plaverty's blog

We'll be back on March 4, 2013 (5:45 pm) with another edition of Hands-On Hacking!

If you remember our March 2012 meeting, we had Allison Nixon come and show us how to use SQL injection to get access to a web database, as well as how to prevent it. We learned how to think like a hacker. We'll we're going to bring that back and do something similar. Except this time, we're going to make it even more fun by turning it into a sort of capture the flag. We'll stay educational and non-competitive, and we'll aim to have multiple levels of flags to obtain.

The Evolution of the Information Security Management Function - David Sherry, Brown University CISO

Maybe it's better suited as a podcast, as I think one of the cameras wasn't capturing properly but you at least get the slides and David's audio.

View the Presentation (Warning: Sorry about loud feedback at 04:30)

Interested in cloud security and compliance? Good architecture and planning are the foundation for solid security, but infrastructure providers have raised the level of abstraction and now companies of all sizes are making use of cloud services to build high-security environments with modest engineering effort. At Swipely, we process credit cards in partnership with the world's largest Payment Processor and the US’s largest bank.

At our next monthly meeting, on October 9th, we will have David Sherry, Brown University's CISO to give a presentation titled: "The Evolution of the Information Security Management Function". Here's the description:

You're pretty good at detecting Cross Site Scripting right? You know how to find the alerts and script tags and even cookie grabbers? So if you see something like this, is it any big deal?

Finding All The Ninjas in the Forrest: Web Application Testing Strategies Revisited

Read more about this year's social engineering contest champion at DefCon who scored the first 100% as he got a major corporation to give over *everything*:

http://www.thestar.com/business/article/1239150--canadian-hacker-dupes-wal-mart-to-win-def-con-prize

Some of them might not be too innovative as you might already be doing them and others might seem like they won't help too much. But keeping "defense in depth" in mind, every little bit helps, especially if it's easy and doesn't cost too much. Are you running services on standard ports and using the default administrator accounts? Why? Can you get around that? Here are 10 ideas that the article itself refers to being crazy and innovative, but they work:

For the longest time, I was one of those people who thought "Who cares?" about leaving my wireless router unprotected and open to any neighbors who wanted to use it. What do I care? Let's all share, right?

Then I started seeing the articles about people using open WiFi connections to do bad things, including to the host's systems. Then here's this:

SWAT Team Attacks Wrong House

Tuesday July 17, 6:45 pm

Brandon Levene - Dell SecureWorks
Practical Malware Analysis 101 Brandon Levene - Dell SecureWorks This will be an introduction to modern malware as the primary vector of intrusions. Detection of malware is crucial, and equally important is being able to differentiate between true and false positives. During this talk I will introduce techniques used by the industry to identify potentially malicious software without disassembly or debugging.