, in light of the "APT" attacks that took front stage in the media. However, the attacks that we keep seeing are not even close to what really is going on behind the scenes, where sophisticated exfiltration techniques are being used to grab data out of highly secure networks. This talk will cover both the infiltration techniques used in red-team engagements, and government related cyber-preparedness capability building, as well as the command & control mechanisms for such attack software. On top of that, the talk will show innovative exfiltration techniques that go much beyond the case-studies shown over the past year as "advanced" and will challenge the industry with how it perceives its data monitoring and security.

With over a decade of experience in the information security industry, Iftach Ian Amit brings a mixture of software development, OS, network and Web security expertise as Vice President Consulting to the top-tier security consulting firm Security-Art. Prior to Security-Art, Ian was the Director of Security Research leading web security firms, and a founder and CTO of an IPS/IDS startup. Ian is a frequent speaker at leading industry conferences such as BlackHat, DefCon, BruCon, SOURCE.


Men in the server meets the Man In The Browser
Amichai Shulman, Imperva

Client-side attacks, as much as they are directed at consumers, are actually affecting businesses. In order to thwart the impact of these attacks on enterprises, businesses must take charge of securing the interaction with their clients and confronting client-side attacks. The presentation describes two new techniques that can be used by web applications to detect infected clients.

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's research organization focused on security and compliance. Prior to Imperva, Mr. Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions. Mr. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques.


Legal/technical strategies addressing data risks as perimeter shifts to Cloud
David Snead, W. David Snead, P.C. & Nadeem Bukhari, Kinamik

We all know that security is more than simply deploying a firewall and keeping the bad guys at bay. Security involves a mixture of legal, technical and philosophical tactics designed to ensure that data is protected throughout your organization. In this presentation, the presenters will use case studies illustrating methods you can use to ensure the security of your business and data meets regulatory, evidentiary and technical requirements. Attendees learn:
• Laws, regulations and philological preferences that require organic security practices;
• Creating strategies to demonstrate and maintain trustworthy insights of auditable user and machine activity;
• Addressing transnational data security, forensics and litigation issues.

Presented by an industry leading lawyer and a technical expert on data integrity who will detail the importance of trustworthy audit and activity data integrity.

Attendees will leave with real world technical advice and contract examples useful to create business and regulatory stability.

David is an attorney in Washington. His practice focuses exclusively on representing companies and other entities active in the internet infrastructure. In his 17 years in this area, he has represented these companies both in-house and as outside counsel.

Nadeem has over 12 years of information security experience, eight in management consulting firms. He has provided information security and risk management consultancy to blue chip organizations and has held senior positions within technology software start-ups.


How NOT to do a Penetration Test
Stefan Friedli, scip AG

Penetration Testing is an important part of the security service landscape. You can put a lot of effort into securing your environment, hardening your systems and improving your business processes. But at some point, you will want to know if it all adds up and works in a REAL attack scenario. Doing a penetration test helps you figure out what works and what needs work. But what makes a good penetration test and what are the common problems? Do you really need Threat Modelling? What about metrics? And is a Nessus scan really a pentest as the last shop claimed? This talk will tell you about the DOs and DON'Ts of penetration testing.

Stefan Friedli is a senior security consultant and leads the red team at scip AG in Switzerland. He is also one of the founders of the PTES (Penetration Testing Execution Standard, http://www.pentest-standard.org) which, much like this talk, tries to fix penetration testing. He also organizes the hashdays conference in Switzerland.


Adapting to the Age of Anonymous
Joshua Corman, Akamai Technologies

Anonymous is here to stay. While some see these chaotic actors like Anon, LulzSec, and derivatives, as Chaotic Good like Robin Hood... others see these actors as Chaotic Evil like the Joker. Most of the Security community has sustained a cognitive dissonance about them. At DEFCON 19, a few of us confronted the issue (and active participants). We found the current narratives fail to understand the varied motives, permutations, evolutions, and growing pains of these pockets of chaotic actors. Every action has a reaction, so we must be conscientious and deliberate about how we adapt to the age of Anonymous. Together we'll frame this Renaissance of Hacktivism with specifics about incidents, outcomes, victims and collateral damage left in the wake of those attacks. We'll explore "Building a Better Anonymous". Last, we'll explore how organizations can intelligently adjust their threat models and risk postures in the face of this developing reality.

Joshua Corman is the Director of Security Intelligence for Akamai Technologies. Corman's research cuts to the industry's core security challenges and won him the title of Top Influencer of IT by NetworkWorld in 2009. Corman is a coveted speaker for leading industry events such as RSA, DEFCON, Interop, ISACA, and SANS. An advocate for CISOs, Corman also serves as a Ponemon Institute Fellow, on the IANS Faculty, and co-founded Rugged Software.

 

Guerrillero: How SPAIN taught the BlackHat community to WIN
Chris Nickerson, Lares Consulting

From 6000 BCE to today we have been schooled in war. Humankind has endured endless attacks, leveraging every tool as a weapon and every weapon as a tool. Throughout this 8000+ year history there have been superpowers which dominated the battlefield and conquered those with far fewer resources than they possessed. BUT..... Every one of the conquerors was eventually beaten. Even the most impressive of military forces have been completely dismantled through the use of tactics and sheer will. In 1809 these tactics were given a name: "Guerrilla Warfare". Juan Martin Diez, with only a few thousand men/women, used these tactics to beat the invading forces of Napoleon time after time. No matter how many resources, soldiers, and tactics the French threw at the problem... the Guerrillero never gave in. This talk will look at an 8000-year-old problem through a historical lens and attempt to provide insight on WHERE WE ARE TODAY and WHERE TO GO FROM HERE. In order to do this, we must discuss whether your inflated security budget, mass of troops and BLOCKS of defensive measures make you a Superpower or just another sitting duck.

Chris is a security guy. He has a bunch of certifications and a whole lot of experience to put into slide decks to make you say "wow.... he MUST know what he is talking about!" He likes to ask questions, play different roles, stand on the desk, and rant about his passions. Chris likes to get to the point and do work! He's worked at Fortune 100 companies and ran a few businesses of his own. When he speaks at conferences be ready for war... but as the Spanish say "En guerra avisada no muere soldado."


RESTful services, the web security blind spot
Ofer Shezaf, Hewlett Packard

As a lightweight alternative to web services, RESTful services are fast becoming a leading technology for developing mobile applications and web 2.0 sites. At first glance, RESTful services seem very different from web services and suspiciously similar to regular web technology. The similarity of RESTful services to the regular web leads to the misconception that RESTful services are secured in the same way. However, RESTful services share many of the security risks of web services without the compensating Web Services security controls.

The presentation will describe RESTful services and their use, the complexities in protecting them and common attack vectors that are specific to REST services, such as URL-embedded attacks. The presentation concludes with a discussion of the challenges of security testing for RESTful services and presents novel approaches for automated testing of RESTful services using grey-box testing, a method combining a client attack tool and a server-based monitor.

Ofer Shezaf, an internationally recognized application security expert, is chief architect for HP ArcSight risk and vulnerability management products. Ofer is an OWASP (Open Web Application Security Project) leader and the founder of the OWASP Israeli chapter and a WASC (Web Application Security Consortium) officer. Some open source projects Ofer has led are the ModSecurity core rule set, WASC web hacking incident database and the Web Application Firewall Evaluation criteria project.


Advanced (Persistent) Binary Planting
Mitja Kolsek, ACROS d.o.o.

Those of you familiar with our binary planting research (www.binaryplanting.com) already know that Windows applications can be tricked into downloading and executing malicious code from remote servers. There is, however, quite some confusion among developers and researchers when it comes to technical details of this vulnerability class. Some researchers are reporting false positives; many developers lack the awareness or understanding to avoid creating new bugs of this type; and penetration testers don't seem to be aware of the many possible ways to efficiently utilize binary planting in their attacks. This session will attempt to clear up the conundrum and provide concrete tips and instructions to developers, researchers and whitehats. As a result, we hope to see fewer newly-coded binary planting bugs, more fixed ones in existing products, more researchers looking for badly-behaved products, fewer false positives reported, and binary planting becoming a standard technique in penetration tests.

In over 12 years of security addiction, Mitja has perforated an array of business-critical products, computer systems and protocols by leading software vendors, searching for atypical vulnerabilities and effective ways of fixing them. His passion is security research, discovering new types of security problems, such as "session fixation", and new twists on the known ones, such as "binary planting".

 

SPANISH TRACK

 

All Your Crimeware Are Belong To Us!
Manu Quintans - Frank Ruiz.

The purpose of the presentation is to convey to the audience how criminal gangs operate on the Internet, from a technical point of view.

The presentation will cover one of the most active offshore providers, located in Eastern Europe. This ISP is one of the most active crimeware resources, through which a significant amount of malicious code, malware, crimepacks, botnets, iframers, tdsSystems and a long list of others is distributed.

We will try to take an approach that yields the following information:
- A bit of history
- Infrastructure, enumerating machines, domains, etc…
- A picture of the organization, responsibilities, ranks, AS, etc...
- Where they buy their infrastructure (is it really offshore??)
- What does it cost to be bad? Little money (Kids Don't do it!)
- Where they sell and buy services.
- The most relevant services they offer: traffic, VPS, VPN, marketplaces, mules, etc.
- Crimeware trends
- Analysis of the most relevant and well-known crimeware found.
- Analysis of the rarest and most private crimeware found.
- How to contact them if you want to be a bad guy? (Don't do it!)
- What the impact is and what economic losses an ISP of this kind causes.

The content of the talk will be completely 100% real. To date, the data has not been published in any outlet, and its freshness will be kept exclusive to the Source Conference. On the other hand, any data considered likely to cause harm or a negative impact will be obscured.
All information cited during the talk will be for educational purposes and, despite the titles, at no point will anyone be encouraged to commit criminal acts. All the data obtained is the result of collaboration with companies and authorities who enable us to publish the data.

Speakers:
Manu Quintans - Frank Ruiz.

Bio Manu Quintans - Crimeware Researcher. Involved in the scene for many years as a contributor to groups such as DTFZine (SP), DC4420 (UK), Hacktimes.com and MalwareIntelligence, he has built his experience across different technology sectors, acquiring knowledge in a variety of disciplines. He currently researches topics related to phishing, malware, hacking and botnets in the Malware Intelligence research group, and professionally he is responsible for the eCrime service at the Swiss company Section9 Security.
http://hacktimes.com
http://malwareint.com
http://section9security.com


Bio Frank Ruiz - Crimeware Researcher. Frank Ruiz is an independent researcher who actively collaborates with the Malware Intelligence group. Over these years Frank has been involved in the investigation of various botnets and their criminal circles. On the Malware Intelligence website we can see some of the work Frank has done, and one of his most successful investigations, into the mysterious Carberp crimeware, is worth highlighting.
http://malwareint.com

Security Goodness with Ruby on Rails
Daniel Pelaez - Gotham Digital Science

Focused on development with agile methodologies, avoiding repetition and emphasizing the principle of convention over configuration, Ruby on Rails (RoR) has been rapidly adopted by a growing number of companies to build enterprise applications. Although developing a web application with RoR can be simple, making sure the application is secure requires both a deep knowledge of subtle vulnerabilities and the precise inclusion of security checks.

This talk will discuss strategies for writing more secure applications using this popular framework. Along the way, we will look at different concepts and techniques including: best practices, security tools and APIs, and how to identify and fix the most common vulnerabilities.

Daniel Peláez works in London as an IT security professional for Gotham Digital Science, where he helps deliver security services to various European clients. He has an extensive professional track record, having held consulting positions at several leading security companies in Spain. Daniel specializes in penetration tests, wireless network audits, web application security audits, and source code reviews. His main areas of interest include web development with RoR, reverse engineering and exploit development.

 

Canales Cubiertos en Redes Sociales
Jose Selvi - S21sec

There are ways to encapsulate information in certain fields of protocols such as IP, TCP and others in order to send and receive information covertly. Nowadays, malware authors are using HTTPS as a means of hiding their creations' communications, but techniques such as DNS sinkholes can help network administrators stop some of them.

The next step in the use of covert channels is to use well-known applications in which to encapsulate the information, with social networks being ideal. Because widely used domain names are involved, it is difficult to distinguish legitimate communications from malicious ones.

In this talk, we will review some ways of encapsulating information in social networks, and how this can affect personal and corporate security. As a proof of concept, a tool called "FaceCat" (FaceBook NetCat) has been developed. With this tool we can redirect a port using a Facebook wall as a pipe, which would make it possible to obtain a connection through proxies and other network protections.

Jose Selvi, currently a pentester at S21sec and author of the blog http://www.pentester.es, has worked in security for the last 8 years, during which he has carried out penetration tests, incident handling and intrusion detection. He is also a SANS Institute Mentor and a regular speaker at Spanish conferences.

Jose holds degrees in Computer Engineering and Telecommunications Technical Engineering, and holds the CISA, CISSP, CNAP, GSEC, GCIH, GCIA and GPEN certifications. He is currently preparing his doctoral thesis.

Show Me Your Kung-Fu
Sebastián Guerrero Selma

The talk will summarize research carried out on the Android platform, analyzing and showing step by step how to reverse-engineer a piece of malware, relying on static and dynamic analysis of the applications.

The current security measures applied to our data, communications, etc. will be explained. It will also be shown how simple it can be to perform a forensic analysis of the device and obtain all the information stored in its internal memory.

The protection mechanism imposed by Google to protect applications in the market will be shown, along with how it can be broken and bypassed.

A TapJacking vulnerability supposedly fixed by Google will also be shown live; to this day it can still be exploited, affecting 98.6% of Android mobile devices. And probably a surprise or two more.

The aim of the talk is to bring researchers and security enthusiasts fully into the world of Android phone security.

· Target audience: security auditors, forensic auditors, developers

· Biography: Independent researcher and active member of the Painsec security group, he has taken part in prestigious CTFs. He contributes to the private Malware Intelligence community as a crimeware/mobile researcher, carrying out research and reversing work on exploit kits and malware. He contributes to prestigious blogs such as Security By Default, writing articles and research related to mobile security. He was a speaker at the recent NCN 2011 edition.

 

Wfuzz para Penetration Testers

Christian Martorella, Xavier Mendez, Verizon Business

Wfuzz is a web application brute-forcing tool that makes it possible to carry out complex brute-force attacks against different parts of an HTTP request: parameters, authentication, forms, headers, etc.
This talk will show attack scenarios, practical examples and the creation of new "payloads" and "encoders" using small Python scripts, demonstrating the tool's flexibility in dealing with complex and novel scenarios.

Some notable features:
• Multiple proxy support (each request through a different proxy)
• SOCK support
• Hide results by return code, word numbers, line numbers, regex.
• Time delays between requests
• HEAD scan (faster for resource discovery)
• Multiple encoders per payload
• Payload combinations with iterators
• Baseline request (to filter results against)
• Brute force HTTP methods

Xavier Mendez is a senior consultant on the Threat and Vulnerability Consulting team at Verizon Business EMEA, with a long track record in penetration testing, wireless network and web application audits, forensic analysis and source code reviews. Xavier is an active member of the Edge-Security group, where he is heavily involved in the development of Wfuzz.

Christian Martorella is Practice Lead on the Threat and Vulnerability Consulting team at Verizon Business EMEA. Christian has more than 10 years of experience in the field of information security, carrying out penetration tests, web application analysis and security consulting, and leading teams of security consultants. Christian is the founder of the Edge-Security group, where he has published security tools such as Metagoofil, Wfuzz, theHarvester, etc.

 

La calificación y su aplicación al cloud computing

Antonio Ramos

Briefly, the concept of risk rating for ICT services will be explained, along with how it can be applied to the cloud computing model to solve various problems: regulatory compliance on the provider's side, differing needs regarding confidentiality, integrity and availability, fit with the customer's business process, and also its application to the segmentation of the provider's offering.

 

Steganography

Jordi Serra, UOC University

Steganography has lately become the best type of communication among criminals. They send each other hidden messages, whether in photographs, sound, video or even simple written messages, in order to organize themselves without raising suspicion with encrypted messages. We will review steganography from its documented beginnings, around 400 BC, up to today, when there is already a large number of techniques for hiding information in digital documents.

Jordi Serra-Ruiz holds a PhD in Computer Science from the UOC and a degree in Computer Engineering from the UAB. He has been a professor at the UOC since 2002 and was previously a professor at the UAB. He belongs to the UOC's KISON (K-ryptography and Information Security for Open Networks) research group, which works on network security and digital content protection. He has presented several works on watermarking, in both images and audio, and several papers on content protection in images.

