R1 Hacking & Securing Web-based ApplicationsHands-On (Day 1 of 2)
Who should attend: People who are auditing Web application security,
developing Web applications, or managing the development of a Web
David Rhoades, Maven Security Consulting, Inc.
10:30 a.m.6:00 p.m.
Is your Web application secure? CD Universe, CreditCard.com, and
others have found out the hard way: encryption and firewalls are
not enough. Numerous commercial and freeware tools assist in locating network-level
security vulnerabilities. However, these tools are incapable of
locating security issues for Web-based applications.
With numerous real-world examples from the instructor's years of
experience with security assessments, this informative and entertaining
course is based on fact, not theory. The course material is
presented in a step-by-step approach, and will apply to Web portals,
e-commerce (B2B or B2C), online banking, shopping, subscription-based
services, or any Web-enabled application.
Class exercises will require that students have an x86-based laptop
computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet
network card. Please download a copy of KNOPPIX-STD
(http://www.knoppix-std.org), burn it to a CD-R, and try to boot your system
on a network offering DHCP. Be sure your network card is recognized by
Knoppix-STD, otherwise you will not be able to participate in most classroom
exercises. Wireless access will not be supported during class.
Students will be provided access to several target Web applications.
Some of these applications are real applications with known security
issues. Others are mock applications
designed by Maven Security to simulate real security issues. At
each step, the instructor will supply the tools needed and demonstrate
the required techniques. All software provided will be publicly available freeware.
- The primary risks facing Web applications
and session tracking
- Tools, techniques, and methodologies required to locate weaknesses
- Recommendations for mitigating exposures found
- Best practices for Web application security
- The problem and root causes
- Web primer: HTTP and HTML
- Foundational security
- OS vulnerabilities
- Web server security highlights
- Web server and Web application output
- HTTP headers
- Encryption ciphers
- Error messages
- Authentication: digital certificates; form-based; HTTP basic
- Threats to authentication
- User name harvesting
- Brute-force password guessing
- Password harvesting
- Resource exhaustion
David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security
Consulting, Inc. Since 1996, David has provided information protection services
for various FORTUNE 500 customers. His work has taken him across the US
and abroad to Europe and Asia, where he has lectured and consulted in
various areas of information security. David has a B.S. in computer
engineering from the Pennsylvania State University and is an instructor
for the SANS Institute, the MIS Training Institute, and Sensecurity
(based in Singapore).
- Session issues
- Session tracking mechanisms
- Session ID best practices
- Session cloning
- Transaction issues
- Malicious user input
- Hidden form elements
- GET vs. POST
- Improper application logic
- Cross-site scripting (XSS)
- Third-party products
- Testing procedures
- Methodology and safety
R2 Implementing LDAP Directories
Who should attend: Both LDAP directory administrators and architects. The focus is on integrating standard network services with LDAP directories. The examples are based on UNIX hosts and the OpenLDAP directory server and will include actual working demonstrations throughout the course.
Gerald Carter, Samba Team/Hewlett-Packard
10:30 a.m.6:00 p.m.
System administrators today run a variety of directory services, although these are referred to by names such as DNS and NIS. The Lightweight Directory Access Protocol (LDAP) is the up-and-coming successor to the X500 directory and has the promise of allowing administrators to consolidate multiple existing directories into one.
Gerald Carter (R2, F2) has been a member of the Samba Team since 1998. He has published articles in various
Web-based magazines and gives instructional courses as a
consultant for several companies. Currently employed by
Hewlett-Packard as a Samba developer, Gerald has written
books for SAMS Publishing and is the author of the recent
LDAP System Administration (O'Reilly & Associates).
- Replacing NIS domains
- Integrating Samba user accounts
- Authenticating RADIUS clients
- Integrating MTAs such as Sendmail, Qmail, or Postfix
- Creating address books for mail clients
- Managing user access to HTTP and FTP services
- Storing DNS zone information
- Managing printer information
R4 But Is It UNIX? A Mac OS X Administrator's Survival Guide
Who should attend: UNIX system administrators who want or need
to administer Macintosh systems running Mac OS X and/or Mac OS X
Server. Familiarity with standard UNIX system administration
concepts and tasks is assumed. No previous Macintosh experience
is necessary. Experienced Macintosh users who want to learn about system
administration tasks in the Mac OS X environment will also benefit
from this course. People very familiar with Max OS X or with the NeXTSTEP environment will find much of this material to be a review. Note that
comparisons with NeXTSTEP will not be made.
Aeleen Frisch, Exponential Consulting
10:30 a.m.6:00 p.m.
We will note interactions between the UNIX implementation and the Mac
graphical user/administrative environment.
- What is this beast and what's Darwin (and why should I care)?
- Basic tasks
- Installation hints and pitfalls
- Software packages
- Startup and shutdown
- File and file systems
- File system layout
- File types: resource forks, applications, etc.
- User management
- Users and groups
- Mac OS X shared domains
- Managed preferences
- Client configuration
- Managing standard TCP/IP daemons: DNS, DHCP, NTP, and so on
- The Mac OS X multiprotocol environment
- Rendezvous and its implications
- Process management and performance
- Managing funky Mac peripherals and user expectations
- Mac OS X security architecture and implementation
Aeleen Frisch (T3, W3, R4) has been a system administrator for over 20 years. She currently
looks after a pathologically heterogeneous network of UNIX and Windows
systems. She is the author of several books, including Essential
System Administration (now in its 3rd edition).
R5 Intrusion Detection and Prevention Systems
Who should attend: Network or security managers responsible for
an IDS roll-out, security auditors interested in assessing IDS
capabilities, security managers involved in IDS product selection.
Marcus Ranum, Trusecure Corp.
10:30 a.m.6:00 p.m.
Overview: This workshop covers the real-world issues you'll encounter as part
of doing an intrusion detection roll-out or product selection.
Attendees will learn the advantages and disadvantages
of popular approaches to Intrusion Detection Systems (IDSes), how to
deal with false positives and noise, where to deploy IDSes, how to test
them, how to build out-of-band IDS management networks, and how they
interact with switches, routers, and firewalls.
- IDS and IPS: what they are and how they work
- Burglar alarms and honeypotslow-rent IDS
- Misuse detection and anomaly detection
- False positives, noise, and false alarms
- Does freeware stack up to the commercial products?
- Deployment issues
- Where to place IDS within the network
- Alert tuning: what it is and how it works
- How to estimate the size of an IDS deployment
- How to size and design a logging / management architecture
- Tools and tricks for logging and event correlation
- A typical IDS roll-out
- How to test an IDS for correct function
- IDS benchmarks: bogus and bogusest
- Management issues
- How to justify the expenditures on an IDS to management
- Cyclical maintenance
- Alert management procedures
Marcus Ranum (T5, R5, F5) is senior scientist at Trusecure Corp. and a world-renowned expert
on security system design and implementation.
He is recognized as the inventor of the proxy firewall and the
implementer of the first commercial firewall product. Since the
late 1980s, he has designed a number of groundbreaking security
products, including the DEC SEAL, the TIS firewall toolkit, the
Gauntlet firewall, and NFR's Network Flight Recorder intrusion
detection system. He has been involved in every level of operations
of a security product business, from developer, to founder and CEO
of NFR. Marcus has served as a consultant to many FORTUNE 500 firms
and national governments, as well as serving as a guest lecturer
and instructor at numerous high-tech conferences. In 2001, he was
awarded the TISC Clue award for service to the security community,
and he holds the ISSA lifetime achievement award.