Sunday, October 26, 2008

Open Hack

From the official HITBSecConf2008 page (http://conference.hackinthebox.org/hitbsecconf2008kl/?page_id=197):

For the second time ever in a HITBSecConf we will be organizing an Open-Hack competition with a slight twist inspired by the Pwn-to-0wn contest run by the guys at CanSecWest.

The purpose of an Open Hack is to uncover new and previously unknown software vulnerabilities in operating systems and software. This year’s Open Hack will involve 4 fully patched MacBook Airs with a default install of Leopard with all patches applied and the firewall set to default settings. Similar to the contest in CanSecWest, the machine will be accessible via wired cross-over ethernet connections. Be the first to hack in and you walk away with a brand new machine!

To claim a laptop as your own, you will need to read the contents of a designated file on the system through exploitation of a 0day code execution vulnerability (ie: no directory traversal style bugs). Each laptop will only have a direct wired connection (exposed through a crossover cable) and only one person may attack each system at a time so that each team’s exploit remains private. Slots will be available for sign up in 30 minute increments at the beginning of each day. Any WiFi or Bluetooth exploits will be verified offsite in a secure lab to prevent snooping. The first winner of each laptop gets to keep it (one laptop per vulnerability entry).

Attack Vectors

Day 1 - 29th October 2008 - Default client-side applications
Day 2 - 30th October 2008 - Popular 3rd party apps

** Depending on the outcome on Day 1, we may extend the competition to submissions from remote (i.e. you don’t have to be on-site). More details will be posted next week.

Once a laptop is won however, no more exploits may be submitted. All winning exploits will be handed over to the affected vendors at the conference through WabiSabiLabi with the appropriate credit given to the contestant. All contestants must agree to the responsible disclosure handling of their vulnerability/exploit.

Phishing Updates

EvilFingers is trying to be active in the community. Phishing is one of the major streams we are looking at, given the amount of loss caused by phished sites. Phishtank is one such group doing this kind of work (as discussed in older postings). EvilFingers has contributed 5000+ phishing link verifications/reviews so far. If you are active or would like to do something for the community, kindly contact us at contact.fingers@gmail.com.

The following is the graph representing our contributions to Phishtank:



Thank you for your time.

- EF

Thursday, October 23, 2008

HITBSecConf2008 has announced their schedule

Agenda for the entire conference has been announced.

On 29th Oct 2008, Jeremiah Grossman will start with a Keynote Address on "The Art of Click-Jacking", which is the current hot topic at ZDNET and various other sites. Marcus Ranum follows this by his Keynote Address on "Cyberwar is Bullshit". Once the keynotes are done, the rest of the day is split into 3 tracks.

The second day of the conference (Oct 30th, 2008) starts with a Keynote Address on "Welcome to the 0wned World" by Dr. Anton Chuvakin followed by Peter Sunde [brokep] and Fredrik Neij [TiAMO] on "Dissolving an Industry as a Hobby". Once again the day is divided into 3 tracks after the keynote speeches.

The best part of HITB is that, beyond an ample set of conference presentations, they also run contests and trainings. HITB rocks hard!!!

- EF

Wednesday, October 22, 2008

Last Call for DeepSec IDSC 2008 in Vienna

The DeepSec In Depth Security Conference is happy to announce the planned schedule for this year's event from November 11th to 14th in Vienna, Austria.

The schedule (which can be found at https://deepsec.net/schedule) covers a range of topics including botnet analysis, web application security, malware detection/analysis, legal and administrative issues, secure coding and code review, hardware and firmware attacks, attacking/hardening databases, social engineering, dealing with rich Internet applications (RIAs) and, of course, the Digital Armageddon (coming soon to a server near you).

Key speakers include:

- Adam Laurie (http://rfidiot.org/)
- Ivan Krstić (http://radian.org/)
- Johnny Long (http://johnny.ihackstuff.com/)
- Gadi Evron (http://gadievron.blogspot.com/)

In addition, Matt Jonkman will present a new project about the development of a next-generation intrusion detection and prevention engine. Feedback from the community is highly welcome!

Registration is open at: https://deepsec.net/register/
Please make sure to book your tickets in time; we have only a _limited_ number!

We also offer two days of in-depth workshops on selected topics, designed for software developers, security researchers and sysadmins:

‣ Improving Code with Destructive Data (Heikki Kortti and Jukka Taimisto)
‣ Security Audit and Hardening of Java based Software (Marc Schoenefeld)
‣ The Exploit Laboratory (Saumil Udayan Shah)
‣ Design and Implementation of Security Awareness Campaigns (Stefan Schumacher)
‣ Advanced Malware Deobfuscation (Scott Lambert)
‣ Protocol and Traffic Analysis for Snort Signature (Matt Jonkman)
‣ Secure Application Coding for Enterprise Software (Vimal Patel)

The DeepSec IDSC is sponsored by CERT.at, Cisco, Microsoft, Sec Consult, Global Knowledge Austria/Germany and IronPort.

DeepSec Organisation Team.
https://deepsec.net/contact

Internet Access at the conference is provided by: http://www.nets.at/

Tuesday, October 21, 2008

EvilFingers.com: The Phoenix bird

We are in the midst of rebuilding the entire site. We are taking down few parts of the site and reorganizing ourselves into channels. There could be few delays in this blog and the site itself. Kindly, excuse us for any such delays.

- EF

Saturday, October 18, 2008

OISF Receives Funding for Open Source Next Generation IDS/IPS

October 16, 2008 (LAFAYETTE, Ind.) – The Open Information Security Foundation (OISF, www.openinfosecfoundation.org) is proud to announce its formation, made possible by grant funding. The OISF has been chartered and funded to build a next-generation intrusion detection and prevention engine. This project will consider every new and existing technology, concept and idea to build a completely open source licensed engine. Development will be funded through these grants, and the end product will be made available to any user or organization.

Over the next six months, members of OISF will be leading brainstorming sessions at key conferences and meetings as well as through mailing list discussions. These sessions will function as open forums to bring up ideas, ask questions and, most of all, let OISF know what YOU need for YOUR network. Any idea, any technology – anything – will be considered for integration. This project will solicit input, code and support from all interested parties, academic groups, vendors and projects.

Intrusion Detection and the Security field in general are at a crossroads. We collectively have more data about hostile sources available than we can effectively act upon using existing tools. This engine, we hope, will allow feeding these disparate sources of information into a single tool to assist in decision making and protection.

Any vendor, group, academic institution, government agency or individual may be part of the consortium that will manage this project long-term. Members may support development and maintenance with financial donations, coding support, technology support, infrastructure, etc. Members will be rewarded with licensing that will allow integration of this engine into their products and services.

Initial project members are Matt Jonkman of Emerging Threats as Project Manager (http://www.emergingthreats.net), Victor Julien (http://www.inliniac.net) and Will Metcalf (http://node5.blogspot.com) both of Snort_Inline (http://snort-inline.sourceforge.net) as Technical Leads.

We will be recruiting many new members for this project over time. If you are interested in participating or contributing to the project please contact us at team@openinfosecfoundation.org.

If you have ideas to contribute please join our discussion mailing list:
http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

or join oisf-announce to stay in touch:
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-announce

Thursday, October 16, 2008

PRESS RELEASE: OWASP European Summit - Portugal

This was sent by Dinis Cruz to all OWASP members:

Hello OWASP!!!

It is with great pleasure and pride that I'm officially launching today the OWASP European Summit 2008.

This is an event 100% focused on OWASP and will have the highest concentration of OWASPers per square meter (OWASP is flying 80+ of its Leaders and key contributors to Portugal). If you ever wanted to be more involved with OWASP or wanted to know more about certain OWASP projects, this Summit is for you. Please join us in Portugal and help to 'Set the AppSec Agenda for 2009'.

I would like to personally acknowledge the work done by an amazing team of OWASP collaborators that have been working non stop for the past 3 months on everything related to the Summit's organization: Thank You! (and if you want to be involved, please join asap this great OWASP virtual team)

Below is the official Press Release containing detailed information about the Summit's organization and objectives.

Obtaining media visibility for our events is an historical challenge for OWASP. It would be great if you could help us by personally distributing this Press Release to your media contacts and influential bloggers.

Looking forward to seeing you all in Portugal :)

Dinis Cruz

OWASP Board Member



PRESS RELEASE: OWASP European Summit - Portugal
Portugal/Algarve - 4th - 7th November 2008

Setting the Web Application Security Agenda for 2009: OWASP Invites You to Join Our Summit in Portugal

http://www.owasp.org/index.php/OWASP_EU_Summit_2008

With the theme 'Setting the AppSec agenda for 2009', the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends. Join us in Portugal in just a few short weeks! This venue hosts a diverse selection of training courses along with technical and business tracks, making it THE place to learn about web application security and the resources OWASP has available for use today.

OWASP is a not-for-profit organization with the purpose of supporting the Web Application Security community around the world, and has granted $250,000 USD for web application security research. In addition to over 40 presentations from the OWASP Leaders and grant recipients, the OWASP Summit will host multiple Working Sessions designed to improve collaboration, achieve specific objectives and identify roadmaps for OWASP projects, chapters, and the OWASP community itself.

To facilitate this event, OWASP is investing $150,000 USD which will be used to cover air travel and accommodation expenses for OWASP leaders, active contributors, and select key industry leaders. With their confirmed presence, the OWASP Summit will provide a relaxed but professional environment to meet, discuss, influence and contribute to OWASP projects.

There are still funds available! If you are interested in attending and you meet the profile of the current OWASP supported attendees (see list here: http://spreadsheets.google.com/pub?key=pAX6n7m2zaTVLrPtR07riBA) contact Paulo Coimbra (paulo.coimbra@owasp.org). Please note that you should do so only if you meet the paid attendance criteria (see here: https://www.owasp.org/index.php/OWASP_EU_Summit_2008_paid_participation_rules) and are unable to get corporate support to attend this event (for other corporate sponsorship opportunities see http://www.owasp.org/index.php/OWASP_EU_Summit_2008_Sponsors).

The OWASP Summit will also host a large and diverse selection of training courses, covering multiple OWASP specific and Web Application Security Topics.

The remarkable impact of OWASP is made possible only by the collaboration of many dedicated people and organizations worldwide. In that spirit of cooperation, OWASP invites all its members (who have 20% discount + 1 VIP Ticket) and interested individuals and companies to attend this thrilling event. Please join us and help to set the Web Application Security Agenda for 2009!

Please see below for additional details about the OWASP Summit or visit the OWASP Summit website: http://www.owasp.org/index.php/OWASP_EU_Summit_2008.

Projects

OWASP projects selected for Summit presentation include new documentation and innovative tools to help developers, architects, and security specialists ensure that applications are secure:

* Application Security Verification Standard,
* Code review guide, V1.1,
* Ruby on Rails Security Guide v2,
* Securing WebGoat using ModSecurity,
* Testing Guide v3,
* GTK+ GUI for w3af project,
* Access Control Rules Tester,
* AntiSamy .NET,
* Live CD & DVD Project,
* OpenPGP Extensions for HTTP,
* Orizon Project,
* Python Static Analysis,
* WebScarab-NG,
* And many, many others.

Working Sessions

Expecting the presence of the application security industry key players, the Working Sessions will cover a wide range of issues such as:

* OWASP Top 10 2009,
* Browser Security,
* Web Application Framework Security,
* Enterprise Security API Project,
* Best Practices for OWASP Chapter Leaders,
* OWASP Documentation Projects,
* OWASP Tools Projects,
* OWASP Education Project,
* OWASP Strategic Planning for 2009,
* OWASP Certification,
* OWASP Winter of Code 2009,
* Two-way Internationalization of OWASP Content,
* And many more.

Training

These 2-day, 1-day or 1/2-day training courses cover a wide range of OWASP specific and Web Application Security Topics:

* OWASP Top 10 - What Developers Should Know on Web Application Security
* Uncovering WebScarab's Secret Treasures
* Securing WebGoat with ModSecurity
* Secure Programming with Java
* Advanced Web Application Security Testing
* Building Secure Web 2.0 Applications
* Building Secure Web Services
* Building Secure Web Applications with OWASP's Enterprise Security API (ESAPI)
* Classic ASP Security using OWASP tools
* Web Application Assessments
* Hacking Owasp Orizon Project v1.0
* Ajax Security
* Practical Penetration Testing: Think Like an Attacker to Stop Attacks
* Linux Software Exploitation
* Web server/services hardening using SELinux


Main Contact:

Kate Hartmann
OWASP Operations Director
9175 Guilford Road, Suite 300
Columbia, MD 21046, USA
Phone: +1-301-575-0189
Facsimile: +1-301-604-8033
Email: kate.hartmann@owasp.org