F1 Hacking & Securing Web-based ApplicationsHands-On (Day 2 of 2)
Who should attend: People who are auditing Web application security,
developing Web applications, or managing the development of a Web
David Rhoades, Maven Security Consulting, Inc.
10:30 a.m.6:00 p.m.
Is your Web application secure? CD Universe, CreditCard.com, and
others have found out the hard way: encryption and firewalls are
not enough. Numerous commercial and freeware tools assist in locating network-level
security vulnerabilities. However, these tools are incapable of
locating security issues for Web-based applications.
With numerous real-world examples from the instructor's years of
experience with security assessments, this informative and entertaining
course is based on fact, not theory. The course material is
presented in a step-by-step approach, and will apply to Web portals,
e-commerce (B2B or B2C), online banking, shopping, subscription-based
services, or any Web-enabled application.
Class exercises will require that students have an x86-based laptop
computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet
network card. Please download a copy of KNOPPIX-STD
(https://www.knoppix-std.org), burn it to a CD-R, and try to boot your system
on a network offering DHCP. Be sure your network card is recognized by
Knoppix-STD, otherwise you will not be able to participate in most classroom
exercises. Wireless access will not be supported during class.
Students will be provided access to several target Web applications.
Some of these applications are real applications with known security
issues. Others are mock applications
designed by Maven Security to simulate real security issues. At
each step, the instructor will supply the tools needed and demonstrate
the required techniques. All software provided will be publicly available freeware.
- The primary risks facing Web applications
and session tracking
- Tools, techniques, and methodologies required to locate weaknesses
- Recommendations for mitigating exposures found
- Best practices for Web application security
- The problem and root causes
- Web primer: HTTP and HTML
- Foundational security
- OS vulnerabilities
- Web server security highlights
- Web server and Web application output
- HTTP headers
- Encryption ciphers
- Error messages
- Authentication: digital certificates; form-based; HTTP basic
- Threats to authentication
- User name harvesting
- Brute-force password guessing
- Password harvesting
- Resource exhaustion
David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security
Consulting, Inc. Since 1996, David has provided information protection services
for various FORTUNE 500 customers. His work has taken him across the US
and abroad to Europe and Asia, where he has lectured and consulted in
various areas of information security. David has a B.S. in computer
engineering from the Pennsylvania State University and is an instructor
for the SANS Institute, the MIS Training Institute, and Sensecurity
(based in Singapore).
- Session issues
- Session tracking mechanisms
- Session ID best practices
- Session cloning
- Transaction issues
- Malicious user input
- Hidden form elements
- GET vs. POST
- Improper application logic
- Cross-site scripting (XSS)
- Third-party products
- Testing procedures
- Methodology and safety
F2 Managing Samba 2.2 & 3.0
Who should attend: System administrators who are
currently managing Samba servers or are planning to deploy
new servers this year. This course will outline the new
features of Samba 3.0, including working demonstrations
throughout the course session.
Gerald Carter, Samba Team/Hewlett-Packard
10:30 a.m.6:00 p.m.
Gerald Carter (R2, F2) has been a member of the Samba Team since 1998. He has published articles in various
Web-based magazines and gives instructional courses as a
consultant for several companies. Currently employed by
Hewlett-Packard as a Samba developer, Gerald has written
books for SAMS Publishing and is the author of the recent
LDAP System Administration (O'Reilly & Associates).
- Providing basic file and print services
- Upgrading a Samba server from version 2.2 to 3.0
- Integrating with Windows NT 4.0 and Active Directory
- Centrally managing printer drivers for Windows clients
- Managing NetBIOS network browsing
- Implementing a Samba primary domain controller along with
Samba backup domain controllers
- Migrating from a Windows NT 4.0 domain to a Samba domain
- Utilizing account storage alternatives to smbpasswd such
- Making use of Samba VFS modules for features such as virus
scanning and a network recycle bin
F4 System and Network Performance Tuning
Who should attend: Novice and advanced UNIX system and network administrators, and UNIX developers concerned about network performance impacts. A basic understanding of UNIX system facilities and network environments is assumed.
Marc Staveley, Soma Networks
10:30 a.m.6:00 p.m.
We'll examine the virtual memory system, the I/O system and the file system, NFS tuning and performance strategies, common network performance problems, examples of network capacity planning, and application issues. We'll also cover guidelines for capacity planning and customized monitoring based on your workloads and traffic patterns. Analysis periods for particular situations will be provided.
Marc Staveley (F4) works with Soma Networks, where he is applying his many years of experience with UNIX development and administration in
leading their IT group. Previously Marc had been an independent
consultant and also held positions at Sun Microsystems, NCR,
Princeton University, and the University of Waterloo. He is a
frequent speaker on the topics of standards-based development,
multi-threaded programming, system administration, and performance
- Performance tuning strategies
- Server tuning
- Filesystem and disk tuning
- Memory consumption and swap space
- System resource monitoring
- NFS issues
- Automounter and other tricks
- Network performance, design, and capacity planning
- Application tuning
- System resource usage
- Memory allocation
- Code profiling
- Job scheduling and queuing
- Real-time issues
- Managing response time
F5 Defeating Junk/Spam Email
Who should attend: Network and system administrators
responsible for email systems; people who are annoyed by junk email;
mail server administrators; senior managers who want to understand the
technologies for blocking junk email. Some familiarity with Internet email systems is recommended. Familiarity with
UNIX system administration is a must.
Marcus Ranum, Trusecure Corp.
10:30 a.m.6:00 p.m.
Is unplugging from the network the only way to avoid junk email? Many
organizations are finding that junk email is a major time-waster and
performance hog. Some individuals are finding that, every morning, 95% of their inbox is
This workshop covers real-world issues in dealing with junk email, and how
to block a significant percentage of it from your personal or corporate
network. Attendees will learn the various techniques of junk email blocking,
the tools that are available, and the advantages and disadvantages of various
approaches. We will also examine a number of popular tools in detail, and
discuss configuration and tuning issues.
Marcus Ranum (T5, R5, F5) is senior scientist at Trusecure Corp. and a world-renowned expert
on security system design and implementation.
He is recognized as the inventor of the proxy firewall and the
implementer of the first commercial firewall product. Since the
late 1980s, he has designed a number of groundbreaking security
products, including the DEC SEAL, the TIS firewall toolkit, the
Gauntlet firewall, and NFR's Network Flight Recorder intrusion
detection system. He has been involved in every level of operations
of a security product business, from developer, to founder and CEO
of NFR. Marcus has served as a consultant to many FORTUNE 500 firms
and national governments, as well as serving as a guest lecturer
and instructor at numerous high-tech conferences. In 2001, he was
awarded the TISC Clue award for service to the security community,
and he holds the ISSA lifetime achievement award.
- Junk email: you know what it is when you get it
- Whitelisting, blacklisting, and blackholing
- Early attempts at junk email blocking
- The state of the art in junk email blocking
- Tools and techniques
- Setting up a centralized junk email blocking system
- Integrating junk email blocking into various mail clients
- Integrating junk email blocking into various servers
- Legalities and legal initiatives