[Owasp-austin] Austin OWASP invites you to Supercharged Password Cracking Techniques - Austin... (Feb 22, 2011)

Austin OWASP invite at eventbrite.com
Fri Feb 18 09:00:23 EST 2011


We hope you can make it!

Cheers,
Austin OWASP

------------------------------ 
Event Summary:
------------------------------ 

Event: Supercharged Password Cracking Techniques - Austin OWASP Meeting
Date: Tuesday, February 22, 2011 from 11:30 AM - 1:00 PM (CT)
Location: National Instruments - Conference Room 1S13
11500 North Mopac Expwy
Building C
Austin, TX 78759

------------------------------ 
Event Details:
------------------------------ 

When: February 22, 2011, 11:30am - 1:00pm

Topic: Supercharged Password Cracking Techniques

In the past 2-3 years there have been many important discoveries/releases in the world of password cracking. Between massive password leaks (like RockYou, Gawker, etc.) and the release of many free tools that take advantage of the processing power of GPU cards, there are many new techniques/tools/tricks that security professionals should be taking advantage of while cracking passwords. But the tools you download (like John the Ripper) do not take advantage of this by default.

Over the past 12 years, Rick has been collecting password hashes from various large corporations (during authorized penetration tests). For years now, he has been cracking these passwords and discovering more and more patterns that users are using. But the majority of password cracking tools out there (such as John the Ripper, L0phtCrack, etc.) do not take advantage of these "human weaknesses" in password creation. So far Rick has cracked almost 4 million hashes from inside corporate America, and an additional 5+ million from sources over the Internet.

During this talk Rick will cover the current state of password cracking by walking the attendees through a PWDUMP output file (containing 49,000+ real "complex" NTLM passwords) and showing how the default rule-set provided by John the Ripper can be improved to crack tens of thousands of additional passwords. Wordlists/dictionaries will be shared that can help you better crack passwords (these wordlists were created based on what users are _actually_ doing in Fortune 500 environments). New "rules" will be given out that were created to specifically attack the patterns that users are choosing.

This is relevant to OWASP because the applications we are developing/securing almost always have logins and passwords that protect them. But, unlike operating systems, our web applications do not usually have strict password requirements that users have to meet in order to create an account. We do this so as not to scare away users, but we are placing our OWN systems at risk.

Even now, sites like Google/Twitter/Facebook only warn the users about poor passwords, or have a list of 500 passwords that are not allowed. This will _not_ be the case in 10 years. Let's address this problem now.

The only way to address the problem is to first become aware of how bad our users are at choosing passwords, and what we can do (as developers or security professionals) to help protect our users from themselves.

Who: Rick Redman (KoreLogic)

During his 12 years as a security practitioner, Rick has delivered numerous application and network penetration tests for a wide range of Fortune 500 and government clients. He serves as KoreLogic's subject matter expert in advanced password cracking systems and coordinated the "Crack Me if You Can" contest at DefCon 2010. Additionally, Rick presents at a variety of security forums such as the Techno-Security Conference, ISSA chapters and AHA (Austin Hackers Anonymous). Rick also provides technical security training on topics such as web application security, and delivers web application security training to management, developers and security staff. Rick has served as a member of a penetration testing tiger team supporting Sandia National Laboratories. Mr. Redman is a graduate of Purdue University with a degree in Computer Science from the COAST/CERIAS program under Eugene Spafford. Rick started performing application layer security tests of applications in 2000, before inline web-proxies existed.

Where: National Instruments, 11500 N Mopac, Building C, which is the tallest building on campus (8 levels). There will be signs posted in the lobby to direct you where to go, and the receptionists will be able to assist you as well. See directions to National Instruments.

Cost: Always Free



------------------------------ 
Register Online:
------------------------------ 

More information and online registration are available here:
http://www.eventbrite.com/event/1338578725/?ref=enivte&invite=NzM5MzAxL093YXNwLWF1c3RpbkBsaXN0cy5vd2FzcC5vcmcvMA%3D%3D%0A
