Difference between revisions of "BeNeLux OWASP Day 2013"

From OWASP
Jump to: navigation, search
m (updated coffee break and some beautifying)
m (speker info in conference order)
Line 163: Line 163:
 
| 10h15 - 10h30 || Sebastien Deleersnyder, OWASP Global || OWASP update  
 
| 10h15 - 10h30 || Sebastien Deleersnyder, OWASP Global || OWASP update  
 
|-
 
|-
| 10h30 - 11h10 || [[#JanJorisVereijken|Jan Joris Vereijken]] || [['''Keynote: Inside the mind of the fraudster''']] <br>''Abstract:''
+
| 10h30 - 11h10 || [[#JanJorisVereijken|Jan Joris Vereijken]] || '''Keynote: Inside the mind of the fraudster''' <br>''Abstract:''
 
|-
 
|-
 
| 11h10 - 11h30  
 
| 11h10 - 11h30  
Line 170: Line 170:
 
| 11h30 - 12h10 || [[#TomVanGoethem|Tom Van Goethem]] || '''Remote code exection in WordPress: an analysis''' <br>''Abstract:''
 
| 11h30 - 12h10 || [[#TomVanGoethem|Tom Van Goethem]] || '''Remote code exection in WordPress: an analysis''' <br>''Abstract:''
 
|-
 
|-
| 12h10 - 12h50 || [[#JanPhilipp|Alexios Fakos & Jan Philipp]] || '''Getting a handle on SharePoint security complexity''' <br>''Abstract:''
+
| 12h10 - 12h50 || [[#AlexiosFakosAndJanPhilipp|Alexios Fakos & Jan Philipp]] || '''Getting a handle on SharePoint security complexity''' <br>''Abstract:''
 
|-
 
|-
 
| 12h50 - 13h30
 
| 12h50 - 13h30
Line 177: Line 177:
 
| 13h30 - 14h10 || [[#DickBerlijn|Dick Berlijn]] || '''Keynote: Cyber warfare''' <br>''Abstract:''
 
| 13h30 - 14h10 || [[#DickBerlijn|Dick Berlijn]] || '''Keynote: Cyber warfare''' <br>''Abstract:''
 
|-
 
|-
| 14h10 - 14h50 || Migchiel de Jong || ''' Static Analysis and code review; A journey through time, ''' <br>''Abstract:''
+
| 14h10 - 14h50 || [[#MigchieldeJong|Migchiel de Jong]] || ''' Static Analysis and code review; A journey through time, ''' <br>''Abstract:''
 
|-
 
|-
 
| 14h50 - 15h30 || [[#NickNikiforakis|Nick Nikiforakis]] || '''Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)''' <br>''Abstract:''
 
| 14h50 - 15h30 || [[#NickNikiforakis|Nick Nikiforakis]] || '''Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)''' <br>''Abstract:''
Line 195: Line 195:
  
  
<div id="'JanJorisVereijken"></div>
+
<div id="JanJorisVereijken"></div>
 
=== Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) ===
 
=== Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING) ===
 
''Abstract:''<br>
 
''Abstract:''<br>
Line 206: Line 206:
 
<br>
 
<br>
  
<div id="'JeromeNokin"></div>
+
<div id="TomVanGoethem"></div>
=== Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business) ===
+
=== Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven) ===
 
''Abstract:''<br>
 
''Abstract:''<br>
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves.
+
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.
Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow.
+
Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?
+
 
<br>
 
<br>
 
<br>
 
<br>
 
''Bio:''<br>
 
''Bio:''<br>
'''Jerome Nokin''' works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests
+
'''Tom Van Goethem''' is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br>
and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.<br>
+
 
<br>
 
<br>
  
 
+
<div id="AlexiosFakosAndJanPhilipp"></div>
<div id="'JanPhilipp"></div>
+
 
=== Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs) ===
 
=== Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs) ===
 
''Abstract:''<br>
 
''Abstract:''<br>
Line 228: Line 224:
 
''Bio:''<br>
 
''Bio:''<br>
 
'''Jan Philipp''' (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.<br>
 
'''Jan Philipp''' (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.<br>
'''Alexios Fakos''' (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.<br>
+
'''Alexios Fakos''' (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.
 +
<br>
 
<br>
 
<br>
  
<div id="TomVanGoethem"></div>
+
<--
=== Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven) ===
+
<div id="DickBerlijn"></div>
 +
=== Title, by Dick Berlijn ===
 
''Abstract:''<br>
 
''Abstract:''<br>
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.
 
 
<br>
 
<br>
 
<br>
 
<br>
 
''Bio:''<br>
 
''Bio:''<br>
'''Tom Van Goethem''' is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br>
+
'''Dic Berlijn''
 
<br>
 
<br>
 +
<br>
 +
-->
  
<div id="'NickNikiforakis"></div>
+
<div id="MigchieldeJong"></div>
 +
=== Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify) ===
 +
''Abstract:''<br>
 +
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.
 +
<br>
 +
<br>
 +
''Bio:''<br>
 +
'''Migchiel de Jong''' has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.<br>
 +
<br>
 +
 
 +
<div id="NickNikiforakis"></div>
 
=== Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven) ===
 
=== Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven) ===
 
''Abstract:''<br>
 
''Abstract:''<br>
Line 262: Line 271:
 
<br>
 
<br>
  
 
+
<div id="JeromeNokin"></div>
 +
=== Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business) ===
 +
''Abstract:''<br>
 +
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves.
 +
Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow.
 +
Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?
 +
<br>
 +
<br>
 +
''Bio:''<br>
 +
'''Jerome Nokin''' works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests
 +
and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.<br>
 +
<br>
  
 
<div id="VictorvanderVeen"></div>
 
<div id="VictorvanderVeen"></div>
Line 273: Line 293:
 
<br>
 
<br>
 
''Bio:''<br>
 
''Bio:''<br>
Victor van der Veen is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).
+
'''Victor van der Veen''' is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).
 
<br>
 
<br>
  
<div id="MigchieldeJong"></div>
 
=== Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify) ===
 
''Abstract:''<br>
 
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.
 
<br>
 
<br>
 
''Bio:''<br>
 
Migchiel de Jong has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.<br>
 
<br>
 
 
 
 
<!--
 
 
<div id="TomVanGoethem"></div>
 
=== Remote Code Exection in WordPress: an analysis, by Tom Van Goethem (PhD University Leuven) ===
 
''Abstract:''<br>
 
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.
 
<br>
 
<br>
 
''Bio:''<br>
 
Tom Van Goethem is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).<br>
 
<br>
 
 
=== Body Armor for Binaries, by Asia Slowinska (Vrije Universiteit Amsterdam) ===
 
''Abstract:''<br>
 
BinArmor is a novel technique to protect existing C binaries from memory corruption attacks on both control data and non-control data. Without access to source code, non-control data attacks cannot be detected with current techniques. Our approach hardens binaries against both kinds of overflow, without requiring the pro- grams’ source or symbol tables. We show that BinArmor is able to stop real attacks—including the recent non- control data attack on Exim. Moreover, we did not in- cur a single false positive in practice. On the downside, the current overhead of BinArmor is high—although no worse than competing technologies like taint analysis that do not catch attacks on non-control data. Specifi- cally, we measured an overhead of 70% for gzip, 16%- 180% for lighttpd, and 190% for the nbench suite.<br>
 
<br>
 
''Bio:''<br>
 
I am a postdoctoral researcher in the System and Network Security group at the Vrije Universiteit Amsterdam, under the guidance of Prof. dr. ir. Herbert Bos.<br>
 
I obtained my PhD from the Vrije Universiteit Amsterdam. My dissertation Using information flow tracking to protect legacy binaries was completed under the supervision of Prof. dr. ir. Herbert Bos, while my copromotor was Prof. dr. ir. Henri E. Bal.<br>
 
During my PhD studies, I interned twice with Microsoft Research Cambridge, where I joined the Systems and Performance Group. I also spent few months interning with the Systems and Security Department at Institute for Infocomm Research in Singapore.<br>
 
My research focuses on developing techniques to automatically analyze and reverse engineer complex software that is available only in binary form. Further, I’ve been looking into mechanisms that proactively protect software from malicious activities. Currently, I am involved in a project on Reverse Engineering of binaries, known as Rosetta.<br>
 
<br>
 
 
-->
 
  
 
<!-- Sixth tab -->
 
<!-- Sixth tab -->

Revision as of 22:06, 18 November 2013

Bnl13header-v.1.0.png



[edit]

Welcome to OWASP BeNeLux 2013

Registration is now open!

Buttoncreate.png


Confirmed speakers Conference

  • Dick Berlijn (ex Chief of Defence NL)
  • Jan Joris Vereijken (ING)
  • Tom Van Goethem (University Leuven)
  • Jerome Nokin (Verizon Business)
  • Nick Nikiforakis (University Leuven)
  • Fakos Alexios and Jan Philipp (n.runs AG)
  • Migchiel de Jong (HP Fortify)
  • Victor van der Veen (ITQ)


The OWASP BeNeLux Program Committee

  • Bart De Win / Sebastien Deleersnyder/ Lieven Desmet/ David Mathy, OWASP Belgium
  • Martin Knobloch / Ferdinand Vroom, OWASP Netherlands
  • Jocelyn Aubert / Andre Adelsbach/ Thierry Zoller, OWASP Luxembourg


Tweet!

Event tag is #owaspbnl13

Donate


OWASP BeNeLux training day and conference are free!

Registration is not now open:

Buttoncreate.png


To support the OWASP organisation, consider to become a member, it's only US$50!
Check out the Membership page to find out more.


Venue is

RAI Amsterdam - Entrance G

Emerald Room
(On the first floor of the Auditorium Centre)
Europaplein 2-22
1078 Amsterdam, THE NETHERLANDS


Parking & roadmap:

There is a public parking at the conference venue.

Roadmap and parking:



Hotels nearby:



Conferenceday, November 29th

Location

TBD (for details, check the Venue tab)

Agenda

Time Speaker Topic
09h00 - 10h00 Registration
10h00 - 10h15 OWASP Benelux Organization Welcome
10h15 - 10h30 Sebastien Deleersnyder, OWASP Global OWASP update
10h30 - 11h10 Jan Joris Vereijken Keynote: Inside the mind of the fraudster
Abstract:
11h10 - 11h30 Morning Break
11h30 - 12h10 Tom Van Goethem Remote code exection in WordPress: an analysis
Abstract:
12h10 - 12h50 Alexios Fakos & Jan Philipp Getting a handle on SharePoint security complexity
Abstract:
12h50 - 13h30 Lunch
13h30 - 14h10 Dick Berlijn Keynote: Cyber warfare
Abstract:
14h10 - 14h50 Migchiel de Jong Static Analysis and code review; A journey through time,
Abstract:
14h50 - 15h30 Nick Nikiforakis Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask)
Abstract:
15h30 - 15h50 Break
16h30 - 17h10 Jerome Nokin Turning your managed Anti-Virus into my botnet
Abstract:
17h10 - 17h50 Victor van der Veen TraceDroid: A Fast and Complete Android Method Tracer
17h50 - 18h00 OWASP Benelux 2013 organization Closing Notes




Key note: Inside the mind of the fraudster, by Jan Joris Vereijken (Chief Security Architect, ING)

Abstract:
When we talk about banking malware, we typically think of bits and bytes: Zeus variants, field injections, Man-in-the-Browser attacks, or forensic analysis of infected PCs. What is actually much more interesting, is to understand what is driving the fraudster. He’s doesn’t care about bits and bytes, he’s just in it for the money. If we get into the mind of the fraudster, we can suddenly understand many issues much better. We’ll see that authentication is irrelevant, fraudsters don’t want to steal millions, that they hate the mobile app, and many more surprising things your never realized were keeping our poor fraudster awake at night.

Bio:
Jan Joris Vereijken holds a Ph.D. in Computing Science from the Eindhoven University of Technology, where he worked on algebraic protocol verification. After a brief stint at Bell Laboratories to work on Software Engineering, he moved to ING, the Dutch banking conglomerate.
In his current role as Chief Security Architect, he is responsible for the security architecture in the 35-odd countries where ING has banking operations.

Remote code exection in WordPress: an analysis, by Tom Van Goethem (PhD Researcher, University of Leuven)

Abstract:
With over 13 million downloads, WordPress is one of the most popular open source blog platforms and content management systems. One of its key features is the installation of plugins. These are developed by third parties, but WordPress has to maintain its legacy codebase in order to remain compatible with these plugins. As this codebase makes use of unsafe functions, vulnerabilities may arise, affecting thousands websites - if not more. This presentation will focus on a vulnerability that has been present in WordPress versions up to September 2013. This vulnerability, which may lead to Remote Code Execution, was found by a simple combination of two publicly known elements: PHP Object Injection and unexpected behaviour of MySQL regarding Unicode characters.

Bio:
Tom Van Goethem is passionate about web security. After getting a master's degree of Applied Informatics, he enrolled in a PhD at the University of Leuven. As a student with a chronic drinking problem, he still found some time to hunt bugs for fun (and profit).

Getting a handle on SharePoint security complexity, by Jan Philipp (Solutions Consultant Security, n.runs) and Alexios Fakos (Principal IT Security Consultant, n.runs)

Abstract:
This presentation’s main goal is to provide decision makers, architects, administrators and developers with a comprehensive SharePoint security overview. We will introduce a SharePoint security model applicable to SharePoint versions 2010 and 2013. Then we will take a closer look at the use of different types of security principals and their effective use. This will be followed by covering security aspects when implementing and extending SharePoint to meet business needs and will be emphasized by showcasing common security pitfalls with examples throughout the presentation. This will be demonstrated with security down to the “nitty-gritty” details based on actual use cases and tips and pitfalls that have been encountered during security assessments and implementation of SharePoint solutions.

Bio:
Jan Philipp (MCT since 1989, MCITP, MCSE) works as a security consultant at n.runs, where he is responsible for design and implementation security assessments of complex global SharePoint infrastructures and solutions for major German and international companies. He has been involved with SharePoint technologies from their inception with Digital Dashboards throughout their many development changes (TeamSpaces, MOSS etc.) to the present day SharePoint and SharePoint Live versions.
Alexios Fakos (CRISC, CSSLP) began his career in development as a Software Engineer back in 1999. After seven years of inspired insights in the software industry he joined n.runs to be part of the security team. Alexios is leading n.runs SDL services and he is since 2008 part of the German OWASP chapter. Alexios held presentations at OWASP AppSec US and Germany.

<--

Title, by Dick Berlijn

Abstract:


Bio:
'Dic Berlijn

-->

Static Analysis and code review; A journey through time, by Migchiel de Jong (Software Security Consultant, HP Fortify)

Abstract:
Static analysis techniques to support code review, not just for security, have been around for a long time. This talk will take you on journey from the early days of computer science to this modern day and age of cloud, BYOD and mobile apps and how the passing of time affected code review and the technology to support it. The takeaways from this session are; Understanding the fundamentals problems that have to be addressed to really get the benefits from using static analysis for code review. Trends in code review. Best practices for code review. What the future holds for code review.

Bio:
Migchiel de Jong has developed hardware and software for the nuclear medicine and nuclear industry space for 10 years before joining Rational Software. During the 5 years at Rational Software (later acquired by IBM) he was involved in many software development process improvement projects. Having joined Fortify 9 years ago, Migchiel de Jong is currently working at HP Fortify, as a software security consultant helping large customers succeed with their software security assurance initiatives.

Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), by Nick Nikiforakis (Postdoctoral Researcher, University of Leuven)

Abstract:
Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users.

In this talk, we are going to describe web-based device fingerprinting, i.e., the ability to tell users apart, without the use of cookies or any other client-side identifiers. We will explain how device fingerprinting works, who is using, for what reason, and how people are trying to defend against it today.

Bio:
Nick Nikiforakis is a Postdoctoral Researcher at KU Leuven in Belgium. Nick's interests lie in the analysis of online ecosystems from a security and privacy perspective and he has published his work in top conferences of his field. More information about him can be found on his personal page: http://www.securitee.org .

Turning your managed Anti-Virus into my botnet, by Jerome Nokin (Senior Security Consultant, Verizon Business)

Abstract:
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of a reviewing the security posture of the core components of a few selected managed AV solutions, the central servers themselves. Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow. Particular focus will be given to the different steps required to analyze both protocols and management functionality and covers reverse-engineering, debugging and the creation of fuzzing tools. Who does not want to transform a major managed AV into his private botnet within minutes?

Bio:
Jerome Nokin works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.

TraceDroid: A Fast and Complete Android Method Tracer, by Victor van der Veen (Security Consultant, ITQ)

Abstract:
Tracedroid allows you to upload any Android APK file (i.e., an Android app) for automated analysis. Tracedroid records the behavior of the executed app, such as its network communication, the UI, but also its internal function calls and Java code that is executed. To trigger the app's real behavior, Tracedroid emulates a few actions, such as user interaction, incoming calls and SMS messages, etc. - this will reveal most malicious intents of an app (if any).
During this presentation, I will outline how Tracedroid is implemented and how its stimulation engine performs in terms of code coverage. I will also demonstrate how Tracedroid's output can help malware researchers to gain a better understanding of unknown Android applications during a live demo.
You can already give TraceDroid a try via http://tracedroid.few.vu.nl

Bio:
Victor van der Veen is a security consultant at ITQ and holds a MSc degree in Computer Science from the VU University Amsterdam. TraceDroid is part of his master thesis titled ‘Dynamic Analysis of Android Malware’ for which he co-worked with the Andrubis team from Vienna’s iSecLab. His interests are low-level system topics that enhance system security, as well as reverse engineering and analyzing malicious code. His previous work involves the implementation of a (partial) thrust-worthy voting machine and an in depth analysis on trends in the field of memory errors (published at RAID 2012).


Social Event, November 28th

You (still) got that swing, and what about the moves ? We've got the Balls!

So "Pin" your schedule to the OWASP Benelux Days - Social Event.
Thursday Night the 28th of November, our partner Vest Information Security is happy to invite you at:
Knijn Bowling
Scheldeplein 3
1078 GR Amsterdam
http://www.knijnbowling.nl/
This is Amsterdams most famous retro-style bowling centre.
We are very happy to welcome you from 20:30.
Our Bowling Tracks are open from 21:30 - 24:00

More details about the registration for the social event will be online soon!


The OWASP BeNeLux-Day 2013 Social Event is sponsored by:" Logo_Vest_BIG_170.gif

Capture the Flag!

  • Do you like puzzles?
  • Do you like challenges?
  • Are you a hacker?

Whether you are an experienced hacker or new enthusiast you should come to OWASP BeNeLux 2013 and participate in the Capture the Flag event November 29th 2013.

The OWASP CTF is especially designed to support challengers of all skill levels. The CTF contains multiple challenges in various fields related to application security. As every challenge gains you one point, you can pick and choose which challenge you want to play.

All you need is a laptop with a wifi card and your favorite (preferably) non-commercial tools.

So come, show off your skills, learn new tricks and above all have a good time at the CTF event.


Made possible by our Sponsors

PWC_log_resized.png        Zionsecurity.jpg Logo_Vest_BIG_170.gif Checkmarx.jpg Sogeti_logo.png Securify_BV_logo.png Whitehat.gif        Nviso_logo_RGB_baseline_200px.png Logo_Informatiebeveiliging-200.png HP_Blue_RGB_150_LG-200.png