SANS @Night
Java and Secure Programming
- Marc Schoenefeld
- Monday, November 6th: 6:30pm
Java is not secure by default. You as a programmer decide to use its built-in features to make your software more secure. But on the other hand your errors and the flaws in the software stack below (like the JDK) can add a set of vulnerabilities to your Java-based software.
The problems are buried deep in the code. When software is built with wrong assumptions about its environment, the attack surface is often not adequately designed. Integration of third-party software is a typical cause of security breaches. A programmer can influence the protection level of the application by applying secure coding principles. This talk is about the causes of errors and the techniques for detecting them, and therefore focuses on the anti-pattern side of secure programming. We will explore anti-patterns in code, real-life examples of code violations that lead to vulnerabilities, and the following security breaches:
- privilege escalation
- covert channels
- remote code execution
- sandbox leakage
In addition, we will cover enterprise components like J2EE containers and database services, and will see how open ports listening for user communication with enterprise beans can be used by attackers to trigger functionality directly in the JVM of the J2EE server. In the last part of the talk, we will see how byte code scanners can be used to filter out the bugs in your code and those of third-party components, even without the source code.
- Speaker Bio
Marc Schoenefeld works in security management for a large German financial institution. He studied business informatics and is currently completing his PhD thesis in Java security. Marc has been a hacking addict since 1983 (C64, Amiga, ST, x86) and has previously presented at Blackhat, RSA, Bellua, DIMVA and D-A-CH.
ICMP Use and Abuse - Hands-On
- Antonio Merola
- Thursday, November 9th: 6:30pm
ICMP is often regarded as a very innocent, harmless protocol; however, if not properly handled by the operating system or a firewall, it can be used by intruders for evil purposes. We will cover the basics of the ICMP protocol and its prominent abuses, details on how ICMP works and what it is used for, how ICMP can disturb TCP connections, and how to protect against ICMP abuse. In the "live session", you will be able to boot your laptop using a Linux live distro and then break into a simulated environment using the techniques described.
During the live session of the lecture you will try to use this knowledge practically, using specially-crafted ICMP packets to drop or even redirect TCP connections of victims. Participants will receive copies of step-by-step instructions and a Linux live CD. Please bring your laptop.
- Speaker Bio
Antonio Merola works as a senior security expert. He started his career 10 years ago as a consultant, serving several companies as a Microsoft Certified Systems Engineer. Since 2000 he has been involved in many aspects of security, such as perimeter protection, VPN and intrusion detection, as an employee of Telecom Italia. Additionally, as a freelancer, he serves several companies as a consultant and instructor on a wide variety of security topics. Antonio holds several certifications and speaks at international security events; he has published IT articles in several Italian magazines and collaborates with hakin9 magazine.
SANS Community Night
- Tuesday, November 7th: 6:00pm
- MC for SANS Community Night - Brian Honan
Brian is recognized as an industry expert on information security and has addressed a number of major conferences relating to the management and securing of information technology. He has also had a number of technical papers published and has been technical editor and reviewer of a number of industry recognized publications and most recently contributed to the "Information Security Today" magazine. Brian is also the European editor for the SANS Institute's weekly SANS NewsBites, a semi-weekly electronic newsletter.
Brian's work also includes advising various government security agencies and the European Commission. Brian is currently in the process of establishing a Computer Emergency Response Team for Ireland. He is a member of the Information Systems Security Association, a working member of the GAISP project developing IT security standards, a member of the British Standards Institute, the Irish Computer Society and the Business Continuity Institute, and was a founding member of the Irish Corporate Windows NT User Group.
- Speaker - Kevin Dunn
Using a case study investigating OpenBase SQL - the database software most commonly used on Mac OS systems - Kevin Dunn will draw on his experience as part of a team that has discovered more security vulnerabilities in enterprise products than any other consultancy to demonstrate the most common methods of finding vulnerabilities within network applications. By leveraging techniques such as system monitoring, fuzz testing and debugging, NGS will show the process of discovering a new buffer overflow vulnerability, manipulating programmatic control to gain arbitrary code execution, and even the development of exploit code to compromise the vulnerable database server.
Kevin Dunn is a Principal Security Consultant for NGS Software working in all aspects of computer security. With detailed knowledge of attack and penetration techniques, Kev has worked for many Fortune-500 companies - breaking into their most trusted systems and providing practical fixes and workarounds to help keep hackers out. Kev is Head of NGS Training and takes the company's expertise on the road to clients and industry conferences alike - for the past two years he has taught advanced database security, including bug finding techniques, at the BlackHat Security Briefings around the world - bringing security professionals up-to-date (and beyond!) with the latest cutting edge information.
- Speaker - Peter Wood
The office cleaner wanders around the IT department emptying bins into a black plastic sack. He bends below each desk to look for stray sandwich wrappers and plastic cups. Whilst he's under the desk, it is a matter of seconds for him to attach a hardware key logger between keyboard and system unit. These small key loggers are effectively invisible on the back of the computer, and record every keystroke the IT folk make for the next week. They will capture user names and passwords, as well as every e-mail and browser entry. Often this will include credit card information from Internet shopping, home address details, bank account details - in fact whatever the individual typed into the computer during that week.
Of course there are plenty of similar opportunities throughout the organization - the CEO's secretary's PC for instance, or the Finance Director's. It's just like bugging, with virtually no risk and far bigger rewards, according to Peter Wood, Chief of Operations at First Base Technologies. Most organizations are vulnerable to this type of attack and will never know that it has taken place. The truth is that no one conducts proper staff vetting, and they certainly don't check the cleaner's credentials! Peter's highly entertaining talk will demonstrate a huge area of vulnerability for many organizations.
Peter Wood's innovative and entertaining style has led him to present to the boards of the largest international companies as well as at international conferences on many IT security-related topics. He was recently rated the British Computer Society's number one speaker.
Peter is a Fellow of the British Computer Society and member of the Institute of Electrical and Electronics Engineers, the Information Systems Audit and Control Association and the Association of Computing Machinery. He is also a BCS Registered Security Consultant, a Microsoft Certified Product Specialist and a member of MENSA.