Difference between revisions of "BeNeLux OWASP Day 2012"

From OWASP
Jump to: navigation, search
Line 111: Line 111:
 
<!-- Fifth tab -->
 
<!-- Fifth tab -->
 
= Conferenceday =
 
= Conferenceday =
 
 
<!-- Sixth tab -->
 
= Social Event =
 
 
The social event is scheduled for Thursday, 29th of November, 19:00 at
 
<br>
 
<br>
 
<center>
 
Leuven (TBD)
 
<br>
 
 
Remark: Costs are around eur. 10,00.
 
 
<!-- Seventh tab -->
 
= CTF  =
 
 
Do you like puzzles? Do you like challenges? Are you a hacker?
 
 
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2012 and participate in the Capture the Flag event November 30th 2012 in Leuven (place TBD). 
 
 
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.
 
 
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools.
 
 
So come to Leuven, show off your skills, learn new tricks and above all have a good time at the CTF event.
 
 
 
 
<!-- Eighth tab -->
 
= Slides =
 
 
=== Slides will be available online ===
 
 
  
 
<!--
 
<!--
Line 189: Line 155:
 
-->
 
-->
  
<!-- deze laten staan. is handig om anchors te vinden tijdens edi (seba) __TOC__ -->
+
<!-- Sixth tab -->
 +
= Social Event =
  
=====Speech 1=====
+
The social event is scheduled for Thursday, 29th of November, 19:00 at
 +
<br>
 +
<br>
 +
<center>
 +
Leuven (TBD)
 +
<br>
  
=====Speech 2=====
+
Remark: Costs are around eur. 10,00.
<!--
+
=====OWASP SIMBA - guarding your applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Koen_Vanderloock.2C_Leader_Security_Competence_Group_at_Cegeka Koen Vanderloock], Leader Security Competence Group at Cegeka)=====
+
[[OWASP SIMBA Project|SIMBA (Security Integration Module for Business Applications)]] is a OWASP project that provides you with a User Access Management system that can be integrated with any business application. The purpose of SIMBA is to secure an application fast and easy. Because SIMBA itself is generic it can be customized for every project. Many features are customizable e.g. designing your own authentication chain is easy and fast by using existing or newly created building blocks. SIMBA contains authentication, authorization, session management and a GUI to manage your security information.
+
 
+
======Koen Vanderloock, Leader Security Competence Group at Cegeka======
+
Koen Vanderloock is the leader of the security competence group at Cegeka.  About  2 years ago Cegeka decided to create a sandbox for investigating security issues and solutions so they could be included in the current projects. 
+
Koen Vanderloock is a Java developer with 8 years of experience and started exploring the world of security 3 years ago when UAM problems started to occur.
+
 
+
=====Practical Crypto Attacks Against Web Applications (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Justin_Clarke.2C_Director_and_Co-Founder_of_Gotham_Digital_Science_Ltd Justin Clarke], Director and Co-Founder of Gotham Digital Science Ltd)=====
+
The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a tester, if they know what they're looking for, but in general it isn't a well tested area.
+
 
   
 
   
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.
+
<!-- Seventh tab -->
 +
= CTF  =
  
======Justin Clarke, Director and Co-Founder of Gotham Digital Science Ltd======
+
Do you like puzzles? Do you like challenges? Are you a hacker?
Justin is a Director and Co-Founder of Gotham Digital Science and an experienced software security consultant with extensive international Big 4 risk management, security consulting and testing experience. He is the lead author/technical editor of "SQL Injection Attacks and Defenses" (Syngress 2009), co-author of "Network Security Tools" (O'Reilly 2005), contributor to "Network Security Assessment, 2nd Edition" (O'Reilly 2007), as well as a speaker at various security conferences and events such as Black Hat, EuSecWest, ISACA, BruCON, OWASP, OSCON, RSA and SANS. He is currently the OWASP London chapter president, and a member of the OWASP Global Connections Committee.
+
On 10 Oct 2011, at 09:33, Seba wrote:
+
  
=====HTML5 security (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Lieven_Desmet.2C_Research_Manager_at_Katholieke_Universiteit_Leuven Lieven Desmet], Research Manager at Katholieke Universiteit Leuven)=====
+
Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2012 and participate in the Capture the Flag event November 30th 2012 in Leuven (place TBD).
In this talk, Lieven will highlight the results of the HTML5 security analysis, conducted by the DistriNet Research Group (K.U.Leuven). The security analysis of next generation web standards, commissioned by ENISA, looked into 13 emerging W3C web standards (i.e. the specification of HTML 5 and some of the associated APIs), and assessed the security of each of them as well as the overall security and consistency across specifications.
+
  
In total 51 security threats and issues have been identified, and detailed in the ENISA report (http://www.enisa.europa.eu/html5). During the talk, Lieven will discuss the methodology developed to assess the huge amount of specifications, and zoom into a representative set of identified threats and their remediation.
+
The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.
  
======Lieven Desmet, Research Manager at Katholieke Universiteit Leuven======
+
All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools.  
Lieven Desmet is the Research Manager on Secure Software at the Katholieke Universiteit Leuven (Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.
+
  
=====Overcoming iOS Data Protection to Re-Enable iPhone Forensics (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Andrey_Belenko.2C_Chief_Security_Researcher_at_ElcomSoft Andrey Belenko], Chief Security Researcher at ElcomSoft)=====
+
So come to Leuven, show off your skills, learn new tricks and above all have a good time at the CTF event.  
Data protection is a feature available for iOS devices (iOS 4 and up) with hardware encryption: iPhone 4S, iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature had complicated iPhone forensics process because now (almost) all files on user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.
+
  
This talk will provide in-depth information about iOS Data protection internals and on the implication it had on iOS forensics. More specifically, it will cover the following:
 
*System keys and their hierarchy
 
*Device passcode and its recovery
 
*Escrow keys
 
*Filesystem encryption
 
*Keychain encryption
 
  
Presentation will start by providing attendees with required background on iOS encryption keys architecture: system keys, passcode key, escrow key. After attendees are familiar with those concepts, presentation will continue to filesystem and keychain encryption details and to the techniques that can be used to overcome the hurdles imposed by iOS Data Protection.
 
  
======Andrey Belenko, Chief Security Researcher at ElcomSoft======
+
<!-- Eighth tab -->
Chief security researcher and software developer at Elcomsoft. Co-invented ThunderTables (which are improved RainbowTables) and was first to bring GPU acceleration to password recovery. M. Sc. IT and CISSP.
+
= Sponsor =
 
+
LinkedIn: http://ru.linkedin.com/in/belenko
+
 
+
Twitter: @andreybelenko
+
 
+
=====Do you... Legal? (by [https://www.owasp.org/index.php/BeNeLux_OWASP_Day_2011#Ludovic_Petit.2C_Group_Fraud_.26_Information_Security_Adviser_at_SFR.2C_Vodafone_Group Ludovic Petit], Group Fraud & Information Security Adviser at SFR, Vodafone Group) =====
+
 
+
The OWASP core mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. However, if you do not pay enough attention to many aspects of Legal compliance, you'll see why Web Application Security is somehow linked to Legal and Regulatory aspects as well as... Corporate Responsability, so yours. Who is accountable for what, what about each other's responsibility? Nowadays, the legal constraints oblige us to comply via technical means, whatever the local framework, and this is specially true for Web Application Security, many sensitive informations having to be handled through these web interfaces. A such, what do you think about your Security Policy compliance with your local Legal framework? Compliant? Sure? Really? Interesting isn't it? Let's have a talk about this.
+
 
+
======Ludovic Petit, Group Fraud & Information Security Adviser at SFR, Vodafone Group======
+
Ludovic is an internationally recognised information security expert with over 25 years experience. Last 15 years spent in various Corporate Management positions covering both Technical and Law Enforcement expertise dedicated to Mobile Telecommunications Fraud and Security in multi-national corporations.
+
 
+
Ludovic is Chapter Leader & Founding Member OWASP France and an active contributor to OWASP in several roles and projects.
+
 
+
LinkedIn Profile: http://www.linkedin.com/in/lpetit
+
 
+
=====Dynamic malware analysis - or: The ~five  deadly (anti-)venoms (by Sascha Rommelfangen, Incident Management - Security Research at CIRCL) =====
+
Malware reversing is a time consuming task. Many approaches are available to dissect and analyse suspicious binaries. Dynamic malware analysis is one of the option to better understand them and also a nifty companion to static analysis.  The current dynamic malware analysis techniques will be presented especially the ones relying on instrumented operating system systems (from the filesystem to the network stack).  You'll see a wandering through common and less common malware partially analysed using dynamic analysis and how dynamic malware analysis can help you.
+
 
+
===== The limits of e-banking (by Jean-Marc Bost and Sébastien Bischof, ECLA)  =====
+
The swiss german TV channel SF1 showed a footage on swiss e-banking security. The TV show follows a team of the ETH who earned a special authorization to test several e-anking platforms. After admitting that a personal computer can be infected by different means (actually 5% of the tested PCs are infected according to Microsoft), The team from Zürich showed the limits of the different platforms. Only the bank who signs each transaction is labelled as safe. We will come back during the presentation on the nature of the threat.<br>First of all, we will explain how famous malwares such as Zeus and SpyEye manage to steal from their victims without them being able to notice anything. Then we will see that e-banking is not the only target, as a matter of fact, the reality is far from this.<br>And then we will comment the most recent techniques that allow malwares to escape Antivirus and Antimalware programs even if they are up to date. We will vulgarize several concepts such as DKOM and bootkits in order to let everybody have a glimpse on the danger they represent.<br>Finally, we will think about if signing each transaction can efficiently fight off these threats. In fact, when attacks are coupled with Social Engineering, they have potentially no limit. Zeus is a living proof of this fact, because it even managed to attack the transaction validation system by SMS. As a conclusion, we will see that the e-banking platform that managed to resist the tests of the ETH team is vulnerable to such kind of attacks.
+
 
+
====== Jean-Marc Bost, ELCA  ======
+
Jean-Marc Bost leads the security division at ELCA. <br>He is in charge of the various security solutions proposed by ELCA, some being released by ELCA, others being provided by partner vendors. <br>With a significant experience in the development of internet applications, he focused 10 years ago on their need for security. <br>Since then, he has been very active in&nbsp;:<br>- demonstrating the threats, in particular for ebanking<br>- conceiving practical and patented solutions for strong authentication, online transactions, electronic signature and secured documents<br>- presenting the findings of the security division in security events and through expert talks<br>  
+
 
+
====== Sébastien Bischof, ELCA  ======
+
Sébastien Bischof works in the security division at ELCA Where he is specialized in OS-level and communication security.<br>As a major result, he developped a fully-working proof-of-concept of an attack against a sophisticated USB token for safe-browsing.<br>He obtained his Master of Science in Engineering at HEIG-VD/HES-SO with a strong emphasis on IT Security.<br>During his education, he focused on obfuscation and rootkit techniques.<br>Computer security enthusiast, he is very interested in hackings events such as Insomni'hack and keeps himself informed on the latest threats throuhg active participation in security forums.
+
 
+
=====The Rise of the Vulnerability Markets - History, Impacts, Mitigations (by Thierry Zoller, Verizon) =====
+
A decade has gone by and the security area is no longer the same, amongst other factors sophistication and motivation changed tremendously. This talk will give you a crash course on the history of vulnerability discovery and market value, a brief excurse into the world of Vulnerability Markets, how they emerged, how they vary and what this implies for those that are defending. The presentation will conclude with an Attacker Classification System (Attacker Triad) and an associated assurance model around OWASP OSVS. Some parts of this presentation will only be done in live and will not be published after this conference.
+
 
+
====== Thierry Zoller, Verizon ======
+
Born and living in Luxembourg, Thierry has been active in the Information Security space since over 14 years, he works as an EMEA wide Practise Lead and Professional Service Manager for Verizon Business Luxembourg. His past experience includes, maintaining a well known malware research site, leading a security software company, shifting over into the realms of Information Security Consulting focusing on Luxembourg (PSF), creating a national penetration test center, being Director of Security Services and Products for n.runs and doing information security consulting for "too big to fail" type of enterprises (formally known as "Fortune 100"). Thierry was endorsed as a TOP 10 Security Researcher by IBM Xforce in 2009.
+
 
+
Thierry is leading the Verizon Business SDLC efforts and is managing the Microsoft SDL PRO partnership EMEA wide, he maintains a blog at http://blog.zoller.lu
+
 
+
-->
+
 
+
<br>
+
 
+
==== Organisation  ====
+
 
+
The BeNeLux Day 2012 Program Committee:
+
 
+
*Martin Knobloch / Ferdinand Vroom ([[Netherlands|OWASP Netherlands]])
+
*Bart De Win / Sebastien Deleersnyder ([[Belgium|OWASP Belgium]])
+
*Jocelyn Aubert / Andre Adelsbach ([[Luxembourg|OWASP Luxembourg]])
+
*Steven van der Baan ([[:Category:OWASP CTF Project|Capture The Flag]])
+
 
+
Local organization:
+
 
+
*Thomas Engel
+
*Radu State
+
*Magali Martin
+
*Aurel Machalek
+
  
==== Sponsorship  ====
+
==== Become a sponsor of OWASP BeNeLux ====
  
Contact seba &lt;at&gt; owasp.org for sponsorship
+
==== Donate to OWASP BeNeLux ====
  
 
<paypal>BeNeLux OWASP Day 2012</paypal>  
 
<paypal>BeNeLux OWASP Day 2012</paypal>  
  
 
 
</center>
 
  
 
==== Promotion  ====
 
==== Promotion  ====
Line 309: Line 202:
  
 
The bad news: there are only 160 seats available (first register, first serve)!
 
The bad news: there are only 160 seats available (first register, first serve)!
 
 
'''PROGRAM Day 1'''
 
* 10:00 AM - 18:00 PM: OWASP Training Day
 
* 19:00 PM - ?: Social event
 
 
<!--
 
'''OWASP Training: Secure Application Development''', by Eoin Keary<br>
 
This intensive one-day training focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2010) and the MITRE Top 25. The training will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.
 
 
-->
 
 
'''PROGRAM Day 2'''
 
* 10:00 AM - 18:00 PM: OWASP Conference
 
 
<!--
 
List of '''confirmed speakers''' (more to be announced soon):
 
*Brenno De Winter (Journalist) on the Diginotar story
 
*Koen Vanderloock (Lead Security Competence Group at Cegeka) on the new OWASP Simba project
 
*Justin Clarke (Director and Co-Founder of Gotham Digital Science Ltd) on practical crypto attacks against web applications
 
*Lieven Desmet (Research Manager at University Leuven) on HTML5 security
 
*Andrey Belenko (Chief Security Researcher at ElcomSoft Co. Ltd) on iOS data protection internals
 
*Sascha Rommelfangen (Incident Management - Security Research at CIRCL) on dynamic malware analysis
 
*Ludovic Petit (Group Fraud & Information Security Adviser at SFR, Vodafone Group) on WebApp Security and legal and regulatory aspects
 
*Seba Deleersnyder & Eoin Keary (OWASP Board) on OWASP Update
 
-->
 
 
'''ORGANIZATION<br>'''
 
OWASP's all-volunteer participants produce free, professional quality, open-source documentation, tools, and standards on application security. An example of this is the famous OWASP top ten of most critical web application security flaws. The OWASP community facilitates conferences, local chapters, articles, and message forums. Participation in OWASP is free and open to all, as are all the materials we produce.
 
 
'''WHO should attend?<br>'''
 
Anyone interested in Web Application Security (management, security professionals, developers, students, etc). OWASP Belgium, Netherlands and Luxembourg chapters membership is free. All meetings are free. There are never vendor pitches or sales presentations at OWASP meetings.<br>
 
Check our chapter page http://www.owasp.org/index.php/Belgium on meeting details, sign up to the chapter mailing list and introduce yourself.<br>
 
Check our chapter page http://www.owasp.org/index.php/Netherlands on meeting details, sign up to the chapter mailing list and introduce yourself.<br>
 
Check our chapter page http://www.owasp.org/index.php/Luxembourg on meeting details, sign up to the chapter mailing list and introduce yourself.<br>
 
 
'''WHEN<br>'''
 
Thursday and Friday, 29th and 30th of November, 2012 (10 AM - 7 PM)
 
 
'''WHERE<br>'''
 
'''University of Leuven<br>
 
Department of Computer Science, KU Leuven<br>'''
 
Celestijnenlaan 200A<br>
 
3001 Heverlee<br>
 
Belgium<br>
 
[http://wms.cs.kuleuven.be/cs/ Website]<br>
 
 
Attention: make sure to '''book your hotel in time''', it will be difficult to find rooms in Leuven around Nov 29-30!<br>
 
Hotel details https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2012#tab=Venue
 
 
'''REGISTRATION<br>'''
 
Only 160 places, please '''Register upfront: http://owaspbenelux2012.eventbrite.com''' !<br>
 
All latest details are available on http://www.owaspbenelux.eu<br>
 
Hope to see you all!<br>
 
 
 
  
  

Revision as of 04:52, 17 October 2012

Owaspbnl12header.jpg



[edit]

Welcome to OWASP BeNeLux 2012

Confirmed trainers for Trainingday

  • Dan Cornell (Denim group) - SDLC with open source tools
  • Dinis Cruz (Security Innovation) - Advanced O2
  • Volkert de Buisonjé (Sogeti) Secure Java Development with ESAPI (Hands-On )

Confirmed speakers Conferenceday

  • Dinis Cruz (Security Innovation) - Making Security Invisible by Becoming the Developer’s Best Friends
  • Rüdiger Bachmann and Achim D. Brucker (SAP) - Code review large companies
  • Lieven Desmet (Distrinet, KU Leuven) - Sandboxing JavaScript
  • Herbert Bos and Asia Slowinska (VU Amsterdam) - Body Armor for Binaries
  • Marc Hullegie and Kees Mastwijk (Vest) - Forensics
  • Dan Cornell (Denim group) - Streamlining Application Vulnerability Management: Communication Between Development and Security Teams
  • John Wilander (OWASP Sweden) - Browser security
  • Seba Deleersnyder (OWASP) - Update on OWASP

The OWASP BeNeLux Program Committee

  • Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
  • Martin Knobloch / Ferdinand Vroom, OWASP Netherlands
  • Jocelyn Aubert / Andre Adelsbach, OWASP Luxembourg
  • Steven van der Baan, OWASP CTF Project

Tweet!

Event tag is #owaspbnl12

OWASP BeNeLux training day and conference are free!


To support the OWASP organisation, consider to become a member, it's only US$50!
Check out the Membership page to find out more.

Registration is open:

Buttoncreate.png


Venue is the Department of Computer Science @ KU Leuven

Celestijnenlaan, 200a
3001 Heverlee
Belgium


Parking:

There is a public parking close to the conference venue.


Hotels nearby:


Trainingday, November 29th


The training room is: Paul Feidert (for details, check the Venue tab)


Registration starts at xxhxx

Training will start at xxhxx and we plan to stop at xxhxx.



OWASP Training: Title of training here, by Trainername here

Abstract: Abstract here

This course includes coverage of the following areas:

  • TOC here

Hands on Exercises

Instructions here]

Audience

Targeted audience here

Level: Select lever here (Beginner/ Intermediate/ Advanced)

Prerequisite: Enter prerequisites here

e.g. Bring your laptop...

Trainer Bio:

Enter trainerbio here


The social event is scheduled for Thursday, 29th of November, 19:00 at

Leuven (TBD)

Remark: Costs are around eur. 10,00.

Do you like puzzles? Do you like challenges? Are you a hacker?

Whether you are an old hacker or new enthusiast you should come to OWASP BeNeLux days 2012 and participate in the Capture the Flag event November 30th 2012 in Leuven (place TBD).

The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.

All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools.

So come to Leuven, show off your skills, learn new tricks and above all have a good time at the CTF event.


<center> Hosted and co-organized by:





Made possible by our sponsors:
List is being updated... Stay tuned!