With Upserve's Bryan Brannigan! Bug bounties are a marketplace, and like all marketplaces, there are good sellers (researchers) and buyers (programs), and there are bad sellers and buyers. There are resources everywhere to help researchers get going in this exciting world of bug hunting, but there are few resources available to help those running programs. And it is far worse to be a bad program than it is to be a bad researcher. Let's have a conversation about how Upserve went from no bounty program to launching a public program (and beyond!). We'll talk about the speed bumps and the lessons learned along the way. And you'll learn how managing a successful bug bounty program is more about managing expectations and clear communication than it is about fixing security bugs.
Posting this to both Meetup sites... I am organizing a first-of-its-kind conference in RI, "Social Engineering RI". This is a one-day conference on June 16th at Salve Regina University's Pell Center, with talks and activities focused on IT social engineering: learning about phishing, vishing, pretexting, physical bypasses, and how to defend against these attacks. We will also have a panel with past winners of the Social Engineering CTF from DefCon and DerbyCon, to learn how they did it.
Get more information at: http://se-ri.org
Tickets are available at: https://socialengri.eventbrite.com
Modern applications require modern security, and the OpenID Connect and OAuth2 security protocols are designed to meet this need. To achieve a modern security architecture you must then use something called a "security token service" that implements these protocols. In this session we will look at how applications are now architected to incorporate and use a token service for authentication, thus providing single sign-on. We will also see how this same token service provides tokens for securing Web APIs.
Currently Brock is an independent consultant specializing in .NET, web development, and web-based security, with 20 years of industry experience. Brock is the co-author of many security-related open source frameworks including IdentityServer, IdentityManager, and MembershipReboot. He also frequently posts to the ASP.NET forums, is an MVP for ASP.NET/IIS, a member of ASPInsiders, and a contributor to the ASP.NET platform.
In our physical world, we have instrumentation all around us. Clocks tell us the time, kitchen ovens tell us temperature, and cars tell us speed and fuel level and even have onboard health diagnostics. At our homes, we have security alerts when someone trespasses on our property or opens a door. However, in the world of software, we have very little visibility into what is going on inside the software. Our presenters will describe how instrumentation can be used to enable your software applications to both detect vulnerabilities and block attacks. Furthermore, they will demonstrate the insights offered by instrumentation and why this approach can offer unique insights to your security program.
Bio: Jon Seidman has been a software developer for more than a decade. He has special interest in web related technologies and application security. He has a Master’s degree in computer science, and is a CISSP. He currently works for Contrast Security, where he evangelizes their technology.
Managing Apple in the Enterprise
An environment where outliers were allowed to use Macs at work unsupported by IT has turned into an environment where employees from sales people to executives are requesting Macs and iOS devices, and saving the company money at the same time. But how are you managing these devices?
Adam Codega, IT Operations Leader at Upserve in Providence, RI, will review how to manage Apple OS X and iOS devices for simplicity and security. Device encryption, remote lock and wipe, PIN removal, and more will be covered. Hindsight is 20/20, so avoid the pitfalls and cut through the marketing scare tactics by putting the right practices in place now to benefit your organization in the future.
Adam Codega has worked in IT for 5 years, first as a consultant before joining Upserve 3 years ago. He manages the company's all-Mac environment as well as the service desk and network infrastructure. Outside of the office, he manages the Providence Apple Admins meetup group, and he has given talks at the JAMF Nation User Conference, MacTech, and most recently the 2016 Mac Admins at Penn State conference.
William Gamble is going to discuss how recent changes in the law (federal regulations, civil lawsuits, state laws, insurance, cloud contracts, international treaties) will impact the IT industry: essentially the economic impact and the risk profile of the law, rather than a discussion of the law itself.
The speaker is finalizing details; this is on the calendar as a placeholder.
Steve Carmody is the project lead for Internet2's Shibboleth (http://www.internet2.edu/products-services/trust-identity/shibboleth/) and an IT Architect at Brown University. Steve will speak on single sign-on mechanisms and the idea of federated identity. If you have ever chosen to use your Google account, Facebook account or Twitter account to log in to other services, you are familiar with the idea of federated identity. Come hear more about the projects on May 12.
This was an incredibly popular meeting last year that was enjoyed by all, including by Congressman Langevin, so we'll do it again! We will have another session with him where he can tell us about what's happening in Congress and the US government with regard to cybersecurity and he'll take questions from the audience. This year, he will meet us at Swipely. This session will not be recorded.
This meeting will be a little different. For one, the target audience will be kids and their parents, and anyone else interested in online security for children. Another thing making it different is that we'll start a half hour earlier, and we'll probably make the presentation only 30 minutes and then take questions. The last thing making this presentation different is that I will be co-presenting with my favorite presenter in the history of OWASP RI (with apologies to all other presenters): my own 10-year-old daughter. So please bring your kids to this session and you'll hear about computer security for kids by a kid (and her dad). We hope you enjoy this one, as we are looking forward to presenting it for you.
Communicating about security and secure technologies among peers uses a common language, one we're often comfortable with. But when we need to explain security to others who don't focus on it every day, we sometimes need to find other ways to explain it. In this meeting, John will talk about ways that you can explain security needs and priorities to your C-level executives in ways that will help them to understand why it is important and why funding needs should be prioritized.
Due to John being located in South Dakota, this presentation will be live streamed.
About the Presenter:
John Strand is the Owner of Black Hills Information Security (BHIS), and has both consulted for and taught hundreds of organizations in the areas of security, regulatory compliance, and penetration testing. John is also an instructor and course author of Black Hat's "Active Defense, Offensive Countermeasures, and Hacking Back" and the SANS Institute's "Hacker Tools, Techniques, Exploits and Incident Handling" classes.
John is co-author of the "Offensive Countermeasures: The Art of Active Defense" book and is a contributor to the industry-shaping Penetration Testing Execution Standard and 20 Critical Controls frameworks.
Have a great December, and we will start up again in January. See you in 2016!
Kellen Kleinfelter will talk about his work in the area of account checkers and rewards fraud detection and defense. Online criminals often use known credentials to check against many other systems to see whether the credentials are valid. When they find some that are, whether that is for banking information, credit cards, airline reward miles, hotel points or any other loyalty program, those can be turned into cash. Kellen will show us the ways that the criminals find the information and turn a profit, as well as the ways he has found to defend against these actions.
Additionally, we will have a short talk by Amber Lee about three types of XSS.
Larry Pesce is an expert pentester for InGuardians and a long-time host of Paul's Security Weekly. Additionally, he teaches Wireless Ethical Hacking for SANS. He will come and talk about the steps of penetration testing a site, a network and applications, as well as share stories of his exploits (pun intended).
We are also scheduled to have a short overview of the OWASP Top 10 by Bernadette McHugh.
Velu will recap what he learned and saw at Black Hat and DEF CON in Las Vegas, aka "Hacker Summer Camp".
We may also do a little overview of Burp Suite and Zed Attack Proxy.
About Velu: Velu Jeganathan, CISSP, CISM, CEH, works as a Senior Penetration Tester for Voya Financial.
He has more than 25 years of IT experience and about 10 years in information security.
My interests are in Mobile Security, Vulnerability Management and Cryptography.
John Lambert observed that attackers win because while defenders think in lists, attackers think in graphs. Access control systems divide the system a priori into secure and insecure states. But that's only worth the paper it's printed on. Attackers see the system as it is; for attackers, the access control scheme is the beginning of the game, not the end. Determined attackers seek out access control models and then find holes that they can leverage. Access control systems that purport to protect the system are built on assumptions from which reality diverges. Application security needs a new approach to access control: adding feedback loops for risk-based decisions, and fine-grained, dynamic access control.
Security is a business with a very long list of issues and requirements. The spreadsheets are miles long. This makes it essential to find reusable solution patterns that can address multiple problems. This presentation looks at both medium-term improvements and code examples to improve access control decisions and overall security today.
About the Speaker
Gunnar Peterson (@oneraindrop) focuses on security architecture consulting and training. Experience includes Associate Editor for IEEE Security & Privacy Journal, a Microsoft MVP for App security, an IANS Research Faculty member, a Securosis Contributing Analyst, and a Visiting Scientist at Carnegie Mellon Software Engineering Institute. He maintains a popular information security blog at http://1raindrop.typepad.com.
This presentation will be given by Ben Brown of Akamai Technologies. "Doxxing" is when a person's personal information (i.e., home address, spouse's and children's names, school attended, job information, and more) is made public by someone looking to scare, intimidate or harass an individual. Ben will talk about ways that we currently "over-share" and how we can help keep that information a little more private for ourselves.
Some people ask about parking for the meeting location. We chose 6:30 pm as a start time because the Providence parking meters are "off" at 6 pm, and it gives time for the people who work in the city all day to clear out and open up those spaces. You can sometimes find a spot right outside the building but there are also parking lots in the area.
Yes, we will be having an OWASP RI chapter meeting with Congressman James Langevin! Mr. Langevin is Rhode Island's representative from the 2nd Congressional District. He is the co-founder and co-chair of the Congressional Cybersecurity Caucus, a senior member of the House Armed Services Committee, the ranking member of the Intelligence, Emerging Threats and Capabilities Subcommittee, a senior member of the Permanent Select Committee on Intelligence, and a member of the Technical and Tactical Intelligence Subcommittee. We are very excited to be joining with Congressman Langevin to learn about the state of US cybersecurity. Space is limited, so please RSVP if you can attend and update that information if you cannot. Thank you.
Details are coming, but learn more about how threat intelligence is gathered using Open Source Intelligence (OSINT). The presentation will be by Stuart Gorton.
Speaker: John Poulin is an application security consultant for nVisium who specializes in web application security. He worked previously as a web developer and software engineer focused on building multi-tier web applications. When he's not hacking on web apps, John spends his time building tools to help him hack on web apps! You can find him on Twitter: @forced_request
Food and beverages will be provided by our host and sponsor, Swipely!
When gathering open source data and transforming it into actionable intelligence, it is critical to recognize that humans are not objective observers. Conscious and unconscious assumptions drive analysts' choices about which data to analyze and how much importance to ascribe to each resource. Furthermore, analysts' personal conceptual frameworks about reality and how the world works can undermine the process of objectively translating data into intelligence. These implicit assumptions, otherwise known as cognitive biases, can lead to missed data, skewed intelligence, illogical conclusions, and poor decision making. In this presentation I will illustrate cognitive biases relevant to OSINT and what can be done about them.
Speaker bio: Benjamin Brown currently works on systems safety, adversarial resilience, and threat intelligence at Akamai Technologies. He has experience in Non-profit, Academia, and the corporate world as well as degrees in both Anthropology and International Studies. Research interests include the psychology, anthropology, and sociology of information security, threat actor profiling, and thinking about security as an ecology of complex systems.
Cross-Site Scripting is one of the most pervasive web application security flaws, and one that attackers frequently target. While the best line of defense against Cross-Site Scripting is defensive programming with proper input validation and context-sensitive output encoding, Content Security Policy is quickly becoming a very effective mitigation strategy to protect sites' visitors and to warn application developers of potential attacks. This talk will cover content injection (including Cross-Site Scripting) and how Content Security Policy mitigates many of the associated risks.
Will Stranathan is an application security professional in the Charlotte, North Carolina area. He's been writing rotten code for 32 years, and has spent the last ten years breaking rotten applications, analyzing rotten code, and writing rotten code which helps the world's best programmers identify their own rotten code, and training developers how to write code that's not so rotten.
Food and beverages will be provided by our host and sponsor, Swipely!
Our next OWASP RI meeting will be on November 25 at 6 pm at Swipely, 39 Peck Street in Providence.
We will have Allison Nixon, fresh off her talk at Black Hat in Las Vegas, to show how DDoS-protected web sites can be bypassed. If you would like to participate, please bring the following setup: a laptop with a WiFi connection, Kali Linux installed with Perl and Wireshark, and the ability to run as root. Please also have an email address where you are able to view the mail headers. Lastly, it would be helpful if you have access to your own web server, though this is not a requirement to participate.
Modern web browsers implement a "private browsing" mode that is intended to leave behind no traces of a user's browsing activity on their computer. This feature is in direct tension with support for *extensions*, which let users add third-party functionality into their browser. I will discuss the scope of this problem, present our approach to verifying extensions' compliance with private browsing mode, and sketch our findings on several real, third-party extensions. I will then briefly describe the toolkit underlying our approach, and end with a sketch of a newer project, adapting this approach to the very different-seeming problem of statically catching errors when using the jQuery library.
Bio: Benjamin Lerner is a post-doctoral researcher in the PLT group at Brown University, and soon to be a lecturer at Northeastern University. His research examines the challenges of analyzing client-side web programming, from the behavior of web pages down through the semantics of the browser. He received a PhD in Computer Science from the University of Washington in 2011, building a platform to analyze conflicts between browser extensions, and a B.S. in Computer Science and Mathematics from Yale University.
Food and beverages will be provided by our host and sponsor, Swipely!
39 Pike Street (sole building in median between al Forno and the Shell station)
Nick MacCarthy will be giving a presentation on some of the things he has found helpful in building and evolving security programs over the past few years. It will cover everything involved in building a program, from low-level choices like which scan engine to use all the way to high-level needs like senior management buy-in techniques, in order to establish a sustainable program.
Google-able address: 566 South Main St, Providence. It's a brick building with a billboard on the roof.
We'll be back on February 18, 2013 (5:45 pm) with another edition of Hands-On Hacking!