In this talk, Jon will be hating on Linux kernel security, giving an overview of the highlights and lowlights of Linux kernel security last year and presenting some sexy new techniques to bypass popular kernel protection mechanisms.
SmartMeters: Are they a gateway drug? A GrrCon 2011 talk by Robert Former.
In the information security business, it seems you can’t open a journal or blog site without being inundated with articles about SmartMeters and AMI. There is a lot of speculation and FUD on this topic. There are claims of wormable code and full carnal pwnage. What are the facts? What can you really do to hack a meter, and what does that gain you? This talk will examine the vulnerability points of a typical meter and the systems that support it. Will you be able to hack a meter by the end of this talk? Maybe, maybe not. It depends on how smart you are I guess. What you WILL get out of this talk is a sense of the security realities that adding two-way communication and shutoff switches to the meter on the side of your house brings, along with the ability to tell if the talking head on is full of sh*t or not. Oh yes, I’ll also be poking fun at the Tin Foil Hat crowd. If you don’t know who that is, come to the talk.
It’s Vulnerable… Now What? Three Tales of Woe and Remediation. A GrrCon 2011 talk by Mark Stanislav.
Very few people in IT have the distinction of being considered a “security researcher” by title alone. Despite that designation, many of us run across security vulnerabilities every day and sometimes just go “ah, someone should report that!” rather than taking the initiative to wear the security researcher hat and handle it ourselves. In this presentation I will cover three diverse situations of vulnerabilities that I ran across and how I went about getting them remediated. Situations include: a PII/PHI vulnerability in a SaaS application with 90,000 affected users; an open-source CMS SQL injection vulnerability (CVE-2010-4006); and a client’s web site that was riddled with vulnerability from a contractor’s poor programming practices. If you’ve wondered what you as a system administrator, web developer, or general IT enthusiast should do in these kinds of situations, come hear real stories and learn from my actions and related mistakes! Learn about requesting a CVE, contacting vendors, 0-day vs. vendor-friendly disclosure, and more. The presentation will feature code snippets/exploitation of each vulnerability and include screenshots (where allowed) of the situations.
November’s MiSec meeting will be held on Thursday, November 17th, at 7pm.
What makes cloud computing insecure? It comes down to web app software defects or insecure networking. In this month’s talk, Mark Stanislav discusses how poor web programming is ruining Information Security, and what it means when all our apps are in the cloud.
We will also have a cloud round table discussion. Come on out and join in.
August’s MichSec meeting will be held on Thursday, August 18th at 7pm. J Wolfgang Goerlich will be giving a preview of his GrrCON talk: How asteroids falling from the sky improve security. Rattis will get us into some locksport as well.
Please either contact us through email (email@example.com) or log into our IRC Channel for the street address and any other questions you may have about attending.
August’s MichSec meeting will be held on Thursday, August 18th at 7pm. We are still not publishing the address publicly on the website (this is not done for any kind of exclusionary motive, only because of the nature of the meeting site), so please either contact us through email (firstname.lastname@example.org) or log into our IRC Channel.
We are still in need of a presenter for this month, so if you are interested please get in contact via the above email address or via the channel.
Thanks to all those who attended our inaugural meeting. We had a very productive discussion around goals for the organization as well as the members’ backgrounds. A technical presentation by Josh Little (ZTango) on the foundation of the HTTP protocol was also given.
We’re looking into streaming and/or recording future meetings so that members who could not attend can participate with the group. More info on this as it becomes available.
Our July (and first) meeting will take place on July 21st at 7pm at a location in Royal Oak, MI. For exact location details, we ask that you contact us either through email (meetings AT michsec.org) or ask in IRC.
Agenda for this month’s meeting includes:
Roundtable about expectations for MichSec
Technical presentation – Introduction to HTTP for Security Professionals by ZTango
MichSec.org was born out of the community discussions from BSides Detroit. As part of the last talk on Friday, Dug Song started a conversation on ethics in the security world. This talk morphed through conversations on mentoring, community, and the security scene in Michigan. While Ann Arbor is home to several security user groups and the Metro Detroit area hosts several of the large professional organizations, it was suggested that a group that held to the spirit of the BSides movement would be a welcome addition. Thus the #misec IRC channel was formed.
While IRC is great and all, the community and camaraderie of face-to-face can’t be beat. Thus the monthly MichSec meetings were formed. MichSec.org is the central information house for all things going on with the MichSec meetings and #misec. Check out our meetings page for more information on our next gathering.