-
Quick defcon/blackhat preparation list
A couple of people had asked me what are some things that you can do prior to attending hacker cons such as Blackhat and Defcon. Kurt Cobain said it best: "Just because you're paranoid, doesn't mean they're not after you." Here's a short list (albeit not complete as I don't plan to publish all…
-
WASC Party at RSA
The Web Application Security Consortium (of which I am a co-founder) is throwing a party at RSA this year in San Francisco. Here's the formal announcement. "Take a Break @ RSA and Meet-up with Your Peers at the WASC Meet UP Join your Web application security peers for lunch at Jillian's@Metreon. Take a…
-
Cryptography experts bicker with former NSA director at RSA panel
I recently attended RSA and had a chance to see the cryptography panel. Towards the end of the panel an amusing amount of bickering began between the former NSA technical director (Brian Snow) and folks such as Whit Diffie (inventor of the Diffie-Hellman key exchange) and Adi Shamir (co-founder of the RSA algorithm) about what…
-
WASC RSA Meet-Up 2010!
The Web Application Security Consortium (WASC) is having an official meetup in San Francisco during the RSA conference. If you like to get free food/drinks, shoot pool, and chat appsec with many of the leading researchers in the appsec world, this is your chance. WASC RSA 2010 Meet-up Wednesday, March 3, 2010 Lunch served: 12:00 PM…
-
Heading out to AppsecDC
I'll be heading out to AppSecDC to present Transparent Proxy Abuse on Thursday, so if you're attending and want to chat about appsec I'll be available after my talk. Here's a teaser of my presentation I'll be presenting a video demonstrating this abuse case against Squid and Mac OS X Parental Control software prior to…
-
AppSec DC 2009
"OWASP Announces International Application Security Conference for 2009 Speaker Agenda Released and Registration Open for 2009's Largest Web Application Security Event Washington DC August 20th, 2009 — Following in the footsteps of the Open Web Application Security Project's (OWASP, http://www.owasp.org ) immensely successful and popular conferences earlier this year in Australia, Poland, Ireland, and Brazil,…
-
Heading out to blackhat/defcon
I'm heading out later today for my yearly Blackhat/Defcon trip and looking to attend the following blackhat talks as of now. Day 1 Veiled – A Browser Based Darknet Practical Windows XP/2003 Heap Exploitation Fighting Russian Cybercrime Mobsters More Tricks for Defeating SSL Enterprise Java Rootkits The Language of Trust State of the Art Post…
-
Researcher barred for demoing ATM security vuln
"A talk demonstrating security weaknesses in a widely used automatic teller machine has been pulled from next month's Black Hat conference after the machine vendor placed pressure on the speaker's employer. Juniper Networks, a provider of network devices and security services, said it delayed the talk by its employee Barnaby Jack at the request of…
-
Practical Example of csSQLi Using (Google) Gears Via XSS
"Yesterday, at the Blackhat DC security conference, I spoke about the dangers of persistent web browser storage. Part of the talk focused on how emerging web browser storage solutions such as Gears (formerly Google Gears) and the Database Storage functionality included in the emerging HTML 5 specification, could be attacked on sites with existing cross-site…
-
Web Application Security Consortium (WASC) RSA Meetup 2009
If you like talking about website and application security and will be in San Francisco in April, I highly recommend attending the Web Application Security Consortium's RSA Meet-up. We've been doing this for the past 3-4 years and always get a great crowd. Here's the formal announcement. Take a Break @ RSA and Meet-up with…
-
MD5 considered harmful today: Creating a rogue CA certificate
UPDATE: I’ve added a link to the presentation slides and some other sites providing coverage of this. The following paper was published today at the CCC conference by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. “We have identified a vulnerability in the Internet Public Key…
-
My Trip To Microsoft’s Bluehat Conference
Last week I attended Microsoft’s Bluehat conference for the first time and found the experience to be pretty positive. Here are a few highlights. New Tools Announced: Microsoft Threat Modeling tool v3.1 RC2 (Public release date: unknown); CSSH is a CSS history theft tool combining a crawler to enumerate the links you’ve visited on a…
-
OWASP European Summit 2008 is November 3-7 in Portugal
Matthew Chalmers submitted the following news. "With the theme "Setting the AppSec Agenda for 2009" the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends. Join us in Portugal in just a few short weeks!…
-
OWASP/WASC Party at Blackhat in Las Vegas
WASC and OWASP are throwing a party this year during blackhat at the Shadow Bar, sponsored by Breach. This will be the 3rd party at the Shadow Bar, and the 2nd joint WASC/OWASP event. If you want to chat appsec, this is where everyone in appsec will be.
-
Getting to see an enigma machine at RSA 2008
My week at RSA has been fairly interesting. One of the highlights was getting to see an Enigma at the NSA booth. Here is a short video I made of the NSA Museum employee explaining how it works.
-
WASC Beerfest 2008 @ RSA April 9th
Announcement Link: http://jeremiahgrossman.blogspot.com/2008/03/wasc-rsa-meet-up-2008.html
-
Appsec 2007 Event pictures
The WASC/OWASP event went very well, as over 250 people showed up. Below are some pictures of the event by a few of the attendees, including Anurag, a WASC officer. I will add more pictures as they become available, including news stories covering the event. Anurag Picture Link: http://myappsecurity.blogspot.com/2007/11/appsec-2007-pictures-of-breach-party.html Wayne Picture Link: http://picasaweb.google.com/wayne.armorize/OWASPWASC2007 GGee Picture…
-
WASC meetup on Nov 8
WASC is having a meetup in Silicon Valley in Cupertino, California. If you're interested in attending, visit the meetup link below and RSVP. These meetings are a good way to find out what WASC (The Web Application Security Consortium) is all about, chat with fellow security people, and drink beer. Meetup Link: http://myappsecurity.blogspot.com/2007/11/wasc-meetup-on-nov-8.html
-
OWASP & WASC AppSec 2007
"OWASP and WASC have joined forces for this year's AppSec 2007 conference being held at eBay in San Jose, CA on Nov 12-15. A huge concentration of industry leading experts will be in attendance presenting high quality web application security content. AppSec 2007 offers a unique opportunity for security professionals, software developers, and IT managers…
-
My experience at blackhat/defcon
Vegas was interesting this year, to say the least. For starters, I finally got to attend NOT as a vendor, which I gotta say was pretty nice. Here are the talks I attended. Intranet Invasion With Anti-DNS Pinning It's All About The Timing Tactical Exploitation (Part 1) Dangling Pointer IsGameOver(), anyone? The Art of Unpacking…
-
Undercover reporter ousted at defcon, probably pretty f@!ked
UPDATE: Her MySpace page was linked off of defconpics.org and shortly after was removed from MySpace. No word on how it was removed at this time. An NBC reporter (Michelle Madigan, Associate Producer of NBC Dateline) was found to be trying to find hackers for hire and recording them with a video camera. Jeff…
-
Mozilla Releases JavaScript Fuzzer at Blackhat
"Mozilla has been using an open-source application security testing tool, known as a fuzzer, for JavaScript to detect and fix dozens of security bugs in Firefox, Mozilla director of ecosystem development Window Snyder said Thursday at the Black Hat USA 2007 conference in Las Vegas. The JavaScript fuzzer found 280 bugs in Firefox, 27 of…
-
Joanna Rutkowska Pwns challengers at blackhat
"In their presentation, titled "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers detailed how to use counters that are external to a system to detect a virtualized rootkit's pull on CPU resources or other telltale footprints. It's got to be an external counter, given that a virtualized rootkit sits at the hypervisor level…
-
Leaving for blackhat
I'll be leaving for blackhat shortly, and site updates will slow down a bit, as will moderation of the web security mailing list. If you're in Vegas and want to chat appsec, be sure to RSVP to the huge OWASP/WASC party; I'll be there with just about every other application security industry person. I'll…