Monday, May 30, 2011

Reasons to attend Security BSides St John's 2011 (part 7)

So you've heard about the Security BSides St John's 2011 event and wonder if you'll sign up to attend? Well if you do you'll be able to take in a variety of information security talks from leaders in the field, while having the opportunity to meet other information security practitioners and researchers. In this week's 'Reasons to attend Security BSides St John's 2011' I'm highlighting Nicholas Donarski's (Kizz MyAnthia) talk entitled "Weaponizing The Smartphone: Deploying The Perfect WMD":

Weaponizing The Smartphone: Deploying The Perfect WMD
Nicholas Donarski (Kizz MyAnthia)

The acceptance and integration of mobile phones, specifically smartphones, into our everyday life has allowed for these devices to penetrate deep into secure areas. The ability to have your phone along with you at any moment of the day feeds our needs for social media, email, business, and pleasure. This ability and access has allowed the use of smartphones to be bred into devices that rival other penetration testing hardware/software combinations.

Nicholas has developed and created an OS platform package that allows penetration testers and security professionals the ability to test both physical security and technical security without being constrained by computers, cords, or the image of suspicious behavior. The WMD platform package is based on Windows Mobile 6.5 Smartphones and is executed similar to a virtual machine. The WMD package is preloaded with many of the same applications and testing tools that are included with Backtrack 4 (www.backtrack-linux.org). There is no affiliation between the two projects, only the similar desire to create a single source of the latest tools, applications, and techniques used by today's security professionals integrating today's latest technologies.

"Weaponizing The Smartphone: Deploying The Perfect WMD" will show the audience how to create a deployable package on a MicroSD card for use on the HTC Rhodium (AT&T Tilt2) or similar Windows Mobile 6.5 smartphone. Then using a test wireless AP, a Windows Server 2003 VM, and the loaded WMD smartphone the audience will be presented with a live demonstration of some of the tools including Nmap, Metasploit, and The Social Engineering Toolkit to exploit the Windows Server 2003 VM and gain administrative access.

The fundamental security flaw of accepting technology to perform only for what it was "made" for without the expectation of manipulation presented by "Weaponizing The Smartphone: Deploying The Perfect WMD" will help security professionals protect their environments while stimulating "out-of-the-box" thinking.

Sunday, May 22, 2011

Reasons to attend Security BSides St John's 2011 (part 6)

So you've heard about the Security BSides St John's 2011 event and wonder if you'll sign up to attend? Well if you do you'll be able to take in a variety of information security talks from leaders in the field, while having the opportunity to meet other information security practitioners, and researchers. In this week's 'Reasons to attend Security BSides St John's 2011' I'm highlighting Tim Newell's talk entitled "Having Your Cake and Eating it - Remote Access Security":

Having Your Cake and Eating it - Remote Access Security
Tim Newell, Senior Security Consultant with Bell Aliant

Remote access to IT systems is a near-universal requirement, yet often the security considerations are badly misunderstood. (Ever had an argument with somebody over relative encryption strength when they’re using usernames with basic passwords for authentication?) In the midst of this, IT staff are under pressure to reduce costs, enable mobile remote access, and support home-based usage. Is there a “right answer” to remote access security? For that matter, what are the questions to ask? How do you even begin to find a balance that works?

This presentation will look at threats, countermeasures, and policy related to remote access security. From there, the talk will look at securely implementing very different security postures using typical SSL VPN capabilities. Tim has experience with several different vendors’ remote access solutions, and will be looking at the issues from a product-agnostic perspective.

Monday, May 16, 2011

Apache Karaf build status and current road map.

We've had a busy few weeks here at the Apache Karaf project so I'd like to take some time to review our build status and road map.

There have been two recent releases of Apache Karaf, representing updates to the 2.1.x and 2.2.x branches. Each release encompassed bug fixes, improvements, and updates to libraries while attempting to ensure backwards compatibility within each branch.

Apache Karaf 2.2.1:
http://karaf.apache.org/index/community/download/karaf-2.2.1-release.html

Apache Karaf 2.1.5:
http://karaf.apache.org/index/community/download/karaf-2.1.5-release.html

On the radar we have several scheduled builds, with particular focus on bringing the first Karaf 3.x release to general availability. As we've recently produced patches to the 2.1.x and 2.2.x lines I would expect it will be several weeks before we begin discussing rolling up another patch. Anyone who would like to know the current build status of Apache Karaf may visit the Hudson build reports as indicated by branch below:

Apache Karaf 3.0.0:
https://hudson.apache.org/hudson/view/G-L/view/Karaf/job/Karaf/

Apache Karaf 2.2.2:
https://hudson.apache.org/hudson/view/G-L/view/Karaf/job/Karaf-2.2.x/

Apache Karaf 2.1.6:
https://hudson.apache.org/hudson/view/G-L/view/Karaf/job/Karaf-2.1.x/


We also have a new sub project, Apache Karaf Cellar, about to have its first release. Currently two releases are planned, under the versions cellar-2.2.0 and cellar-3.0.0. I expect to see more posts on this project as it approaches a release candidate.

This is definitely an exciting time to be working on the Karaf project, and I would greatly encourage everyone interested in the project to join us on the discussion forums, drop by our IRC room, or better yet visit our issue tracker and join in with our fun :)

Reasons to attend Security BSides St John's 2011 (part 5)

So you've heard about the Security BSides St John's 2011 event and wonder if you'll sign up to attend? Well if you do you'll be able to take in a variety of information security talks from leaders in the field, while having the opportunity to meet other information security practitioners, and researchers. In this week's 'Reasons to attend Security BSides St John's 2011' I'm highlighting Travis Barlow's talk entitled "Chasing Turkeys":

Chasing Turkeys
Travis Barlow, Director of Consulting Services – Atlantic Region, eSentire

During this talk Mr. Barlow will explain how items (i.e. tools, software, etc.) never considered a risk by infrastructure managers, systems administrators, and yes even IT Security Pros can be leveraged by attackers to not only exploit key weaknesses in systems but to exfiltrate data from within an organization.

Sunday, May 15, 2011

Apache Karaf 2.2.1 Released!

The Apache Karaf team is pleased to announce the availability of Apache Karaf 2.2.1.

This release of Apache Karaf is based off of the 2.2.x series branch, representing an update to Apache Karaf 2.2.0. It contains bug fixes identified in the prior release, and introduces improvements including updates to pax-logging, pax-runner, pax-web, jetty, and felix versions. The config commands have been updated, and kar features are now in features-maven-plugin.

To help make the transition from Apache Karaf 2.2.0 to 2.2.1 easier I've put together a table of changed dependencies:

| Karaf Version | 2.2.0 | 2.2.1 |
| --- | --- | --- |
| aopalliance.bundle.version | 1.0_4 | 1.0_5 |
| asm.bundle.version | 3.3_1 | 3.3_2 |
| cglib.bundle.version | 2.1_3_6 | 2.1_3_7 |
| commons-codec.bundle.version | 1.3_3 | 1.3_4 |
| commons-collections.bundle.version | 3.2.1_1 | 3.2.1_2 |
| commons-lang.bundle.version | 2.4_4 | 2.4_5 |
| jasypt.bundle.version | 1.7_1 | 1.7_3 |
| jetty.version | 7.2.2.v20101205 | 7.3.1.v20110307 |
| junit.bundle.version | 4.7_2 | 4.7_3 |
| felix.framework.version | 3.0.8 | 3.0.9 |
| felix.eventadmin.version | 1.2.8 | 1.2.10 |
| aries.blueprint.version | 0.3 | 0.3.1 |
| pax.exam.version | 1.2.3 | 1.2.4 |
| pax.logging.version | 1.6.0 | 1.6.2 |
| pax.runner.version | 1.5.0 | 1.6.1 |
| pax.url.version | 1.2.5 | 1.2.6 |
| pax.web.version | 1.0.1 | 1.0.3 |

For more information please see the release notes.

As discussed in my prior Apache Karaf 2.2.1 preparation post, I enjoyed listening to Hey Rosetta! throughout the release process and was delighted to try the Carpineto Chianti Castaldo 2008 once the release was complete. Now, sadly, I find my carafe empty... hopefully Karaf 3.0.0 will not be too far away :)

Monday, May 9, 2011

Reasons to attend Security BSides St John's 2011 (part 4)

So you've heard about the Security BSides St John's 2011 event and wonder if you'll sign up to attend? Well if you do you'll be able to take in a variety of information security talks from leaders in the field, while having the opportunity to meet other information security practitioners and researchers. In this week's 'Reasons to attend Security BSides St John's 2011' I'm highlighting Jon Anstey's talk entitled "How to secure your Apache Camel Deployment":


How to secure your Apache Camel Deployment
Jon Anstey, Principal Engineer, FuseSource and PMC member of the Apache Camel project.

Apache Camel is an open source Java framework that focuses on making integration easier and more accessible to developers. It does this by providing: concrete implementations of all the widely used Enterprise Integration Patterns (EIPs), connectivity to a great variety of transports and APIs, and an easy to use Domain Specific Language (DSL) to wire EIPs and transports together to form routes.

Interacting with secure services and also hosting secure services is essential in most integration projects. In this session, Jon will go over the four categories of security features in Camel, which include securing: routes, message payload, endpoints, and configuration.

Wednesday, May 4, 2011

Reasons to attend Security BSides St John's 2011 (part 3)

So you've heard about the Security BSides St John's 2011 event and wonder if you'll sign up to attend? Well if you do you'll be able to take in a variety of information security talks from leaders in the field, while having the opportunity to meet other information security practitioners and researchers. In this week's 'Reasons to attend Security BSides St John's 2011' I'm highlighting Adam Mosher's talk entitled "Evasion with anti-forensics":


Evasion with anti-forensics
Adam W. Mosher, Senior Security & Network Consultant, Bulletproof Solutions

Digital forensics investigations are difficult. With the increasingly complex capability of anti-forensics techniques and an endless array of clever software, uncovering evidence has become more sophisticated. Therefore, the need for the forensics investigator to stay abreast of the current threat landscape with regards to anti-forensics techniques and methodology is crucial. The footprint being left behind on evidence, if at all, is growing smaller and smaller.

The following subsections will be explored in depth during the 30 minute presentation:
- What anti-forensics is and what it is not.
  - Encryption on all levels is explored.
- Underground market for anti-forensics.
  - The effectiveness of the anti-forensics subculture.
  - Avoiding detection.
  - Malware as anti-forensics.
- Attacking the forensic investigator.
  - The advancement of disk wiping tools.
  - Attacks against forensics tools.
- Collecting, examining and analyzing bad data.
  - What and where to look for data?
  - Data in unexpected places.