If you're in the Seattle area, come see me and Ian Gallagher speak about Firesheep at the next iSEC Open Security Forum. Full details below... see you there!
iSEC Open Forum Seattle!
View Larger Map -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= SPEAKER: Eric Butler, Software Developer, Seattle, WA
Ian Gallagher, Security Consultant, Security Innovation TITLE: Firesheep: Intentions, Responses, and what's next? ABSTRACT: At ToorCon several weeks ago, Eric and Ian released Firesheep, a Firefox extension that simplifies HTTP Session Hijacking / Sidejacking. They were tired of seeing insecure websites that made a big deal out of user privacy with upper-layer controls (Facebook privacy prefs, for example) but neglected protecting the basic HTTP transport. This is nothing new, all of the big websites know about these dangers, and usually they protect usernames and passwords with HTTPS, but nothing more. Eric and Ian hope to push big sites everywhere to adopt site-wide HTTPS by making it painfully clear that the issue is real. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= SPEAKER: Andreas Junestam, Vice President and Resident Swede, iSEC Partners TITLE: Integer issues in C - Exploring the dusty corners of C arithmetic ABSTRACT: In this talk, I'll walk through different issues when it comes to arithmetic problems in C: variable promotions, operator precedence, sign extension / truncation and more, and what issues this can result in. I will end the talk with a few bug examples where the audience is very encouraged to participate in the walk-through of the issue. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= SPEAKER: To be Announced Next Week TITLE: To be Announced Next Week ABSTRACT: To be Announced Next Week -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
About the iSEC Open Security Forum
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= The iSEC Open Security Forum is an informal and open venue for the discussion and presentation of security related research and tools, and an opportunity for security researchers from all fields to get together and share work and ideas. The Forum aims to meet in the Bay Area and Seattle quarterly. Forum agendas are crafted with the specific needs/interests of its members in mind and consist of brief 20-30 minute talks. Talks are not product pitches or strongly vendor preferential. Attendance is by invite only and is limited to engineers and technical managers. Any area of security is welcome including reversing, secure development, new techniques or tools, application security, cryptography, etc. Interested in presenting at a future Forum? Email email@example.com. Talks should be 20-30 minutes max.
UPDATE: The iSEC Partners Seattle Open Forum speaking series is tonight at Google's Kirkland office (http://maps.google.com/maps?q=Google,+Kirkland+WA). Attendees can park anywhere in Google's surface parking lot. There are a few updates to announce. Bruce Dang is the third speaker for our event. Bruce will be presenting 20 minutes on Stuxnet. Andreas Junestam is ill and will be unable to present his talk on C integer arithmetic. Andreas will be replaced in the agenda by iSEC Partner's Scott Stender who will discuss some of the hard problems of computer security. Also of note, David Hulton will be bringing some subject appropriate books to give away from Ada's Technical Books on Capitol Hill.
The night will begin with Bruce Dang, a Security Software Engineer at Microsoft. Bruce will be sharing information from his investigation into Stuxnet. The Stuxnet worm gained notoriety earlier this year for targeting critical infrastructure in Iran that utilized Siemens control systems. It has been widely reported that Stuxnet is the first worm to include a programmable logic controller (PLC) rootkit. Bruce is regarded as one of the foremost malware experts and will be speaking publicly for the first time ever about his Stuxnet investigation.
iSEC Partners own Scott Stender will presenting "Reflections on Security Engineering." The past ten years have seen an explosion of security awareness and investment in security engineering. Improvements have been made in the systems we use, but much more is required. Scott's talk will explore the "hard problems" in security engineering including the technical, economic, and organizational problems that we as an industry must tackle if we are to engineer truly safe systems.
Our last presentation of the evening will be Eric Butler, of Neg9, and Ian Gallagher, of Neg9 and Security Innovation, the creators of Firesheep. The Firesheep tool has created a sensation by highlighting insecure session management in web applications. This proof of concept sniffs wireless network communications in order to obtain session identifier cookies sent over plain text HTTP. The Firesheep tool is configured to attack sessions of such prominent websites as Facebook, Flickr, Foursquare, Twitter, Wordpress and Yahoo. Firesheep is special because it runs as a Firefox extension and allows point and click exploitation by untrained users. Tired of insecure websites making a big deal out of user privacy with application layer controls but neglecting the basic HTTP transport they created Firesheep. Eric and Ian will discuss their motivations for creating Firesheep, the reactions they have received and what comes next for Firesheep.