Belgium Events 2010

These are the 2010 events of the OWASP Belgium Chapter.

Previous year: 2009. Next year: 2011.

WHEN
September 21st 2010 18h-20h

WHERE
Hosted by Distrinet Research Group (K.U.Leuven).

Pizza's sponsored by F5 Networks

Address: Department of Computer Science (auditorium 00.225) Celestijnenlaan 200 A 3001 Heverlee

Routemap: http://distrinet.cs.kuleuven.be/about/route/

PROGRAM
The agenda:


 * 18h00 - 18h30: Welcome &amp; Pizza's
 * 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, SAIT Zenitel, OWASP Board)
 * 18h45 - 19h45: Attacking and Defending the Grid (by Justin Searle)
 * The Smart Grid brings greater benefits for utilities and customer alike, however these benefits come at a cost from a security perspective. This presentation will explore how the increased functionality and complexity also increases the Smart Grid's attack surface, or in other words, increases the ways attackers can compromise the Smart Grid's new infrastructures, systems, and business models.  We'll discuss several specific attack avenues against the Smart Grid and recommendations for mitigating or blocking these attacks.
 * Justin Searle, a Senior Security Analyst with InGuardians, specializing in the penetration testing of web applications, networks, and embedded devices. Justin currently leads the Smart Grid Security Architecture group of the CSWG (Cyber Security Work Group) for NIST (National Institute of Standards and Technologies) and is a member of ASAP-SG (Advanced Security Acceleration Project for the Smart Grid).  Previously, Justin served as JetBlue Airway’s IT Security Architect, and has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities and corporations.  Justin has presented at top security conferences including DEFCON, ToorCon, ShmooCon, and SANS.  Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudnum.  Justin has an MBA in International Technology and is CISSP and SANS GIAC-certified in incident handling and hacker techniques (GCIH) and intrusion analysis (GCIA).


 * 19h45 - 20h00: Break
 * 20h00 - 21h00: How I Met Your Girlfriend (by Samy Kamkar)
 * The discovery and execution of entirely new classes of attacks executed from the Web in order to meet your girlfriend. This includes newly discovered attacks including HTML5 client-side XSS (without XSS hitting the server!), PHP session hijacking and weak random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via Javascript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a Web browser (not using IP geolocation), and more.
 * Samy Kamkar is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. A co-founder of Fonality, Inc., an IP PBX company, Samy previously led the development of all top-level domain name server software and systems for Global Domains International (.ws).
 * In the past 10 years, Samy has focused on evolutionary and genetic algorithmic software development, Voice over IP software development, automated security and vulnerability research in network security, reverse engineering, and network gaming. When not strapped behind the Matrix, Samy can be found stunt driving, getting involved in local community service projects, and continuing his focus on staying out of jail.

WHEN
June 16th 2010 18h-20h

WHERE
Location was sponsored by Zenitel Belgium.

Location: Zenitel Belgium, Z.1. Research Park 110 – 1731 Zellik, Belgium (same building as http://www.u2u.net/Route.aspx)

PROGRAM
The agenda:


 * 18h00 - 18h30: Welcome &amp; Refreshments
 * 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Zenitel, OWASP Board)
 * 18h45 - 20h00: Advanced SQL Injection (by Joe McCray, Learn Security Online)
 * SQL Injection is a vulnerability that is often missed by web application security scanners, and it's a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited. Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.
 * The key areas are:
 * Re-Enabling stored procedures
 * Old and new ways of obtaining an interactive command-shell
 * Data Exfiltration via DNS
 * IDS Evasion & Web Application Firewall Bypass
 * Privilege Escalation
 * Joe McCray has 10 years of experience in the security industry with a diverse background that includes network and web application penetration testing, forensics, training, and regulatory compliance. Joe is a frequent presenter at security conferences, and has taught Ethical Hacking and Web Application Security at Johns Hopkins University (JHU), University of Maryland Baltimore College (UMBC), and several other technical training centers across the country.

WHEN
June 1st 2010 18h-21h

WHERE
Location is sponsored by Cisco Belgium.

Location: Cisco, Pegasus Park, De Kleetlaan, 6A, B-1831 Diegem. See directions.

PROGRAM
The agenda:


 * 18h00 - 18h30: Welcome &amp; Refreshments
 * 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Zenitel, OWASP Board)
 * 19h00 - 20h00: The Belgian e-ID: hacker vs developer (by Erwin Geirnaert and Frank Cornelis)
 * Presentation + discussion: What can go wrong when implementing the Belgian eID in an unsecure way to authenticate a user? We will discuss the security issues, the problems with trust, SSL and some examples of a bad implementation. We will demo how to use WebScarab to intercept and change authentication data on the fly, impersonating somebody else.
 * To help developers to implement it correctly, we will give away best practices and a road map to do it properly using the new eID applet with entity authentication.
 * This presentation will be given by Frank Cornelis, Developer @ Fedict, who is responsible for the new eID applet and Erwin Geirnaert, co-founder & white-hat hacker @ ZION SECURITY, who has reviewed unsecure implementations of eID authentication


 * 20h00 - 20h15: Break
 * 20h15 - 21h15: Analyzing the Accuracy Of Web Application Scanners (by Larry Suto)
 * Presentation + discussion: Analyzing the Accuracy Of Web Application Scanners
 * This talk summarizes my recent study related to benchmarking a set of web application scanners against target test sites constructed by the scanner vendors themselves. I will review the methodology and some of the challenges that were faced as the tests were conducted. I have received some interesting feedback from the vendors and the security community. This new information will be integrated into the presentation. The controversial nature of "Point and Shoot" and "Trained" scanning will be addressed and scanning issues related to cloud computing/SaaS will be covered. The presentation will cover some thoughts on open source scanners such as Skipfish and W3AF. Finally I will go into the ideas for another round of testing and the possibility of soliciting target apps from the community.
 * Larry Suto is an application security consultant based in the San Francisco Bay Area. He is focused on software security analysis and the testing the effectiveness of software security tools.

WHEN
Monday, February 1th, 2010 (18h00pm-21h00pm), together with ISSA Belgium.

WHERE
Location sponsored by Ernst&amp;Young's Information Security Team. address: De Kleetlaan 2, 1831 Diegem (Route + Google Maps)

PROGRAM
The agenda:


 * 18h00 - 18h30: Welcome &amp; Refreshments
 * 18h30 - 18h45: OWASP Update (by Sebastien Deleersnyder, Zenitel, OWASP Board)
 * 18h45 - 19h00: ISSA Update (by Bart Moerman, ISSA)
 * 19h00 - 20h00: GreenSQL: an Open Source database firewall (by Yuli Stremovsky, VP of Research and Development at GreenSQL)


 * Presentation + discussion: GreenSQL, an open source database security solution, is available for three years. With the release of version 1.2 GreenSQL started providing support to PostgreSQL besides MySQL. GreenSQL provides a reverse proxy solution to SQL statements and during the reverse proxy process provides several security mechanisms. The lecture will focus on the latest version of GreenSQL and the solution for SQL injection and other attacks.
 * Yuli Stremovsky is a database security expert. He is responsible for design, development of novel database protection solution - GreenSQL. He is an experienced security consultant that worked for a number of leading financial institutions, telecom and health service companies. In the past, he was also involved in software development in a number of start-up companies including development of the security products.


 * 20h00 - 20h15: Break
 * 20h15 - 21h15: MOBILE MALWARE NOW AND IN THE FUTURE (by Mikko Hypponen, Chief Research Officer at F-Secure Corp)


 * Presentation + discussion:
 * Mobile Platforms
 * Situation 2005-2009
 * Current threats
 * Case: The Ikee / Duh botnet on jailbroken iPhones
 * Case: Android banking trojans
 * Future scenarios
 * How to fight content security problems in mobile world?
 * Mikko Hypponen is the Chief Research Officer for F-Secure. He has worked with F-Secure since 1991 and has led his team through the biggest malware outbreaks in history. Mr. Hypponen has assisted law enforcment in USA, Europe and Asia on cybercrime cases. He has written for magazines such as Scientific American, Foreign Policy and Virus Bulletin.

REGISTRATION
There are only 100 seats available (first register, first serve)! Please send a mail to Belgium 'at' owasp.org if you plan to attend.