Friday 26 March 2010

Back from RootedCon 2010

I know, I didn't write anything about the Rootedcon as I promised last week but following the congress I came up with some new ideas and I have been busy coding them.

I don't know how to describe the congress. Simply amazing is a good approach. I met a lot of fantastic people and saw a lot of friends again. And, of course, we talked and learnt about security, so what more can I ask for?

The first day (the Thursday) we had some less technical sessions about how to start a career as a pentester and the actual situation of the national (Spanish) security. We also received a very interesting speech about computer forensics. The day ended in a pub near the congress place, talking with the speakers and meeting people I only know from the Internet.

Friday was a very intense day. The most technical sessions took place on this day. Also the CTF (Capture The Flag) tournament started. It was a shame that I was unable to participate, but I didn't want to miss any of the sessions, maybe next year! ;) We saw some 0-day exploits in the conferences: one for airodump, another for a support ActiveX program widely used in some big companies such as Telefonica and Symantec, and others for the Oracle Financials 12. The most technical speech was the presentation of the Radare2 tool. Very low level programming and high level concepts which were difficult for me to understand. I'll try to download it and understand better how it works and how to use it.

On the last day the sessions were very interesting too. Android forensics, metadata security, cryptography, botnets and one about hackers in the comics too! It was a very good mix of themes to finish the event. Also we had dinner with almost all the speakers so we kept talking about security even after three days. After dinner we went to a party but I'm not going to comment on this... ;)

I have to admit that after the congress I was really tired but also shocked! I met all these incredible people who know a lot about security, making me realise that I need to keep studying and researching because there are more things out there than I can imagine... and I want to learn them all!


P.S. I'll try to add the slides of the rest of the talks when they release them. They released the slides today and you can see them online at Slideshare.

Thursday 18 March 2010

Rooted Con 2010

I'm in Madrid today, at the first Rooted Con conference. It is going to be in Spanish only but I'll try to post a small report of all the things they show here.

The release of two 0-day bugs is planned. One in the Oracle Financials 12 software and the other in an undetermined software. I'll post more details about them :)

We are also going to have other great talks about well-known pentesting tools. One of them is going to be about the release of Wifislax 4.0 by Sergio Gonzalez. It's a live-CD Linux distribution focused on wifi network intrusion testing and I'm expecting great work and for sure some new functionality.

Another tool to be released is Foca 2.0. Foca is a fingerprinting tool to map a company network using the metadata included in the documents all companies offer on their websites. In this second version they integrated it with the Shodan search engine and the option to perform a DNS zone transfer attack. I know the people behind this tool very well and I know it is going to be an impressive release :)

But not everything is going to be new tool releases; we are also going to have talks about other topics like forensics, rootkits and the hacker's world in comics! It looks to me like a very complete conference.

I have to leave you now because the first talk is going to start...

Monday 15 March 2010

2010 CWE/SANS Top 25 Most Dangerous Programming Errors

A few weeks ago a new version was released of the "Top 25 Most Dangerous Programming Errors" list of coding bugs that MITRE and SANS released last year. This new version comes with a better layout for a better understanding of the risks and the remedies, and focuses on the identification of the problem.

From my point of view, the table which defines the weaknesses by language is very interesting. I miss the presence of ASP.Net in this list but it can be equated to JSP in most cases. In my experience as a web pentester I have my own "personal ranking" of insecure web applications. From the most commonly secure applications to the least, they are:
  1. ASP.Net
  2. JSP
  3. Perl/Python
  4. ASP
  5. PHP
This is not a fact! It's only based on my personal experience in my years of web security testing. I'm open to discussing this ranking ;)

I'm also impressed to see how many of these coding bugs are specifically related to the web (or mostly associated with web applications). Web applications are becoming more popular every day (they are already) and with the rise of cloud computing they are going to become more and more popular, even for intranet applications.

Documents like this help developers to build more secure applications and application testers to better identify and document these bugs that make our days :) Enjoy reading!

Wednesday 3 March 2010

Testing and virtual machines

Sometimes I need to test a specific software version or make a custom machine for a specific purpose, like developing in a particular language. Until now I used my personal machine for it, but today I have discovered something that I'm planning to adapt to my day-to-day.

I was a bit lazy about creating virtual machines because I need to download a whole CD image, install it and later configure it. Today I discovered the TurnKey Linux website. They have a lot of virtual machines and ISO images of preconfigured Linux machines. They are based on Ubuntu 8.04 Server LTS so I have a platform I'm familiar with and very cool (and secure!) preconfigured options.
Well, maybe I'm being a bit enthusiastic but the LAMP machine looks really good in my initial tests. I'm planning to give a try to other machines too, like the Ruby On Rails machine or the Revision Control one.

These machines give me the ability to create fresh machines from scratch with a lot of dirty work already done. And I love it :)

If you are looking for more complex machines for testing you can find some preconfigured web security testing machines. They allow you to play with some vulnerable web pages and measure your skills without breaking the law.
And that is all for today, I have some things to test... ;)