OWASP AppSec EU 2013 was held in Hamburg Germany at the Emporio.  The session line-up featured key speakers from all over the world.  As usual, the OWASP conference provides terrific value for your money.  OWASP is also noteworthy among security conferences since it focuses heavily on defending web applications.

The longer I’m in the business of security, the more I appreciate speakers who communicate in terms of solutions as opposed to raising conundrums.  Now that’s not to say pointing out problems is unimportant.  Conferences that teach offensive techniques help us all understand better how to defend our assets.  They also serve well to shock the entire industry to change.   Still after 0-day sensations fade away, it’s up to the defenders to pick up the pieces and secure their application assets.  This is where OWASP comes in.  While OWASP dabbles a little on both sides of the fence with both offensive and defensive session content, I see its real value in defensive measures — helping an entire community solve tough security challenges.  Along the lines of defense, a couple of sessions standout from among the pack.

OWASP Top 10 Proactive Controls by Jim Manico (Twitter: @manicode), White Hat Security.  Many security professionals are familiar with the OWASP Top 10.  The Top 10 brings attention common security problems or “gotchas” many organizations encounter writing software.  The OWASP Top 10 Proactive Controls are somewhat the converse, security measures we should apply to protect our information systems.  From a security maturity perspective, OWASP Top 10 helps us spot common security problems and Top 10 Proactive Controls helps us address our security concerns.  I really like follow through and where this effort is heading.  Especially, thinking in terms of positive action we can all take helps move the industry forward.

New OWASP ASVS 2013 by Sahba Kazerooni (Twitter: @ShahbaKaz), Security Compass.  For those not familiar, the OWASP Application Security Verification Standard (ASVS) project, establishes security test cases by major domain.  Specifically, ASVS defines the security requirement areas or major domains of security as: Authentication, Session Management, Access Control, Input Validation, Cryptography (at Rest), Error Handling and Logging, Data Protection, Communication Security, HTTP Security, Malicious Controls, Business Logic, Files and Resources, and Mobile.  Within each of the domains various security tests cases are provided.  The idea is that you can choose the domains applicable to your product and review the test cases so you don’t overlook any.  Sahba’s presentation covers a refresh of the ASVS standard to bring it current to 2013 challenges.  If your charged with creating security test cases or even implementing security controls the document is a helpful resource worth a review.

Aside from the conference sessions, I take some time out to talk with colleagues.  The security landscape changes fast so it’s good to keep up to date.  In this conference, I spoke with Dinis Cruz (Twitter: @DinisCruz) the O2Platform project lead.  O2 provides some really cool means to generate security test scripts fast.  An ancillary platform feature I really liked is you can take these scripts and compile them to standalone Windows executables.  This is great if you want to share a binary you create with others without requiring a grab bag of supporting components or even the O2 platform.

Photo: OWASP AppSec EU from left,
Dinis Cruz, Steven van der Bann, and Milton Smith

In considering scripting features, the O2 platform seems to have some practical uses even if your not interested in security.  I’m still learning about O2 but it’s interesting technology I would like to investigate further.  Ok, a couple of tips if you get to meet Dinis.  Be up on your coffee since he talks really fast.  Next, Dinis does not wear shoes so don’t step on his toes.  Steven van der Bann (Twitter: @vdbaan) joined our discussion.  Steven helps organize OWASP Capture The Flags (CTF).  He will be heading up a CTF at AppSec USA in NYC.

On Friday, I provided a session at the conference on Java security, Making the Future Secure with Java.  In my session I covered some background around Oracle security policies.  Covering policies is not very exciting but I have discovered if omit it entirely I inevitably receive questions like, “Hey why don’t you guys discuss X,Y,Z with the public”?  I also provided an overview of remediation progress and recent security features delivered since many are unaware of our progress.  I believe the OWASP events team is planning to make session media available to the public but I’m not sure when.

A few thoughts on the location.  Hamburg is a refreshingly beautiful port town and bustling center of commerce.  In the summer, the climate is very similar to San Fransisco California and made complete by occasional fog.   While residents are quick to report winters are cold the conversation is warm and the people are inviting. 

Photo:  Hamburg panoramic from 23rd floor of Emporio

You will be challenged without a command of the German language but you will not be lost.  A significant number of signs provide an English translation less prominently under the primary German message.  ATMs and public transit ticket machines are localized in English.  There’s a significant population that understand some English and remainder are surprising tolerant of visitors like me who don’t know anything about the language.  It’s always humbling to be immersed in a room full of people where you don’t understand the discussion.  

Photo: OWASP AppSec EU from left,
Dalibor Topic and Milton Smith

Thanks to Dalibor Topic (Twitter: @robilad) for taking time away from his evening and family to show me around the city.  Dalibor is local to Hamburg so it’s always great to visit a new place with a friend — many thanks!  Dalibor is a leader in the OpenJDK project.  If you want to see what Dalibor’s up to check out the OpenJDK project. 

Also perhaps only loosely related but the timing seems appropriate.  Thanks to Jim Manico and Michael Coates (Twitter: @_mwc) for assisting me with reviewing JavaOne session submissions for our new security track, Securing Java and for your participation.  J1 is almost here, phew time fly’s.  I should have mentioned this in my presentation.

Recent interview I provided Roger Brinkley on security for Java Spotlight Episode 142.  In the featured segment I discuss the new security track added to JavaOne 2013 San Francisco.  I also provide an update on Java platform security.


OWASP LogoPresenting on Java security at AppSec EU August 20-23, Emporio, in Hamburg Germany.  I noticed some friends are speaking.  Always good to visit old friends as well as meet new friends.  Thanks to the OWASP team and conference leads for accepting my presentation.  Looking forward to visiting Hamburg for the first time.

This years computer security conference Black Hat 2013 USA was held at Caesars Palace in Las Vegas Nevada.  DEFCON 21, a follow-up security conference was about a block away at the Rio hotel.

I have attended a number of security conferences over the years but I must admit I’m a bit of Black Hat and DEFCON noob.  In any case, many people asked if I was attending so I though I should experience these events myself firsthand.  By pure happenstance, the Black Hat staff asked me to present (my previous post) about a month prior to the conference.  I only mention the session briefly since some have criticized me for the closed session.  Please keep in mind, the summit rules are not my rules.  I was privileged to be invited and I will respect their rules.  It’s also the first time I have ever been invited.

There’s a few things I noticed immediately as a new attendee.  Both conferences are a little rougher or raw around the edges.  Often a heckler in the audience would belch out a contrary opinion to the speaker or even obscenities at times.  In one case, a speaker retaliated telling a heckler to “-uck off”.  There were a few uncomfortable moments where I considered slipping down into my chair and low crawling out the door.  I was not sure what was going to happen next.  The leader of the National Security Agency,  General Alexander’s, keynote presentation was a great example of the electric atmosphere at Black Hat.

Photo:  Mohawks at DEFCON21

A few impressions from a first-timer, one of things you will notice is that the crowd is a little different than some of the conferences you may be accustomed.  But a little background first, over the years I have developed what I affectionately call the, 1000 yard gaze.  The 1000 yard gaze, shared by most Californian’s, is simply the blissful indifference to shocking sights and sounds.  So for example, if you want to walk around me with a purple mohawk and sparklers for ear rings it’s OK.  I will pretend I don’t notice and you can feel like we all have purple hair.  Even with a trained gaze, there are a few sights you are likely to encounter at these conferences that will test your abilities.  Also presenters, while undeniably experts at what they do, are sometimes not the best communicators, lack of eye contact, mumbling, etc.  One would think communications ability is a requirement for presenting at a conference but you might be wrong.  My impression is innovative content is sometimes favored over presentation ability.  It’s a tough tradeoff for conference planners I suspect but I can understand how that makes sense for these innovative conferences.  Still during a couple sessions, I had to tap a fellow attendee on the shoulder and ask what the heck the speaker just said, only to receive a shoulder shrug.  I wondered if anyone in the room understood what was said at the time.  It’s definitely the exception rather than the rule but it surprised me.

In the end, the raw edginess (if that’s a word) gives these conferences their charm.  Both conferences were super fantastic and I should have attended them many years ago.  Following are a few highlights from the conferences to challenge what you know about the state of the art in security.

Mobile platforms are a security nightmare
Most security professionals realize the tools for mobile security are woefully inadequate.  In fact, intrusion detection and prevention tools are simply not available to consumers.  Mobile consumers are running on the “trust me” security model.  One particular presentation at DEFCON21 stands out, Do-It-Yourself Cellular IDS Sherri Davidoff & Panel.  They demonstrated how to turn a femtocell into a Intrusion Detection System (IDS).  The project was a considerable effort by a team lasting almost a year.  Incidentally, there are a few ways to sniff your mobile traffic like connecting your phone to a local WIFI network and sniffing outbound traffic with standard tools.  The limitation with the approach is that you can’t see IP traffic going back through the carrier networks.  The presenters claimed around 50% of the audience phones were infected, ouch!  Also that some malware allows listening to conversations or viewing what is happening in a room — downright creepy.

Hardware hacks

Photo:  Hardware hacking lab

There were a ton of good hardware hacks and spy gear.  ACE Hackware was selling a device called the r00tabaga for penetration testers.  The device is self-contained computer, smaller than a pack of cigarettes running a modified Linux kernel.  It’s mostly for executing remote pentest assessments, surveillance, and Man in the Middle(MITM) attacks.  The device appears to be a 3G mobile hotspot, exploited, and reflashed with a modified version of OpenWRT.  The device is a little too polished to be manufactured by a niche vendor in my opinion.  Nevertheless, whatever it is it’s great and the price at the show was $110USD.  There are other popular long standing competitors like the Pineapple.  Likewise, Raspberry PI maybe a good contender for such a project but I’m not aware of any flash images/plans for ready to go solutions.

The lock pickers also had a strong presence.  If I knew they had a Lock Pick Village maybe I would have considered bringing my picks.  Although, I’m done with traveling abroad with my picks

Exploitation of office equipment
Stepping p3wns: Adventures in Full Spectrum Embedded Exploitation by Ang Gui and Michael Costello showed how an entire office environment may be exploited by an adversary.  In his demonstration, Ang exploited an HP printer to gain a foothold in a mock office environment.  The printer was used for office reconnaissance to find other IP enabled devices.  An attack from the printer was launched to exploit a Cisco IP phone and other devices were captured.  The presentation crescendo was a denial of service attack against a Cisco 2851 router by the printer rendering it useless.  The point of the presentation was that many common office devices are IP enabled.  These devices may have interesting information (e.g., phone numbers last dialed, contacts, last document scanned), valuable platforms for reconnaissance, or even to launch attacks.  Given the proprietary nature of hardware these devices are difficult to secure.  Ang mentioned some technology he’s developed to help secure these legacy environments.

Trading privacy for security
ACLU and EFF had a strong presence and generated interest from attendees.  These groups highlighted many of the current issues(e.g., Snowden, FISA courts) and the need for more privacy and transparency.  The greatest challenge presented was how can the government ensure the safety for American’s without violating their privacy?  Unfortunately, there didn’t seem to be any satisfying answers for attendees.

Celebrity appearances
Brian Krebs (Krebs on Security) and Lance James session Spy Jacking the Booters covers Brian’s SWAT’ing ordeal.  For those who don’t know SWAT’ing is, it’s like it sounds.  Bad guys fabricate a story to bringing the SWAT to your home.  Unfortunately, SWAT don’t have a good sense of humor so it’s guaranteed to inconvenience the victim for an evening.  Not to mention the price for door repair which, according to Brian, some cities don’t cover.  The lesson learned here, it’s no fun to be SWAT’ed.  Interestingly, I did get to shake Brian’s hand as he was walking out the door.  He was in a hurry so we did not talk long but it was fun to watch his expression as I introduced myself.  Anyway, I enjoy reading Brian’s articles.  Maybe someday I will be able to communicate so expertly.

Will Smith appeared at DEFCON21.  I really have no idea why he was attending the conference.  I didn’t notice him on the schedule.  Maybe his giving up movie making for life in security?  I didn’t see him at the conference myself but I saw a few Tweets.  If anyone has details feel free to drop a comment on this posting or send a tweet.

Equipment failures

Photo:  Crashed phone system?

I noticed a rather higher than usual occurrence of failure for hotel hardware at the event.  I really have no figures to back up my feelings, consider it a hunch.  First was the phone in my room.  Take a look at the screen in the photo, “Server Unreachable”.  I’m not sure what that’s trying to tell me but it does not look good.  The next event was a fire alarm at the Rio hotel during DEFCON.  There were flashing lights all throughout the halls and audible warnings followed by a voice message.  The alarm sounded for at least 10 minutes.  Following the alarm termination a voice indicated it was a test.  I don’t ever remember tests like this in any fully occupied hotel during a large event.  The last time I heard a flashing lights and sounds like that Halon was about to dump and I was sprinting out of the data center.   If anyone has any hardware failures please share them.

A parting thought…
Evidently there’s not much you can’t do in Vegas.  Including shooting fully automatic weapons — geek bait.  I wonder how many attendees tried this?  Send me a Tweet or something if you got to shoot any of these firearms.

Photo: The Gun Store