Presentations

Protecting the Player – iGNA 2014

While sites and operators can be attacked directly, the easier target is the player. This presentation was part of a panel discussion at iGNA 2014 in which I participated. It focused on security controls that operators can implement to better protect their customers.

Defcon 19 and Hack3rcon II – Getting F***** on the River

Online poker is a rapidly growing multi-million-dollar industry, but it is not highly regulated. Recent “hacks” (e.g. a weak SSL implementation, a superuser account) have drawn more attention to security in the poker industry, especially as it moves toward full regulation in the United States. This talk covers the technical architecture of online poker, the existing security controls, examples of past vulnerabilities, new weaknesses we have discovered in poker clients and the surrounding infrastructure, and the next steps of research we are performing in this area.

Derbycon II – Hacked Hollywood

This informative and entertaining presentation highlights movie scenes that deal with information security scenarios and make them look easy, when they are nothing like the real thing. We have all watched a movie in which “that guy” who only speaks in code is asked to break into some high-level government/bank/company to steal its money/information and does it all in 2 minutes – from an unmarked white van. For each scenario we play the movie clip, laugh, explain why it is inaccurate, laugh some more, and then cover what could have been done to make it more realistic. A few examples are also included where Hollywood gets it right. We conclude with a funny, short homemade video that shows how this hacking stuff really goes down. The presentation covers quotes and scenes from movies and television shows such as Swordfish, Hackers, The Matrix, War Games, 24 and others.

RVASEC 2013 – How to Defend Against FISMA

There are many talks on protecting against SQL injection, implementing wireless IDS, and defending against mobile threats. However, one of the biggest threats facing an organization is FISMA and the current Certification and Accreditation (C&A) process. This presentation discusses how a commercial organization that hosts government systems had to make sacrifices in order to comply with NIST controls that do little to enhance the security posture of those systems. Andrew gives the perspective of the security operations staff on the steps that had to be taken to comply with some of the standards. He also shows how certain controls were implemented according to NIST guidelines yet remained vulnerable to real attacks, and how his organization then implemented security controls above and beyond FISMA that add real value. Gus gives the perspective of a company that performs C&A assessments. He provides real (redacted) examples that show FISMA’s shortcomings and offers recommendations on how the process could be improved.

Fairfax County Library, January 2013 – Hacked. How to protect yourself from phishing and other social engineering attacks.

The presentation covered basic information to make users aware of phishing and social engineering attacks and how to protect against them.

Library of Congress, August 2011 – Social Engineering and Phishing (Fish are not the only things that need to be concerned.)

The subject was social engineering and phishing attacks. The presentation covered PII attack vectors, social engineering, phishing and spear-phishing attacks, the Social-Engineer Toolkit (SET) and Metasploit, case studies, and more.

NASPL 2015 – Information Security in the Lottery Sector

This was presented at the NASPL professional development seminar in Seattle. The focus was on what lotteries need to be aware of regarding information security.