F1 Hacking & Securing Web-based Applications: Hands-On (Day 2 of 2)
David Rhoades, Maven Security Consulting, Inc.
10:30 a.m. to 6:00 p.m.
Who should attend: People who are auditing Web application security,
developing Web applications, or managing the development of a Web
application.
Is your Web application secure? CD Universe, CreditCard.com, and
others have found out the hard way: encryption and firewalls are
not enough. Numerous commercial and freeware tools assist in locating network-level
security vulnerabilities. However, these tools are incapable of
locating security issues for Web-based applications.
With numerous real-world examples from the instructor's years of
experience with security assessments, this informative and entertaining
course is based on fact, not theory. The course material is
presented in a step-by-step approach, and will apply to Web portals,
e-commerce (B2B or B2C), online banking, shopping, subscription-based
services, or any Web-enabled application.
Class exercises will require that students have an x86-based laptop
computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet
network card. Please download a copy of KNOPPIX-STD
(https://www.knoppix-std.org), burn it to a CD-R, and try to boot your system
on a network offering DHCP. Be sure your network card is recognized by
Knoppix-STD, otherwise you will not be able to participate in most classroom
exercises. Wireless access will not be supported during class.
Topics include:
- The primary risks facing Web applications
- Exposures and vulnerabilities in HTML and JavaScript, authentication,
and session tracking
- Tools, techniques, and methodologies required to locate weaknesses
- Recommendations for mitigating exposures found
- Best practices for Web application security
Students will be provided access to several target Web applications.
Some of these applications are real applications with known security
issues. Others are mock applications
designed by Maven Security to simulate real security issues. At
each step, the instructor will supply the tools needed and demonstrate
the required techniques. All software provided will be publicly available freeware.
Day 1
- Introduction
- The problem and root causes
- Web primer: HTTP and HTML
- Foundational security
- OS vulnerabilities
- Web server security highlights
- Web server and Web application output
- HTTP headers
- HTML and JavaScript
- Encryption ciphers
- Error messages
- Caching
- Authentication
- Authentication: digital certificates; form-based; HTTP basic
- Threats to authentication
- Sign-on
- User name harvesting
- Brute-force password guessing
- Password harvesting
- Resource exhaustion
Day 2
- Session issues
- Session tracking mechanisms
- Session ID best practices
- Session cloning
- Transaction issues
- Malicious user input
- Hidden form elements
- GET vs. POST
- JavaScript filters
- Improper application logic
- Cross-site scripting (XSS)
- Third-party products
- Testing procedures
- Methodology and safety
David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security
Consulting, Inc. Since 1996, David has provided information protection services
for various FORTUNE 500 customers. His work has taken him across the US
and abroad to Europe and Asia, where he has lectured and consulted in
various areas of information security. David has a B.S. in computer
engineering from the Pennsylvania State University and is an instructor
for the SANS Institute, the MIS Training Institute, and Sensecurity
(based in Singapore).
F2 Managing Samba 2.2 & 3.0
Gerald Carter, Samba Team/Hewlett-Packard
10:30 a.m. to 6:00 p.m.
Who should attend: System administrators who are
currently managing Samba servers or are planning to deploy
new servers this year. This course will outline the new
features of Samba 3.0, including working demonstrations
throughout the course session.
Topics include:
- Providing basic file and print services
- Upgrading a Samba server from version 2.2 to 3.0
- Integrating with Windows NT 4.0 and Active Directory
authentication services
- Centrally managing printer drivers for Windows clients
- Managing NetBIOS network browsing
- Implementing a Samba primary domain controller along with
Samba backup domain controllers
- Migrating from a Windows NT 4.0 domain to a Samba domain
- Utilizing account storage alternatives to smbpasswd such
as LDAP
- Making use of Samba VFS modules for features such as virus
scanning and a network recycle bin
Gerald Carter (R2, F2) has been a member of the Samba Team since 1998. He has published articles in various
Web-based magazines and gives instructional courses as a
consultant for several companies. Currently employed by
Hewlett-Packard as a Samba developer, Gerald has written
books for SAMS Publishing and is the author of the recent
LDAP System Administration (O'Reilly & Associates).
F4 System and Network Performance Tuning
Marc Staveley, Soma Networks
10:30 a.m. to 6:00 p.m.
Who should attend: Novice and advanced UNIX system and network administrators, and UNIX developers concerned about network performance impacts. A basic understanding of UNIX system facilities and network environments is assumed.
We'll examine the virtual memory system, the I/O system and the file system, NFS tuning and performance strategies, common network performance problems, examples of network capacity planning, and application issues. We'll also cover guidelines for capacity planning and customized monitoring based on your workloads and traffic patterns. Analysis periods for particular situations will be provided.
Topics include:
- Performance tuning strategies
- Server tuning
- Filesystem and disk tuning
- Memory consumption and swap space
- System resource monitoring
- NFS issues
- Automounter and other tricks
- Network performance, design, and capacity planning
- Application tuning
- System resource usage
- Memory allocation
- Code profiling
- Job scheduling and queuing
- Real-time issues
- Managing response time
Marc Staveley (F4) works with Soma Networks, where he is applying his many years of experience with UNIX development and administration in
leading their IT group. Previously Marc had been an independent
consultant and also held positions at Sun Microsystems, NCR,
Princeton University, and the University of Waterloo. He is a
frequent speaker on the topics of standards-based development,
multi-threaded programming, system administration, and performance
tuning.
F5 Defeating Junk/Spam Email
Marcus Ranum, Trusecure Corp.
10:30 a.m. to 6:00 p.m.
Who should attend: Network and system administrators
responsible for email systems; people who are annoyed by junk email;
mail server administrators; senior managers who want to understand the
technologies for blocking junk email. Some familiarity with Internet email systems is recommended. Familiarity with
UNIX system administration is a must.
Is unplugging from the network the only way to avoid junk email? Many
organizations are finding that junk email is a major time-waster and
performance hog. Some individuals are finding that, every morning, 95% of their inbox is
garbage.
This workshop covers real-world issues in dealing with junk email, and how
to block a significant percentage of it from your personal or corporate
network. Attendees will learn the various techniques of junk email blocking,
the tools that are available, and the advantages and disadvantages of various
approaches. We will also examine a number of popular tools in detail, and
discuss configuration and tuning issues.
Topics include:
- Junk email: you know what it is when you get it
- Whitelisting, blacklisting, and blackholing
- Early attempts at junk email blocking
- The state of the art in junk email blocking
- Tools and techniques
- Setting up a centralized junk email blocking system
- Integrating junk email blocking into various mail clients
- Integrating junk email blocking into various servers
- Legalities and legal initiatives
Marcus Ranum (T5, R5, F5) is senior scientist at Trusecure Corp. and a world-renowned expert
on security system design and implementation.
He is recognized as the inventor of the proxy firewall and the
implementer of the first commercial firewall product. Since the
late 1980s, he has designed a number of groundbreaking security
products, including the DEC SEAL, the TIS firewall toolkit, the
Gauntlet firewall, and NFR's Network Flight Recorder intrusion
detection system. He has been involved in every level of operations
of a security product business, from developer, to founder and CEO
of NFR. Marcus has served as a consultant to many FORTUNE 500 firms
and national governments, as well as serving as a guest lecturer
and instructor at numerous high-tech conferences. In 2001, he was
awarded the TISC Clue award for service to the security community,
and he holds the ISSA lifetime achievement award.