February OWASP Bay Area Meeting

Yesterday night I ran my first OWASP Bay Area meeting! It was certainly an interesting experience, and it wasn’t as bad as I thought. Thanks to everyone who helped me make the meeting possible.

We had a great turnout, with about 35 people attending, and I hope everyone enjoyed the talks as much as I did. For those who weren’t able to make it, Kurt Grutzmacher’s presentation was called ‘Your Client-Side Security Suck. Stop Using It.’ and Eric Rachner’s presentation was on NTLM attacks and countermeasures.

I did record both presentations, but I am having a hard time re-encoding them to fit within YouTube’s file size limits. Anyone have ideas on how to squeeze a 40 minute presentation down to under 100 MB? My current settings are output to XviD, 320×240, 528 kbps video, 32 kbps audio. I am going to guess that if I reduce the video bitrate, I can reduce the file size some more, but what is a good setting? I can’t seem to find any docs or howtos on this.

OWASP-SF Meeting

Tonight was another good OWASP Bay Area meeting. Over 50 people attended the meeting, and I hope these numbers continue to rise.

The first talk was on Adobe Flash security. Here are my notes:

  • Cross-site flashing takes advantage of the HTML Flash parameter allowScriptAccess=always
  • Stefano Di Paola released SWFIntruder a few months ago to help analyze Flash applications at runtime
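As an added illustration of the allowScriptAccess point above (example code written for this page, not from the original post, the talk, or SWFIntruder): a small audit that scans page markup for Flash embeds and flags the ones that grant script access to a SWF regardless of where it was loaded from. It assumes the three documented values (always, sameDomain, never) and the Flash Player 8+ default of sameDomain when the setting is absent; the sample HTML is constructed.

```javascript
// Added example (not from the original post or the talk): audit page markup
// for Flash embeds whose allowScriptAccess setting lets the SWF call
// JavaScript on the hosting page even when the SWF came from another origin.
// That is the foothold cross-site flashing relies on.
//
// allowScriptAccess values:
//   "always"     - SWF may script the page wherever it was loaded from (unsafe)
//   "sameDomain" - only when SWF and page share an origin (Flash Player 8+ default)
//   "never"      - no outbound script access at all

// Pull one attribute value out of a single tag's text (double, single or bare quoting).
function attr(tag, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = tag.match(re);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Rate a setting; a missing setting falls back to the player default, sameDomain.
function classify(value) {
  const v = (value === null ? 'sameDomain' : value).toLowerCase();
  if (v === 'always') return 'unsafe';
  if (v === 'samedomain' || v === 'never') return 'ok';
  return 'unknown';
}

// Return one finding per Flash embed found in `html`.
function auditFlashEmbeds(html) {
  const findings = [];

  // <object> form: the setting lives in a nested <param>; the SWF is data= or a "movie" param.
  for (const obj of html.match(/<object\b[^>]*>[\s\S]*?<\/object>/gi) || []) {
    const open = obj.match(/<object\b[^>]*>/i)[0];
    let src = attr(open, 'data');
    let value = null;
    for (const p of obj.match(/<param\b[^>]*>/gi) || []) {
      const name = (attr(p, 'name') || '').toLowerCase();
      if (name === 'allowscriptaccess') value = attr(p, 'value');
      if (name === 'movie' && src === null) src = attr(p, 'value');
    }
    findings.push({ element: 'object', src, value, verdict: classify(value) });
  }

  // <embed> form: the setting is an attribute on the tag itself.
  for (const tag of html.match(/<embed\b[^>]*>/gi) || []) {
    const value = attr(tag, 'allowScriptAccess');
    findings.push({ element: 'embed', src: attr(tag, 'src'), value, verdict: classify(value) });
  }
  return findings;
}

// Only the embeds that grant script access to a cross-origin SWF.
function unsafeFlashEmbeds(html) {
  return auditFlashEmbeds(html).filter((f) => f.verdict === 'unsafe');
}

// Constructed sample page: a third-party banner with the weak setting, a
// player with the hardened setting, and an embed relying on the default.
const SAMPLE_HTML = `
<object data="https://ads.example.net/banner.swf" type="application/x-shockwave-flash">
  <param name="allowScriptAccess" value="always">
</object>
<embed src="https://cdn.example.com/player.swf" type="application/x-shockwave-flash"
       allowScriptAccess="sameDomain">
<embed src="/games/puzzle.swf" type="application/x-shockwave-flash">
`;

for (const f of auditFlashEmbeds(SAMPLE_HTML)) {
  const shown = f.value === null ? '(default)' : f.value;
  console.log(`${f.verdict.padEnd(7)} <${f.element}> ${f.src} allowScriptAccess=${shown}`);
}
```

The fix for a flagged embed is to change the value to sameDomain (or never if the SWF has no reason to talk to the page); the setting only matters for SWFs you do not control, but auditing every embed is cheaper than deciding which ones you trust.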

The second talk was on PCI. I was surprised that the discussion around this topic was lively, as I thought it would be pretty boring. Anyway, here are my notes from this talk.

  • Criminals are getting better
    • Tiny wireless skimmers are point of sale devices
    • In-line wiretaps to record transactions
  • Current PCI spec doesn’t require end-to-end encryption
  • Visa’s PABP – Payment Application Best Practice
  • PA-DSS – PCI Council adapted version of Visa’s PABP
  • Section 6.6 is required by June 30, 2008
    • Requires either a code review or a web application firewall for front-facing sites
    • But what defines a code review? Static vs dynamic
  • Section 11.3 talks about pentesting

The next Bay Area meeting will be in the East Bay, probably somewhere in Pleasanton. If you want to give a talk at the next meeting, please drop me a line.

I only took a few pictures at this event, but they can be found on flickr.

Update: There is a great blog on PCI at pcianswers.com.

OWASP Stanford Meeting

Yesterday was the first meeting under the newly founded “OWASP Bay Area” chapter, which combines the San Francisco, San Jose, and East Bay chapters into one big one! The meeting was held at the beautiful Stanford Alumni Association Center.

Niels Provos presented on how Google detects malware from their web crawlers, and the ties to the Safe Browsing plugin. Jerry Yang, the co-founder of Yahoo!, was also present, and he asked some good questions. He seemed very interested in whether Google was doing this program for the greater good of the web, or if there was a business case for it.

The second talk was from a Stanford Ph.D. student. He gave some neat examples of how attackers can gain information from users. Some techniques he went over were iframes, mixed content behavior, cross-site request forgery, and DNS rebinding.

Both talks were excellent, and the crowd turnout was great. Another nice thing was the open bar :)

The next OWASP meeting will be in San Francisco; location to be determined soon. I took a few other pictures at this event, which can be viewed at flickr.

OWASP & WASC AppSec 2007

Over the last week I was at eBay in San Jose, California for the OWASP and WASC AppSec conference. The event was loads of fun, and over 200 people attended the two day event.

There were many good talks, but the winner had to be from Samy (of the MySpace Samy worm). It was not a highly technical talk, but more of a story of events that happened. RSnake and Jeremiah came dressed for his talk by wearing “Samy is my hero” shirts.

Gunnar Peterson, Jeremiah Grossman, RSnake, and pdp also blogged about the event, and Wayne Huang took pictures. My pictures can be found on flickr.

OWASP-SF Meeting

Yesterday was another great OWASP meeting by the SF chapter. The lineup included Ivan Ristic, who talked about web application firewalls (WAF), and Neil Daswani, who talked about emerging security vulnerabilities and the impact to business.

The meeting was held at Golden Gate University, a place I didn’t even know existed, even though I pass it all the time. The lecture rooms were very nice though, with power and network connections at each seat.

Both talks were very good, and here are some of the interesting points that I remember:

There will be no San Jose or San Francisco OWASP meeting next month, due to the OWASP and WASC AppSec conference in San Jose. That event will be taking place at eBay, from November 12th to the 15th.

Below are a couple of pictures from the event; the full set can be found on flickr.

Thursday was the worldwide OWASP day, with the common theme of privacy in the 21st century. I was at the San Jose meeting which was hosted by eBay, and had a blast.

This was my first visit to the eBay campus, and I liked the place except for the security. They weren’t armed police, but all of them wore black outfits with dark glasses and always asked for my ID. Maybe I got extra hassle because I had my camera with me; who knows.

But back to the OWASP meeting, there were two sessions. The first was a technical talk on cross-site scripting, and the second was a panel on privacy and security.

The panel discussion covered lots of interesting topics, as the attendees gave good questions, and Alex Stamos of iSEC Partners did a good job at moderating.

One thing to note if you are an OWASP San Francisco or San Jose member – the two groups will be alternating months on the meetings. So because San Jose had one this month, the next one will be in San Francisco. Also, Brian Christian stepped down as the San Francisco chapter leader, and Robi Papp of Accuvant is stepping in.

The rest of my pictures are on flickr.