Conferences
ITWeb Security Summit
The ITWeb Security Summit is creeping up on us again and will be happening on the 10-11th of May. This year ITWeb went with something slightly different, and are asking for people to suggest who they’d like to see on day 2. These suggestions will then be voted on. So, if there’s someone you’re dying to see present or a topic you really want someone to spend some time researching, head over to their community portal and write it down.
Black Hat Abu Dhabi – Full … NOT!
The bad news is that our course at Black Hat Abu Dhabi is completely full. The good news is … they’ve given us a bigger room! So if you’ve been told the course is full, or if you haven’t registered yet, please do it quickly before it fills up again.
Problems? Please contact us or mail training[at]sensepost[dot]com.
Gitex 2010 Dubai
At the invitation of the South African Department of Trade and Industry SensePost will form part of a South African delegation represented at GITEX 2010 from 17-21 October 2010:
Dubai International Convention and Exhibition Centre (DICEC) Dubai, United Arab Emirates Hall 5, Stand C6-20B If you are in Dubai or intend to visit the Gitex event, come over and visit me, Shane Kemp, at the SensePost stand.
http://www.sensepost.com/gitex
Information Security South Africa (ISSA) 2010
Last week we presented an invited talk at the ISSA conference on the topic of online privacy (embedded below, click through to SlideShare for the original PDF.)
The talk is an introductory overview of Privacy from a Security perspective and was prompted by discussions between security & privacy people along the line of “Isn’t Privacy just directed Security? Privacy is to private info what PCI is to card info?” It was further prompted by discussion with Joe the Plumber along the lines of “Privacy is dead!”
Memcached talk update
Wow. At some point our talk hit HackerNews and then SlashDot after swirling around the Twitters for a few days. The attention is quite astounding given the relative lack of technical sexiness to this; explanations for the interest are welcome!
We wanted to highlight a few points that didn’t make the slides but were mentioned in the talk:
Bit.ly and GoWalla repaired the flaws extremely quickly, prior to the talk. PBS didn’t get back to us. GlobWorld is in beta and isn’t publicly available yet. For those blaming admins or developers, I think the criticism is overly harsh (certainly I’m not much of a dev as the “go-derper” source will show). The issues we found were in cloud-based systems and an important differentiating factor between deploying apps on local systems as opposed to in the cloud is that developers become responsible for security issues that were never within their job descriptions; network-level security is oftentimes a foreign language to developers who are more familiar with app-level controls. With cloud deployments (such as those found in small startups without dedicated network-security people) the devs have to figure all this out.
BlackHat Write-up: go-derper and mining memcaches
[Update: Disclosure and other points discussed in a little more detail here.]
Why memcached? At BlackHat USA last year we spoke about attacking cloud systems, while the thinking was broadly applicable, we focused on specific providers (overview). This year, we continued in the same vein except we focused on a particular piece of software used in numerous large-scale application including many cloud services. In the realm of “software that enables cloud services”, there appears to be a handful of “go to” applications that are consistently re-used, and it’s curious that a security practitioner’s perspective has not as yet been applied to them (disclaimer: I’m not aware of parallel work).
Go-derper: mining your memcacheds
Today at BlackHat USA 2010 we released a tool for manipulating memcached instances; we still need to write it up properly but here’s a link to the tool for the moment.
tl;dr: if you find a memcached, you can dump the cache and manipulate entries in the cache.
SensePost’s Training @ Black Hat Vegas ’10 (win something)
After hearing our talk was accepted at BlackHat, we’re happy to announce that our training will be back for it’s 9th straight run. Speaking of a run, we’re going to be hosting the usual marathon of courses: cadet, bootcamp, combat, web 2.0. But, while the names remain, we’ve spent some time updating the material. In particular, bootcamp, combat & web 2.0 have been through the ringer. We’re hoping to get some detailed info on the updates out in the coming weeks.
SensePost at BlackHat USA 2010
A brief update from South Africa on some recent talks as well as the upcoming BH USA: our talk proposal has been accepted for BH USA 2010 which makes it the ninth year running that SensePost is talking in Las Vegas. One more and we qualify for free milkshakes at the Peppermill. This year we’ll be discussing caching in large scale web apps and why exposing caches to the interwebs is a Very Bad Thing. We’ll also be looking at caching services, an idea whose time should never come.
ITWeb Security Summit 2010 & Afterparty
The ITWeb security summit is coming up next week from the 11th to 13th of May. This is a conference we’re quite excited about, and have been involved in for the last few years, but most recently, we’ve been able to further our involvement beyond just speaking.
For years I jealously watched as SensePost’ers would trundle all over the world shaking hands and drinking beer with the leet haxors of the world. Then a few years ago, the ITWeb Security Summit brought over Kevin Mitnick. I remember sitting in the audience awe’d not so much by what was said (sorry Kevin, I’m sure it was interesting) but at the fact a real celebrity hacker was meters from me. I still keep his lock-pick business card as a memento. Since then, the summit has gotten bigger and better. ITWeb previously brought out people like Bruce Schneier (who I think thought I was a stalker), David Litchfield, Johnny Long (he’s African now), Johny Cache, Richard Stiennon, Roberto Preatoni and Phil Zimmerman (he video conf’ed in from his hospital bed after emergency heart surgery).