PCI Compliance - Disable SSLv2 and Weak Ciphers

According to section 4.1 of the the Payment Card Industry Data Security Standard (PCI-DSS) v1.2, merchants handling credit card data are required to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”

What does this mean? In order to validate your PCI DSS compliance in this area you will need to ensure that your relevant server(s) within your PCI environment are configured to disallow Secure Sockets Layer (SSL) version 2 as well as "weak" cryptography. You are also required to have quarterly PCI security vulnerability scans conducted against your externally facing PCI systems. Without disabling SSLv2 and weak ciphers you are almost guaranteed to fail the scans. In turn this will lead to falling out of compliance along with the associated risks and consequences.

The SSLv2 Conundrum

Does your server support SSLv2?

How to test:

You will need to have OpenSSL installed on the system that you will perform the tests from. Once installed, use the following command to test your web server, assuming port 443 is where you're providing https connections:

# openssl s_client -ssl2 -connect SERVERNAME:443

If the server does not support SSLv2 you should receive an error similar to the following:

# openssl s_client -ssl2 -connect SERVERNAME:443

CONNECTED(00000003)

458:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

How to configure Apache v2 to not accept SSLv2 connections:

You will need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file.

An example would be editing the following lines to look similar to:

SSLProtocol -ALL +SSLv3 +TLSv1

Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.

How to configure Microsoft IIS to not accept SSLv2 connections:

You will need to modify the system’s registry.

Merge the following keys to the Windows registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

"Enabled"=dword:00000000

Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.

Those Pesky Weak SSL Ciphers

Does your server support weak SSL ciphers?

How to test:

You will need to have OpenSSL installed on the system that you will perform the tests from. Once installed, use the following command to test your web server, assuming port 443 is where you're providing https connections:

# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP

If the server does not support weak ciphers you should receive an error similar to the following:

# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP

CONNECTED(00000003)

461:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

How to configure Apache v2 to not accept weak SSL ciphers:

You will need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file.

An example would be editing the following lines to look similar to:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that weak SSL ciphers are no longer accepted.

How to configure Microsoft IIS to not accept weak SSL ciphers:

You will need to modify the system’s registry.

Merge the following keys to the Windows registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]

"Enabled"=dword:0000000

Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that weak SSL ciphers are no longer accepted..

At this point have your Approved Scanning Vendor (ASV) scan your external facing PCI environment to validate. Making the above changes should cause the ASV scans to not tag and fail you on the following vulnerabilities:

• SSL Server Supports Weak Encryption
• SSL Server Allows Cleartext Encryption
• SSL Server May Be Forced to Use Weak Encryption
• SSL Server Allows Anonymous Authentication

Steve

###

Sync Oracle Calendar to Google Calendar + iCal + iPhone

I've been searching for a reliable method to automate the synchronization of events from Oracle Calendar (formerly CorporateTime) to my Google Calendar, iCal on my Mac, and internal iPhone calendar on my iPhone.

Recently I learned of a promising iPhone app available at iTunes called Todo+Cal+Sync that could do most of what I was looking for with synchronizing calendars. However, I didn't want to fork over $14.99 for an application that, instead of importing Oracle Calendar events into the native iPhone calendar, added an additional calendar application on my iPhone. Synthesis AG, the developer of the Todo+Cal+Sync application, is required to do this because of limitations imposed by Apple's iPhone software development kit (SDK). In other words, Apple does not allow 3rd part applications, such as Todo+Cal+Sync, to access the internal iPhone calendar, nor sync with iCal. This is a risk/benefit that Apple needs to manage; is the benefit of restricting access to the internal iPhone calendar worth the impact it has on the development of 3rd party applications and subsequent ripple effect? Until Apple's iPhone SDK allow such access, I did not want two calendar applications and continued looking for something that would better match my needs.

After digging around and tinkering with different solutions, I worked out a method that did exactly what I wanted. To make this solution even better, it cost $0 - in other words, FREE!

Below are the steps that I came up with to make the calendar sync work for me. Steps 1-3 are also useful for those who do not necessarily have an iPhone or iTouch but want to sync their Oracle Calendar with other devices and/or calendar apps that support Google Calendar's CalDAV sync.

1. Begin by changing your password for your Oracle Calendar user account. Make it a unique password that you are not using anywhere else. In other words, your new Oracle Calendar password should not be the same password as you're using for other email accounts, online banking, eBay, PayPal, etc. This new password should also comply to any password policies that may exist for users of the Oracle Calendar system.
2. Create a "magic" URL using SyncML2iCal.com. This URL will be used in step #3. You will want your magic URL to look something like the following:

Example - Oracle Calendar supporting https on port 443

http://sync.syncml2ical.com/?serverurl=https://YOUR.ORACLE.CALENDAR.COM:443/ocas-bin/ocas.fcgi?sub=syncml&user=USERNAME&pass=PASSWORD&eventsdb=./Calendar/Events?/dr(-7,30)

SECURITY WARNING - There is an increased security risk with this method. It's up to you to determine if this is a risk you are willing to accept and that it doesn't violate any policies or restrictions imposed by the organization running the Oracle Calendar service that you are using. The risks include:

• Unauthorized interception of your password from the URL as it's being transmitted to SyncML2iCal.com or from SyncML2iCal.com.
• SyncML2iCal.com itself becoming compromised and allowing an attacker to intercept your password.

In my opinion, the likelihood of the above risks happening are medium to low. You can keep this risk on the lower end by never connecting to untrusted networks or using insecure wireless, which includes wireless networks that use WEP encryption.

Additionally, you will need to determine if the impact of an unauthorized user obtaining your Oracle Calendar password would have a significant impact or not. In most instances, I would imagine the impact would be low.

This is why doing step #1 above is critical in helping minimize the impact if your password was compromised.

Anyone using an application that syncs using the SyncML functionality of Oracle Calendar should take the same precautions irregardless if he or she are using SyncML2iCal.com as a proxy to convert SynchML to iCal format.

3. Go to Google Calendar and add a new calendar by selecting Add by URL . You will use the URL you created from step #2. You may also want to change the display name and color of this new calendar on Google Calendar.
   
   Do note that Google has stated that external feeds added via the "Add by URL" method should be refreshed every 24 hours.
   

4. Download and run Calaboration from Google Code. This will allow you to add your Oracle calendar to your Mac's iCal application. Before you can add the new calendar, click on preferences within Calaboration and enable allowing read only calendars to be added. Make sure your new calendar is selected and let Calaboration do the setup work for you. Your Oracle calendar will then sync with iCal.

5. Use iTunes to sync Oracle calendar from iCal to your iPhone.

One minor annoying issue I came across was with how day events and day notes from Oracle Calendar were handled by the time they showed up in iCal. Day events and notes from Oracle Calendar showed up in iCal as being a blocked all-day event from 0000-2359. As a quick temporary solution I simply denied day events and notes within Oracle Calendar and re-synced. This temporary approach was acceptable for me since I use Google Calendar to manage my daily notes and I can look at a user's Oracle calendar if I need to know if he or she is on vacation, on-call, etc.

As for effectively managing tasks using your iPhone, see my previous article titled, Tools To Get Things Done.

Steve

###

Thoughts on IT Security Organizational Structure

I've recently been asking myself how to most effectively structure Information Security (InfoSec) within an organization. Here are some thoughts I've had while trying to answer this.

As with any "structure" there needs to be some form of integral support, whether it's a frame for a house or honeycomb for a beehive. This is also true with organizational structures - there needs to be support. In order for InfoSec to be successful it must have the full support of senior or executive management. This support would be actualized as a sincere commitment by senior management to achieve the following:

• Develop high standards of corporate governance
• Treat InfoSec as a critical function that enables an organization to do business
• Create an environment that understands the importance of, and embraces, InfoSec
• Consistently show 3rd parties that InfoSec is vital and will always be handled in a professional manner
• Ensure that controls being implemented by InfoSec are appropriate and proportionate to risk being addressed
• Stay informed and accept ultimate responsibility and accountability
  

The first bulleted point in the above list, "Develop high standards of corporate governance", is where the necessary framework is built from which InfoSec can flourish. At a minimum, an effective governance framework includes:

• An all-inclusive security strategy that links to clearly defined and documented business objectives
• Security policies that address the multiple facets of security strategy, regulatory compliance and controls
• Standards for each of the policies to make sure that procedures and guidelines comply with policy
• An organizational structure void of conflicts of interest with sufficient resources and authority
• Metrics and monitoring processes to ensure compliance and provide feedback

Again, I want to emphasize that It is imperative that an organization's top management sees InfoSec as a critical business function and is fully committed to stand behind InfoSec. Without the complete assurance from top management we will continue to see security functions getting moved around the organization while adequate resources are never obtained and conflicts of interest are progressively created.

To limit conflicts of interest and actualize the benefits from investing within InfoSec, the Chief Information Security Officer (CISO/ISO) or Information Security Manager (ISM) must report directly to the top of the organizational structure, or an independent branch such as Audit. The trend in the past was to embed central InfoSec within Information Technology (IT), that is, until organizations began realizing that this structure kept InfoSec's hands tied behind their back, significantly reducing InfoSec's overall effectiveness. In other words, organizations were self-limiting their return on investment (ROI) from InfoSec. To resolve this issue and improve the ROI from InfoSec, CISO's/ISO's/ISM's began reporting to the CEO's, CFO's, CTO's and CIO's.

Ok, great, so the ISO should report to the CFO ... then what?

What we want to avoid is a structure with the fragmentation that is commonly seen today. Rather, create a tighter integration of the duties and activities performed by IT Security, Operations, Policy & Compliance, Risk Management and Audit. To anticipate the trends of the future, it’s very likely that individuals and departments taking on central InfoSec duties will also have various risk management responsibilities that extend beyond IT. This can include anything from physical security, business continuity and disaster recovery.

Fact is, too often in industry the security discipline is (mis)directed by technology instead of using a risk analysis and proactive ‘intelligence’ approach. To add to the vicious cycle, when majority of the investment is being put into technology then most of the return comes from there too. This reinforcement perpetuates the destructive spiral.

So, how does a business avoid this technodazed shortsightedness? It comes down to strategy, making the conscious shift to be more strategic. This means moving away from the predictable technology-centric and tactical security operation seen in the industry since the golden days of the dot-gone era. At a high level, for InfoSec to more closely align with and help business achieve its objectives, InfoSec will need to become more focussed on 'intelligence'; gathering information, ability to comprehend, ability to develop policy and plans at a high level, using a methodology of risk analysis and risk mitigation, having the knowledge about an organization's business environment that has implications for its long-term viability and success, thinking long-term, and being both pragmatic and visionary.

Thinking strategically while taking into account anticipation of future trends and using proactive 'intelligence', I believe the wise CISO, or equivalent, who's in a healthy organizational environment needs to start planning for incorporating some of the non-IT specific risk management responsibilities before it's thrust upon them within the next three to five years. There will need to be coordination between IT Security, Operations, Policy & Compliance, Risk Management, Audit and Physical Security.

What this boils down to is that a very effective way to structure InfoSec within an organization involves having the CISO, or equivalent, reporting directly to the senior/executive level of the organization while having their full support, commitment and involvement. This top level commitment includes the development of high standards of corporate governance and actively limiting conflicts of interest so that InfoSec will be effective and provide a high ROI by enabling the organization to do business.

Steve ###

Forensics: Blackberry Curve 8310 and Incorrect EXIF Time Stamp

While working on a forensic investigation that involved a Blackberry 8310 I ran into an issue that just didn't settle right with me. I wanted to ensure that, beyond a reasonable doubt, the EXIF time stamp embedded within a photo taken by the Blackberry device was written accurately by the device. Before signing off on the validity of the EXIF time stamp, something just didn't seem right. After digging around and doing countless tests, I was surprised that I was able to consistently recreate a failure whereby the incorrect time stamp was written to the original date/time EXIF field. Here are additional details:

DEVICE: Blackberry Curve 8310 smartphone (EDGE)

VERSIONS: v4.5.0.55 (Platform 2.7.0.68) & v4.5.0.110 (Platform 2.7.0.90)

PROVIDER: AT&T

DATE/TIME SOURCES: Blackberry & Network

ADDITIONAL ENABLED SETTINGS WORTH NOTING:

• PASSWORD (options | security options | general settings | password)
• BACKLIGHT TIMEOUT value of 30 seconds (options | screen/keyboard | backlight timeout)
  
• SECURITY TIMEOUT value of 1 minute (options | security options | general settings | security timeout)

OBSERVED BEHAVIOR:

The EXIF original date/time embedded within a photo taken by the Blackberry 8310 had the incorrect time stamp. Consistently and repeatedly I was able to have the Blackberry device write the incorrect time stamp to the EXIF field. The EXIF original date/time was inconsistent with the actual date/time that the photo was taken in addition to the “Last Modified” time displayed by the Blackberry device.

SCENARIO REPRODUCING THE PROBLEM:

1. I take a photo with the Blackberry at 0600 on 1/22/2009. The image name is IMG00001. Using the Blackberry and looking at the properties of photo IMG00001 I see the correct “Last Modified” date and time of “Jan 22, 2009 6:00AM”. Emailing the photo to my email address I then view the EXIF data of the photo on a separate forensics system and see the correct original date/time of “2009:01:22 06:00:00”.
2. An hour passes. I delete IMG00001 from the Blackberry and then take a photo at 0700 on 1/22/2009. The image name is IMG00002. Using the Blackberry and looking at the properties of photo IMG00002 I see the correct “Last Modified” date and time of “Jan 22, 2009 7:00AM”. Again, I email myself the photo and view the EXIF data of the photo on a separate forensics system. However, this time I see the incorrect original date/time. The EXIF field shows “2009:01:22 07:02:00”.
3. [update: 1/23/2009] - I can also reproduce this EXIF incorrect time stamp issue without deleting photos. This issue presents itself only with the first photo taken after the phone has automatically locked, requiring a password to unlock before the said photo with the incorrect EXIF time stamp can be taken by the device. Subsequent photos taken before the security timeout locks the device have the correct EXIF time stamps.

IMPLICATIONS:

An assumption is made that the Blackberry device is writing the correct date/time within the EXIF data when a photo is taken with the device. EXIF data within photos could potentially be used as evidence to support what an individuals recorded statement (e.g., whereabouts at a given time). From my tests there’s reasonable doubt that the EXIF time stamp of a photo taken by a Blackberry 8310 device (and perhaps others) may be incorrect. Therefore, EXIF time stamps from photos used as evidence becomes highly questionable and ultimately, and likely, could be rendered irrelevant.

ADDITIONAL NOTES & QUESTIONS:

• Blackberry and RIM have been contacted to investigate and confirm the issue.
• I was able to reproduce this issue on a single Blackberry Curve 8310 which was initially running v4.5.0.55 (Platform 2.7.0.68). I was also able to reproduce the failure after upgrading the same Blackberry Curve 8310 to v4.5.0.110 (Platform 2.7.0.90).
• I viewed the EXIF data on a Mac using both “EXIF Viewer” and “Preview”. I viewed the EXIF data on a Windows XP system using “InfranView” with the EXIF plugin installed.
• Can others reproduce the same issue on 8310’s running similar and/or different firmwares?
• Can others reproduce the same issue on non-8310 Blackberry devices?
• [update: 1/23/2009] - Could this be a residual artifact of the security lockout feature? (will need to test after disabling the security timeout)
  

Steve

###

Tools To Get Things Done

“Give us the tools and we will finish the job.” ~  Winston Churchill

Managing tasks and keeping notes readily accessible and easily searchable has been an ongoing challenge for me. In 1997 I took a Franklin Time Management class and clearly understood the necessity to effectively manage my tasks and time. However, carrying an awkward organizer with me wherever I went wasn't convenient, and I often found it annoying to pull my organizer out when I needed review my schedule and often difficult to quickly locate notes that I had taken previously.

Fortunately...through need, advances in technology and the synergy of creative minds, many electronic productivity tools have surfaced in the market over the years to help with staying organized and getting things done.

Task Management

Over the past several years I've used tools such as Jott and Remember The Milk (RTM) to help me with managing my tasks. Over a period of time I found myself growing more and more frustrated with the two productivity tools. Jott started charging money for a service that did a mediocre job with converting speech-to-text. I tethered RTM with Jott for adding tasks through speech...in other words, I was using two productivity tools to do what one should have been able to do independently.

I can't expect to meet the challenges of today with yesterday's tools and expect to be in business tomorrow. Fortunately, I found a very powerful yet easy to use productivity tool that has been working extremely well for me. Several months ago I started using ReQall as a replacement for both Jott and RTM. What exactly is ReQall? According to the marketing blurb on the ReQall website:

"ReQall is the best memory tool you may ever have, connecting all the ways you communicate in one easy-to-use reminder system. Use it on the web (no software to install!) or download it into your iPhone or BlackBerry smartphone. ... By integrating voice input, speech-to-text transcription, automatic organization and multi-platform reminders, ReQall goes beyond typical to-do and reminder applications."

I've been using ReQall to manage my tasks and shopping lists. From my experience ReQall does a much better job with speech-to-text conversions than with Jott. ReQall's web interface to manage tasks is simpler to use. I'm able to add tasks via the following; web (text), iphone app (text and voice), firefox plugin (text), phone (voice), and instant messaging (text). Plus, I appreciate now having a single solution (ReQall) to do what I had been doing with two (Jott and RTM).

ReQall also allows me to add meetings and schedule tasks for specific dates and times. For example, on my iPhone I can launch the ReQall app and say the following note:

"Meet with Mike on Friday at 3pm"

The above voice note gets converted to text by ReQall. Adding my ReQall meeting feed to my Google Calendar I then see a meeting on Friday at 3pm with Mike! I also synch my iCal with Google Calendar so that my schedule stays current and easily accessible no matter where I'm accessing it.

If I want to add an item to my shopping list, all I have to do is say "buy" and whatever it is I need to pick up at the market. Whoala, the item gets converted to text and shows up in my shopping list. My shopping list can be accessed and individual items checked off from my iPhone while at the store.

Though ReQall is currently a very useful productivity tool, there's room for improvement that will increase ReQall's value. Features I would like to see include:

• A ReQall desktop widget for Mac (RTM already has a desktop widget for Mac OS X)
• Ability to view all To-Do's and shopping list items via the Firefox extension
• Ability to check items off as completed via Firefox extension
• Ability to check items off as completed via the IM interface
  
• iPhone app: Have shared shopping list entries show up in my shopping list AS WELL as my recipient's shopping list
• iPhone app: Auto refresh when starting app, making changes to items, and at specified time intervals (e.g., every 15 mins)
• iPhone app: Ability to change user/pass from the ReQall app instead of having to go through the standard iPhone settings app

I look forward to seeing what ReQall will rollout throughout 2009!

“Computers are magnificent tools for the realization of our dreams, but no machine can replace the human spark of spirit, compassion, love, and understanding.” ~ Louis Gerstner

Note Taking, Journaling and Retrieval

Over the past six months I've been using Journler to record and search through my notes. Journler was great so long as I had my laptop next to me when I needed to retrieve notes. Ultimately, what I needed was a solution that would allow me to securely access my notes from my iPhone as well as from the web. I also wanted a productivity tool that would let me take photos with my iPhone, or other camera, of whiteboards at the conclusion of a work meeting and would place the photo into my notes and preferably convert the words on the whiteboard from the photo into searchable text (OCR).

Last month a co-worker of mine asked about Evernote. Simply put, Evernote is incredibly useful! According to the Evernote website:

"Evernote allows you to easily capture information in any environment using whatever device or platform you find most convenient, and makes this information accessible and searchable at any time, from anywhere."

I've now migrated all of my Journler entries into Evernote. It goes without saying, I don't store anything sensitive in Evernote unless PGP'd. I can access my notes from the web browser on my laptop, the Evernote application, and from my iPhone. Imagine I was in a meeting this morning and I took a picture of the whiteboard where the word "Monkey" was written. Evernote will convert the writing into text and make it searchable. Therefore, I can search my Evernotes for the word "Monkey" and the picture of the whiteboard will be a returned result. That's awesome!

Screenshot: Evernote iPhone App

Additional features I would like to see in Evernote include:

• Strong crypto that can be applied to specific notes requiring a separate password to encrypt/decrypt for enhanced security and privacy - see next bullet point regarding two-factor authentication;
• Two-factor authentication with support for one-time-passwords (see PayPal Security Key)

Overall, I see productivity tools finally getting to a point where there's a noticeable benefit in my productivity in using them. ReQall and Evernote are two such productivity tools.

“When you write down your ideas you automatically focus your full attention on them. Few if any of us can write one thought and think another at the same time. Thus a pencil and paper make excellent concentration tools.” ~ Michael Leboeuf

Steve

###

Microsoft out-of-band security bulletin for October 2008

Microsoft recently issued an out-of-band security advisory for a vulnerability in the server service that could allow remote code execution (MS08-067). Due to the criticality of the vulnerability, Microsoft has released a fix out-of-band (i.e., not on the regular Patch Tuesday).

It is strongly recommended that patches be tested and applied to all vulnerable systems you administrate as soon as possible. According to one source, targeted attacks using this vulnerability to compromise fully-patched Windows XP and Windows Server 2003 systems have been seen.

Advisories

MS08-67

SecurityFocus

Additional Information

Technet Blog

Steve
###

Blackhat Briefings: The Talks I Plan on Attending

The Blackhat Trainings just wrapped up and now everybody here is getting ready for the Blackhat Briefings.

After today's training I picked up my official annual Blackhat swag bag. While picking up my bag there were slews of people wandering around the Caesar's Palace Convention Center for the briefings. The number of people seems to have doubled since the trainings, which is typical.

Last week I had looked online at the list of presentations and had written down what I wanted to attend. This afternoon I reviewed my list against what was shown within the printed brochure. Assuming there's room, my plan is to attend the following presentations at the Blackhat Briefings for the next two days:

Day 1 - August 6

• 0900-0950 - Keynote: Complexity in Computer Security - Ian Angell
  
• 1000-1100 - Nmap: Scanning the Internet - Fyodor Vaskovich
• 1115-1230 - DNS Goodness - Dan Kaminsky
• 1345-1500 - Client-Side Security - Petko D. Petkov
• 1515-1630 - Xploiting Google Gadgets: Gmalware and Beyond - Tom Stracener
• 1645-1800 - MetaPost Exploitation - Val Smith

Day 2 - August 7

• 0900-0950 - Keynote: Natural Security - Rod Beckstrom
  
• 1000-1100 - Satan is on My Friends List - Shawn Moyer & Nathan Hamiel
  
• 1115-1230 - Visual Forensic Analysis and Reverse Engineering - Greg Conti & Erik Dean
• 1345-1500 - Hacking and Injecting Federal Trojans - Lukas Grunwald
• 1515-1630 - The Internet is Broken - Nathan McFeters, Rob Carter & John Heasman
• 1645-1800 - Pushing the Camel Through the Eye of a Needle - Haroon Meer & Marco Slaviero

For those of you in Twitterland - tweet me if you're going to any of the same presentations and want to say "hi" [twitter]

Steve Zenone
###