

Day 2 of the EUSecWest/core06 security conference in London...

The second and last day of EUSecWest has been and gone. It turned out to be a fun experience, with a lot of valuable and interesting information shared by the speakers, and a lot of interesting folks met at the conference. Here are my notes from the main speakers today (I haven't included the lightning talks or vendors because I was busy drinking beer by that stage...):

Shreeraj Shah from net-square talked about web application attacks and defences.  He introduced and demonstrated a number of tools he has written for the enumeration of information from the MSN Search engine, as well as some cool tools for web services testing and penetration, including:
  • MSNPawn - discovery and enumeration of information about HTTP hosts (including discovering running hosts by the server IP address) by querying the MSN Search web service
  • MSNKnight - for building a profile about the site, by acting as a local proxy
  • wsPawn - for footprinting web services
  • wsKnight - for interacting with the web service using a WSDL file
  • wsAudit - for performing attack fuzzing on web services
Justin Clarke (me) from Ernst & Young talked about automating web application assessment and exploitation.  The talk seemed to go down fairly well.  I demonstrated some of the tools that were written for Network Security Tools, as well as one tool (SQLBrute) that is available from my site.  I also completely forgot to demonstrate one small tool (IEnterceptor)... whoops.

Andy Davis from Information Risk Management talked about ColdFusion security.  They have been doing a lot of research on versions 7, 6.1 and 6.0 of CF, and talked about some of the issues (especially in the admin interface) that can be leveraged for nefarious purposes.  Some of the issues they found haven't been fixed yet (in the services etc. that ship with CF), so we can look forward to more once Adobe release the fixes.

Tim Hurman from Pentest Limited talked about the security of personal ARM devices, such as common PDAs.  This covered some similar ground to Barnaby Jack's talk yesterday, with the difference that Tim was using JTAG to debug iPAQs and the like, and went on to demo an "always on" vulnerability in (I think) the vCal parsing via Bluetooth OBEX file transfer on a (I think) HP 5xxx iPAQ running Windows Mobile 2003.  The exploit's payload was a nice window showing "0wn3d".  Tim mentioned how this type of issue could be used to formulate an "airborne virus" that you could pick up from an infected device, which would attack your desktop PC when in the sync cradle, and attack other mobile devices via Bluetooth when not attached.  Nice :-)

Raffael Marty from ArcSight talked about visual security event analysis using the Afterglow toolset.  Raff went through a number of visualisation examples, and these did look very useful for this type of application.  I will definitely be having a look into these sometime soon.

Michael Boman from KPMG Singapore talked about network security monitoring theory and practice, and also the SGUIL network monitoring console.  This looked pretty useful, and a possible alternative to some of the (expensive) commercial consoles that are becoming more available.

Jim DeLeskie from Teleglobe & Danny McPherson from Arbor Networks talked about securing the infrastructure from the point of view of the service provider.  This was pretty interesting to me as well, especially when talking about the provider techniques and limitations when responding (or not) to DDoS attacks.

Andrea Barisani from Inverse Path (and the Gentoo team) talked about the Gentoo rsync server compromise that happened in December 2003 (of a core portage rsync server), the detection of the compromise, analysis of what happened (including identification of the flaw in rsync), and the coordination of working with the rsync developers in fixing the flaw.  Very informative.



Comments (1)

H4mm3r:

I was there also. You captured the environment perfectly. Great writing, and also thanks for the simplescanner.pl



This page contains a single entry from the blog posted on February 21, 2006 11:03 PM.


This weblog is licensed under a Creative Commons License.