<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Observatory of Internet security</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>California defeats bill to force companies to decrypt phone data</title><description>2016-04-15 17:49:57 - Security Bloggers Network : The California assemblyman said encryption is "risking our national security," but would nevertheless tweet from his encrypted iPhone.</description><link>http://www.secuobs.com/revue/news/603887.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/603887.shtml</guid></item>
<item><title>California ransomware bill supported by Hollywood hospital passes committee</title><description>2016-04-15 16:16:03 - Office of Inadequate Security : Bradley Barth reports: Proposed California legislation imposing specific penalties for ransomware took a step forward.</description><link>http://www.secuobs.com/revue/news/603805.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/603805.shtml</guid></item>
<item><title>Uber To Pay Up To $25 Million For Misleading Advertising In California</title><description>2016-04-08 15:40:30 - Slashdot Your Rights Online : Bruce66423 writes: Uber has agreed to a settlement of $10 million for misleading advertising about the quality of its background checks for drivers. One particular concern was its absence of fingerprint-based checking. Uber has agreed to no longer use such terms as "safest drive on the road" in its advertising. Prosecutors said Uber failed to prevent 25 people with criminal records from becoming drivers, including several sex offenders and a convicted murderer. Another language change included renaming its "safe ride fee" as a "booking fee". Uber has agreed to make the $10 million payment within 60 days to settle the agreement; otherwise they will be forced to pay an additional $15 million in two years.</description><link>http://www.secuobs.com/revue/news/603262.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/603262.shtml</guid></item>
<item><title>California Bill AB 2867 Proposed To Allow You To Cancel Comcast With 'Click Of The Mouse'</title><description>2016-04-01 01:14:05 - Slashdot Your Rights Online : An anonymous reader writes: Los Angeles Assemblyman Mike Gatto has introduced a bill that would allow Californians to cancel their internet or cable services online with 'one click'. The bill reads: "AB 2867 allows Californians to conveniently unsubscribe from a service with a simple click of the mouse," said Assemblyman Gatto. "It just makes sense, that if you are able to sign-up for a service online, you should also be able to cancel it the same way. Rapid advancements in technology grant consumers a wide variety of cable, internet and phone service products from which they may choose, and while companies make it simple to buy or upgrade services, a cancellation request is usually a prolonged ordeal where customers are sometimes pressured into extending their contracts. AB 2867 provides a convenient and consumer-friendly option for Californians to remove unwanted services without a long phone call." Bill AB 2867 would in theory spare you from an 18-minute call with a Comcast representative in regard to cancelling your service.</description><link>http://www.secuobs.com/revue/news/602597.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602597.shtml</guid></item>
<item><title>AppSec California 2016 - All our APIs are belong to us - Jad Boutros</title><description>2016-03-31 15:31:16 - SecurityTube.Net : Snapchat does not offer a public API to access its service. Motivated third parties have taken great lengths to reverse-engineer our protocol and build applications on top of it, which could put our users at greater risk of account compromise. In 2014, one such third party was breached and exposed some user data they'd collected from Snapchatters. Their breach reinforced our desire to continue to do more to protect our users from third-party abuse. In this talk we cover a number of defenses we have put in place both client- and server-side since then, in a long-running cat and mouse game with determined third parties. We'll expand on what worked, what didn't, and what we learned from our efforts, which we believe are unique in the social networking space. Jad Boutros, Snapchat, Director of Information Security. Jad Boutros joined Snapchat in 2014, where he serves as director of information security. He is responsible for security, spam and abuse as well as privacy engineering. Prior to joining Snapchat, Jad worked at Google for over nine years and led the security efforts for Google+ since the project's inception. Jad holds a bachelor's degree in computer engineering from McGill University and a master's degree in computer science from Stanford University. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602545.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602545.shtml</guid></item>
<item><title>AppSec California 2016 - Keynote: Closing the Security Talent Gap - Jacob West</title><description>2016-03-31 15:31:16 - SecurityTube.Net : The talent gap in security is huge and growing. Tools compensate in some cases, but skilled people are critical to managing security risk. With nearly half of security roles vacant, organizations must develop talent inside and out. This session offers practical steps you can take today, ranging from adopt-a-professor to highlighting security in every job description, that will help close the gap. Jacob West, NetSuite, Chief Architect, Security Products. Jacob West is Chief Architect for Security Products at NetSuite. In his role, West leads research and development for technology to identify and mitigate security threats. Prior to this role, West served as CTO for Enterprise Security Products at HP where he founded and led HP Security Research, which drives innovation through research publications, threat briefings, and actionable security intelligence. A world-recognized expert, West co-authored the book "Secure Programming with Static Analysis" in 2007. West co-authors the Building Security in Maturity Model (BSIMM), serves as a founding member of both the IEEE Center for Secure Design (CSD) and the (ISC)2 Application Security Advisory Council (ASAC), and is a frequent keynote speaker at industry events worldwide. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602544.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602544.shtml</guid></item>
<item><title>AppSec California 2016 - Making Security Agile - Oleg Gryb - Sanjay Tambe</title><description>2016-03-31 15:31:16 - SecurityTube.Net : Many progressive IT organizations have already adopted agile methodologies and run in a CI/CD mode, while security processes and the level of security automation are still behind and can easily become a bottleneck if not changed. We'll show in our presentation how to convert the old approach to application security to a more progressive and faster one. You will also learn how to extend the leverage of a small security team by utilizing QA regression unit tests for security processes. Achieving a greater level of productivity and security automation by utilizing open source and commercial tools will also be covered in our talk. Oleg Gryb, Samsung Strategy and Innovation Center, Sr. Manager, Security Engineering. Oleg Gryb is a Security Architect working in the application security domain at Samsung Electronics Innovation Center. He was previously Security Architect at Intuit, where he was creating architecture for mission critical financial and business applications. Gryb participates actively in creating open source software in security, identity management and other domains. He has a lot of passion around embedding security in all SDLC stages, threat modeling, enforcing security in the web service fabric, security tools, cloud, IoT and mobile security. He's also interested in building data protection solutions based on security appliances, such as Secure Elements for devices, nCipher, DataPower, Ingrian, Safenet. Sanjay Tambe, Samsung Strategy and Innovation Center, Security Architect. Sanjay Tambe is working as Security Architect at Samsung Strategy &amp; Innovation Center. He is working on security of the cloud based SAMI Internet of Things (IoT) platform. Previously he worked as Core Security Champion at Intuit, where he ensured security of applications such as Mint running in the AWS cloud. Prior to that he worked for Wells Fargo Bank as Security Specialist, VP, where he ensured security of high volume customer facing web &amp; mobile applications. He is very passionate about application security using Architectural reviews and Security Automation. He conducted Security Training workshops for Architects, Developers, QA, and managers. He has 12+ years of experience in the security domain and 12+ years of hands-on experience in design &amp; development of software applications. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602543.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602543.shtml</guid></item>
<item><title>AppSec California 2016 - Ad Hoc Mutable Infrastructure for Security Management</title><description>2016-03-30 14:33:12 - SecurityTube.Net : Cloud service adoption is increasing across organizations, from startups to massive enterprises. Managing and auditing the security around cloud services is oftentimes difficult given the myriad of unknowns around connectivity and complexity. We've developed a completely mutable infrastructure for managing a traditionally critical piece of infrastructure, Active Directory identity management. This infrastructure eliminates many of the problems associated with traditional domain controller exploitation via ad hoc network routes, extremely restrictive access controls and the ability to destroy any completely compromised domain controller via automation technologies. Will Bengtson, Nuna Health, Senior Security Program Manager. Will Bengtson is the punisher of security at Nuna Health and has been blowing cyber criminals away for years. His experience across industries in low level implementation, architecture risk analysis, red teaming, and penetration testing among others has allowed him to partner up with the dark knight in investigations in cloud security and automation. Robert Wood, Nuna Health, Head of Security. Robert Wood is the dark knight of security at Nuna Health and has been fighting cyber crime for years. Robert has experience with threat modeling, red teaming, incident response, static analysis, and penetration testing, having been engaged in these capacities across many industries and business types. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602424.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602424.shtml</guid></item>
<item><title>AppSec California 2016 - 5 Steps to Drive Enterprise Software Security</title><description>2016-03-30 14:33:12 - SecurityTube.Net : Organizations are exposed to breaches and unnecessary risk because security is often a secondary concern during software requirements development. Many times organizational culture or politics can present more daunting challenges than purely technical issues when implementing a software security initiative. You can change the way your organization builds software by learning the principles, processes, and pitfalls of building a software security initiative in the enterprise. A five step disciplined approach of Characterizing the Landscape, Securing Champions, Defining Standards and Strategy, Executing the Initiative and Sustaining the Effort, tailored to your organization, will help ensure that your corporate-wide efforts to secure applications are as productive as possible. John Dickson, Principal, Denim Group. John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSOs) of Fortune 500 companies and government organizations launch and expand their critical application security initiatives. His leadership has been instrumental in Denim Group being honored by Inc. Magazine as one of the fastest growing companies in the industry for five years in a row. A former US Air Force officer, Dickson served in the Air Force Information Warfare Center (AFIWC) and was a member of the Air Force Computer Emergency Response Team (AFCERT). Since his transition to the commercial arena, he has played significant client-facing roles with companies such as Trident Data Systems, KPMG and SecureLogix Corporation. Dickson is a popular speaker on security at industry venues including the RSA Security Conference, the SANS Institute, the Open Web Application Security Project (OWASP) and other international security conferences. He is a sought-after security expert and regularly contributes to Dark Reading and other security publications. He also regularly contributes to the Denim Group blog where he writes about key security industry issues such as software security and cyber security policy. A Distinguished Fellow of the International Systems Security Association, he has been a Certified Information Systems Security Professional (CISSP) since 1998. Dickson is currently the Chairman of the San Antonio Chamber of Commerce Cyber Security Committee, where economic development, workforce and advocacy issues involving San Antonio's growing cyber security industry are coordinated. Dickson is also a member of the prestigious Texas Business Leadership Council, the only statewide CEO-based public policy organization that serves as a united voice for the state's senior executives to participate in the legislative and regulatory process. Most recently, he was Chairman of the Texas Lyceum, a leadership group that prepares leaders for the State of Texas, and served as Chairman of the North San Antonio Chamber of Commerce. He also served as the local President of the Information Systems Security Association and was an honorary commander of the 67th Cyberspace Wing, which organizes, trains and equips cyberspace forces to conduct network defense, attack and exploitation. He holds a Bachelor of Science degree from Texas A&amp;M University, a Master of Science degree from Trinity University and a Masters in Business Administration from the University of Texas at Austin. Dickson resides in San Antonio, Texas, where he is married with two children. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602423.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602423.shtml</guid></item>
<item><title>AppSec California 2016 - Skillful, Scalefull Fullstack Security in a State of Constant Flux</title><description>2016-03-30 14:33:12 - SecurityTube.Net : In this talk Eoin shall discuss approaches to maintaining a secure full-stack posture at scale in a continuously changing environment: how it can be approached and the pitfalls to be aware of; how accuracy of testing is not mutually exclusive with scale, depth and speed; the use of analytics in managing a continuous security environment; what items in the OWASP Top 10 can be tested for using automation and what still requires the human; and how we scale using human validation and intelligence. Eoin Keary, Edgescan, Founder and CTO. Eoin previously was an international board member of OWASP, The Open Web Application Security Project (2009-2014). During his time in OWASP he led the OWASP Testing Guide and founded the Security Code Review Guide, and also contributed to OWASP SAMM, was the original author of the CISO Survey and a contributor to the OWASP Cheat Sheet Series. Eoin is a well-known technical leader in industry in the area of software security and penetration testing, and has led global security engagements for some of the world's largest financial services and consumer products companies. He is the CTO and founder of edgescan.com, a managed web vulnerability and threat detection service which is a listed "sample vendor" and "Notable vendor" in the Gartner Application Security Hype Cycle and MQ for Managed Security Services. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602422.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602422.shtml</guid></item>
<item><title>AppSec California 2016 - Panel: Women in Security - Lisa Napier - Wei Lin - Emily Stark</title><description>2016-03-30 14:33:12 - SecurityTube.Net : Diversity in teams produces better results. What are the challenges and barriers that might not be visible to the general population? What are the factors that make women successful in Security Technology? What can organizations and teams do to encourage and retain talent? What are the biggest industry challenges today? We'll have a lively discussion on challenges, and what actions can help today and tomorrow. Lisa Napier, NetApp, Sr. Product Security Program Manager. Lisa Napier, Sr. Product Security Program Manager at NetApp, currently leads the Product Security program for NetApp. She previously led various Product Security initiatives including the Secure Development Lifecycle at Cisco Systems, as well as organizing the internal Secure Development conference called SecCon for many years. She was the first Security CCIE at Cisco, and one of the founding members of the Cisco PSIRT. Wei Lin, Symantec, Senior Director. Wei Lin, Senior Director, heads the E-Commerce Engineering organization at Symantec. Lin has led various engineering groups within Symantec, including the Security Technology Group and the Norton brand consumer product groups, and played a key role in the success of both Consumer and Enterprise security products. Lin has been co-chair of various leadership committees for Grace Hopper Conference planning. She was the General Co-Chair of the Grace Hopper 2014 Conference. Before entering the computer and network security field, Lin led software development in computer 3D graphics and reconstruction applied to aerospace and biomedical research. She holds a Bachelor of Science degree from Fudan University, and a PhD in Medical Imaging from the University of Paris. Emily Stark, Google, Software Engineer. Emily is a software engineer on the Google Chrome security team, where she focuses on efforts to make TLS/SSL more usable and secure. Previously, she was a core developer at Meteor Development Group, where she worked on web framework security and internal infrastructure, and a graduate student researching client-side cryptography in web browsers. Emily has a master's degree from MIT and a bachelor's degree from Stanford, both in computer science. Caroline Wong, Cigital, Inc., Director of Strategic Security Initiatives. Caroline Wong, CISSP, is the Director of Strategic Security Initiatives at Cigital, the world's largest consulting firm specializing in software security. Prior to this role, Caroline led a product management team at Symantec and security teams at Zynga and eBay. Caroline is the author of "Security Metrics: A Beginner's Guide" and is well known as a thought leader on the topics of security strategy, operations, and metrics. She has been a featured speaker at industry conferences including RSA (USA and Europe), ITWeb Summit (South Africa), Metricon, the Executive Women's Forum, (ISC)2 and the Information Security Forum. Caroline contributed as a technical reviewer to the Center for Internet Security Consensus Metrics Definitions. She graduated from UC Berkeley with a BS in Electrical Engineering and Computer Sciences, has a Certificate in Finance and Accounting from Stanford's Executive Education Program, and is CISSP certified. Caroline was awarded the 2010 Women of Influence "One to Watch" Award by the Executive Women's Forum. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602421.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602421.shtml</guid></item>
<item><title>AppSec California 2016 - Fixing the Unfixable: Solving Pervasive Vulnerabilities with RASP</title><description>2016-03-30 14:33:12 - SecurityTube.Net : Some vulnerabilities are just unfixable. You can't block them because there's no clear pattern to the attack. You can't fix the code because they're buried in libraries and frameworks. And you can't live with them because they're incredibly dangerous. Java's deserialization vulnerabilities are a perfect example where organizations are left with no good choices and a huge window of exposure. In this talk, Jeff will explore the use of runtime application self-protection (RASP) to fix this type of problem. Jeff will talk about various approaches to RASP, including dynamic software instrumentation. He'll also introduce a free and open source RASP agent designed to completely neuter deserialization attacks across the entire Java stack. He'll show you how RASP agents can enable quick and effective defenses across an entire application portfolio, and should be part of your application security strategy today. Jeff Williams, Contrast Security, CTO. A pioneer in application security, Jeff Williams has more than 20 years of experience in software development and security. Jeff is the CTO and co-founder of Contrast Security, a revolutionary application security product that enhances software with the power to defend itself, check itself for vulnerabilities, and join a security command and control infrastructure. Jeff also served as the Global Chairman of the OWASP Foundation for eight years, where he created many open-source standards, tools, libraries, and guidelines, including the OWASP Top Ten. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602420.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602420.shtml</guid></item>
<item><title>AppSec California 2016 - Open Source Authentication: Security without high cost</title><description>2016-03-30 14:33:12 - SecurityTube.Net : Hacking of websites and stolen passwords continue to plague people conducting business on the internet. Most enterprise networks, e-commerce sites and online communities require only a user name and static password for logon and access to personal and sensitive data. This may be convenient but it is not secure, because online identity theft (phishing, keyboard logging, man-in-the-middle attacks and other methods) continues to grow at unsurpassed rates. Strong authentication systems address the limitations of static passwords by incorporating an additional security credential, for example a temporary one-time password (OTP), to protect network access and end-users' digital identities. This adds an extra level of protection and makes it extremely difficult to access unauthorized information, networks or online accounts. One-time passwords can be generated in several ways and each one has trade-offs in terms of security, convenience, cost and accuracy. Simple methods such as transaction number lists and grid cards can provide a set of one-time passwords. These methods offer low investment costs but are slow, difficult to maintain, easy to replicate and share, and require the users to keep track of where they are in the list of passwords. A more convenient way for users is to use an OTP token, which is a hardware device capable of generating one-time passwords. Some of these devices are PIN-protected, offering an additional level of security. The user enters the one-time password with other identity credentials (typically user name and password) and an authentication server validates the logon request. Although this is a proven solution for enterprise applications, the deployment cost can make the solution expensive for consumer applications. Because the token must be using the same method as the server, a separate token is required for each server logon, so users need a separate token for each Web site or network they use. The difficulty with these methods comes down to cost: while being more secure than simple passwords, the cost to financial institutions and enterprises is still very high and keeps many small organizations from implementing them. The Initiative for Open Authentication (OATH) was created to bring an open source approach to strong authentication. The organization has developed a number of algorithms which have been approved as standards by the IETF and are available for any organization to download. LSExperts has taken these algorithms and provides them freely on a server. This free download reduces the cost of authentication significantly and allows any organization to implement strong authentication. No longer do companies need to pay high amounts to authenticate their employees and customers; this is a revolutionary move in the authentication space and is receiving a high level of acceptance in the marketplace. Donald Malloy, LSExperts, Business Development Director, North America. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602419.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602419.shtml</guid></item>
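The abstract above describes the token-and-server exchange and the OATH algorithms standardised through the IETF without showing either. The following is an added example, not code from the talk, from OATH or from LSExperts: the two OATH algorithms, HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), together with the server-side validation step the abstract mentions. The verifier keeps a look-ahead window so a token whose counter has drifted ahead (pressed without logging in) can resynchronise, rejects any counter at or below the last accepted one so a captured code cannot be replayed, and compares in constant time. The shared secret is the RFC test key so the codes can be checked against the RFC tables; the window size, clock-skew tolerance and all names are this example's assumptions.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a server-side verifier.

Added example; not code from the talk, from OATH or from LSExperts. The
secret below is the test key from RFC 4226 Appendix D / RFC 6238 Appendix B,
so the codes produced here match the tables in those RFCs."""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 / 6238 test key (not a real secret)


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit value, reduce modulo 10^digits, zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] % 16                       # low nibble of the last byte selects the window
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0]
    code = chunk % 0x80000000                   # drop the top bit (same as masking with 0x7FFFFFFF)
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, t0=0, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals elapsed since t0 (Unix epoch by default)."""
    now = time.time() if for_time is None else for_time
    return hotp(secret, int((now - t0) // step), digits, digestmod)


class HotpVerifier:
    """Server-side state for one enrolled HOTP token.

    Tracks the next counter the server expects. A submitted code is accepted
    only if it matches one of the next `window` counters, which lets a token
    that was pressed without logging in resynchronise, while a code at or
    below the last accepted counter is rejected so a captured code cannot be
    replayed. Lockout after repeated failures is left to the caller
    (assumption: the application already rate-limits logons)."""

    def __init__(self, secret, window=5, digits=6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.next_counter = 0

    def verify(self, code):
        """Return True and advance the counter on a match, else False."""
        for c in range(self.next_counter, self.next_counter + self.window):
            expected = hotp(self.secret, c, self.digits).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.next_counter = c + 1     # everything at or below c is now spent
                return True
        return False


def totp_matches(secret, code, for_time=None, step=30, skew=1, digits=6):
    """Server-side TOTP check tolerating `skew` steps of clock drift either way."""
    now = time.time() if for_time is None else for_time
    for s in range(-skew, skew + 1):
        expected = totp(secret, now + s * step, step, 0, digits).encode()
        if hmac.compare_digest(expected, code.encode()):
            return True
    return False


if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, hotp(RFC_TEST_SECRET, c))   # 755224, 287082, 359152 per RFC 4226
    print("TOTP at T=59:", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 per RFC 6238
```

Running the module prints the first three RFC 4226 codes and the first RFC 6238 vector. The one-token-per-site problem the abstract raises is visible here: the server side needs the token's secret, so every service that does not share an authentication backend needs its own enrolled secret.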
<item><title>AppSec California 2016 - IoT Cornerstones of Security - Brian Witten</title><description>2016-03-30 14:33:12 - SecurityTube.Net : As the ever-growing billions of internet-connected devices shape our lives, through things like smart homes, connected cars, and the Industrial Internet, these devices and services need security. However, the security they must have is radically different from the security needed in traditional information technology. In particular, IoT devices can't have security "bolted on" after the device reaches a customer. Instead, IoT devices must have security built in from the start. Unfortunately, this is harder than it sounds, and not much guidance exists on how to do it right. We'll present four simple cornerstones of security for IoT. We'll describe how each of these must be adapted to work, both practically AND effectively, in the often very challenging environments of IoT and the Industrial Internet. We'll describe how these cornerstones mitigate an extremely wide range of threats. We'll present performance data on how newer implementations of newer algorithms now make legitimate security possible even in seriously constrained environments, such as 8-bit, 8 MHz micro-controllers with only 30 KB of flash, and battery-constrained devices that depend on energy harvesting. Brian Witten, Symantec, Sr. Director of Internet of Things. Brian Witten is Senior Director of Internet of Things (IoT) at Symantec. Over the past few years, Brian has led engineering on Android, Symantec Endpoint Protection (SEP cloud), and reputation-based security for enterprise, as well as encryption and identity technologies. Prior to that, Brian created Symantec Government Research Labs and Symantec Research Labs Europe, as well as several new technologies now used in Symantec's enterprise and Norton consumer offerings. An experienced information security expert, Brian has worked closely with leading universities, government organizations, and industry partners in information security for 19 years. Prior to joining Symantec, Witten worked at the Defense Advanced Research Projects Agency (DARPA), the US military's central research and development organization charged with sponsoring revolutionary, high-payoff research, where he managed an R&amp;D investment portfolio of more than $150 million in US and international efforts. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602418.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602418.shtml</guid></item>
<item><title>AppSec California 2016 - 10 years of Working with the Community - Dave Lenoe</title><description>2016-03-30 14:33:12 - SecurityTube.Net : Dave Lenoe, Director of Secure Software Engineering, has been working in the security community for 10 years, focusing for the majority of his time on response. As a veteran, Dave will talk about his perspective on the security landscape, reflect on the evolution of response and application security, and look at the way that we all interact with each other now versus a decade ago. He'll also discuss what the future may bring. Dave Lenoe, Adobe Systems, Inc. David Lenoe is Director, Secure Software Engineering at Adobe. In his role, Lenoe manages the Product Security Incident Response Team (PSIRT) dedicated to responding to and communicating about security issues, as well as the Adobe Secure Software Engineering Team (ASSET) responsible for ensuring Adobe's products are designed, engineered and validated using security best practices. Lenoe is also responsible for Adobe's vulnerability information sharing via the Microsoft Active Protections Program (MAPP). Lenoe represents Adobe on SAFECode's Board of Directors and acts as SAFECode's Treasurer. Lenoe joined Adobe as part of the Macromedia acquisition in 2004. At Macromedia, Lenoe held several management and engineering positions in the areas of product security, product management and quality assurance. Lenoe earned a BA in Japanese language and literature from Connecticut College. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602417.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602417.shtml</guid></item>
<item><title>AppSec California 2016 - Video Game Security</title><description>2016-03-30 14:33:12 - SecurityTube.Net : This presentation will cover various topics involved with hacking video games. It will start off with how hacking video games can lead to a career in the security industry. It will then dive into various activities involved with hacking video games, from higher level topics such as analyzing relevant business risks and threat modeling down to lower level things like how to change values in memory to gain unlimited ammo in a first-person shooter. Both client side attacks and network-based attacks will be discussed. Common attacks and corresponding protection mechanisms will be covered. Overall, this presentation will cover assessment topics and techniques relevant to assessing many types of software, both related to the video game industry as well as many other industries. This presentation has a decent amount of higher level material aimed more at the business level audience members, but will also cover some lower level material that more technical people should enjoy. Carter Jones, Cigital, Senior Security Consultant. Carter Jones is a senior security consultant at Cigital, who has experience both as a consultant and a security researcher. He has worked with clients from a broad range of industries, both private and public sector. While he has experience performing a range of security assessment activities (thick client, web app, network, and red teaming), he also enjoys assessing the security of video games. In his spare time, Mr. Jones plays video games and spends time with his wife. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602416.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602416.shtml</guid></item>
<item><title>AppSec California 2016 - https every site here - Emily Stark</title><description>2016-03-29 14:25:03 - SecurityTube.Net : Every site on the web should be HTTPS-enabled, but setting up HTTPS can be harder than we'd like: it's easy to misconfigure, and even when a site is HTTPS-enabled, it might not be working as effectively as it could be. In this talk, I'll explain the work that Chrome and other browser teams are doing to make high-quality HTTPS more widespread: developer tools to help debug problems, reporting mechanisms to roll out strong HTTPS safely, and more. Emily Stark, Software Engineer, Google. Emily is a software engineer on the Google Chrome security team, where she focuses on efforts to make TLS/SSL more usable and secure. Previously, she was a core developer at Meteor Development Group, where she worked on web framework security and internal infrastructure, and a graduate student researching client-side cryptography in web browsers. Emily has a master's degree from MIT and a bachelor's degree from Stanford, both in computer science. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602292.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602292.shtml</guid></item>
<item><title>AppSec California 2016 - Attack tree vignettes for Containers as a Service applications</title><description>2016-03-29 14:25:03 - SecurityTube.Net : Attack tree vignettes for Containers as a Service applications and risk centric threat models. Tony UcedaVélez, VerSprite Security, CEO. Tony UcedaVélez is CEO at VerSprite, an Atlanta based security services firm assisting global multi-national corporations on various areas of cyber security, secure software development, threat modeling, application security, security governance, and security risk management. Tony has worked and led teams in the areas of application security, penetration testing, security architecture, and technical risk management for various organizations in Utility, Banking, Government, Retail, Healthcare, and Information Services. He recently finished his latest book, Risk Centric Threat Modeling, with Wiley Life Sciences and has spoken at conferences across 13 countries and 4 continents on the subject matter. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602291.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602291.shtml</guid></item>
<item><title>AppSec California 2016 - Radio Hacking: Cars, Hardware, and more - Samy Kamkar</title><description>2016-03-29 14:25:03 - SecurityTube.Net : In this talk I'll introduce radio hacking, and take it a few levels into hacking real world devices like wirelessly controlled gates, garages, and cars. Many vehicles are now controlled from mobile devices over GSM and the web, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy). We'll investigate how these features work, and of course, how they can be exploited. I'll be going from start to finish on new tools and vulnerabilities in this area, such as key-space reduction attacks on fixed-codes, advanced "code grabbers" using RF attacks on encrypted and rolling codes, exploiting mobile devices and poor SSL implementations, and how to protect yourself against such issues. By the end of this talk you'll understand not only how vehicles and the wirelessly-controlled physical access protecting them can be exploited and secured, but also learn about various tools for hardware, car and RF research, as well as how to use and build your own inexpensive devices for such investigation. Samy Kamkar. Samy Kamkar is an independent security researcher, best known for creating the MySpace worm, one of the fastest spreading viruses of all time. His open source software and research highlights the insecurities and privacy implications in everyday technologies, from the Evercookie, which produces virtually immutable respawning cookies, to SkyJack, the drone that wirelessly hijacks other drones, and KeySweeper, a wireless keyboard sniffer camouflaged as a USB wall charger. He continues to release new tools and hardware, for example most recently the ProxyGambit, OpenSesame and ComboBreaker tools. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602290.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602290.shtml</guid></item>
<item><title>AppSec California 2016 - Integrating Mobile Devices into your Penetration Testing Program</title><description>2016-03-29 14:25:03 - SecurityTube.Net : Though still an imperfect science in many ways, penetration testing is often our only way of assessing the effectiveness of our security programs against actual attackers. As mobile devices enter the enterprise en masse, much focus has been on securing them and limiting the risk of BYOD using EMM, MDM, MIM, pick your favorite security control acronym. While many shops are engaging in code review, static analysis, pentesting, etc. against custom mobile applications built in house, even enterprises with mature security programs are often ignoring mobile devices and the surrounding infrastructure in their security testing. It seems like common sense to provide adequate security testing for all devices on corporate networks, particularly when spending large chunks of budget on security controls around BYOD. If we have DoS protection, we put it in front of staging and hit it with DoS attacks. If it falls down, the control is not providing return on investment. If we have a patch management practice, we make sure there are no missing patches leading to compromise during our penetration tests, and if there are, we augment our security program accordingly. We need to be doing the same around mobile. How secure are these devices really against attack? If they are compromised, what data on the device is in jeopardy? What other assets in the enterprise are now at risk of attack from the compromised mobile device? By using traditional penetration testing techniques augmented for the unique attack vectors for mobile devices, we can assess these risks and get a clear picture of the risk of BYOD in the environment. In this talk we will discuss techniques along with live demonstration scenarios of penetration tests on mobile devices and the surrounding infrastructure. From mobile phishing to undermining security controls to using compromised mobile devices as pivot points, the mobile risk is real and we need to be simulating it in our security testing. We will discuss how these techniques can augment and extend penetration testing and how they can be seamlessly integrated into your existing security program. Georgia Weidman, Founder and CEO, Bulb Security and Shevirah Inc. Georgia Weidman is a penetration tester, security researcher, and trainer. She holds an MS in computer science as well as CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has provided training at conferences such as Blackhat USA, Brucon, and Security Zone to excellent reviews. Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments, penetration testing, security training, and research and development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the open source project the Smartphone Pentest Framework (SPF). Georgia is a member of the spring 2015 cohort at the Mach37 cyber accelerator, founding Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions. She is the author of Penetration Testing: A Hands-on Introduction to Hacking from No Starch Press. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602289.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602289.shtml</guid></item>
<item><title>AppSec California 2016 - Software Security Metrics</title><description>2016-03-29 14:25:03 - SecurityTube.Net : More often than not, company executives ask the wrong questions about software security. This session will discuss techniques for changing the conversation about software security in order to encourage executives to ask the right questions, and provide answers that show progress towards meaningful objectives. Caroline will discuss a progression of software security capabilities and the metrics that correspond to different levels of maturity. She'll discuss an approach for developing key metrics for your unique software security program and walk through a detailed example. Caroline Wong, Cigital, Inc., Director of Strategic Security Initiatives. Caroline Wong, CISSP, is the Director of Strategic Security Initiatives at Cigital, the world's largest consulting firm specializing in software security. Prior to this role, Caroline led a product management team at Symantec and security teams at Zynga and eBay. Caroline is the author of "Security Metrics: A Beginner's Guide" and is well known as a thought leader on the topics of security strategy, operations, and metrics. She has been a featured speaker at industry conferences including RSA (USA and Europe), ITWeb Summit (South Africa), Metricon, the Executive Women's Forum, ISC2 and the Information Security Forum. Caroline contributed as a technical reviewer to the Center for Information Security Consensus Metrics Definitions. She graduated from UC Berkeley with a BS in Electrical Engineering and Computer Sciences, has a Certificate in Finance and Accounting from Stanford's Executive Education Program, and is CISSP certified. Caroline was awarded the 2010 Women of Influence "One to Watch" Award by the Executive Women's Forum. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602288.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602288.shtml</guid></item>
<item><title>AppSec California 2016 - Visualizing Security via LANGSEC</title><description>2016-03-29 14:25:03 - SecurityTube.Net : A web security model entirely predicated on applying pattern matching is at best a zero-sum game. Probabilistically, pattern matching (regular expressions) cannot prevent attacks generated by tools such as fuzzers. This talk will explore language security (LANGSEC) as an alternative methodology. This talk will lay the foundation, via informal and formal theory, of how lexers, tokenizers and parsers work. We'll move on to constructing an open source toolchain to analyze data and exploring interactive data visualizations. Along the way, we'll cover performance tradeoffs and discuss the challenges of modern application security. By the end of this talk, you'll know more about implementing LANGSEC to help analyze and prevent specific security attacks. Kunal Anand, Prevoty. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602287.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602287.shtml</guid></item>
<item><title>AppSec California 2016 - Hard to Port - A Snapshot of the Vulnerability Landscape</title><description>2016-03-29 14:25:03 - SecurityTube.Net : We begin by taking a high level view of the vulnerability landscape over the past year, from anonymized data gathered from the edgescan vulnerability management SaaS. This data-set provides a snapshot of vulnerabilities in thousands of servers and web applications across the globe. From this data, we provide our opinion and insight on why we think some of the trends are present and that traditional static approaches to dynamic problems are producing diminishing results. We ask, what is the ultimate goal, application security or risk? Protecting applications or protecting businesses and data? We note the trend towards a continual approach to application security and see the benefits of "pushing left". Rahim Jina, Edgescan, Director and Co-Founder. Rahim is a director and co-founder of edgescan, a SaaS-based managed service based in Ireland. Rahim is responsible for operational excellence and has extensive experience delivering penetration testing services to a wide range of organizations globally across many industry verticals. Prior to this, Rahim was Head of Product and Operational Security for Fonality, a VOIP provider based in Los Angeles, and was also a senior security consultant for a "Big 4" consultancy firm for many years. Rahim has been an OWASP contributor and volunteer since 2007 and was part of the Dublin chapter board for a number of years. Rahim graduated in 2002 from Trinity College Dublin (Ireland) with a Bachelor's degree in Computer Science, and in 2006 he completed a Master's in Security and Forensic Computing from Dublin City University (Ireland). For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602286.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602286.shtml</guid></item>
<item><title>AppSec California 2016 - Adaptive Testing Methodology: Crowdsourced Testing</title><description>2016-03-29 14:25:03 - SecurityTube.Net : Adaptive Testing Methodology: Crowdsourced Testing Methodology Customized to the Target Stack. Testing methodology is a sore subject for most pentesters. Everyone has their own way to do things, and 3 people testing the same thing often end up with different results, especially when constrained for time. The ASTM project has two goals: (1) allow testers to consistently find the best vulnerabilities in the shortest amount of time, and (2) provide a framework for community improvement of the methodologies. ASTM combines a time restraint with a quick technology detection step to build a customized testing methodology for that specific website given how much time you have to test it. IOActive, Director of Client Advisory Services. Daniel Miessler is a Director of Client Advisory Services with IOActive, based out of San Francisco, California. Daniel has 15 years of experience in information security with a focus on web, mobile, and IoT, and is a project leader for the OWASP IoT and OWASP Mobile Top Ten projects. In his spare time, he enjoys reading, writing, programming, and table tennis. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602285.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602285.shtml</guid></item>
<item><title>AppSec California 2016 - Unlocking Threat Modeling - Brook Schoenfield</title><description>2016-03-29 14:25:03 - SecurityTube.Net : For the last 20 years, assessment of the security of proposed systems has been a standard. Indeed, NIST-14 (1996) states, "Security requirements should be developed at the same time system planners define the requirements of the system." Yet, threat modeling remains something of a "black art", understood solely by the inner cognoscenti, "security architects". Indeed, at most companies, threat models are regarded as highly classified, need-to-know materials. This secretive approach hasn't served the industry, nor the 10s of thousands of "systems" that get developed each year. Join author and Distinguished Engineer Brook Schoenfield for a participatory session unlocking the shrouded mysteries of threat modeling, revealing the inner secrets, initiating participants into the society of practitioners. We will grapple with thorny issues like assessing risk, decomposition of the architecture, and appropriate architectural views. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602284.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602284.shtml</guid></item>
<item><title>AppSec California 2016 - Dissecting Bitcoin Security - Cassio Goldschmidt</title><description>2016-03-29 14:25:03 - SecurityTube.Net : Bitcoin is not only a currency. It's a system, a platform and an invention. Many human activities that previously required centralized institutions or organizations to function as authoritative or trusted points of control can now be decentralized. This has profound implications for security. To take full advantage of this new paradigm, traditional security concepts need to be redefined. This presentation will review and dissect some of bitcoin's core components and their security controls. The speaker will analyze and explain the controls and how they could be repurposed in other domains. Cassio Goldschmidt. Cassio Goldschmidt, CBP, is a globally recognized information security leader, known for his contributions to OWASP, SAFECode, and the CWE/SANS Top 25 Most Dangerous Software Errors, along with contributing to the security education curriculum of numerous universities. Cassio was one of the three finalists in the (ISC)² ISLA Awards 2011 in the Information Security Practitioner category and was endowed with the special Community Service Star award during the same occasion. In 2012, Cassio was one of the finalists in the Web Application Security Person of the Year (WASPY) awards. He holds a number of US patents and is a regular speaker at conferences worldwide. Cassio holds a BSCS from PUC-RS, an MS in software engineering from SCU, and an MBA from USC. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602283.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602283.shtml</guid></item>
<item><title>AppSec California 2016 - Security Automation in the agile SDLC - Real World Cases - Ofer Maor</title><description>2016-03-29 14:25:03 - SecurityTube.Net : How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic - there's an endless feed of buzzwords, but how can we turn this into a practice that really works? In this session we will review real world examples of building a successful automation process for delivery of secure software in fast paced development environments. Ofer Maor, Synopsys, Director of Security Strategy. Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development. As the founder and CTO of Seeker, Ofer pioneered IAST, the next generation of application security testing technology, currently used by some of the largest organizations in the world to continuously improve their software security. Ofer joined Synopsys when it acquired Seeker in July 2015. Prior to Seeker, Ofer was the Founder and CTO of Hacktics. He led Imperva's Application Defense Center research group and has also served as the Chairman of OWASP Israel and in the OWASP Global Membership Committee. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602282.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602282.shtml</guid></item>
<item><title>AppSec California 2016 - 15 Years of Web Security: the Rebellious Teenage Years</title><description>2016-03-29 14:25:03 - SecurityTube.Net : Jeremiah Grossman, Founder, WhiteHat Security. Jeremiah Grossman is the founder of WhiteHat Security. Jeremiah possesses a unique combination of technology savvy, customer advocacy and personal passion for application security. A world-renowned web security expert, sought-after speaker and influential blogger, Jeremiah brings a literal lifetime of information security experience, both homegrown and from his days as Yahoo's information security engineer, to the role. The ultimate "WhiteHat", Jeremiah is also founder of the Web Application Security Consortium. In his spare time, Jeremiah practices Brazilian Jiu-Jitsu and has earned a black belt. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602281.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602281.shtml</guid></item>
<item><title>AppSec California 2016 - Benchmarking AppSec Across Industries</title><description>2016-03-29 14:25:03 - SecurityTube.Net : Every industry faces the challenge of securing software, so why do some industries "get it" while others struggle to manage the problem at scale? In this session, we will share data drawn from over 200,000 application assessments performed via Veracode's cloud platform over an 18-month period. This is the largest data set of its kind, and it provides unique insight into the state of software security. Attendees can use this information to benchmark their AppSec program against peers, answering key questions such as: Do I have more serious vulnerabilities than my peers? What percentage of vulnerabilities do my peers remediate? How many of our applications should pass the OWASP Top 10 when initially assessed? What are the most common vulnerabilities in our vertical? How do coding vulnerabilities manifest across different programming languages? Chris Eng, Veracode. Chris Eng has over 15 years of application security experience. As Vice President of Research at Veracode, he leads the team responsible for integrating security expertise into Veracode's technology. Throughout his career, he has led projects breaking, building, and defending web applications and commercial software for some of the world's largest companies. Chris is a frequent speaker at premier industry conferences, such as BlackHat, RSA, OWASP, and CanSecWest, where he has presented on a diverse range of application security topics, including cryptographic attacks, agile security, mobile application security, and security metrics. Chris holds a BS in Electrical Engineering and Computer Science from the University of California. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602280.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602280.shtml</guid></item>
<item><title>AppSec California 2016 - 6 Myths of Threat Modeling - Jim DelGrosso - Brook Schoenfield</title><description>2016-03-29 14:25:03 - SecurityTube.Net : Are the threat modeling myths keeping you from initiating this key secure design activity? Join us to get the facts and find out how easy it is to get started. We will attempt to debunk 6 recurring myths. Hopefully you will agree with us once you have a few of the facts! We aim to place participants onto a path to successful threat modeling. Please join Jim DelGrosso and Brook Schoenfield as we squash misunderstandings and industry accepted disinformation. Jim DelGrosso, Cigital, Inc., Senior Principal Consultant. Jim DelGrosso, Principal Consultant, has been with Cigital since 2006. In addition to his overarching knowledge of software security, he specializes in Architecture Analysis, Threat Modeling and Secure Design. In fact, he was a catalyst for creating Cigital's current Architecture Analysis practice. Jim is also the Executive Director for the IEEE Computer Society Center for Secure Design (CSD). Brook Schoenfield, Intel Security. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602279.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602279.shtml</guid></item>
<item><title>AppSec California 2016 - Advances in Secure Coding Frameworks</title><description>2016-03-29 14:25:03 - SecurityTube.Net : The Beatles once sang, "I've got to admit it's getting better, a little better all the time, because it can't get more worse", and that applies directly to the field of application security. The successes in building security into common application development frameworks are remarkable and have, in some ways, made secure coding less of an effort for the developer. While much needs to be done in this area, there are many very positive examples of security characteristics built correctly into frameworks. This talk will bring the positive vibe to AppSec California and highlight that things really are getting better in AppSec - all the time - if you look in the right places. Jim Manico, Manicode Security. Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and is an investor and advisor for Signal Sciences. Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. Jim is also a Global Board Member for the OWASP foundation, where he helps drive the strategic vision for the organization. He is the author of "Iron-Clad Java: Building Secure Web Applications" from McGraw-Hill. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602278.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602278.shtml</guid></item>
<item><title>AppSec California 2016 - Keynote - Starting a metrics program - Marcus Ranum</title><description>2016-03-28 14:39:47 - SecurityTube.Net : Security practitioners constantly bemoan their difficulty in communicating effectively with business units or senior management. The key, of course, is using the right language - namely, metrics. In this presentation we'll outline a bunch of useful things you should know about setting up your own metrics process. Marcus Ranum, Tenable Network Security, Chief Security Officer. Marcus J. Ranum works for Tenable Security, Inc. and is a world-renowned expert on security system design and implementation. He has been involved in every level of the security industry from product coder to CEO of a successful start-up. He is an ISSA fellow and holds achievement and service awards from several industry groups. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602184.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602184.shtml</guid></item>
<item><title>AppSec California 2016 - To bounty, or not to bounty? Security@ insights from 500 organizations - Alex Rice</title><description>2016-03-28 14:39:47 - SecurityTube.Net : Security@ addresses across the internet are experiencing a surge in activity as organizations embrace collaboration with the security researcher community through vulnerability disclosure programs. In our journey to uncover the perfect approach, one thing became certain: every organization is wildly unique and there is no one size fits all answer. To understand what exactly contributes to a successful program, we've analyzed aggregate Security@ data from over 500 organizations and devised a weighted index across six dimensions: Researcher Breadth, Researcher Depth, Vulnerabilities Found, Response Efficiency, Reward Competitiveness and Signal Ratio. The result is an advanced framework for quantifying impact and assessing the performance of these programs. Whether you already run an active bug bounty program or still have a security@ address that bounces, you can expect this talk to help you shed blind dogma and walk away armed with an analytical approach to running an effective Security@. Alex Rice. Alex Rice is a co-founder and the Chief Technology Officer at HackerOne, providing a platform that enables organizations to build strong relationships with a community of security experts. Alex is responsible for developing the HackerOne technology vision, driving engineering efforts and counseling customers as they build world-class security programs. In addition to his role at HackerOne, Alex also serves on the board for the Internet Bug Bounty, a nonprofit organization focused on rewarding friendly hackers who contribute to a more secure Internet. Prior to HackerOne, Alex founded the product security team at Facebook, built one of the industry's most successful security programs and introduced new transport layer encryption used by more than a billion users. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602183.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602183.shtml</guid></item>
<item><title>AppSec California 2016 - Software Security Initiative Capabilities - Where do I begin?</title><description>2016-03-28 14:39:47 - SecurityTube.Net : A software security initiative (SSI) often gets started via one of three common capabilities - penetration testing, code review, or some sort of secure design review (e.g., threat modeling). This talk will discuss the benefits and drawbacks of each capability and show how they fit as part of a mature SSI. Jim DelGrosso, Cigital, Inc., Senior Principal Consultant. Jim DelGrosso, Principal Consultant, has been with Cigital since 2006. In addition to his overarching knowledge of software security, he specializes in Architecture Analysis, Threat Modeling and Secure Design. In fact, he was a catalyst for creating Cigital's current Architecture Analysis practice. Jim is also the Executive Director for the IEEE Computer Society Center for Secure Design (CSD). For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602182.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602182.shtml</guid></item>
<item><title>AppSec California 2016 - Connected Cars - What could possibly go wrong? - Ed Adams</title><description>2016-03-28 14:39:47 - SecurityTube.Net : Millions of cars with tens of millions of lines of code are already on the road talking to servers and, very soon, talking to each other. Clearly a lot can go wrong. Connectivity carries significant risks which must be addressed as soon as possible. This session will address the trade-off between safety, security and convenience, as well as the steps that need to be taken by the automotive manufacturers before we can trust our cars to let the transportation ecosystem deliver the promised benefits of connected services. Key Take-Aways: examples and a deeper appreciation of the security and privacy challenges of connected vehicular commerce; insights into the growing role being played by the US government; some comfort that many of the lessons learned in the traditional IT world are applicable to cars. Ed Adams, CEO, Security Innovation. Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts to help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to the most recognizable companies in the world, including Microsoft, IBM, Fedex, ING, Nationwide and HP. Mr. Adams is a Ponemon Institute Fellow and founded the Application Security Industry Consortium, Inc. (AppSIC), a non-profit association of industry analysts, enterprise technologists, and security leaders established to define cross-industry application security metrics and best practices that eventually morphed into SAFECode, at which point Mr. Adams got more engaged with other industry initiatives, including OWASP. Mr. Adams is on the board of the National Association of Information Security Groups (NAISG) and the International Secure Software Engineering Council (ISSECO). In February of 2014, Mr. Adams was named a Privacy by Design Ambassador, a group of privacy thought-leaders committed to ensuring the ongoing protection of personal information by following the Principles of PbD. For More Information Please Visit - https://2016.appseccalifornia.org </description><link>http://www.secuobs.com/revue/news/602181.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602181.shtml</guid></item>
<item><title>AppSec California 2016 - Taking AppSec to 11: Pipelines, DevOps and making things better</title><description>2016-03-28 14:39:47 - SecurityTube.Net : How many applications are in your company's portfolio? What's the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. It's not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in. The talk covers real world experiences running AppSec groups at two different companies: Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers than AppSec staff. The talk covers the key principles to speed and scale up AppSec programs using an AppSec Pipeline as well as practical examples of these practices put into use. Start early and begin to buy down the technical security debt which feels inevitable with more traditional AppSec program thinking. Matt Tesauro, Founder, Infinitiv. Matt has been involved in information technology and application development for more than 15 years. He is currently the Senior Software Security Engineer at Pearson. He is also an Adjunct Professor for the University of Texas Computer Science department, teaching the next generation of CS students about Application Security. Previously, he was the Senior Product Security Engineer at Rackspace. Prior to joining Rackspace, Matt spent time as an application security consultant, spent several years as the "appsec guy" at a government agency and started out as a web app developer. Matt's focus has been in application security including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to Secure SDLC efforts he's driven. He has taught both graduate level university courses and for large financial institutions. Matt has presented and provided training at various industry events including DHS Software Assurance Workshop, Agile Austin, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil. Matt is currently active with the OpenStack Security Group (OSSG) and is a former board member of the OWASP Foundation. He is highly involved in many OWASP projects and committees. Matt is the project leader of the OWASP OpenStack Security project - a project to bring the OpenStack and OWASP communities together. He has also run the OWASP WTE (Web Testing Environment) since 2008, which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications - all running on Linux (of course). Industry designations include the RHCE, Linux+, Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a BS in Economics and a MS in Management Information Systems from Texas A&amp;M University. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602180.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602180.shtml</guid></item>
<item><title>AppSec California 2016 - Preventing Security Bugs through Software Design - Christoph Kern</title><description>2016-03-28 14:39:47 - SecurityTube.Net : Many common application-level security defects, such as SQL Injection and Cross-Site-Scripting (XSS), have proven difficult to eradicate in large-scale software development projects. In our view, the root cause for the prevalence of these classes of vulnerabilities is that underlying APIs and frameworks (such as SQL query APIs, HTML templating systems, and Web Platform APIs) a-priori permit vulnerable application code to be written, thus placing the onus for avoiding vulnerabilities primarily on the developer. Since developers are human, and the APIs in question are often widely used in large applications, the presence of some number of mistakes and hence vulnerabilities is almost guaranteed. At the same time, it is unlikely that existing bugs in a large system can be exhaustively identified through testing, code review or static analysis. In this talk, we propose to instead place the burden on API designers: Our goal is to design alternative APIs that are similarly expressive, but are also sufficiently constrained to make it essentially impossible to write vulnerable application code using the API. We describe designs for injection-proof SQL query APIs and XSS-proof HTML rendering APIs, combined with machine-checked coding guidelines ensuring their correct usage. These APIs have been successfully adopted in several flag-ship application development projects at Google, and have resulted in a drastic reduction in the number of bugs observed. Christoph Kern, Software Engineer, Google. Christoph Kern is a software engineer in Google's Information Security Engineering team. He leads a team focused on the prevention and mitigation of security vulnerabilities in Google's applications and services through framework, API, and platform design. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602179.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602179.shtml</guid></item>
<item><title>AppSec California 2016 - All You Need Is One - A ClickOnce Love Story - Ryan Gandrud</title><description>2016-03-28 14:39:47 - SecurityTube.Net : ClickOnce is a deployment solution that enables fast, easy delivery of packaged software. It is commonly used by organizations to deploy both internal and production-grade software packages along with their respective updates. By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions. It also provides an excellent opportunity for malicious actors to establish a foothold in your network. In this talk, I will discuss how I combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment. By minimizing user interaction, we only require that the user is fooled for "one click" - after that, we already have a foothold in their environment and are ready to pivot and escalate further. Ryan Gandrud, Senior Security Consultant, NetSPI. Ryan is a senior security consultant with a BS in computer science from North Dakota State University. He has worked in the Information Technology, Healthcare, Financial Services, and Information Security industries. Ryan's primary knowledge base includes network, web application, and thick application penetration testing with extensive knowledge in email phishing. Ryan has presented at multiple venues before including BSides Las Vegas and Secure360. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602178.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602178.shtml</guid></item>
<item><title>AppSec California 2016 - Design Approaches for Security Automation - Peleus Uhley</title><description>2016-03-28 14:39:47 - SecurityTube.Net : Many of the talks at security conferences these days involve the launch of a new security automation framework. Each of these tools has different goals and technologies that met their organization's needs. When it comes to your organization, how will you decide whether to build, buy, or borrow? Are there better criteria than just technology stack compatibility? What qualities make a good design for your environment? Where do you deploy? Which open-source tools work best? How do you ensure that your implementation will effectively enable teams versus creating more noise? This presentation will discuss criteria for designing and evaluating security automation tools for your organization. Peleus Uhley, Lead Security Strategist, Adobe Systems, Inc. Peleus Uhley has been a part of the security industry for more than 15 years. As the Lead Security Strategist at Adobe, he assists the company with proactive and reactive security. Prior to joining Adobe, Peleus was a senior developer at Anonymizer, and a security consultant for @stake and Symantec. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602177.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602177.shtml</guid></item>
<item><title>AppSec California 2016 - AuthMatrix: Simplified Authorization Testing for Web Applications - Mick Ayzenberg</title><description>2016-03-28 14:39:47 - SecurityTube.Net : While many threats to web applications such as SQLi and XSS can be mitigated through generic framework solutions, enforcing authorization remains a complex task for developers. Proper enforcement of access controls requires unique design considerations for each application and can be difficult to get right. Detecting vulnerabilities in authorization can be just as challenging, as these issues are generally difficult to map and test for. Due to the complexity in an application's architecture, pen-testers must frequently use their limited time and resources developing custom tools specific to a single application's authorization model. In this presentation we take you through the process of designing a tool capable of simplifying this testing methodology to reduce the redundancy between testing unique targets. We will discuss some of the common authorization insecurity patterns seen in web applications and services, consider the common challenges faced by pen-testers when testing for these issues, and present effective methods for mapping the intricacies of these models. Additionally, we will introduce AuthMatrix, a new extension to the Burp Suite testing utility designed to simplify authorization test cases in a clear and reproducible manner. Mick Ayzenberg, Security Engineer, Security Innovation. Mick's years of security industry experience have included consulting on dozens of mid-to-long term projects for well-known technology companies. He has done extensive work in network protocol analysis, reversing, and fuzzing of both software applications and network communications. Mick's broad spectrum of security skills, ranging from the network, transport, operating system, and application layers, has equipped him well for his position at Security Innovation, wherein he works with the company's clients to identify and remediate vulnerabilities in high-profile applications and operational systems. For More Information Please Visit - https://2016.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/602176.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602176.shtml</guid></item>
<item><title>Hackers Seek Ransom From Two More California Hospitals</title><description>2016-03-23 14:50:50 - Office of Inadequate Security : Chad Terhune reports: Hackers demanded a ransom from two more Southern California hospitals last week and federal </description><link>http://www.secuobs.com/revue/news/601845.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/601845.shtml</guid></item>
<item><title>Laborers' Health &amp; Welfare Trust Fund for Northern California members notified of HIPAA breach</title><description>2016-03-16 14:11:47 - Office of Inadequate Security : The Laborers' Health &amp; Welfare Trust Fund for Northern California has experienced a recent HIPAA security incident.</description><link>http://www.secuobs.com/revue/news/601184.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/601184.shtml</guid></item>
<item><title>A California Jury Finds Copyright Infringement In an Interface</title><description>2016-03-11 14:24:48 - Slashdot: Your Rights Online : whoever57 writes: A California jury in one of the cases between Synopsys and Atoptech found copyright infringement in Atoptech's use of the "Primetime commands". These companies compete in the field of EDA (Electronic Design Automation) software: software that is used by semiconductor companies to design ICs. The Primetime commands are merely an interface; Atoptech has their own implementation of the functionality that these commands "provide". This can be seen as similar to the Oracle vs. Google lawsuit, in which an appeals court has found that providing a similar interface (via header files) can constitute copyright infringement. Naturally, there will be appeals in this case.</description><link>http://www.secuobs.com/revue/news/600831.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/600831.shtml</guid></item>
<item><title>California man hacked CMU student's account, prosecutors say</title><description>2016-03-04 17:49:52 - Office of Inadequate Security : Brian Bowling reports: A California college student hacked the student account of a Carnegie Mellon University student to </description><link>http://www.secuobs.com/revue/news/600190.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/600190.shtml</guid></item>
<item><title>CyberCalifornia initiative to facilitate research and innovation</title><description>2016-02-29 05:37:54 - Help Net Security : More than ever, California stands at the forefront of new technologies based on the Internet of Things (IoT). We are also increasingly vulnerable, a fact underscored by breaches of corporations and government agencies that have impacted millions across the nation. Toward that end, a state-wide alliance of cyber security leaders, companies, educators and elected officials, CyberCalifornia, has been formed. The non-profit coalition will work closely with select representatives from government, industry and academia.</description><link>http://www.secuobs.com/revue/news/599608.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/599608.shtml</guid></item>
<item><title>University of California - Berkeley alerting 80,000 to December hack involving SSN or bank account info</title><description>2016-02-27 00:14:04 - Office of Inadequate Security : From the University of California - Berkeley: UC Berkeley officials are sending alert notices to approximately 80,000 </description><link>http://www.secuobs.com/revue/news/599528.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/599528.shtml</guid></item>
<item><title>California Attorney General Releases Report Defining "Reasonable" Data Security</title><description>2016-02-20 18:07:58 - Office of Inadequate Security : I've previously posted a link to a report by the California Attorney General on breaches in California and </description><link>http://www.secuobs.com/revue/news/598887.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/598887.shtml</guid></item>
<item><title>California Considers Marijuana "Track and Trace" System for Cannabis Industry</title><description>2016-02-19 21:49:54 - Security Bloggers Network : As the state of California ventures into a new regulatory effort to track all marijuana grown and sold in the state, one of the key decisions before state officials is what kind of system it should deploy.</description><link>http://www.secuobs.com/revue/news/598838.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/598838.shtml</guid></item>
<item><title>California Data Breach Report 2016: Records stolen may affect three in five Californians</title><description>2016-02-19 04:47:41 - Security Bloggers Network : Kamala Harris, California's Attorney General (AG), shared key findings from the latest data breach report to a packed room on the Stanford campus this past Tuesday. It was an honour to see Harris in person, </description><link>http://www.secuobs.com/revue/news/598749.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/598749.shtml</guid></item>
<item><title>California Attorney General Releases Data Breach Report: Over 49 Million Records of Californians' Personal Information Put at Risk in Last Four Years</title><description>2016-02-17 02:55:54 - Office of Inadequate Security : Attorney General Kamala D. Harris today addressed the Stanford Cyber Initiative to release a comprehensive report detailing </description><link>http://www.secuobs.com/revue/news/598478.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/598478.shtml</guid></item>
<item><title>Profs protest "invasive" cybersecurity measures at University of California campuses</title><description>2016-02-05 16:26:45 - Risk Assessment - Ars Technica : University of California administration says it's just going after "bad actors".</description><link>http://www.secuobs.com/revue/news/597495.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/597495.shtml</guid></item>
<item><title>California Police Used Stingrays in Planes to Spy on Phones</title><description>2016-02-02 16:10:09 - LinuxSecurity.com - Latest News : LinuxSecurity.com: The government's use of a controversial invasive technology for tracking phones just got a little more controversial.</description><link>http://www.secuobs.com/revue/news/597152.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/597152.shtml</guid></item>
<item><title>San Francisco Recruits Three California Cities for Regional "Startup in Residence" Program</title><description>2016-01-29 04:41:17 - Security Bloggers Network : Startupinresidence.org. Building on a program from 2014, the San Francisco Mayor's Office of Civic Innovation announced during a Jan. 28 press conference the 2016 Startup in Residence program that includes a regional partnership with the neighboring cities of Oakland, San Leandro and West Sacramento. Selected startups will work with city departments to solve challenges around housing, transportation, the environment, public safety and public experience through the creation of new technologies developed during a 16-week residency. And this isn't a one-off, San Francisco officials said: they're building toward a national and global effort to encourage startup investment in the govtech market. "When we look at the transformation happening in nearly every industry and sector, startups are leading the way," San Francisco Chief Innovation Officer Jay Nath said during the event. "Yet the public sector is one of the few remaining areas that have yet to be transformed by startups. We believe one of the most critical barriers for entrepreneurs is not understanding the needs of government organizations." In 2014, San Francisco experimented with a four-month Entrepreneurship in Residence program that paired six civic tech startups with city departments to craft new technologies aimed at improving government. Smartphone apps, predictive analytics platforms and notification systems were among the technologies developed, and two companies won contracts through a formal procurement with the city. At the start of that program, the city was surprised and encouraged by the outpour of participation from around the world as San Francisco received applications from more than 200 startups from 25 cities and countries, Nath said, and the city is now building on this model. A $474,453 allocation from a $10 million three-year grant from the US Department of Commerce is allowing San Francisco to scale its program regionally, said Jeremy Goldberg, Startup in Residence program director. Through this iteration of the program, startups will develop new technologies that improve cities, Goldberg said, but they're also compiling a repository of resources and methodology for cities around the world to use. "Following the program, all of the education and learning and experience we're developing now will become part of a blueprint and a guide for other cities that seek to participate and develop a version of the Startup in Residence to access that information," Goldberg said during the press conference. The program website lists 27 challenges to which startups can apply before the deadline of Feb. 18. They include projects like helping cities improve the process of recruiting foster parents, creating mobile apps for government inspectors to ensure post-disaster assessments are safe, and installing sensors in garbage cans to help cities meet their goal of reduced waste and increased efficiency. Organizers will select startups that best match the challenges presented, Nath said, and if no one applies to a given challenge, it may not be pursued. He guessed that when the program begins in March, each city would end up with between three and six startups under its tutelage. It's about quality, Nath said, not quantity. Selected startups will get training on how government works, what its challenges are and which government workers to talk to in order to get things done. When the program completes in July, startups will have a chance to sell their technology to government through a streamlined procurement process that Nath said the city hopes will encourage more startups to give the growing govtech sector a chance. "This is another way to address a barrier that startups are facing, which is lengthy and complex procurement processes that often require a number of legal resources and know-how that many startups don't have," Nath said. "Government, broadly, is a huge commercial opportunity. There's tens of billions of dollars, and internationally hundreds of billions of dollars, and yet the ecosystem is mostly large players, so how do we bring entrepreneurs into that ecosystem? And this is one program that's trying to tackle that challenge." In September, each city will host a demo day to showcase the technologies developed by each startup, and a regional demo day will feature the best products from each city. Interested startups can apply by visiting the program website at startupinresidence.org.</description><link>http://www.secuobs.com/revue/news/596818.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596818.shtml</guid></item>
<item><title>California hematologist notifies patients after thief stole paper records with protected health information</title><description>2016-01-23 04:17:28 - Office of Inadequate Security : Sometimes I find a breach listed on HHS's public breach tool, but it's a while before I can find out what </description><link>http://www.secuobs.com/revue/news/596302.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596302.shtml</guid></item>
<item><title>Anti-Encryption Bill Would Ban iPhones, Android Devices in California</title><description>2016-01-22 14:25:48 - Security Bloggers Network : California's legislature has introduced a new anti-encryption bill that, if passed, would result in a ban on iPhones and Android devices across the state. On Wednesday, Californian assembly member Jim Cooper introduced AB 1681, which if adopted by the legislature would mandate that "a smartphone that is manufactured on or after January 1, 2017," The post Anti-Encryption Bill Would Ban iPhones, Android Devices in California appeared first on The State of Security.</description><link>http://www.secuobs.com/revue/news/596241.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596241.shtml</guid></item>
<item><title>California Legislation Would Require License Plates, Insurance For Drones</title><description>2016-01-15 23:08:54 - Slashdot: Your Rights Online : An anonymous reader writes: A pair of legislators in California have introduced separate pieces of legislation aimed at further regulating the nascent drone industry in the name of safety. Assemblyman Mike Gatto wants inexpensive insurance policies sold with drones, and also wants those drones to be outfitted with tiny license plates. He said, "If cars have license plates and insurance, drones should have the equivalent, so they can be properly identified, and owners can be held financially responsible, whenever injuries, interference, or property damage occurs." Another bill, put forth by Assemblyman Ed Chau, wants to require drone owners to leave contact information in the event of a crash. Chau also made parallels with cars: "If you lose control of your drone and someone gets hurt, or someone else's property gets damaged, then you should have the same duty to go to the scene of the accident, give your name and address, and cooperate with the police." The bills follow a number of incidents during 2015 in which drones damaged people and property, or simply got in the way of other operations.</description><link>http://www.secuobs.com/revue/news/595742.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/595742.shtml</guid></item>
<item><title>Number Of ID Theft Investigations DROP After California Allows Illegals Driver's Licenses</title><description>2016-01-12 05:27:40 - Office of Inadequate Security : Jonah Bennett reports: New figures show that the number of identification theft investigations collapsed by 30 percent in </description><link>http://www.secuobs.com/revue/news/595394.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/595394.shtml</guid></item>
<item><title>California might investigate massive leak of voter records</title><description>2015-12-30 06:47:37 - Office of Inadequate Security : As I first reported in co-breaking the story about the massive leak of voter records that had been discovered by Chris </description><link>http://www.secuobs.com/revue/news/594454.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/594454.shtml</guid></item>
<item><title>California DMV Regulations Allow Self-Driving Cars with Licensed Drivers Present</title><description>2015-12-16 21:02:02 - Security Bloggers Network : After years of testing, California has taken its first step toward putting cars that can drive themselves into the hands of its citizens, but state regulators have taken a cautious approach that will delay som </description><link>http://www.secuobs.com/revue/news/593408.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/593408.shtml</guid></item>
<item><title>Personal and sensitive data of 59,000 charter school students in California leaked: researcher</title><description>2015-12-12 17:59:59 - Office of Inadequate Security : California Virtual Academies (CAVA) is a network of 11 publicly funded charter K-12 schools in California. Researcher Chris </description><link>http://www.secuobs.com/revue/news/592977.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/592977.shtml</guid></item>
<item><title>High-Risk Security Vulnerabilities Identified During Reviews of Information System General Controls at Three California Managed-Care Organizations Raise Concerns About the Integrity of Systems Used To</title><description>2015-12-11 14:33:53 - Office of Inadequate Security : From the Office of the Inspector General of the US Dept. of Health &amp; Human Services: We summarized the high-risk </description><link>http://www.secuobs.com/revue/news/592887.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/592887.shtml</guid></item>
<item><title>California Attack Has US Rethinking Strategy On Homegrown Terror</title><description>2015-12-06 14:55:40 - Slashdot: Your Rights Online : JoeyRox writes: The recent terror attack in California reflects "an evolution of the terrorist threat that Mr. Obama and federal officials have long dreaded: homegrown, self-radicalized individuals operating undetected before striking one of many soft targets that can never be fully protected in a country as sprawling as the United States." With this new type of terror risk, authorities may begin relying more heavily on citizens reporting suspicious behavior of others. The attack is also expected to renew the debate over privacy versus security for software encryption. President Obama will be addressing the nation tonight to discuss the attack.</description><link>http://www.secuobs.com/revue/news/592228.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/592228.shtml</guid></item>
<item><title>California collects, owns and sells infants' DNA samples</title><description>2015-11-12 13:14:28 - Security Bloggers Network : The DNA data is supposedly anonymized, but one expert says the de-identification is easy to see through.</description><link>http://www.secuobs.com/revue/news/589872.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589872.shtml</guid></item>
<item><title>DNA Data From California Newborn Blood Samples Stored, Sold To 3rd Parties</title><description>2015-11-11 01:36:06 - Slashdot: Your Rights Online : schwit1 writes: "This might come as a surprise to California natives in their 20s and early 30s: The state owns your DNA. Every year about four million newborns in the US get a heel prick at birth, to screen for congenital disorders that, if found early enough, can save their life." However, when those tests are done, the leftover blood isn't simply thrown away. Instead, they're taken to an office building and the DNA data is stored in a database. "It's a treasure trove of information about you, from the color of your eyes and hair to your pre-disposition to diseases like Alzheimer's and cancer." And that's not the end of it: "The California Department of Public Health (CDPH) is not the only agency using the blood spots. Law enforcement can request them. Private companies can buy them to do research, without your consent."</description><link>http://www.secuobs.com/revue/news/589724.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589724.shtml</guid></item>
<item><title>How California Police Are Tracking Your Biometric Data In the Field</title><description>2015-11-04 22:35:59 - Slashdot: Your Rights Online : v3rgEz writes: EFF and MuckRock teamed up in August to reveal how state and local law enforcement agencies are using mobile biometric technology in the field by filing public records requests around the country. With the help of members of the public who nominated jurisdictions for investigation, we have now obtained thousands of pages of documents from more than 30 agencies. Here's how police around California are using iris scanners, fingerprint readers, and facial recognition to monitor civilians.</description><link>http://www.secuobs.com/revue/news/589095.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589095.shtml</guid></item>
<item><title>Hyperloop Test Track To Be Built in California</title><description>2015-10-30 17:11:24 - Hackaday : Next year Hyperloop Transportation Technologies is planning on breaking ground on a five mile test track for the Hyperloop concept as originally proposed by Elon Musk back in 2013. It's being built around Quay Valley, which is a large real-estate development in California. In addition to serving as a test-bed for different pod designs and to further the technology as a whole, they're planning on being able to transport passengers at mind-boggling speeds (how's 760mph sound?) by as soon as 2018. While Elon Musk has no real involvement in the company, he is extremely supportive of the company and seeing </description><link>http://www.secuobs.com/revue/news/588557.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/588557.shtml</guid></item>
<item><title>California's $68 Billion Bullet Train Project Faces Major Hurdles</title><description>2015-10-25 21:30:13 - Slashdot: Your Rights Online : New submitter willworkforbeer writes: The proposed US$68B high speed rail project in California faces extraordinary hurdles, both in terms of budget and timeframe. Even Einstein (no, not that one; Herbert Einstein, an MIT civil engineer and top tunneling expert) says the schedule is probably not possible. "Having looked at a number of these long tunnels, [the California] plan is aggressive," said Einstein, who has consulted on a 35-mile-long tunnel under the Swiss Alps. "From a civil engineering perspective it is very, very ambitious," to put it mildly. New York's 11-mile East Side Access tunnel project is 14 years late and about 2.5x its original budget. If California's 72 miles of tunnels (twin tunnels of 36 miles) go like New York's, that would be over US$160B spent, with an opening date sometime in the 2030s. The article goes through a number of complicating factors for the tunnels, from the major faults they must cross to the melange of rock types they must drill through.</description><link>http://www.secuobs.com/revue/news/587902.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/587902.shtml</guid></item>
<item><title>California DMV worker indicted in ID theft probe</title><description>2015-10-22 02:58:19 - Office of Inadequate Security : AP reports: A clerk at the California Department of Motor Vehicles and five other people have been indicted on charges</description><link>http://www.secuobs.com/revue/news/587576.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/587576.shtml</guid></item>
<item><title>1,182 clients of Community Catalysts of California notified of theft of their personal information</title><description>2015-10-17 01:35:00 - Office of Inadequate Security : From their counsel's notification to the California Attorney General's Office: Community Catalysts of California</description><link>http://www.secuobs.com/revue/news/587059.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/587059.shtml</guid></item>
<item><title>California nixes warrantless search of digital data</title><description>2015-10-13 15:23:52 - Security Bloggers Network : California police will no longer be able to get their hands on phone or other digital data about users without a warrant.</description><link>http://www.secuobs.com/revue/news/586562.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/586562.shtml</guid></item>
<item><title>California Now Has the Nation's Best Digital Privacy Law</title><description>2015-10-13 15:08:25 - LinuxSecurity.com: Latest News : LinuxSecurity.com: California continued its long-standing tradition for forward-thinking privacy laws today when Governor Jerry Brown signed a sweeping law protecting digital privacy rights.</description><link>http://www.secuobs.com/revue/news/586560.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/586560.shtml</guid></item>
<item><title>This Week in Security: Outlook Web App Attack, Angler Exploit Kit Disrupted, California Privacy Law</title><description>2015-10-12 06:34:52 - Security Bloggers Network : Our security roundup series covers the week's trending topics in the world of InfoSec. In this quick-read compilation, we'll let you know of the latest news and controversies that the industry has been talking about recently. Here's what you don't want to miss from the week of October 5, 2015: Samsung's mobile payment system, LoopPay, was hacked. The post This Week in Security: Outlook Web App Attack, Angler Exploit Kit Disrupted, California Privacy Law appeared first on The State of Security.</description><link>http://www.secuobs.com/revue/news/586379.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/586379.shtml</guid></item>
<item><title>Three-Bill Package Makes Revisions to California's Data-Breach Notification Statute</title><description>2015-10-11 14:13:34 - Office of Inadequate Security : Brandon Johnson writes: On October 6, 2015, California Governor Jerry Brown signed into law a trio of bills that is intended</description><link>http://www.secuobs.com/revue/news/586348.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/586348.shtml</guid></item>
<item><title>California Trucking Executive and Alleged Computer Hacker Arrested for Extorting $40,000 from Chicago-Area Software Company</title><description>2015-10-04 19:26:22 - Office of Inadequate Security : The president of a southern California trucking company plotted with a Serbian man to extort $40,000 from a Chicago-area</description><link>http://www.secuobs.com/revue/news/585625.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/585625.shtml</guid></item>
<item><title>Will California More Closely Scrutinize Driverless Car Crashes?</title><description>2015-09-29 17:33:12 - Security Bloggers Network : Google autonomous vehicle video. According to Google, none of the accidents its self-driving cars has been in was the fault of the vehicle, or rather the program making decisions for the vehicle. But for one nonprofit group, Google's word isn't enough, and that group has called on the California Department of Motor Vehicles to more closely scrutinize all companies testing autonomous vehicles in the state. Consumer Watchdog, a nonprofit consumer advocacy group, has formally requested that the California DMV update its rules to require autonomous vehicle testers to submit more data when accidents happen. The state already requires operators to submit reports within 10 days of an accident that include information such as the location of the vehicle and the circumstances surrounding the accident. But Consumer Watchdog says the companies have more information than that, including video recordings of the crashes. The implications of self-driving vehicles are significant: a Google employee wrote in a July blog post that autonomous vehicles could help address traffic problems like distracted driving, and a video the company released in 2012 showed a car driving a blind man to pick up his dry cleaning. But John Simpson, privacy project director for Consumer Watchdog, said the world needs to make sure the vehicles are safe first. "Before we get to the point of these things running all over the roads, we need to be able to understand why things went wrong when they went wrong, and that's going to help us develop appropriate safety rules going forward," he said. The video Google and other companies collect from autonomous vehicles, along with data from the cars' sensors, should be made available to the DMV as it works to put together rules that will govern the use of self-driving vehicles for the general public and not just for testing, Simpson said. "They record the speed of the car, how hard the brakes were put on, that kind of stuff," he said. That information would help shed light on exactly what happens when self-driving cars get into accidents, which Simpson said is important since the testing is happening on public roads, largely in the Bay Area, though Google recently expanded its testing grounds to Austin, Texas. "Some of the public is potentially in harm's way, and that means there needs to be absolute transparency about what goes wrong," Simpson said. According to the DMV website, 10 different companies have received state permits to test autonomous vehicles, among them Google and several automotive giants like Honda, Nissan and Volkswagen. Emails with the DMV public affairs office that Simpson shared with Government Technology show that Google has the largest fleet of test cars by far, with 48 on California roads as of Aug. 14. Tesla had the next-largest fleet at 12 cars. Google has been testing its autonomous cars since 2009, according to a monthly newsletter the company publishes on its driverless car program. Since then, its cars have been involved in 16 accidents. The company selects case studies of accidents for its newsletters and describes the accidents in detail. On Aug. 20, a car rear-ended one of Google's autonomous vehicles at an intersection in front of Eagle Park in Mountain View as the Google driver took over the controls and slowed down to give way to a pedestrian crossing the street. On July 1, another one of Google's cars was rear-ended at an intersection near Mountain View's Frank L. Huff Elementary School when two vehicles stopped at a green light in front of the Google car, forcing the self-driving program to stop as well. The last incident prompted Google to release an 8-second YouTube video showing what the self-driving car "saw" at the intersection during the crash. Still, Simpson said, the company should be releasing all it has for every accident. "We think that this is simply too important to be left up to the companies responsible for self-reporting," he said. While Google's monthly newsletters state that the autonomous vehicles weren't responsible for any of the accidents, Simpson said it's possible that the vehicles could have contributed to the crashes nonetheless. "The vehicle might behave in a different way than the driver might expect, stopping more abruptly or whatever," he said. As he understands it, Simpson said state law requires the DMV to respond to the rulemaking request within 30 days of submission. He submitted the request on Sept. 24. Bernard Soriano, deputy director of the California DMV, said the purpose of the testing regulations is to help the department understand how to regulate autonomous vehicles as Google and other companies make progress toward offering the cars to the public. "We want to get an idea of how the testing programs are proceeding throughout the state, because for us the No. 1 priority is the safety of the motoring public," he said, "and we need to ensure that [with] any regulations we develop, the motoring public is safe as the technology is deployed." He declined to comment on whether the type of information Consumer Watchdog wants the companies to disclose (videos, vehicle speeds, rate of deceleration and more) would help the department in that goal. "It's way too early to say what type of response we're going to have [to the petition]," Soriano said.</description><link>http://www.secuobs.com/revue/news/585077.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/585077.shtml</guid></item>
<item><title>AT&amp;T Offers $250k Reward To Find the California Fiber-Optic Ripper</title><description>2015-09-16 22:22:05 - Slashdot: Your Rights Online : An anonymous reader writes: AT&amp;T have offered a $250,000 reward to anyone providing information leading to the arrest and conviction of what appears to be a serial disruptor of fiber-optic connections in California. The latest incident has taken place in Livermore in the San Francisco Bay Area, where an individual thought by the FBI to possess expert knowledge and specialist tools severed a critical AT&amp;T cable, gaining access to the enclosure via a manhole. The attack precedes 11 previous ones in California in the preceding twelve months.</description><link>http://www.secuobs.com/revue/news/583757.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/583757.shtml</guid></item>
<item><title>California governor shoots down 350-foot no-fly drone law</title><description>2015-09-11 14:00:16 - Security Bloggers Network : He vetoed the bill because, he says, litigation would rain down on hobbyists and FAA-authorized operators. "Let's look at this more carefully," he said.</description><link>http://www.secuobs.com/revue/news/583104.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/583104.shtml</guid></item>
<item><title>California Overturns Uber's Appeal: Its Drivers Are Employees, Not Contractors</title><description>2015-09-10 16:58:56 - Slashdot: Your Rights Online : An anonymous reader writes: Uber's third attempt to overturn a California court ruling stating that its drivers are employees and not contractors has ended in failure, with the appeal dismissed by the California Employment Development Department (EDD). The California Labor Commission ruled in June on the matter, and in a later appeal one judge effectively decided that the difference between 'firing' a driver and deactivating their account is purely semantic.</description><link>http://www.secuobs.com/revue/news/583006.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/583006.shtml</guid></item>
<item><title>California assembly passes digital privacy bill</title><description>2015-09-09 15:44:27 - LinuxSecurity.com: Latest News : LinuxSecurity.com: The California state assembly has passed a digital privacy bill that aims to prevent government access without warrant to private electronic communications. The bill would provide some exceptions for law enforcement in emergencies or for other public safety requirements.</description><link>http://www.secuobs.com/revue/news/582847.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/582847.shtml</guid></item>
<item><title>California Bill Would Dramatically Limit Commercial Drones</title><description>2015-08-26 06:50:20 - Slashdot: Your Rights Online : An anonymous reader writes: California's Senate Bill 142 would prohibit drones from flying under 350 feet over any property without express permission from the property's owner. The bill passed the California Assembly easily. Tech advocates have been battling privacy advocates to influence the inevitable regulation of private and commercial drones. Industry groups say this restriction will kill drone delivery services before they even begin. The legislation would also drastically diminish the usefulness of camera-centric drones like the ones being rolled out by GoPro. If passed, the bill could influence how other states regulate drones. The article notes that 156 different drone-related bills have been considered in 46 different states this year alone, and the FAA will issue nationwide rules in September.</description><link>http://www.secuobs.com/revue/news/581391.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/581391.shtml</guid></item>
<item><title>Audit: California agencies vulnerable to IT security breach</title><description>2015-08-26 00:14:26 - Office of Inadequate Security : Juliet Williams of AP reports: Many California state agencies are not complying with the state's information</description><link>http://www.secuobs.com/revue/news/581372.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/581372.shtml</guid></item>
<item><title>Judge Rules That Inglewood, California Cannot Copyright Public Videos</title><description>2015-08-24 17:33:59 - Slashdot: Your Rights Online : UnknowingFool writes: Recently a judge ruled in California that the city of Inglewood cannot hold copyrights of videos of public city council meetings which they published on their YouTube account and thus cannot sue individuals for copyright infringement for using them. In several YouTube videos, Joseph Teixeira, a resident of Inglewood, California, criticized the mayor, James Butts. Under the account name Dehol Truth, Teixeira took city council meetings posted on their YouTube account and edited them to make pointed criticisms about the mayor. The city responded by registering the videos with copyrights and then suing Teixeira for copyright infringement. Many would say it was a thinly veiled attempt to silence a critic. Teixeira filed a motion to dismiss, arguing that (1) the city cannot claim copyright over public records (videos of public city council meetings) and (2) even if they could, his videos fell under Fair Use. Unsurprisingly, a judge dismissed the city's case, citing California law which bars the city from holding copyrights on most public records. This case may not be over as Teixeira's pro bono lawyer has not filed for attorney's fees. The ruling can be found here. What is notable is that the judge dismissed the case with prejudice, so the city cannot refile. Normally judges do not do this unless they feel that the plaintiff's case was so weak that no judge should hear the case ever again. Since the judge agreed with the defendant on the first point, he would not normally need to address Teixeira's Fair Use defense, but he did anyway. Anticipating that the city may appeal his decision, the judge ruled that Teixeira's videos substantially met all four factors for Fair Use: there is no evidence Teixeira used the videos for commercial gain, and his use was transformative. His work was creative by adding music and commentary to the normally boring council videos. Despite the city's claim he used their "entire work", it is clear that he only used portions of meetings that lasted as long as four hours, editing them down to a max of 15 minutes. Teixeira did not harm the city's market for the videos because the city is barred by state law from recouping more than direct costs of duplication. Even if the city could sell the videos (which they published themselves for free on YouTube), his short videos are not a substitute.</description><link>http://www.secuobs.com/revue/news/581169.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/581169.shtml</guid></item>
<item><title>Owner of California Payment Processing Company Charged with Fraud</title><description>2015-06-25 20:37:39 - Office of Inadequate Security : The Justice Department announced today that the owner and operator of a payment processing company that was involved in the</description><link>http://www.secuobs.com/revue/news/575487.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/575487.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Hackazon: Stop hacking like it's 1999</title><description>2015-06-15 07:53:41 - SecurityTube.Net : Hackazon: Stop hacking like it's 1999. Abstract: Applications have changed, but your test apps haven't. It's about time for a test app that's a little more current than circa 2002. Enter Hackazon. Hackazon is a modern vulnerable web application. It looks like an online storefront with a modern AJAX interface, strict workflows and RESTful APIs used by a companion mobile app. And it's here to replace the old Web 1.0 test apps (WebGoat, DVWA, Hackme Bank and Hackme Casino) that no longer mirror the applications we see in the wild. Will your application security scanner successfully test this site? Doubt it. Even manual pen testers will have their hands full testing their skills against it. There are vulnerabilities scattered throughout Hackazon, and each vulnerable area is configurable so that users can change the vulnerability landscape to prevent "known vuln testing" or any other form of cheating. To find all the vulnerabilities in Hackazon will require proper handling of not only classic web security, but will require testing RESTful interface formats that power AJAX functionality and mobile clients (JSON, XML, GWT, and AMF). It will also require tedious testing of strict workflows common in today's business applications. Hackazon is an open source application that will ultimately be contributed to OWASP to be included with the other vulnerable test applications. Join Dan for this talk where he will demonstrate Hackazon and the techniques required to find the vulnerabilities in the different interfaces and formats. Bio: Dan Kuykendall, co-CEO and CTO, NT OBJECTives. Dan has been with NTO for more than 10 years and is responsible for the strategic direction and development of products and services. He also works closely with technology partners to make sure our integrations are both deep and valuable. As a result of Dan's dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated automation techniques. Dan joined NTO from Foundstone, where he was a key developer of FoundScan's scan management and remediation capabilities. Before Foundstone, Dan was the founder of the Information Security team in the United States branches of Fortis. When Dan's not working on NTO products or screen sharing with our customers to help them solve their application security challenges, you'll find him blogging, co-hosting An Information Security Place Podcast and speaking at conferences like B-Sides, OWASP AppSecUSA, HouSecCon, ToorCon and more. He also works with industry groups and contributes to many open source development projects. Little known fact about Dan: he was a founder of the phpGroupWare project and creator of podPress. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/574027.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/574027.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - How building a better hacker accidentally built a better defender</title><description>2015-06-15 07:53:41 - SecurityTube.Net : Abstract: In the world of cybersecurity, there are two very important players. There are the builders: the folks who spend their time developing, writing source code for and launching products. And there are the breakers: the folks who spend their time testing for, identifying and fixing vulnerabilities in said code. For the builder, development deadlines are constantly evolving and security measures tend to be seen as a hindrance, often slowing down the development process. And developers, by nature of their job descriptions, are responsible for contributing to products which make money. Without developers, there are no products, and thus no revenue stream. For the builder/fixer, the challenge lies in making the builders take their concerns seriously. From the security team's perspective, security efforts help minimize risk. Without security measures, there are increased chances of security flaws and breaches. Where the problem lies is in the inability for the builders to not only speak the language of the breakers, but also to accurately understand their motivations, thereby creating a chasm in the way security is managed and executed. But the real developer problem is that builders don't believe in "The Bogeyman". And the real security problem is that the breakers/fixers don't have the time or resources to spend convincing developers that "The Bogeyman" is real. The Bogeyman, in this case, represents the very real possibility that your company will be hacked. After all, the most security aware a company will ever be is immediately after a breach. In this presentation, Bugcrowd's co-founder and CEO, Casey Ellis, will deep-dive into the hacker mentality, and how acknowledging the existence of The Bogeyman gets developers and security folks one step closer to implementing an effective security program. He'll also discuss several security measures, outside the traditional penetration testing model, that can aid developers and security teams in leveling the playing field against potential threats. The Bogeyman is real. But through acknowledgement, understanding and proactivity, you can be the hero in this cybersecurity story, not the victim. Bio: Casey Ellis is the CEO and co-founder of Bugcrowd, the innovator in crowdsourced security testing for the enterprise. He has been in the information security industry for 14 years, working with clients from the very small to the very large, and has presented at Derbycon, Converge, SOURCE Conference, and the AISA National Summit. Before relocating from Sydney, Australia to San Francisco with Bugcrowd, he founded White Label Security, a white-labelled penetration testing company, and served as the CSO of Scriptrock. A former penetration tester, he likes thinking like a bad guy without actually being one. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/574026.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/574026.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Securing Software's Future: Why API Design Matters</title><description>2015-06-15 07:53:41 - SecurityTube.Net : Abstract: Writing secure software is far cheaper for society as a whole than fixing vulnerable software after it is released. Teaching developers how to write secure software can be very effective in the short term, but over time security knowledge becomes less relevant, some security-conscious developers move into management, and additional uninitiated developers join the work force each year. While secure software development training will always play a role in helping secure application development, are there ways we can prevent even the least security-savvy developers from regularly shooting themselves (and their customers) in the foot? Yes. By providing development environments and APIs that subtly guide developers down a secure implementation path, we can prevent whole classes of vulnerabilities with very little effort. This talk will discuss the properties that tend to exist in safe development environments and will propose some guiding principles that API designers should consider. Bio: Tim has been taking deep technical dives in security for over a decade. In that time, he has been credited with the discovery and responsible disclosure of numerous security vulnerabilities in a variety of software products, including: IBM Tivoli Access Manager, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, Oracle WebLogic Application Server, and IBM Websphere Commerce. His current research interests include applied cryptanalysis, IPv6 security, and XML external entities attacks. Tim develops and maintains several open source forensics tools in addition to Bletchley, an application cryptanalysis toolkit. Tim works to secure his customers' environments through black box testing, code reviews, social engineering exercises, security training, and a variety of other services. Tim earned his computer science degrees from Harvey Mudd College and Northeastern University and currently resides in Portland, Oregon where he leads the local OWASP chapter. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/574025.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/574025.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - When Geo goes Wrong: a Case Study</title><description>2015-06-13 12:13:58 - SecurityTube.Net : When Geo goes Wrong: a Case Study. Abstract: Mobile apps are truly ubiquitous and enhance our lives in countless ways. However, many either leak or insecurely handle geolocation data, affording an attacker the ability to locate or track users. Here, we present an intriguing case study of a widespread social dating app that was vulnerable to a surprising number of OWASP mobile risks. Weak server side controls? Check. Insufficient Transport Layer Protection? Check. Unintended data leakage? Check. And on and on. Our case study will present research performed on Grindr (a common social dating app), and illustrate a myriad of geolocation bugs that placed its users in harm's way (see "Grindr vulnerability places men in harm's way", http://goo.gl/dg4cs6). First, due to the lack of SSL pinning, we present a MitM attack that reveals the user's exact location. Following this, we demonstrate a far simpler and generic attack. This attack combined several bugs, including the fact that the app reported, to anybody, the precise relative distance of all "near-by" users. With these distances and the ability to spoof one's location and perform unlimited requests, trilateration could precisely locate and track users world-wide. Unfortunately, though we responsibly reported the bugs, patches only appeared after it was reported that the Egyptian government was tracking and arresting Grindr users. Besides illustrating location-specific bugs and providing real-world examples, the talk will provide suggestions/best practices to ensure applications are developed in a manner that does not put users at risk. Such suggestions include precision limiting of geolocation data, rate limiting APIs (in order to make large-scale data harvesting difficult), and limiting the speed and magnitude of user location changes (to prevent harvesting of distances from arbitrary points). For companies or anybody developing location-aware apps, these suggestions will be directly applicable. Bio: Colby Moore is a Security Research Engineer at Synack where he works mainly on special projects. His most recent focus has been on Internet of Things security, mobile device software vulnerabilities, and automation. More specifically, research surrounding location based privacy vulnerabilities and the reverse engineering of home automation devices. A Mechanical Engineer by trade, he prefers to focus on the realm where physical world and software meet. He has identified countless 0-day vulnerabilities in embedded systems, major social networks, and consumer devices. Colby's previous work includes security research at VRL as well as mentoring students at the USNA to develop a mission specific UAS platform. In his spare time you will probably find him reverse engineering access control systems or hacking satellites. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573927.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573927.shtml</guid></item>
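The trilateration attack and the three countermeasures this abstract describes, as an added Python example that is neither the speaker's code nor Grindr's. The server is a constructed stand-in that reports distances in a local planar projection; the coordinates, the 100 m bucket, the 50 m/s speed cap, the five-requests-per-minute window and every class and function name are assumptions made for the illustration.

```python
import math

# Added example (assumed names and numbers), not the speaker's or the app's code.
EARTH_R = 6371000.0  # mean Earth radius in metres


def to_xy(lat, lon, lat0, lon0):
    """Equirectangular projection onto a local metric plane centred on (lat0, lon0)."""
    return (math.radians(lon - lon0) * EARTH_R * math.cos(math.radians(lat0)),
            math.radians(lat - lat0) * EARTH_R)


def to_latlon(x, y, lat0, lon0):
    """Inverse of to_xy."""
    return (lat0 + math.degrees(y / EARTH_R),
            lon0 + math.degrees(x / (EARTH_R * math.cos(math.radians(lat0)))))


def planar_distance(lat_a, lon_a, lat_b, lon_b, lat0, lon0):
    """Metres between two points, measured in the local plane."""
    (xa, ya), (xb, yb) = to_xy(lat_a, lon_a, lat0, lon0), to_xy(lat_b, lon_b, lat0, lon0)
    return math.hypot(xa - xb, ya - yb)


def trilaterate(probes):
    """probes = three (x, y, d) tuples: probe positions and the distance reported from each.
    Subtracting circle 1 from circles 2 and 3 leaves two linear equations (Cramer's rule)."""
    (x1, y1, d1), (x2, y2, d2), (x3, y3, d3) = probes
    a1, b1, a2, b2 = 2 * (x2 - x1), 2 * (y2 - y1), 2 * (x3 - x1), 2 * (y3 - y1)
    c1 = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    c2 = d1 ** 2 - d3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a1 * b2 - a2 * b1
    if not abs(det) > 1e-9:
        raise ValueError("probe positions are collinear; move the third probe off the line")
    return (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det


class VulnerableDistanceAPI:
    """The flaw in the abstract: exact distance from any claimed position, for anyone."""

    def __init__(self, target_lat, target_lon, lat0, lon0):
        self._target, self._origin = (target_lat, target_lon), (lat0, lon0)

    def distance_to(self, client_id, t, claimed_lat, claimed_lon):
        return planar_distance(claimed_lat, claimed_lon, *self._target, *self._origin)


class HardenedDistanceAPI(VulnerableDistanceAPI):
    """Same API plus the abstract's mitigations: rate limit, speed cap, coarse distances."""

    def __init__(self, target_lat, target_lon, lat0, lon0,
                 bucket_m=100.0, max_speed_mps=50.0, max_requests=5, window_s=60.0):
        super().__init__(target_lat, target_lon, lat0, lon0)
        self.bucket_m, self.max_speed_mps = bucket_m, max_speed_mps
        self.max_requests, self.window_s = max_requests, window_s
        self._requests = {}  # client_id -> timestamps of recent requests
        self._last_pos = {}  # client_id -> (t, lat, lon) last accepted

    def distance_to(self, client_id, t, claimed_lat, claimed_lon):
        # 1. Rate limiting: large-scale harvesting becomes slow and visible.
        recent = [s for s in self._requests.get(client_id, []) if s > t - self.window_s]
        if len(recent) >= self.max_requests:
            raise PermissionError("rate limit exceeded")
        recent.append(t)
        self._requests[client_id] = recent
        # 2. Plausible movement only: a real phone does not hop a kilometre per second.
        if client_id in self._last_pos:
            t_prev, lat_prev, lon_prev = self._last_pos[client_id]
            moved = planar_distance(lat_prev, lon_prev, claimed_lat, claimed_lon, *self._origin)
            if moved / max(t - t_prev, 1e-3) > self.max_speed_mps:
                raise PermissionError("implausible location change")
        self._last_pos[client_id] = (t, claimed_lat, claimed_lon)
        # 3. Precision limiting: report the distance rounded up to a coarse bucket.
        exact = super().distance_to(client_id, t, claimed_lat, claimed_lon)
        return math.ceil(exact / self.bucket_m) * self.bucket_m


def locate_target(api, client_id, lat0, lon0, probe_points):
    """Attacker: spoof three positions one second apart, collect distances, trilaterate."""
    probes = []
    for i, (lat, lon) in enumerate(probe_points):
        d = api.distance_to(client_id, float(i), lat, lon)
        probes.append(to_xy(lat, lon, lat0, lon0) + (d,))
    return to_latlon(*trilaterate(probes), lat0, lon0)


def demo():
    """Constructed scenario: hidden target and three probes about a kilometre apart."""
    lat0, lon0, target = 37.4000, -122.1000, (37.4021, -122.0985)
    probes = [(37.4000, -122.1000), (37.4000, -122.0900), (37.4100, -122.1000)]
    est = locate_target(VulnerableDistanceAPI(*target, lat0, lon0), "atk", lat0, lon0, probes)
    err_m = planar_distance(*est, *target, lat0, lon0)
    try:
        locate_target(HardenedDistanceAPI(*target, lat0, lon0), "atk", lat0, lon0, probes)
        blocked = None
    except PermissionError as exc:
        blocked = str(exc)
    return est, err_m, blocked
```

Against the vulnerable API, demo() recovers the target to within a metre from three spoofed queries; against the hardened one, the second query is refused because the client "moved" about 880 m in one second. Precision limiting on its own only widens the error to the bucket size, which is why the abstract pairs it with the rate and speed limits.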
<item><title>OWASP AppSec California 2015 - Bounties and the SDLC</title><description>2015-06-13 12:13:58 - SecurityTube.Net : Katie Moussouris is the Chief Policy Officer of HackerOne, where she oversees the company's philosophy and approach to vulnerability coordination and disclosure, advises customers and researchers, and works toward the public good to legitimize and promote security research to help make the Internet safer for everyone. Katie Moussouris' Microsoft work encompasses industry-leading initiatives such as Microsoft's bounty programs, BlueHat content chair, security researcher outreach, vulnerability disclosure policies, and MSVR (Microsoft Vulnerability Research). She was honored with the 2011 Executive Women's Forum Women of Influence Award in the category of One to Watch. Ms. Moussouris is a renowned keynote speaker and has presented at Security Analyst Summit 2014, RSA 2014, and Nordic Security Con 2013 as well as several others. She also was an invited speaker at Harvard Business School, MIT, HitB Malaysia 2012 and the Executive Women's Forum 2012. She is working on a book about vulnerability disclosure do's and don'ts for vendors. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573926.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573926.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Proactively defending your business against security protocol attacks and implementation flaws</title><description>2015-06-13 12:13:58 - SecurityTube.Net : Abstract: HTTPS/SSL/TLS has been under fire for years. BEAST, CRIME, problems with the weakness of the CA system, problems with various versions of the protocol, and more, have plagued HTTPS to be less than satisfactory, at best, as a transport security protocol. Some of the most popular algorithms used to secure communications are getting close to their end of life. Proper protection of information in the upcoming years will require adoption of new technology and standards. Recent enhancements in browsers have made encryption in transit over the web viable for the first time in history and it's imperative that everyone understand them. This presentation will start by reviewing some of the most recent cases related to security protocol flaws and weaknesses of cryptographic standards that should be proactively phased out. This pragmatic presentation will then discuss possible mitigations and their limitations, along with valuable implementation advice. Bio: Cassio Goldschmidt is a globally recognized information security leader with strong background in both product and program-level security. Outside work, Cassio is known for his contributions to the Open Web Application Security Project (OWASP), Software Assurance Forum for Excellence in Code (SAFECode), the Common Weakness Enumeration (CWE)/SysAdmin, Audit, Network, Security (SANS) Top 25 Most Dangerous Software Errors, along with contributing to the security education curriculum of numerous universities and industry certifications. Cassio was one of the three finalists in the first (ISC)² Americas Information Security Leadership (ISLA) Awards 2011 in the Information Security Practitioner category and endowed with the special Community Service Star award during the same occasion. In 2012 Cassio was one of the finalists of the first OWASP Web Application Security Person of the Year (WASPY) Awards. Cassio holds a number of US patents and is an accomplished writer and presenter in the field of application security. Cassio holds a bachelor's degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a master's degree in software engineering from Santa Clara University, and a master of business administration from the University of Southern California. Jim Manico authors and delivers developer security awareness training and has a 20-year history building software as a developer and architect. Jim is also a global board member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and several secure coding projects. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573925.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573925.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Scaling Security in Agile Scrum</title><description>2015-06-13 12:13:58 - SecurityTube.Net : Abstract: Agile Scrum is here to stay, and security teams are finding themselves under-resourced and unprepared for the pace of modern software development. "Best-practices" models for Agile security make too many simplifying assumptions about how software is built. These models impose impractical requirements without providing the necessary support or expertise. In the real world, development teams know that software development often includes multiple Scrum teams working on various components of a larger project that will eventually be integrated. They also recognize that only the most well-funded and resourced enterprises and ISVs have the bandwidth to execute on the idealized Agile SDL. Smaller organizations, or development teams without vast resources, are forced to adapt and make tradeoffs that often include sacrificing security. In this session, I'll discuss how our company has incorporated security into our own Agile development lifecycle for a product that involves about ten Scrum teams working in concert to ship monthly releases. I'll explain how we've optimized the way our security research team interacts with our engineering teams and accommodates their processes. I'll also share some of the lessons we've learned along the way, including things that haven't worked as well as we thought. I'll also describe how we're organically "growing" more security experts within the organization. Security practitioners will be able to leverage our experiences to work more effectively with their own Agile Scrum teams. Bio: Chris Eng has over 15 years of application security experience. As vice president of research at Veracode, he leads the team responsible for integrating security expertise into Veracode's technology. Throughout his career, he has led projects breaking, building and defending web applications and commercial software for some of the world's largest companies. Chris is a frequent speaker at premier industry conferences, such as BlackHat, RSA, OWASP, and CanSecWest, where he has presented on a diverse range of application security topics, including cryptographic attacks, agile security, mobile application security, and security metrics. Chris has been interviewed by Bloomberg, Fox Business, CBS, and other media outlets with regard to security trends and noteworthy events. Additionally, he has served on the advisory board of the SOURCE Boston conference since its inception. Chris holds a BS in Electrical Engineering and Computer Science from the University of California. He is an unabashed supporter of the Oxford comma and hates it when you use the word "ask" as a noun. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573924.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573924.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - I Hate Infosec - Charlie Miller - Keynote</title><description>2015-06-13 12:13:58 - SecurityTube.Net : Charlie Miller is a security engineer at Twitter. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four-time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries. Charlie spends his free time trying to get back together with Apple, but sadly they still list their relationship status as "It's complicated". For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573923.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573923.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Legacy Java Vulnerabilities: Ignore at Your Own Risk</title><description>2015-06-13 12:13:58 - SecurityTube.Net : Abstract: Java is one of the longest standing and most widely deployed enterprise programming languages in the world. It is also frequently attacked due to its numerous and well documented security vulnerabilities, many of which have a very high CVSS (Common Vulnerability Scoring System) rating. This problem is amplified by the fact that countless data center applications are still running on older, legacy versions of the platform. Although the original promise of Java was application portability, in reality most core enterprise applications were written for execution on a specific version of Java, and that's where they've stayed. This session will discuss the two primary reasons that legacy Java security risks persist, namely the cost of mitigation and operational impacts. The obvious way to deal with legacy Java issues is to update the Java runtime. But this process is costly since it requires extensive application modifications, testing and re-qualification. Meanwhile, the risk of downtime is an even bigger problem. No matter how much testing is done, it's impossible to guarantee that changes to the application will not break it. Using several documented Java server vulnerabilities, the speaker will explain and evaluate the merits of the current approaches to addressing them, including network based tools, code analysis and run-time application self-protection. Attendees will gain a deeper understanding of legacy Java security risks, the alternatives available to address them and how to choose the right approach for their particular application environment. Bio: Jonathan Gohstand is the security strategist for Waratek. A 20-year veteran of the IT industry, he was previously with PacketMotion, driving the creation of the User Activity Management category, until the company's acquisition by VMware. He has worked in Cisco Systems' Security Technology Group, where he was responsible for IOS-based security. Mr. Gohstand has held international positions with Chevron Oil and FORE Systems, in addition to consulting and channel roles. He holds a Bachelor of Science degree in Electrical Engineering and Computer Science from the University of California, Berkeley, and an MBA from St. Mary's College. He has given numerous talks on security, compliance and IT audit at venues such as SANS, ISACA, and VMworld. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573922.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573922.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Why Your AppSec Experts Are Killing You</title><description>2015-06-13 12:13:58 - SecurityTube.Net : Abstract: Software development has been transformed by practices like Continuous Integration and Continuous Delivery, while application security has remained trapped in expert-based waterfall mode. In this talk, Jeff will show you how you can evolve into a "Continuous Application Security" organization that generates assurance automatically across an entire application security portfolio. Jeff will show you how to bootstrap the "sensor-model-dashboard" feedback loop that makes real time, continuous application security possible. He will demonstrate the approach with a new (free) tool called Contrast for Eclipse that brings the power of instrumentation-based application security testing directly into the popular IDE. Check out "Application Security at DevOps Speed and Portfolio Scale" for some background. Bio: CTO of Contrast Security. Continuous Application Security. OWASP. DevOps. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573921.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573921.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - IoT: Taking PKI Where No PKI Has Gone Before</title><description>2015-06-13 12:13:58 - SecurityTube.Net : Abstract: Traditional PKI focuses on binding a public key to the keyholder's identity, which is implicitly assumed to be a well-defined, relatively static thing (such as an individual's full name or email address, or the hostname of a public webserver). However, in the envisioned smart grid, for example, the relevant properties of the keyholder are not just the device's identity (i.e. this is a meter made by ACME or this is a refrigerator made by GE) but its context: this is a refrigerator in the apartment rented by Alice, who buys power from X. This context information will not necessarily be known until device installation and also may change dynamically. What if Alice sells her fridge on Craigslist or sublets her apartment to Bob? What if repair personnel replace Alice's meter? This information may also not be particularly simple. What if Alice's landlord owns many apartment buildings, and changes power vendors to get a better rate? If our cryptographic infrastructure is going to enable relying parties to make the right judgments about IoT devices (such as the example provided using Smart Grid), this additional contextual information needs to be available. We can try to modify a traditional identity-based PKI to attest to these more dynamic kinds of identities, and we can also try to adapt the largely experimental world of attribute certificates to supplement the identity certificates in the smart-grid PKI. Either of these approaches will break new ground. Alternatively, we can leave the identity PKI in place and use some other method of maintaining and distributing this additional data, which would require supplementing our scalable PKI with a non-scalable database. In any of these approaches, we also need to think about who is authorized to make these dynamic updates or who is authoritative for making these types of attestations. Who witnesses that Alice has sold her refrigerator? Thinking about this organizational structure, IoT devices also complicate the revocation problem. If we can't quite figure out who it is that speaks for where a device currently lives, how will we figure out who it is who is authorized to say it has been compromised? In this presentation, all of these issues and more will be explored and actionable guidelines will be proposed to build a secure and scalable system of IDs and attributes for the complex networked world that awaits us all. Bio: Scott Rea is the Sr. PKI Architect at DigiCert. He and his team provide policy and technology subject matter expertise during the design and architecture of emerging PKI systems and work with DigiCert executive management in strategic planning and forecasting. Rea is an innovative thought leader and sought-after public speaker who participates in, and influences the development of, emerging PKI policies, practices, and applications. Rea previously operated the HEBCA, is a founding member and current Vice Chair of TAGPMA, and is also the previous Chair of both the TAGPMA and IGTF. Rea is a Board Member and Co-Chair of the Certificate Policies and Practices Working Group within DirectTrust.org and also serves as a Board Member and director administrator of the REBCA. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573920.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573920.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - SQLViking: Pillaging your Data</title><description>2015-06-13 12:13:58 - SecurityTube.Net : On every network there is a set of highly desired assets which every pentester strives to compromise. One of those assets is databases which house sensitive information. The default settings of most databases are to communicate over unencrypted channels. Because of this, why bother attempting to compromise the database server itself when all the information you could ever want is already flying over the wire? SQLViking is a tool which takes advantage of this in two ways. The first piece, dubbed "scout," passively sits on a network segment logging any SQL queries it sees and the corresponding result set. The active piece, called "pillage," leverages TCP injection for executing arbitrary SQL queries without credentials. SQLViking is available as a standalone Python tool and can be easily loaded onto a small device with a LAN tap such as a Raspberry Pi for physical pentests. The tool is still very much in the beta testing stages and only supports the MySQL and SQL Server (Tabular Data Stream) network protocols at this time. We're also investigating ways to increase the likelihood of a successful TCP injection attack on very busy networks. Bio: Jonn Callahan has spent the last two years rooting out web application flaws both at the source code level and dynamically. When not actively researching whatever topic has piqued his interest, he's losing money on the cryptocoin market and getting beat up by his two dogs. Ken Toler is a Senior Application Security Consultant at nVisium specializing in web application penetration testing and static analysis in Ruby, Java, and .NET. He also comes with a network security background and has worked closely with growing startups in the DC area. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573919.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573919.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - marshalling pickles: how deserializing objects will ruin your day</title><description>2015-06-13 12:13:58 - SecurityTube.Net : Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual data formats for storage or transfer, but with great power comes great responsibility, because deserializing objects from untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code execution. We will also cover some strategies to protect applications from these types of attacks. Bio: Chris Frohoff is a Cyber Security Engineer at Qualcomm with a focus on Application Security; he performs Application Security Assessments and Penetration Tests, and sometimes dabbles in Incident Response, Reverse Engineering, and general research mischief. In a former life, Chris developed enterprise web applications and services at Sony Network Entertainment and UC San Diego. His primary areas of geekdom include programming languages, parsers/compilers/interpreters, crypto, covert channels, HTTP/REST, and JVM stuff. Gabriel Lawrence leads the Application Security team at Qualcomm, doing Application Security Assessments, Penetration Tests, Incident Response, Reverse Engineering, and anything else that comes his way. He's developed enterprise applications, founded three startups, and run Information Security for UC San Diego. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573918.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573918.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Uncovering OWASP's Mobile Risks in iOS Apps</title><description>2015-06-13 12:13:58 - SecurityTube.Net : Abstract: Mobile apps are ever more ubiquitous, but their widespread adoption comes at a cost. Seemingly every week, a new vulnerability is discovered that jeopardizes the security and privacy of mobile users. Examples include the popular dating app Tinder (leaked the exact location of its users), the photo messaging app SnapChat (exposed connections between phone numbers and users' accounts) and CitiMobile (stored sensitive account information without encryption). These vulnerabilities (and many more) were not found by the developers of the applications, but rather by reverse-engineers who took it upon themselves to dissect said applications. Unfortunately, at least for iOS applications, reverse-engineering is still viewed by many as somewhat of a black art. This is due to a myriad of reasons: iOS apps are encrypted, written in a difficult-to-reverse-engineer language (Objective-C), and run on a mostly closed-source proprietary OS. This talk will detail the process of reverse-engineering iOS apps in order to perform security audits and identify common mobile-specific vulnerabilities (e.g. OWASP Mobile Risks). Specifically, the talk will describe how to extract an application's unencrypted binary code, analyze the ARM disassembly, and identify vulnerabilities that commonly affect iOS apps. Real-life cases from iOS applications in the App Store will be presented to provide a more "hands-on" feel to the reversing procedure and to show some actual security vulnerabilities. Bio: Patrick Wardle is the Director of Research at Synack, where he leads cyber R&amp;D efforts. Currently, his focus is on automated vulnerability discovery and the emerging threats of malware on OS X and mobile devices. Patrick previously worked at NASA, the NSA, and Vulnerability Research Labs (VRL). While working at the NSA as a global network exploitation and vulnerability analyst, Patrick received several classified patents and helped lead a team which received the NSA's highest civilian team award. Patrick has extensive experience analyzing malware and has authored several sophisticated malware detection tools. He also enjoys hunting for bugs, and has found exploitable 0days in major operating systems and several popular client applications. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573917.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573917.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Building a Modern Security Engineering Organization</title><description>2015-06-13 12:13:58 - SecurityTube.Net : Abstract: Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk will discuss how security adapts effectively to these changes, specifically covering: practical advice for building and scaling modern AppSec and NetSec programs; lessons learned for organizations seeking to launch a bug bounty program; how to run realistic attack simulations and learn the signals of compromise in your environment. Bio: Zane Lackey is the Founder/CSO at Signal Sciences and serves on the Advisory Boards of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane was the Director of Security Engineering at Etsy and a Senior Security Consultant at iSEC Partners. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573916.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573916.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Caspr and Friends: Content-Security-Policy Reporting and Aggregation</title><description>2015-06-13 12:13:58 - SecurityTube.Net : Abstract: Caspr, a free and open source tool for collecting, aggregating and analyzing Content-Security-Policy (CSP) violation reports, was released near the end of summer. This talk will cover the background of CSP and violation reports, give an overview of Caspr and how it can be used, and then talk about some of the other tools surrounding CSP violation reports. The tools include Enforcer, a Chrome extension for forcing CSP on websites, and csp-tools, a suite of tools for managing CSP reports from the command line. CSP is a relatively new HTTP header for eliminating potential XSS vulnerabilities from websites. CSP is a white list that specifies where assets are allowed to be loaded from and executed. This includes scripts that come from the same website. If the website tries to load or execute an asset that isn't on the white list (an asset being javascript, css, websockets, images, etc.), the asset will be blocked. A report-uri can be specified so that when a CSP violation occurs, a report will be sent out describing the violation. These reports can be extremely important in gauging the effectiveness and coverage of your policy. As of the summer (2014), there weren't any popular tools for gathering these reports, or doing analysis and policy generation. And thus Caspr was born. Caspr handles the collection, aggregation, and analysis of these reports. It runs on Heroku, so it's as simple as a button click to have your own instance of Caspr up and running. A few tools have been released for dealing with CSP violation reports. This talk will also give a brief intro to those tools: Enforcer, a Chrome Extension for forcing a policy on a website; csp-tools, a suite of tools for testing, setting up and analyzing reports from the command line. Bio: Hai, I'm c0nrad. I started programming about 10 years ago on my TI-84 so I could cheat on exams. I've been cheating (and sometimes programming) ever since. I graduate this December (2014) with a degree in Electrical Engineering from Michigan Technological University. Before then I used to work at the Solar and Heliospheric Research Group doing data and algorithmic analysis, Air Force Research Labs doing security research on highly assured systems, Fog Creek Software as an intern software developer, MongoDB as a Security Intern, and as a part time security contractor at IncludeSecurity. When not writing software, I can be found drinking cheap and sweet wine, doing Crossfit, and pretending to be social. But I'm usually just programming. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573915.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573915.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Node.js application (in)security</title><description>2015-06-10 08:39:06 - SecurityTube.Net : Bio: Ilja van Sprundel is experienced in exploit development and network and application testing. As IOActive's Director of Penetration Testing he performs primarily gray-box penetration testing engagements on mobile (specializing in iOS) and runtime (specializing in Windows kernel) applications that require customized fuzzing and source code review, identifying system vulnerabilities and designing custom security solutions for clients in technology development, telecommunications, and financial services. van Sprundel specializes in the assessment of low-level kernel code and architecture/infrastructure design, having security reviewed literally hundreds of thousands of lines of code. However, as a Director, he also functions in a managerial capacity by overseeing penetration testing engagements, providing oversight regarding technical accuracy, serving as the point of contact between technical consultants and technical stakeholders, and ensuring that engagements are delivered on time and in alignment with the customer's expectations. van Sprundel is also responsible for mentoring and guiding Associate-level consultants as they grow both their penetration testing and general consulting skillsets. He is the driver behind the team's implementation of cutting-edge techniques and tools, guided by both research and successful exploits performed during client engagements. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573543.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573543.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Anatomy of POS Malware - Amol Sarwate</title><description>2015-06-10 08:39:06 - SecurityTube.Net : Anatomy of memory scraping, credit card stealing POS malware. Abstract: Credit card payment processing and point-of-sale (POS) systems are like a black box for most people without knowledge of their internal workings. But recent data breaches of thousands of credit cards have shown that determined attackers have not only mastered ways to steal magnetic stripe cards, but also targeted EMV chip cards. The session will start by explaining the architecture of different types of POS systems along with their components, operation and integration. This includes the magnetic stripe track data format, the technology behind credit card readers, and point-of-sale hardware and software. A common element in POS attacks is the credit card swipe. Swiping refers to the process of reading un-encrypted credit card data from the magnetic strip of the card by a card reader and the communication with the POS terminal. I will explain various malware attack techniques used for exploitation and exfiltration of credit card data. This will include RAM scraping, process hooking and injection, keyboard hooks, command and control techniques as well as the Luhn algorithm. A live demo of a PoC RAM scraping malware and its internal working will be shown along with an explanation of key concepts. A live demo of a working POS system compromise based on a malware that I created for research purposes will be shown. This will be followed by Q&amp;A which will conclude the session. Bio: Amol heads Qualys' worldwide security engineering team responsible for vulnerability and compliance research. His team tracks emerging threats and develops software which identifies new vulnerabilities and insecure posture for Qualys' VM, PC, PCI and QBC services. Amol is a veteran of the security industry and has devoted his career to protecting, securing and educating the community from security threats. Amol has presented his research on Vulnerability Trends, Security Axioms, SCADA security, Malware and other security topics at numerous security conferences, including RSA Conference, BlackHat, Hacker Halted, SecTor, BSides, InfoSec Europe, NullCon, GrrCon, ISSA, Homeland Security Network (HSNI) and FS-ISAC. He regularly contributes to the SANS Top 20 expert consensus identifying the most critical security vulnerabilities. He writes the "HOT or NOT" column for SC Magazine and holds a US patent for Systems and Methods for Performing Remote Configuration Compliance Assessment of a Networked Computer Device. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573542.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573542.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - We All Know What You Did Last Summer</title><description>2015-06-10 08:39:06 - SecurityTube.Net : We All Know What You Did Last Summer: Privacy and the Internet of Things. Abstract: The devices we carry and systems we interact with on a daily basis generate a lot of information about us. This data includes financial and medical information, location data, personal connections, images and other data. Although you may think this information is private and secure, the data is often accessible to advertisers, hackers and others with malicious intent. One small piece of data is all it takes to unlock a wealth of information about you. Security researcher Ken Westin will be illustrating this point, showing tools and techniques he has used in actual cases to track and convict criminals and then how those same tools can be used by criminals to track you. He will also show how personal data compromised in data breaches is sold and used against us as well, and the role businesses can play in mitigating these risks to their customers. Bio: Ken is a security researcher with 14 years experience building and breaking things through the use/misuse of technology. His technology exploits and endeavors have been featured in Forbes, Good Morning America, Dateline, New York Times, The Economist, and he has won awards from MIT, CTIA, Oregon Technology Awards, SXSW, Entrepreneur and was named in Portland Business Journal's 2013 "40 Under 40". He has worked with law enforcement and journalists utilizing various technologies to unveil organized crime rings, recover stolen cars, even a car jacking, amongst other crimes. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573541.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573541.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Fixing XSS with Content Security Policy</title><description>2015-06-10 08:39:06 - SecurityTube.Net : Fixing XSS with Content Security Policy. Abstract: Cross-site scripting (XSS) has been dominating the OWASP Top 10 for many years. Although input validation and output encoding are good traditional defenses against XSS, it is often difficult to ensure that they are used in all required places in large applications. Content Security Policy (CSP) is a promising new HTML5 feature that can help prevent traditional and DOM-based XSS on your website. If you keep dynamic data and static code separate, you can have conforming browsers enforce your CSP to ensure that the data never gets interpreted as code. The intricacies of the technology are in how CSP policies are combined and what limitations they place on web development. The first version of CSP, which is supported by most modern browsers, requires complete separation of JavaScript (static code) from HTML (which contains dynamic data). This is not feasible for large existing web applications as it can require completely rewriting the user interface. CSP 1.1 introduces new keywords that can be used to apply policies to existing code bases without requiring a re-write from scratch. The talk will help the audience understand: what the differences between CSP 1.0 and CSP 1.1 are, and what these mean for web application developers; how CSP protects web applications from cross-site scripting; whether input validation and output encoding are necessary if CSP is used properly; what the different browser support for this technology is; how you can get started with using CSP on your website. Bio: Ksenia Dmitrieva is a Senior Security Consultant at Cigital with over six years of experience developing and securing web applications. Ksenia holds an MS in Computer Science from George Washington University. As a Senior Consultant, she performs penetration testing and code review focusing on web applications, web services, new web technologies and frameworks for clients in financial services, entertainment, telecommunications, and enterprise security industries. Ksenia's current concentration is on researching HTML5 technologies, their security implications and how their vulnerabilities could be discovered and remediated. Ksenia often delivers training sessions and has previously presented at Nullcon, BSides Security London, and LASCON. For More Information Please Visit - https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573540.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573540.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - No Better ROI: HTTP Headers for Security</title><description>2015-06-10 08:39:06 - SecurityTube.Net : Abstract: Eli Goldratt asks us to always keep in mind, "What's the Goal?" If our goal is to help the business succeed, how can I make the biggest impact using web application security with the least effort? This turbo talk will reveal extra powerful, very low cost, and extremely under-utilized HTTP headers to help the business win. Bio: Caleb Queern is the Chief Scientist at Cyveillance, and the creator of securityheaders.com. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573539.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573539.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - OWASP Top Ten Proactive Controls</title><description>2015-06-10 08:39:06 - SecurityTube.Net : Title: OWASP Top Ten Proactive Controls. Abstract: The major cause of web insecurity is poor development practices. We cannot "firewall" or "patch" our way to secure websites. Programmers need to learn to build websites differently. No company or industry is immune. The OWASP Top Ten Proactive Controls Project is a Top-Ten-like document that focuses directly on informing developers of necessary secure coding techniques. This talk describes the bare minimum required of a development team if they wish to have even a small chance of producing secure software. Validation: Whitelist Validation (struggles with internationalization); URL validation (as part of redirect features); HTML Validation (as part of untrusted content from features like TinyMCE). Authentication: Password storage, HMACs for scale; Multi-factor AuthN implementation details; OAuth; Forgot password workflow. Access Control: Limits of access control; Permission-based access control. Encoding: Output encoding for XSS; Query Parameterization; Other encodings for LDAP, XML construction and OS Command injection resistance. Data Protection: Secure number generation; Certificate pinning; Proper use of AES (CBC IV Management). Secure Requirements: Core requirements for any project (technical); Business logic requirements (project specific). Secure Architecture and Design: When to use request, session or database for data flow. Bio: Jim Manico authors and delivers developer security awareness training and has a 20 year history building software as a developer and architect. Jim is also a global board member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and several secure coding projects. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573538.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573538.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Wi-Fi Hacking for Web Pentesters</title><description>2015-06-10 08:39:06 - SecurityTube.Net : Title: Wi-Fi Hacking for Web Pentesters. Abstract: There is an ever-increasing trend with Internet Service Providers of all sizes providing open wireless hotspots nationwide, many of which are bridged off of existing customers' personal access points and others are made available through restaurants, hotels, and other businesses. Many of these guest networks have recently spurred discussion within the security community over the insecurity of open access points in general and the ethics of their deployment methods. The talk will cover the many gaping insecurities of wireless hotspots and dive into how these can be leveraged to attack clients, gain free Internet access, hijack accounts, steal sensitive information, and more. This will progress into how web penetration testers can leverage their existing skill-sets to design, build, and deploy malicious targeted access points. All of the attacks that will be demonstrated live during the talk can be deployed on various platforms, making it easy for the audience to reproduce regardless of hardware available. Bio: Greg Foss is a Senior Security Research Engineer with the LogRhythm Labs Threat Intelligence Team, where he focuses on developing defensive strategies, tools and methodologies to counteract advanced attack scenarios. He has over 7 years of experience in the Information Security industry with an extensive background in Security Operations, focusing on Penetration Testing and Web Application Security. Greg holds multiple industry certifications including the OSCP, GPEN, GWAPT, GCIH, and CEH, among others. He has presented at national security conferences such as DerbyCon, AppSecUSA, and BSidesLV to name a few, along with actively participating in the Denver security community. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573537.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573537.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Making SSL Warnings Work</title><description>2015-06-10 08:39:06 - SecurityTube.Net : Title: Making SSL Warnings Work. Abstract: HTTPS is an important tool for protecting the privacy of online communication. However, SSL warnings are a weak point in this system. Often, the browser can't tell whether a certificate validation error is indicative of an attack or a simple server misconfiguration. The user is asked to decide what to do, even though s/he probably isn't equipped to make that decision. My team is trying to make SSL warnings more effective (and helpful) in Chrome. In this talk, I'll describe how we're trying to automatically identify and resolve common sources of false positive warnings. I'll also discuss how we redesigned SSL warnings to be more understandable by end users. Bio: Adrienne Porter Felt is a software engineer on the Google Chrome security team. Her mission is to make it easy to stay safe on the web. Adrienne leads Chrome's usable security efforts, including making security warnings understandable, improving warning accuracy, and encouraging developers to use HTTPS correctly. Previously, she was a research scientist on Google's security research team. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573536.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573536.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - 10 Deadly Sins of SQL Server Configuration</title><description>2015-06-10 08:39:06 - SecurityTube.Net : Title: 10 Deadly Sins of SQL Server Configuration. Abstract: Databases are the backbone of the applications that run our world and store our personal data. Microsoft's SQL Server is one of the primary database platforms used in enterprise environments today. This talk will cover 10 common weak SQL Server configurations and the practical attacks that help hackers gain unauthorized access to data, applications, and systems. This will include a few demonstrations of the techniques that are used during real-world attacks and penetration tests. This should be interesting to developers, new database admins, and aspiring penetration testers looking to gain a better understanding of the risks associated with weak SQL Server configurations. Bio: Scott Sutherland is a principal security consultant responsible for the development and execution of penetration test services at NetSPI. His role includes researching and developing tools, techniques, and methodologies used during network and application penetration tests. As an active participant in the information security community, Scott performs security research in his free time and contributes technical security blog posts, presentations, and tools on a regular basis through NetSPI. You can find Scott blogging on the NetSPI website and on Twitter. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573535.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573535.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Medical Device Security: An Infectious Disease</title><description>2015-06-10 08:39:06 - SecurityTube.Net : Title: Medical Device Security: An Infectious Disease. Abstract: Medical devices touch almost every one of us, whether through personal experience or that of a close friend or family member. They save countless lives and ensure a better quality of life for many. Although medical devices are key to quality care and undergo rigorous testing, many are not sufficiently tested for adversarial resiliency. Some question whether our dependence on these life-saving medical devices has grown more quickly than our ability to secure them. There is no question that medical devices save countless lives, but is insecure design or deployment of these devices putting patients at risk? Join us for an in-depth presentation on a three year research project that shows numerous medical devices and healthcare organizations are vulnerable to direct attack vectors that can impact patient safety and human life. Bio: Scott Erven is a healthcare security visionary with more than 15 years' experience in information technology and security. He is currently an Associate Director with Protiviti, where he focuses on medical device and healthcare security. His research on medical device security has been featured in Wired and numerous media outlets worldwide. Mr. Erven has presented his research and expertise in the field internationally. He has been involved in numerous IT certification development efforts as a subject matter expert in information security. His current focus is on research that affects human life and public safety issues inside today's healthcare landscape. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573534.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573534.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Hacking Management: Why Stop at Domain Admin?</title><description>2015-06-10 08:39:06 - SecurityTube.Net : Abstract: Why won't your company's management just "do the right thing" with security? How can you get necessary changes made when the answer always seems to be "no"? In this turbo talk, learn quick tips and tricks for hacking organizational decision making structures, using empathy to communicate more effectively, and improving tactical execution of your change plan. Bio: Adam Brand is a habitual Changer of Things. As an Associate Director with Protiviti's Information Security and Privacy practice, he helps organizations improve their information security programs, find existing attackers within their networks (hunting), and respond to security incidents (particularly with malware reverse-engineering). Adam has spoken at a number of information security conferences, including various BSides, Toorcon, LASCON, Shmoocon, and RSA, and is a co-organizer of OWASP Orange County. He is also a core member of the "I am the Cavalry" grassroots security organization focused on improving security in connected devices that can impact human safety. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573533.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573533.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Modern Malvertising and Malware web-based exploit campaigns</title><description>2015-06-10 08:39:06 - SecurityTube.Net : Abstract: The purpose of this presentation will be to introduce the audience to new techniques attackers are using to target users of web applications for exploitation. The first part of this presentation will be an introduction to the modern malware landscape, with a breakdown of the top 5 types of malware being actively used in campaigns to target end users of web applications. Of interest, though perhaps unsurprising: the top three are not what we traditionally think of as "malware" in the sense of exploitative code or remote backdoors, but are aimed at direct monetization of the user. The second part of this presentation will be a technical walkthrough of a real-world modern malvertising/malware campaign, breaking down each step of the attack and each distribution/obfuscation layer. This walkthrough will be the bulk of the presentation (30 minutes), leaving time for Q&amp;A at the end. Time permitting, we may provide more examples of modern malware campaigns. Bio: Arian Evans is a recognized expert in information and application security, software development, systems architecture and financial services. He previously ran operations and product strategy for WhiteHat Security and built the company's world-renowned Threat Research Center. In addition to managing the global application security practice for consulting firm FishNet Security, Arian has worked on global security projects for the Center for Internet Security, NIST, the FBI, and the US Secret Service. As VP of Product Strategy, Arian is responsible for ensuring RiskIQ technology enables enterprises to accurately visualize their enterprise beyond the firewall and actionably detect and respond to threats to their brand and customers. In this role he draws upon his previous 12 years in creating software solutions and methodologies for discovering and managing application security across the enterprise, and throughout the SDLC. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573532.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573532.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - AppSec is Eating Security - Alex Stamos - Opening Keynote</title><description>2015-06-09 10:44:15 - SecurityTube.Net : Alex Stamos is Yahoo's Vice President of Information Security and Chief Information Security Officer. Alex leads all aspects of information security at Yahoo, including the team of Yahoo "Paranoids", charged with making Yahoo's products as secure as possible. This is a broad role which includes implementing top-to-bottom security for products and systems, but also leading the company and the industry in not just how security works today but how it needs to work in the future. Alex has spent his career building and improving secure, trustworthy systems and is a well-known expert on Internet infrastructure, cloud computing and mobile security. Most recently, he served as the CTO of Artemis and co-founded iSEC Partners. He has been a keynote speaker at FS-ISAC, was a key organizer of TrustyCon, and is frequently requested to present at conferences such as BlackHat, DEF CON, Microsoft Blue Hat and Infragard. He holds a BSEE from the University of California, Berkeley. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573428.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573428.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - .NET Reversing and Exploitation for Cool Kids</title><description>2015-06-09 10:44:15 - SecurityTube.Net : .NET Reversing and Exploitation for Cool Kids. Abstract: Java isn't the only managed language with bugs. This talk will cover the current state of .NET reverse engineering and exploitation, including practical examples of both application-level and framework vulnerabilities. We'll cover the various strengths and weaknesses of .NET security features, including bypassing strong-name signing, including the GAC. Finally, I will provide a short demo on how to modify the behavior of the .NET framework through DLL byte patching. Bio: Kelly Lum has (officially) worked in Information Security since 2003. She recently left an eight-year stint as a code auditor / penetration tester / application security director / bad-ass MC in the financial security sector to become a Security Engineer at Tumblr. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573427.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573427.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Malicious MDM: Fun with iOS MobileConfigs - Karl Fosaaen</title><description>2015-06-09 10:44:15 - SecurityTube.Net : Malicious MDM: Fun with iOS MobileConfigs. Abstract: MDM can be a great way to put security controls on smart phones, but what happens when an attacker brings your device into their MDM domain? From smartphone manufacturers to cell phone service providers, everyone seems to be developing a solution for managing smart phones. We will be covering the basics of how MDM works and how you can abuse the Apple MDM service to gain control over iOS devices. This attack will demo how to deploy malicious MDM configurations and how to abuse company phones to gain access to a company's internal domain. Additionally, we will be covering the steps you should take to protect your business from malicious MDM profiles. Bio: Karl is a senior security consultant at NetSPI. This role has allowed Karl to work in a variety of industries, including financial services, health care, and hardware manufacturing. Karl specializes in network and web application penetration testing. In his spare time, Karl likes to volunteer at THOTCON and DEF CON. Karl can be found on Twitter at @kfosaaen. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573426.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573426.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Unicodes Gone Wild - Christien Rioux (DilDog)</title><description>2015-06-09 10:44:15 - SecurityTube.Net : Abstract: This talk will discuss the oddities of proper Unicode handling, as well as revealing some common problems with handling Unicode in various operating systems, applications, and frameworks. Bio: Christien Rioux, also known by his handle DilDog, is the co-founder and chief scientist for the Burlington, Massachusetts based company Veracode, for which he is the main patent holder. Educated at MIT, Rioux was a computer security researcher at L0pht Heavy Industries and then at the company @stake. While at @stake he looked for security weaknesses in software and led the development of Smart Risk Analyzer. He co-authored the best-selling Windows password auditing tool @stake LC and the AntiSniff network intrusion detection system. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573425.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573425.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - API: Authentication's Poorly Implemented</title><description>2015-06-09 10:44:15 - SecurityTube.Net : API: Authentication's Poorly Implemented. Abstract: Who doesn't love a robust, easy-to-use, well-documented API? The ability to plug right into an application, a service, an infrastructure, especially in a secure way, is a marvelous feeling. But, what about those mild (and not so mild) oversights? Implementation flaws? Security bugs? Legacy APIs being "integrated" with new, flashy RESTful APIs? In this talk, we'll highlight some real-world examples of web-related API security problems, notably surrounding authentication and authorization issues in targets ranging from a big online payment shop to an embedded device's backend infrastructure (and a slew of things in between). Bio: Zach Lanier is a Senior Research Scientist with Accuvant Labs, specializing in various bits of network, mobile, and application security. Prior to joining Accuvant, Zach most recently served as a Senior Security Researcher with Duo Security. He has spoken at a variety of security conferences, such as Black Hat, CanSecWest, INFILTRATE, ShmooCon, and SecTor, and is a co-author of the "Android Hacker's Handbook" (Wiley, April 2014). For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573424.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573424.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - DevOps for the Discouraged - James Wickett</title><description>2015-06-09 10:44:15 - SecurityTube.Net : DevOps for the Discouraged. Abstract: You got DevOpsed? Your sysadmin team got renamed as the DevOps team. Developers got prod access. Code deploys to prod happen multiple times a day now. In the eyes of the business, things are great. Yet, the security team continues to be left out and really nothing seems to be better. In fact it feels worse. Time to learn how to hack some devops for great good. This talk will equip you with advice and tools to join in on the devops. You will also leave with a sample continuous delivery pipeline that is armed to dangerous and ready to identify security issues in a typical web application stack. We'll use a range of open source technology including OWASP ZAP, gauntlt, brakeman, nmap, sqlmap, arachni and more. Bio: James is an innovative thought leader in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at University of Oklahoma and since then has worked in environments For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573423.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573423.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Fix The Damned Software</title><description>2015-06-09 10:44:15 - SecurityTube.Net : Abstract: We've learned much about application security during its lifetime. We've honed assessment techniques and improved vulnerability discovery tools. This mastery hasn't resulted in secure software; it's piled up bugs. The recent push to place better testing tools in the hands of developers will do little more. It's time we _Fix_the_damned_software_. It's time we _build_security_in_. It's time to _design_securely_. Using experience and BSIMM survey data, we look at what this challenge means and how we can meet it today, with today's dev frameworks and tools, dev cultures, and security memes. Bio: John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction to many multi-national corporations, and his keen interest in automation keeps Cigital technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security &amp; Privacy magazine, speaks regularly at conferences and trade shows, and is the leader of the Northern Virginia OWASP chapter. Follow John on Twitter: @m1splacedsoul. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573422.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573422.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Devil in the Haystack - Ping Yan</title><description>2015-06-09 10:44:15 - SecurityTube.Net : Abstract: Application security lies at the core of Salesforce.com's products, for which the reason is obvious. As much as one has strengthened perimeter defenses, an in-depth defense strategy that lies right in the app is much needed. This talk focuses on the application of statistics and machine learning techniques to in-app events to detect and eventually prevent attacks and abuses on the Salesforce platform. The OWASP group laid out a framework of intrusion detection and response in applications: AppSensor. Our work is distinct from the AppSensor project in that the data-driven statistical approaches are built with online learning methodologies and adaptive behavior modeling techniques; they thus require as little configuration and supervision as possible. Unsupervised learning and bootstrapping are established techniques within machine learning. This research dramatically differs from the previous detection techniques for two reasons: (1) The in-app detection inspects transactions in the context of the application's semantics, interaction and enhanced information about their users, whereas an IDS or IPS usually operates on the perimeter at the firewall or at the network gateway; they have little to no knowledge of the behavior within an application. (2) Our methods are adaptive to behavior changes, while the previous techniques largely rely on signature-based misuse detection with rather stale configurations that are thus susceptible to a higher level of false positives. One example of the adaptive behavior based detections includes detecting a fraud user who is stepping through a multi-step business process in an anomalous order. The determination of the anomaly is based firstly on a learned regular behavior over time, and secondly automatically adjusted by evidence of changes in a user's role or business process. Other examples include alerting on abnormal timing or volume of certain in-app activities or geolocation abnormality of a user's access points in a single session. In this talk, we will also give our experience of the big data technologies around the Apache Hadoop ecosystem, in particular Apache Spark, as the major enabling technologies for in-depth app platform threat detection. Bio: Ping spent nearly a decade conducting academic and applied research, innovating algorithmic models in various domains, from consumer behavior modeling to algorithmic security detection. Her works were published as journal articles, monographs and books. Ping has her PhD degree in Management Information Systems from the University of Arizona with a focus on machine learning, consumer analytics and healthcare surveillance. She spoke at various academic conferences in the field of management science such as ICIS, WITS, BioSecure among others, and InfoSec events including BayThreat, BSidesSF and CanSecWest 2014. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573421.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573421.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - The Emperor's New Password Manager - Devdatta Akhawe</title><description>2015-06-09 10:44:15 - SecurityTube.Net : The Emperor's New Password Manager: Security Analysis of Web-based Password Managers. Abstract: Joint work with Zhiwei Li, Warren He, Dawn Song. We conduct a security analysis of five popular web-based password managers. Unlike "local" password managers, web-based password managers run in the browser. We identify four key security concerns for web-based password managers and, for each, identify representative vulnerabilities through our case studies. Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user's credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root causes of the vulnerabilities are also diverse, ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF and XSS. Our study suggests that it remains a challenge for password managers to be secure. To guide future development of password managers, we provide guidance for password managers. Given the diversity of vulnerabilities we identified, we advocate a defense-in-depth approach to ensure the security of password managers. Bio: Dev is a security engineer at Dropbox. Previously, he was a grad student at UC Berkeley interested in web application security. His research focuses on web application security, browser security, and other related topics. He is also an editor of the Sub Resource Integrity spec and is always happy to talk about Content Security Policy. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573420.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573420.shtml</guid></item>
<item><title>OWASP AppSec California 2015 - Leveling up an application security program</title><description>2015-06-09 10:44:15 - SecurityTube.Net : Leveling up an application security program. Abstract: In this talk, David will relay lessons learned from his first year working in the application security program at Riot Games. David will explain how he assessed the level of the program when he joined, and what gaps he identified. He will give an overview of how Riot approaches application security in a fast paced, agile environment. This will include how Riot implements controls which do not negatively impact product development or player experience. David will explain how Riot provides secure coding guidance to software engineers, works with QA, and maintains an application security community of practice. There are many options when it comes to understanding and improving an application security program; this talk will address Riot's efforts in this regard. Bio: David Rook is a Security Engineer focusing on Application Security at Riot Games in Dublin. He held various application security roles in the financial services industry from 2006 before moving into the computer games industry in early 2014. He is a contributor to several OWASP projects including the code review guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF CON, BlackHat USA and RSA Europe. In addition to his work with OWASP, David created a security resource website and blog called Security Ninja. The Security Ninja blog has been nominated for five awards including the best technology blog at the Irish Blog Awards, the Computer Weekly IT Security blog award, and was a finalist for the Irish Web Awards Best Technology Site. David received a Developer Security MVP award from Microsoft in 2011, 2012 and 2013 as well as the SC Magazine Europe 2012 Rising Star award. David strives to practice what he preaches and has backed up his work experience by developing two open source security code review tools called Agnitio and the Windows Phone App Analyser. For More Information Please Visit: https://2015.appseccalifornia.org</description><link>http://www.secuobs.com/revue/news/573419.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573419.shtml</guid></item>
<item><title>California passes law requiring warrant to search computers, cellphones and tablets</title><description>2015-06-05 16:10:45 - Security Bloggers Network : The hodgepodge of US state and federal laws about phone search, some of which say the law needs a warrant and some of which say they don't, just got a bit messier </description><link>http://www.secuobs.com/revue/news/573131.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573131.shtml</guid></item>
<item><title>California Is Giving Away Free Solar Panels To Its Poorest Residents</title><description>2015-05-27 23:54:36 - Slashdot  Your Rights Online : MikeChino writes: Oakland-based non-profit GRID Alternatives is giving away 1,600 free solar panels to California's poorest residents by the year 2016. The initiative was introduced by Senator Kevin de León and launched with funds gathered under the Greenhouse Gas Reduction Fund (GCRF), the state's cap-and-trade program. SFGate reports: "Kianté London used the program to put panels on his three-bedroom North Richmond home, which he shares with two sons and a daughter. 'It helps me and my family a great deal to have low-cost energy, because these energy prices are really expensive,' said London, 46, whose solar array was installed this week. 'And I wanted to do my part. It's clean, green energy.' London had wanted a solar array for years, but couldn't afford it on his income as a merchant seaman, roughly $70,000 per year. Even leasing programs offered by such companies as SolarCity and Sunrun were too expensive, he said. The new program, in contrast, paid the entire up-front cost of his array."</description><link>http://www.secuobs.com/revue/news/572172.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/572172.shtml</guid></item>
<item><title>California Votes To Ban Microbeads</title><description>2015-05-23 02:10:15 - Slashdot Your Rights Online : New submitter Kristine Lofgren writes: The California Assembly just passed a vote to ban toxic microbeads, the tiny flecks found in toothpastes and exfoliants. Microbeads cause a range of problems, from clogging waterways to getting stuck in gums. The ban would be the strictest of its kind in the nation. As the article notes, the California Senate would need to pass a bill as well for this ban to take effect, and if that happens, the resulting prohibition will come into place in 2020. From the article: "Last year, Illinois became the first state in the US to pass a ban on the usage of microbeads in cosmetics, approving a law that will go into effect in 2018, and earlier this year two congressmen introduced a bipartisan bill to outlaw the use of microbeads nationwide. And for exceptionally good reason: the beads, which serve as exfoliants and colorants, are a massive source of water pollution, with scientists estimating that 471 million plastic microbeads are released into San Francisco Bay alone every single day."</description><link>http://www.secuobs.com/revue/news/571750.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/571750.shtml</guid></item>
<item><title>California Senate Approves School Vaccine Bill</title><description>2015-05-15 00:05:16 - Slashdot Your Rights Online : mpicpp writes: California state senators have passed a controversial bill designed to increase school immunization rates. SB277 would prohibit parents from seeking vaccine exemptions for their children because of religious or personal beliefs. California would join West Virginia and Mississippi as the only states with such requirements if the bill becomes law. "SB 277 is about increasing immunization rates so no one will have to suffer from vaccine-preventable diseases," said Sen. Ben Allen (D-Santa Monica), who coauthored the bill with Sen. Richard Pan (D-Sacramento).</description><link>http://www.secuobs.com/revue/news/570791.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/570791.shtml</guid></item>
<item><title>Examining Costs and Prices For California's High-Speed Rail Project</title><description>2015-05-10 20:59:24 - Slashdot Your Rights Online : The LA Times features a look at the contentious issue of a publicly funded high-speed rail system for travel within the state of California, which focuses especially on an obvious question: how much would it cost for passengers to ride? This isn't a straightforward answer, though, partly because the system isn't expected to be operational for another 13 years, and the estimates vary wildly for what would be a trip of more than 400 miles that touches on some of the US's most expensive real estate. From the Times' article: "The current $86 fare (for an LA to San Francisco ticket) is calculated in 2013 dollars based on a formula that prices tickets at 83% of average airline fares to help attract riders. The rail fare is an average that includes economy and premium seats, nonstop and multi-stop trains, as well as last-minute and advance purchase tickets. A premium, same-day nonstop bullet train trip would cost more than $86. But compared with current average prices on several high-speed rail systems in Asia and Europe, $86 would be a bargain, equating to about 20 cents a mile or less, the Times review found. The analysis was based on a 438-mile route in the mid-range of what state officials expect the final alignment to measure." How much would you be willing to pay to take a fast train between LA and San Francisco?</description><link>http://www.secuobs.com/revue/news/570273.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/570273.shtml</guid></item>
<item><title>California Looking at New Drug-Detecting DUI Technology</title><description>2015-05-08 22:10:08 - Security Bloggers Network : California lawmakers are considering a proposal that would give cops permission to use technology that identifies drivers under the influence of marijuana, cocaine and other drugs. Assembly Bill 1356 changes Californi </description><link>http://www.secuobs.com/revue/news/570199.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/570199.shtml</guid></item>
<item><title>Transparency &amp; Trust in the Cloud Series: Mountain View, California</title><description>2015-04-29 01:10:37 - Security Bloggers Network : I was in Silicon Valley recently speaking at another Transparency &amp; Trust in the Cloud event. Thank-you very much to all the customers that made time to join us at the Microsoft campus in Mountain View, California. This was another very well attended event with numerous large enterprise customers located in the vicinity in attendance. Like all the Transparency and Trust events prior to this one, I learned from the </description><link>http://www.secuobs.com/revue/news/569089.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/569089.shtml</guid></item>
<item><title>Will California Mandate Local Government Data Inventories?</title><description>2015-04-27 19:51:38 - Security Bloggers Network : California could become the first state to require that local governments maintain a list of the technology systems used to collect and store public data. Senate Bill 272, authored by Sen. Robert Hertzb </description><link>http://www.secuobs.com/revue/news/568937.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/568937.shtml</guid></item>
<item><title>California Ex-Con Pleads Guilty of $220,000 Income Tax ID Theft Fraud</title><description>2015-04-27 14:46:50 - Office of Inadequate Security : Cathy Locke reports that Edwin Ludwig IV, 34, a former inmate of the California Correctional Center in Susanville, has </description><link>http://www.secuobs.com/revue/news/568879.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/568879.shtml</guid></item>
<item><title>Bill To Require Vaccination of Children Advances In California</title><description>2015-04-22 23:58:49 - Slashdot Your Rights Online : mpicpp sends the latest news on California legislation that would eliminate exemptions for vaccinating school children. A bill that would require nearly all children in California to be vaccinated by eliminating "personal belief" exemptions advanced through the State Legislature on Wednesday, though it still has several hurdles to clear. If approved, California would become one of only three states that require all parents to vaccinate their children as a condition of going to school, unless there is a medical reason not to do so. Under the bill, introduced after a measles outbreak that began at Disneyland, parents who refuse vaccines for philosophical or religious reasons would have to educate their children at home. The legislation prompted a roiling debate in Sacramento, and last week hundreds of people protested at the Capitol, arguing that it infringed on their rights and that it would unfairly shut their children out of schools. Last Wednesday, the legislation stalled in the Senate Education Committee as lawmakers said they were concerned that too many students would be forced into home schooling. This Wednesday, however, the bill passed that committee after its authors tweaked it, adding amendments that would expand the definition of home schooling to allow multiple families to join together to teach their children or participate in independent study programs run by public school systems.</description><link>http://www.secuobs.com/revue/news/568400.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/568400.shtml</guid></item>
<item><title>California Privacy Advocates Urge Defeat of Federal Data Breach Notice Bill</title><description>2015-04-15 14:11:09 - Office of Inadequate Security : Six California privacy and consumer groups have called on members of the US House Energy and Commerce Committee to oppose </description><link>http://www.secuobs.com/revue/news/567447.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/567447.shtml</guid></item>
<item><title>University of California   Riverside notifying 8,000 whose SSNs were on stolen desktop</title><description>2015-04-07 03:04:22 - Office of Inadequate Security : Mark Muckenfuss reports UC Riverside officials are notifying 8,000 graduate students and graduate applicants that their </description><link>http://www.secuobs.com/revue/news/566259.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/566259.shtml</guid></item>
<item><title>California Department of Business Oversight accidentally disclosed personal information to public records requestors</title><description>2015-04-02 22:10:04 - Office of Inadequate Security : California's Department of Business Oversight is notifying some investment advisers and dealer-brokers that due to a </description><link>http://www.secuobs.com/revue/news/565856.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/565856.shtml</guid></item>
<item><title>Cyber Security - Cyber-attacks Threaten California Infrastructure</title><description>2015-03-25 13:04:00 - SecurityTube.Net : When the topic is a cyber-threat, most often, leadership (and the public) focus on the IT technology aspect of such an attack or the privacy implications, as in the breach of credit card information or protected health information. However, the risks to public safety and the well-being of Californians due to cyber-attacks on essential infrastructure, such as water resources, power plants, and online services, are frightening and not well understood by agency and department executives. The media places an overemphasis on the breach of personal information and protected health information but places little to no emphasis on the very real risks to public health and safety stemming from cyber-attacks. This session will paint three business scenarios involving hypothetical cyber-attacks against California's water system, surface transportation system and online services. It will highlight the all-too-real impact to agencies and departments, citizens, and the Governor's Office. At the end of the session you will be equipped with 2-3 practical risk management strategies to begin identifying and managing risks related to California's critical infrastructure and online services. Intended Outcome: Participants will clearly understand the risks to California, walk away with 2-3 risk management strategies that they can execute and have more informed discussions with their cyber security and resiliency leaders and the Legislature. Intended Audience: Chief Information Security Officers (CISO), Agency and Department Executives and representatives from the Governor's office (including Office of Emergency Services). For More Information Please Visit - http wwwpspinfous </description><link>http://www.secuobs.com/revue/news/564745.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/564745.shtml</guid></item>
<item><title>California Health Care Facility Breach Statute Updated: Changes Effective Now</title><description>2015-03-21 13:20:53 - Office of Inadequate Security : Paula Stannard reminds us: As a result of recent breaches, including breaches of health information and information held by </description><link>http://www.secuobs.com/revue/news/564370.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/564370.shtml</guid></item>
<item><title>California Department of Justice Investigates Berkeley Health Center, and Look What Center Left Behind</title><description>2015-03-12 02:14:22 - Office of Inadequate Security : Sam Levin reports: In February, the Berkeley Health Center, a clinic that provided medical services to low-income </description><link>http://www.secuobs.com/revue/news/563094.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/563094.shtml</guid></item>
<item><title>California Looking To Make All Bitcoin Businesses Illegal</title><description>2015-03-12 01:45:20 - Slashdot Your Rights Online : An anonymous reader writes: A new law has been proposed in California that would effectively outlaw all Bitcoin-related businesses that don't first get "permission". The details are vague within the bill itself, which is part of what makes it dangerous. If you're doing anything with virtual currency, you may have to go line up in Sacramento to get permission first.</description><link>http://www.secuobs.com/revue/news/563092.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/563092.shtml</guid></item>
<item><title>California Floats Conditional Approval For Comcast TWC Merger</title><description>2015-02-14 21:02:19 - Slashdot Your Rights Online : New submitter Lord Flipper writes: The California Public Utilities Commission decision on the Comcast Time-Warner proposed merger has just been released. It's not an exciting read, but the 25-bullet-point Appendix to the decision is interesting (PDF, starts on page 75). For example: "19. Comcast shall for a period of five years following the effective date of the parent company merger neither oppose, directly or indirectly, nor fund opposition to, any municipal broadband development plan in California, nor any CASF or CTF application within its service territory that otherwise meets the requirements of CASF or CTF." Whoa. Comcast was not expecting this at all, and they're not happy about it. Here's one more, as an example: "8. Comcast shall offer Time Warner's Carrier Ethernet Last Mile Access product to interested Competitive Local Exchange Carriers throughout the combined service territories of the merging companies for a period of five years from the effective date of the parent company at the same prices, terms and conditions as offered by Time Warner prior to the merger." The ruling by the CPUC covers all customers, present or in the future, of the merged company in California. What they're talking about is opening up Last Mile Access. This could be a step in the right direction, but the ruling today is definitely a surprise. It could nix the merger in California, or it could light a fire under the FCC's butts, or it could bring real competition to Internet access in California. The CPUC is basing their entire decision on Common Carrier law (Section 706, as opposed to Title II), and, unlike the projected FCC decision (coming around the 26th of the month), the CPUC's decision has all kinds of "teeth" as opposed to the FCC's "Title II, with forbearance" approach. It could get very interesting, very soon.</description><link>http://www.secuobs.com/revue/news/559601.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/559601.shtml</guid></item>
<item><title>California Introduces Bill To Ban Warrantless Spying</title><description>2015-02-10 15:01:41 - LinuxSecurity.com Latest News : LinuxSecurity.com: Backed by a number of tech companies, California is eyeing state legislation to protect its citizens from warrantless government surveillance of e-mails, text messages and cellphone communications. The proposed legislation is being backed by state senators Mark Leno, a Democrat, and Joel Anderson, a Republican.</description><link>http://www.secuobs.com/revue/news/558853.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/558853.shtml</guid></item>
<item><title>Ed Felten: California Must Lead On Cybersecurity</title><description>2015-01-26 01:00:47 - Slashdot Your Rights Online : An anonymous reader writes: In a Sacramento Bee op-ed, famous computer security researcher Ed Felten responds to the State of the Union cybersecurity proposal. He doesn't mince words: "The odds of clearing Congress: low. The odds of materially improving security: even lower." What he suggests as an alternative, though, is a surprise. "California," he writes, "could blaze a trail for effective cybersecurity policy." He calls for the state government to protect critical infrastructure and sensitive data, relying on outside auditors and experts. It's an interesting idea. Even if it doesn't go anywhere, at least it's some fresh thinking in this area of backward policy. From Felten's essay: "Critical infrastructure increasingly relies on industrial automation systems. And those systems are often vulnerable: they keep a default password, for instance, or are accessible from the public Internet. These are not subtle or sophisticated errors. Fixing them requires basic due diligence, not rocket science. Requiring the state's critical infrastructure providers to undergo regular security audits would be straightforward and inexpensive, especially relative to the enormous risks. Areas of sensitive data are also low-hanging cyber fruit. In health care, education and finance, California already imposes security and privacy requirements that go beyond federal law. Those legal mandates, though, are mostly enforced through after-the-fact penalties. Much like critical infrastructure, sectors that rely upon sensitive data would benefit from periodic outside auditing. Of any state government's, California's policies also have the chance to help (or harm) the most people: nearly 39 million people, according to a 2014 US Census estimate."</description><link>http://www.secuobs.com/revue/news/556517.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/556517.shtml</guid></item>
<item><title>Improving Web Application Security: OWASP's AppSec California</title><description>2015-01-07 22:55:58 - Security Bloggers Network : Images from last year's AppSec California courtesy seanleftbelow. If your organization is like most, one of your goals in 2015 is to be more secure than it was in 2014. Many organizations invest in training and education to keep one step ahead of their attackers, and conferences offer both. The Open Web Application Security Project  The post Improving Web Application Security: OWASP's AppSec California appeared first on Cyveillance Blog - The Cyber Intelligence Blog.</description><link>http://www.secuobs.com/revue/news/553511.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/553511.shtml</guid></item>
<item><title>OWASP AppSec California January 26-28, 2015</title><description>2015-01-03 08:07:49 - Open Web Application Security Project : From StuartSchwartz owasporg: Happy New Year everyone! I wanted to ensure that everyone was aware of our upcoming conference. On January 26-28, the OWASP AppSec California conference returns to the Annenberg Community Beach House right on the beach in Santa Monica, California. A collaborative effort by the Los Angeles, Orange County, San Diego, Santa Barbara, and the Bay Area chapters of the Open Web Application Security Project (OWASP), the event will feature world class speakers in a truly unique environment. The conference will be two days filled with multiple tracks, great networking, and a full day of training. Last year's conference was a tremendous success, and according to those Symantec folks who have attended, it's a must-go-to software security event. You can expect the brightest lights in the information security industry at the podium and in the seats around you. AppSec Cali draws California's prodigious information security and management talent as well as expertise from around the globe. Senior executives, technical experts, information security practitioners and students attend AppSec Cali for the information and personal connections the event offers. The conference venue sits on 5 acres of oceanfront property with spectacular views of the Pacific Ocean. Attendees will be able to enjoy the various indoor and outdoor spaces, meeting with the leading information security practitioners, researchers, and developers in California. AppSec California will feature four outstanding Keynote speakers: Alex Stamos, CISO at Yahoo; John Steven, CTO at Cigital; Charlie Miller, Security Researcher at Twitter; and Katie Moussouris, Chief Policy Officer at HackerOne. The full schedule can be found here: https appseccalifornia2015schedorg  Training courses have also been added to the agenda, including courses from the basic OWASP Top 10 Exploitation and Effective Safeguards to more advanced topics such as Cryptography for the Modern Developer and everything in between. More information about the exciting training classes can be found at https 2015appseccaliforniaorg training  Who Should Attend AppSec California: Application Developers; Application Testers and Quality Assurance; Application Project Management and Staff; Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff; Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance; Security Managers and Staff; Executives, Managers, and Staff Responsible for IT Security Governance; IT Professionals Interested in Improving IT Security. Various sponsorship opportunities are available to allow all companies to gain exposure for their products and services. For more details on sponsoring this event, please visit https 2015appseccaliforniaorg wp-content uploads 2014 09 Sponsorship-Opportunities-09-07-2014pdf  To register, please follow this link: https myowaspforcecom MN4__PublicEventRegistration id a2oU0000000LKyfIAG  For more general event information, please visit the AppSec California 2015 website: https 2015appseccaliforniaorg  Stu</description><link>http://www.secuobs.com/revue/news/552895.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/552895.shtml</guid></item>
<item><title>Drunk Drivers in California May Get Mandated Interlock Devices</title><description>2014-12-28 06:43:42 - Slashdot Your Rights Online : Convicted drunk drivers all over California may soon be required to install and pay for the use of ignition interlock devices, at a cost of $50-100 per month, plus installation. Says the article: "State Sen. Jerry Hill, D-San Mateo, wants to expand a program already in place in four California counties, including Alameda, and 24 other states. Under the proposed state law Hill will introduce Monday, anyone convicted of driving under the influence would be required to install an ignition interlock device in their car for six months on a first offense and a year on a second conviction." Though interlock devices could be fitted to check for other conditions as well, the usual case (as described on this Wikipedia page) is that they base the ability to operate a car on blood alcohol content. Already in California, interlock devices are mandatory for those re-arrested for DUI while "driving on a suspended license due to a DUI conviction".</description><link>http://www.secuobs.com/revue/news/552103.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/552103.shtml</guid></item>
<item><title>University of California, Berkeley Hacked, Data Compromised</title><description>2014-12-17 15:58:15 - LinuxSecurity.com Latest News : LinuxSecurity.com: In September 2014, cyber criminals managed to breach the security of the University of California, Berkeley servers. The Real Estate Division of UC Berkeley was apparently hacked and the personal information of approximately 1600 people, including students and faculty, may have been compromised.</description><link>http://www.secuobs.com/revue/news/550659.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/550659.shtml</guid></item>
<item><title>University of California   Berkeley discloses data breach</title><description>2014-12-14 00:10:15 - Office of Inadequate Security : The University of California -Berkeley is notifying individuals of a recent data breach in the Real Estate Division </description><link>http://www.secuobs.com/revue/news/550079.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/550079.shtml</guid></item>
<item><title>California Sues Uber Over Practices</title><description>2014-12-11 12:09:01 - Slashdot Your Rights Online : mpicpp writes with news that California is the latest government to file a lawsuit against Uber: California prosecutors on Tuesday filed a lawsuit against Uber over the ridesharing company's background checks and other allegations, adding to the popular startup's worldwide legal woes. San Francisco County District Attorney George Gascon, meanwhile, said Uber competitor Lyft agreed to pay $500,000 and change some of its business practices to settle its own lawsuit. Los Angeles District Attorney Jackie Lacey partnered with Gascon in a probe of the nascent ridesharing industry. A third company, Sidecar, is still under investigation and could face a lawsuit of its own if it can't reach an agreement with prosecutors. Uber faces similar legal issues elsewhere as it tries to expand in cities, states and countries around the world. The companies have popular smartphone apps that allow passengers to order rides in privately driven cars instead of taxis.</description><link>http://www.secuobs.com/revue/news/549667.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/549667.shtml</guid></item>
<item><title>What You Need to Know About The California Data Breach Report</title><description>2014-12-04 21:17:08 - Voltage Security :      The post What You Need to Know About The California Data Breach Report appeared first on Voltage Security </description><link>http://www.secuobs.com/revue/news/548564.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/548564.shtml</guid></item>
<item><title>Event: AppSec California 2015</title><description>2014-12-02 21:01:15 - Help Net Security : OWASP's AppSec California goes beyond "security for security's sake", bringing application security professionals and business experts together with the objective of sharing new information that helps </description><link>http://www.secuobs.com/revue/news/548090.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/548090.shtml</guid></item>
<item><title>California man sentenced to 18 months for hacking into cash registers at Subway sandwich shops</title><description>2014-11-22 14:06:21 - Computer Security News : A man who hacked into computerized cash registers at Subway sandwich shops and stole more than $40,000 in gift cards has been sentenced in Boston to 18 months in prison. US District Judge Richard Stearns also sentenced 46-year-old Lake Elsinore, California, resident Shahin Abdollahi to two years of supervised release and ordered him to pay nearly $44,000 in restitution to Subway.</description><link>http://www.secuobs.com/revue/news/546778.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/546778.shtml</guid></item>
<item><title>California Highway Patrol notifies drivers of missing collision investigation reports</title><description>2014-11-14 17:49:33 - Office of Inadequate Security : The California Highway Patrol (CHP) is notifying some drivers that collision investigation reports with their personal </description><link>http://www.secuobs.com/revue/news/545525.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/545525.shtml</guid></item>
<item><title>Nearly half of California residents had online info exposed last year, attorney general says</title><description>2014-10-29 02:39:11 - Computer Security News : Personal information about more than 185 million Californians was hacked, stolen or otherwise exposed last year, and as many as one-third of those people will become victims of fraud, California Attorney General Kamala Harris said Tuesday in a new report on data breaches in the nation's biggest state. Retailers, banks, health care providers and other organizations reported 167 different breaches in the state during 2013.</description><link>http://www.secuobs.com/revue/news/542963.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/542963.shtml</guid></item>
<item><title>Attorney General Kamala D. Harris Releases Data Breach Report: 185 Million Californians' Personal Information Put at Risk</title><description>2014-10-28 20:54:24 - Office of Inadequate Security : From California's Attorney General: LOS ANGELES - Attorney General Kamala D. Harris today released the second annual </description><link>http://www.secuobs.com/revue/news/542945.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/542945.shtml</guid></item>
<item><title>California's Latest Amendments to Its Data Security Breach Notification Law: Much Ado about Nothing?</title><description>2014-10-03 20:30:36 - Office of Inadequate Security : Tanya Forsheit and M. Scott Koller of BakerHostetler have a good write-up of the new provisions in California law and how </description><link>http://www.secuobs.com/revue/news/538462.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/538462.shtml</guid></item>
<item><title>California Amends Data Breach Notification Law, Does Not Require Mandatory Offering of Credit Monitoring</title><description>2014-10-02 13:13:36 - Office of Inadequate Security : Andrew Hoffman writes: California Governor Jerry Brown signed into law an amendment to California's data breach notification </description><link>http://www.secuobs.com/revue/news/538126.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/538126.shtml</guid></item>
<item><title>California toughens breach notification law</title><description>2014-10-01 19:59:38 - Help Net Security : California Governor Edmund Brown has signed on Tuesday new legislation that will strengthen privacy and consumer protections in the state. The new set of bills will, among other things, require eac </description><link>http://www.secuobs.com/revue/news/538002.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/538002.shtml</guid></item>
<item><title>California strengthens breach notification and mitigation requirements</title><description>2014-10-01 13:37:17 - Office of Inadequate Security : The wait is over Governor Jerry Brown signed AB1710 into law yesterday The law not only requires  reasonable </description><link>http://www.secuobs.com/revue/news/537917.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/537917.shtml</guid></item>
<item><title>California Governor Vetoes Bill Requiring Warrants For Drone Surveillance</title><description>2014-09-30 14:58:41 - Slashdot Your Rights Online : schwit1 sends word that California governor Jerry Brown has vetoed legislation that would have required warrants for surveillance using unmanned drones. In his veto message (PDF), Brown said, "This bill prohibits law enforcement from using a drone without obtaining a search warrant, except in limited circumstances. There are undoubtedly circumstances where a warrant is appropriate. The bill's exceptions, however, appear to be too narrow and could impose requirements beyond what is required by either the 4th Amendment or the privacy provisions in the California Constitution." The article notes that 10 other states already require a warrant for routine surveillance with a drone (Florida, Idaho, Illinois, Indiana, Iowa, Montana, Oregon, Tennessee, Utah, and Wisconsin). Further, Brown's claims about the bill's exceptions are overstated; according to Slate, "California's drone bill is not draconian. It includes exceptions for emergency situations, search-and-rescue efforts, traffic first responders, and inspection of wildfires. It allows other public agencies to use drones for other purposes, just not law enforcement."</description><link>http://www.secuobs.com/revue/news/537608.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/537608.shtml</guid></item>
<item><title>Friday Squid Blogging: Squid Fishing Moves North in California</title><description>2014-09-27 00:47:46 - Security Bloggers Network : Warmer waters are moving squid fishing up the California coast. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.</description><link>http://www.secuobs.com/revue/news/537102.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/537102.shtml</guid></item>
<item><title>Pacific Biosciences of California notifying employees of breach</title><description>2014-09-26 14:27:04 - Office of Inadequate Security : Pacific Biosciences of California is notifying employees and dependents after a laptop with personal information was stolen.</description><link>http://www.secuobs.com/revue/news/536979.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/536979.shtml</guid></item>
<item><title>California passes "landmark bill" to protect students' personal data</title><description>2014-09-17 14:15:36 - Security Bloggers Network : There's a lot at stake: think student records that cover attendance, grades, discipline, health, academics, intimate details about family members, parent and student contact information, biometrics, and sometimes even a child's geolocation.</description><link>http://www.secuobs.com/revue/news/535305.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/535305.shtml</guid></item>
<item><title>California Declares Carpooling Via Ride-Share Services Illegal</title><description>2014-09-13 05:01:18 - Slashdot Your Rights Online : An anonymous reader writes: Ride-share companies like Uber, Lyft, and Sidecar got letters from the California Public Utilities Commission this week telling them that carpool features for their services are illegal. Basically, the CPUC says that under California law it's illegal for these ride-sharing services to charge passengers an individual fare when carrying multiple people in one vehicle. If the companies would like to add a carpool feature, they first have to request an adjustment to their existing permits with the CPUC or petition the state legislature to modify the law. Uber, Lyft and Sidecar all unveiled carpool features last month. The three companies say the feature lets strangers in multiple locations, but heading the same direction, share rides and split fares, saving passengers up to 50 percent per ride. This news arrives just as Uber gave in to the demands of striking drivers who claim the company is undermining their ability to earn a livable wage. Read more of this story at Slashdot.</description><link>http://www.secuobs.com/revue/news/534760.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/534760.shtml</guid></item>
<item><title>"Yelp Bill" protects Californians from getting pants sued off over reviews</title><description>2014-09-12 13:52:37 - Security Bloggers Network : California has passed a bill that protects customers from getting penalized by companies after writing bad reviews. Yelp's response: Yippee.</description><link>http://www.secuobs.com/revue/news/534655.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/534655.shtml</guid></item>
<item><title>California Tells Businesses: Stop Trying To Ban Consumer Reviews</title><description>2014-09-11 00:38:17 - Slashdot Your Rights Online : ericgoldman writes: Some businesses are so paranoid about negative consumer reviews that they have contractually banned their customers from writing reviews or imposed fines on consumers who bash them. California has told businesses to stop it. AB 2365--signed by Governor Brown yesterday, and the first law of its kind in the nation--says any contract provisions restricting consumer reviews are void, and simply including an anti-review clause in the contract can trigger penalties of $2,500. Read more of this story at Slashdot.</description><link>http://www.secuobs.com/revue/news/534308.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/534308.shtml</guid></item>
<item><title>Two California Residents Sentenced To Prison For Computer Theft From LendingTree; Former Employee Sold Unauthorized Access</title><description>2014-08-30 01:04:28 - Office of Inadequate Security : US District Judge Robert J. Conrad, Jr. sentenced two California residents to prison on Tuesday, August 26, 2014, for </description><link>http://www.secuobs.com/revue/news/532247.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/532247.shtml</guid></item>
<item><title>Cell Phone Kill Switches Mandatory in California</title><description>2014-08-29 22:15:22 - Security Bloggers Network : California passed a kill-switch law, meaning that all cell phones sold in California must have the capability to be remotely turned off. It was sold as an antitheft measure. If the phone company could remotely render a cell phone inoperative, there wou </description><link>http://www.secuobs.com/revue/news/532223.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/532223.shtml</guid></item>
<item><title>How Cops and Hackers Could Abuse California's New Phone Kill-Switch Law</title><description>2014-08-29 20:27:58 - LinuxSecurity.com Latest News : LinuxSecurity.com: Beginning next year, if you buy a cell phone in California that gets lost or stolen, you'll have a built-in ability to remotely deactivate the phone under a new "kill switch" feature being mandated by California law, but the feature will make it easier for police and others to disable the phone as well, raising concerns among civil liberties groups about possible abuse.</description><link>http://www.secuobs.com/revue/news/532216.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/532216.shtml</guid></item>
<item><title>California's New Smartphone Kill Switch Law Could Increase Your Attack Surface</title><description>2014-08-27 20:05:26 - Security Bloggers Network : The post California's New Smartphone Kill Switch Law Could Increase Your Attack Surface appeared first on The State of Security.</description><link>http://www.secuobs.com/revue/news/531839.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/531839.shtml</guid></item>
<item><title>California phone kill-switch law could lead to abuse</title><description>2014-08-27 19:58:56 - Help Net Security News : On Monday, California Governor Jerry Brown signed into law a bill (SB 962) that will require any smartphone sold in the state after July 1, 2015, to include a software or hardware (or both) kill swit </description><link>http://www.secuobs.com/revue/news/531837.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/531837.shtml</guid></item>
<item><title>XKCD, California Droughts</title><description>2014-08-26 20:09:28 - Security Bloggers Network : via Randall Munroe, at XKCD.</description><link>http://www.secuobs.com/revue/news/531661.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/531661.shtml</guid></item>
<item><title>California Enacts Smart Phone Kill Switch Law</title><description>2014-08-26 17:50:43 - Security Bloggers Network : Technology saves the day. California governor Jerry Brown on Monday signed off on a "kill switch" bill that is aimed at sharply curbing smart phone theft. The law, which will impact smart phone sales throughout the US and the world, goes into effect in July 2015 and requires smart phone makers to build a software switch into their devices that would render them useless if stolen.</description><link>http://www.secuobs.com/revue/news/531620.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/531620.shtml</guid></item>
<item><title>California Passes Law Mandating Smartphone Kill Switch</title><description>2014-08-26 16:52:15 - Slashdot Your Rights Online : alphadogg (971356) writes: Smartphones sold in California will soon be required to have a kill switch that lets users remotely lock them and wipe them of data in the event they are lost or stolen. The demand is the result of a new law, http wwwleginfocagov pub into effect on Monday, that applies to phones manufactured after July 1, 2015, and sold in the state. While its legal reach does not extend beyond the state's borders, the inefficiency of producing phones solely for California means the kill switch is expected to be adopted by phone makers on handsets sold across the US and around the world. Read more of this story at Slashdot.</description><link>http://www.secuobs.com/revue/news/531607.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/531607.shtml</guid></item>
<item><title>Data breach response bill headed to California governor's desk</title><description>2014-08-26 01:56:06 - Office of Inadequate Security : AP reports that the California state assembly has passed AB1710, and it now goes to the governor's desk. But will he </description><link>http://www.secuobs.com/revue/news/531497.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/531497.shtml</guid></item>
<item><title>California "Vendor" In Identity Theft And Credit Card Fraud on Cardersu Sentenced To More Than Eight Years In Prison</title><description>2014-08-23 01:17:09 - Office of Inadequate Security : A northern California man who served as an information and document vendor in the identity theft and credit card fraud ring </description><link>http://www.secuobs.com/revue/news/531163.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/531163.shtml</guid></item>
<item><title>MeetMe's notification to California Attorney General's Office</title><description>2014-08-20 01:43:10 - Office of Inadequate Security : MEETME STATUTORY NOTICE. NEW HOPE, Pa., August 15, 2014: MeetMe, Inc. today announced that it has recently discovered a </description><link>http://www.secuobs.com/revue/news/530594.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/530594.shtml</guid></item>
<item><title>California court mandates BYOD reimbursement</title><description>2014-08-19 18:27:45 - Security Bloggers Network : An appeals court rules that, under CA labor law, employee use of personal cell phones must be reimbursed, even if the employee has an unlimited or flat rate plan.</description><link>http://www.secuobs.com/revue/news/530535.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/530535.shtml</guid></item>
<item><title>California HHS Open Data Portal Paves Way for State Health Data</title><description>2014-08-10 19:21:16 - Security Bloggers Network : Estella Geraghty says the birth of California's first Health and Human Services (HHS) open data portal is much like the birth of a child. It took about nine months to create and is the object of great affe </description><link>http://www.secuobs.com/revue/news/529171.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/529171.shtml</guid></item>
<item><title>University of California Santa Barbara alerts employees using direct deposit to potential check fraud</title><description>2014-08-08 01:19:29 - Office of Inadequate Security : The University of California, Santa Barbara has sent out an update to a breach alert it sent out in July after some </description><link>http://www.secuobs.com/revue/news/528897.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/528897.shtml</guid></item>
<item><title>California Man Sues Sony Because Killzone: Shadowfall Isn't Really 1080p</title><description>2014-08-07 19:03:59 - Slashdot Your Rights Online : Sonny Yatsen (603655) writes: A California man with nothing better to do has launched a class-action lawsuit against Sony because he claims he was harmed because Killzone: Shadowfall's multiplayer mode doesn't have native 1080p resolution as Sony originally claimed. He now demands 'all economic, monetary, actual, consequential, statutory and compensatory damages' as well as punitive damages from Sony. Read more of this story at Slashdot.</description><link>http://www.secuobs.com/revue/news/528842.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/528842.shtml</guid></item>
<item><title>Why California's Department of Technology is Transforming Service Delivery</title><description>2014-07-24 20:17:39 - Security Bloggers Network : After I was appointed as the Director of the Office of Technology Services in 2012, I met with all of our major customers to ask what services we weren't providing that they would like to see us provide. Cloud services was th </description><link>http://www.secuobs.com/revue/news/526804.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/526804.shtml</guid></item>
<item><title>California In the Running For Tesla Gigafactory</title><description>2014-07-21 14:32:54 - Slashdot Your Rights Online : An anonymous reader writes: Thanks to some clean-energy tax incentives approved late this spring, California appears to be in the running again for Tesla's "Gigafactory." From the article: "The decision should have been made by now, and ground broken, according to the company's timeline, but is on hold, allowing California, which was not in the race initially (CEO Elon Musk has called California an improbable choice, citing regulations) to throw its hat in the ring. 'In terms of viability, California has progressed. Now it's a four-plus-one race,' said Simon Sproule, Tesla's vice president of global communication and marketing, referring to the four named finalists (Texas, Arizona, New Mexico and Nevada) for the prize. That's heartening. Having the Gigafactory would be a vindication of Gov. Jerry Brown's drive to make California the home of advanced manufacturing, of which Tesla's battery technology is a prime example. With its technology, 'Tesla may be in position to disrupt industries well beyond the realm of traditional auto manufacturing. It's not just cars,' a Morgan Stanley analyst told Quartz, an online business publication, last year." Read more of this story at Slashdot.</description><link>http://www.secuobs.com/revue/news/526164.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/526164.shtml</guid></item>
<item><title>Searchable Video May Bolster Government Transparency in California</title><description>2014-07-09 22:59:45 - Security Bloggers Network : A new online tool that combines video archiving with social engagement could usher in a new era of legislative transparency in California. Called "Digital Democracy," the database identifies </description><link>http://www.secuobs.com/revue/news/524460.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/524460.shtml</guid></item>
<item><title>California Property Tax Exemptions For Solar Energy Systems Extended To 2025</title><description>2014-07-03 23:04:31 - Slashdot Your Rights Online : New submitter DaveSmith1982 writes with word from PV Tech that a property tax exemption for solar power systems in California has been extended to 2025, following the passing of a bill as part of the annual state budget. Senate Bill 871 (SB871) was approved during the signing of the budget by governor Jerry Brown, which took place last week. The wording of SB871 extends the period during which property taxes will not be applied to "active solar energy systems," which includes PV and solar water heaters. Read more of this story at Slashdot.</description><link>http://www.secuobs.com/revue/news/523643.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/523643.shtml</guid></item>
<item><title>California Legalizes Bitcoin</title><description>2014-06-30 07:54:13 - Slashdot Your Rights Online : jfruh (300774) writes: California governor Jerry Brown has signed a law repealing Section 107 of California's Corporations Code, which prohibited companies or individuals from issuing money other than US dollars. Before the law was repealed, not only bitcoin but everything from Amazon Coin to Starbucks Stars were technically illegal (the law was generally not enforced). Read more of this story at Slashdot.</description><link>http://www.secuobs.com/revue/news/522813.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/522813.shtml</guid></item>
<item><title>University of California, Washington Center notifies alumni of vendor breach</title><description>2014-06-26 15:38:21 - Office of Inadequate Security : The University of California, Washington Center (UCDC) recently notified alumni of a breach involving their course </description><link>http://www.secuobs.com/revue/news/520843.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/520843.shtml</guid></item>
<item><title>Riley v California: support cloud privacy too</title><description>2014-06-25 19:51:16 - Security Bloggers Network : Today, in Riley v California, SCOTUS struck down warrantless cellphone searches during arrest. However, I think more importantly, they are setting things for a future battle over cloud privacy. Today, the police can grab your old emails stored in the cl </description><link>http://www.secuobs.com/revue/news/520704.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/520704.shtml</guid></item>
<item><title>California DMV concludes investigation into alleged breach</title><description>2014-06-25 04:01:40 - Office of Inadequate Security : The California DMV has confirmed that there was no breach of its systems. A breach had originally been reported in March by </description><link>http://www.secuobs.com/revue/news/520555.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/520555.shtml</guid></item>
<item><title>California company sues bank over cybercrime, wins $350,000 settlement</title><description>2014-06-20 21:42:37 - Security Bloggers Network : A California oil company that lost thousands after being attacked by hackers has won $350,000 in a legal settlement after suing its bank. The post California company sues bank over cybercrime, wins $350,000 settlement appeared first on We Live Security.</description><link>http://www.secuobs.com/revue/news/520006.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/520006.shtml</guid></item>
<item><title>California Regulators Tell Ride-Shares No Airport Runs</title><description>2014-06-13 02:53:47 - Slashdot Your Rights Online : An anonymous reader writes in with news about ride-share crackdowns in California. California regulators are threatening to revoke permits for on-demand ride companies UberX, Lyft, Sidecar, Summon and Wingz unless they stop giving rides to and from airports within two weeks. The move could lead to the state shutting down the companies' operations. Flouting the airport rules also flouts regulations that the CPUC set up for the new generation of ride companies to operate in California. In a clear rebuttal to an argument often made by the ride companies, Peevey wrote: "These safety requirements should not hinder your creativity nor should they impede your innovation." Read more of this story at Slashdot.</description><link>http://www.secuobs.com/revue/news/518691.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/518691.shtml</guid></item>
<item><title>Teacher Tenure Laws Ruled Unconstitutional In California</title><description>2014-06-11 04:26:30 - Slashdot Your Rights Online : An anonymous reader writes: Tenure laws are one of the most controversial aspects of education reform, and now the tide seems to be turning against them. A California judge has handed down a ruling that such laws are unconstitutional, depriving students of an education by sometimes securing positions held by bad teachers. The judge said, "Substantial evidence presented makes it clear to this court that the challenged statutes disproportionately affect poor and/or minority students. The evidence is compelling. Indeed, it shocks the conscience." The plaintiff's case was that "California's current laws make it impossible to get rid of the system's numerous low-performing and incompetent teachers"; that seniority rules requiring the newest teachers to be laid off first were harmful; and that granting tenure to teachers after only two years on the job was farcical, offering far too little time for a fair assessment of their skills. This is a precedent-setting case, and there will likely be many similar cases around the country as tenure is challenged with this new ammunition. Read more of this story at Slashdot.</description><link>http://www.secuobs.com/revue/news/518143.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/518143.shtml</guid></item>
<item><title>American Express notified 76,608 California residents after "AnonymousUkraine" data dumps</title><description>2014-05-30 01:39:56 - Office of Inadequate Security : From AmEx's (AXP) notification to the California Attorney General's Office: Hacktivist group Anonymous </description><link>http://www.secuobs.com/revue/news/516200.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/516200.shtml</guid></item>
<item><title>California bill would boost data breach notice requirements</title><description>2014-05-28 13:58:41 - Office of Inadequate Security : AP reports that retailers would have to notify customers of data breaches under a bill that passed the state Assembly, </description><link>http://www.secuobs.com/revue/news/515891.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/515891.shtml</guid></item>
<item><title>California Opens Driverless Car Competition With Testing Regulations</title><description>2014-05-22 22:43:19 - Slashdot Your Rights Online : smaxp (2951795) writes: California just released rules for testing autonomous vehicles on California's roads and highways. Californians will soon be seeing more autonomous vehicles than just those built by the Google X labs. These vehicles offer great promise, such as freeing the driver's attention for productivity or leisure, better safety and less congestion. It will be a while, though, before we see these vehicles on the road. From the article: 'Getting started requires the RMV's approval of testing under controlled circumstances prior to testing on public roads. The manufacturers must insure the vehicles with a $5 million surety bond. Autonomous vehicle manufacturers need a permit and test drivers need a special license. The RMV will receive applications beginning on July 1, 2014, and the permits that are granted will be announced beginning on September 1, 2014.' Read more of this story at Slashdot.</description><link>http://www.secuobs.com/revue/news/515031.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/515031.shtml</guid></item>
<item><title>California Legislation Affirms Privacy Rights Against NSA Spying Methods</title><description>2014-05-21 00:17:46 - Slashdot Your Rights Online : New submitter amxcoder writes: A recent bill making its way through the California state legislature reaffirms 4th amendment protections against NSA-style wiretapping of cell phones and computer records, and declares that the NSA's data collection methods and practices are unconstitutional. The bill has passed the California Senate with only a single opposing vote. It would require a warrant to be issued by a Judge before the state's law enforcement and other departments can assist federal agencies in obtaining these records. Similar bills in other states are trickling through the legislative process, but California's is the furthest along. At the least, it will establish that a state of 38 million people are unhappy with the NSA's methods. Read more of this story at Slashdot.</description><link>http://www.secuobs.com/revue/news/514581.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/514581.shtml</guid></item>
<item><title>California Bill Would Safeguard Consumers' Rights To Criticize Firms Online</title><description>2014-05-19 23:28:34 - Slashdot Your Rights Online : An anonymous reader writes in with news about a California bill that aims to protect online reviewers' rights. The proposed law appears to take aim at online licensing agreements that consumers often enter into with companies when they click through the many boilerplate terms and conditions of various online services. Buried deep in the small print of a number of these contracts are provisions stating that consumers agree not to write negative reviews about the service provider. 'If merchants think that our First Amendment free speech rights need to be curtailed, they should say so upfront and in plain language,' Pérez explained of the impetus for his bill, as reported by the Times. Read more of this story at Slashdot.</description><link>http://www.secuobs.com/revue/news/514346.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/514346.shtml</guid></item>
<item><title>Q&amp;A: A Tech Exit Interview with California Sen. Alex Padilla</title><description>2014-05-13 17:48:22 - Security Bloggers Network : Sen. Alex Padilla, D-Pacoima, will leave office later this year after two consecutive terms representing California's San Fernando Valley in the state Senate. During his tenure, he's garnered a reputation </description><link>http://www.secuobs.com/revue/news/513317.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/513317.shtml</guid></item>
<item><title>Mandatory phone kill switch bill resurrected by California Senate</title><description>2014-05-12 19:05:58 - Security Bloggers Network : The first time it came up for a vote, legislators turned it down, saying the pro-consumer bill would be "bad for business." Now, after having dropped the requirement for tablets and having added 7 months to the deadline for phones to have mandatory k </description><link>http://www.secuobs.com/revue/news/513103.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/513103.shtml</guid></item>
<item><title>Tablet Policy Puts California City on the Cutting Edge</title><description>2014-05-10 00:18:02 - Security Bloggers Network : An experiment using tablet devices to display city council agendas has sparked a paperless office movement and progressive technology policy-making in Rancho Cordova, Calif. Under a new policy launched last July, if a </description><link>http://www.secuobs.com/revue/news/512856.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/512856.shtml</guid></item>
<item><title>California man receives faxes intended for Michigan credit union containing social security numbers</title><description>2014-04-29 16:30:28 - Office of Inadequate Security : Jeff Vaughn reports: Richard Woo is in the import-export business. In the past, he used an email account to verify auto </description><link>http://www.secuobs.com/revue/news/510906.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/510906.shtml</guid></item>
<item><title>Is California Reversing Course on Government Transparency?</title><description>2014-04-09 20:53:51 - Security Bloggers Network : A California appeals court ruled last month that emails and other forms of electronic communication about public business are not subject to the state's Public Records Act if they're conducted on a privat </description><link>http://www.secuobs.com/revue/news/507348.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/507348.shtml</guid></item>

 </channel>
</rss>
