iSEC Open Security Forum

About the iSEC Open Security Forum

The iSEC Open Security Forum is an informal and open venue for the discussion and presentation of security-related research and tools, and an opportunity for San Francisco and Seattle area security researchers from all fields to get together and share work and ideas. Forum agendas are crafted with the specific needs and interests of its members in mind and consist of brief 20-30 minute talks. Talks are not product pitches or strongly vendor preferential. Attendance is by invite only and is limited to engineers and technical managers. Any area of security is welcome, including reversing, secure development, new techniques or tools, application security, cryptography, etc.

Upcoming Meetings:

Date: Thursday, August 21
Time: 6pm
Location: eBay Town Hall, San Jose, CA

Agenda:

Alex Stamos / Co-Founder and VP / iSEC Partners / "Living in the RIA World: Blurring the Line Between Web and Desktop Security"
Rich Internet Applications (RIA) represent the next generation of the Web. They intentionally blur the line between websites and traditional desktop applications and greatly complicate the jobs of web developers, corporate security teams, and external security professionals. Our goal with this talk will be to outline the different attack scenarios that exist in the RIA world and to provide a comparison between the security models of the leading RIA platforms, including Adobe AIR, Microsoft Silverlight, Google Gears, JavaFX, and Mozilla Prism.

Gordon Lyon "Fyodor" / Hacker / Insecure.Org / "The New Nmap"
The Nmap Security Scanner has become more popular than I ever imagined when I released it more than a decade ago. It has attracted a vibrant community, won awards, and even appeared in motion pictures! Yet this longevity also has a dark side: routine and complacency. Many security professionals grew up with Nmap and developed their favorite options and scan techniques back in the '90s. Some haven't read the man page in years, and are missing out on great new functionality. So I'd like to highlight some of my favorite new Nmap features and demonstrate how they can be used to get the most out of security scans. These features include the Nmap Scripting Engine, Zenmap Results Viewer, fixed-rate packet sending, new performance options, and more. I can't cover everything in 20 minutes, but I hope to inspire people to take a fresh look at Nmap and not be afraid to add an -sV, -sC, or even --reason to their command line.

Chris Paget / Distinguished Engineer / eBay / "Real World Malware"
There is a never-ending buzz within the anti-malware industry about "the latest threats" presented by the malicious code that can be found on the internet, despite the fact that most security professionals deal with such malware rarely, if ever. eBay is a magnet for phishing scams and malware; we routinely deal with the cutting edge on a daily basis.
This talk will demonstrate some of the more invasive pieces of malware that we have recently encountered, with live demonstrations of their capabilities and interesting snippets from their disassembly. Rather than presenting the current "latest thing" in malware, we will instead focus on code that is actively spreading across the internet affecting users. All the samples to be demonstrated were recovered from infected machines in the wild - no samples, no "previews", just a reality check for what can happen to unsuspecting users on the modern Internet.

Date: Thursday, August 28
Time: 6pm
Location: iSEC Partners Seattle Office

Agenda:

Scott Stender / Co-Founder and VP / iSEC Partners / "Concurrency Attacks in Web Applications"
Modern web application frameworks are designed for developer productivity and performance. They are highly scalable, object-oriented, and can be used to create a usable web site in a matter of minutes. Highly parallelized, object-oriented web application frameworks encourage programming practices that make managing state difficult for a typical programmer. In order to have a web application that is robust in a multi-threaded environment, the developer must carefully manage access to all resources that can be shared by threads. Global variables, session variables, database access, and back-end systems are common examples of such resources, not to mention application-specific resources.

Concurrency flaws result when security-sensitive resources are not managed properly. As we have seen with almost every other prevalent class of security flaws, mistakes happen often when doing the right thing is difficult. To make things worse, concurrency flaws are often subtle and are identified only through difficult targeted testing. This presentation will provide an overview of the issue, testing and mitigation techniques.

Richard Johnson / Computer Security Specialist / Microsoft / "Visualizing Software Security"
Software security is an area of research with an ideal need for information visualization techniques. This talk will discuss the latest in program visualization and show examples of ongoing research at universities and corporations worldwide. Several visualization techniques will be examined for usability in software security and a short discussion of graph layouts will illustrate the function and ideal use for each. Finally, a process for creating visualizations from data derived from static analysis will be demonstrated.

John Heasman / VP of Research / NGS Software / "Who needs Java in a world of Ajax, Flash and Silverlight? The Bad Guys do."
Who needs Java in a world of Ajax, Flash and Silverlight? Regardless of its oft predicted demise, the simple truth is that the Java browser plugin is ubiquitous among both corporate and home users. With an estimated install base of 300 million desktops, 2.1 billion phones and 11 million TVs, client-side Java presents an attack surface that cannot be ignored. But somehow it has been, both by security researchers and by the malware community.

This presentation tells the story of a myriad of [now patched] vulnerabilities discovered by the presenter in the Java browser plugin. Some will make you laugh, some will make you cry, all will compromise your browser.

If you are interested in presenting a short 20-30 minute talk at an upcoming Forum meeting, please email a short abstract and bio to forum@isecpartners.com

Past Meetings:

Date: Wednesday, April 30
Location: iSEC Partners Seattle Office
Bruce Dang / Security Software Engineer / Security Windows Initiative Group, Microsoft - “Methods for analyzing malicious Office documents used in targeted attacks”
Felix Von Leitner / Co-Founder / Code Blau - “Compiler Optimizations”
Alex Stamos / Co-Founder and Vice President / iSEC Partners - “Breaking Forensics”

Date: Thursday, April 10
Location: San Francisco
Meeting Agenda:
Tal Garfinkel, VMWare - "Virtual Machine Monitor (VMM) Security: Current Research on Virtual Machine Security"
Luis Miras, RingZero – “Developing IDA Pro Plugins”
Scott Stender, iSEC Partners - “Attacking Internationalized Software”

Date: Thursday, January 10
Location: San Francisco
Meeting Agenda:
Rich Cannings - “Cross Site Scripting and Common ActionScript Coding Practices”
Fred Bret-Mounet - "How to use asp.net's pipeline model to insert an application firewall in front of your web server. This talk will cover the requirements, options, lessons learnt and areas of improvement."
Nate Lawson - "Recent Attacks on SSL/TLS"
Seth David Schoen - "Pcapdiff"

Date: Thursday, October 18
Location: San Francisco
Meeting Agenda:
Luis Miras - "RF Wireless Vulnerabilities"
Josha Bronson - "Fenum: a tool to enumerate HTML filtering in web applications"
Zane Lackey and Alex Garbutt - "Point, Click, RTPInject"