
Difference between revisions of "Boulder"

Line 4: Line 4:
 
== Upcoming Events ==
 
== Upcoming Events ==
  
'''Thursday, May 17th at 6pm – Renowned speaker Chris Roberts, Chief Geek'''
+
'''Thursday, June 21st at 6pm – Discussion with Laz: How bad is it out there? '''
  
The Boulder chapter's May meeting will be held at the [https://maps.google.com/maps?q=1711+Pearl+St,+Boulder,+CO+80302&hl=en&ll=40.018955,-105.272412&spn=0.005801,0.016512&sll=40.019446,-105.273058&layer=c&cbp=13,345.63,,0,0.03&cbll=40.019323,-105.273016&hnear=1711+Pearl+St,+Boulder,+Colorado+80302&t=m&z=17&panoid=5v0RhKi7sjpi-Z5HcgKFFw Aerstone offices] on 17th and Pearl.  This month we welcome renowned speaker Chris Roberts. As founder, CISO, and Chief Geek at [http://www.oneworldlabs.com/index.php/owl-blog/ OneWorldLabs], Chris is well known for his expansive knowledge and humorous insights. He has spoken at numerous security events, and was featured in a McAfee security documentary. Take the opportunity to engage Chris in this collaborative setting before he heads down to [http://www.isaca-denver.org/Conferences/RMISC/ RMISC] in Denver (and beyond).
+
The Boulder chapter's June meeting will be held at the [https://maps.google.com/maps?q=1711+Pearl+St,+Boulder,+CO+80302&hl=en&ll=40.018955,-105.272412&spn=0.005801,0.016512&sll=40.019446,-105.273058&layer=c&cbp=13,345.63,,0,0.03&cbll=40.019323,-105.273016&hnear=1711+Pearl+St,+Boulder,+Colorado+80302&t=m&z=17&panoid=5v0RhKi7sjpi-Z5HcgKFFw Aerstone offices] on 17th and Pearl.  June's discussion is "Emerging Threats - How Bad is It out There?". Laz, Director of Strategy for [http://www.silvertailsystems.com/ Silver Tail Systems], brings extensive insight this topic, diving into:
  
As always, seating is limited, so '''please [http://www.meetup.com/OWASP-Boulder/ RSVP] early'''! We can only accommodate those who RSVP. 
+
*Emerging Threats (Real World Case Studies of What Cyber Criminals are doing)
 +
*Where is Mobile in the Mix
 +
*Quantifying the Threats and Risks
 +
*Reporting – What Metrics are Leadership Teams Looking for Today
  
 +
Laz came to Silver Tail Systems from the Sears Online Business Unit as Head of Information Security. Previously, Laz served as an IT security consultant and IT auditor who worked with Fortune 500 companies and government agencies. Laz is the inventor of several patents for controlling personally identifiable information, Information Security, and Information Technology. His involvement with security initiatives includes contributions for standards and policies regarding compliance and Information Security methodologies, policies, and Web application security.
  
 +
Laz is a published author, has served in the United States Air Force, holds a Masters in Computer Information Security from the University of Denver and an MBA from Pepperdine University.
  
 +
As we learned from our May meeting, the conversation doesn't stop with the speaker. The meetings are meant to be interactive, and we appreciate the wonderful audience contributions throughout evening. Thanks to all who participated! What a lively discussion!
  
<!-- '''November Meeting combined with the Denver Chapter meeting:'''
+
Seating is limited! We can only accommodate seating for those who [http://www.meetup.com/OWASP-Boulder/ RSVP].  If you have a change of plans, please update your RSVP to allow those who are on the waiting list.
  
Wednesday 18 November 2009, 6pm @ Raytheon Polar Services
+
Parking is available through the Whittier Neighborhood Zone for up to three hours daily. As always, food and drinks are free and there will be an open networking session after the meeting.
 
 
Anton Rager: "The Evils of XSS: Its not just for cookies anymore"
 
 
 
Many security professionals, security administrators and developers are aware of Cross-Site Scripting (XSS) vulnerabilities, but disregard them as a significant risk to an organization. Traditionally XSS attacks have either involved nuisance re-direction of a client or leakage of client cookies/state information to an attacker. They are almost always a one-shot XSS exploit against a vulnerable server and dont have the ability to execute multiple transactions against an XSS vulnerable site.
 
 
 
This presentation briefly outlines current XSS attacks, then discusses and demonstrates methods to create multi-transaction XSS attacks or persistent XSS based browser hi-jacking. Browser hi-jacking uses the victim browser to leverage existing trust that a browser may have with an XSS vulnerable site, and performs an arbitrary number of transactions from the victim browser against the vulnerable site. This means that the attacker can use the victims browser to attack a site that is behind a firewall, requires client-side certificates, filters IP addresses, or has a cached authentication with the victim browser this is way beyond cookie theft as an attacker is actually using the victims browser to access the site. Attack modes can include transparent site traversal thru victim browser (read and/or write to server with access of victim from remote attack console), passive monitoring of victim interaction with target site, or active MITM content modification of information to/from victim browser.
 
 
 
A custom tool (XSS-Proxy) will be demonstrated that demonstrates the ability for a remote attacker to perform these XSS based attacks. XSS persistence and commands are controlled from a Perl based HTTP attack server with victim/XSS target content forwarded to the same server. This does not rely on any new vulnerability in browsers and currently works in modern JavaScript enabled IE and Mozilla/Firefox based browsers.
 
 
 
Presenter: Anton Rager
 
 
 
Anton Rager is an independent security researcher focused on vulnerability exploitation, VPN security and wireless security. He is currently a programmer with an undisclosed network storage startup where he focuses on application development, Linux network magic, and Linux kernel/driver hacking.
 
He is best known for his work with 802.11 wireless WEP security and associated testing/analysis tools. In 2001 he released WEPCrack, the first open-source, public domain utility to validate the WEP/RC4 attack discovered by Fluhrer, Mantin and Shamir. Anton was also a Contributing Technical Editor to the book Maximum Wireless Security. In 2003 he continued researching 802.11/WEP and developed an injection attack and open-source tool (WEPWedgie) that allows network scanning attacks of WEP encrypted networks without knowledge of WEP keys. This tool/attack is mentioned in the book WI-FOO: The Secrets of Wireless Hacking as well as multiple online articles.
 
 
 
Anton has also focused heavily on IPSec VPN security issues and in 2001 implemented the first open-source utility to allow password attacks against IKE based IPSec VPN connections (IKECrack). Follow-on IPSec research resulted in an IKE protocol testing tool (IKEProber) that highlighted multiple vulnerabilities in common IPSec client/gateway implementations.
 
 
 
More recently he has been working with web application security issues and in 2005 devised a novel Cross-Site-Scripting (XSS) attack method and open-source tool (XSS-Proxy) to allow browser hijacking with XSS vulnerable sites. This tool/attack is also highlighted in Phishing Exposed book and as well as the book XSS-Attacks that he co-authored with other leading XSS researchers.
 
Anton has presented at well-known security conferences and has conducted many security training and security awareness primers with industry and government sectors. He currently resides and works near Denver, Colorado. In addition to an addictive computer security hobby, Anton is also an extreme mountain biker, snowboarder, naturalist, guitarist and philosopher hack.  
 
 
 
Agenda
 
 
 
• 6pm: Pizza & pop @ Raytheon Polar Services, courtesy of Accuvant
 
 
 
• 6:30pm: Introduction and Chapter business
 
 
 
• 6:45pm -- 8pm: Presentation
 
-->
 
  
 
[[Category:OWASP Chapter]]
 
[[Category:OWASP Chapter]]
 
[[Category:Colorado]]
 
[[Category:Colorado]]
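
Review bot: The added June announcement drops a word in two places, and both slips carry through to the rendered page: "brings extensive insight this topic" should read "brings extensive insight into this topic", and "throughout evening" should read "throughout the evening". The new RSVP sentence also trails off at "to allow those who are on the waiting list"; something like "to make room for those on the waiting list" would complete it.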

Revision as of 05:38, 11 June 2012

OWASP Boulder

Welcome to the Boulder chapter homepage. The chapter leader is Mark Major.


Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter Leader Handbook. Because OWASP is a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of the OWASP PROJECT, independent research or related software security topic you would like to present on.

Sponsorship/Membership

Donate to this chapter or become a local chapter supporter. Or consider the value of Individual, Corporate, or Academic Supporter membership. Ready to become a member? Join now.


Upcoming Events

Thursday, June 21st at 6pm – Discussion with Laz: How bad is it out there?

The Boulder chapter's June meeting will be held at the Aerstone offices on 17th and Pearl. June's discussion is "Emerging Threats - How Bad is It out There?". Laz, Director of Strategy for Silver Tail Systems, brings extensive insight into this topic, diving into:

  • Emerging Threats (Real World Case Studies of What Cyber Criminals are doing)
  • Where is Mobile in the Mix
  • Quantifying the Threats and Risks
  • Reporting – What Metrics are Leadership Teams Looking for Today

Laz came to Silver Tail Systems from the Sears Online Business Unit as Head of Information Security. Previously, Laz served as an IT security consultant and IT auditor who worked with Fortune 500 companies and government agencies. Laz is the inventor of several patents for controlling personally identifiable information, Information Security, and Information Technology. His involvement with security initiatives includes contributions for standards and policies regarding compliance and Information Security methodologies, policies, and Web application security.

Laz is a published author, has served in the United States Air Force, and holds a Master's in Computer Information Security from the University of Denver and an MBA from Pepperdine University.

As we learned from our May meeting, the conversation doesn't stop with the speaker. The meetings are meant to be interactive, and we appreciate the wonderful audience contributions throughout the evening. Thanks to all who participated! What a lively discussion!

Seating is limited! We can only accommodate seating for those who RSVP. If you have a change of plans, please update your RSVP to make room for those who are on the waiting list.

Parking is available through the Whittier Neighborhood Zone for up to three hours daily. As always, food and drinks are free and there will be an open networking session after the meeting.