[SecurityRatty] tag: participation

OWASP European Summit - Portugal

Wed, 15 Oct 2008 14:27:22 +0000

Portugal/Algarve - 4th - 7th November 2008

Setting the Web Application Security Agenda for 2009: OWASP Invites You to Join Our Summit in Portugal

http://www.owasp.org/index.php/OWASP_EU_Summit_2008

With the theme ‘Setting the AppSec agenda for 2009′, the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends. Join us in Portugal in just a few short weeks! This venue hosts a diverse selection of training courses along with technical and business tracks, making it THE place to learn about web application security and the resources OWASP has available for use today.

OWASP is a not-for-profit organization with the purpose of supporting the Web Application Security community around the world, and has granted $250,000 USD for web application security research. In addition to over 40 presentations from the OWASP Leaders and grant recipients, the OWASP Summit will host multiple Working Sessions designed to improve collaboration, achieve specific objectives and identify roadmaps for OWASP projects, chapters, and the OWASP community itself.

To facilitate this event, OWASP is investing $150,000 USD which will be used to cover air travel and accommodation expenses for OWASP leaders, active contributors, and select key industry leaders. With their confirmed presence, the OWASP Summit will provide a relaxed but professional environment to meet, discuss, influence and contribute to OWASP projects.

There are still funds available! If you are interested in attending and you meet the profile of the current OWASP supported attendees (see list here: http://spreadsheets.google.com/pub?key=pAX6n7m2zaTVLrPtR07riBA) contact Paulo Coimbra (paulo.coimbra@owasp.org). Please note that you should do so only if you meet the paid attendance criteria (see herehttps://www.owasp.org/index.php/OWASP_EU_Summit_2008_paid_participation_rules) and are unable to get corporate support to attend this event (for other corporate sponsorship opportunities see http://www.owasp.org/index.php/OWASP_EU_Summit_2008_Sponsors).

The OWASP Summit will also host a large and diverse selection of training courses, covering multiple OWASP specific and Web Application Security Topics.

The remarkable impact of OWASP is made possible only by the collaboration of many dedicated people and organizations worldwide. In that spirit of cooperation, OWASP invites all its members (who have 20% discount + 1 VIP Ticket) and interested individuals and companies to attend this thrilling event. Please join us and help to set the Web Application Security Agenda for 2009!

Please see below for additional details about the OWASP Summit or visit the OWASP Summit website: http://www.owasp.org/index.php/OWASP_EU_Summit_2008.

Projects

OWASP projects selected for Summit presentation include new documentation and innovative tools to help developers, architects, and security specialists ensure that applications are secure:

Application Security Verification Standard,
Code review guide, V1.1,
Ruby on Rails Security Guide v2,
Securing WebGoat using ModSecurity,
Testing Guide v3,
GTK+ GUI for w3af project,
Access Control Rules Tester,
AntiSamy .NET,
Live CD & DVD Project,
OpenPGP Extensions for HTTP,
Orizon Project,
Python Static Analysis,
WebScarab-NG,
And many, many others.

Working Sessions

Expecting the presence of the application security industry key players, the Working Sessions will cover a wide range of issues such as:

OWASP Top 10 2009,
Browser Security,
Web Application Framework Security,
Enterprise Security API Project,
Best Practices for OWASP Chapter Leaders,
OWASP Documentation Projects,
OWASP Tools Projects,
OWASP Education Project,
OWASP Strategic Planning for 2009,
OWASP Certification,
OWASP Winter of Code 2009
Two-way Internationalization of OWASP Content
And many more.

Training

These 2-day, 1-day or 1/2-day training courses cover a wide range of OWASP specific and Web Application Security Topics:

OWASP Top 10 - What Developers Should Know on Web Application Security
Uncovering WebScarab’s Secret Treasures
Securing WebGoat with ModSecurity
Secure Programming with Java
Advanced Web Application Security Testing
Building Secure Web 2.0 Applications
Building Secure Web Services
Building Secure Web Applications with OWASP’s Enterprise Security API (ESAPI)
Classic ASP Security using OWASP tools
Web Application Assessments
Hacking Owasp Orizon Project v1.0
Ajax Security
Practical Penetration Testing: Think Like an Attacker to Stop Attacks
Linux Software Exploitation
Web server/services hardening using SELinux

Main Contact:

Kate Hartmann
OWASP Operations Director
9175 Guilford Road, Suite 300
Columbia, MD 21046, USA
Phone: +1-301-575-0189
Facsimile: +1-301-604-8033
Email: kate.hartmann@owasp.org

Information Assurance Education: A Work In Progress

Wed, 08 Oct 2008 00:42:06 +0000

The recognition that we need improved computer security education has increased over the past several years. Recent cyberattacks in Georgia and Estonia exemplify the new threats faced by economies that rely on the Internet. Thus, more people see the need to protect cyberspace—which translates into improving computer security in all aspects of computer use—as crucial for everyone, not merely for those who work with technology. In this column, we reflect on emerging opportunities and challenges in instruction as well as the need for increasing the partnerships among industry, government, and academia to foster mutual understanding of challenges and joint participation in solutions.

Interview with Lenny Heymann, Interop General Manager

Tue, 23 Sep 2008 16:47:39 +0000

Interop General Manager Lenny Heymann, took some time out of his very busy show schedule to talk with us at Interop New York this year.

We chatted about the growth of the show and how much that growth reflects the industry itself. Since the bust earlier in the decade both Interop Las Vegas and New York shows have grown year over year – not just in attendees and exhibitors but in topics covered in the conference tracks. As any of us who are in the space know, it’s a rapidly changing market and Interop strives not just to cover the latest trends but also to get ahead of them while still making sure that they are relevant.

The show’s mission overall has expanded beyond “just” networking to cover performance and new trends like virtualization, cloud computing and SAAS that all affect network performance. It is a mirror for the demands on the network (and network admins) and the convergence we see going on that make managing the network so complex today.

Responding to criticisms about the lack of interoperability at the show, Lenny says, “Our special sauce is interoperability.” And in fact the expanded mission of the show ensures that there are more interoperability issues to deal with and he invites the community to comment and share feedback on this core mission.

Last, we talked about InteropNet. We’ve loved our participation in it this year for a variety of reasons – from the opportunity to work with other cool vendors in an intensive and real-life/real-time environment to the true sense of camaraderie and “getting it done” that everyone shares on the InteropNet team to the wonderful atmosphere of hard work AND hard play that you have to experience to believe.

We talked with Lenny about how he measures InteropNet “success” and the answer was illuminating. They’ve got high expectations at Interop; they expect the network to just work, so the focus is actually not on uptime and SLAs – that’s a given. “Nothing less than perfection works here.” (Let me tell you, after my horrible experience with the super slow and inaccessible network at the VMworld conference, that is definitely not always the case. Maybe InteropNet should sell its services…hmmmm…) Rather, it’s about being able to showcase technologies and strategies for networking and interoperability – or as we’re interpreting that, basically “walking the walk – which in the end is what InteropNet is all about.

See the full video here.

Interop NY: The ROI of Social Networking

Wed, 17 Sep 2008 17:54:45 +0000

How do you derive business value from social networks?

Moderator: Nick Hoover, Senior Editor, InformationWeek
Speaker - Anne Berkowitch, Co-Founder & CEO, SelectMinds
Speaker - J.B. Holston, CEO and President, NewsGator
Speaker - Umberto Milletti, CEO, InsideView

Businesses can take advantage of social networks by finding innovative ways to reach out to people. Looking at who you know and how you know them can benefit you. Knowing a personal connection to someone that you are trying to contact (for sales) is helpful. The blurring between home, personal, and business life is making this information more available and better able to leverage. People are able to capture more valuable long term information from social networks.

A lot of social network applications can be taken from the talent management space. Deploying alumni networks as a talent source is also a great asset. Alumni represent a well-known and relevant population. This provides a great economic benefit from a social network.

If you are running a sales organization and looking at building a pipeline of leads, consider how these leads are relevant. The ability to get more leads is apparent in finding the right person, right connection, and right contact. Underlying everything are productivity and efficiency. How much time are sales reps spending researching and pursuing each opportunity? With information on social networks, the time can be greatly decreased. Knowledge sharing is something that can be actively measured.

The ROI varies with the business issue that’s trying to be addressed by a particular network. Recruiting for example has a very concrete, measurable ROI. Knowledge share gets a little more tricky. How do you measure how much is shared and the impact on business systems? Businesses need to determine what specific goal they are trying to address.

CFOs want to see ROI, not intuitive information. If you can demonstrate engagement and participation in these networks and knowledge sharing tools, more and more executives are getting comfortable seeing how it’s used at a qualitative and process level. It’s a very case by case basis.

One major crisis that we see in our customers is the competition between sales and marketing. Each wants to do their own thing, they go together like oil and water. However, the push of the economy is now forcing them work together. This is a great opportunity for IT to step in and help them collaborate and be more productive.

Other resistance from companies are how to manage what they are trying to accomplish while still giving employees free reign of sites like Facebook. What are the incentives for using these technologies? How does it fit into your company culture and productivity scale? You must bring meaning to the structure of engaging in social networks.

Social networks like LinkedIn and Facebook would not exist if people did not contribute information to them. However, if people don’t know that it is there, it does not exist. People need to see the value and get drawn in to engage. There are two ways that companies get into social networks. Tie it into the business process. The general idea of social networks are intuitive and easy to understand, which make it an easier case to present to chief executives. Make it clear - how do you go about it and what’s the value?

Social networks are intrinsically about extending the network, the more contacts you have, the more to choose from when researching a specific contact. It also has to be integrated into your dataworkflow. Companies are going to build a variety of networks inside and outside the enterprise. The big companies (SAP, IBM) are all rushing to offer collaborative and social network functionality. However, this is not entirely useful unless it’s integrated into the entire infrastructure.

Q&A with Sergey Katsev of Coyote Point Systems

Tue, 05 Aug 2008 12:34:35 +0000

I recently had the opportunity to sit down with Sergey Katsev, an Engineering Project Manager at Coyote Point Systems and discuss his experiences with InteropNet and talk about the Coyote Point products. With a couple of years of experience as a vendor for Interop, he had some interesting insights in to how participating in the InteropNet can help a vendor.

ScienceLogic: How long have you been involved in InteropNet?

Katsev: I started at Coyote Point 3 years ago and InteropNet 2006 was my first “big” assignment. This was the first time Coyote Point had put in a proposal to participate, so we were very excited when we were selected.

ScienceLogic: How long has Coyote Point been involved in Interop overall?

Katsev: We’ve been exhibiting at Interop for a number of years, and after seeing the InteropNet in action, we decided to submit a proposal in ‘06. We were actually one of the first companies in the load balancing/traffic management space (we’ve been doing this for almost 10 years), so we have a lot of experience to share with InteropNet.

ScienceLogic: What is your role at Coyote Point?

My official title is “Engineering Project Manager”. Basically, that means that I’m in charge of product releases and maintenance. It sounds like a weird title for someone participating in InteropNet, but I’ve actually found it extremely useful since my position means that I don’t get to see our systems out in the field a lot. We’ve added several features and have ideas for others just from my experiences at InteropNet.

ScienceLogic: What do the Coyote Point products do?

Katsev: Coyote Point makes a Traffic Management appliance called Equalizer. What this means is that any traffic destined for a datacenter’s servers goes through our appliances and we make sure that the server which is best equipped to handle it, does. Our systems sit between the clients and the servers and monitor the client traffic and the state of the servers. If the clients start sending more traffic, we’ll balance it out so that no server is overloaded. If one of the servers stops responding or starts responding very slowly, we’ll steer traffic away from that server.

ScienceLogic: In what way are your products being used as part of InteropNet?

Katsev: In the InteropNet, we’re utilizing a lot of our expertise: We’re making sure that traffic is balanced and servers are redundant for show services such as DNS and SMTP. We’re also using our geographic load balancing technology to ensure that the ScienceLogic EM7 appliances and some other internal NOC services are available from anywhere, with the lowest latency, with our SSL acceleration and GZIP compression technology. Finally, we’re helping logistics in the NOC by allowing a physical separation between systems located in the NOC and those in an emergency rack outside of the NOC. If either of these two locations were to fail, the network will continue operating without a glitch.

ScienceLogic: Are there any special considerations for Interop that cause you to deploy your systems there differently that any other place?

Katsev: Interop is definitely different than most of our customer installations. One difference from a standard environment is that the network (at least this year) is one large flat network, with pieces carved out where extra security is needed. Because of this, we can actually run our failover pairs of Equalizer systems in a non-standard configuration where the two peers are in different racks, or even on different floors. That’s one of the things that I really like about InteropNet — it definitely brings new ideas to mind, which end up becoming ’special configuration’ white papers after the show.

ScienceLogic: Has InteropNet taught you anything that caused you to actually change your product?

Katsev: In addition to the failover configuration differences I mentioned above, participating in InteropNet has actually caused us to add several new features and allowed configurations. One example is the “no-spoof” option for Layer 4 clusters. Prior to the 2006 shows, we always ’spoofed’ the client’s IP address when talking to a server so that the server would see the client’s IP address instead of our own. At Interop, we ran into a special configuration which would’ve been very difficult to set up in this manner, so our engineers added this feature, and it’s been very a very popular configuration with our customers ever since.

We have also had a couple of business relationships that extended outside of the show. In 2006, we had a good experience using Spirent Communications gear to benchmark the network, so we ended up purchasing a couple of these systems to test our products. More recently, we have found a way to bundle our Equalizer e350si load balancers with the ScienceLogic EM7 collector appliances to help ScienceLogic get the best performance in load balancing large quantities of syslog messages to be processed. If it wasn’t for our participation in InteropNet, neither of these relationships would’ve happened.

ScienceLogic: What’s the best part of being involved with InteropNet? What do you most look forward to?

Katsev: InteropNet is an amazing networking opportunity (no pun intended). The group of engineers that put the network together every year is, well, amazing. There is so much combined experience that any question instantly has several possible answers, and the best answer is chosen very quickly. One of the ’sayings’ at Interop is “if you run into a problem, ask someone… we’ve probably seen that problem before… five times.” One would think that being part of InteropNet is the same thing, year after year. However, in the two years that I’ve been part of this (for four shows), there have been huge differences in the way that the network is designed and put together. These are both because the vendors selected every year are different, and because the engineers who design the network change from year to year. Somehow, though, when all is said and done, we have a network that works.

ScienceLogic: You don’t have to answer this one if you’re not comfortable… What would you like to see changed with the way things are done at InteropNet?

Katsev: This isn’t a cop-out… I really can’t think of anything I would do differently. Sure, there are small problems that pop up sometimes, but every project has those, and the people at InteropNet are more than capable of figuring them all out. In fact, I know that Interop started out as a show to test the interoperability of devices… but I’m still amazed that all of these devices actually talk to each other and “play nice” together.

ShareThis

Monetizing Compromised Web Sites

Sun, 13 Jul 2008 23:26:24 +0000

Despite that pure patriotic hacktivism is still alive and kicking, compromised sites are largely getting monetized these days, starting from hosting blackhat SEO junk pages, to redirecting to live exploit URLs and fake codecs where revenue is earned through their participation in an affiliate business model.

With The Africa Middle Market Fund's site monetized by web site defacers who defaced it "in between" the blackhat SEO infrastructure they were hosting internally, in this I'll comment on the currently compromised and redirection to a fake porn sites, Camara Municipal de Amparo (camaraamparo.sp.gov.br/r.html). Basically, it's homepage is heavily linking to the Zlob variant (camaraamparo.sp.gov.br/ video.exe) in between loading an IFRAME to 61.162.230.12/ index.php. As always, upon uploading their redirector, they've build enough confidence into their new hosting provider that the link to the redirector was instantly spammed across the web. The site is so heavily linking to the internal redirector itself, that upon clicking on the majority of links the user will inevitably come across it.

Speaking of fake porn sites redirecting to Zlob variants, here are the very latest additions spammed across the web through blackhat SEO practices :

just-tube .com
mypornmovies .net
moms-galls .net
porntubefilms .com
porntubedot .com
hot-porntube .com
landmovieblog .com
sexvidtube .com
freelifevideo .com
getyourfreemovie .com
iubat .com
sweetyjoly .com
hardbizarre .com
freeworldvideo .net
hot-porntube .net
qualitymovies .net
porntube1con .net
video-info .net
videocityblog .com
fuckedolder .com
highpro1 .com
max-graf.com .pl
grandsupertds .info
hot-porn-tube .net
hot-porntube .com
terryschulz .com
show-sextube .com
qualitymovies .net
clubvideos .net

No matter the high profile site that's been exploited in order to participate in such malicious operations, for the time being, crunching out new domain names and using the hosting services of the well known ISPs neglecting their removal, seems to be the tactic of choice. The long tail of SQL injected sites is however, clearly replacing the plain simple blackhat SEO web spamming, so that traffic to these rogue sites is driven through redirection of the the traffic from legitimate sites.

Lithuania Attacked by Russian Hacktivists, 300 Sites Defaced

Sun, 06 Jul 2008 21:19:13 +0000

Last week's mass defacement of over 300 Lithuanian sites hosted on the same ISP, an upcoming attack that was largely anticipated due to the on purposely escalated online tensions out of Lithuan's accepted legislation banning communist symbols across the counry, once again demonstrates information warfare building capabilities in action.

Moreover, the attack is again relying on common prerequisites for a successful information warfare campaign, used in the Russia vs Estonia cyberattack last year. These very same Internet PSYOPS tactics ensure the success of the information warfare as a whole :

- start publicly justifying upcoming attacks based on nationalism sentions, which in a bandwidth empowered (botnets) collectivist society ensures a decent degree of cyber mobilization. In Lithuania's case, the discussions across web forums were on purposely escalated to the point where "if you don't take action, you're not loyal to your country"

- the media as the battleground for winning the hears and minds of the bandwidth empowered botnet masters, and position the insult against loyal nationalists next to the daily basis, thereby putting the nationalists in a "stand by" mode prompting them to take actions and to break even. In Estonia's case for instance, news broadcasts of the riots on the streets were on purposely broadcast as often as possible, mostly emphasizing on the nationalist sentiments within the crowds

- prioritizing the attack targets, distributing the targets list and ensuring the coordination in terms of the exact time and data for the attacks to take place is something that didn't happen in the public domain for the mass defacement of Lithuanian sites, the way it happened in the Estonia attack

- utilizing a people's information warfare tactic known as the malicious culture of participation, when everyone's consciously contributing bandwidth to be used/abused by those coordinating the attacks

Also, it's important to point out that by the time they announced their ambitions to attack Lithuania and other countries such as Latvia, Ukraine, and again Estonian sites, they literally put these countries in a "stay tune" mode. Here's a translated statement :

"All the hackers of the country have decided to unite, to counter the impudent actions of Western superpowers. We are fed up with NATO's encroachment on our motherland, we have had enough of Ukrainian politicians who have forgotten their nation and only think about their own interests. And we are fed up with Estonian government institutions that blatantly re-write history and support fascism," says the appeal that is being circulated on Russian Internet forums."

But why did they signalled their intentions, compared to keeping them quiet and attack Lithuania surprisingly? Another relevant use of PSYOPS, namely the biased exclusiveness and keeping a non-existent status bar for the upcoming attacks. And since they can launch a coordinated attack at the country at any time without warning about it, this warning was aiming to cause confusion prompting country officials to make public statements that could later on be analyzed and a better attack strategy formed on the basis of what they said they've done to ensure the attacks don't succeed.

If they did launch DDoS attacks compared to defacing over 300 sites hosted on a single ISP, and had warned about the upcoming attacks about a week earlier, successfully shutting down the country's Internet infrastructure would have achieved a double effect, since they did warn them about the attacks, and despite that they countries couldn't prepate to fight back even though fighting back was futile right from the very beginning.

At least, that's the level of confidence they've build into capabilities.

Related posts:
Right Wing Israeli Hackers Deface Hamas's Site
Monetizing Web Site Defacements
Pro-Serbian Hacktivists Attacking Albanian Web Sites
The Rise of Kosovo Defacement Groups
A Commercial Web Site Defacement Tool
Phishing Tactics Evolving
Web Site Defacement Groups Going Phishing
Hacktivism Tensions
Hacktivism Tensions - Israel vs Palestine Cyberwars
Mass Defacement by Turkish Hacktivists
Overperforming Turkish Hacktivists

Help an analyst get some real data

Thu, 19 Jun 2008 10:46:39 +0000

With all of my writing this week about lack of truth in much of the data being put on the public whether from vendors or analysts, I thought I would put my money where my mouth is. In order to get some real data to the analysts so that their reports are accurate I am posting a note I received from Aberdeen Group about a new survey they are conducting in vulnerability management. If you have a few minutes it is an excellent way to contribute. Remember, the truth shall set you free!

Would you like to learn how Best-in-Class companies successfully maximize their results in IT Security Patch and Vulnerability Management?

By participating in this brief survey, you will be able to see how your experiences in Patch and Vulnerability Management compare with those of your peers, benchmark your performance, and see how you can achieve Best-in-Class results.

My name is Saqib A. Khan, a Senior Research Analyst at Aberdeen Group, and I am conducting a survey that will help companies such as yours determine the Best-in-Class procedures for Vulnerability Management. Your participation is a vital part of the report development, and serves as the foundation of Aberdeen's research. If your company is planning on implementing Vulnerability Management solution, or is simply evaluating the potential benefits, we would appreciate your feedback in this brief, 10-minute survey.

In appreciation for sharing your time and thoughts with us, we will provide complimentary access for you to the full benchmark report as soon as it is published (a $399 value).

Individual responses will be kept strictly confidential, and data will
only be used in aggregate.

We look forward to hearing from you, and greatly appreciate your
time and participation.

Sincerely,

Saqib Khan

Help an analyst get some real data

Thu, 19 Jun 2008 09:49:28 +0000

Would you like to learn how Best-in-Class companies successfully maximize their results in IT Security Patch and Vulnerability Management?

In appreciation for sharing your time and thoughts with us, we will provide complimentary access for you to the full benchmark report as soon as it is published (a $399 value).

Individual responses will be kept strictly confidential, and data will
only be used in aggregate.

We look forward to hearing from you, and greatly appreciate your
time and participation.

Sincerely,

Saqib Khan

Contributing to the Official CISSP Courseware

Sun, 15 Jun 2008 14:53:16 +0000

I promised a while ago to let you all in on some of the various projects I’ve been working on over the past few months. One I haven’t shared with you yet is my participation in contributing as a SME to the official (ISC)2 courseware for CISSP certification.

It’s a huge undertaking with 10 domains chock full of every security topic you can imagine, 20 contributing SMEs from all over the worls, a handful of editors and 1 man to bring it all together. Our team leader, Dean Bushmiller has been the Project Manager for both versions 8 and 9 of the CISSP courseware and does an amazing job.

Each of the SMEs and editors have put a lot of thought and time into the materials, in an effort to create the best and most relevant content, topic arrangement and flow possible. You’ve seen how big these books are- that’s a lotta’ stuff to pull together and I admire the group, especially the domain wranglers and Dean, for keeping it all on track.

It’s a strange and exciting project. I can’t say it’s completely foreign to me, many years ago I created content for advanced Microsoft Office courses and developed official Computer Competency Training for K-12s for use in schools here. However, a project with this much mass is definitely unique.

So, that’s another little project I’ve been working on for the past several months… and will be continuing for several more. On those occasions I drop off the face of Blog World, it’s sometimes because I’m using every free moment to try and keep up with these types of projects and deadlines.

# # #