[Owasp-orlando] Thu Oct 29 Meeting Announcement

Adrian Pastor adrian.pastor at owasp.org
Tue Oct 27 15:06:01 UTC 2015

Hello all,

We just wanted to let you know we will be holding our next meeting on Oct 29 at 5 PM in HD Supply. Free food and drinks will be provided! We'll have two amazing presentations on reverse-engineering Android applications and attacking cryptographic libraries.

Register at http://meetup.com/owasp-orlando

Details are posted below:

Location & Parking
The meeting is free to attend and will take place from 5 PM to 7:30 PM. The location will be kindly provided by HD Supply. Parking is free in the dirt lot on the north side of Pine St.

Location Details
HD Supply
501 W Church St
Orlando, FL

Guest Speakers
Reverse Engineering Android Applications for Pride and Glory - Ben Watson
This presentation will serve as an introduction for those who want to dive into the art of reverse engineering Android applications and firmware. We will explore the inner workings of the Android architecture, traverse the landscape of reverse engineering tools and techniques, and propose some practical methodologies and workflows for all your bug hunting needs.

Ben Watson has over 7 dedicated years in application and mobile security. Prior to joining GuidePoint Security, Ben has been solving mobile & application security problems for cutting edge companies in the financial services, eCommerce, and medical industries. Often Ben has been sought after for building application security programs from the ground up. This is due to his experience in not only developing testing methodologies, tools, and techniques, but his understanding and perspective around what it requires to build secure products. Ben has managed and led efforts in large mobile application security service initiatives, and is also an experienced mobile security researcher. He currently focuses his efforts around discovering new exploitable vulnerability patterns in Android and iOS. He also has multiple published zero-day vulnerabilities affecting various Android web browsers, and is the creator and curator of the Android assessment toolkit called Lobotomy.

Do Your Own Highly Successful Five-minute Cryptography Evaluations - Scott Arciszewski
From web frameworks to encrypted chat applications to contactless smartcards, our industry is filled with people who deploy home-grown cryptography. The result of this choice is usually catastrophic. Even if you're using good primitives from well-studied libraries, how you utilize them can completely defeat the security they provide. Clearly, rolling your own cryptography is a bad idea; but how do you assess the libraries that others have written? The following implementations will be scrutinized:

•	OpenCart's Encryption library (ECB mode, no MAC)
•	Tutanota's messaging app (CBC mode without a MAC)
•	Mifare Classic's Proprietary Stream Cipher (aside from the 48-bit key, this cipher is incredibly unsound)
•	Defuse Security's PHP Encryption Library (safe, for reasons I will explain)
•	Libsodium - crypto_box() (safe, for reasons I will explain)

Before winning the password hashing category of the Underhanded Crypto Contest at the Crypto & Privacy Village at DEFCON this year, Scott spent years studying how to make real-world cryptosystems fail in useful ways for attackers, from timing side-channels to padding oracles and random number generator failures. Scott leads the software development efforts for, and audits clients' cryptography products on behalf of, the Orlando-based technology consulting firm, Paragon Initiative Enterprises.

5:00 PM - 5:30 PM Arrive at HD Supply
5:30 PM - 6:30 PM Reverse Engineering Android Applications for Pride and Glory by Ben Watson
6:30 PM - 7:30 PM Do Your Own Highly Successful Five-minute Cryptography Evaluations by Scott Arciszewski

Adrian Pastor
OWASP Orlando Chapter Co-Leader
linkedin.com/in/adrianpastor @pagvac
