Wednesday, February 12, 2014

Matt Wood & Nick Popovich at BSides Tampa

Sunera's penetration testing team members Matt Wood and Nick Popovich will both be presenting at this week's BSides Tampa security conference!

Nick Popovich is a Senior Consultant on the A&P team, and recently presented at the Shmoocon conference. His talk, Enterprise Active Directory Password Auditing, will be at 2:30 PM in Track 2. Here is the summary:

Most organizations enforce some form of password complexity requirements for their Active Directory (AD) users. They may be required by a compliance vertical, or they are attempting to employ an industry best practice. However, as security consultants, we have observed that not many organizations take the time to audit their Active Directory passwords, and therefore are unaware if their password policy is being enforced, or if it requires enhancement. This talk will detail the process and steps necessary to audit AD passwords using publicly available tools, and provide metrics that can be used to identify common weaknesses in passwords.
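The metrics the talk describes (what share of accounts had recoverable passwords, how many of those violated the written policy, which base words and patterns recur, how much reuse there is) can be computed from the output of an audit once it is done. The following is an added illustration, not material from the talk or from Sunera: it runs over a small constructed set of audit results and an assumed policy (minimum length 8, three of four character classes, like the Active Directory "complexity" setting) and reports the kind of numbers an auditor would hand back to the directory owners.

```python
import re
from collections import Counter

# Constructed sample audit results: (account, recovered password, or None if the
# password was not recovered). Entirely made up for illustration.
AUDIT_RESULTS = [
    ("jsmith",     "Summer2013!"),
    ("agarcia",    "Password1"),
    ("bchen",      "Welcome2014"),
    ("dlee",       "summer2013"),
    ("ekim",       None),
    ("fwong",      "Acme2013!"),
    ("gpatel",     "Summer2013!"),
    ("hnguyen",    None),
    ("svc_backup", "backup"),
    ("ijones",     "Qwerty!2"),
]

MIN_LENGTH = 8           # assumed policy: at least 8 characters
MIN_CLASSES = 3          # assumed policy: 3 of 4 character classes
ORG_TOKENS = ("acme",)   # assumed organization name(s) to look for inside passwords

CLASS_PATTERNS = (
    re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
    re.compile(r"\d"), re.compile(r"[^A-Za-z0-9]"),
)
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}\W*$", re.I)


def meets_policy(pw):
    """True if pw satisfies the assumed length and character-class rules."""
    classes = sum(1 for p in CLASS_PATTERNS if p.search(pw))
    return len(pw) >= MIN_LENGTH and classes >= MIN_CLASSES


def base_word(pw):
    """Strip leading/trailing digits and symbols to expose the dictionary base."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def audit_metrics(results):
    """Summarize an audit result set into policy and weakness metrics."""
    recovered = [(acct, pw) for acct, pw in results if pw is not None]
    passwords = [pw for _, pw in recovered]
    by_password = Counter(passwords)

    return {
        "total_accounts": len(results),
        "recovered": len(recovered),
        "recovered_pct": round(100.0 * len(recovered) / len(results), 1),
        # Recovered passwords that the written policy should never have allowed
        # (typically legacy accounts set before the policy was enforced).
        "policy_violations": sum(1 for pw in passwords if not meets_policy(pw)),
        "season_year": sum(1 for pw in passwords if SEASON_YEAR.match(pw)),
        "org_name": sum(1 for pw in passwords
                        if any(tok in pw.lower() for tok in ORG_TOKENS)),
        # Accounts whose exact password is shared with at least one other account.
        "shared_password_accounts": sum(1 for pw in passwords if by_password[pw] > 1),
        "top_bases": Counter(base_word(pw) for pw in passwords).most_common(3),
    }


if __name__ == "__main__":
    for key, value in audit_metrics(AUDIT_RESULTS).items():
        print(f"{key}: {value}")
```

The `policy_violations` figure is the one that answers the question the abstract raises: if it is non-zero, the configured policy is not actually being enforced on every account. The `top_bases` and `season_year` counts show where user education or a banned-word list would do the most good.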

Matt Wood is a Manager on the A&P team, and is a veteran presenter from conferences such as BlackHat, Source, RSA, and OWASP. His presentation, What's lurking inside the "Real-Time Web"?, will be in Track 2 at 4:30 PM. The talk summary is below:

Increasingly, "real-time" web applications are utilizing new protocols implemented by HTTP clients and servers such as WebSockets and SPDY. This presentation will demonstrate how these new functionalities permit attackers to more effectively and more stealthily establish bidirectional communication with compromised hosts and, in the process, bypass outbound connection restrictions. We will cover the theory, historical techniques, defensive methodologies and new techniques throughout the presentation.

At the heart of these techniques is the ability to establish bidirectional communication channels on top of HTTP connections, which is in stark contrast to the original intent of HTTP. These new channels defeat even the best DMZ traffic policies, which generally disallow all connectivity outbound from the DMZ and only allow certain ports (80, 443) inbound. Attackers have known for many years how to abuse the trusted relationship between web servers (or any exposed service!) and perimeter firewalls (inbound ports). Generally these tricks come at a price and, due to the way these applications functioned, were something that could be detected by a vigilant security team.

We will discuss how attackers can easily bypass outbound firewall rules, the history of these methodologies, and common defensive techniques combating this threat. Furthermore, new techniques will be described that utilize "real-time" protocols; specifically, how these new techniques can create back-channels and simultaneously hide from those vigilant security teams, increase the throughput and reliability of an attacker's "VPN", and arbitrarily direct traffic from the Internet into a DMZ environment.
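One detection angle that follows from the abstract: a WebSocket channel on a DMZ web server begins with an ordinary inbound HTTP request that the server answers with `101 Switching Protocols`, so the handshake is visible in the server's own access log if the log records the response status and the request's `Upgrade` header. The example below is added here and is not from the talk or from Sunera; it assumes a constructed log format (the common log format extended with the `Upgrade` request header and the response duration in seconds) and an assumed allowlist of endpoints where the application legitimately upgrades connections. It flags upgrades on any other path and notes which of those stayed open for a long time.

```python
import re
from collections import Counter

# Assumed log format (constructed for this example):
# client - user [timestamp] "METHOD path HTTP/x" status bytes "upgrade-header" duration_s
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<upgrade>[^"]*)" (?P<duration>\d+(?:\.\d+)?)$'
)

# Endpoints where the application is expected to upgrade to WebSocket (assumed).
EXPECTED_WS_PATHS = {"/chat/ws"}
LONG_LIVED_SECONDS = 600  # assumed threshold for a "long-lived" upgraded session

# Constructed sample log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2014:14:31:02 -0500] "GET /index.html HTTP/1.1" 200 5123 "-" 0.012
203.0.113.10 - - [12/Feb/2014:14:31:05 -0500] "GET /chat/ws HTTP/1.1" 101 0 "websocket" 842.3
198.51.100.7 - - [12/Feb/2014:14:40:17 -0500] "GET /images/logo.png HTTP/1.1" 101 0 "websocket" 7201.9
198.51.100.7 - - [12/Feb/2014:15:02:44 -0500] "GET /cgi-bin/status HTTP/1.1" 101 0 "websocket" 3.4
192.0.2.55 - - [12/Feb/2014:15:10:00 -0500] "POST /login HTTP/1.1" 302 0 "-" 0.201
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_upgrade(entry):
    """A handshake is an upgrade if the server switched protocols or the client asked to."""
    return entry["status"] == "101" or entry["upgrade"].lower() == "websocket"


def find_suspicious_upgrades(log_text):
    """Return alerts for protocol upgrades on paths that should not serve WebSockets."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_upgrade(entry):
            continue
        if entry["path"] in EXPECTED_WS_PATHS:
            continue  # legitimate application endpoint
        reasons = ["unexpected_endpoint"]
        if float(entry["duration"]) >= LONG_LIVED_SECONDS:
            reasons.append("long_lived")
        alerts.append({"client": entry["client"], "path": entry["path"],
                       "ts": entry["ts"], "reasons": reasons})
    return alerts


def clients_by_alert_count(alerts):
    """Rank source addresses by how many suspicious upgrades they opened."""
    return Counter(a["client"] for a in alerts).most_common()


if __name__ == "__main__":
    found = find_suspicious_upgrades(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["client"]} {a["path"]} {",".join(a["reasons"])}')
    print(clients_by_alert_count(found))
```

Logging the `Upgrade` header is the prerequisite; a default combined-format log shows only the `101` status, which is enough for the status check but not for catching a failed or proxied handshake. The allowlist is deliberately strict: a web server in a DMZ should have a known, short list of endpoints that ever switch protocols, and anything else answering `101` deserves a look.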