DATE: Thursday, January 31, 2013
LOCATION: Facebook Campus, Building 15, 15 Hacker Way, Menlo Park, CA 94025
Please RSVP if you wish to attend!
***technical managers and engineers only please***
***food and beverage provided***
SPEAKER: Devdatta Akhawe / UC Berkeley
PRESO TITLE: Privilege Separation in HTML5 Applications
PRESO SUMMARY: The standard approach for privilege separation in web applications is to execute application components in different web origins. This limits the practicality of privilege separation since each web origin has financial and administrative cost. In this paper, we propose a new design for achieving effective privilege separation in HTML5 applications that shows how applications can cheaply create an arbitrary number of components. Our approach utilizes standardized abstractions already implemented in modern browsers. We do not advocate any changes to the underlying browser or require learning new high-level languages, in contrast to prior approaches. We empirically show that we can retrofit our design to real-world HTML5 applications (browser extensions and rich client-side applications) and achieve a reduction of 6x to 10000x in TCB for our case studies. Our mechanism requires less than 13 lines of application-specific code changes and considerably improves auditability.
SPEAKER BIO: Dev is a graduate student studying how to build better and more secure web systems at UC Berkeley. In the past, he has interned at Mozilla, Microsoft (MSRC), Yahoo! Labs, and Microsoft Research. More information, including how to pronounce his name, can be found at https://www.cs.berkeley.edu/~devdatta
SPEAKER: Nathan McCauley / Security Engineer / Square Inc. & Justin Cummins / Security Engineer / Square Inc.
PRESO TITLE: Securing SOA: Secret Management, Authentication, and Authorization
PRESO SUMMARY: Service oriented architectures present interesting security challenges. Secret management spanning dozens of services on thousands of machines can be challenging to solve elegantly. The services should all be authenticated and authorized such that customer data is protected, critical functionality is not misused, and system-wide trust is established.
This talk describes a deployed solution for hardening a service oriented architecture, with a focus on key distribution and authentication/authorization. A key distribution strategy is described using a central secret store with client agents installed on each machine throughout the infrastructure. A system for authentication and authorization based on TLS with client certificates is described. The talk contains details of the successes and challenges faced rolling this out to Square's infrastructure.
SPEAKER BIO(S): Nathan McCauley and Justin Cummins are Security Engineers at Square.
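As an added illustration of the authentication/authorization pattern the Square talk describes (not code from the talk or from Square), the Go program below configures an HTTPS server to require and verify a client certificate, then authorizes each request by looking up the verified certificate's Common Name in a per-service ACL. The service names, endpoint paths, and the use of a self-signed certificate in place of one issued by an internal CA are all constructed assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// acl maps a service identity (the Common Name of the verified client
// certificate) to the endpoints it may call. Constructed sample data.
var acl = map[string]map[string]bool{
	"payments":  {"/ledger/post": true, "/ledger/read": true},
	"reporting": {"/ledger/read": true},
}

// authorize decides whether the peer identified by an already-verified client
// certificate may call path. Authentication happened in the TLS handshake;
// this function only answers the authorization question.
func authorize(peer *x509.Certificate, path string) bool {
	if peer == nil {
		return false
	}
	perms, ok := acl[peer.Subject.CommonName]
	if !ok {
		return false // unknown service: deny by default
	}
	return perms[path]
}

// newServerTLSConfig makes the TLS layer reject any connection whose client
// certificate does not chain to a CA in the trusted pool.
func newServerTLSConfig(ca *x509.CertPool, serverCert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    ca,
		MinVersion:   tls.VersionTLS12,
	}
}

// handler is the request-time half: the peer certificate is guaranteed to be
// present and verified because of RequireAndVerifyClientCert, so the handler
// only has to enforce the ACL.
func handler(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		http.Error(w, "client certificate required", http.StatusUnauthorized)
		return
	}
	if !authorize(r.TLS.PeerCertificates[0], r.URL.Path) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "ok: %s may call %s\n", r.TLS.PeerCertificates[0].Subject.CommonName, r.URL.Path)
}

// selfSignedCert builds a throwaway certificate with the given CN so the ACL
// logic can be exercised offline. In a real deployment the internal CA issues
// this certificate and only that CA is placed in ClientCAs.
func selfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, svc := range []string{"payments", "reporting", "unknown"} {
		cert, err := selfSignedCert(svc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-9s /ledger/post -> %v, /ledger/read -> %v\n",
			svc, authorize(cert, "/ledger/post"), authorize(cert, "/ledger/read"))
	}
}
```

The split matters: the TLS configuration is what makes the identity trustworthy (an unverified certificate never reaches the handler), and the ACL lookup is what keeps "authenticated" from silently meaning "authorized". Keying the ACL on the Common Name works only when the issuing CA controls which names it signs; with a public or loosely controlled CA, a SAN or certificate fingerprint is a safer key.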
SPEAKER: Mike Ryan // iSEC Partners
PRESO TITLE: Bluetooth Smart, But Not Smart Enough
PRESO SUMMARY: We are entering a golden age of affordable broad spectrum wireless sniffing. I will demonstrate how to use the new generation of wireless hacking tools to intercept and inject Bluetooth Low Energy communications. Bluetooth LE, aka Bluetooth Smart, is a new low power mode defined in the recent Bluetooth 4.0 spec. Found in recent high-end smartphones, it is used in sports devices, sensors, and will soon appear in some medical devices.
Bluetooth LE is much simpler than classic Bluetooth. Simpler to implement, simpler to debug, and hey, simpler to hack. The software presented in the talk was developed by Mike Ryan and is available open source as a part of the Ubertooth project.
SPEAKER BIO: By day Mike Ryan is a Security Consultant with iSEC Partners, an information security firm specializing in application, network, and mobile security. By night he likes to take things apart, break them, and put them back together better than before. Mike recently joined the Ubertooth team to sniff out security issues in the latest lower-powered version of Bluetooth: Bluetooth Low Energy (LE). Mike gave a presentation on Bluetooth LE at Toorcon 14.