Monthly Archives: September 2013

DerbyCon 2013 Wrap Up

Another year and another awesome conference put on by Dave Kennedy and his team. DerbyCon never lets us down and is getting better every year. This year also brought in training classes before the conference, which were an excellent addition. Kevin and James taught the Assessing and Exploiting Mobile Applications with OWASP MobiSec class, and the feedback on it was great. Two days of working with mobile testing is always a good time. Throw in these two instructors and it gets even better.

In addition to the training, there were a lot of great talks.   If you were not able to attend the talks, they are all recorded.   I will include links to the ones that are up at the time of this post.  The rest should be up soon.

Kevin and James did their talk about testing SharePoint servers.   In addition, we have some cool new tools that will be released soon to help with assessing these servers.  The full talk can be seen at  The tools will be released under both and

John Strand from Black Hills Information Security did another excellent talk regarding the ADHD project.  For those that don’t know, ADHD is an Active Defense distribution and John does a great job explaining what Active Defense really is.

Tim Tomes from Black Hills Information Security did some great demonstrations regarding the recon-ng project.  This talk can be found at

Tom Eston and Spencer McIntyre from Secure State did a talk about exploiting the Microsoft Dynamics application. The talk included some cool demos of how they could use Metasploit modules to manipulate the Dynamics server.

This is just a small sampling of the talks that were available. One of the great things about DerbyCon is that it brings in many, many well-known speakers. The time spent is well worth it, as you also get a chance to hang out with friends you don’t normally get to see throughout the year.

The Secure Ideas team has also done a podcast talking about their experience at DerbyCon which you can listen to at

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at or visit the Secure Ideas – Professionally Evil site for services provided.

Professionally Evil: Self Inflicted Injury at Vendor’s Request

It’s unfortunate, and still too common, to find administrative interfaces exposed and configured with default passwords. In some cases it doesn’t matter what else you might find, like some sexy injection vulnerability; if I can access your administrative controls and gut your infrastructure, it’s game over and a resume generating event for… Continue Reading

We Can’t Rely on the Browser for Protection

A large part of doing security consulting is providing proper mitigations and recommendations to our clients. Sure, the testing is the exciting part, but it is the recommendations that are going to have the greatest impact on our clients’ security. It is our goal to help make the security posture better, not set a record… Continue Reading

When the flood is going to come…

Most everyone in the U.S. is aware that it’s not uncommon for the Mississippi River to flood in the spring. Even though the river has a series of locks and dams, they are intended for navigation, not flood control. In fact, back in the days of Mark Twain there were spots in the Mississippi River… Continue Reading