Richmond, VA

June 5th - 6th, 2014

Speaker Feature: Jayson E. Street

Jayson E. Street

@jaysonstreet /
Krypton Security

Jayson E. Street is an author of “Dissecting the hack: The F0rb1dd3n Network” from Syngress. Also creator of He has also spoken at DEFCON, DerbyCon, UCON and at several other ‘CONs and colleges on a variety of Information Security subjects. His life story can be found on Google under “Jayson E. Street” *He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time’s persons of the year for 2006. ;-)

The hacker in the fun house mirror (A talk on skewed perspectives)

This is a talk on perspectives. Hackers, and hacking, are perceived
differently around the world and, in turn, some view our community and
what we do with different eyes than ours. I believe most
reports/papers about that topic are skewed and never give a quite
accurate global image. It’s all about perspectives, and these are what
I will explore in this talk. Being a foreign hacker attending a con,
or delivering an engagement, in an alien land often led to unexpected
situations that I will also recount. I am not only looking to
enlighten and entertain attendees with this talk, but also to have
them take a step back and look at the big picture, at what they are
part of; a global community that spreads beyond borders and
continents. My hope is that the contents of this talk will circulate
wider than just Con attendees so family, friends and co-workers get a
better understanding of who we are, what we stand for, and what that
thing is that brings us all together globally under one banner.

Speaker feature: David Sharpe and Katherine Trame

David Sharpe and Katherine Trame


David Sharpe and Katherine Trame are currently incident responders in GE-CIRT’s Advanced Threats team. The GE-CIRT Advanced Threats team provides world class incident response services for APT-related matters for the entire GE organization. David has a wide range of IT experience spanning 19 years. He has served in a variety of roles in Fortune 10 and Fortune 500 companies, ranging from systems programmer writing device drivers and operating system components, to large scale systems administration, to IT security. David joined GE-CIRT in 2011. Katherine served as an intelligence analyst with the Hampton, VA Police Division for five years during which she gained experience in tactical/operational intelligence and computer forensics. Katherine joined GE-CIRT in 2013.

Real World Intrusion Response – Lessons from the Trenches

Two battle-scarred, sleep-deprived GE-CIRT incident responders share lessons learned from the trenches, from their daily duties repelling real world, high-end network intrusions globally. This talk will include fresh thinking and innovative ideas in: intrusion response, intrusion detection, effective use of intel, and defensive operations. We will cover roughly a dozen (time permitting) cutting edge ideas and techniques that you can take back to your own organizations and put into practice right away.

How Bad-Ass is the “Secrets of Security” Workshop?

We asked Pete Herzog to tell us more about what people can expect at his OSSTMM class at RVAsec and he provided us a great response!

As humans, we like secrets as long as they don’t harm us for knowing them. We like knowing the dirt on people and the stories behind things. We like to know we’re right and they’re wrong and justifiably so. That’s what this workshop is about. It’s that feel-good, bad-ass workshop full of secrets, dirt, and indignation. Here’s why:

You may have been thrown by the word OSSTMM in the full title, “Secrets of Security with the OSSTMM.” Don’t worry. It’s not about the OSSTMM the way you might be wary that it’s about the OSSTMM. What this workshop won’t do is show you OSSTMM slides and tell you about it. Because that wouldn’t be bad-ass. It’s more about the bad-ass stuff not in the OSSTMM and why we can’t put it in.

For a moment, let me re-introduce you to ISECOM, our organization. Our mission is to make sense of security but how we do it is by not limiting contributors or ideas and we take any profession or hobbyist who wants to partake. And that’s where it gets weird. We’re a research organization with people all over the world working virtually so there are very few constraints to what we can actually research. So we try to reign it in around our mission but sometimes we just do things because somebody was curious. It’s that last part where things get really bad-ass because there’s no context.

When there’s no context that means anything can happen since we’re not constraining it to test a specific theory for security. What happens then is we might learn something spooky or strange or strangely true. Even when we end up with a security truth it can’t just be disseminated as is. It takes a lot of eloquence to take it from from a finding to practical use that can go into one of our publications like the OSSTMM. So sometimes we can’t. That’s also why we struggle to release a coherent document full of cool stuff re-written as practical steps but then it reads like stereo instructions. So in the workshop I’ll show you the behind-the-scenes footage, the stuff we refer to as the “Dark OSSTMM” which is the stuff without context so you can be equally interested or freaked out. Then I’ll show you with context. This is a bit of what it looks like behind the scenes:


Topics Research Without Context Adding Context for Practical Use
Vulnerability Management What would a defense look like that blocked every kind of attack all the time? How to measure an attack surface. How to classify threats based on operations instead of risk.
Electromagnetic Waves How electromagnetic waves affect personality, behavior, and health. Best ways to test large spectrum EM waves. Using EM waves in Social Engineering. Correlating HR data with EM maps. Analyzing EM wave collisions with business processes also using EM frequencies.
Sound waves Using HF sound waves to cause visual hallucinations. Ways to test for HF sound waves. Visual mapping of sound waves. Implementing high frequency sound waves above human perception for machine to machine communication. Using sound waves to causing chaos, confusion, and disruption within the workplace for social engineering and physical attacks.
Neurohacking Using electric signals to modify brain function. ??? We’ve got nothing yet but there’s some pretty cool stuff we can do from enhancing vision contrast to improving working memory to learning skills really quickly.
Trust What are the logical reasons we have to trust someone or something? Testing and measuring trust in people, things, third parties like Vendors and Clouds. Improving social engineering tests to include manipulated trusts. Expanding attack surface calculations to include people.
Perception Can we manipulate how people experience time with external signals or electrical impulses? ??? We’ve got no security context here yet but in some tests we found with direct contact we can increase or decrease physiological responses to hunger, wakefullness, sex, and the speed in which we perceive something.


This research is so bad-ass that it’s sometimes too bad-ass to go in the OSSTMM until we can find further context. So we share it with team members, classes, and subscribers who like to know about stuff like this, groups like: NIST, NSA, NASA, the Whitehouse, CERN, and even the Vatican.

But the point of this workshop is to make you a better security professional as well as more aware of what’s being done out there in security that’s not afraid to challenge concepts we’ve grown up with. So you can expect there will be a good deal of discussion.

Think of it this way:

If doctors worked like today’s security professionals, they’d know everything about all the ways a person could be killed and still use blood letting and leeches to heal us.

And this is what can you do with the stuff from the workshop:

  1. Bring more value to a penetration test and vulnerability scans

a) vastly increase the length of validity for the snapshot
b) analyze points of interaction
c) manage operational security controls including devops

  1. Enhance vulnerability management
  2. Identify the points of attack or points where interactions can cause problems
  3. Increase office and network efficiency by identifying unnecessary interactions
  4. Analyze third party services and vendors, including cloud using trust
  5. Be more smug for having more security dirt to dish at the watercoolers than your colleagues.


Additionally, for fun, I’ll show you how Heartbleed attacks and the latest Target hack look like according to some of our older research.

Finally, I’ll bring some neurohacking gear for workshop attendees to play with. So over-all, I can tell you this will be a bad-ass workshop.

About the Instructor

Pete Herzog is the lead security researcher and creator of the OSSTMM. His analysis of security, hacking, trust, fraud, and neuro-hacking have shown up in thousands of research papers, books, and government documents around the world. He’s passionate about hacking and figuring out how things (and people) work.


Title: The Secrets of Security with the OSSTMM
Instructor: Pete Herzog
Date: 6/4/2014, 9AM-5PM
Cost: $250

Register for this Class


Speaker feature: Nick Popovich

Nick Popovich

@pipefish_ /
Sunera LLC

Nick Popovich’s passion is learning and exploring the offensive side of IT security. He works as a penetration tester, trying to raise the overall security posture of organizations through infrastructure security testing. Nick’s mission is to help individuals and organizations involved with the defensive side of InfoSec understand the mechanics and methods of the attackers they defend against, and to assist in realistically testing those defenses. He’s a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is a father of two and a husband to one.

I Found a Thing and You Can Too: ISP’s Unauthenticated SOAP Service = Find (almost) All the Things!

This presentation is meant to encourage individuals to put the applications and software that they may use on their own home or small business networks under the research microscope. This is will be a discussion of a recent independent research project that eventually lead to an information disclosure vulnerability by a major U.S. ISP. This is also an example of when a coordinated disclosure goes right.
What began with simple curiosity into the inner workings of an application lead to the ability to list wireless network names and wireless encryption keys (among other things) armed only with a WAN IP address.

Normal Registration Closes 5/16 & Badge Updates

Just a few more weeks to get RVAsec tickets at regular price–only $100!

And if that’s not enough incentive to purchase your tickets early, and you still want to attend, you had better pull the trigger soon! We have already sold approximately 85% of all available tickets for the event!

Don’t forget all the things you get with registration, including 2 full days of talks, parking, meals, snacks, drinks, after party, reception, prizes, a capture the flag contest, t-shirt & swag!

We only have a few badges from Hack.RVA that are not accounted for at this point.  For everyone that has signed up already, we should have you covered but the sooner you register the higher up the list you are to get an amazing badge from Hack.RVA.

So, to recap, we are closing in on selling out already, badges are almost all spoken for and the conference prices are as follows:

  • $100 regular price until 5/16
  • $150 late registration until 5/30


Register now!



Speaker feature: Joey Peloquin

Joey Peloquin

@jdpeloquin /

GuidePoint Security

Joey has over 15 years of experience in the information technology industry specializing in information security. Prior to joining the GuidePoint Security team, he served as World Wide Security Architect for F5 Networks focusing on mobile and application security, and authentication and access security. His previous experience includes managing application and mobile security consulting teams at national security consulting firms, and leading JCPenney’s internal penetration-testing team. Joey is an active member of the information security community, speaking frequently at conferences and security events such as OWASP, TakeDownCon, ISSA, and has written, or appeared in, articles by Hakin9, SC Magazine, SD Times, and Information Week. He is also an accomplished technical scuba diver and PADI Divemaster.

Offensive Mobile Forensics

It’s official; enterprise mobility has been redefined, and Bring Your Own Device is a permanent reality, not a trend or fad. The problem everyone has failed to solve, however is not protection of the device itself. MDM, and now MAM are failed attempts to enable the secure use of personally-owned mobile devices. They’ve failed because they stop short of providing a holistic solution for data protection. Enter Offensive Mobile Forensics, a process in which an analyst employs use of the same techniques and tools potential attackers or criminals use on lost or stolen devices, to determine the actual risk of that loss or theft to the enterprise. What data is accessible?

Speaker feature: Kimberley Parsons & Carmen Sullo

Kimberley Parsons & Carmen Sullo
Created for Greatness, LLC

Kimberley Parsons has refined her approach through thirteen years of serving leaders and teams in Fortune 500 and not-for-profit companies. Over 10 years as an IT professional and seven years of coaching and training, she’s had extensive opportunities to elevate others while deepening her learning in leadership and team development, change leadership, strategy execution, and coaching.
Kimberley obtained her Leadership Coach Certification from Georgetown University, is an accredited Associate Certified Coach (ACC) with the International Coach Federation (ICF) and holds a Masters of Science in Information Systems from Virginia Commonwealth University.
Carmen Sullo’s background as an IT Project Manager and Agile Coach for software development in leading financial institutions put her on the path towards team leadership and coaching. Leveraging her natural talents in interpersonal awareness, Carmen excels at building high performing teams that thrive on the most complex and challenging opportunities. Carmen has developed a reputation for developing teams that leaders trust, that people want to be a part of, and with which clients love to work.
Carmen graduated from the University of Richmond with a BA in Information Systems Management and is a graduate of the Newfield Network in Ontological Coach Training.

Leading Security When the Rest of The Business Doesn’t Care About Security
In many organizations, security teams are viewed as a “necessary evil” or a cumbersome speed bump in a project plan. It is almost as though the security teams purpose is in conflict with the organization’s purpose, creating competition for resources and funding rather than collaboration and quality execution. This talk focuses on leading through this challenging organizational environment, transforming from dissatisfied performers with high burnout to high performing teams that attract and retain elite staff.

Speaker feature: Kizz MyAnthia

Kizz MyAnthia

@KizzMyAnthia /
HP ShadowLabs

Infosec specialist whose qualifications include an indepth understanding of security principals and practices; C|EH, MCSE+Security designations; and detailed knowledge of security tools, technologies and development. Seven years of security experience in the creation and deployment of solutions protecting networks, systems and information assets for diverse companies and organizations, with over 10 years overall in the industry.

Into The Worm Hole: Metasploit For Web PenTesting

Ever wondered how to use MSF to make web exploitation EPIC?!
If you said, H3LL YEAH!! Than this talk is for you.
Into the Worm Hole is an adventure into web exploitation and how to use Metasploit Framework to get farther and pwn all the things.

Speaker feature: mubix

@mubix /


Mubix is a Senior Red Teamer. His professional experience starts from his time on active duty as United States Marine. He has worked with devices and software that run gambit in the security realm. He has a few certifications, but the titles that he holds above the rest is FATHER, HUSBAND and United States Marine.

Attacker Ghost Stories: Mostly Free Defenses That Gives Attackers Nightmares

This talk was originally titled “I’m tired of defenders crying”, but thought better of it. This talk is about the tidbits that I’ve seen piecemeal across the multitude of businesses big and small that were innovated and highly effective, yet free, or mostly free and stopped me dead in my tracks.
Going over 4 free, or nearly free methods, tactics, and software setups that will cut down intrusions significantly that you can deploy or start deployment of the hour after the talk is done.

Speaker feature: Jack Mannino, Abdullah Munawar

@jack_mannino /


Jack Mannino is a Co-Founder at nVisium, a DC area firm specializing in application security. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.

Abdullah Munawar is an application security consultant at nVisium who specializes in mobile application testing and ripping apart new things. He previously worked on the security teams at financial and aviation organizations, with over 7 years of experience. Abdullah attempts humor on a daily basis and succeeds most of the time, every time.

How To Find Mobile Internet Love

As mobile dating applications grow in popularity, so does our interest in the security posture behind these apps. We wanted to take a look at numerous features within these apps to determine the good, the bad, and the ugly. We will cover popular features such as location-based services, analytics, sharing of information, and any other features we discovered to be interesting.
This talk will feature some highlights from popular, obscure, and scary mobile dating applications to answer a very simple question: Can you find love on the Internet without having your personal data exposed?