SecDSM, a monthly meetup providing the opportunity to network with other InfoSec pros and listen to short tech talks presented by your fellow members (or give a presentation yourself!) while enjoying some beer/drinks/food. No sales pitches. The idea is to provide you actionable knowledge for you to take back to your $dayjob while building a top tier InfoSec community in the Des Moines area. If you have the desire to learn about real world InfoSec scenarios - get out of your comfort zone - and join us in a relaxed vendor neutral environment. No registration is required.
Schedule
We meet monthly, on the 1st Thursday starting at 6pm at Foundry Distilling Company in West Des Moines.
Caitlin Navratil FBI Threat Briefing and an Overview of Intelligence Analysis7:00 PM
Join for a threat briefing from FBI Intelligence Analyst Caitlin Navratil on latest trends impacting Iowa, a discussion of the FBI’s intelligence program, and an overview of intelligence sharing programs such as InfraGard and IC3.gov.
Caitlin Navratil is an Intelligence Analyst with FBI Omaha, Des Moines Resident Agency. IA Navratil provides intelligence and operational support for National Security matters across Iowa and Nebraska. She has written intelligence products and provided threat briefings to inform FBI decision makers, the US Intelligence Community, law enforcement, and the private sector.
Tom Pohl Zero-Day in the Wild: A SCADA Case Study from a Routine Pen Test 7:40 PM
What happens when a penetration test exposes a vulnerability not just in one environment—but in hundreds?
During an external engagement, Tom Pohl identified an internet-facing SCADA/HMI system and traced it back to a widely deployed vendor product. By acquiring and analyzing the software, he uncovered a zero-day: an unauthenticated interface capable of issuing commands directly to backend control systems.
This session walks through the technical path from discovery to validation—service identification, vendor attribution, software analysis, and exploitation of the flaw.
With a vulnerability of this severity, you would expect a rapid and coordinated response. The vendor said they would fix it—but did they? We'll examine what actually happened: partial remediation, inconsistent patching, and systems that remained exposed.
If a single penetration test can uncover a flaw like this, what happens as AI systems begin finding vulnerabilities—and generating working exploits—at scale? As tools like Project Glasswing emerge, the pressure on vendors to respond quickly and completely is only increasing.
Senior Cybersecurity Consultant by day; CTF dream crusher by night
Sponsored by
Nicholas Starke Introducing Embedded Linux Audit: A Toolkit for Performing Security Analysis of Embedded Devices7:00 PM
Anyone who has done an embedded device security audit can attest to some of the struggles with doing these types of evaluations: libraries are missing, code has to be statically compiled to run usually - and cross compiled for another CPU architecture. Trying to debug a process is usually a non starter due to these problems and others.
I developed a tool, dubbed "Embedded Linux Audit" (https://github.com/nstarke/embedded_linux_audit) to help alleviate some of these troubles, plus also make it possible to "remotely" audit an embedded device. This talk will cover what the tool is, how it works, and some of my motivations for developing such a tool.
The second part of the talk will focus on how this project was developed using the latest in AI assisted development tools, which allowed me to "punch above my weight" in terms of writing code I probably could have never written myself.
Nick Starke is an embedded device and firmware security researcher. When he isn't hacking, he likes playing with synthesizers
