BeNeLux OWASP Day 2010 - Revision history

Bart De Win at 09:48, 10 December 2010

2010-12-10T09:48:31Z

Jocelyn.aubert: change an error...

2010-12-08T22:13:02Z

change an error...

Jocelyn.aubert: add flickr link!

2010-12-08T22:11:38Z

add flickr link!

Bart De Win at 21:37, 8 December 2010

2010-12-08T21:37:23Z

Bart De Win at 21:30, 8 December 2010

2010-12-08T21:30:43Z

Bart De Win at 21:24, 8 December 2010

2010-12-08T21:24:43Z

Sdeleersnyder at 19:45, 5 December 2010

2010-12-05T19:45:34Z

Sdeleersnyder at 21:03, 30 November 2010

2010-11-30T21:03:00Z

Sdeleersnyder at 22:22, 29 November 2010

2010-11-29T22:22:55Z

Bart De Win at 21:51, 29 November 2010

2010-11-29T21:51:18Z

@@ Line 92: / Line 92: @@
 |-
 | style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 17h00-17h40
-| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Attacking is easy, defending is hard''' (by Walter Belgers, Madison Gurkha)
+| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Attacking is easy, defending is hard''' (by Walter Belgers, Madison Gurkha) [http://www.owasp.org/images/d/d3/OWASPBeNeLux2010-Belgers-DefendingIsHard.pdf Presentation]
 :An attacker has an easy job. They need only find one security hole, and they've broken the system. The system, application and network administrators :have a much harder task. They have to find not just one, but each and every one of the holes. Preferably before the bad guys do.
 :And, these holes can be at several different layers. In the presentation, we will look at those layers (system level, application level, but also user :level) and observe what goes wrong and how to fix it. The observations come from the daily work at Madison Gurkha.

@@ Line 13: / Line 13: @@
 Xavier did blog a nice wrap-up of the BeNeLux day: see his [http://blog.rootshell.be/2010/12/03/owasp-benelux-day-2010-wrap-up/ blog].
-The Luxembourg Chapter publishes on Flickr a set of pictures: [http://www.flickr.com/photos/owasplux/sets/72157625432687293/ OWASP BeNeLux Days 2010 set]
+The Luxembourg Chapter published on Flickr a set of pictures: [http://www.flickr.com/photos/owasplux/sets/72157625432687293/ OWASP BeNeLux Days 2010 set].
 If you know of other coverage, photo's: send them to seba@owasp.org

@@ Line 12: / Line 12: @@
 ===blog===
 Xavier did blog a nice wrap-up of the BeNeLux day: see his [http://blog.rootshell.be/2010/12/03/owasp-benelux-day-2010-wrap-up/ blog].
 If you know of other coverage, photo's: send them to seba@owasp.org

@@ Line 7: / Line 7: @@
 <br>
 <center>
 ===blog===
 Xavier did blog a nice wrap-up of the BeNeLux day: see his [http://blog.rootshell.be/2010/12/03/owasp-benelux-day-2010-wrap-up/ blog].

@@ Line 47: / Line 47: @@
 |-
 | style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 11h00-11h40
-| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Clickjacking: an empirical study with an automated testing/detection system''' (by Marco Balduzzi, Eurecom)  [http://www.owasp.org/images/d/d2/OWASPBeNeLux2010-Balduzzi-Clickjacking.pdf]
+| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Clickjacking: an empirical study with an automated testing/detection system''' (by Marco Balduzzi, Eurecom)  [http://www.owasp.org/images/d/d2/OWASPBeNeLux2010-Balduzzi-Clickjacking.pdf Presentation]
 :Clickjacking recently received new media attentions: Thousands of Facebook users have fallen victims of a worm that uses clickjacking techniques to propagate.
 :In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that are advantageous for the attacker, such as propagating a web worm, stealing confidential information or abusing of the user session.
@@ Line 54: / Line 54: @@
 |-
 | style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 11h40-12h20
-| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Privacy of file sharing service''' (by Nick Nikiforakis, Katholieke Universiteit Leuven) [http://www.owasp.org/images/1/14/OWASPBeNeLux2010-Nikiforakis-FileSharing.pdf]
+| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Privacy of file sharing service''' (by Nick Nikiforakis, Katholieke Universiteit Leuven) [http://www.owasp.org/images/1/14/OWASPBeNeLux2010-Nikiforakis-FileSharing.pdf Presentation]
 :File sharing services are used daily by tens of thousands of people as a way of sharing files. Almost all such services, use a security-through-obscurity method of hiding the files of one user from others. For each uploaded file, the user is given a secret URL which supposedly cannot be guessed. The user can then share his uploaded file by sharing this URL with other users of his choice. Unfortunately though, a number of file sharing services are incorrectly implemented allowing an attacker to guess valid URLs of millions of files and thus allowing him to enumerate their file database and access all of the uploaded files. In this paper, we study some of these services and we record their incorrect implementations. We design automatic enumerators for two such services and a privacy-classifying module which characterises an uploaded file as private or public. Using this technique we gain access to thousands of private files ranging from private and company documents to personal photographs. We present a taxonomy of the private files found and ways that the users and services can protect themselves against such attacks.
 |-
 | style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 12h20-13h00
-| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Finding Backdoors in Code''' (by Matias Madou, Fortify) [http://www.owasp.org/images/8/8f/OWASPBeNeLux2010-Madou-RepellingTheWilyInsider.pdf]
+| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''Finding Backdoors in Code''' (by Matias Madou, Fortify) [http://www.owasp.org/images/8/8f/OWASPBeNeLux2010-Madou-RepellingTheWilyInsider.pdf Presentation]
 :Insiders who write code, whether they are developers working for an enterprise or contributors to an open source project, have an almost unlimited number of ways to put chinks in the armor of their software. Many times, these holes are put in place for seemingly good reasons—to facilitate easy debugging, make working from home easier, or as a failsafe in case other mechanisms for interfacing with the system fail. Worse still, malicious insiders can plant logic bombs or insert backdoors so that they can embezzle funds, steal private information, or exact revenge if they become disgruntled.<BR>
 :Whether unintentional or malicious, code that performs questionable behavior or permits unauthorized access can be introduced with relative ease and can persist in a code base almost indefinitely without being discovered. Until it's too late. In this talk, we discuss techniques for applying static analysis to program source code to assist auditors hunting for backdoors, logic bombs, and other threats introduced by insiders. We give detailed examples of insider threats that have been uncovered in real software systems, outline possible motives for malicious insiders, and discuss how external stimuli like layoffs are increasing the attention paid to insider threats. We conclude the talk with results of applying the detection techniques discussed in this talk to real-world software.
@@ Line 75: / Line 75: @@
 |-
 | style="background: none repeat scroll 0% 0% rgb(123, 138, 189); width: 15%; -moz-background-inline-policy: continuous;" | 15h20-16h00
-| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''0wning Networks with VoIP and Web attacks''' (by Radu State, University of Luxembourg) [http://www.owasp.org/images/6/6a/OWASPBeNeLux2010-State-VoipHacking.pdf]
+| align="left" style="background: none repeat scroll 0% 0% rgb(242, 242, 242); width: 75%; -moz-background-inline-policy: continuous;" colspan="2" | '''0wning Networks with VoIP and Web attacks''' (by Radu State, University of Luxembourg) [http://www.owasp.org/images/6/6a/OWASPBeNeLux2010-State-VoipHacking.pdf Presentation]
 :Voice over IP is the current de facto technology for delivering voice data in both enterprise and  service provider infrastructure. Although , security threats specific to VoIP signalling have been known for a while, few is known about cross-layer attacks in which Web enabled VoIP devices allow for efficient attacks against the VoIP infrastructure and general IT networks .
 :This talk will give a short introduction to VoIP and continue with a series of attacks that leverage SIP as efficient transport vehicle for billing attacks , disclosure attacks and  network penetration.     The talk will show how one single phone call can compromise even the best secured and hardened network perimeter .

@@ Line 215: / Line 215: @@
 [http://www.sogeti.nl http://www.owasp.org/images/3/31/Sogeti_Nederland_b_v_Logo.jpg]
 [http://www.comsec.nl/ http://www.owasp.org/images/c/c1/Comsec.gif]
 <br><br> '''Supported by:'''<br>

← Older revision		Revision as of 21:51, 29 November 2010
Line 203:		Line 203:

	The social event is scheduled for Wednesday, 1st of December:		The social event is scheduled for Wednesday, 1st of December:
−	[http://www.effenaar.nl/over-de-effenaar ~~Effenaaar~~], starting from 7 pm!	+	[http://www.effenaar.nl/over-de-effenaar Effenaar], starting from 7 pm!