Difference between revisions of "2012 BASC Presentations"

From OWASP
Jump to: navigation, search
Line 39: Line 39:
 
internet into a DMZ environment."
 
internet into a DMZ environment."
  
{{2012_BASC:Presentaton_Info_Template|Metasploit Hands On Presentation|Roy Wattanasin| | | }}
+
{{2012_BASC:Presentaton_Info_Template|Metasploit Fundamental Elements - Course 1|Roy Wattanasin| | | }}
 +
Audience: This class is open to all
 +
 
 +
This 50-minute class will give students a basic understanding of what is Metasploit, some of the features it allows and examples of how it can be used. This includes Meterpreter basics, the MSF command line interface, MSF console, using exploits and payloads. One example exploit that may be shown is the MS08-067 vulnerability and maybe another one per the class's choosing, time-permitting. This class is in no way the full class and is designed to get you using Metasploit in the class's timeframe.
 +
 
 +
Students are expected to already have Metasploit installed on their laptops (Download at http://www.metasploit.com/download/) with VMWare Workstation (trial version or the full version) with Windows XP (trial version or full that is not patched) OS installed as well. There will be no technical support because of the limited class time and we will be on an internal class wired network. All notes will be made available.
 +
 
 +
 
 +
Hardware and Software Requirements:<br/>
 +
A. The recommended is at least 50GB+ of hardrive space<br/>
 +
B. 4GB or more of RAM<br/>
 +
C. The more horsepower (CPU) you have, the better for virtual machines<br/>
 +
D. Metasploit installed<br/>
 +
E. VMWare Workstation<br/>
 +
F. Windows XP (unpatched) virtual machine
 +
 
 +
{{2012_BASC:Presentaton_Info_Template|Metasploit Continued - Course 2|Roy Wattanasin| | | }}
 +
Audience: Students that have taken the fundamental elements class or students that have an understanding of Metasploit or have already used it
 +
 
 +
This 1-hour course will continue where the fundamental elements class left off. This will be a quick overview of some of the mostly used features of Metasploit including information gathering and vulnerability scanning. We may have time to go over some exploit development, defeating antivirus and/or meterpreter scripting. This class will not cover MSF post exploitation.
 +
 
 +
Students are expected to already have Metasploit installed on their laptops (Download at http://www.metasploit.com/download/) with VMWare Workstation (trial version or the full version) with Windows XP (trial version or full that is not patched) OS installed as well. There will be no technical support because of the limited class time and we will be on an internal class wired network. All notes will be made available.
 +
 
 +
 
 +
Hardware and Software Requirements:<br/>
 +
A. The recommended is at least 50GB+ of hardrive space<br/>
 +
B. 4GB or more of RAM<br/>
 +
C. The more horsepower (CPU) you have, the better for virtual machines<br/>
 +
D. Metasploit installed<br/>
 +
E. VMWare Workstation<br/>
 +
F. Windows XP (unpatched) virtual machine
  
 
{{2012_BASC:Presentaton_Info_Template|NSA Configuration Guidelines for Baseline Security|Ray Cote| | | }}
 
{{2012_BASC:Presentaton_Info_Template|NSA Configuration Guidelines for Baseline Security|Ray Cote| | | }}

Revision as of 20:51, 2 October 2012

2012 BASC: Home Agenda Presentations Speakers

Contents

Sponsorships Available

Platinum Sponsors (Listed Alphabetically)
Silver Sponsors (Listed Alphabetically)

Akamai




Imperva




Rapid7

Cigital

Denim Group

GlobalSign

NetSPI

Praetorian

Security Management Partners

We kindly thank our sponsors for their support. Please help us keep future BASCs free by viewing and visiting all of our sponsors.
Sponsorships are still available.

Presentations

We would like to thank our speakers for donating their time and effort to help make this conference successful.


An Insider's Look: WAF and Identity and Access Management Integration

Presented by: Barracuda Networks

Data center security teams are being challenged to rapidly deploy and secure new applications while controlling costs and improving efficiency. In this presentation, we will provide an inside look at some of the problems with traditional access management implementations and how enterprises can sucessfully overcome these challenges by integrating web application firewall technologies with Identity and Access Management. Learn about best practices, specific use cases and how this new integration translates into operational simplicity for the enterprise.


Fuzzing and You: How to Automate Whitebox Testing

Presented by: Michael Anderson

Fuzzing is easy, but getting useful information from fuzzing isn’t. ‘Spray and pray’ might get some results, but a set of well-designed tests will get much better results faster. Unfortunately, the job doesn’t end there. Fuzzing doesn’t find vulnerabilities; fuzzing finds unexpected behavior. Interpreting that unexpected behavior relies on understanding the application you’re fuzzing and the tests you’ve designed. This presentation will discuss techniques for creating tests targeted towards uncovering specific behavior, including authorization bypasses, directory traversals, and buffer overflows.


Hiding Inside the "Real-Time Web" (to Take-Over the DMZ)

Presented by: Matt Wood

"Increasingly ""real-time"" web applications require new hacks on-top of HTTP that requires server support (e.g. WebSockets, SPDY); this presentation will demonstrate how this new functionality permits attackers to more effectively, and more stealthily establish bidirectional communication with compromised hosts; thus bypassing any outbound connection restrictions. We will cover the theory, historical techniques, defensive methodologies and new techniques throughout the presentation.

At the heart of these techniques is the ability to establish arbitrary bidirectional TCP connections given vulnerabilities in web applications, even in the presence of restrictive DMZ firewalls; this is a ""well-known"" attacker methodology. Attackers have for many years known to abuse the trusted relationship between web servers (or any exposed service!) and perimeter firewalls (inbound ports). Generally these tricks come at a price and are something that can be detected by a vigilant security team.

We will discuss how attackers can easily bypass outbound firewall rules, the history of these methodologies, and common defensive techniques combating this threat. Furthermore, new techniques will be described that utilize ""real-time"" protocols; specifically, how can these new techniques create back-channels and simultaneously hide from those vigilant security teams, increase the throughput and reliability of an attacker’s ""VPN"", and arbitrarily direct traffic from the internet into a DMZ environment."


Metasploit Fundamental Elements - Course 1

Presented by: Roy Wattanasin

Audience: This class is open to all

This 50-minute class will give students a basic understanding of what is Metasploit, some of the features it allows and examples of how it can be used. This includes Meterpreter basics, the MSF command line interface, MSF console, using exploits and payloads. One example exploit that may be shown is the MS08-067 vulnerability and maybe another one per the class's choosing, time-permitting. This class is in no way the full class and is designed to get you using Metasploit in the class's timeframe.

Students are expected to already have Metasploit installed on their laptops (Download at http://www.metasploit.com/download/) with VMWare Workstation (trial version or the full version) with Windows XP (trial version or full that is not patched) OS installed as well. There will be no technical support because of the limited class time and we will be on an internal class wired network. All notes will be made available.


Hardware and Software Requirements:
A. The recommended is at least 50GB+ of hardrive space
B. 4GB or more of RAM
C. The more horsepower (CPU) you have, the better for virtual machines
D. Metasploit installed
E. VMWare Workstation
F. Windows XP (unpatched) virtual machine


Metasploit Continued - Course 2

Presented by: Roy Wattanasin

Audience: Students that have taken the fundamental elements class or students that have an understanding of Metasploit or have already used it

This 1-hour course will continue where the fundamental elements class left off. This will be a quick overview of some of the mostly used features of Metasploit including information gathering and vulnerability scanning. We may have time to go over some exploit development, defeating antivirus and/or meterpreter scripting. This class will not cover MSF post exploitation.

Students are expected to already have Metasploit installed on their laptops (Download at http://www.metasploit.com/download/) with VMWare Workstation (trial version or the full version) with Windows XP (trial version or full that is not patched) OS installed as well. There will be no technical support because of the limited class time and we will be on an internal class wired network. All notes will be made available.


Hardware and Software Requirements:
A. The recommended is at least 50GB+ of hardrive space
B. 4GB or more of RAM
C. The more horsepower (CPU) you have, the better for virtual machines
D. Metasploit installed
E. VMWare Workstation
F. Windows XP (unpatched) virtual machine


NSA Configuration Guidelines for Baseline Security

Presented by: Ray Cote

We've found this NSA resource to provide very useful and clear guidance -- this 15-minute talk will tell you about it.


Pitfalls of Secure SDLC and How to Succeed With Automation

Presented by: Rohit Sethi & Ehsan Foroughi

People have been talking about secure Software Development Life Cycles (SDLCs) for years, but there has been little traction in scaling secure SDLC activities outside of a few very security-conscious companies. We assert that a key reason for this is that to scale, these processes require automation. Static analysis, web application firewalls, and dynamic testing are the primary methods many organizations use to secure their applications because these tools can scale effectively. However, there is widespread acknowledgement that relying solely on verification activities for security is neither cost effective nor holistic. In fact, a 2012 study by SD Elements (to be published) indicates that on average 42% of security requirements are NOT covered by automated static and/or dynamic testing tools. To efficiently scale secure SDLC, we emphasize on process automation via criteria-based requirement generation, contextual on-the-job training for developers, and smart checklists. Our data indicates a significant savings for the organization on remediation costs. This talk discusses the process automation in detail and demonstrates how it effectively scales to large development teams.


Secure Password Storage: Increasing Resistance to Brute Force Attacks

Presented by: Scott Matsumoto

In the event that your password table gets into the wild, how long will it take an attacker to expose the plaintext passwords? The recent set of well publicized disclosures of user passwords raised the question of whether current best practices adequately protect passwords from brute force attacks by many of our clients. In addition, with the advent of GPU-based (or FPGA) computing where GPUs are used for general purpose computing, are the current defenses and practices built for brute-force attacks sufficient? Cigital reviewed the current hardware innovations, analyzed the current methods for protecting passwords at rest and whether the methods sufficiently protected the passwords from being revealed using today’s hardware.

This talk discusses the pros and cons of the current practices such as salted-hashes, adaptive hashes and proposes an alternative solution for strengthening these existing practices. The talk will discuss the cryptographic properties of the current practices, but does not require a PhD in mathematics to understand the details.


Streamlining Application Vulnerability Management: Communication Between Development and Security Teams

Presented by: John Dickson

Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.


Quick Response Mal-Codes

Presented by: Jim Weiler

QR Code (abbreviated from Quick Response Code) is the trademark for a type of matrix barcode (or two-dimensional code) consisting of black modules (square dots) arranged in a square pattern on a white background. There are numerous free mobile applications that interpret QR codes. There are also different types of 2D codes and tags - Microsoft Tags and NFC tags. Users may receive text, add a vCard contact to their device, open a Uniform Resource Identifier (URI), or compose an e-mail or text message after scanning QR Codes. When the app is running and a QR image that fills a certain portion of the screen is focused on, the app executes the QR command. The problem is that the mobile apps execute the QR action without asking the user anything. The malicious exploits can be: directing the mobile app to open a malicious web page that downloads malware to the device; sending text messages that cost money, adding malicious Vcards to the address book that take over the address book. The possible data types available in QR codes allow a great range of malicious actions - Website URL; YouTube Video; Google Maps Location ; Twitter; Facebook; LinkedIn; FourSquare; iTunes Link; Plain Text; Telephone Number; Skype Call; SMS Message; Email Address; Email Message; Contact Details (VCARD); Event (VCALENDAR); Wifi Login (Android Only); Paypal Buy Now Link

This talk will cover the different types of codes, the mobile apps that use them and their risks.

You can find out more about this conference at basc2012.org
Conference Organizer: Jim Weiler