Date: Wed, 9 May 2007 16:41:36 -0400
From: "Ofer Shezaf" <OferS@...ach.com>
To: <bugtraq@...urityfocus.com>
Subject: 2nd OWASP Israel mini conference at the Interdisciplinary Center Herzliya (IDC), Monday, May 21st, 13:30

Hi fellow Security experts,

Following the big success of the 1st one, we are glad to announce the 2nd OWASP Israel mini conference at the Interdisciplinary Center Herzliya (IDC). The mini conference is a non-commercial event focusing on web application security. As you can see in the program below, we have carefully selected the presentations and we hope they are all relevant, informative and, most importantly, non-commercial. Nevertheless, we are happy to say that we were able to get very distinguished companies to sponsor the event and make sure that the refreshments will be great. The meeting is sponsored by Breach Security, Checkpoint, Hacktics, Applicure Technologies, Zend, Microsoft and the Interdisciplinary Center Herzliya (IDC).

The meeting will be held on Monday, May 21st, starting at 13:30 at the Interdisciplinary Center (IDC) Herzliya campus (driving directions will be sent to registrants). Participation is free and open to all, but please inform us (e-mail to ofers@...ach.com) that you are coming, as space is limited. Feel free to spread the word about this meeting to anyone you feel would be interested. You can also register for the OWASP Israel mailing list (http://lists.owasp.org/mailman/listinfo/owasp-israel) and receive updates regarding the chapter's meetings. For further details please contact us at ofers@...ach.com or go to the web page at http://www.owasp.org/index.php/Israel#2nd_OWASP_IL_mini_conference_at_IDC.2C_May__21th_2007

Dr. Anat Bremler-Barr
Program Academic Director, Information Security Program
Efi Arazi School of Computer Science, IDC Herzliya

Ofer Shezaf
Chapter Leader, OWASP Israel 
CTO, Breach Security

The agenda of the meeting is: 

* Gathering and Refreshments 
13:30 - 14:00 

* Updates from OWASP Europe, Milan
Ofer Shezaf, OWASP IL chapter leader, CTO, Breach Security 
14:00 - 14:15 

Since the conference is just a few days after OWASP Europe 2007 in Milan, and since most of you would not have a chance to be there, I will try to convey the content and spirit of this unique conference to you. 
In addition you will hear Yair Amit, who will repeat the presentation he is going to give at OWASP Europe, and Erez Metula will build his lecture on the OWASP chief evangelist's presentation about .NET. For my presentation at OWASP Europe, you had to come to the previous OWASP IL Mini Conference.

* Pen-Testing at Microsoft: FuzzGuru fuzzing framework 
John Neystadt, Lead Program Manager, Microsoft Forefront Edge, Microsoft 
14:15 - 15:00 

Fuzzing is the main systematic methodology used these days by hackers to find vulnerabilities in web and other applications. Fuzzing can find buffer overrun, denial-of-service and information disclosure vulnerabilities. It should be done for C++, C#/Java, ASP/JP code.
FuzzGuru is a generic network fuzzing development framework developed at the Microsoft Israel Development Center and is a formally recommended best practice for all products developed at Microsoft.
In this talk John will present some fuzz testing theory, demonstrate the tools and discuss Microsoft fuzzing practices.

* Unregister Attacks in SIP 
Ronit Halachmi-Bekel, Efi Arazi school of Computer Science at Interdisciplinary Center (IDC) Herzliya 
15:00 - 15:40 

The presentation discusses research work done at the Interdisciplinary Center (IDC) Herzliya about the "unregister attack", a new kind of denial-of-service attack on SIP servers. In this attack, the attacker sends a spoofed "unregister" message to a SIP server and cancels the registration of the victim at that server. This prevents the victim user from receiving any calls.
The research also offers a solution: the SIP One-Way Hash Function Algorithm (SOHA), motivated by the one-time password mechanism. SOHA prevents the unregister attack in all situations. The algorithm is easy to deploy since it requires only a minor modification, is fully backwards compatible, and requires no additional configuration from the user or the server.
The paper is joint work with Dr. Anat Bremler-Barr and Jussi Kangasharju. The paper was presented at the 14th IEEE International Conference on Network Protocols (ICNP).

* Break 
15:40 - 16:00 

* Application Denial of Service; is it Really That Easy? 
Shay Chen, Hacktics 
16:00 - 16:40 

Denial of service attacks, which are quite a nuisance on the network layer, are a nightmare when done on the application layer, but are equally underrated. 
At our last conference, Dr. Anat Bremler-Barr discussed some of the theoretical aspects of application layer denial of service attacks. Shay Chen will expand on and explore the practicalities of application layer denial of service. He will show real world techniques, real life stories and personal experiences conducting DoS attacks during penetration testing on major Israeli sites.

* Behavioral Analysis for Generating A Positive Security Model For Applications 
Ofer Shezaf, OWASP IL chapter leader, CTO, Breach Security 
16:40 - 17:10 

In the last OWASP IL conference, as well as at OWASP Europe in Milan, I explored the potential of a negative security model for securing applications. While a negative security model can provide some level of security, most agree that a positive security model is preferable for protecting applications.
However, building a rule set to provide positive security is a difficult and never ending project. Modern tools employ behavioral analysis to build those rules automatically. The presentation will discuss the algorithms and methods used to automatically build an application layer positive security rule set, as well as the problems and limitations of such an approach.

* Overtaking Google Desktop - Leveraging XSS to Raise Havoc 
Yair Amit, Senior Security Researcher, Watchfire 
17:10 - 17:50 

Yair will present a ground breaking research paper by Watchfire application security labs. The paper describes an innovative attack methodology against Google Desktop which enables a malicious individual to achieve remote, persistent access to sensitive data, and potentially full system control.
This represents a significant real world example of a new generation of computer attacks which take advantage of Web application vulnerabilities, utilizing the increasing power of the Web browser. Their purpose is to remotely access private information.
This presentation will be given by Yair the week before at OWASP Europe in Milan.

* Break 
17:50 - 18:00 

* Application Security is Not Just About Development 
David Lewis, CISM, CISA, CISSP, Rosenblum Holtzman 
18:00 - 18:20 

What many developers forget is that even though the application is a very important part of securing the "Gold", the data, there are other risks that require their attention. These risks require their understanding, and preventative measures need to be implemented, managed and validated to limit the exposure to themselves and their organizations. E.g. developers do not see the need for securing their code.
One of the things I will give you during my presentation is a reason why you should secure your code. It is one of the ways you will keep your job.

* .NET reverse engineering 
Erez Metula, Application Security Department Manager, 2Bsecure 
18:20 - 19:20

The presentation will introduce MSIL (Microsoft Intermediate Language) and debugging MSIL. Based on this foundation the presentation will explore and demonstrate tools and techniques for changing the behavior of .NET assemblies and the CLR using reverse engineering techniques.
