Upcoming Conferences: DerbyCon! (September 25-29th, 2013)

The security rockstars are at it again in Kentucky. This week, DerbyCon 3 will be held in Louisville, and it looks like they have a great lineup: a ton of talks, tech tracks and parties.

They will even have a Zombie Apocalypse with proceeds going to Hackers for Charity.

How cool is that?

DerbyCon will run from Sept. 25th to the 29th:

Wednesday – Training starts at 9:00AM and ends at 5:00PM
Thursday – Training starts at 9:00AM and ends at 5:00PM
Friday – Opening ceremonies start at 8:30AM, with the keynote starting at 9:00AM. Talks finish at 8:00PM
Saturday – Talks start at 9:00AM and end at 7:00PM
Sunday – Talks start at 9:00AM and end at 4:00PM

Event and Talk Schedule

I also hear that security guru and creator of the Social-Engineer Toolkit (SET), David Kennedy, will be live on Fox News tomorrow morning at 7:40 EST.

Check it out!


Black Hat USA 2013 Day One – Latest News

Black Hat’s Barnaby Jack Statement:

We have lost a member of our family. Everyone would agree that the life and work of Barnaby Jack are legendary and irreplaceable. Barnaby had the ability to take complex technology and intricate research and make it tangible and accessible for everyone to learn and grow from. Beyond his work in our industry, Barnaby was an incredibly warm hearted and welcoming individual with a passion for celebrating life. We all have a hilarious and upbeat story about Barnaby. He is truly a shining example of what we love about this community. (Continue Reading…)

Latest Black Hat news, courtesy of Dark Reading:

‘Hangover’ Persists, More Mac Malware Found
Attackers behind the Operation Hangover cyberspying campaign out of India found dropping OS X malware, covering their tracks online

Researchers To Highlight Weaknesses In Secure Mobile Data Stores
At Black Hat USA, a team of mobile-security researchers plans to show off ways to circumvent the security of encrypted containers meant to protect data on mobile devices.

‘Tortilla’ Spices Up Active Defense Ops
New free Tor tool due out at Black Hat USA aims to make the Tor anonymizing network easier to use for all types of intel-gathering

Black Hat USA 2013: Complete Coverage
Articles leading up to and live coverage from Black Hat USA 2013, July 27 – Aug. 1


Pentesting High Security Environments

I was checking out some of the videos on our friend Vivek’s excellent security resource, SecurityTube.net, again today and found an exceptional video on pentesting high-security SQL systems. The video features Joe McCray (an awesome speaker, by the way) giving his presentation “Big Bang Theory – Pentesting High Security Environments” at the 2012 Hacktivity Conference.

This is hands down one of the best presentations I have seen on both SQL injection and how much computer security… well… sucks!

Joe explains that companies putting a web application on the internet (or that already have one) have two options: write secure code, or write average or even insecure code and just put a web application firewall (WAF) and an IDS in front of it to protect it.

In his presentation, he shows how SQL injection can still be carried out against a website protected by an IDS without triggering a single alert. He then shows similar techniques against a site sitting behind a web application firewall.

Joe was able to pull database contents, and even password hashes, from a system while the IDS reported no SQL injection attempts at all.

None – Zero….

He then explains that these security systems are configured to look for specific attack signatures. Many are tuned to stop low-level attacks (“ankle biter” attacks, he called them) but let more sophisticated, obfuscated attacks straight through. Joe also points out that commercial IDS products often “borrow” signatures from open source IDS engines. So attackers test their payloads against the open source engines first, and if nothing fires there, the chances of being picked up by a commercial product are very low.

Lastly, Joe walks through the configuration file of a web application firewall and shows some alarming default settings: IP ranges excluded from inspection entirely, signatures for old attacks enabled while newer techniques aren’t filtered at all, and Outlook Web Access not monitored at all…
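To make the two points above concrete (signature matching that misses obfuscated payloads, and exclusion lists that create blind spots), here is an added example; it is not code from Joe’s talk or from any real WAF or IDS product. It models a toy inspector with two rule sets: a naive one that matches raw request text and carries an excluded network and an unmonitored path (both constructed for illustration), and a hardened one that normalizes the request (URL-decodes twice, strips SQL comments, collapses whitespace, lowercases) before the same signatures are applied. The sample requests are constructed; the signature regexes are deliberately simplistic stand-ins, not real product rules.

```python
"""Toy signature inspector: why naive IDS/WAF rules miss obfuscated SQL
injection, and why exclusion lists leave blind spots.
Added illustration; not from Joe McCray's talk or any real product.
Rules, exclusions and sample requests are constructed for this example."""
import ipaddress
import re
import urllib.parse
from dataclasses import dataclass, field


@dataclass
class Request:
    src_ip: str
    path: str
    query: str  # raw query string as seen on the wire


# "Ankle biter" signatures: they match only textbook payload shapes.
NAIVE_SIGNATURES = [
    re.compile(r"'\s*or\s*1\s*=\s*1", re.IGNORECASE),
    re.compile(r"union\s+select", re.IGNORECASE),
]


def normalize(payload: str) -> str:
    """Undo common evasions before matching: URL-decode twice (double
    encoding), drop /* */ inline comments and '--' tails, collapse
    whitespace, lowercase. Cheap signature engines skip this step."""
    s = urllib.parse.unquote_plus(urllib.parse.unquote_plus(payload))
    s = re.sub(r"/\*.*?\*/", " ", s)   # inline comments used as separators
    s = re.sub(r"--.*$", " ", s)       # trailing SQL comment
    s = re.sub(r"\s+", " ", s).strip()
    return s.lower()


@dataclass
class Ruleset:
    signatures: list
    normalize_first: bool
    excluded_networks: list = field(default_factory=list)  # CIDR strings
    unmonitored_paths: tuple = ()                            # path prefixes

    def inspect(self, req: Request) -> str:
        """Return 'skipped', 'alert' or 'clean' for one request."""
        ip = ipaddress.ip_address(req.src_ip)
        if any(ip in ipaddress.ip_network(n) for n in self.excluded_networks):
            return "skipped"          # never inspected: the blind spot
        if req.path.startswith(self.unmonitored_paths):
            return "skipped"
        text = normalize(req.query) if self.normalize_first else req.query
        hit = any(sig.search(text) for sig in self.signatures)
        return "alert" if hit else "clean"


def evaluate(ruleset: Ruleset, requests: list) -> list:
    """Run every request through the ruleset; returns the verdict per request."""
    return [ruleset.inspect(r) for r in requests]


# Constructed sample traffic (hypothetical addresses and paths).
SAMPLE_REQUESTS = [
    Request("203.0.113.7", "/search", "q=' or 1=1--"),                 # textbook
    Request("203.0.113.7", "/search", "q='/**/oR/**/1=1--"),           # comment separators
    Request("203.0.113.7", "/search",
            "q=1%20UNI%4fN%0ASELECT%20user,password%20FROM%20users"),  # encoded + newline
    Request("203.0.113.7", "/search", "q=%2527%2520or%25201%253D1"),   # double URL-encoded
    Request("10.1.2.3", "/search", "q=' or 1=1--"),                    # from excluded range
    Request("203.0.113.7", "/owa/auth.owa", "username=' or 1=1--"),    # unmonitored path
]

# Default-style config: raw matching, a whole /8 excluded, OWA not watched.
NAIVE_WAF = Ruleset(NAIVE_SIGNATURES, normalize_first=False,
                    excluded_networks=["10.0.0.0/8"], unmonitored_paths=("/owa/",))
# Same signatures, but normalized input and no exclusions.
HARDENED_WAF = Ruleset(NAIVE_SIGNATURES, normalize_first=True)

if __name__ == "__main__":
    for req, naive, hard in zip(SAMPLE_REQUESTS,
                                evaluate(NAIVE_WAF, SAMPLE_REQUESTS),
                                evaluate(HARDENED_WAF, SAMPLE_REQUESTS)):
        print(f"{req.src_ip:12} {req.path:14} naive={naive:7} hardened={hard}")
```

Only the first, textbook payload trips the naive rule set; the comment-separated, encoded and double-encoded variants come back “clean”, and the requests from the excluded range and the unmonitored path are never looked at. The hardened rule set flags all six with the very same signatures, because the evasion is undone before matching. Real WAF engines have this normalization step (ModSecurity, for instance, calls them transformation functions such as urlDecode, removeComments and lowercase); whether it is actually enabled, and what the exclusion lists say, is exactly the kind of configuration detail Joe is pointing at.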

The solution – People!

Hire and keep the people who know how to set up, test and tune these security controls so they actually protect your network!

An exceptional video; I highly recommend that you and your security team check it out. Then explain what he is saying to your boss!  🙂

BSides Cleveland Security Conference Videos

If you don’t get the chance to attend the big security conferences, you always look forward to the conference videos when they come out. July is no exception, with several awesome conferences taking place. Adrian Crenshaw (aka Irongeek) has released links to all of the BSides Cleveland security conference videos.

Below are two of my favorites.

First up is Dave Kennedy, mad hugger and security guru extraordinaire, with a great look at some of his pentesting secrets and techniques. This is an excellent look at his Social-Engineer Toolkit, tips on bypassing anti-virus, elevating a user to an Admin account, and egress techniques.

Next up is “Pass the Hash like a Rockstar” by Martin “Purehate” Bos. This is a great look at the different techniques used to compromise systems by passing the hash. Somewhat disappointingly, this is not the talk he was going to give. He was going to speak on password cracking, which sounded really interesting, but he had to change it at the last moment. Hopefully he will release the intended talk at some point, but this one is very good too!