Shakacon 2008 - ISSA Hawaii


Page 1: Shakacon 2008 - ISSA Hawaii

Event Pricing (Full Week)
For the whole week of events, including the conference and all training sessions (best deal!): $1,200

Event Pricing (À la carte)
• Hack the Planet: $500
• Shakacon 2-day Conference: $300
• WebApp Security Training (both days): $1000

Event Pricing (Multiple Training Sessions Only)
• All Three Trainings (w/o Conference): $1050

** 5% discount for Early Registration (before May 20, 2008)
*** Hawaii General Excise Tax will be applied

MORE INFO OR TO REGISTER: [email protected]

SHAKACON 2008: It's here! Once again, we're calling upon Hawaii's vast knowledge-pool of information security, IT audit and compliance professionals; students interested in learning real-world security applications, technologies, and methodologies; ethical hackers (emphasis on ethical); and otherwise security enthusiasts. Hawaii's first and only security conference of its kind is back for another week of training, education, and information dedicated to the security community within Hawaii and globally.

Date: The week of June 9-13, 2008
Where: Dole Cannery Ballroom, 650 Iwilei Road, Honolulu, HI, 96817

Monday June 9: Hack the Planet - Logical and Physical Asset Penetration (See pg 2)

Tuesday June 10: Shakacon Day 1
Wednesday June 11: Shakacon Day 2
Featuring:
• Speaker Presentations from industry experts! (See pg 4 and on)
• Lock-picking Village
• Lock-picking Contest
• Capture the Flag
• Meals Provided
• Bar Service
• After-hour Events

Thursday June 12: WebApp Security Training Day 1 (See pg 3)
Friday June 13: WebApp Security Training Day 2

Presents…

Shakacon 2008 in Honolulu, Hawaii

Sun. Surf. C Shells.

Sponsored by:

Featuring the return of Hawaii's first and only Hacker contest – Shakacon's Capture the Flag

Page 2: Shakacon 2008 - ISSA Hawaii

Hack the Planet: Logical and Physical Asset Penetration

In conjunction with Shakacon 2008

Morning Session – Hacker Techniques

Hacking techniques and methodologies from world-renowned penetration testers! Course will cover:

1. Passive information gathering – soft information on your target
2. Active information gathering – scanning and service/app identification
3. Vulnerability identification – Nessus, other toolkits
4. Exploitation – Metasploit, brute force attacks, others
5. Host pilfering – what to do once you have root/admin/host privileges
6. Escalating privileges
7. Easter egg hunting
8. Exploiting trust – how to abuse what you have to get on other hosts
9. Hiding your tracks

Afternoon Session – Lockpicking

Expert lockpicking tools and techniques taught by one of the world's foremost experts in lockpicking.

About the trainer, Deviant Ollam:

Deviant Ollam's first love has always been teaching. A graduate of the New Jersey Institute of Technology's "Science, Technology, & Society" program, he is always fascinated by the interplay that connects human values and social trends to developments in the technical world. A fanatical supporter of First Amendment rights who believes that the best way to increase security is to publicly disclose vulnerabilities, Deviant has given lockpick demonstrations / classes at ShmooCon, DefCon, ToorCon, HOPE, HITB, HackCon, SecVest, and the United States Military Academy at West Point.

Monday June 9, 2008 – Dole Cannery Ballroom, 650 Iwilei Rd, Honolulu, HI 96817
www.shakacon.org for details

Page 3: Shakacon 2008 - ISSA Hawaii

2-Day Web Application Security Training: Building and Testing Secure Web Applications

Course trainer: Jim Manico, Aspect Security

In conjunction with Shakacon 2008

Course Overview

Most developers, IT professionals, and auditors learn what they know about application security on the job, usually by making mistakes. Application security is not a part of many computer science curricula today, and most organizations have not focused on instituting a culture that includes application security as a core part of their IT security efforts.

This powerful two-day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how application vulnerabilities can be exploited so that students really understand how to avoid introducing such vulnerabilities into their code.

Details

This course starts with a module designed to raise awareness of just how insecure most web applications are. We demonstrate how easily hackers are able to attack web applications, and what some of the most common and most significant vulnerabilities are. The course then provides an overview of how web applications work from a security perspective.

The next modules detail a number of specific security areas. We describe common vulnerabilities, present best practices, and discuss recommended approaches for avoiding such vulnerabilities. This course includes coverage of the following web application security areas (which encompass the entire OWASP Top 10 plus more): Authentication and Session Management; Access Control; Cross-Site Request Forgery; Cross-Site Scripting; Input Validation; Protecting Sensitive Data; Caching, Pooling, and Reuse Errors; Database Security; Error Handling and Logging; Denial of Service; Code Quality; Accessing Services Securely; Setting Security Policy; Integrating Security into the SDLC.

For each area, the course covers the following: theoretical foundations, recommended security policies, common pitfalls when implementing, details on historical exploits, and best practices for implementation.

This course teaches developers how to avoid all of the common pitfalls in building critical web applications, including all of the OWASP Top Ten. The course uses hands-on exercises and group discussions to change the way developers think about security.

Featuring: Hands-on Lab!

To cement the principles delivered via the lecture portion of the course, students can participate in a number of hands-on security testing exercises. During the hands-on exercises students will attack a live web application that has been seeded with common web application vulnerabilities. The students will use proxy tools commonly used by the hacker community to complete the exercises. If you are interested in participating in the hands-on portion, please bring along a Windows-based laptop.

About Aspect Security

Aspect is the leading provider of application security training courses. Aspect understands that education and training is one of the critical building blocks to achieving application security in an organization. Since 1998, they've taught thousands of developers, architects, testers, and managers how to build and test applications to ensure security.

www.shakacon.org for details

Page 4: Shakacon 2008 - ISSA Hawaii

Dole Cannery Ballroom, 650 Iwilei Road, Honolulu, HI, 96817
www.shakacon.org

Shakacon 2008 Speaker Topics / Bios (alphabetically)

Speakers will continue to be added all the way up until Shakacon.
Visit www.shakacon.org for regular updates on speakers, topics, and schedules.

Speaker: Francisco Amato, InfoByte Security Research

Bio: Francisco Amato is a security researcher & consultant specialised in vulnerability development, blackbox testing and reverse engineering. Francisco is running his own company, [ISR] - Infobyte Security Research (www.infobyte.com.ar), where many of the developments include audit tools and vulnerabilities in several Novell and IBM products. He is one of the organizers of the ekoparty security conference (www.ekoparty.com.ar).

Topic: evilgrade – "You have pending upgrades"


Speaker: Andrea Barisani, InversePath

Bio: Andrea Barisani is a security researcher and consultant. His professional career began 8 years ago, but it all really started when a Commodore-64 first arrived in his home when he was 10. Now, 17 years later, Andrea is having fun with large-scale IDS/Firewall deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia.

Being an active member of the international Open Source and security community, he is maintainer/author of the tenshi and ftester projects as well as the founder and project coordinator of the oCERT effort, the Open Source Computer Emergency Response Team.

He has been involved in the Gentoo project, being a member of the Gentoo Security and Infrastructure Teams, and the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he is now the co-founder and Chief Security Engineer of Inverse Path Ltd.

He has been a speaker and trainer at PacSec, CanSecWest, BlackHat and DefCon conferences among many others, speaking about SatNav hacking, 0-days, LDAP and other pretty things.

Topic: oCERT & Practical Linux Hardening

Page 5: Shakacon 2008 - ISSA Hawaii

Speaker: Kenneth K. Fukunaga, Fukunaga Matayoshi Hershey & Ching LLP

Bio: Mr. Fukunaga graduated from the University of San Francisco School of Law with Honors and from the University of Hawaii with an M.A. and a Ph.D. in psychology. While in law school, he was nominated and elected to the McAuliffe Honor Society. While in graduate school, he was nominated and elected to Sigma Xi, the scientific research honorary. He is a past recipient of the Association of Information and Image Management International's Distinguished Service Award and past president of the local chapter. He is currently a senior partner with Fukunaga Matayoshi Hershey and Ching, where he specializes in complex litigation and health care law. He is currently the president of the Hawaii Defense Lawyers Association.

Topic: Update on E-Discovery


Speaker: Gary Kahn, Territorial Savings Bank

Bio: Our speaker, Gary Kahn, is a recognized expert and community resource in Information Security. He is a Certified Information Systems Security Professional (CISSP); a Certified Information Security Manager (CISM); and holds a Bachelor of Science in Computer Science from Hofstra University in Hempstead, New York. While in New York, he worked for large and small companies including Montgomery Ward; J. Walter Thompson; Chase Manhattan Bank; and Eastern States Bankcard Association in the areas of software development and project management. During the past 25 years in Hawaii, he managed software engineering departments for Electronic Data Systems, where he received EDS's Excellence Achievement Award for Customer Satisfaction, and Hawaii Medical Services Association (HMSA), where he managed 25 systems and programming professionals. On the hardware side of the shop, Kahn managed Kaiser Permanente's data center operations at their Moanalua facility. At Bank of Hawaii, his career turned towards information security in 1996 when he was promoted to vice president and manager of their information security department. In 2004, Mr. Kahn was hired by Territorial Savings Bank as their ISO to implement a comprehensive information security program. In 2006, he was promoted to vice president. Mr. Kahn is past president and a current member of the Information Systems Security Association (ISSA); a member of the Information Security and Audit Control Association (ISACA); member of the Computer Security Institute (CSI); past treasurer for the Association of Information Technology Professionals (AITP); and a member of the American Motorcycle Association (AMA).

Page 6: Shakacon 2008 - ISSA Hawaii

Topic: Policies, Standards, and Procedures – What's the difference & Why are they so hard to create


Speaker: Mike Kemp, Orthus

Bio: Michael is an experienced UK-based security consultant, with a specialization in the penetration testing of web applications and the testing of compiled code bases and DB environments to destruction. As well as the day job, Michael has been published in a range of journals and magazines, including heise, Network Security, InformIT and Security Focus, and is currently preparing his first book-length technical manuscript. To date, Michael has worked for NGS Software, CSC (Computer Sciences Corporation), and a host of freelance clients throughout the globe. Presently, Mike is working in a day job for UK security consultancy Orthus Ltd, and planning on touting his shoddy wares via a new start-up, which keeps not starting up thanks to life getting in the way. When not breaking things, Michael enjoys loud music, bad movies, weird books and writing about himself in the third person.

Topic: Virtualization


Speaker: John Lokka, L-3 Enterprise Information Technology Systems

Bio: John Lokka, CISSP, works for L-3 Enterprise Information Technology Systems at Theatre Network Operations Center - Pacific, NetDefense. He conducts research during the course of maintaining trend awareness and activity indicators. He has worked in computer security for 7 years performing tasks ranging from network monitoring to security policy and implementation. He also holds the GREM and GEIT certificates.

Page 7: Shakacon 2008 - ISSA Hawaii

Topic: War Walking Waikiki


Speaker: Jim Manico, Aspect Security

Bio: Jim has 11 years of experience developing Java-based data-driven web applications for organizations such as FoxMedia (MySpace), GE, CitiBank and Sun Microsystems. For more information, see manico.net

Topic: ESAPI (OWASP Enterprise Security API project)

Presentation Experience:

In addition to Jim's application development experience, Jim also has 4 years' experience as an Application/Software Security educator and presenter. Jim was previously a SANS Application Security Instructor and author. He has recently changed focus to on-site Application Security instruction for Fortune 100 organizations through Aspect Security. (Topics include PHP Application Security, Java Application Security and Application Security for Managers.)


Speaker: Morgan Marquis-Boire, Security-Assessment.com

Bio: Morgan Marquis-Boire is a Principal Security Consultant at Security-Assessment.com where he specialises in Unix, forensics, and network security. He has a degree in Philosophy and enjoys big kit and forgotten networks. Prior to his present incarnation as a corporate security guy, he's worked doing cluster computing, government infrastructure, Linux security appliances, and a security start-up in Japan. He has penned articles for magazines, written whitepapers, and presented at conferences both national and international on a diverse range of subjects from SAN Security to Anonymous Network Technologies.

Topic: Fear, Uncertainty and the Digital Armageddon

Page 8: Shakacon 2008 - ISSA Hawaii

Speaker: Deviant Ollam

Bio: While paying the bills as a network engineer and security consultant, Deviant Ollam's first and strongest love has always been teaching. A graduate of the New Jersey Institute of Technology's "Science, Technology, & Society" program, he is always fascinated by the interplay that connects human values and social trends to developments in the technical world. A fanatical supporter of First Amendment rights who believes that the best way to increase security is to publicly disclose vulnerabilities, Deviant has given lockpick demonstrations at DefCon, Black Hat, ShmooCon, ToorCon, HOPE, HackInTheBox, HackCon, SecVest, and the United States Military Academy at West Point.

Topic: Ten Things Everyone Should Know About Lockpicking & Physical Security


Speaker: Paul Proctor, Gartner

Bio: Mr. Proctor has been involved in information security since 1985. He was founder and CTO of two security technology companies and developed both first- and second-generation, host-based intrusion-detection technologies. Mr. Proctor is a recognized expert in the field of information security and associated regulatory compliance issues surrounding the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Gramm-Leach-Bliley Act (GLBA). He has authored two Prentice Hall books and many white papers and articles. Mr. Proctor is an accomplished public speaker and was recognized for his expertise by being appointed to the original Telecommunications Infrastructure Protection working group used by Congress to understand critical infrastructure protection issues prior to the terrorist attack of Sept. 11. Previously, he worked for SAIC, Centrax, CyberSafe, Network Flight Recorder and Practical Security.

Topic: Risk Management Overview

Presentation Experience:

About 30 presentations a year at Gartner events with audiences of 50-500. High presentation score.

Page 9: Shakacon 2008 - ISSA Hawaii

Speaker: David Rair, Chun Rair & Yoshimoto LLP

Bio: David K. Rair is a partner in the law firm of Chun Rair & Yoshimoto LLP, focusing in banking, financial services and commercial lending, including compliance with Hawaii and federal laws governing the development and delivery of financial services and products. Mr. Rair represents Hawaii and mainland based commercial banks, savings banks, diversified financial services companies, finance companies, and mortgage lenders in a variety of matters including consumer credit regulation and transactions, licensing requirements, privacy, commercial financing transactions, deposit products, and regulatory matters. Mr. Rair also represents commercial lenders in developing business lending programs; commercial real estate loans; and acquisition, development and construction financing. Mr. Rair is named in Best Lawyers in America in banking law, and is a member of the Conference on Consumer Finance Law and the American Bar Association – Business Law Section, and the Consumer Financial Services, Banking Law and Commercial Financial Services Committees. Mr. Rair has given numerous presentations on banking and financial services to the Hawaii Financial Services Regulatory Compliance Association and the Real Property and Financial Services Section of the Hawaii State Bar Association.

Topic: Federal & State Information Privacy/Protection Laws


Speaker: Alberto Revelli, Portcullis Security

Bio: Alberto Revelli (aka icesurfer) lives and works in London, where he enjoys the bad weather and the astronomically expensive cost of living. He is a senior penetration tester for Portcullis Computer Security, where he mostly deals with web applications and anything else that happens to tickle his passion for breaking things. Much to his surprise, he has been invited as a speaker to several conferences (EuSecWest, OwaspDay, CONFidence, Infosecurity, ...). He is the Technical Director of the Italian Chapter of OWASP, has co-authored the OWASP Testing Guide 2.0, and has developed sqlninja (http://sqlninja.sf.net), probably believing that there were not enough SQL Injection tools out there already.

Topic: Building the bridge between the Web Application and the OS: GUI access through SQL Injection

Page 10: Shakacon 2008 - ISSA Hawaii

Presentation Experience:

• EuSecWest 2007 - London, UK
• Owasp Day I (2007) - Rome, Italy
• Owasp Day II (2008) - Rome, Italy
• Infosecurity Italy (2006 and 2007) - Milan, Italy
• Confidence (Upcoming May 2008) - Krakow, Poland


Speaker: Stefano Zanero, Politecnico di Milano

Bio: Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico of Milano technical university, where he is currently spending his post-doc. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, security of web applications and computer virology.

He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer-reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for the "ACM Computing Reviews" and "IEEE Security&Privacy", as well as various primary international conferences.

He is a member of the IEEE (Institute of Electrical and Electronics Engineers), the ACM (Association for Computing Machinery), and a founding member of the Italian Chapter of ISSA (Information Systems Security Association). He has also been a columnist for Computer World Italy, and was awarded a journalism award in 2003. Since 2004 he has been a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

Topic: In this talk we will recapitulate the main challenges we are going to address in order to build an automatic, global network which can perform early warning, automatic classification and analysis of malware and exploits as they propagate, or are used, worldwide. This talk is also an open call for cooperation within the framework of the European research project WOMBAT, which has just started at the beginning of 2008.