OWASP EEE Bucharest Event 2015 Agenda
Latest revision as of 10:50, 12 October 2015


Conference agenda

8:30 - 9:00 (30 mins)
Registration

9:15 - 10:00 (45 mins)
From SCADA to IoT - Cyber Security
Speaker: Bogdan Matache (https://ro.linkedin.com/in/bogdanmatache/en)
Slides: https://www.owasp.org/images/3/38/OWASP_2015_v2_-_BM.pdf
The presentation dwells on the distinctive issues of cybersecurity in the world of the Internet of Things (IoT). It starts with a short overview of the entities and trends of IoT: Industrial Control Systems (ICS), SCADA, consumer IoT, communication protocols and operating modes, threats and vulnerabilities for ICS / IoT. The presentation moves on to illustrating protection profiles, non-invasive penetration testing for ICS/IoT and finishes with a few considerations on building and operating a security operation center for SCADA / ICS / IoT.

10:00 - 10:45 (45 mins)
Application security, Gamification and how they fit together
Speaker: Amit Ashbel (https://il.linkedin.com/pub/amit-ashbel/0/383/641)
Slides: https://www.owasp.org/index.php/File:OWASP_Romania.pptx
While studies clearly show a majority of cyber-attacks initiate at the application level, both web and mobile application development is booming and it seems that security was left behind… again.
Agile development, continuous integration and DevOps methodologies allow organizations to frequently release new and updated functionality. Can application security keep up? What solutions can rise to the challenge and how can they make your life easier?
In this session you will learn:
  • What are the main application security solutions, and what are their pros and cons?
  • How can developers screw it up, and how can they be the key to a successful application security program?
  • How and why education should be at the core of application security

11:00 - 11:45 (45 mins)
XML Based Attacks
Speaker: Daniel Tomescu (https://www.linkedin.com/pub/daniel-tomescu/b0/94b/b92?trk=pub-pbmap)
Slides: https://www.owasp.org/images/5/58/XML_Based_Attacks_-_OWASP.pdf
The presentation is focused on general and specific attack vectors in applications that use XML and additional technologies. The audience will learn how some of the OWASP Top 10 vulnerabilities can be reproduced using XML vectors, how XML External Entities can be used in order to read local files and how XML can be used in order to cause Denial of Service in vulnerable applications.
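The two XML attacks named in that abstract, as an added example that is not taken from the talk or its slides: a pre-parse inspection of the DTD that flags external entities (the local-file read) and computes, from the declarations alone, how many characters the internal entities would expand to (the denial-of-service case), followed by a parse routine that enforces a policy based on that report instead of trusting a parser's defaults. The payloads, entity names and the 100,000-character budget are constructed for this example.

```python
"""Pre-parse DTD inspection for untrusted XML.

Entities can only be declared in a DTD, so inspecting the DTD before the
document reaches a real parser catches both classes the talk names: an
external entity (XXE, reads a local file or URL) and internal entities that
expand exponentially (billion laughs, DoS)."""
import re
import xml.etree.ElementTree as ET

# Constructed payloads in their textbook shapes (not taken from the slides).
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>"""


def billion_laughs(depth: int = 9, fanout: int = 10) -> bytes:
    """Build the nested-entity DoS document: lolN is `fanout` copies of lol(N-1)."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for n in range(1, depth + 1):
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{n} "{refs}">')
        prev = f"lol{n}"
    head = '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n  '
    return (head + "\n  ".join(decls) + f"\n]>\n<lolz>&{prev};</lolz>").encode()


_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b")
_SUBSET_RE = re.compile(rb"<!DOCTYPE[^\[>]*\[(?P<subset>.*?)\]\s*>", re.S)
_ENTITY_RE = re.compile(
    rb'<!ENTITY\s+(?P<name>[A-Za-z_][\w.-]*)\s+(?:(?P<kind>SYSTEM|PUBLIC)\s+)?"(?P<lit>[^"]*)"'
)
_REF_RE = re.compile(rb"&(?P<ref>[A-Za-z_][\w.-]*);")


def entity_declarations(xml: bytes) -> dict:
    """name -> ("internal", literal) or ("external", uri); parameter entities ignored."""
    m = _SUBSET_RE.search(xml)
    if not m:
        return {}
    return {
        e["name"].decode(): ("external" if e["kind"] else "internal", e["lit"])
        for e in _ENTITY_RE.finditer(m["subset"])
    }


def expansion_size(name: str, decls: dict, memo: dict, stack=()) -> int:
    """Characters `name` expands to, computed without expanding anything."""
    if name in stack:
        raise ValueError(f"recursive entity {name}")  # illegal XML, guard anyway
    if name in memo:
        return memo[name]
    if name not in decls:
        memo[name] = 1  # predefined (&amp; ...) or undeclared: at most one character
        return 1
    kind, lit = decls[name]
    if kind == "external":
        memo[name] = 0  # size unknown until fetched; reported separately as XXE
        return 0
    size, pos = 0, 0
    for ref in _REF_RE.finditer(lit):
        size += ref.start() - pos  # literal text before this reference
        size += expansion_size(ref["ref"].decode(), decls, memo, stack + (name,))
        pos = ref.end()
    memo[name] = size + len(lit) - pos
    return memo[name]


def inspect(xml: bytes) -> dict:
    """Report what the DTD would do if a parser honoured it."""
    decls = entity_declarations(xml)
    m = _SUBSET_RE.search(xml)
    body = xml[m.end():] if m else xml
    memo = {}
    expansion = sum(
        expansion_size(r["ref"].decode(), decls, memo) for r in _REF_RE.finditer(body)
    )
    return {
        "has_dtd": bool(_DOCTYPE_RE.search(xml)),
        "external_entities": {n: lit.decode() for n, (k, lit) in decls.items() if k == "external"},
        "expansion": expansion,
    }


def safe_parse(xml: bytes, max_expansion: int = 100_000) -> ET.Element:
    """Policy: no external entities, bounded expansion; then hand to ElementTree."""
    report = inspect(xml)
    if report["external_entities"]:
        raise ValueError(f"external entities rejected: {report['external_entities']}")
    if report["expansion"] > max_expansion:
        raise ValueError(f"entity expansion {report['expansion']} exceeds {max_expansion}")
    return ET.fromstring(xml)
```

With the default fan-out of 10 and depth 9 the single `&lol9;` in the body expands to 3,000,000,000 characters, which is the whole attack: a few hundred bytes of input, gigabytes of work for the parser. The check runs on the raw bytes, so it applies the same way whichever XML library sits behind it; the simplest policy of all, rejecting any document with a DOCTYPE, is what most web frameworks should do for API input.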
12:00 - 12:45 (45 mins)
Dark appsec made simple
Speaker: Alexander Antukh (https://ru.linkedin.com/in/antukh)
Slides: https://www.owasp.org/images/f/fa/OWASP_EEE_Darkappsec_final.pdf
In this talk I would like to present the results of my security research on applications in the "darknet" - a place where even low-risk vulnerabilities can become crucial for successful de-anonymization. We will go through different techniques of de-anonymizing subjects and will see that privacy is a much harder topic than it appears to be. Finally, some vulnerabilities in real, well-known services will be presented.

12:55 - 13:40 (45 mins)
Attack is easy, let's talk defence. From threat modelling to intelligence driven defence.
Speakers: Teodor Cimpoesu (https://ro.linkedin.com/in/cteodor) and Cosmin Anghel (https://ro.linkedin.com/pub/cosmin-anghel/b6/344/a99)
Slides: https://www.owasp.org/images/2/28/Attack_is_easy%2C_let's_talk_defence_v3.pdf
Warfare is hard in asymmetric territories, and while the cyber realm favours offence, defence is even harder. Modern cyber security talks about adversaries and threat actors, attack modelling and the defence chain, but there is little information about implementing these concepts. We propose to have a look at the modern approaches to taming security complexity by implementing intelligence driven defence in day-to-day operations.

13:40 - 14:30 (50 mins)
Lunch/Coffee Break

14:30 - 15:15 (45 mins)
Your Intents are dirty, droid
Speakers: Ionescu Razvan-Costin (https://ro.linkedin.com/in/ionescr) and Stefania Popescu (https://ro.linkedin.com/pub/cristina-stefania-popescu/84/b0a/3aa)
Slides: https://www.owasp.org/images/1/14/OWASP_fuzzinozer.pdf
Analyzing the Inter-Process Communication mechanism and monitoring how applications communicate through intents is essential for the integrity of the Android system.
Drozer is a comprehensive security attack framework for Android. It can analyse Android's Inter-Process Communication (IPC) mechanism and interact with the underlying operating system. Drozer also helps us to remotely exploit Android devices. At this moment Drozer doesn't provide fuzz testing of intents in Android. This presentation aims to present a new Drozer module, "Fuzzinozer", which allows us to send fuzzed intents to the applications installed on the Android device, analyse the system logcat and collect information on which of the intents have generated crashes.
After a session of intents is run, the module parses the saved logcat and creates seed files. A seed file is generated when an intent crash is produced and it contains the list of all intents that have been executed until the moment of the crash. Using this functionality, we can recreate the same testing environment and retest a session of intents to see if the crash happens again.
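The logcat-to-seed-file step described in that abstract, as an added example written for this page and not Fuzzinozer's own code: given the intents a fuzzer sent and the logcat saved afterwards, find each FATAL EXCEPTION of the target package, attribute it to the last intent sent before it, and emit a seed containing every intent up to and including the culprit, plus the drozer console commands to replay it. The package name, the four intents, the logcat excerpt and the assumption that intent timestamps and logcat share a clock are all constructed for this example; the `app.activity.start` flags are written from memory and should be checked against `help app.activity.start` in your drozer version.

```python
"""Crash triage for an intent-fuzzing session: logcat in, replayable seeds out."""
import json
import re
from dataclasses import asdict, dataclass, field


@dataclass
class Intent:
    sent_at: str          # "HH:MM:SS.mmm"; assumed to be the same clock logcat uses
    action: str
    package: str
    component: str        # short form, e.g. ".Worker"
    extras: dict = field(default_factory=dict)


# Constructed session against a hypothetical com.example.app (not from the talk).
SESSION = [
    Intent("10:00:01.000", "android.intent.action.VIEW", "com.example.app", ".MainActivity", {"uri": "http://x/"}),
    Intent("10:00:02.000", "com.example.app.PROCESS", "com.example.app", ".Worker", {"count": "-1"}),
    Intent("10:00:03.000", "com.example.app.PROCESS", "com.example.app", ".Worker", {"count": "A" * 4096}),
    Intent("10:00:04.000", "android.intent.action.SEND", "com.example.app", ".ShareActivity"),
]

# Constructed excerpt in `logcat -v time` format; the third and fourth intents crash the app.
LOGCAT = """\
10-12 10:00:01.120 I/ActivityManager(  800): START u0 {act=android.intent.action.VIEW cmp=com.example.app/.MainActivity}
10-12 10:00:02.050 I/ActivityManager(  800): START u0 {act=com.example.app.PROCESS cmp=com.example.app/.Worker}
10-12 10:00:03.040 I/ActivityManager(  800): START u0 {act=com.example.app.PROCESS cmp=com.example.app/.Worker}
10-12 10:00:03.210 E/AndroidRuntime( 4242): FATAL EXCEPTION: main
10-12 10:00:03.211 E/AndroidRuntime( 4242): Process: com.example.app, PID: 4242
10-12 10:00:03.212 E/AndroidRuntime( 4242): java.lang.NumberFormatException: For input string: "AAAA"
10-12 10:00:03.213 E/AndroidRuntime( 4242):     at java.lang.Integer.parseInt(Integer.java:521)
10-12 10:00:04.060 I/ActivityManager(  800): START u0 {act=android.intent.action.SEND cmp=com.example.app/.ShareActivity}
10-12 10:00:04.300 E/AndroidRuntime( 4243): FATAL EXCEPTION: main
10-12 10:00:04.301 E/AndroidRuntime( 4243): Process: com.example.app, PID: 4243
10-12 10:00:04.302 E/AndroidRuntime( 4243): java.lang.NullPointerException: Attempt to invoke virtual method on a null object reference
"""

LINE_RE = re.compile(
    r"^\d\d-\d\d (?P<time>\d\d:\d\d:\d\d\.\d{3}) (?P<prio>[VDIWEF])/(?P<tag>[^(]+)"
    r"\(\s*(?P<pid>\d+)\): (?P<msg>.*)$"
)


def find_crashes(logcat: str, package: str) -> list:
    """[{time, pid, process, exception}] for each FATAL EXCEPTION raised in `package`."""
    crashes, pending = [], None
    for line in logcat.splitlines():
        m = LINE_RE.match(line)
        if not m or m["tag"] != "AndroidRuntime":
            continue
        msg = m["msg"].strip()
        if msg.startswith("FATAL EXCEPTION"):
            pending = {"time": m["time"], "pid": m["pid"], "process": None, "exception": None}
        elif pending and m["pid"] == pending["pid"]:
            if msg.startswith("Process: "):
                pending["process"] = msg[len("Process: "):].split(",")[0]
            elif not msg.startswith("at "):
                pending["exception"] = msg  # first non-frame line is the exception itself
                if pending["process"] == package:
                    crashes.append(pending)
                pending = None
    return crashes


def build_seeds(session: list, crashes: list) -> list:
    """One seed per crash: every intent sent up to and including the suspected culprit."""
    seeds = []
    for crash in crashes:
        # zero-padded HH:MM:SS.mmm strings compare correctly as text
        before = [i for i in session if i.sent_at <= crash["time"]]
        if before:
            seeds.append({"crash": crash, "intents": before})
    return seeds


def seed_file(seed: dict) -> str:
    """JSON text the fuzzer can reload to replay exactly this sequence."""
    return json.dumps({"crash": seed["crash"], "intents": [asdict(i) for i in seed["intents"]]}, indent=2)


def drozer_commands(seed: dict) -> list:
    """Console commands to replay the seed by hand (flag syntax assumed; see lead-in)."""
    cmds = []
    for i in seed["intents"]:
        cmd = f"run app.activity.start --component {i.package} {i.package}{i.component} --action {i.action}"
        for key, value in i.extras.items():
            cmd += f" --extra string {key} {value}"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    for seed in build_seeds(SESSION, find_crashes(LOGCAT, "com.example.app")):
        print(seed["crash"]["exception"], "<- intent #", len(seed["intents"]))
        print("\n".join(drozer_commands(seed)))
```

Attribution by "last intent before the crash" is a heuristic: an app can crash asynchronously from an earlier intent, which is exactly why the seed keeps the whole prefix of the session rather than only the suspected intent, so the replay reproduces the same state.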

15:20 - 16:05 (45 mins)
Reversing the Apple Sandbox
Speaker: Razvan Deaconescu (https://ro.linkedin.com/in/razvandeaconescu)
Slides: https://www.owasp.org/images/5/58/OWASP_-_EEE_2015_-_Reversing_the_Apple_Sandbox.pdf
Apple OSes (Mac OS X and iOS) use a variety of security mechanisms, one of which is sandboxing. Sandboxing uses kernel-based support to enforce strict operations for a given application. However, documentation for the Apple sandbox is scarce and only a few people have delved into its internals.
In this talk we present the process of reversing Apple sandbox profiles, allowing us to shed light on its inner workings, particularly for iOS. We base our work on previous work by Dionysus Blazakis and Stefan Esser and we extract information on the runtime sandboxing environment of iOS apps.

16:10 - 16:55 (45 mins)
Catching up with today's malicious actors
Speaker: Adrian Ifrim
Slides: https://www.owasp.org/images/1/10/OWASP_Adrian.Ifrim_latest.pdf
Current approaches to cyber security do not respond adequately to changing technology or threat conditions. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cyber security. Traditional ways of protecting our networks are clearly not working anymore. This presentation will help you get a glimpse at what your current solutions are and what you need to expect from the future.

Workshop

9:00 - 14:00 (5 hours), Sala Albastra (http://www.ccins.ro/sala-albastra.php)
OWASP Top 10 vulnerabilities – from discovery to complete exploitation
Trainers: Adrian Furtună (https://ro.linkedin.com/in/adrianfurtuna) – Technical Manager – Security Services – KPMG Romania; Ionuţ Ambrosie (https://twitter.com/iambrosie) – Security Consultant – KPMG Romania

The purpose of this workshop is to increase the participants' awareness of the most common web application vulnerabilities and their associated risks. We will discuss each type of vulnerability described in the OWASP Top 10 project and we will practice manual discovery and exploitation techniques.

Description:
This will be a (very) hands-on workshop where we will practice exercises such as:
  • Discover SQL injection and exploit it to extract information from the database
  • Find OS command injection and exploit it to execute arbitrary commands on the target server
  • Discover Cross-Site Scripting and exploit it to gain access to another user's web session
  • Identify Local File Inclusion and exploit it to gain remote command execution
  • Find Cross-Site Request Forgery and exploit it to gain access to the admin panel
  • Other fun and challenging tasks
Of course, we will also present safe ways in which the identified vulnerabilities can be eliminated or mitigated in a production environment.
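The first exercise in miniature, as an added example that is not the workshop's lab material: a product search backed by an in-memory SQLite database, the single-quote probe used for discovery, a UNION-based extraction of a table the endpoint was never meant to expose, and the parameterized query that closes the hole. The schema, rows and payload are constructed for this example; the same three steps (break the syntax, match the column count, bind instead of concatenate) carry over to any SQL backend.

```python
"""SQL injection end to end: discover it with a quote, exploit it with UNION,
fix it with a bound parameter. Runs against an in-memory SQLite database."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed schema and rows for this example (not the workshop's lab)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products(name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users(username, password_hash) VALUES ('alice', 'hash-alice'), ('bob', 'hash-bob');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The bug: user input is pasted into the statement text, so it can change the statement."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn: sqlite3.Connection, term: str) -> list:
    """The fix: the statement is fixed at development time; the value travels as a bound parameter."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name LIKE ?", (f"%{term}%",)
    ).fetchall()


def looks_injectable(conn: sqlite3.Connection, search) -> bool:
    """Discovery: a lone quote that turns into a syntax error is the first tell."""
    try:
        search(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False


# Exploitation: close the LIKE literal, append a UNION with the same column count (2)
# that reads another table, and comment out the tail of the original statement.
UNION_PAYLOAD = "zzz%' UNION SELECT username, password_hash FROM users -- "


def dump_users(conn: sqlite3.Connection, search) -> set:
    """What the attacker gets back through the search endpoint."""
    return set(search(conn, UNION_PAYLOAD))


if __name__ == "__main__":
    db = setup_db()
    for label, fn in (("vulnerable", search_vulnerable), ("fixed", search_fixed)):
        print(label, "injectable:", looks_injectable(db, fn), "leak:", dump_users(db, fn))
```

The fixed version is not "escaping done right": the database driver never sees the user's text as SQL at all, which is why the same payload that dumped the `users` table returns an empty result there, and why escaping-based fixes are the ones that keep getting bypassed.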
Intended audience: Web application developers, security testers, quality assurance personnel, people passionate about web security
Skill level: Intermediate
Requirements:
  • Laptop with a working operating system
  • At least 2 GB of free disk space and at least 2 GB RAM
  • Administrative rights on the laptop
  • VMware Player installed
Seats available: 20 (first-come, first served)
Register here: http://www.eventbrite.com/e/owasp-top-10-vulnerabilities-from-discovery-to-complete-exploitation-tickets-18454393588