Sunday, July 26, 2009

Blackhat, Part 1

My first two days of Blackhat are complete. This weekend I took the "Web Application (In)Security" course by NGS Software. The class was taught by Dafydd Stuttard and Marcus Pinto. It covered pretty much every web application security topic you can imagine, and was heavily focused on attack, rather than defense. It seemed very oriented toward pen testers.

Before the class started, I had some doubts about whether it would be too basic. While most of the topics covered were topics I was already familiar with, the course material as a whole was intermediate to advanced. Dafydd and Marcus really know their stuff, and it shows. We started going really quickly in day 2, and I think a lot of us were struggling to keep up.

The course was about evenly split between presentation time and lab time. I appreciated the hands-on approach. These guys had a TON of labs available. I actually was kind of annoyed at the absolute impossibility of completing all the labs in the time given, but I think the point was to make sure nobody ran out of work to do. I don't think anyone was expected to complete them all.

We were encouraged to use Burp Suite, and many of the examples were shown using Burp. I'd never used Burp before, thinking it was just another localhost proxy. Turns out I was very wrong. Burp is an extremely powerful, flexible, and complete web application security tool, and I will definitely be using it in the future. I'd say this aspect of the course was worth the price of admission.

We finished out the course with a CTF game, which always makes me happy. I wish we had a little more time to work on it. (And I'm happy to say that I spent most of the game near the top of the leaderboard.)

My only real complaint about the course is that there seemed to be way too much material for two days, and it felt very rushed. (Also, the room was absolutely FREEZING.)

In other Vegas news, I kind of feel like I should be putting some more effort into making some friends here. I haven't really been socializing outside of class. I've spent some time on the poker tables, but I've been taking a beating and am busted out. (Last night I went to the felt on a flush draw with two overs, caught my flush on the river, turns out I was drawing dead to a boat. Part bad luck, part bad play.)

Also, there is absolutely nowhere to eat here that costs less than a million dollars.

Friday, July 10, 2009

Tyler Krpata: Picks for BlackHat 2009

As prompted by Jeremiah Grossman: Picks for BlackHat 2009

Day 1
  • FX: Router Exploitation
  • Nathan Hamiel & Shawn Moyer: Weaponizing the Web
  • Eduardo Vela Nava & David Lindsay: Our Favorite XSS Filters and How to Attack Them
  • Dan Kaminsky: Something to do with Network Security? (LOLZ)
  • Thomas Ptacek, David Goldsmith & Jeremy Rauch: Hacking Capitalism '09

Day 2
Not that interested in any of the 10am talks, so either
  • Zane Lackey & Luis Miras: Attacking SMS
    • or
  • Tyler Krpata: Sleep Late :)
  • Jeremiah Grossman & Trey Ford: Mo' Money Mo' Problems (and I don't even have to be there!)
  • Kevin Mahaffey, Anthony Lineberry & John Hering: Is Your Phone Pwned?
  • Turbo track
    • Steve Ocepek: Long-Term Sessions - This Is Why We Can't Have Nice Things
    • Peter Guerra: How Economics and Information Security Affects Cyber Crime
    • Michael Brooks: BitTorrent hacks
  • Bruce Schneier: Reconceptualizing Security

Thursday, July 9, 2009

Email From Security

From: Security
To: User
Subject: Cut the shit

Dear

This email is in regards to your recent download of "Ja Rule - R.U.L.E."

First of all, who the fuck listens to Ja Rule. I mean really.

Let's be clear, I could give a fuck less if you want to pirate music. Hell, I'm in FAVOR of illegal downloads. Nothing like Robin-Hood'ing those motherfuckers. When I have to think really hard before buying a DVD or a six pack, while the latest MTV flash-in-the-pan has 18 diamonds glued to his teeth, I think we can agree the recording industry is corrupt as hell and deserves what they get.

But regardless, for better or for worse, I'm the one stuck wasting my time responding to DMCA complaints when your stupid ass decides to use your employer's internet connection to download this shit. I know you don't realize it, but every time you do something stupid, a little alert pops up on my desktop, and then I have to do something about it. Believe it or not, I have better things to do with my time. Those Facebook status updates don't write themselves, you know.

In short: smarten up, or I'm changing your desktop background to lemonparty and disabling all your accounts.

Love,
Security