This past week I attended the East Tennessee Cyber Security Summit. I had never been before, but an acquaintance of mine who knew that I am always looking for opportunities to learn more about any and everything security-related really encouraged me to attend.
Of all the talks given, I think Joe McCray's talk on advanced SQL injection was my favorite. I had heard of Joe a few years back and had since viewed a few videos and slides that he has posted online but never had the chance to hear him in person until this week. One of his first questions during this talk was "Who likes to break things?" and it was at this moment that I knew this was the right place for me. Joe continued to demonstrate some techniques he uses in some of his pen-tests such as using different types of encoding to bypass different types of Web app firewalls.
While I really enjoyed the technical stuff, I simply could not stop thinking about something he said at the beginning of the talk that went something along the lines of "Network pen-testing is dead and it died in 2006 with the introduction of SP2 for Windows XP."
He laid the topography of modern-day pen-testing out, and since I always find it beneficial to look at things from a bird's-eye view as well as nuts and bolts, I will share what he said:
1) Service pen testing - Rest in peace thanks to things like Data Execution Prevention, Stack cookies, and Address Space Layout Randomization.
2) Client-side exploitation - such as IE, Flash, Shockwave, and my favorite Adobe :)
3) Web app - email, XSS, databases, etc...
This was incredibly beneficial for me to hear from someone who is very active in the field and is able to present findings like this from experience. Computer attacks are fascinating to me, and when I first started becoming interested in attacks, service-based exploitation was still very effective. It is interesting to look back and read things like Kevin Mitnick's "Ghost in the Wires" book and see how much change has occurred in regard to security as defenders as well as attackers have raised the bar due to computers becoming exponentially more advanced. The transformation of "hackers" from being people who are curious and exploratory to the modern "cyber criminal" is a pretty wild leap. I fear it will only become worse, as far as cyber crime attacks are concerned, as more and more things are computerised and then pushed to the Internet. InfoSec is a rapidly changing field and there is no doubt that to be good, one must make it a priority to ride the wave of change.
Overall I really enjoyed the conference. I was somewhat surprised to see that, from what I could tell, most of the audience was general IT, which was pretty different from the other conferences or videos of conferences that I have seen or been to.
In my next few posts I will be demonstrating the three basic forms of SQL injection: error-based, union, and blind.