Morning all,

It is time for another iSEC Seattle Open Forum. This time we have Billy Rios, Rachel Engel and Ian Hellen speaking on a variety of security topics. For 2009 I have resolved to set the agenda earlier. As such we have settled on a quarterly schedule with events on the fourth Thursday of the month. Future events will occur on April 23rd, 2009, July 23rd, 2009 and October 22nd, 2009. I am soliciting speakers for future events.
If you plan on attending please RSVP either directly to me or to [email protected] so we can ensure there is enough food and drink.

-- Andrew Becherer

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
iSEC Open Forum Seattle
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

DATE: Thursday, January 22nd, 2009
TIME: 6pm-9pm
LOCATION: iSEC Seattle Office (1st Floor Conference Room)
810 Third Avenue
Seattle, WA 98104

Please RSVP to [email protected] if you wish to attend!

***appetizers and beverages to be served***
***technical managers and engineers only please***

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
AGENDA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

SPEAKER: Billy Rios / Security Engineer / Microsoft Corp.
PRESENTATION TITLE: "Cross domain leakiness: Divulging sensitive information and attacking SSL sessions"
PRESENTATION SUMMARY: In this presentation, we'll see that cross-domain issues are still relatively common in browsers. The cross-domain issues can be split into two groups. First, there are out-and-out bugs that can be fixed relatively easily. These bugs tend to be in the less common cross-domain functional areas, and are often introduced with new cross-domain capable features. Interesting examples of such bugs will be discussed, and some new examples released. Secondly, there are cross-domain leakages resulting from how browsers generally work by design or intent. These are unfortunately hard to fix without breaking things, and the regrettable consequence is often that web app developers have to beware of an increasing list of dangers. We will look at some new pitfalls here in the areas of cross-domain CSS, scripting and cookie handling. Finally, there will be an interesting diversion that takes "sidejacking" to the max -- looking at what you really can do if you are an active man-in-the-middle attacker looking to attack a victim who is carefully using only SSL sessions.

SPEAKER: Rachel Engel / Security Consultant / iSEC Partners
PRESENTATION TITLE: "Why I wrote my own web proxy (when there are so many already available)."
PRESENTATION SUMMARY: Web proxies with a graphical editor mode are a staple of web penetration testing. The current round of web penetration proxies is a good start, but I think we can do a little better, and am working on doing so. Current approaches mix being web proxies with attempts at automated analysis of security vulnerabilities. The best approach is to leave automated analysis to tools that do such things, and have the web proxy act as an attack surface browser for web attacks, putting the security analyst firmly in the driver's seat of the web pentesting experience. Gizmo is the beginning of a new attack surface browser, and I'll be talking about the thought process that led me to reinvent the wheel, what features I think attack surface browsers should include, and where I'm going with gizmo.

SPEAKER: Ian Hellen / Senior Security Engineer in Windows Security Assurance / Microsoft Corp.
PRESENTATION TITLE: "Probing the Far Corners of Windows – Using Code Characteristics to Find Security Bugs"
PRESENTATION SUMMARY: The talk will focus on methods we've used to identify high risk components that need special attention in the form of design and code reviews. We will be covering the following topics:
* Recap on security review process for Windows – where do we need to improve things?
* What makes code high risk – combination of attackable surface, the security guarantees made and the quality of the design and code.
* How we identify and measure attack surface components
* How we identify components that make security guarantees
* How we identify code quality (or at least where code is likely to be poor, more bug prone or simply naive)
* How we add all this together to produce meaningful metrics
* How this all fits (or will fit) into the Windows security review process
* Case studies of where we've used this to help track down serious bugs
* Future plans to automate security testing based on the risk score outcome and code characteristics

Interested in presenting at a future Forum? Email [email protected]. Talks should be 20-30 minutes max.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
About the iSEC Open Security Forum
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The iSEC Open Security Forum is an informal and open venue for the discussion and presentation of security related research and tools, and an opportunity for security researchers from all fields to get together and share work and ideas. The Forum aims to meet in the Bay Area and Seattle quarterly. Forum agendas are crafted with the specific needs/interests of its members in mind and consist of brief 20-30 minute talks. Talks are not product pitches or strongly vendor preferential. Attendance is by invite only and is limited to engineers and technical managers. Any area of security is welcome including reversing, secure development, new techniques or tools, application security, cryptography, etc.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
To unsubscribe from further communication regarding iSEC Partners Events, please email [email protected] with UNSUBSCRIBE in the subject.

--~--~---------~--~----~------------~-------~--~----~
Website: http://saturdayhouse.org/
Post: [email protected]
Unsubscribe: [email protected]
-~----------~----~----~----~------~----~------~--~---
