2012 BASC Presentations

We would like to thank our speakers for donating their time and effort to help make this conference successful.

Data center security teams are being challenged to rapidly deploy and secure new applications while controlling costs and improving efficiency. In this presentation, we will provide an inside look at some of the problems with traditional access management implementations and how enterprises can sucessfully overcome these challenges by integrating web application firewall technologies with Identity and Access Management. Learn about best practices, specific use cases and how this new integration translates into operational simplicity for the enterprise.

Fuzzing is easy, but getting useful information from fuzzing isn’t. ‘Spray and pray’ might get some results, but a set of well-designed tests will get much better results faster. Unfortunately, the job doesn’t end there. Fuzzing doesn’t find vulnerabilities; fuzzing finds unexpected behavior. Interpreting that unexpected behavior relies on understanding the application you’re fuzzing and the tests you’ve designed. This presentation will discuss techniques for creating tests targeted towards uncovering specific behavior, including authorization bypasses, directory traversals, and buffer overflows.

"Increasingly ""real-time"" web applications require new hacks on-top of HTTP that requires server support (e.g. WebSockets, SPDY); this presentation will demonstrate how this new functionality permits attackers to more effectively, and more stealthily establish bidirectional communication with compromised hosts; thus bypassing any outbound connection restrictions. We will cover the theory, historical techniques, defensive methodologies and new techniques throughout the presentation.

At the heart of these techniques is the ability to establish arbitrary bidirectional TCP connections given vulnerabilities in web applications, even in the presence of restrictive DMZ firewalls; this is a ""well-known"" attacker methodology. Attackers have for many years known to abuse the trusted relationship between web servers (or any exposed service!) and perimeter firewalls (inbound ports). Generally these tricks come at a price and are something that can be detected by a vigilant security team.

We will discuss how attackers can easily bypass outbound firewall rules, the history of these methodologies, and common defensive techniques combating this threat. Furthermore, new techniques will be described that utilize ""real-time"" protocols; specifically, how can these new techniques create back-channels and simultaneously hide from those vigilant security teams, increase the throughput and reliability of an attacker’s ""VPN"", and arbitrarily direct traffic from the internet into a DMZ environment."

We've found this NSA resource to provide very useful and clear guidance -- this 15-minute talk will tell you about it.

People have been talking about secure Software Development Life Cycles (SDLCs) for years, but there has been little traction in scaling secure SDLC activities outside of a few very security-conscious companies. We assert that a key reason for this is that to scale, these processes require automation. Static analysis, web application firewalls, and dynamic testing are the primary methods many organizations use to secure their applications because these tools can scale effectively. However, there is widespread acknowledgement that relying solely on verification activities for security is neither cost effective nor holistic. In fact, a 2012 study by SD Elements (to be published) indicates that on average 42% of security requirements are NOT covered by automated static and/or dynamic testing tools. To efficiently scale secure SDLC, we emphasize on process automation via criteria-based requirement generation, contextual on-the-job training for developers, and smart checklists. Our data indicates a significant savings for the organization on remediation costs. This talk discusses the process automation in detail and demonstrates how it effectively scales to large development teams.

In the event that your password table gets into the wild, how long will it take an attacker to expose the plaintext passwords? The recent set of well publicized disclosures of user passwords raised the question of whether current best practices adequately protect passwords from brute force attacks by many of our clients. In addition, with the advent of GPU-based (or FPGA) computing where GPUs are used for general purpose computing, are the current defenses and practices built for brute-force attacks sufficient? Cigital reviewed the current hardware innovations, analyzed the current methods for protecting passwords at rest and whether the methods sufficiently protected the passwords from being revealed using today’s hardware.

This talk discusses the pros and cons of the current practices such as salted-hashes, adaptive hashes and proposes an alternative solution for strengthening these existing practices. The talk will discuss the cryptographic properties of the current practices, but does not require a PhD in mathematics to understand the details.

Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.

QR Code (abbreviated from Quick Response Code) is the trademark for a type of matrix barcode (or two-dimensional code) consisting of black modules (square dots) arranged in a square pattern on a white background. There are numerous free mobile applications that interpret QR codes. There are also different types of 2D codes and tags - Microsoft Tags and NFC tags. Users may receive text, add a vCard contact to their device, open a Uniform Resource Identifier (URI), or compose an e-mail or text message after scanning QR Codes. When the app is running and a QR image that fills a certain portion of the screen is focused on, the app executes the QR command. The problem is that the mobile apps execute the QR action without asking the user anything. The malicious exploits can be: directing the mobile app to open a malicious web page that downloads malware to the device; sending text messages that cost money, adding malicious Vcards to the address book that take over the address book. The possible data types available in QR codes allow a great range of malicious actions - Website URL; YouTube Video; Google Maps Location ; Twitter; Facebook; LinkedIn; FourSquare; iTunes Link; Plain Text; Telephone Number; Skype Call; SMS Message; Email Address; Email Message; Contact Details (VCARD); Event (VCALENDAR); Wifi Login (Android Only); Paypal Buy Now Link

This talk will cover the different types of codes, the mobile apps that use them and their risks.