[Owasp-bayarea] OWASP Bay Area Meetup on 2/21

Garrett Gee list at srtek.org
Sun Feb 24 14:10:17 EST 2008

The slides for both presentations are now online at 

Garrett Gee wrote:
> Greetings IT Professionals,
> OWASP Bay Area will host its next meeting at Robert Half International
> on Thursday, February 21st.  As usual attendance is free and food and
> beverages will be provided.  This will be an awesome event and a great
> opportunity to network with industry peers.  The event is open to the
> public; please forward this invite to your colleagues and friends who
> are interested in computer and application security.
> Agenda and Presentations:
> 6:00pm - 6:30pm ... Check-in and Reception (food & beverages)
> 6:30pm - 7:15pm ... Your Client-Side Security Sucks. Stop Using It. –
> Kurt Grutzmacher
> 7:15pm - 8:00pm ... NTLM attacks and countermeasures - Eric Rachner
> 8:00pm - 8:30pm ... Networking Session
> Venue:
> Robert Half International
> 5720 Stoneridge Dr
> Pleasanton CA 94588
> Your Client-Side Security Sucks. Stop Using It.
> Presented by: Kurt Grutzmacher
> Abstract: Browser-based security has been used for many years to
> 'protect' back-end systems from attack or to enhance the user
> experience. This should not be your only protection and can even open
> your application to business logic flaws that scanning tools can not
> detect nor report upon! This talk will show some real world examples
> of client-side security and the failures they introduced. Business
> logic flaws such as the MacWorld Expo Platinum Pass will be examined
> in depth.
> Bio: Kurt Grutzmacher has been performing Penetration Testing for a
> "very large financial institution" for nearly a decade and recently
> moved to a "very large utility company" to start their internal
> testing program. For two years in a row he has exposed the methods
> required to obtain free Platinum Passes to MacWorld and is hoping
> they'll get it right the third time; he's tired of explaining it to
> them. Kurt contributes to the Metasploit project occasionally and is
> currently working on enhancing the project's support for NTLM in
> web-based attacks. He also randomly blogs at
> http://grutztopia.jingojango.net/ -- very randomly.
> NTLM attacks and countermeasures.
> Presented by: Eric Rachner
> Abstract: Eric will demonstrate the NTLM relay attack, in which an
> attacker accesses arbitrary web sites and file shares using the
> credentials of any user who can be lured into visiting the attacker's
> web site. Since NTLM is enabled by default as part of the Windows
> integrated authentication protocol suite, this attack is a potential
> concern in any enterprise where Windows is widely used.  Following the
> demonstration, we will explore the history and mechanics of the attack,
> as well as mitigation options.
> Bio: Eric Rachner is a security researcher and lead consultant
> specializing in threat analysis, vulnerability assessment and
> penetration testing of complex mission-critical applications and
> systems.  Mr. Rachner began his career in IT at Microsoft in 1994.  As a
> senior member of Microsoft's Security Team, Eric led several projects
> including application penetration testing, code reviews, design reviews
> and security awareness training for internal application teams
> throughout Microsoft's global IT organization. In 2005, Eric became an
> independent security consultant and researcher providing services to
> large global enterprises in North America and Europe.  Away from the
> office Eric has many hobbies; he also participated as a core member of
> the hacking team that won the prestigious "Capture the Flag" contest at
> Def Con three years in a row.
> Please RSVP at http://owaspfeb2008.eventbrite.com
> Special thanks to Robert Half International for hosting this event and
> to Cenzic and AppSec Consulting for sponsoring.
> _______________________________________________
> Owasp-bayarea mailing list
> Owasp-bayarea at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-bayarea
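For readers who could not make it, the following is an added example (not from the announcement, and not Eric Rachner's or Kurt Grutzmacher's material) that models the relay described in the NTLM abstract: a browser does Windows Integrated authentication against the attacker's site, and the attacker opens its own connection to the real target and shuttles the three NTLM messages through untouched. The NTLMv2 arithmetic (NTOWFv2, NTProofStr, the temp blob and AV pairs) follows MS-NLMP and MD4 is implemented inline because many OpenSSL 3 builds of hashlib no longer provide it; the transport, the TLS certificates (plain byte strings such as b"cert:evil.example") and the channel-binding derivation are simplified stand-ins, the user "alice"/"CORP"/"Winter2008!" and the server names are constructed, and the Server holds the NT hash directly where a real member server would consult a domain controller. The mitigation shown is channel binding: the client binds its response to the TLS endpoint it is actually talking to, so a response relayed from the attacker's TLS endpoint fails at the target even though the proof itself is correct.

```python
import hashlib, hmac, os, struct, time

MSV_AV_NB_COMPUTER_NAME, MSV_AV_CHANNEL_BINDINGS = 0x0001, 0x000A  # AvId values from MS-NLMP


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because OpenSSL 3 builds of hashlib usually lack it."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, message-word order, shift table)
        (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X, (a, b, c, d) = struct.unpack("<16I", msg[off:off + 64]), h
        for f, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a, b, c, d = d, _lrot((a + f(b, c, d) + X[w] + k) & 0xFFFFFFFF, shifts[i % 4]), b, c
        h = [(v + u) & 0xFFFFFFFF for v, u in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def channel_binding(tls_cert: bytes) -> bytes:
    """Simplified tls-server-end-point binding: a digest tied to the TLS peer's certificate.
    Real EPA hashes a gss_channel_bindings_struct; the property (bound to the endpoint) is the same."""
    return hashlib.md5(b"tls-server-end-point:" + hashlib.sha256(tls_cert).digest()).digest()


def encode_av_pairs(pairs: dict) -> bytes:
    return b"".join(struct.pack("<HH", k, len(v)) + v for k, v in pairs.items()) + struct.pack("<HH", 0, 0)


def parse_av_pairs(buf: bytes) -> dict:
    out, i = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", buf, i)
        i += 4
        if av_id == 0:  # MsvAvEOL
            return out
        out[av_id] = buf[i:i + av_len]
        i += av_len


class Client:
    """Browser doing Windows Integrated auth: answers whatever challenge its TLS peer presents."""
    def __init__(self, user, domain, password):
        self.user, self.domain, self.key = user, domain, ntowf_v2(nt_hash(password), user, domain)

    def respond(self, type2: dict, peer_cert: bytes) -> bytes:
        """NtChallengeResponse = NTProofStr || temp (MS-NLMP 3.3.2); peer_cert is whoever we really talk to."""
        av = encode_av_pairs({MSV_AV_NB_COMPUTER_NAME: type2["target"].encode("utf-16-le"),
                              MSV_AV_CHANNEL_BINDINGS: channel_binding(peer_cert)})
        filetime = struct.pack("<Q", int((time.time() + 11644473600) * 10_000_000))
        temp = b"\x01\x01" + b"\x00" * 6 + filetime + os.urandom(8) + b"\x00" * 4 + av + b"\x00" * 4
        return hmac.new(self.key, type2["challenge"] + temp, hashlib.md5).digest() + temp


class Server:
    """Target web server. Holds the NT hash for the demo; a real member server would ask a DC over Netlogon."""
    def __init__(self, name, tls_cert, nthash, require_cbt):
        self.name, self.cert, self.nthash, self.require_cbt = name, tls_cert, nthash, require_cbt

    def challenge(self) -> dict:  # CHALLENGE_MESSAGE (Type 2), reduced to the fields used here
        self._chal = os.urandom(8)
        return {"target": self.name, "challenge": self._chal}

    def authenticate(self, user, domain, type3: bytes) -> bool:
        proof, temp = type3[:16], type3[16:]
        expected = hmac.new(ntowf_v2(self.nthash, user, domain), self._chal + temp, hashlib.md5).digest()
        if not hmac.compare_digest(proof, expected):
            return False  # wrong password or tampered response
        if self.require_cbt and parse_av_pairs(temp[28:]).get(MSV_AV_CHANNEL_BINDINGS) != channel_binding(self.cert):
            return False  # valid proof, but computed for a different TLS endpoint: a relay
        return True


def relay(client: Client, target: Server, attacker_cert: bytes) -> bool:
    """The attacker's site: the browser talks TLS to attacker_cert, the attacker talks to the target,
    and the three NTLM messages pass through untouched; the attacker never sees password or hash."""
    type2 = target.challenge()                    # attacker->target NEGOTIATE; target->attacker CHALLENGE
    type3 = client.respond(type2, attacker_cert)  # attacker->browser CHALLENGE; browser->attacker AUTHENTICATE
    return target.authenticate(client.user, client.domain, type3)  # attacker->target AUTHENTICATE


def demo() -> tuple:
    """Returns (relay vs. plain server, relay vs. CBT-enforcing server, legitimate login with CBT)."""
    alice = Client("alice", "CORP", "Winter2008!")  # constructed sample user
    intranet_cert, evil_cert = b"cert:intranet.corp", b"cert:evil.example"  # stand-ins for TLS certs
    plain = Server("INTRANET", intranet_cert, nt_hash("Winter2008!"), require_cbt=False)
    hardened = Server("INTRANET", intranet_cert, nt_hash("Winter2008!"), require_cbt=True)
    legit = hardened.authenticate("alice", "CORP", alice.respond(hardened.challenge(), intranet_cert))
    return relay(alice, plain, evil_cert), relay(alice, hardened, evil_cert), legit
```

demo() returns (True, False, True): the relay succeeds against the plain server, is refused by the server that enforces channel binding, and the legitimate user still logs in. Channel binding only covers the HTTPS case from the abstract; for the file-share half the analogous control is mandatory SMB signing, and neither helps a server that will accept an unbound response, which is why the enforcement flag on the server side matters as much as the client sending the binding.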
