The 2014 Security Analyst Summit was held in the Dominican Republic in early February.
Microsoft Security Strategist Katie Moussouris discussed the creation of the company's bug bounty program on the first day of the conference. Moussouris claimed the program has been a success so far and the company is looking for new ways to expand it in the future. “There are probably only a thousand people worldwide who could do this kind of work,” she said. “And there’s probably only a few hundred who would work with Microsoft.”
Chris Soghoian, a principal technologist and senior policy analyst at the American Civil Liberties Union, said in his talk that “our threat model has changed. The APT powers of my government and your government and the Chinese government are not the biggest power. The most powerful tool the Department of Justice has is not the ability to hack but the ability to coerce.”
Bruce Schneier, Baroness Pauline Neville-Jones and moderator Phil Bond discussed government surveillance and cryptography. "The efficacy of bulk collection has never been proved. The targeted stuff is good. TAO going after the bad guys with their James Bond-like tools is what we want the NSA to do," Schneier said.
Researchers Chris Valasek and Charlie Miller discussed how they were able to hack the steering, braking and other functions in some cars while driving them. "A layered approach is better and we think having a detection system built in is smart," Miller said.
Tillmann Werner, a senior security researcher with CrowdStrike, talked about how to steal money from ATMs with malware and showed several examples of attacks that have been employed.
Jonathan Pollet, a security consultant, discussed the burgeoning PLC and ICS world and how it may be driven to better security by demands from users. "Let's take what we learned and bake it into industrial control devices," he said.