Difference between revisions of "Episode249"

From Security Weekly Wiki
Jump to navigationJump to search
Line 7: Line 7:
  
 
* This month's Late Breaking Computer Attack Vectors webcast will be given by Carlos Perez on [https://cybersecurityworldevents.webex.com/mw0306ld/mywebex/default.do?siteurl=cybersecurityworldevents Wednesday June 29th at 2 PM EDT]
 
* This month's Late Breaking Computer Attack Vectors webcast will be given by Carlos Perez on [https://cybersecurityworldevents.webex.com/mw0306ld/mywebex/default.do?siteurl=cybersecurityworldevents Wednesday June 29th at 2 PM EDT]
 
 
* Los tres primeros episodios de PaulDotCom Espanol con Julio Canto, Lorenzo Martinez, y Chema Alonso [http://pauldotcom.com/wiki/index.php/PaulDotCom_Espanol esta disponible aqui].  Tenemos mas entrevistas en las semanas que vienen....
 
* Los tres primeros episodios de PaulDotCom Espanol con Julio Canto, Lorenzo Martinez, y Chema Alonso [http://pauldotcom.com/wiki/index.php/PaulDotCom_Espanol esta disponible aqui].  Tenemos mas entrevistas en las semanas que vienen....
 
 
* Sign up for Blackhat Training Courses:
 
* Sign up for Blackhat Training Courses:
 
** PaulDotCom Blackhat Training [http://blackhat.com/html/bh-us-11/training/pauldotcom-offensive.html Sign up] for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
 
** PaulDotCom Blackhat Training [http://blackhat.com/html/bh-us-11/training/pauldotcom-offensive.html Sign up] for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
 
** Tenable Security Blackhat Training [http://blackhat.com/html/bh-us-11/training/bh-us-11-training_TEN-AdvNessus.html Sign up] for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2
 
** Tenable Security Blackhat Training [http://blackhat.com/html/bh-us-11/training/bh-us-11-training_TEN-AdvNessus.html Sign up] for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2
 
 
* DerbyCon : Louisville, Kentucky – September 30th to October 2nd. Catch Carlos Perez's training session - [http://www.derbycon.com/training/ "Automating Post Exploitation with Metasploit"] Friday and Saturday of the Con from 4:00PM to 9:00PM.
 
* DerbyCon : Louisville, Kentucky – September 30th to October 2nd. Catch Carlos Perez's training session - [http://www.derbycon.com/training/ "Automating Post Exploitation with Metasploit"] Friday and Saturday of the Con from 4:00PM to 9:00PM.
 
 
 
* Don't forget to [http://pauldotcom.com/ Read our blog], [http://mail.pauldotcom.com/listinfo Participate on our mailing list], [http://pauldotcom.com/insider/ Visit PaulDotCom Insider], [http://twitter.com/pauldotcom Follow us on Twitter], [irc://irc.freenode.net/pauldotcom Join the IRC channel at irc.freenode.net #pauldotcom], and [http://pauldotcom.blip.tv Watch our Videos]!
 
* Don't forget to [http://pauldotcom.com/ Read our blog], [http://mail.pauldotcom.com/listinfo Participate on our mailing list], [http://pauldotcom.com/insider/ Visit PaulDotCom Insider], [http://twitter.com/pauldotcom Follow us on Twitter], [irc://irc.freenode.net/pauldotcom Join the IRC channel at irc.freenode.net #pauldotcom], and [http://pauldotcom.blip.tv Watch our Videos]!
 +
** You can [http://www.facebook.com/therealpauldotcom Add us on Facebook] where we can be "friends"
  
 
= Interview: Chris Gates=
 
= Interview: Chris Gates=

Revision as of 13:18, 23 June 2011


Announcements

PaulDotCom Security Weekly - Episode 249 for Thursday June 23d, 2011.

Interview: Chris Gates

Chris joined the original Titan Team (Lares) in 2011 as a Partner & Principal Security Consultant. Chris is a member of the Metasploit Project, a major contributor to the carnal0wnage attackresearch blog and is known to enjoy business logic flaws, misconfigured databases and the occasional client-side attack.

7:30 PM

Full Bio:

Chris joined Lares in 2011 as a Partner & Principal Security Consultant. Chris has extensive experience in network and web application penetration testing as well as other Information Operations experience working as an operator for a DOD Red Team and other Full Scope penetration testing teams. Chris holds a BS in Computer Science and Geospatial Information Science from the United States Military Academy at West Point and holds his CISSP, CISA, GPEN, GCIH, CEH, and Security+. In the past, he has spoken at the United States Military Academy, BlackHat, DefCon, Toorcon, Brucon, Troopers, SOURCE Boston, OWASP AppSec DC, ChicagoCon, NotaCon, and CSI. He is a regular blogger carnal0wnage.attackresearch.com and is also a regular contributor to the Metasploit and wXf Projects.

  1. What's the distinction you make when you say that "repeatable" pentests are really vulnerability assessments (with exploitation) vs. actual pentesting
  2. What is the Web Exploitation Framework?
  3. What's the difference between w3af and the wXf framework?
  4. Will wXf ever be part of Metasploit?
  5. Tell us about your research such as the recent Attacking Oracle Web Applications With Metasploit talk
  6. Between the Lares Blog and carnal0wnage.attackresearch.com, when do you sleep?
  7. We need to start a drinking game - this time based on how many times Chris says "fuzz" or "fuzzing".

Tech Segment: Catching base64 on the network with Kevin Fiscus of NWN Corportation

8:15 PM

Kevin is a security architect and consultant with 2 decades of experience in information technology and a decade in compliance, which we won't hold against him. He is currently the Director of NWN Corporation's Security Technology, Assessment and Response (STAR) Team

Kevin will be on to discuss work he's been involved with detecting base64 using Snort. Instead of detecting basic web authentication, he'll be going over other malicious uses for base64 encoding including evading DLP systems that don't involve basic web authentication. Specifically, using snort and a variety of regular expressions to catch base64 on the network.


Stories For Discussion

PaulDotCom Blog Roundup

Larry's Stories

Paul's Stories