Ag3nt47 Security – Shmoocon 2013 – Ka-Ching – How To Make Real Money

Description: Margaret Russell
Emerging security technology –your technology—is overlooked, undersold, and underutilized partly because big customers often procure from big companies. Start up and young companies face stiff sales competition from established companies that have large marketing and sales organizations. This talk provides the secrets to winning competitive sales scenarios when the written response to an RFP is the key to being competitive.

Successful sales to businesses or governments usually rely on qualifying rounds of requests for information, proposals, quotes, and oftentimes demonstrations. For a startup or young company that concentrates on technology over marketing, this standard process can be exclusionary. Here’s how to manage a sales process that is dependent on response documents to win the business. And make money. Real Money.

Ms. Russell is a marketing professional with over 30 years experience in networking software, secure networks, and SaaS. She has written and managed hundreds of technical software and services proposals for very large, insanely large, and ginormous multi-national companies. She has run projects that have brought in billions of dollars to her corporate masters. It’s time for the little guys to know the secrets, too. She holds a BA from New York University and a Master’s from Cornell. This is her first ShmooCon talk.


Ag3nt47 Security – Carolinacon – 9 – 2013 – Iphone Data Reconnaissance Without Physical Access To The Device.

Description: Abstract:

I’ll explore methodologies for iOS data reconnaissance without physical access to the device. Using a non jailbroken iPhone, I’ll show how to use a local network to use common settings on devices to remotely backup the device to its paired instance of iTunes (assuming network or physical access to the computer), find the backup on disk, and extract things like the TXT/iMessage raw sqlite database to the recent calls list.
These tactics can be used to automate backups of your own device for safekeeping of data or for more nefarious things like recovering text message logs from a spouse’s phone to see what they’ve ben up to behind your back. I’ll show example SQL queries to adjust date/timestamps and account for an Apple bug that made it into production with iMessage database records which will make it easier to work with the data. I’ll also show a simple way to protect against this sort of data reconnaissance by others.

Jarrick is a software engineer by trade and manages the engineering department of a small custom web application development company. He also has a successful side business developing iOS apps for the masses. Jarrick is a member of the FALE Association of Locksport Enthusiasts.

Ag3nt47 Security – Carolinacon – 9 – 2013 – Search Engine Hacking: Finding Credit Cards, Social Security Numbers, And Frighteningly More

Description: Abstract:

Brief Topic Abstract: This presentation is for anyone interested in learning the true power of search. While the vast majority of people think of search engines as gateways to movie times, shopping deals, and a little fact-checking, the reality is that advanced search queries are being used via the most popular search engines every day to find unbelievable types of information. Search has proven time and again that even the most paranoid and cautious individuals can find themselves on the business end of identity theft, and they’d never know how it happened. If you don’t know how to use a search engine to find credit card scans, Social Security numbers, usernames and passwords, VPN credentials, back-up images, virtual machine installs, software licenses, confidential documents, private image/video dumps, or similarly fascinating/frightening data, then I’m offering you the chance to take the red pill and see just how deep the search engine rabbit hole really goes…

Stephen is a freelance writer and investigative researcher who is head-over-heels in love with search. Whether it’s tirelessly refining advanced search queries, unearthing awesome niche search engines, Internet marketing (SEO, social media, etc.), or just about anything Web-related, Stephen is passionate about it. Such passion allows him to touch on various facets of competitive research, Web security, search-related “fun and profit,” and much more. Currently, Stephen writes for CBS Interactive / ZDNet on topics related to search, security, hardware, software, gaming, and other tech-related subjects. He speaks at conferences regarding search engine hacking and is also in the process of writing a book regarding advanced search querying with Google. Connect with Stephen via his Web site, LinkedIn, Twitter, or Facebook!

Ag3nt47 Security – Carolinacon – 9 – 2013 – Getting Shells When Metasploit Fails

Description: Penetration Tests aren’t new, and most companies have figured out how to eliminate the low hanging fruit. Some have even gone above and beyond and deployed technologies like Network AV, IPS, and egress filtering. In 50 minutes, this talk is going to go through different ways of getting access to systems on the network without exploits and working around common hardening. Leveraging configuration weaknesses, common hardening oversights, and more, we’ll go through ways to get around difficult AV systems, network AV, using open source and commonly available tools to get access to boxes were the standard stuff fails. Join us for a adventure with few slides and lots of shells, just make sure to keep your hands and feet inside the ride at all times.

Ryan Linn is a Senior Consultant with Trustwave’s SpiderLabs – the advanced security team focused on penetration testing, incident response, and application security. Ryan is a penetration tester, an author, a developer, and an educator. He comes from a systems administration and Web application development background, with many years of IT security experience. Ryan currently works as a full-time penetration tester and is a regular contributor to open source projects including Metasploit and BeEF, the Browser Exploitation Framework.

Ag3nt47 Security – Carolinacon – 9 – 2013 – The Maru Architecture Design: A Proposed Byod Architecture For An Evolving Threat Landscape

Description: Abstract:

Abstract: BYOD has been a strong growing trend in information technology over the last few years. Proponents cite the benefits of cost savings, employee productivity, and worker satisfaction when pushing for adoption. As organizations explore accepting this paradigm shift, IT faces a future reality where devices are no longer under their complete control. This loss of control, along with a rapidly evolving security landscape focused on data breaches through attacking the user, is enough to keep IT staff and management awake at night with the fear that a breach of their network will soon make headlines.
Despite these fears and objections, the growing thought among industry experts is that BYOD acceptance is inevitable for most organizations. A shift in strategic thinking towards accepting BYOD in the enterprise and mitigating its potential risks is needed. This talk focuses on a proposed architecture blueprint for BYOD enterprises. The goal of this design, when part of a proper BYOD program, will be to help reduce many of the risks associated with BYOD, while allowing users and organizations to enjoy the many benefits.

Michael Smith is a consultant for ePlus Security. A ten-year veteran of the industry, he has a diverse IT background, although his true passion remains security. Michael is currently a Doctoral candidate at Capital College, researching attack prediction and discovery using predictive analytics. He holds several certifications including his CISSP, OSCP, and GPEN. When not testing or securing the enterprise, Michael enjoys spending time with his family, pursuing his many geeky interests, and traveling… especially to see the Mouse.

Ag3nt47 Security – Carolinacon – 9 – 2013 – How The West Was Pwned

Description: Abstract:

Can you hear it? The giant sucking sound to the East? With it are going more than just manufacturing jobs — it’s our manufacturing know-how, intellectual property, military secrets, and just about anything you can think of. If we’re the most advanced technological nation on Earth, how are the People’s Republic of China (PRC) and others able to continue to pull this off? Why do we keep getting pwned at our own game? Last year I talked about “Hacking as an Act of War.” This year we’ll look at some specifics, including (published) documents that outline the plan of attack against America, (unclassified) details about what operations have been run against us, and efforts to create an international legal framework for cyberwar before the bits really start flying.

G. Mark Hardy, CISSP, CISM, GSLC, is a retired U.S. Navy captain, and president and founder of National Security Corporation. He writes crypto contests for hacker conferences, and now that he’s sort-of retired he can break 100 on the front 9.