April 4, 2012 | RM West Overlook | 2 PM

The working session will be held to reflect on achievements, discuss current initiatives, and to identify emerging areas of concern. If you are involved with the project or would like to get involved, the working session is the perfect place for your voice to be heard.

Through the OWASP Mobile Security Project, our goal is to raise visibility and awareness around mobile application security issues. With collaboration between many different industries, we are bringing together experts from many different areas to solve hard problems.

Join us in our efforts to make the mobile world a more secure place.

Kris will be participating as a Panel Speaker at AppSec DC 2012.

With more than 15 years of information security experience, Percoco leads the global SpiderLabs organization that has performed more than 1300 computer incident response and forensic investigations globally, run thousands of ethical hacking and application security tests for clients, and conduct bleeding-edge security research to improve Trustwave’s products.

Prior to joining Trustwave, Percoco ran security consulting practices at VeriSign, and Internet Security Systems. In 2004, he drafted an application security framework that became known as the Payment Application Best Practices (PABP). In 2008, this framework was adopted as a global standard called Payment Application Data Security Standard (PA-DSS).

As a speaker, he has provided unique insight around security breaches, malware, mobile security and InfoSec trends to public (Black Hat, DEFCON, SecTor, You Sh0t the Sheriff, OWASP) and private audiences (Including DHS, US-CERT, Interpol, United State Secret Service) throughout North America, South America, Europe, and Asia.

Percoco and his research has been featured by many news organizations including: The Washington Post, eWeek, PC World, CNET, Wired, Hakin9, Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The Times of London, NPR, Gizmodo, Fast Company, Financial Times and The Wall Street Journal.

In 2011, SC Magazine named Percoco Security Researcher of the Year. In addition, he was inducted into the inaugural class of the Illinois State University College of Applied Science and Technology Academy of Achievement.

Percoco is a member of the Dean’s Advisory Board for The College of Applied Science & Technology at Illinois State University and a co-creator on the planning committee of THOTCON, a hacking and security conference held in Chicago each year. He has a Bachelor of Science in Computer Science from Illinois State University.

Abstract:

2012 Global Security Report

The Trustwave 2012 Global Security Report highlights top data security risk areas, offering predictions on future targets based on analysis and perceived trends.
This 45 min., presentation will provide the attendee with a understanding current threats, techniques and entertaining examples

• Results from over 300 incident response and forensic investigations performed across 18 different countries _ you can learn how to fight better if you understand history.
• Results analysis from over 2000 manual penetration tests and over 2 million network and application vulnerability scans the results will surprise you. _ attendee will better understand what SpiderLabs is seeing in the real world
• Analysis and trends from 16 Billion emails from 2008 to 2011 _ the results are surpising -Usage and weakness analysis of over 2 million business passwords _ what r00t can tell you about your user base.
• Analysis of Denial of Service incidents of 2011 and update on OWASP http post tool and the OWASP CRS Mod_Security project
• Analysis of almost 300,000 different digital certificates (SSL) from a scan of over 17 million Internet facing devices including The Online Certificate Status Protocol (OCSP) usage data from our SSL infrastructure
• References to OWASP projects and methodologies in helping the attendee deal with yesterdays problems, tomorrow.

Abstract:

Hacking NETC Applications The Black Arts

This talk will focus on attacking .NET Desktop Applications(EXE/DLL/Live Memory)
Both WhiteHat and BlackHat hacking will be shown on common security concerns such as intellectual property protection systems and licensing systems.

This presentation will have a New Drop of forensic info on what can be accessed about a .NET application, with basic info targeted at Malware Analysis and Live/Dead System Forensics.

Last year I showed how to bend .NET applications and the Runtime, This year I will show how to break the rules. I will break rules like executing ASM and injecting compiled IL (byte code) into signed and protected EXE/DLLs. I will show some Black Arts like making Malware/Key-Gens/Cracks.

The tools shown will be available from DigitalBodyGuard.com.

Francis founded Tempest Software Inc. in 1995 to develop middleware products for advanced enterprise applications. The company flourished under his leadership, growing to $8 million in sales in its first five years. In 1991 he founded Heldenleben Corporation, where he developed HeldenPort, the world’s first compiler for a graphical 4GL. The product was licensed and marketed to over 40,000 developers around the world.

Prior to becoming an entrepreneur, Francis held senior technology positions at the Bank of New York, New York Life Insurance Company, and several other major corporations. He was the lead developer for major enterprise systems for applications including finance, manufacturing, treasury management, and underwriting.

Francis is a noted expert in the fields of cybersecurity, computer-language design, compiler implementation, network communications, large-scale distributed application architectures. He has several issued and pending patents to his credit.

A very strong advocate of open-source software development, Francis created several widely-used open projects, including the Ruby Net/LDAP library, and the EventMachine high-speed network-event management system. He has also contributed to many other projects.

A strong speaker and writer, Francis has developed a significant following on subjects relating to technology, cybersecurity, financial markets, and national economic and security policy. He is a regular guest on the Coffee & Markets podcast series, and has been published in Commentary Magazine, Human Events, and others.

Francis attended the Eastman School of Music and the University of Michigan, majoring in music history and orchestral conducting. He began his career at the New York City Opera, under the direction of Beverly Sills. He and his wife Paula, a professional opera singer, reside in Long Island City, NY. Francis is a member of the 2000 class of Henry Crown Fellows at the Aspen Institute

Abstract:

Securing Critical Infrastructure

Author: Francis Cianfrocca, Bayshore Networks
The actual practice of information assurance in industrial control systems (ICS) has changed very little in recent years, even as recognition and awareness of vulnerabilities have risen sharply and statutory/regulatory pressures have intensified. In this presentation, we identify the key reasons for this mismatch between need and action. We show that, while business and organizational issues get much of the attention, a far more serious gap has opened between system vulnerabilities (including the capabilities of attackers) and commonly-deployed cyber security technology.

The technology gap is widening rapidly as organizations seek 1) broader integration of industrial control systems with enterprise IT; and 2) increased sharing of operational data across organizational boundaries.

Standard practice and regulations generally view the assurance of ICS integrity/availability as either an access-control problem or a problem that encrypted streams can solve. This approach has value, but is quite inadequate to address both 1) the expanding scale of potential attacks against civil infrastructure; and 2) the potential monetary and societal losses from successful attacks. The current state of ICS security parallels that of enterprise IT security in the past, with respect to the differences between the network (Layer-3) and the application (Layer-7) approaches. History shows that network-level security failed to adequately protect enterprise applications. ICS security is at that point today.

We present experience-based results from new technologies developed and/or applied by our organization in industrial control systems. Among the technologies to be described are 1) new data-flow protection methodologies including flow-based heuristics; 2) improving the detection of malicious or dangerous events within “normal” ICS data flows; 3) architectural controls such as unidirectional flows; 4) the value of “big-data” approaches, particularly in large-scale metasystems such as electric power transmission and distribution; 5) how to inhibit attacks like Stuxnet and Duqu in real-time.

We also assess the applicability of many existing OWASP recommendations for enhancing security in enterprise IT to the ICS threat.
Use-cases will be drawn from sectors including: building/factory-floor management; electrical grid; oil/gas; tactical/battlespace applications; and/or any of the 18 critical infrastructure sectors as defined by the Department of Homeland Security.

Abstract:

What can an Acquirer do to prevent developers from make dangerous software errors

Today’s technology enabled environment has an exponentially increasing number of paths that an adversary could take to compromise an IT product or service. To ensure confidentiality, integrity, and availability of the technology, security professionals must convince stakeholders to adopt foundational and specialized security practices to ensure trustworthiness of the product or service. Acquisition organizations and their stakeholders are engaging in discussions about trustworthiness of the products and services they are acquiring and are incorporating requirements in request for proposals (RFPs) and contracts. The question is are they choosing the language that best represents their needs or are they simply looking for a one size fits all solution. Over the last 6 months multiple RFPs from the a diverse group of US Government agencies included requirements for NIST IR 7622 practices, the OWASP Top 10, and SANS Top 25 CWEs, and SANS certified secure Java developers. Recently some statements from NISTIR 7622 on ICT Supply Chain Risk Management were found in a large government procurement and the document is just a draft. It is clear that development teams need to be ready to deliver against additional requirements for trustworthy technology products and services. The session will tackle many questions related to understanding why developers continue to make these dangerous coding errors including how developers can work with security practitioners and organizations to ensure the success of their business mission and functions.

Dave has over 20 years of experience in the information security field, and has focused exclusively on application security since 1998. At Aspect, in addition to his COO duties, he is Aspect’s application security courseware lead, one of their chief instructors, and provides a wide variety of application security consulting services to Aspect’s clients. Prior to starting Aspect, he ran the Application Security Services Group at Exodus Communications. Dave has a Bachelors and Masters degree in Computer Science, is a CISSP, and a CISM.

Abstract:

Unraveling some of the Mysteries around DOMbased XSS

DOM-based XSS was first revealed to the world back in 2005 by Amit Klien, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it’s poorly understood.

This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review.

This talk will include discussion of numerous open source resources that are available on this topic. OWASP has numerous articles on DOM-based XSS, including a definition article (https://www.owasp.org/index.php/DOM_Based_XSS), an OWASP testing guide article _site_scripting_(OWASP-DV-003)), and the DOM-based XSS prevention cheat sheet eat_Sheet), and there are also other open source articles from leading researchers like Stefano Di Paulo (http://code.google.com/p/domxsswiki/wiki/Introduction) as well. The speaker has already contributed to all of these OWASP articles and in preparation for this talk, plans to review and contribute additional enhancements to each of these articles in order to make the author’s recommendations publically available to the web security community in a very broad manner far beyond just delivering this talk at AppSec DC. The talk will also showcase and provide worked examples of how to use open source proxy tools like OWASP ZAP (https://www.owasp.org/index.php/ZAP) and WebScarab (https://www.owasp.org/index.php/WebScarab), along with Firebug and Chrome’s developer tools to track down DOM-based XSS issues within an application. The only open source DOM-based XSS detection tool, DOMinator (http://code.google.com/p/dominator/), will also be showcased in this talk.

His interest and expertise in the area of security dates back to his thesis in which he wrote about avoiding and tracing distributed denial-of-service attacks. He worked for a Swiss IT service provider as a Web security expert; later he joined LINX, Europe’s largest Internet exchange, where he took care of member network security issues. After working for three years as a senior consultant designing and implementing large Web farms, including security audits with a leading traffic management company, Alexander switched to the SPX Corporation, where he was the main project manager for Web application solutions in the SAP area. In 2005 he founded ‘art of defence’ in Germany and developed a truly distributed web application firewall product for high performance environments. The company has been acquired in 2011 by Zeus Technology which has shortly after been acquired by Riverbed Technology.

Alex is one of the major contributors to OWASP’s whitepaper “Best Practices Guide: Web Application Firewalls,” which was released by the OWASP Germany Chapter has been translated into English, French, and Chinese. He is a regular speaker at OWASP conferences and meetings world wide mostly with a focus on web application security, scalability and performance.

Abstract:

Cloudbased dWAF A Real World Deployment Case Study

I explain the decision-making process of the customer during proof-of-concept, pilot and eventual deployment of a distributed Web App Firewall (dWAF). Post-deployment, I go through the care and feeding of a dWAF protecting resources living in the public cloud, from technical hiccups and tradeoffs to integration in the Dev/QA/Production processes of the security lifecycle of a web app firewall. The talk will be 45 minutes including questions and answers.

Prior to joining HP, Los defined what became the software security program and served as a regional security lead at a Global Fortune 100 contributing to the global organization’s security and risk-management strategy internally and externally.  Rafal prides himself on being able to add a ‘tint of corporate realism’ to information security.

Rafal received his B. S. in Computer Information Systems from Concordia University, River Forest, Ill.

Abstract:

Overcoming the Quality vs Quantity Problem in SoftwareSecurity Testing

The current state of software security poses a very serious problem when it comes to technology. Does the organization strive for more quality, or quantity in uncovering critical software security defects? Unfortunately as a result of the constraints of many security organizations’ budgets and available resources these critical components are often mutually exclusive. Organizations shouldn’t have to sacrifice quality for quantity, or vice versa their software security programs.

While obtaining good quantity of coverage (both inside a single application from a static and dynamic perspective and across the enterprise application landscape) is critical to understanding the total threat profile of an organization, the organization simply can’t forego the quality aspect because a poor test can not only provide a false statement of compliance but create the illusion of security. So what can organizations constrained by resources, capital and knowledge do to balance quantity against quality in their software security programs?

How can people, process, and technologies be leveraged to effectively balance the quantity vs. quality scale? The speaker will address this very critical balance from a vendor-neutral, technology-agnostic perspective, giving developers, quality analysts and security testers the perspective necessary to provide optimal balance.

Abstract:

State of Web Security

I will cover the current state of web based attacks as we see them monitored on our network. In total somewhere around 1 million+ domains are attacked and monitored on our network, so the sample of data provided should be acceptably accurate.
The data will be provided in the presentation using statistical data of logged attacks against our network and customer’s sites (and can be provided to security researchers in a raw formet). This will provide the audience with a knowledge of how severe a new exploit can become once attackers utilize it, as well as details on what types of attacks are popular with malicious parties.
Time allowing, we will cover a detailed dissection of a handful of common backdoors we see on our network (of course choosing the most unique and interesting backdoors we encounter.) This is not to help the audience on how to design backdoors, but instead provides a basic overview of these attacker’s knowledge and intent (why the bad guys do the things they do.)

Abstract:

AMI Security

Advanced Metering Infrastructure (AMI) is the most exposed part of the Smart Grid. Public-facing devices include smart meters on the sides of businesses and houses and aggregation points on the top of telephone poles. But the risks and vulnerabilities do not stop here. The back-end resources of an AMI implementation are still potentially vulnerable to all of the same threat vectors as everyday web-based business solutions. Cross-site scripting, cross site request forgery, insufficient network monitoring, and questionable web server and database configurations all play a part in increasing the risk to the AMI deployment and the electrical grid itself. This presentation will outline these vulnerabilities and provide recommendations that will increase the security of an AMI deployment and increase the reliability of the electrical infrastructure it supports. This presentation will cover the following topics:
- AMI implementation overview from Smart Meters to the back-end resources – Smart meter hacking techniques and mitigations – FHSS analysis techniques and mitigations – Network configuration and monitoring concerns and mitigations – Web application vulnerabilities and mitigations

Rules:
The contest begins on April 4th at 1pm and ends the next day, April 5th at 1pm.
Competitors are allowed to team up with a other contestants but prizes are only available for four (4) participants. All participants must physically attending the conference and external access ot the system is not available. Additionally, we are bound by the Convention Center’s hours of operation to conduct the CTF so this will not be an all night competition.

The scoring system and any other system NOT designated as “In-Scope” is considered OFF-LIMITS and any malicious activity towards or on those systems will result in an immediate disqualification for the team from which the participant(s) exists.

Contestants will use their own equipment to compete with but it is HIGHLY recommended that contestants do not bring equipment which hosts personal or sensitive data.
Scoring will take place via a web-based scoreboard portal. Teams will have individual logins that will be required to submit points.

Resources:
Internet access will be offered at the conference as a means to obtain tools necessary for the competition, but we recommend that you bring the necessary tools to the event. We cannot guarantee access to all sites via the standard convention network, and visiting some sites you would normally obtain hacking tools from may be blocked from the normal convention Wi-Fi. OWASP AppSec DC will provide an isolated the environment and systems which will host the vulnerable applications.

• Bring…
• Android SDK (Emulator)
• Any other Android related testing tools (Mallory, Eclipse & DDMS, etc.)
• Your toolkit, of course
• Energy!

Prizes:
First Place: TBD
Second Place: TBD
Third Place: Free admission to AppSecDC 2013
Fourth Place: TBD

Registration:
Registration will be held up to the day of the competition 4/4/2012 at 12:30PM and can be done either by sending an email to ctf@appsecdc.org in the format listed below or in person in room 207A. We urge participants to register prior to the conference as space is limited.

Name: First, Last
Alias: Ex: 1337h4xx0r
Team Name: Ex: E4tU4br34kf4s7
Team Size: Max of 4
List Teammates: By Alias, if none, list N/A

Abstract:

Smart Bombs Mobile Vulnerability and Exploitation

Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization.
This talk will work with applications from the top three main platforms; iOS, Android and Blackberry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real world examples of the problems applications face.