Crisis maps collect and present open source intelligence (Twitter, Facebook, YouTube, news reports) and direct messages (SMS, email) during disasters such as the Haiti earthquake and civil unrest in Africa. The deployment of crisis mapping technology is on its way to becoming a standard tool to collect and track ground truth from crisis zones, but very little work has been done to evaluate and mitigate the threat posed by adversaries with offensive infosec capabilities. These platforms can provide responders and humanitarian organizations with the timely, high fidelity situational awareness necessary to direct aid and save lives. Unfortunately, they can also provide hostile national security services and other malicious groups with the information they need to target vulnerable populations, hunt down individuals, and manipulate response operations. In this session we'll setup, operate, attack and defend an online crisis map. Bring your laptop and toolsets because you will have the opportunity to play the bad actor (a technical member of the secret police or terrorist organization) as well as the defender (the response agency, citizen on the ground, and sysadmin trying to keep the server online). The experience will bring together everything we know and love and hate about defending online systems including buggy code, naive users, and security vs. usability tradeoffs and do so in a situation where people are dying and the adversary controls the network. We'll also introduce some not-so-typical concepts like building trust on the fly, crowdsourced verification, and maintaining situational awareness from halfway around the globe. Each step in the process will be based on real-world deployment experiences monitoring everything from local riots to nation-wide revolutions and natural disasters. The lessons learned, vulnerabilities found, and exploits developed during the session will be taken back to the crisis mapping community - enabling them to build more secure systems and more effective, life-saving deployments.
George Chamales has spent the last decade working in almost every legal permutation of employer / job the computer security field has to offer. His list of current and former government employers includes DOD, DOE, DHS, and DOI. In the private sector, he's worked as a security architect, member of the Honeynet Project, and corporate pen-tester targeting Fortune 500 companies. He is an active member of the crisis mapping community, where he develops new tools and capabilities, co-founded the Crisis Mappers Standby Task Force, and has served as the technical lead for numerous deployments including LibyaCrisisMap.net, Pakreport.org, and SudanVoteMonitor.com.