Black Hat USA 2011 //speakers
Caesars Palace Las Vegas, NV • July 30 - August 4
Ambassador Cofer Black is an internationally acknowledged, 30-year career U.S. Government leader and expert in counterterrorism and national security. Since 2009 he has been Blackbird Technologies' Vice President for Global Operations. During 2005–2008, he provided strategic guidance and business development as Vice Chairman of Blackwater Worldwide and as Chairman of Total Intelligence Solutions. During 2002–2005, at the Assistant Secretary of State level, he reported to the Secretary of State for developing, coordinating, and implementing American counterterrorism policy as Coordinator. He served a 28-year career at CIA, reaching Senior Intelligence Service (SIS-4) level as Director, Counterterrorist Center (D/CTC), over the 9/11 period. He completed six successful operational CIA tours abroad in field management positions focusing on counterterrorism, but also addressing regional security issues, counterintelligence, and covert action. He is experienced representing the United States at the Head of State level, managing media as a diplomatic spokesperson, and in public speaking as Keynote Speaker both as a senior U.S. Government official and business leader. Some of his achievements have been portrayed in the best-selling books Ghost Wars, Bush at War, First In, Jawbreaker, and At the Center of the Storm. He earned both a BA/MA in international relations from the University of Southern California.
Peiter "Mudge" Zatko: Prior to coming to DARPA, Mr. Zatko was a Division Scientist and Technical Director for BBN Technology's National Intelligence Research and Applications division. Prior to that, Mr. Zatko served as the CEO and Chief Scientist at LHI Technologies, and was Chief Scientist/Executive Vice President for Research and Development at @Stake Inc. He has served on the advisory boards of several organizations, as an R&D Subcommittee Member to the Partnership for Critical Infrastructure Protection, and as a Research Subcommittee Member to the Office of Science and Technology. Mr. Zatko is the inventor of L0phtCrack, a Microsoft password auditing tool; of AntiSniff, a remote promiscuous system detector; of L0phtWatch/Tempwatch; and of SLINT, a tool in automating source code analysis to discover security coding vulnerabilities.
Joshua "Jabra" Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has extensive IT Security and Auditing experience and worked as an enterprise risk assessment analyst for Hasbro Corporation. Josh specializes in penetration testing, web application security assessments, wireless security assessments, and custom code development. He has spoken at BlackHat, DefCon, ShmooCon, The SANS Pentest Summit, Infosec World, SOURCE Barcelona, CSI, OWASP Conferences, LinuxWorld, Comdex and BLUG. In his spare time, he contributes code to open source security projects such as the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ. He is frequently quoted in the media regarding Microsoft Patch Tuesday and web application security by ComputerWorld, DarkReading and SC Magazine. Josh earned his Bachelor of Science degree in Computer Science from Northeastern University.
Carnegie Mellon University
Alessandro Acquisti is an Associate Professor of Information Technology and Public Policy at the Heinz College, Carnegie Mellon University. He is the co-director of the CMU Center for Behavioral Decision Research (CBDR), a member of Carnegie Mellon Cylab, and a fellow of the Ponemon Institute. His work investigates the economic and social impact of IT, and in particular the economics and behavioral economics of privacy and information security, as well as privacy in online social networks. His research has been disseminated through journals (including Proceedings of the National Academy of Science, Marketing Science, Journal of Consumer Research, Marketing Letters, Information Systems Research, IEEE Security & Privacy, Journal of Comparative Economics, Rivista di Politica Economica, and so forth), edited books ("Digital Privacy:Theory, Technologies, and Practices.'' Auerbach, 2007), book chapters, international conferences, and international keynotes. His findings have been featured in media outlets such as NPR, NBC, MSNBC.com, the Washington Post, the New York Times and the New York Times Magazine, the Wall Street Journal, the New Scientist, CNN, Fox News, and Bloomberg TV.
Alessandro has received national and international awards, including the PET Award for Outstanding Research in Privacy Enhancing Technologies, the IBM Best Academic Privacy Faculty Award, the Heinz College Teaching Excellence Award, and various best paper Awards. Two of his manuscripts were selected by the Future of Privacy Forum in their best "Privacy Papers for Policy Makers" competition. He is and has been member of the program committees of various international conferences and workshops, including ACM EC, PET, WEIS, ETRICS, WPES, LOCA, QoP, and the Ubicomp Privacy Workshop at Ubicomp. In 2007 he co-chaired the DIMACS Workshop on Information Security Economics and the WEIS Workshop on the Economics of Information Security. In 2008, he co-chaired the first Workshop on Security and Human Behavior with Ross Anderson, Bruce Schneier, and George Loewenstein. His research has been funded by the National Science Foundation, the Humboldt Foundation, the National Aeronautics & Space Administration, Microsoft Corporation, as well as CMU CyLab and CMU Berkman Fund.
Prior to joining CMU Faculty, Alessandro Acquisti researched at the Xerox PARC labs in Palo Alto, CA, with Bernardo Huberman and the Internet Ecologies Group (as intern), and for two years at RIACS, NASA Ames Research Center, in Mountain View, CA, with Maarten Sierhuis and Bill Clancey (as visiting student). At RIACS, he worked on agent-based simulations of human-robot interaction onboard the International Space Station. While studying at Berkeley, he co-founded with other fellow students a privacy technology company, PGuardian Technologies.
In a previous life, Alessandro worked as classical music producer and label manager (PPMusic.com), as freelance arranger, lyrics writer, and soundtrack composer for theatre, television, and indy cinema productions (including works for BMG Ariola/Universal and RAI 3 National Television), and raced a Yamaha TZ 125 in the USGPRU national championship.
Alessandro Acquisti has lived and studied in Rome (Laurea, Economics, University of Rome), Dublin (M.Litt., Economics, Trinity College), London (M.Sc., Econometrics and Mathematical Economics, LSE), and in the San Francisco bay area, where he worked with John Chuang, Doug Tygar, Florian Zettelmeyer, and Hal Varian and received a Master and a Ph.D. in Information Management and Systems from the University of California at Berkeley.
Bradley is VP of Technical Strategy at M86 Security and spokesperson for all topics relevant to the M86 Security Labs. The M86 Security Labs team of researchers and threat analysts have built an extensive level of expertise in Cybercrime, Web malware, Bot networks and all aspects of Email and Web security. The M86 Security Labs provides 24/7 monitoring of email and Internet traffic to protect customers and publishes findings in the form of alerts or reports on the M86 Security Labs Website. Bradley is a regular speaker on both the business issues and what the industry needs to do to address IT security problem related to policies and technology. He is a 20 year veteran of the IT industry and a leading authority on the topic of Internet threats and cybercrime.
Brad Arkin is the senior director of product security and privacy at Adobe. In his role, Arkin leads the Adobe Secure Software Engineering Team (ASSET) responsible for ensuring Adobe's products are designed, engineered and validated using security best practices, as well as the Product Security Incident Response Team (PSIRT) dedicated to responding to and communicating about security issues. Prior to joining Adobe, Arkin held management positions at StepNexus, Symantec, @Stake and Cigital. He is currently a board member of SAFECode, the Software Assurance Forum for Excellence in Code, and a member of the BSIMM (Building Security In Maturity Model) advisory board. Arkin holds a BS in computer science from the College of William and Mary, an MS in computer science from George Washington University, and an MBA from Columbia University and London Business School.
Push The Stack Consulting
James Arlen, CISA, is Principal at Push The Stack Consulting providing security consulting services to the utility and financial verticals. He has been involved with implementing a practical level of information security in Fortune 500, TSE 100, and major public-sector corporations for more than 15 years. James is also a contributing analyst with Securosis and has a recurring column on Liquidmatrix Security Digest. Best described as:"Infosec geek, hacker, social activist, author, speaker, and parent." His areas of interest include organizational change, social engineering, blinky lights and shiny things.
iSEC Partners, Inc.
Don A. Bailey is a Security Consultant with iSEC Partners, Inc. Don has discovered many unknown security vulnerabilities in well used software, analyzed new and proprietary protocols for design and implementation flaws, and helped design and integrate security solutions for up and coming internet software.
While Don's primary expertise is in developing exploit technologies, he is also well versed at reverse engineering, fuzzing, enterprise and embedded programming, source code auditing, rootkit detection and design, and network penetration testing. In addition, Don has helped develop and enhance risk management programs for several Fortune 500 companies and has been invited to speak about risk management from a CISO perspective at government organized conferences.
For the past six years, Don has presented research at several international security conferences discussing topics such as stealth root-kit design, zero-day exploit technology, DECT, GSM, and embedded security. Most recently, Don spoke at Blackhat Barcelona 2011 and SyScan Singapore 2011 regarding vulnerabilities in embedded architectures and issues in the global telephone network.
Marco Balduzzi holds an MSc. in computer engineering and has been involved in IT-Security for more then 8 years with international experiences in both industrial and academic fields. He worked as security consultant and engineer for different companies in Milan, Munich and Sophia-Antipolis, in south France, before joining EURECOM and the International Secure Systems Lab as Ph.D. researcher.
He attended well-known and high-profile conferences all over (Blackhat, OWASP AppSec, NDSS) and currently speak five different languages. Being a Free Software sympathizer, in the year 2K, he cofounded the Bergamo Linux User Group and the University Laboratory of Applied Computing. In former times, he was an active member of several open-source projects and Italian hacking groups.
Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break.
His experiences focus on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 10 years of professional experience in security consulting. Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Emergency Response Team.
He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box, PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.
ElcomSoft Co. Ltd.
Andrey Belenko is a Security researched and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.
Dillon Beresford is an independent security researcher who also works as a security analyst at NSS Labs. He has tested the world's leading Network IPS, IDS, HIPS, AV, and NGFW products. For the last few years Dillon has disclosed vulnerability advisories to US-CERT, ICS-CERT and CN-CERT. In 2011 he developed an exploit for one of the most popular high performance production SCADA/HMI software applications in China which is widely used in power, water conservancy, coalmine, environmental protection, defense and aerospace. In the past Dillon has presented on vulnerabilities affecting industrial control systems, embedded systems, software, and hardware. He has given presentations on a wide array of vulnerabilities primarily targeting devices and software in The People's Republic of China. His presentations have included vulnerabilities in Huawei devices running VxWorks, Beijing based WellinTech KingView SCADA and Beijing based NSFOCUS, Sunway China Unicom, China Telcom, China Railcom and AVCON.
Daniele Bianco began his professional career as a system administrator in scientific organizations. His interest in centralized management and software integration in Open Source environments has focused his work on design and development of suitable R&D infrastructures. One of his passions has always been exploring hardware and electronic devices. Currently he is Inverse Path's resident Hardware Hacker. His primary activities focus on hardware customization, embedded system integration and the design of remote monitoring networks for M2M infrastructures. He is an active contributor to the Open Source community and an invited speaker at many international IT security events.
Technical University Berlin
After finishing masters degree in Security and Mobile computing at TKK & KTH, Ravi works as a researcher in the the Security in Telecommunications department at Technical University Berlin. His research themes are related to mobile telecommunication and involved security threats. This ranges from GSM/UMTS/LTE, network security to end-user device security.
National Security Agency
Kris Britton is the Director for the NSA Center for Assured Software. He has been involved in the Information Assurance discipline for the U.S. DoD for the last 20 years working in areas of operating system security, database security, international security criteria, security engineering and most recently software assurance. As the Director of the NSA Center for Assured Software he leads a government team of analysts to promote software assurance principles and practice to DoD and National Security clients.
Jonathan is a security research engineer holding an Engineering degree and a Master in Computer Science. Born in France, he's been living in Brazil and India, before currently working in Australia. With about 15 years of practice of assembly, he is specialised in low level security, from raw sockets to cryptography and memory corruption bugs. He is well known in the industry for his disruptive research on preboot authentication (breaking all the top tier BIOS passwords, and full disk encryption software - including Truecrypt and Microsoft Bitlocker- with a single exploit in 2008 !) as well as Virtualization software. He is currently working as CEO and security consultant at the Toucan System security company. His clients count some of the biggest Defense and Financial Institutions worldwide. Jonathan is also the co-organiser of the Hackito Ergo Sum conference (HES2011) in France. Jonathan has been a speaker at a number of great intenational conferences including Defcon, HITB (Amsterdam & Kuala Lumpur), Ruxcon (Australia), Hackito Ergo Sum (France), H2HC (Brazil & Mexico) among others.
Stach & Liu, LLC
Francis Brown, CISA, CISSP, MCSE, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 500 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Francis served as an IT Security Specialist with the Global Risk Assessment team of Honeywell International where he performed network and application penetration testing, product security evaluations, incident response, and risk assessments of critical infrastructure. Prior to that, Francis was a consultant with the Ernst & Young Advanced Security Centers and conducted network, application, wireless, and remote access penetration tests for Fortune 500 clients.
Francis has presented his research at leading conferences such as Black Hat USA, DEFCON, InfoSec World, ToorCon, and HackCon and has been cited in numerous industry and academic publications.
Francis holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology. While at Penn, Francis taught operating system implementation, C programming, and participated in DARPA-funded research into advanced intrusion prevention system techniques.
Elie Bursztein is a researcher at the Stanford Security Laboratory. His research is on computer security and applied cryptography with a specific attention to web, game and mobile security. He holds an engineering degree and a Ph.D in computer science Elie's research combines the advances in machine learning, cryptography, data mining and HCI to create more usable and secure systems. Lately, he has been working on improving CAPTCHA security and usability . He is also developing a Chrome extension for safer and more private browsing. Elie blogs at http://elie.im/blog and tweets at @elie.
Jamie Butler is a highly respected member of the information security community with fourteen years of experience in operating system security. He is a recognized leader in attack and detection techniques and has focused in recent years on memory analysis research.
Jamie is the Director of Research and Development at MANDIANT and formerly led its Endpoint Security Team on its enterprise product MANDIANT Intelligent Response®.
Prior to joining MANDIANT, Jamie was the Chief Technology Officer of Komoku, Inc. and Director of Engineering at HBGary. His experience also includes Host Intrusion Detection Systems (HIDS) development at Enterasys Networks and over five years of experience at the National Security Agency.
Jamie is the co-author of the bestseller, Rootkits:Subverting the Windows Kernel. (Addison-Wesley, 2005). In addition, he has authored numerous articles for publication and is a frequent speaker at the foremost computer security conferences. He is the co-author and instructor of the popular security courses Advanced Memory Forensics in Incident Response, Advanced 2nd Generation Digital Weaponry, and Offensive Aspects of Rootkit Technology. Jamie's unique knowledge of Windows' internal structures resulted in the free, cutting edge memory analysis tool Memoryze, which he co-authored with Peter Silberman.
Jamie holds a Master of Computer Science degree from the University of Maryland, Baltimore County. He also holds a Bachelor of Science degree in Computer Science and a Bachelor of Business Administration degree in Computer Information Systems from James Madison University.
Johnny Cache is a world renowned rock star of wireless hacking. In the past few years he has published an award-winning thesis on 802.11 driver fingerprinting, re-written aircrack in C++ (for aesthetics), and published two editions of Hacking Exposed:Wireless. Having written the book on wireless hacking he decided to go the extra mile and create a specification for geo-locating wireless networks. You know, so he could find more networks to hack. He does not yet have his CISSP.
Digital Forensics Solutions
Andrew Case is a researcher at Digital Forensics Solutions where he is responsible for source code audits, penetration testing, and other computer security related tasks. He is also a GIAC-certified digital forensics investigator and has conducted numerous large scale investigations. Andrew's primary research focus is physical memory analysis, and he has published a number of peer-reviewed papers in the field. He has also presented this work at conferences including Blackhat and DFRWS.
Cesar Cerrudo Cesar Cerrudo is CTO at IOActive Labs where he leads the team in producing ongoing cutting edge research in the areas of SCADA, mobile device, application security and more. Formerly the founder and CEO of Argeniss Consulting, acquired by IOActive, Cesar is a world renown security researcher and specialist in application security.
Throughout his career, Cesar is credited with discovering and helping to eliminate dozens of vulnerabilities in leading applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. In addition, Cesar has authored several white papers on database, application security, attacks and exploitation techniques and he has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest, WebSec, HITB, Microsoft BlueHat, EkoParty, FRHACK, H2HC, Defcon, Infiltrate, etc. Cesar collaborates with and is regularly quoted in print and online publications including eWeek, ComputerWorld, and other leading journals.
Rouge Genius, LLC
George Chamales has spent the last decade working in almost every legal permutation of employer / job the computer security field has to offer. His list of current and former government employers includes DOD, DOE, DHS, and DOI. In the private sector, he's worked as a security architect, member of the Honeynet Project, and corporate pen-tester targeting Fortune 500 companies. He is an active member of the crisis mapping community, where he develops new tools and capabilities, co-founded of the Crisis Mappers Standby Task Force, and has served as the technical lead for numerous deployments including LibyaCrisisMap.net, Pakreport.org, and SudanVoteMonitor.com.
U.S. Army Cyber Command
Robert Clark is currently the operational attorney for the U.S. Army Cyber Command. He is the former Cybersecurity Information Oversight & Compliance Officer with the Office of Cybersecurity and Communications, Department of Homeland Security and former legal advisor to the Navy CIO; United States Computer Emergency Readiness Team; and, the Army's Computer Emergency Response Team. In these positions he has provided advice on all aspect of computer network operations. He interacts regularly with many government agencies and is a past lecture at Black Hat; DEFCON; Stanford Center for Internet and Society and the Berkman Center for Internet & Society at Harvard University -Four TED-TECH Talks 2011; SOURCE Boston 2010; the iapp; and, the DoD's Cybercrimes Conference.
University of Pennsylvania
Sandy Clark (Mouse) has been taking things apart since the age of two, and still hasn't learned to put them back together. An active member of the hacker community, her professional work includes an Air Force Flight Control computer, a simulator for NASA, singing at Carnegie Hall, and a minor in history. She is currently fulfilling a childhood dream, pursuing a Ph.D. in C.S. at the University of Pennsylvania. A founding member of Toool-USA, she also enjoys puzzles, toys, Mao (the card game), and anything that involves night vision goggles. Her research explores human scale security and the unexpected ways that systems interact.
Richard 'Sasha' Costa , MCSE, MCDBA, JD, quit school just 2 credits shy of finishing college to work for Microsoft. He spent the next decade in capacities ranging from a LAN/WAN specialist to a Microsoft Certified Trainer (MCT). An avid DEFCON attendee since 2000, his fascination with the clashes between the Information Security community and the legal system inspired a growing determination to bridge these cultures. In 2008, this lead him to enroll in law school.
He is passionate about using his unique blend of knowledge toward contributing to the recognition of Information Security as a bona fide, ethical, and self-regulated professional community (akin to lawyers, CPAs, architects, etc). He works as a forensic computer and cellphone consultant and expert witness for cases involving electronic evidence.
He earned his Juris Doctor from the University of New Mexico this summer, took the Bar exam last week, and is taking his final step toward the practice of law (the Multi-state Professional Responsibility Exam) the day after Black Hat.
Columbia University Intrusion Detection Systems Lab
Ang Cui is currently a PhD student at Columbia University in the Intrusion Detection Systems Laboratory. His research focuses on the exploitation and defense of embedded devices. Before starting his PhD, Ang worked as a security specialist within various financial institutions.
Dino Dai Zovi
Trail of Bits LLC
Dino Dai Zovi is an information security professional, researcher, and author. Mr. Dai Zovi has been working in information security for over 9 years with experience in red teaming, penetration testing, and software security assessments at Sandia National Laboratories, @stake, Bloomberg, and Matasano Security.
As an independent researcher, he is a regular speaker at industry, academic, and hacker security conferences including presentations of his research on hardware virtualization assisted rootkits using Intel VT-x, the KARMA wireless client security assessment toolkit, and offensive security techniques and tools at BlackHat USA, Microsoft BlueHat, CanSecWest, the USENIX Workshop on Offensive Technology, and DEFCON. He is a co-author of the books, The Mac Hacker's Handbook (Wiley 2009) and The Art of Software Security Testing (Addison-Wesley, 2006). He is perhaps best known in the security and Mac communities for discovering the vulnerability and writing the exploit to win the first PWN2OWN contest at CanSecWest 2007.
Dino has been named one of the 15 Most Influential People in Security by eWEEK and one of the Top Ten Sexy Geeks (NSFW) by Violet Blue.
Tom Daniels is a security researcher/consultant at iSEC Partners, an information security firm specializing in application, network, and mobile security. At iSEC, Tom specializes in web application, mobile application, and network security. Tom's areas of interest and current research include anything Mac OS X, reverse engineering, lock picking and exploit development.
On the other coast Tom was an Information Systems Auditor at PricewaterhouseCoopers in New York City. Tom received a BS in Computer Science with a minor in Japanese from Georgetown University in 2008.
Neil Daswani is responsible for Dasient's long-term product vision and strategy. A highly regarded Internet technology expert, Daswani has served in a variety of research, development, teaching, and managerial roles at Google, Stanford University, DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies).
Daswani's areas of expertise include security, wireless data technology, and peer-to-peer systems. He has published extensively in these areas, frequently gives talks at industry and academic conferences, and has been granted several U.S. patents. He is also the author of Foundations of Security:What Every Programmer Needs to Know, which teaches new and current software professionals state-of-the-art software security design principles, methodology, and concrete programming techniques they need to build secure software systems. While at Stanford, he co-founded the Stanford Center for Professional Development's Software Security Certification Program, which has become an important tool for educating software programmers, architects, developers, engineers, IT managers, chief information officers (CIOs), and chief security officers (CSOs) about security issues and designing secure programs.
Daswani earned a bachelor's degree in computer science with honors with distinction from Columbia University and a master's degree and Ph.D. in computer science from Stanford University.
Andy has worked in the Information Security industry for 20 years, performing a range of security functions throughout his career. Prior to joining NGS Secure, Andy held the positions of Head of Security Research at KPMG, UK and Chief Research Officer at IRM Plc. Before working in the private sector he worked for ten years performing various roles in Government. Recently, Andy has been leading security research projects into technologies such as embedded systems and hardware interface technologies and developing new techniques for black-box software vulnerability discovery
Crucial Security Inc.
Nick DePetrillo is a senior security researcher at Crucial Security Inc., a wholly owned subsidiary of Harris Corporation with a focus on hardware reverse engineering, cryptography, mobile security and other areas of interest. Most recently, Nick was a senior security consultant with Industrial Defender performing physical and electronic security assessments for various clients in the energy industry. Nick also researched Smart Grid/AMI hardware and software security issues while at Industrial Defender. Nick was a research and development engineer for Aruba Networks, concentrating on wireless security threats and prototyping new products. Nick has presented new security threats and mitigation techniques at both national and international conferences.
Artem Dinaburg currently works as a security researcher at Raytheon, investigating a broad range of security related topics. Prior to joining Raytheon, Artem worked as a security researcher building automated malware analysis systems, investigating web-based exploit kits, and identifying botnet command-and-control domains. While a graduate student at Georgia Tech he created hypervisor-based dynamic malware analysis platforms under Dr. Wenke Lee
Gal has been hacking since he got his hands on a computer. He started doing it professionally at age 16.
Gal did work for the IDF for a short while. He later worked as an independent consultant on information security while doing a start-up. Following this he went to study and joined Intel, initially as a member of the Pin binary instrumentation engine development team and now he is leading a team doing security evaluation and research @ Intel focusing on FW and touching on SW and HW.
Gal studied math and comp-sci at Israel Institute of Technology (Technion).
Nelson Elhage is a kernel hacker for Ksplice, Inc., where he works on providing rebootless security updates for the Linux kernel. In his spare time, he mines for and occasionally exploits bugs in the Linux kernel and other pieces of open-source systems software
Justin Engler is a Security Consultant for FishNet Security's Application Security practice. His focus is on the security of web applications, web-backed thick clients (desktop and mobile), databases, and industrial control systems. Justin is currently working on the open source RAFT project.
Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the German web application company SektionEins GmbH that he cofounded.
Tom Eston is a Senior Security Consultant for SecureState. Tom is a senior member of SecureState's Profiling team which provides attack and penetration testing services for SecureState's clients. Tom focuses much of his research on new technologies such as social media and mobile devices. He is the founder of SocialMediaSecurity.com which is an open source community dedicated to exposing the insecurities of social media. Tom is also a security blogger, co-host of the Security Justice and Social Media Security podcasts and is a frequent speaker at security user groups and national conferences including Notacon, OWASP AppSec, DefCon and ShmooCon.
Gregory is a Senior Security Consultant in the Application Security practice at FishNet Security. In his spare time, he likes to find and exploit vulnerabilities in web browsers and client-side technologies such as Java and Flash. He has an interest in privacy and anonymity and has worked with The Tor Project to identify potential issues.
EADS Cyber Security Centre
Ivan Fontarensky is an engineer and computer security researcher at Cassidian's Cyber Security Centre. He conducts pentest and forensic analysis on different types of platforms. He served a number of years within the French department of Homeland Security as a computer forensics expert.
Aperture Labs Ltd.
Zac Franken is a freelance consultant based in the UK with over 20 years of computing and security experience. At present he is researching physical access control systems. He started work back in '87 as a Unix Systems Administrator and founded of one of the UK's top Internet development shops in '94. His work has been quoted in international press and he is a frequent speaker at security conferences. Zac has been Operations Director for DefCon so long that he can no longer be officially considered sane.
Athens Information Technology
Thanassis Giannetsos received his BSc degree in computer and telecommunication engineering from the Technical University of Thessaly, Greece in 2006; and MSc degree in information networking from the Carnegie Mellon University, Pittsburgh, Pennsylvania, in 2008. Since 2008, he has been working with Algorithms and Security group in Athens Information Technology (AIT), Greece, as a research engineer.
Since 2008, he has been also pursuing his PhD on sensor networks security at the University of Aalborg, Denmark, under the supervision of Prof. Dr. Neeli R. Prassad (CTiF) and Prof. Dr. Tassos Dimitriou. His research interests include wireless security and privacy, design of intrusion detection and routing protocols of sensor networks, embedded systems and distributed computing.
- Distributed Computing, Embedded Systems
- Data Structures & Parallel Algorithms, Administration of Data Bases
- Security in Wireless Networks, Power Control on Networks
- Sensor Networks
- University of Aalborg, Denmark
- Ph.D student in Sensor Networks Security (expected 2011)
- Carnegie Mellon University, Pittsburgh, Pennsylvania
- MSc. Information Networking (MSIN), March 2008
- University of Thessaly, Greece
- Bachelor in Computer & Communication Engineering
Nico Golde just finished his masters in computer science and is starting off as a researcher at the Technical University Berlin in the department for Security in Telecommunications. He has a strong interest in mobile telecommunication and involved security threats. This ranges from GSM/UMTS, systems security (mostly unix based systems) to end-user device security.
Aleksander Gorkowienko, Senior Information Security Consultant and Penetration Tester at 7Safe Ltd. (UK). In the IT industry since 1997, always being happy to play with various high-tech toys. With wide area of interests and rich business experience (development, design and maintenance of software, dealing with various IT systems) now deeply involved into IT Security area. For everyday helping to strengthen the security of business applications and corporate infrastructure for enterprises across the UK:banks, e-commerce, production, public sector, etc. Specially interested in databases and applications security (web applications and windows apps). Also responsible for preparing and delivering training courses (i.e.:Certified Application Security Tester -CAST or Secure Coding for Web Developers) and creating a variety of hacking challenges.
Datagram has taught about locks, safes, and methods to compromise them for many years, including training to private companies and government agencies. He has spoken many times on physical and digital security at various conferences and is a part-time forensic locksmith. datagram runs the popular lock and security websites lockwiki.com and lockpickingforensics.com. datagram is the leader of "The Motherfucking Professionals", the team that won the first Tamper Evident contest at Defcon 18.
Jennifer Stisa Granick is an attorney at ZwillGenetski PLLC. Jennifer is based in San Francisco. Her practice focuses on computer crime and security, electronic surveillance, consumer privacy, data protection, copyright, trademark and technology regulation under the Digital Millennium Copyright Act.
Before joining ZwillGenetski, Jennifer was the Civil Liberties Director at the Electronic Frontier Foundation. Before EFF, Granick was a Lecturer in Law and Executive Director of the Center for Internet and Society at Stanford Law School where she taught Cyberlaw and Computer Crime Law. Before teaching at Stanford, Jennifer spent almost a decade practicing criminal defense law in California. She was selected by Information Security magazine in 2003 as one of 20 "Women of Vision" in the computer security field. She earned her law degree from University of California, Hastings College of the Law and her undergraduate degree from the New College of the University of South Florida.
Aaron Grattafiori is a Security Consultant with iSEC Partners. With over 7 years of security experience, he utilizes a wide array of skills and a history of independent research to discover vulnerabilities. Prior to working at iSEC Partners, Aaron was a Security Consultant at Security Innovation as well as a Linux Systems Administrator for a statewide ISP. During this time Aaron independently discovered and privately reported major vulnerabilities in widely deployed software and wireless systems. Aaron will be discussing major design flaws in Apple's Enterprise Server Security at SOURCE:Seattle. Aaron's areas of interest include vulnerability research and analysis, exploit development, intelligent fuzzing systems, and reverse engineering.
WhiteHat Security, Inc.
Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co-founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA, CSI, HiTB, OWASP, ISSA, and a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks. Grossman is often quoted in the the business and technical press. Prior to WhiteHat, Grossman was an information security officer at Yahoo!
Nathan Hamiel is a Principal Consultant for FishNet Security's Application Security Practice. He is also an Associate Professor of Software Engineering at the University of Advancing Technology. Nathan is an Information Assurance faculty member that is part of the university's Center of Academic Excellence sponsored by the NSA and DHS. He spends most of his time focusing in the areas of application, Web 2.0, and enterprise security. Nathan has been a speaker at security events around the world including:Black Hat, DefCon, ShmooCon, ToorCon, SecTor, and many others.
Yan Ivnitskiy is a security consultant for Matasano Security with 5 years experience as a security researcher. Prior to Matasano Security, Yan was an analyst for the Department of Defense. Yan received his BS and MS degrees in Computer Science from Polytechnic University.
Riley Hassell is an internationally recognized security professional. He is an industry expert in the fields of application security assessment, software reverse engineering and malware analysis. Mr. Hassell discovered and disclosed many of the most critical software vulnerabilities known. Throughout the year 2000 and 2001 he was responsible for several critical vulnerabilities, each having major repercussions on the security industry at large.
Mr. Hassell was responsible for the discovery of the first critical remote vulnerabilities in Windows 2000 and Windows XP. He also discovered the vulnerability that triggered the Code Red Internet worm. His initial dissection of the worm was used to develop and put in place protective measures to safeguard the network targeted by Code Red, the Whitehouse public network.
Taking his research a step further he forecast future worm technologies and presented during presentations at the Blackhat security conference. During the year 2002 Mr. Hassell performed an assessment of the popular security products. During his assessment he discovered critical vulnerabilities in several leading security products, pushing security vendors to take a second look at their software.
Mr. Hassell spent the following several years working with startup ventures to pioneer product technologies in the patch management, intrusion prevention, vulnerability analysis and malware analysis fields. Riley worked iSEC Partners as a senior associate during the following three years where he was responsible for assisting a variety of major corporations in the auditing, testing and security strategy of their digital assets.
Following his employment at iSEC he founded Privateer Labs and refocused his combined expertise to the emerging threats of the mobile landscape.
Verizon Cybertrust Security
Alex Hutton is a Sr. Analyst in Risk Intelligence with Verizon Business. Mr. Hutton has served as an information risk and security consultant for over 15 years, serving companies from the Fortune 10 to the SMB market. He has also served as Product Manager for security product vendors, and as an executive in two security start-up companies. He is a co-author of the Verizon Data Breach Investigation (2009), writes regularly for the Verizon Security Blog and the New School of Information Security blog. Alex also contributes to the Cloud Security Alliance, ISM3 security management standard, the CIS metrics project and the Open Group Security Forum. In 2007ITSecurity.com named Alex one of the industries 59 most influential people.
Matt Johansen is an Application Security Engineer at WhiteHat Security where he oversees and assesses more than 250 web applications for many Fortune 500 companies across a range of technologies. He was previously a security consultant for VerSprite, where he was responsible for performing network and web application penetration tests. Mr. Johansen is also an instructor of Web Application Security at Adelphi University, where he received his Bachelor of Science in Computer Science, and San Jose State University. He has also been utilized by the SANS Institute as an industry expert for certification review.
John D. Johnson
Dr. Johnson is currently a senior security manager for John Deere. He manages technical security programs across more than 130 John Deere business units in 160 countries worldwide. John has been responsible for architecting solutions that have been critical to maintaining global network security at John Deere. John is a frequent speaker and member of peer groups, industry panels, advisory councils, and has served as board member for several professional societies. John is an adjunct professor, course designer, author and security blogger. Prior to working at John Deere, John was security manager for the Theoretical Division, Los Alamos National Laboratory. John is a frequent lecturer on computer security and member of peer groups, industry panels and advisory councils.
Kevin Johnson is a security consultant with Secure Ideas. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and in his spare time he contributes to a large number of open source security projects. Kevin's involvement in open-source projects is spread across a number of projects and efforts. He is the founder of many different projects and has worked on others. He founded BASE, which is a Web front-end for Snort analysis. He also founded and continues to lead the SamuraiWTF live DVD. This is a live environment focused on Web penetration testing. He also founded Yokoso and Laudanum, which are focused on exploit delivery. Kevin is a senior instructor for SANS and the author of Security 542:Web Application Penetration Testing and Ethical Hacking. He also presents at industry events, including DEFCON and ShmooCon, and for various organizations, like Infragard, ISACA, ISSA, and the University of Florida.
Jatin Kataria, is pursuing MS in Computer Science from Columbia University . He is a Graduate Research Assistant with Intrusion Detection System research group at Columbia. He has published a paper and worked with McAfee for an year in the area of information security.
Mark Kennedy has been with Symantec for 20 years. The first 10 were in the utilities area, while the last 10 have been in anti-malware.
I am also on the Board of Directors of the Anti-Malware Testing Standards Organization (AMTSO), as well as its secretary.
I am also the Chairman of the IEEE Anti-Malware Working Group.
Security Consultant and Researcher, ThinkSec
Khash Kiani is a security consultant with over 13 years of experience in building and securing software applications for large defense, insurance, retail, technology, and health care organizations. He specializes in application security integration, penetration testing, and social-engineering assessments. Khash currently holds the GIAC GWAPT, GCIH, and GSNA certifications. He can be reached at [email protected]
LJ Kushner and Associates
Lee Kushner is the President of LJ Kushner and Associates, LLC, an executive recruitment firm exclusively focused on the information security industry and its professionals. For over a decade, the firm has advised and guided thousands of information security professionals in making informed decisions about their careers. Lee is a co-founder of Infosecleaders.com, an information security career resource. The website provides career advice and guidance for information security professionals as they address the challenges of their information security careers. He is a regular speaker and author on industry topics that include career planning, career management, hiring and retention, and compensation trends. Speaking credits include RSA, Black Hat, the ISSA CISO Forum, OWASP and others.
Adrian is a CTO and Analyst at Securosis, bringing over 24 years of industry experience to the research team, much of it at the executive level. Adrian specializes in database security, data security, and software development. With experience at Ingres, Oracle, and Unisys, he has extensive experience in the vendor community, but brings a pragmatic perspective to selecting and deploying technologies having worked on "the other side" as CIO in the finance vertical. Prior to joining Securosis, Adrian served as the CTO/VP at companies such as IPLocks, Touchpoint, CPMi and Transactor/Brodia. He has been invited to present at dozens of security conferences, and regularly contributes to Dark Reading, Information Security Magazine and other security publications. Adrian is a Computer Science graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University.
At FireEye, Alex handles a broad set of responsibilities including engineering, security research, and customer training. Most recently, his security research helped lead the take down of the largest spam botnet in history, Rustock, reducing world-wide spam by 30-50%. His research has been published by The Washington Post, BusinessWeek, The Register, and Cisco Systems. Previously, his work was key in taking down major botnets such as Srizbi and Mega-D. His areas of expertise include malware analysis, client-side exploits, and network security.
Aperture Labs Ltd.
Adam Laurie is a freelance security consultant working the in the field of electronic communications. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and wrote the world's first CD ripper, 'CDGRAB'. At this point, he and his brother Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own—'Apache-SSL'—which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings, and is a member of the Bluetooth SIG Security Experts Group and speaks regularly on the international conference circuit on matters concerning Bluetooth security. He has also given presentations on forensics, magnetic stripe technology, InfraRed and RFID. He is the author and maintainer of the open source python RFID exploration library 'RFIDIOt', which can be found at http://rfidiot.org. He now works full time for the security research company Aperture Labs Ltd. which he co-founded.
Seth Law is a Principal Consultant for FishNet Security in Application Security. He spends the majority of his time breaking web and mobile applications, but has been known to code when the need arises. Seth is currently involved in multiple open source projects, including RAFT.
Long Le , CISA, is a security manager at one of the largest software outsourcing companies in Vietnam. He has been actively involved in computer security for more than 10 years since he and his friends founded the pioneer Vietnamese security research group VNSECURITY (http://vnsecurity.net). Described as neither a researcher nor a hacker, he loves playing wargames and Capture-The-Flag with the CLGT team in his spare time. He was also a speaker at various conferences including BlackHat USA, HackInTheBox, SyScan..
Aaron LeMasters is a Senior Software Engineer at MANDIANT. His career has spanned a broad range of cyber security disciplines from computer forensics to vulnerability research and exploitation. Aaron spent five years responding to cyber incidents across global DOD networks at DISA and NSA and fighting to improve our nation's security by educating network defenders on advanced threats such as rootkits and providing tools to counter the threat. He most recently worked at Raytheon SI performing vulnerability research. Aaron's research interests include operating system integrity analysis, malware analysis, and reverse engineering.
Lookout Mobile Security
Anthony Lineberry is a security researcher from Oakland who has been active in the security community for many years, specializing in reverse engineering code, researching vulnerabilities, and advanced exploitation development. He has written an open source kernel from scratch, helped with the first iPhone jailbreak, and feels uncomfortable speaking in the 3rd person. Professionally his experience includes working as a security researcher for McAfee, NeuralIQ, and currently with Lookout. He has spoken previously at SCaLE, DefCon, and BlackHat EU/US.
David Litchfield is recognized as one of the world's leading authorities on database security. He is the author of Oracle Forensics, the Oracle Hacker's Handbook, the Database Hacker's Handbook and SQL Server Security and is the co-author of the Shellcoder's Handbook. He is a regular speaker at a number of computer security conferences and has delivered lectures to the National Security Agency, the UK's Security Service, GCHQ and the Bundesamt für Sicherheit in der Informationstechnik in Germany.
Shane Alexander Macaulay is a world class IT Security Specialist. Shane has a deep and broad security view, systems ranging from every major flavor of UNIX, Microsoft and networking operating systems. He has contributed to the security community through various papers, books and revolutionary technical applications. Shane has found a number of compiler bugs (native and managed) over the years; one was used to win the non-obvious source code backdoor contest in Defcon 2010.
Previous work was also published on his personal website as K2 ([email protected]), www.ktwo.ca, of note is ADMmutate, a polymorphic shell code obfuscation API which is designed to defeat pattern matching systems. For the past several years Mr. Macaulay has been working on security products and solutions for the Microsoft platform. His current product BlockWatch is a virtual machine monitoring system that assesses physical memory and validates code sections against a white list database.
Tarjei Mandt is a security researcher at Norman. He holds a Masters degree in Information Security and has previously spoken at security conferences such as Black Hat, Infiltrate, and Hackito Ergo Sum. In his free time, he enjoys spending countless hours challenging security mechanisms and researching intricate issues in low-level system components. Recently, he has done extensive research on modern kernel pool exploitation and discovered several vulnerabilities in the Windows kernel.
CTO, Whisper Systems
Moxie Marlinspike is the CTO of Whisper Systems and a fellow at the Institute for Disruptive Studies. He has more than thirteen years of experience attacking networks, is the author of sslsniff and sslstrip, runs a cloud-based WPA cracking service, manages the GoogleSharing targeted anonymity service, and is the author of the sailing film Hold Fast.
Stanford Computer Security Lab
Matthieu Martin is a student at the Stanford Computer Security Lab. He holds an Engineering degree in computer systems, networks and security. His research focuses on captcha and, offline Windows data extraction and analyze.
Jon McCoy is a .NET Software Engineer that focuses on security and forensics. He has worked on number of Open Source projects ranging from hacking tools to software for paralyzed people. With a deep knowledge of programming under the .NET Framework he has released new attacks on live applications and the .NET Framework itself. He provides consulting to protect .NET applications.
National Forensics Training Center and McGrewSecurity
Robert McGrew is currently a lecturer and researcher at Mississippi State University's National Forensics Training Center, which provides free digital forensics training to law enforcement and wounded veterans. He has interests in both penetration testing and digital forensics, resulting in some interesting combinations of the two. He has written tools useful to both fields (NBNSpoof, msramdmp, GooSweep), and tries to stay involved and interactive with the online infosec community.
South Shore PC Services
John McNabb is an IT pro in the Boston area, principal at South Shore PC Services, and was an elected Water Commissioner for a small local water utility for 13 years.
Charlie Miller is Principal Research Consultant at Accuvant Labs. He was the first with a public remote exploit for both the iPhone and the G1 Android phone. He won the CanSecWest Pwn2Own competition for the last four years. He has authored two information security books and holds a PhD from the University of Notre Dame.
Katie Moussouris leads the Security Community Outreach and Strategy team at Microsoft. Her team's work encompasses Security Ecosystem Strategy programs such as Microsoft's BlueHat conference and worldwide hacker conference engagement, security researcher outreach, and Microsoft's Vulnerability Disclosure Policies. Katie also founded and runs Microsoft Vulnerability Research, which is responsible for Microsoft's research and reporting of vulnerabilities in 3rd party software. Katie recently was voted the editor of a new draft ISO standard on Vulnerability Handling Processes, following her work over the past 4 years as the lead expert in the US National Body on an ISO draft standard on Vulnerability Disclosure.
Prior to working for Microsoft, Katie was a penetration tester for several Fortune 500 companies, as a senior security architect for @stake when it was acquired by Symantec. At Symantec, Katie founded and ran Symantec Vulnerability Research.
Katie has spoken at several security conferences including BlackHat USA 2008, Hack In The Box Amsterdam 2011, GOVCERT.NL 2010, RSA2010, SOURCEBoston, Shmoocon, Toorcon Seattle, and she was a keynote speaker at Shakacon in June 2008.
Justin Murdock is a student at the Rochester Institute of Technology. He will be receiving his Bachelor of Science degree in Computer Science, and has a deep interest in computer security. Currently, he is working as a software engineering co-op at MANDIANT in Washington, DC.
Information Security Leaders
Mike Murray is an information security professional and co-founder of Information Security Leaders. Mike has a passion for the human side of the industry and career development. He co-founded Information Security Leaders with Lee Kushner as an outlet to assist the industry in developing more fulfilling and rewarding careers. As a life-long information security professional and entrepreneur, Mike has held diverse positions in the industry. He has run security research and development teams, served in corporate information security functions, and has helped guide a large number of information security professionals in their career. Mike is part of a wide-ranging set of projects including his "Forget the Parachute, Let Me Fly the Plane" career guide, and his guidance and management of MAD Security / The Hacker Academy, the company that he co-founded.
Rafael and the Technion
Gabi Nakibly is an adjunct lecturer at the Technion (Israel Institute of Technology) and a network security research leader at Israel's National EW Research & Simulation Center (part of Rafael -Advanced Defense Systems) where he is involved in the security analysis of network protocols and the secure deployment of network services. Gabi received his B. Sc. in Information Systems Engineering (summa cum laude) and PhD in Computer Science from the Technion in 1999 and 2008, respectively.
Karsten Nohl is a cryptographer and security researcher. He likes to test security assumptions in proprietary systems and typically breaks them.
Thanh Nguyen is a security researcher with 15+ years of hacking experience in a wide range of technologies from high scalable & distributed architecture to low level OS development, bios, firmware, chipset and micro-architecture. He likes to test security of proprietary systems, algorithms and protocols.
William (B.J.) Snow Orvis is a security researcher and consultant at iSEC Partners, an information security firm specializing in application, network, and mobile security. William's current research interests include Mac OS X security, and mobile application security. Before working at iSEC Partners, William finished a Masters degree in Computer Science from UC Davis, with a focus in computer security.
Kyle Osborn is a web application security specialist working for WhiteHat Security. Other involvements include being Red Team member of Collegiate Cyber Defense Competition and building out a CTF for the US Cyber Challenge Cyber Camps.
As an Security Engineer at CME Group, Greg specializes in application security assessment. He also performs research on topics including kernel-level exploitation, malware development and assessment, anti-forensics, USB device security, and web application vulnerabilities. Prior to joining CME Group, Greg was an Application Security Consultant at Neohapsis Inc., performing application security assessments and internal and external penetration testing. Greg has developed a lightweight security framework for mobile devices and implemented a secure boot and re-imaging infrastructure to enforce data integrity.
Chris Paget is Chief Hacker for Recursion Ventures, and one of the foremost information security experts in the world. Prior to Recursion, Chris was Technical Lead, Global Information Security Research and Testing Team for eBay in which he was responsible for understanding and preventing scams, fraud, malware, hacking, among other security issues, and across all related company properties. Chris came to eBay from IOActive, where he was Director of R&D and responsible to senior management for all departmental activities.
Ming-chieh's (Nanika) major areas of expertise include vulnerability research, exploit techniques, malware detection and mobile security. He has 10+ years of experience on vulnerability research on Windows platform and malicious document and exploit. He has discovered numerous Windows system and document application vulnerabilities, such as Microsoft Office, Adobe PDF, and Flash. He frequently presents his researches at security conferences in Asia, including Syscan Singapore/Taipei/Hong Kong 08/10, Hacks in Taiwan 05/06/07/09/10. Ming-chieh is a senior vulnerability researcher with Net-Hack Inc. He and Sung-ting are members of CHROOT security group in Taiwan.
Tomislav Pericin, Founder, ReversingLabs Tomislav Pericin has been analyzing and developing packing and protection methods for the last 7 years. He is the chief architect for TitanEngine, 400+ function open source platform for file analysis. In addition, he is author of "the Art of Unpacking" and founder of the commercial software protection project RLPack.
Rich Perkins is an avid radio control enthusiast and a senior security engineer supporting the U.S. Government. He has had a 20 year Information Technology career including programming, Enterprise Administration, and Information Security. Hobbies include hiking, SCUBA diving, R/C, computers and electronics, as well as a penchant for voiding warranties.
Jean-Michel Picod is currently working for EADS CyberSecurity Center as the leader of pentests and forensics activities. He has an engineering degree in computer systems, networks and security. Over the past years he has been more focused on windows systems and their security.
Alexander Polyakov aka @sh2kerr, CTO at ERPSCAN, head of DSecRG and architect of ERPSCAN Security scanner for SAP. His expertise covers security of enterprise business-critical software like ERP, CRM, SRM, RDBMS, banking and processing software. He is the manager of OWASP-EAS ( OWASP subproject), a well-known security expert of the enterprise applications of such vendors as SAP and Oracle, who published a significant number of the vulnerabilities found in the applications of these vendors. He is the writer of multiple whitepapers devoted to information security research, and the author of the book "Oracle Security from the Eye of the Auditor:Attack and Defense" (in Russian). He is also one of the contributors to Oracle with Metasploit project. Alexander spoke at the international conferences like BlackHat, HITB (EU/ASIA), Source, DeepSec, CONFidence, Troopers.
Thomas H. Ptacek cofounded Matasano Security with Dave Goldsmith and Jeremy Rauch in 2005.
Jason Raber is Director of the Cyber Research Lab, which focuses on creating novel tools and techniques for automatically decomposing complex systems. He has spent ten years in the world of reverse engineering, preceded by five years working at Texas Instruments developing compiler tools for digital signal processors (DSP) (e.g. code generators, assemblers, linkers, disassemblers, etc). His time spent developing C compilers prior to his reverse-engineering experience provided him a good foundation for understanding machine language and hardware that is commonly utilized in reverse-engineering tasks.
Jason has significant experience in extracting intellectual property from a broad spectrum of software (including user applications, DLLs, drivers, OS kernels, and firmware) across a variety of platforms (including Windows, Linux, Mac, embedded). He has also worked on identifying and analyzing malware in order to characterize it and/or neutralize it. Prior to rejoining Riverside Research, Jason served as team lead for a software assessment team in the Air Force Research Laboratory, providing the Department of Defense (DoD) with specialized software security support. Conferences Spoke at: Blachk Hat three times -Deobfuscator, quiet RRIOT, and reverse engineering with hardware emulators RECON two times -custom Linux driver debugger, hardware debugger Redteam 2007 -Deobfuscator Working Conference on Reverse Engineering (WCRE) 2007 MIT 2010 Anti-Tamper Con 2010
Jay Radcliffe has been working in the computer security field for over twelve years and is currently a Senior Threat Intelligence Analyst for a major computer security organization. He has an extensive public speaking background, going back to middle school, and has spoken on a variety of security and legal topics at major conferences, universities, and other community events. He holds a Masters degree in Information Security Engineering form SANS Technology Institute as well as a bachelor's degree in Criminal Justice/Pre-Law from Wayne State University. His experience with radios and hardware goes back to when he was 12 and earned his Ham Radio license, now with the callsign N8OS.
Stach & Liu, LLC
Rob Ragan, is a Senior Security Associate at Stach & Liu, a security consulting firm providing IT security services to the Fortune 500 and global financial institutions as well as U.S. and foreign governments. Before joining Stach & Liu, Rob served as Software Engineer with the Application Security Center team of Hewlett-Packard (formerly SPI Dynamics) where he developed automated web application security testing tools, performed penetration tests, and researched vulnerability assessment and identification techniques. Rob has presented his research at leading conferences such as InfoSec World, Black Hat USA, and DEFCON. Rob has also published several white papers and is a contributing author to the upcoming Hacking Exposed:Web Applications 3rd edition. Rob holds a Bachelor of Science from the Pennsylvania State University with a major in Information Sciences and Technology and a focus on System Development. While at Penn State, Rob worked as a full-time web application developer for the Office of IT and was an active member of the Information Assurance Club where he gave training on web application security.
Vivek Ramachandran has been working on Wi-Fi security since 2003. He has spoken at conferences such as Defcon and Toorcon on Wireless Security and is the discoverer of the Caffe Latte Client attack. He also broke WEP Cloaking, a WEP protection schema in 2007 publically at Defcon. Vivek is the author of the book "Wireless Penetration Testing using Backtrack" due for release later this year. He was one of the implementers of 802.1x protocol in Cisco's 6500 Catalyst series of switches. Vivek is also one of the winners of Microsoft Security Shootout contest held in India among a reported 65,000 participants. He is best known in the hacker community as the founder of SecurityTube.net where he posts videos on Wi-Fi Security, Exploitation Techniques etc. and which gets over 100,000 unique visitors a month.
Began to study in France, I completed the Bachelor in Scotland. Currently I'm at the Technische Universität Berlin, finishing a Master, with the main domain networking. I work as a researcher in the the Security in Telecommunications department at TU-Berlin/Deutsche Telekom Laboratories (T-labs). The research topics are related to mobile telecommunication and involved security threats. This ranges from GSM/UMTS, smartcards, femtocells to end-user device security.
Ivan Ristić is a respected security expert and author, known especially for his contribution to the web application firewall field and the development of ModSecurity, an open source web application firewall. He is also the author of Apache Security, a comprehensive security guide for the Apache web server, and ModSecurity Handbook. He founded SSL Labs, a research effort focused on the analysis of the real-life usage of SSL and the related technologies. A frequent speaker at computer security conferences, Ivan is a member of the Open Web Application Security Project (OWASP), and an officer of the Web Application Security Consortium (WASC).
Chris Rohlf is a Principal Security Consultant with Matasano Security in NYC. He has spent the last 8 years as a security developer, consultant and a vulnerability researcher for different organizations including the US Department of Defense. Chris has published many security advisories in widely used software, authored reverse engineering tools and won 2nd place in Googles Native Client security contest. Chris has previously spoken at industry conferences including Black Hat 2009.
Thomas Roth is a consultant for security and software engineering from Germany whose main interests are exploiting techniques, low-level programming languages and cryptographic algorithms. Recently he started implementing and optimizing hash algorithms like MD5 and SHA1 on GPUs, using the CUDA and the OpenCL framework. Some of his private work can be found on his Blog (http://stacksmashing.net/) or on Twitter (@stacksmashing).
Mark Russinovich is a Technical Fellow in the Windows Azure group at Microsoft working on Microsoft's datacenter operating system. He is a widely recognized expert in Windows operating system internals as well as operating system security and design. He is author of the recently published cyberthriller Zero Day, co-author of the Microsoft Press Windows Internals books, and co-author of the forthcoming Sysinternals Administrator's Reference. Russinovich joined Microsoft in 2006 when Microsoft acquired Winternals Software, the company he cofounded in 1996, as well as Sysinternals, where he authors and publishes dozens of popular Windows administration and diagnostic utilities. He is a featured speaker at major industry conferences including Microsoft's TechEd, WinHEC, and Professional Developers Conference.
IBM Internet Security Systems
Paul Sabanal is a security researcher on IBM ISS's X-Force Advanced Research Team. He has spent most of his career as a reverse engineer, starting out as a malware researcher, and now does vulnerability analysis and exploit development as well. He has previously presented at Blackhat with Mark Yason on the subject of C++ reversing. His main research interests these days are in protection technologies and automated binary analysis tools. He is currently based in Manila, Philippines.
David is a Computer Science graduate who sort of fell into the security world about 15 years ago when system administration got too boring. In past roles, he has built tools for supporting vulnerability and penetration tests, including findings databases and a crazy multi-user GUI report editor. David joined Intrepidus Group last summer, where he's performed penetration testing, mobile app reverse engineering, web application security reviews. Most recently, he has focused on iOS, including extensive support for large enterprise deployments, and research into various security related issues. David describes himself first and foremost as a "guerilla programmer," writing quick-and-dirty tools to process data, eliminate repetitive drudgery, and generally do nifty things. When he has time, he also likes to Geocache, tinker with his home network, and solve crypto puzzle contests at security cons. David almost never blogs to www.darthnull.org.
Justin Searle is a Senior Security Analyst with InGuardians, specializing in the penetration testing of web applications, networks, and embedded devices, especially those pertaining to the Smart Grid. Justin is an active member of ASAP-SG (Advanced Security Acceleration Project for the Smart Grid) and led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628. Previously, Justin served as JetBlue Airwayâ€™s IT Security Architect, and has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities and corporations. Justin has presented at top security conferences including Black Hat, DEFCON, ToorCon, ShmooCon, and SANS. Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudnum.
Shreeraj Shah, B.E., MSCS, MBA, CSSLP is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in security space. He is also the author of popular books like Web 2.0 Security, Hacking Web Services and Web Hacking:Attacks and Defense. In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O'reilly, HNS. His work has been quoted on BBC, Dark Reading, Bank Technology as an expert.
Tyler Shields is a Senior Researcher with the Veracode Research Lab whose responsibilities include understanding and examining interesting and relevant security and attack methods for integration into the Veracode product offerings.
In the past, Tyler has worked as a consultant for both @Stake and Symantec, delivering security assessments to fortune 500 companies, major financial institutions, institutions of higher education, and the highest levels of the U.S. government.
Tyler has presented at major security conferences internationally including H.O.P.E , Shmoocon, BRUCon, and SOURCE Boston and released numerous security advisories. He also frequently contributes to major media outlets on security relevant topics.
Sumit Siddharth (sid) works as a Principal Security Consultant for 7safe in the UK. He specializes in Web application and database security. Sid has been a speaker at many international conferences such as Blackhat, Defcon, Owasp, Troopers, Sec-T etc. He has been an author of several white-papers, tools and security advisories. Sid holds the prestigious CREST certification and also runs the popular IT security blog www.notsosecure.com
Joe Skehan is Director of Product and Customer Research at Venafi. In this capacity, Skehan performs quantitative and qualitative research to direct the development and direction of Venafi products and security best-practices. In this capacity, he interacts extensively with customers, industry, press and analyst groups and participates in cross-functional initiatives. Prior to Venafi, Skehan worked at Novell where he was responsible for drive the Identity Management and Configuration Management product lines. Skehan holds a Bachelor of Science degree in Electronics Engineering.
Marco Slaviero is an associate at SensePost where he heads up the SensePost Labs team (current headcount:1). He harbours a personal dislike for figs.
Alex Stamos is a co-founder and CTO of iSEC Partners Inc., a strategic digital security organization and part of the NCC Group. Alex is an experienced security engineer specializing in solving difficult problems in application security and is a leading researcher in the field of cloud and mobile security. He has been a featured speaker at top industry conferences such as Black Hat, FS-ISAC, the CIP Congress, Infraguard, Web 2.0 Expo, CanSecWest, DefCon, SyScan, Microsoft BlueHat, Amazon ZonCon and OWASP App Sec. He holds a BSEE from the University of California, Berkeley.
Salvatore J. Stolfo> is Professor of Computer Science at Columbia University. He received his Ph.D. from NYU Courant Institute in 1979 and has been on the faculty of Columbia ever since. He has published over 200 papers and books in the areas of parallel computing, AI knowledge-based systems, data mining and most recently computer security and intrusion detection systems (see www.cs.columbia.edu/ids). He has been granted 27 patents. His research has been supported by DARPA, NSF, ONR, NSA, CIA, IARPA, AFOSR, ARO, DHS and numerous companies and state agencies over the years while at Columbia.
Lookout Mobile Security
Tim Strazzere is a Security Engineer at Lookout Mobile Security. Along with writing security software, he specializes in reverse engineering and malware analysis. Some interesting past projects include having reversing the Android Market protocol, Dalvik decompilers and memory manipulation on mobile devices.
Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers, and educating others on a variety of security topics. As VP of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry.
Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing, and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles, and is the co-author of Fuzzing:Brute Force Vulnerability Discovery, an Addison-Wesley publication. Michael holds a Master's degree in Information Systems Technology from George Washington University and a Bachelor of Commerce from the University of Alberta.
Bryan Sullivan is a Senior Security Researcher with Adobe Systems, where he focuses on cloud security issues. Prior to Adobe, he was a program manager on Microsoft's Security Development Lifecycle team, and a development manager at HP, where he helped to design HP's vulnerability scanning tools WebInspect and DevInspect.
Bryan has spoken at security industry conferences such as Black Hat, RSA Conference, BlueHat and TechEd on topics such as RIA architecture, REST, cryptography, denial-of-service defense, URL rewriting, and applying secure development processes to Agile projects. He was the author of the MSDN Magazine column Security Briefs, and is the coauthor of the books Ajax Security (Addison-Wesley, 2007) and the upcoming Secure Web Applications, A Beginner's Guide (McGraw-Hill, 2011).
Chris Tarnovsky is the principal at Flylogic. Their mission is to perform security risk analysis and assessment of semiconductors.
Mike Tassey is a security consultant to Wall Street, and the US Intelligence Community. He spent the majority of his 16 year information security career in support of the Dept. of Defense (both in uniform and out) and now does security consulting for global companies and government. His interests include martial arts, lolcats, danger and putting large things in small airplanes.
Mike Tracy is a senior security consultant at Matasano, the chapter leader for OWASP Chicago, a co-developer of Matasano's crypto-for-pentesters course, and survivor of multiple presentations with Thomas.
Sung-ting (TT) is a staff research engineer in core tech department of Trend Micro. His major areas of interest include document exploit, malware detection, sandbox technologies, system vulnerability and protection, web security, cloud and virtualization technology. He also has been doing document application security research for years, and has presented his researches in Syscan Singapore 10 and Hacks in Taiwan 08. He and Ming-chieh are members of CHROOT security group in Taiwan.
Mario Vuksan, Founder, ReversingLabs Mario Vuksan was the Director of Research at a leading provider of application and device control solutions, where he has founded and built the world's largest collection of actionable intelligence about software. He spoke at CEIC, Black Hat, RSA, Defcon, Caro Workshop, Virus Bulletin and AVAR Conferences. He is author of numerous blogs on security and has most recently authored "Protection in Untrusted Environments" chapter for the "Virtualization for Security" book. Tomislav Pericin, Founder, ReversingLabs Tomislav Pericin has been analyzing and developing packing and protection methods for the last 7 years. He is the chief architect for TitanEngine, 400+ function open source platform for file analysis. In addition, he is author of "the Art of Unpacking" and founder of the commercial software protection project RLPack.
Chuck Willis is a Technical Director with MANDIANT, a full spectrum information security company in Alexandria, Virginia. At MANDIANT, Mr. Willis concentrates in several areas including application security, where he assesses the security of sensitive software applications through external testing and static analysis. He also studies static analysis tools and techniques and strives to identify better ways to evaluate and secure software. Mr. Willis is the leader of the OWASP Broken Web Applications project, which distributes a virtual machine with known vulnerable web applications for testing and training.
Julia Wolf was instrumental in the takedown of the Srizbi botnet in 2008 (at the time, the largest spam botnet by email volume). She reverse engineered every version of the bot, and precalculated all future C&C hostnames, which were then registered and pointed to a sinkhole. She has also reverse engineered several types of ransomware, broke the custom encryption used, and helped victims to recover their data.
More recently, she was involved with the takedown of the Rustock botnet. She has spoken at several conferences; most recently about the security aspects of the PDF syntax itself.
Julia first learned to program on a Commodore PET, and has been involved in computer security for a very long time.
Lookout Mobile Security
Tim Wyatt is a software engineer whose career has focused primarily on security product development. This has led him to Lookout Mobile Security where he leads the Security Engineering team. Prior to Lookout, Tim was a lead engineer for the Vontu Network Data Loss Prevention suite.
Chris Wysopal, Veracode's CTO and Co-Founder, is responsible for the company's software security analysis capabilities. In 2008 he was named one of InfoWorld's Top 25 CTO's and one of the 100 most influential people in IT by eWeek. One of the original vulnerability researchers and a member of L0pht Heavy Industries, he has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He published his first advisory in 1996 on parameter tampering in Lotus Domino and has been trying to help people not repeat this type of mistake for 15 years. He is also the author of "The Art of Software Security Testing" published by Addison-Wesley.
Fabian Yamaguchi works as a researcher and security consultant for Recurity Labs in Berlin where he focuses on discovering and analysing vulnerabilities. He has presented his work at a number of security conferences including DEFCON and Chaos Communication Congress. Recently, he received his MSc in computer engineering from Technische Universität Berlin. During his studies, he focused on communication protocols and methods for data analysis from signal processing and machine learning.
Mark Vincent Yason is a security researcher on IBM's X-Force Advanced Research team. Mark's current focus area is vulnerability and exploit research – he analyzes known vulnerabilities, discovers new vulnerabilities, studies exploitation techniques, and creates detection guidance/algorithms which are used in the development of IDS/IPS signatures. He also previously worked on malware research which naturally involved some degree of software protection research. He authored the paper The Art of Unpacking and co-authored the paper Reversing C++, both of which were previously presented at BlackHat.
Paul Youn is a senior security consultant at iSEC Partners, an information security firm specializing in application, network, and mobile security. At iSEC, Paul specializes in web application/web services security, mobile application security, network security/red-team testing, client/server testing, and design review of security architecture. Paul was previously a software engineer at Oracle where he primarily worked on the Transparent Data Encryption feature. Paul studied at MIT where he received BS degrees in math and cs and a masters degree in information security.