36 Chambers – The Legendary Journeys: Execution to the max!

April 13, 2014

New Presentation: SQL Injection

Filed under: (In)Security, Database Administration — Kevin Feasel @ 6:00 pm

I will be presenting for the PASS Security virtual chapter on Thursday, April 17, 2014 at 1 PM Eastern.  Attendees can go to the link to register for the webinar.  The talk is entitled “Understanding and Eliminating SQL Injection” and here is the abstract:

Over the past several years, hacktivists, criminals, and people just “out for lulz” have managed to find sensitive data owned by organizations like Sony, Yahoo, NASA, and the U.S. army, among many others. In all of these cases, the attackers exploited websites using SQL injection attacks.

SQL injection is at the top of the Open Web Application Security Project (OWASP) top 10 list and is an important part of one of the SANS 20 critical security controls. This talk will go into what SQL injection is, how attackers can use it, and how to secure your sites so that your CIO and CISO never show up on the evening news.

Although the talk will focus on using the Microsoft stack (IIS, ASP.Net, and SQL Server), the lessons will apply to all web systems everywhere.
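As an added illustration of the root cause the talk addresses (not code from the talk or its author): the same lookup written with string concatenation and with a parameterized query. It uses Python's sqlite3 as a stand-in for SQL Server, and the table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample schema and rows; sqlite3 stands in for SQL Server here.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, UserName TEXT, Email TEXT)")
    conn.executemany(
        "INSERT INTO Users (UserName, Email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn

def lookup_vulnerable(conn, username: str):
    # Anti-pattern: the user-supplied string is spliced into the SQL text, so
    # any quote in the input changes the shape of the statement itself.
    sql = "SELECT Email FROM Users WHERE UserName = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username: str):
    # Fix: a parameterized query. The driver sends the value separately from
    # the SQL text, so the input is always treated as data, never as code.
    sql = "SELECT Email FROM Users WHERE UserName = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def compare(username: str) -> dict:
    """Run both lookups on a fresh database and report what each does."""
    conn = make_db()
    result = {"safe": lookup_safe(conn, username)}
    try:
        result["vulnerable"] = lookup_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        # The quote in a perfectly legitimate name broke the statement: proof
        # that the input reached the SQL parser as syntax rather than as data.
        result["vulnerable"] = "error: " + str(exc)
    return result

if __name__ == "__main__":
    print(compare("alice"))
    print(compare("O'Brien"))
```

The point to take from the second call is that the concatenated version fails (or, with other input, does something else entirely) while the parameterized version simply returns the matching row.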

April 11, 2014

Heartbleed

Filed under: (In)Security — Kevin Feasel @ 6:00 pm

So…it turns out that OpenSSL has been broken for a couple of years.  Most UNIX-based servers are going to be affected.  If you use OpenSSL on a server, get this fixed now.  Many of the big companies are doing so now.  If you don’t, you’re probably going to get several “Hey, you should change your password” e-mails over the next several days.

Bruce Schneier has more.  For a humorous take, check out The Daily WTF.  Several people there make the argument that we shouldn’t use C or other languages without boundary protection for…well, pretty much anything.  Given how easy it is for a good developer to make a catastrophic mistake and for it to sneak by code reviews for years, I think they have a point.

April 9, 2014

Going To Derbycon

Filed under: (In)Security, Where's Poochy? — Kevin Feasel @ 6:00 pm

I will be going to Derbycon for my third straight year.  This year, I’m taking Carlos Perez’s training course on using Powershell for defense and post-exploitation.  The last couple of years, I branched out into parts of security in which I had no experience; this is coming a lot closer to my wheelhouse.

I also have submitted a paper for their CFP.  Here’s my title and abstract:

A Gentle Introduction to Security Economics

Why do software manufacturers release software known to be vulnerable? Why are 419 scammers’ e-mails often so poorly written? Is making software open source better for security–or could it actually be worse? These are all questions which we can answer using economic tools. Economics is, at its core, the study of human behavior; given that security is fundamentally a human problem, marrying economic concepts to security analysis can give security researchers a better perspective on the problems we’re all trying to solve.

This talk assumes little to no knowledge of economics among attendees and will feature exactly zero Lagrangian calculations.

This talk is somewhat far afield of your standard Derbycon talk—which tends to be either highly technical or advocacy-related—but with luck, the committee will select my paper and I’ll have a chance to present in front of a brand new audience.

March 30, 2014

Derbycon Tickets On Sale This Week

Filed under: (In)Security — Kevin Feasel @ 1:50 pm

Derbycon 4.0 tickets go on sale April 3rd.  I’ve booked a room at the Hyatt and plan to snag a ticket.  This is one security conference I make a point to attend each year.

March 9, 2014

Intelligence Community Fooled Again

Filed under: (In)Security — Kevin Feasel @ 7:30 pm

It appears that U.S. intelligence had no idea that Russia’s military was going to invade Ukraine.  If only they had spied on the other 2/3 of Americans’ calls, they certainly would have gotten this one!

February 16, 2014

Kickstarter hacked

Filed under: (In)Security — Tony Demchak @ 7:48 am

Yeah, you might want to change your password if you have a Kickstarter account.

(Also, it feels weird stealing Kevin’s category like this.)

February 15, 2014

No Security Allowed

Filed under: (In)Security — Kevin Feasel @ 6:00 pm

Bruce Schneier has been all over this NSA mess.  This includes a number of essays, including this one from about a month ago.  He also testified before Congress on the issue.

January 22, 2014

This Year’s Conference Schedule

Filed under: (In)Security, Computinating, Database Administration — Kevin Feasel @ 6:00 pm

I’m looking at a pretty busy conference schedule this year.  Here’s what I’m looking forward to:

February 8 — Powershell Saturday 007, Charlotte, North Carolina.
March 22 — SQL Saturday #277, Richmond, Virginia.
May 16 — May 18 — CarolinaCon-10, Raleigh, North Carolina.
June 14 — SQL Saturday #299, Columbus, Ohio.
September 6 (?) — SQL Saturday, Raleigh, North Carolina.
September 24 — September 28 (?) — Derbycon 4.0, Louisville, Kentucky.
November 4 — November 7 — PASS Summit 2014, Seattle, Washington.

I might be able to sneak one or two more conferences in there, but going to seven conferences across three major domains is pretty nice for me.  I might also be able to attend the 2014 Raleigh Code Camp if the time is right.

January 1, 2014

Security Notes

Filed under: (In)Security — Kevin Feasel @ 6:00 pm

A new year brings in a new set of security notes.

December 24, 2013

Security Notes

Filed under: (In)Security — Kevin Feasel @ 6:00 pm
