OWASP Malicious Code Injection and Privacy
Last night I went to a local OWASP chapter meeting on two topics: malicious code injection and online privacy. Both topics scared the bejesus out of me and I've been completely obsessed with locking down computers all day today. In fact, my poor boss had to listen to quite a long rant on the subject this morning. It's lucky that he's interested in security, too.
First off, I want to say that the local chapter here is doing a great job of setting up meetings and finding interesting speakers. This meeting was combined with the San Francisco chapter and was held at the eBay offices. In fact, the plan is for all future meetings to be combined. They had a free meal for everyone, which was quite nice and they didn't forget about vegetarians, either. That included assorted beverages and beer, too. They also had free t-shirts: OWASP shirts, and the moderator of the privacy panel had shirts from his company to give away. It was a great deal from the standpoint of freebies.
The speaker presenting the malicious code injection had quite simple slides. The real impact was in the words he said, which can probably be summed up as "be very, very careful - you can never be too careful". He had an example online banking site as the victim of his XSS exploits. He didn't have time to cover everything, and so he pointed everyone to the infamous RSnake XSS Cheat Sheet. That wasn't the first time that's been mentioned at OWASP meetings, but probably it can never be mentioned enough. The bits that struck me the most about the presentation were the talk about SSL proxying, his comments that rootkits are so sophisticated nowadays that no one can detect them, and his closing statement that he wipes his OS probably about every two weeks and reinstalls - that's how paranoid he's become - the expert! Yikes!
Then we were on to a panel discussion about online privacy. I actually thought it was going to be boring and was plotting my escape, but I was so wrong. The panelists were great. The questions were mostly driven by the audience, and many kept going back to the Electronic Frontier Foundation lawyer (whose name I didn't write down, and it's not listed on the OWASP website). He was fascinating to listen to. The other panelists were great, too. I especially enjoyed the points of view raised by Larry Pingree of Safeway and a very knowledgeable gentleman from Kaiser Permanente. The main bit of information I took away is this: don't ever give any more information to anyone than you absolutely have to, and especially don't give it out to anyone not in the United States (this was from the perspective that we were in the US, of course), because as much as we may complain about invasions of our privacy here, we have it the best here of anywhere else in the world.
Overall, it was a great meeting, 5 thumbs up. Now I have to go lock down some more computers. Hmmm, maybe I could convince the neighbors to let me in to tweak theirs just a little...