Moderation status updates, InfoSec World Orlando notes

From: Erin Carroll (amoeba@amoebazone.com)
Date: Thu Mar 13 2008 - 12:29:12 EST


Pen-testers,

As you can probably infer from the flood of pen-test emails today, I'm back
from the InfoSec World conference in Orlando and am catching up with
moderation. If you had a submission to the list in the queue that got
bounced back from timeout, please resubmit.

I got to meet a few of my fellow pen-test list members while there and it
was great to be able to attach faces to names & talk shop. Thanks to
everyone who managed to track me down and say hi. R0cketgrl managed to be
ninja and avoid me somehow so I'll have to pick on her. Of course, it could
have been the fact that I was dressed up in the corporate monkey suit that
provided impenetrable camouflage.

InfoSec itself was an interesting mix this year. A lot of the usual suspects
and a few new players in security but I didn't have the chance to catch
everything so if you attended and saw something neat tell us about it. I
noticed a distinct lack of wireless/VoIP/Bluetooth security companies this
time around which surprised me. Last year you couldn't swing a dead cat5
cable without hitting one. I did have some fun poking at some of the vendors'
WAPs and I don't think I was the only one since I saw one WAP get renamed to
"BarracudaSucks". Personally I like the Barracuda products but it made me
smile to see someone being mischievous.

I didn't get a chance to hit all the talks I wanted but I did sit in on
David Rhoades' Hacking Web 2.0 talk (and got a monkey!) which was nothing
new to me technically but was a well-organized breakdown of HTML-specific
Web application hacking and the issues and differences between XHR, CSRF,
JSON, etc. Good stuff for those just starting to explore web application
hacking. Dave Pogue from the NY Times was a very entertaining speaker at the
main lunch keynote on Monday, despite his singing (don't quit the day job,
Dave). All of the conference presentation material is available at
http://misti.com/infosecworld.

I spoke with the Tenable guys and got the skinny on what's coming up on
their roadmap as well as picking on them about features and things I wanted to
see for Nessus moving forward. They just released version 3.2 yesterday with
some tweaks that I'd been hoping for (IPv6 support, better bandwidth control
independent of concurrent threads, native WMI support), especially a real
auto-updater so no more need to update packages by manual exec. I don't keep
up with the Nessus mailing list as much as I should but Tenable CEO Ron Gula
has a blog going at http://blog.tenablesecurity.com/ that you may want to
add to your RSS feeds list. I also heard Renaud got married and moved to
France. Congrats Renaud!

CORE was there as well and hosted a hands-on lab event to play with Impact
and do some active hacking on VMs they had set up for it. Again, nothing
new to me but it provided a great opportunity for people to get some
hands-on time with their tool and play around with it. A lot of pen-testers
don't have the cash to drop on all the commercial tools and being able to
get some keyboard time on them is a smart way to target your market
audience. I wish more companies did this. It'll be interesting to see where
CORE goes with their addition of Client-side and Web app sections as it
matures. What they do have is fairly well put together but you can still see
some rough edges. It misses some things that are kind of basic for those of
us with extensive experience in the subject (WebDAV/PROPFIND exploits, some
SQL injection methods, etc) but what it does have works well and CORE's
attention to detail on their modules shows.

There was a lot more going on but those were some things off the top of my
head. If you got a chance to attend and have some information or things
you'd like to share about the conference please submit to the list.

--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba@amoebazone.com
"Do Not Taunt Happy-Fun Ball"


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:27 EDT