Yesterday was iSEC’s Open Security Forum. It is an informal and open venue to present and discuss security related research and tools. The last meeting was in October of 2007, and I believe they are aiming for quarterly meetings. There were four presentations, and here are my notes from them.
Rich Cannings – Cross Site Scripting and Common ActionScript Coding Practices
- Thousands of vulnerable SWF files on the internet
- Major issue is due to cross-domain loading
- Adobe document on creating secure SWF applications
- getURL and navigateToURL XSS attacks
- Rich’s paper on XSS Vulns in SWFs
Seth David Schoen – Comcast P2P Traffic Analysis
- In 2007, Comcast was suspected of trottling P2P traffic.
- Sources – Ars Technica, TorrentFreak, NY Times
- EFF research determined Comcast sending spoofed reset packets to slow down users uploading data via BitTorrent
- Sandvine might be behind the automated resets
- pcapdiff – Tool to compare two packet captures to identify potential forged, dropped or mangled packets
- Packet Forgery by ISPS: A Report on the Comcast Affair – EFF paper
Nate Lawson – Recent Attacks on SSL/TLS
- SSL PKCS padding attack
- TLS 1.1 addresses the above issue
Fred Bret-Mounet – ASP.NET Application Firewall
- Homebrewed application firewall using ASP.NET’s pipeline model
- 10-15% overhead
I really liked the variety of topics that were discussed. Between the four talks, I felt like there was something for everyone. iSEC did a great job hosting the event. The next meetup might have to be at a different venue though, as the meeting room was packed. But that’s a good thing right? Also, thanks to Peter Kim for providing his feedback and notes on the event.
Update: I only took a few pictures at the event, but they can be found here.