Rhode Island

=Meeting Info= We ask all attendees to RSVP for meetings. Either join our Meetup group and use the RSVP function or join the chapter's listserv and reply to meeting announcements.

OWASP RI on Meetup.com or ListServ

The listserv is "push-only" and will only be used for meeting announcements. The membership list is never shared with anyone.

=Sponsor/Host= OWASP RI is generously sponsored by Swipely with both their office space at 10 Dorrance St, 3rd Floor, Providence, RI as well as with refreshments at meetings. We thank Swipely for their sponsorship of OWASP RI

=Videos/Slides= All videos are on the OWASP RI YouTube Channel https://www.youtube.com/channel/UCD7buF7w8WuF3xfQPrkBiOw  Ben Brown, July 2015, On Defending Against Doxxing, Video (Video courtest of irongeek.com and Converge 2015) Larry Cashdollar, March 2015, Mining Ruby Gems for Fun and No Profit, Video, Slides Jake Fonseca, February 2015, Digital Forensics Slides Taryn Mandrell, September 2014, Advanced Threat Protection  Patrick Laverty, August 2014, How Hackers View Your Web Site Ben Jackson, June 2014, Running a non-attributable honeypot system via fly by night VPS providers 

= Next Meeting =

'''October 6, 6:30 pm - Penetration Testing Overview and stories from the field, by Larry Pesce

We are excited to have Larry Pesce from Inguardians, SANS and Paul's Security Weekly to talk to us about his experiences while performing penetration testing. Larry has additional expertise in ethical hacking of wireless devices, as he teaches the SANS SEC617 Wireless Ethical Hacking course. Larry will give an overview of penetration testing as well as give examples from his own experiences. You can also hear Larry weekly on the Paul's Security Weekly podcast, for which Larry is a co-creator and co-host.

Food and beverages will be provided by our host and sponsor, Swipely!

Location
Swipely 10 Dorrance St., 9th Floor Providence, RI

= Future Meetings =

Account Checkers and Rewards Program Fraud with Kellen Kleinfelter

= Past Meetings =

'''September 15, 6:30 pm - Briefings from Blackhat and Defcon 2015 – Hacking Cars, Rifles and Powerplants

Exactly as the title indicates, stuff that Velu saw and learned about in Las Vegas this year. Plus, we may also do an overview of Burp Suite and Zed Attack Proxy

About the Speaker Velu Jeganathan, CISSP, CISM,CEH working as a Senior Penetration Tester for Voya Financial. Has more than 25 yrs of IT Experience and about 10 years in Information Security. My interests are in Mobile Security, Vulnerability Management and Cryptography.

'''August 18, 6:30 pm - Access in Maliceland, by Gunnar Peterson.

John Lambert observed attackers win becaue while defenders think in lists, attackers think in graphs. Access control systems divide the system a priori into secure and insecure states. But that’s only worth the paper its printed on. A Attackers see the system as it is, for attackers, the access control scheme is the beginning of the game not the end. Determined attackers seek out access control models and then find holes that they can leverage. Access control systems that purport to protect the system are built on assumptions from which reality diverges. Application security needs a new approach to access control- adding feedback loops for risk based decisions, fine-grained, dynamic access control.

Security is a business with a very long list of issues and requirements. The spreadsheets are miles long. This makes it essential to find reusable solution patterns that can address multiple problems.This presentation looks at both medium term improvements and code examples to improve access control decisions and overall security today

About the Speaker Gunnar Peterson (@oneraindrop) focuses on security architecture consulting and training. Experience includes Associate Editor for IEEE Security & Privacy Journal, a Microsoft MVP for App security, an IANS Research Faculty member, a Securosis Contributing Analyst, and a Visiting Scientist at Carnegie Mellon Software Engineering Institute. He maintains a popular information security blog at http://1raindrop.typepad.com.

'''July 29, 6:30 pm - Defending Against Doxxing, by Ben Brown Abstract and Why This Topic is Important: Doxxing is the Internet-based practice of researching and broadcasting personally identifiable information about an individual. It is also a scourge on our internet lives that can quickly boil over into the physical realm. Often wielded as a weapon of hate or manipulation and a tactic for intimidation doxxing easily leads to real-world threats of violence, financial harm, sexual assault, career damage, or even murder. Examples of these impacts can be seen surrounding the recent events of 'GamerGate' through the targeting of Anita Sarkeesian, Felicia Day, Tara Long, and Brianna Wu. Doxxing also often leads to another tragic outcome; that of targets for hate being misidentified leading to unaffiliated individuals becoming the subjects of attack. Occurrences of this can be found in such online sagas as Anonymous vs. Scientology, the Amanda Todd case, and the incorrect fingering of Sunil Tripathi as the Boston Bomber. Given the real world impacts of being doxxed what can we do to protect ourselves, our friends, and our loved ones? In this talk I will highlight common methods employed by doxxers as well as methods to safeguard the information they seek. I will move from the easy wins and low-hanging fruit, with an eye for practicality, to the more complex and long-term defenses employed by professionals. While this is a pertinent topic for everyone I believe it is especially important for those who's livelihoods involve spending copious amounts of time interacting with the internet. Our Doxxing attack surfaces are larger than those for others.

Bio: Benjamin Brown currently works on systems safety, adversarial resilience, and threat intelligence at Akamai Technologies. He has experience in the non-profit, academic, and corporate worlds as well as degrees in both Anthropology and International Studies. Research interests include novel and side-channel attack vectors, radio systems, the psychology and anthropology of information security, metacognitive techniques, threat actor profiling, intelligence analysis, and thinking about security as an ecology of complex systems.

'''May 11, 6:30 pm - The State of US CyberSecurity with US Congressman James Langevin.

'''April 15, 6:30 pm - Threat Intelligence and OSINT with Stuart Gorton

'''March 18, 6:30 pm - Mining Ruby Gem Vulnerabilities for Fun and No Profit, Larry (@_larry0) Cashdollar, Akamai Technologies

'''February 18, 6:30 pm Digital Forensics, Jacob Fonseca, Digital Forensics and Cyber Security Center at University of Rhode Island Description: Jacob Fonseca will present the field of Digital Forensics - which is the application of forensics science to the identification, acquisition and analysis of digital evidence such as email, texts, digital documents, and web/social media activity. He will also describe aspects of cyber security and its overlap with digital forensics. He will outline the technical, legal and procedural issues in handling digital evidence, and illustrate it with cases in the media and cases from the RI Digital Forensics Center, which he directs. (the Center web site with degree programs, research, case work, etc is dfcsc.uri.edu).

Speaker: Jacob Fonseca is a digital forensic investigator and security researcher at the Digital Forensics and Cyber Security Center. He is an experienced network administrator and is responsible for creating and maintaining the DFCSC forensic lab and network systems. Mr. Fonseca specializes in applied computer science for research and education. He routinely works with state agencies toward improving the security posture of critical infrastructure in Rhode Island. He earned his Masters in Computer Science from the University of Rhode Island and holds several certifications in the areas of investigation and computer security. Slides

'''January 21, 6:30 pm - The Maturing Security Model, David Sherry, CISO Brown University

'''November 5, 6:30 pm - Web application firewalls as used in the enterprise, Ed Martin

Description: Overview of Web Application Firewall concepts – We will cover types of appliances, deployment methods and tuning principles Examples of different types of attacks will be given, as well as basic remediations

Bio: Web application firewall engineer, Dell Secureworks Former Senior Security Analyst and SOC mentor for Secureworks SANS: GSEC/GCIA/GWAPT ITILv3 Imperva IWSS certified

'''October 15, 6:30 pm

Title: Intro to Metasploit and Armitage

Speaker: Rob Kornmeyer

Bio: OSCP, Sec+, SPSE, A+ Executive Producer of Paul’s Security Weekly and Stogie Geeks. An Infosec student with interests in pen testing and embedded device hacking. Motto: Never Stop Learning.

Description: Learning about using Metasploit along with the Armitage module

'''September 17, 6:30 pm

Title: Advanced Threat Protection

Speaker: Taryn Mandrell Security Technology Manager, Inno4LLC

Description: We will discuss the importance of OWASP top 10 and well-known attacks (signature based) and how to additionally utilize endpoint protection (i.e. Whitelisting, MDM, BYOD, SIEM). We'll aim to educate on other services to protect from zero-day Malware...with a focus on the holistic approach to reduce the impact and cost of remediation in the event of data compromise, whether that be PCI, IP, PII, PHI, and so forth.

Food and beverages will be provided by our host and sponsor, Swipely!

August 13, 2014 6:30 pm Title:''' How a Hacker Views Your Web Site

Description: As developers, we look at a web site usually just one way, how it should work and what it should do. However hackers look at it differently, they try to figure out what else it can do. They poke and prod at every possible vector looking for a single way in to compromise a site. In this talk, we'll look at many of the possibilities and different ways that attackers try to hack your site.

'''July 16, 2014 6:30 pm

Title: Point-of-Sale Malware

Description: This is a Point of Sale Malware presentation focusing on breaches in the industry. This presentation uses the Target breach as an example, and cautions against following in Target’s footsteps, as well as outlining as a whole POS Malware and infection vectors most commonly experienced.

Speaker Bio: I am Milandon Foley, I’ve worked for Johnson & Wales University full time since I graduated in May of 2013, doing Point Of Sale security and various Malware and technical related tasks. I also work part-time for Dissect Cyber and have started doing various project maintainer tasks along with developing scripts and tools for protecting systems and networks. I have a BS in Network Engineering from JWU, but in terms of Information Security I am mainly self-taught and driven by the knowledge and information I learn from working these two jobs, as well as from developing my own side projects. You can find most of what I am working on at github.com/Theory5 and I am always open to connect via LinkedIn!

June 11, 2014, 6:30 pm Title:''' Running a non-attributable honeypot system via fly by night VPS providers

Description: Ben "@innismir" Jackson will talk about cheap VPS providers and how they make great homes for honeypots in which you can monitor the ankle biters that poke at your network day in and day out.

Speaker Bio: Ben spends his time enjoying being a husband, dad, and messing around with anything that has a button on it. He was the author for "Asterisk Hacking" from Syngress, has spoken at various conferences, and has appeared on various media outlets discussing security and privacy. Ben strongly dislikes Thursdays and writing about himself in the third person.

May 7, 2014, 6:30 pm Title:''' XSSValidator

Description: xssValidator is a tool developed to automate the testing and validation of Cross-Site Scripting (xss) vulnerabilities within web applications. This tool leverages Burp Suite Pro's extension API as well as PhantomJS, a headless, scriptable web browser.

Speaker: John Poulin is an application security consultant for nVisium who specializes in web application security. He worked previously as a web developer and software engineer that focused on building multi-tier web applications. When he's not hacking on web apps, John spends his time building tools to help him hack on web apps! You can find him on twitter: @forced_request

April 16, 2014 6:30 pm Title:''' OWASP Broken Web Applications (BWA) Project

Description: The presentation will include a demonstration of some of the realistic, vulnerable web applications within the OWASP BWA project, including applications written in PERL, PHP and Rails.

The presentation will demonstrate the many benefits of such vulnerable applications including:  Testing web application scanners (people) Testing web application scanners (products) Testing source code analysis tools</li> Examining code that allows the vulnerabilities</li> Testing web application firewalls</li> Reviewing evidence left by attacks</li> </ul>

Speaker: Mordecai Kraushar is Director of Audit for CipherTechs, a security solutions company based in New York City. He leads an OWASP project called Vicnum, (it is part of the OWASPBWA project) which demonstrates vulnerabilities such as cross-site scripting, SQL injections and session management issues that are helpful to IT auditors developing  web security skills. This application has also been used in multiple 'capture the flag' challenges including the Breaking Bad CTF at AppSecUSA in New York this past November.

'''March 19, 2014 6:30 pm

Ben Brown, Akamai Technologies

Meta Cognition and Critical Thinking in Open Source Intelligence (OSINT) or It's Turtles All the Way Down Mate

When gathering open source data and transforming it into actionable intelligence, it is critical to recognize that humans are not objective observers. Conscious and unconscious assumptions drive analysts' choices about which data to analyze and how much importance to ascribe to each resource. Furthermore, analysts' personal conceptual frameworks about reality and how the world works can undermine the process of objectively translating data into intelligence. These implicit assumptions, otherwise known as cognitive biases, can lead to missed data, skewed intelligence, illogical conclusions, and poor decision making. In this presentation I will illustrate cognitive biases relevant to OSINT and what can be done about them.

Speaker bio: Benjamin Brown currently works on systems safety, adversarial resilience, and threat intelligence at Akamai Technologies. He has experience in Non-profit, Academia, and the corporate world as well as degrees in both Anthropology and International Studies. Research interests include the psychology, anthropology, and sociology of information security, threat actor profiling, and thinking about security as an ecology of complex systems.

'''February 12, 2014 5:45 pm Preventing XSS with CSP Cross-Site Scripting is one of the most pervasive web application security flaws, and one attackers frequently target for attack. While the best line of defense for Cross-Site Scripting is defensively programming with proper input validation and context-sensitive output encoding, Content-Security Policy is quickly becoming a very effective mitigation strategy to protect sites' visitors and to warn application developers of potential attacks. This talk will cover content injection (including Cross-Site Scripting) and how Content-Security Policy mitigates many of the associated risks.

Will Stranathan is an application security professional in the Charlotte, North Carolina area. He's been writing rotten code for 32 years, and has spent the last ten years breaking rotten applications, analyzing rotten code, and writing rotten code which helps the world's best programmers identify their own rotten code, and training developers how to write code that's not so rotten.

'''November 25, 2013 5:45 pm Unmasking DDoS Protected Web Sites

We will have Allison Nixon, fresh off her talk at Black Hat in Las Vegas to show how to bypass DDoS-protected web sites. If you would like to participate, please bring the following setup:

Laptop with a WiFi connection, Kali Linux installed with Perl, Wireshark and ability to run as root. Please also have an email address where you are able to view the mail headers. Lastly, it would be helpful if you do have access to your own web server, though this one is not a requirement to participate.

'''September 23, 2013 5:45 pm JavaScript Verification: From Browsers to Pages

Modern web browsers implement a "private browsing" mode that is intended to leave behind no traces of a user's browsing activity on their computer. This feature is in direct tension with support for *extensions*, which let users add third-party functionality into their browser. I will discuss the scope of this problem, present our approach to verifying extensions' compliance with private browsing mode, and sketch our findings on several real, third-party extensions. I will then briefly describe the toolkit underlying our approach, and end with a sketch of a newer project, adapting this approach to the very different-seeming problem of statically catching errors when using the jQuery library.

'''Monday, April 15, 2013 5:45 pm Evolving WAS - Taking remediation to the next level

It will be presentation and discussion around some of the things he has found helpful in building and evolving security programs over the past few years. It will cover everything around building a program from the low level like scan engine choice, all the way to the high level needs like senior management buy-in techniques to establish a sustainable program. By Nick MacCarthy

'''Monday March 4, 2013 5:45 pm

Hands-on Hacking

If you remember our March 2012 meeting, we had Allison Nixon come and show us how to use SQL injection to get access to a web database, as well as how to prevent it. We learned how to think like a hacker. We'll we're going to bring that back and do something similar. Except this time, we're going to make it even more fun by turning it into a sort of capture the flag. We'll stay educational and non-competitive, and we'll aim to have multiple levels of flags to obtain.

We will look to have a lecture/lesson portion on SQL injection, then the hands-on time. We will then try to repeat the process for Cross-Site Scripting (XSS) where you can learn and play with the dangers of this vector.

Please bring your own laptop to be involved with the lessons. As always, we are demonstrating these techniques to help developers think like the attackers and so we can better understand the vectors and better understand how to protect our sites and code. OWASP, the organizers and sponsors do not condone illegal activity. We also remind you to never use these techniques against a site or network that you either do not own or do not have explicit, written permission to perform them on. In other words, don't blame us if you get arrested.

Wednesday November 7, 2012 5:45 pm PCI in the Cloud Interested in cloud security and compliance? Good architecture and planning are the foundation for solid security, but infrastructure providers have raised the level of abstraction and now companies of all sizes are making use of cloud services to build high-security environments with modest engineering effort. At Swipely, we process credit cards in partnership with the world's largest Payment Processor and the US’s largest bank. Learn how a startup can achieve Level 1 PCI Compliance through isolation, technology selection, and aggressive automation, all while promoting a security-conscious and agile engineering culture. Bright Fulton - [Swipely | http://www.swipely.com]/

200 Dyer Street, Providence, RI

Tuesday October 9, 2012 6:45 pm The Evolution of the Information Security Management Function

Information security has evolved as a discipline over the last two decades, and managing a security program is no longer just administering firewall rules. In this talk, the group will hear something away from the bits and bytes, and hear how security management programs are moving towards a holistic risk mitigation and reduction functions that may include privacy and compliance.

David Sherry, CISO, Brown University

Tuesday September 18, 2012 6:45 pm There is No Patch For Human Stupidity Darren will come and show us all the fun and foibles that come with the confidence game, also known as social engineering. Learn how to look out for people just trying to get information from you and steal all your secrets. Outsmart the smart people by just saying no. Darren Wigley, NWN Corporation

Tuesday August 21, 2012 6:45 pm Finding All The Ninjas in the Forrest: Web Application Testing Strategies Revisited Have you ever wondered what you might miss if an organization had over 800 web applications? How do you know where all your web applications exist? What if your targets built in traps for you to fall into? Finding, discovering, enumerating and testing for web application vulnerabilities is a tedious process. To top it all off, the remediation is rarely as easy as applying a patch or updating a configuration setting. Learn some tips and tricks to conduct more effective web application tests and help with remediation efforts. Paul Asadoorian - PaulDotCom (http://www.pauldotcom.com)

Tuesday July 17, 2012 6:45 pm

Practical Malware Analysis 101 Brandon Levene - Dell SecureWorks This will be an introduction to modern malware as the primary vector of intrusions. Detection of malware is crucial, and equally important is being able to differentiate between true and false positives. During this talk I will introduce techniques used by the industry to identify potentially malicious software without disassembly or debugging. Location: Brown University Continuing Education 200 Dyer Street Providence, RI |map

Monday June 4, 2012 6:45 pm Our next meeting is Monday, June 4, 6:45 pm at Swipely's headquarters in Providence's Jewelry District. The address is 39 Pike St in Providence (Google maps shows the church, but that's not it). The building also faces Benefit Street, across from Al Forno and has a billboard on the roof, near the Shell station. Come in through the side entrance.

You are all among the first to hear the great news about the Providence Web Application Security Group. As of April 25, we were granted chapter status with the Open Web Application Security Project (OWASP) for Rhode Island. This is a great development and you can find out more about OWASP at http://www.owasp.org

But if you don't want to surf the site to learn more, no worries, just come to the next meeting on Monday, June 4 to hear Tom Brennan from the OWASP International Board of Directors (via videoconference) tell us all about OWASP and everything they do and everything that is available to you. One of the best parts about OWASP is everything they do is FREE! They have free security tools, some free books, some free training, free videos, free meetings to attend and it's free to participate and contribute to new projects.

Also at the meeting, in keeping with the OWASP Security Blitz we will also have Paul McAndrew from Dell's Secureworks group to talk about Cross Site Scripting (XSS). Paul is a Security Analyst at Dell SecureWorks responsible for analysis and event management on thousands of IDS/IPS/WAF devices deployed globally. This broad view of the Internet gives insight into the current threat landscape and new threats as they are emerging. Paul has been a security hobbyist for over 10 years, with a specific interest in network and web application security.