JW Network Consulting » open source

UTOS 2009 Presentation Resources

Jason — Thu, 08 Oct 2009 05:27:40 +0000

On Friday October 9th at 12:00 PM I will be speaking at the Utah Open Source Conference on how to put together a kit of security tools using open source software. I discuss a fictional company that we work at and some of the things that we can put in place to help secure the environment and handle some of the requests that get thrown our way. The slides can be downloaded here. I hope to have video of the presentation up later.

Here are the apps I cover and where you can got to get more information on them. I’ve also got some community resources to go check out.

Network Security and Monitoring
Nmap – http://nmap.org/
OpenVAS – http://openvas.org/
Snort – http://www.snort.org/
Emerging Threats – Snort rules – http://www.emergingthreats.net/
BASE – http://base.secureideas.net/
Sguil – http://sguil.sourceforge.net/
OSSEC – http://www.ossec.net/
Kismet – http://www.kismetwireless.net/

Web Security
Nikto – http://www.cirt.net/nikto2
Log Analysis – http://www.loganalysis.org
PHPIDS – http://php-ids.org/
ModSecurity – http://www.modsecurity.org/

Penetration Testing
WebGoat – http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Mutillidae – http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Hacme Bank, Books, etc – http://www.foundstone.com/us/resources-free-tools.asp
Paros – http://www.parosproxy.org/
WebScarab – http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Burp Suite – http://portswigger.net/suite/
Privoxy – http://www.privoxy.org/
Tor – http://www.torproject.org/
w3af – http://w3af.sourceforge.net/
Beef – http://www.bindshell.net/tools/beef/
Metasploit – http://metasploit.com/
Backtrack - http://www.remote-exploit.org/backtrack.html
SamuraiWTF- http://samurai.inguardians.com/

Forensics
Caine – http://www.caine-live.net/
Deft Linux – http://www.deftlinux.net/
Helix – http://www.e-fense.com/

Etc…
Top 100 Security Tools - http://sectools.org/

Podcasts
Pauldotcom – http://pauldotcom.com/
Exotic Liability – http://exoticliability.com/
Securabit – http://www.securabit.com/
CyberSpeak (forensics) – http://cyberspeak.libsyn.com/

Community Groups
ISSA – http://www.issa-utah.org/
OWASP – http://owasp.org/
Hack SLC hacker space – http://www.hackslc.com/forum/latestnews.php
Defcon – http://defcon.org/

Technorati Tags: open source, security tools, utos 2009, utos presentation

New Open Source Project Created – Reconnoiter

Jason — Wed, 16 Sep 2009 05:07:03 +0000

Earlier this month I decided to take the scripts for username generation and roll them into an open source project. There were a couple of reasons for doing so. First, I needed source control hosting and SourceForge provides that for free as long as you release the project to the public. Second, I want to expand the scope of it to go beyond what I’ve done so far. It’s great that people have found these scripts useful, but its hardly rocket science. This should give me some more room to explore and share with others.

If you would like to check out the project, you can search for “Reconnoiter” on sourceforge.net or you can just follow this link:

http://sourceforge.net/projects/reconnoiter/

One last note. There are some changes in the 0.2 release of Reconnoiter that may be useful. I found a nasty bug in the Yahoo script that needed to be fixed badly. That’s been done and committed to the release. Last, I made the output a lot more useful. There was no filtering at all for results that included HTML code in them. This caused some obviously bad usernames. Unless you logged in as “jwood” often. To help with that I’ve added some filtering which should improve the quality of the results. Enjoy!

Technorati Tags: open source, penetration testing, web app security

Speaking at the 2009 Utah Open Source Conference

Jason — Tue, 15 Sep 2009 16:53:32 +0000

Last month I sent the Utah Open Source Conference a proposal for a presentation on “Building an Open Source Security Tool Set“. Presentations are voted on by the registered attendees and the other folks who have submitted a presentation. When I was making my votes, I saw that there were a lot of great abstracts. In fact, there were a lot of abstracts period. Because of this, I really didn’t expect to get selected. Turns out I was wrong!

I received word on September 3rd that my presentation was accepted and that I will be speaking at the Utah Open Source Conference. The current time scheduled is on October 9th at 12:00 PM. Here is my description of the proposal.

If you want to build out a kit of commercial security tools, bring a big bank account to pay for it. Not only that, you’ll find that there are still gaps in your setup that need to be filled. What do you do if you have a finite budget (who doesn’t?) or have no budget? Does testing your security require a fat wallet? Fortunately, no.

In this presentation I’ll go over a number of open source security tools, what they do and where you can get them. Individual tools will be discussed as well as Live CDs which have a collection of the tools all together.

I’m very excited to have been selected to give this presentation. It should be a lot of fun and I hope it will be useful to those in attendance. I’m trying to have some goodies for the attendees, but I’m not sure how many I’ll need. We will see.

You can register for the conference using the UTOS 2009 banner on the right or you can use the link below. Hope to see you there!

http://register.utosc.com/utoscreg/

Technorati Tags: open source, security tool, speaking, tech conference