I will be presenting for the PASS Security virtual chapter on Thursday, April 17, 2014 at 1 PM Eastern. Attendees can go to the link to register for the webinar. The talk is entitled “Understanding and Eliminating SQL Injection” and here is the abstract:
Over the past several years, hacktivists, criminals, and people just “out for lulz” have managed to find sensitive data owned by organizations like Sony, Yahoo, NASA, and the U.S. army, among many others. In all of these cases, the attackers exploited websites using SQL injection attacks.
SQL injection is at the top of the Open Web Application Security Project (OWASP) top 10 list and is an important part of one of the SANS 20 critical security controls. This talk will go into what SQL injection is, how attackers can use it, and how to secure your sites so that your CIO and CISO never show up on the evening news.
Although the talk will focus on using the Microsoft stack (IIS, ASP.Net, and SQL Server), the lessons will apply to all web systems everywhere.
So…it turns out that OpenSSL has been broken for a couple of years. Most UNIX-based servers are going to be affected. If you use OpenSSL on a server, get this fixed now. Many of the big companies are doing so now. If you don’t, you’re probably going to get several “Hey, you should change your password” e-mails over the next several days.
Bruce Schneier has more. For a humorous take, check out The Daily WTF. Several people there make the argument that we shouldn’t use C or other languages without boundary protection for…well, pretty much anything. Given how easy it is for a good developer to make a catastrophic mistake and for it to sneak by code reviews for years, I think they have a point.
I will be going to Derbycon for my third straight year. This year, I’m taking Carlos Perez’s training course on using PowerShell for defense and post-exploitation. The last couple of years, I branched out into parts of security in which I had no experience; this is coming a lot closer to my wheelhouse.
I also have submitted a paper for their CFP. Here’s my title and abstract:
A Gentle Introduction to Security Economics
Why do software manufacturers release software known to be vulnerable? Why are 419 scammers’ e-mails often so poorly written? Is making software open source better for security–or could it actually be worse? These are all questions which we can answer using economic tools. Economics is, at its core, the study of human behavior; given that security is fundamentally a human problem, marrying economic concepts to security analysis can give security researchers a better perspective on the problems we’re all trying to solve.
This talk assumes little to no knowledge of economics among attendees and will feature exactly zero Lagrangian calculations.
This talk is somewhat far afield of your standard Derbycon talk—which tends to be either highly technical or advocacy-related—but with luck, the committee will select my paper and I’ll have a chance to present in front of a brand new audience.
Derbycon 4.0 tickets go on sale April 3rd. I’ve booked a room at the Hyatt and plan to snag a ticket. This is one security conference I make a point to attend each year.
Yeah, you might want to change your password if you have a Kickstarter account.
(Also, it feels weird stealing Kevin’s category like this.)
Bruce Schneier has been all over this NSA mess. This includes a number of essays, including this one from about a month ago. He also testified before Congress on the issue.
I’m looking at a pretty busy conference schedule this year. Here’s what I’m looking forward to:
February 8 — Powershell Saturday 007, Charlotte, North Carolina.
March 22 — SQL Saturday #277, Richmond, Virginia.
May 16 — May 18 — CarolinaCon-10, Raleigh, North Carolina.
June 14 — SQL Saturday #299, Columbus, Ohio.
September 6 (?) — SQL Saturday, Raleigh, North Carolina.
September 24 — September 28 (?) — Derbycon 4.0, Louisville, Kentucky.
November 4 — November 7 — PASS Summit 2014, Seattle, Washington.
I might be able to sneak one or two more conferences in there, but going to seven conferences across three major domains is pretty nice for me. I might also be able to attend the 2014 Raleigh Code Camp if the time is right.
A new year brings in a new set of security notes.