Netherlands events held in 2013

March 13, 2013

The Annual OWASP Netherlands Black Hat Edition Chapter meeting

Every year around Black Hat Europe we try to get Internationally well-known speakers to talk at a Chapter Meeting. This year Colin Watson and Georgia Weidman are on the agenda!

This chaptermeeting will be about web application logging, Access Control Design and the all new OWASP Cornucopia.

Programme:

18:30 - 19:15 Registration & Pizza

19:15 - 19:35 "Record It" - Colin Watson

19:35 - 19:40 Break

19:40 - 20:25 “The smartphone penetration testing framework”- Georgia Weidman

20:25 - 20:30 Break

20:30 - 21:00 OWASP Cornucopia - Colin Watson

21:00 - 21:30 Networking

Presentations

Record It!

Do you know security event information should be recorded by an application? Colin Watson will outline which event properties are useful, what should be avoided and how logging can be implemented. In this short presentation, the benefits of good application logging will also be described.

The smartphone penetration testing framework

As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. We will also show how to use the framework through a command line console, a graphical user interface, and a smartphone based app. Demonstrations of the framework assessing multiple smartphone platforms will be shown.

OWASP Cornucopia

Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. "OWASP Cornucopia - Ecommerce Web Application Edition" will be presented and used to demonstrate how it can help developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide.

Speakers

Colin Watson

Colin Watson is an application security consultant, based in London. He is project leader for the OWASP Codes of Conduct and OWASP Cornucopia projects, wrote the Application Logging Cheat sheet, contributes to a number of other OWASP projects including AppSensor,and is a member of the OWASP Global Industry Committee.

Georgia Weidman

Georgia Weidman is a penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security as well as holding CISSP, CEH, NIST 4011, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has presented her research at conferences around the world including Shmoocon, Hacker Halted, Security Zone, and Bsides. Georgia has delivered highly technical security training for conferences, schools, and corporate clients to excellent reviews. Building on her experience, Georgia recently founded Bulb Security LLC (http://www.bulbsecurity.com), a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security.

March 7, 2013

Incident Respons in a Cyberwar context and Responsible Disclosure

This chaptermeeting will be about Incident respons in a cyberwar context and responsible disclosure.

Programme:

18:30 - 19:00 Registration

19:00 - 19:15 Welcome & Updates

19:15 - 20:00 Incident Respons in a Cyberwar context - Dennis Lemckert

20:00 - 20:15 Break

20:15 - 21:00 Disclosure - Lex Borger & André Koot

Presentations:

Incident Respons in a Cyberwar context

Cyber Warfare is the new buzz in the IT security. However, is War to compare with today's interconnected world? Are breaches in Integrity, Continuity and Exclusivity similar to an attack on a state?

Disclosure, Prevention is better than to cure

In this presentation we explain what the background was behind our request to CPB to perform research of the Diagnostics for U case. We discuss recent incidents in healthcare (Henk Krol, the Groene Land Hospital), and the effects of the announcement for the companies involved. We will also discuss the practice of Responsible Disclosure (the initiatives of the NCSC and others) and the arise of Responsible Disclosure (Leak October and other hacks) and how companies can ensure that information is sufficiently protected against privacy leaks using data identification and classification.

Speakers

Dennis Lemckert

Dennis Lemckert is active in the IT world for almost 20 years. 12 Years thereof, he's operating in or around the IT security world. Some roles that at the time he has completed are: Pentester, Security Auditor, Security Architect, Incident Analyst, Security Analyst and Security Advisor. During that time, Dennis has developed a no-nonsense approach on how to build, deliver and maintain secured environments. However, telling others how to do something well, leaves Dennis little time to play with the latest and cool tools, so he spends most of his time writing documentation, both technical and non-technical, giving awareness training, providing training to both technical staff and management and analyzing and improving incident processes.

Lex Borger

Lex Borger is a consultant at Ideas to Interconnect (I-to-I). He has more than 20 years of experience in information security and system security. He was involved in the development of control systems, where he learned to apply security from within. Gradually he broadened his view of information security to the entire field. Most of his experience he has gained in the United States of America. Lex is editor of the journal PvIB "Information"

André Koot

André Koot's Security Consultant with expertise in Identity Management and Access Control. He is also editor of the PvIB journal "Information", trainer and lecturer at the International Management Forum, member EXIN examination committee, NL Chapter Board member CSA and Advisory Board member IDentity.Next. Previously, André worked for the IRS, and Unive VGZ.

January 31, 2013

Broken Online Strong Authentication and OWASP update

This chaptermeeting will be about broken online strong authentication with banking web applications and OWASP updates.

Programme:

18:30 - 19:00 Registration

19:00 - 19:45 The Truth about the e.dentifier2 - Erik Poll

19:45 - 20:00 Break

20:00 - 20:45 OWASP Update - Martin Knobloch

20:45 - 21:30 Networking

Presentations

The Truth about the e.dentifier2

We present a security analysis of an internet banking system used by one of the bigger banks in the Netherlands, in which customers use a USB-connected device – a smartcard reader with a display and numeric keyboard – to authorise transactions with their bank card and PIN code. Such a set-up could provide a very strong defence against online attackers, notably Man-in-the-Browser attacks, where an attacker controls the browser and host PC. However, we show that the system we studied is flawed: an attacker who controls an infected host PC can get the smartcard to sign transactions that the user does not explicitly approve, which is precisely what the device is meant to prevent.

OWASP Update

News and updates on OWASP BeneLux 2013, OWASP Dutch Chapter meetings, AppSec EU 2013, OWASP Connector, the OWASP Newsletter and new OWASP initiatives.

Speakers

Erik Poll

Erik works in the Digital Security group of the Radboud University on a range of topics in security, including smartcards, security protocols, software security, and critical infrastructures (esp. the smart grid).

Martin Knobloch

Martin Knobloch is member of the Dutch chapter board and chair of the Global Education Committee. Next to this he contributes to several projects as the OWASP Education Project and the OWASP Academy Portal. Martin is an independent security consultant and owner of PervaSec. His main working area is (software) security in general, from awareness to implementation. In his daily work, Martin is responsible for education in application security matters, advise and implementation of application security measures.