Web and System Security

Several large websites and companies have been pwned and exploited recently. Those exploits can even give crackers access to your internal systems, as they did to Apple's, Google's, and Facebook's. How do you think your websites and systems would hold up against the likes of LulzSec or Anonymous?

For this meeting, we've assembled a crack team of security gurus to help you avoid common security pitfalls, to harden your servers against automated attacks, and to keep the bots out of your systems.

The Meeting Agenda

Socializing and Networking

5:45PM - 6:15PM

Drop in before the presentations to pick brains and rub elbows with other members. We'll also have the food set up so you can grab a bite before the main event begins. Please consider donating a few dollars to help cover the cost of food.


Intro
6:15PM ~ 6:20PM

Welcome, sponsor recognition, interesting upcoming events, miscellaneous babbling.


The Main Event
6:15PM ~ 7:45PM

Greg Folkert - 'Vaht eez dis *security* you spreche of?'

Greg Folkert has been the systems and network administrator at donor.com for more than five years, working via telecommute. He makes systems respond and perform well under varying amounts of load and traffic. Linux is his operating system of choice, and he builds everything upon it. He provides support to staff and customers alike, including feedback on the "Just give me what I want" (aka "The Easy Button") solutions everyone wants nowadays.

"Phone calls to support start rolling, you get an IM: <Customer> can't get to their website. What to do? How to figure out what is happening? What proactive tools should you have used and what should you be thinking about before the trouble happens?" Greg will cover some higher-level ideas and flow charts on how to auto-magically (re-actively) block probes/attacks and the kinds of tools you need to use to help keep things secure. He will also tell you why you need to think about security in the first place, not as an afterthought, especially in these PCI-DSS, HIPAA and SAS70 days. If there is enough time, Greg will also talk about his chores dealing with the Chinese IP addresses everyone is worried about and the numbers involved.
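Greg's talk is about blocking probes re-actively, from what the server itself records. The script below is an added example, not code from this page or from Greg's slides: it reads constructed Apache/nginx-style access-log lines, flags requests whose query strings match a few probe signatures, and decides to block a client once it crosses a threshold of hits inside a sliding time window. The signatures, the threshold, the window and every address in the sample log are assumptions. The last three lines of the sample show the usual caveat of this approach: a client that probes slowly stays under the window and is never blocked unless the window is widened.

```python
"""Reactive probe blocking driven by web-server access logs.

Added example, not from the meetup page or Greg's slides. Signatures,
threshold, window and the log lines themselves are all assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Illustrative signatures only; a real ruleset is larger and tuned per site.
PROBE_PATTERNS = [
    (re.compile(r"(?i)union\s+select"), "sql"),
    (re.compile(r"(?:\.\./){2,}"), "traversal"),
    (re.compile(r"(?i)/etc/passwd"), "lfi"),
    (re.compile(r"(?i)<script"), "xss"),
]
THRESHOLD = 3          # probe hits before the client is blocked (assumed)
WINDOW_MINUTES = 5     # hits older than this no longer count (assumed)

# Constructed log lines: one normal visitor, one fast prober, one slow prober.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Mar/2013:18:30:01 -0400] "GET /index.php?id=1 HTTP/1.1" 200 512
203.0.113.9 - - [25/Mar/2013:18:30:05 -0400] "GET /index.php?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 512
203.0.113.9 - - [25/Mar/2013:18:30:06 -0400] "GET /page.php?file=../../../../etc/passwd HTTP/1.1" 404 210
198.51.100.7 - - [25/Mar/2013:18:30:09 -0400] "GET /about HTTP/1.1" 200 1024
203.0.113.9 - - [25/Mar/2013:18:30:11 -0400] "GET /search?q=%3Cscript%3Ealert(1) HTTP/1.1" 200 300
203.0.113.9 - - [25/Mar/2013:18:30:12 -0400] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 300
192.0.2.44 - - [25/Mar/2013:18:40:00 -0400] "GET /?x=union+select HTTP/1.1" 200 100
192.0.2.44 - - [25/Mar/2013:18:46:30 -0400] "GET /?x=union+select HTTP/1.1" 200 100
192.0.2.44 - - [25/Mar/2013:18:52:00 -0400] "GET /?x=union+select HTTP/1.1" 200 100
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Decode %XX and '+' so encoded probes are compared in their plain form.
    return {"ip": m["ip"], "ts": ts, "path": unquote_plus(m["path"]),
            "status": int(m["status"])}


def probe_tags(path):
    """Names of every signature that matches the decoded request path."""
    return [tag for pattern, tag in PROBE_PATTERNS if pattern.search(path)]


def decide_blocks(log_text, threshold=THRESHOLD, window_minutes=WINDOW_MINUTES):
    """Walk the log in order and return one block decision per offending IP.

    Each client keeps a deque of (timestamp, tags) for its probe hits; hits
    older than the window are dropped before the count is compared against
    the threshold, so a slow prober never accumulates enough to be blocked.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    blocked = {}
    decisions = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None or req["ip"] in blocked:
            continue
        tags = probe_tags(req["path"])
        if not tags:
            continue
        hits = recent[req["ip"]]
        hits.append((req["ts"], tags))
        while hits and req["ts"] - hits[0][0] > window:
            hits.popleft()
        if len(hits) >= threshold:
            reasons = sorted({t for _, hit_tags in hits for t in hit_tags})
            blocked[req["ip"]] = req["ts"]
            decisions.append({"ip": req["ip"], "blocked_at": req["ts"].isoformat(),
                              "reasons": reasons})
    return decisions


if __name__ == "__main__":
    for decision in decide_blocks(SAMPLE_LOG):
        print(decision)
```

The output of `decide_blocks` is what you would hand to the actual enforcement tool (a firewall rule, a web-server deny list); the decision logic is kept separate from enforcement so the same scan can be run against an old log to check how noisy the rules are before they go live.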

Tyler Paxton - "Dealing with spam"

Tyler Paxton is the founder and CEO of Are You a Human, which uses simple and fun games as a replacement for CAPTCHAs. Are You a Human is based in Detroit and has grown to serve 20 Million games a month on over 3000 sites. Tyler previously founded an IT services and consulting company and attended graduate school at the University of Michigan, where he founded Are You a Human. Tyler currently lives in the Detroit area and spends all of his free time with his wife and three kids.

Spam is the invasive weed of the internet. Once-popular sites have been destroyed by it. It kills the community and wastes your time. Learn some of the many things you can do to fight back and reclaim your property. Weigh the benefits of the myriad choices available to you depending on the type of site you run and the type of spam you get.

Mark Stanislav - How Poor Web Programming is Ruining Information Security

Mark Stanislav is a Senior Consultant at NetWorks Group, focused on operational automation and information security. With a career spanning a decade, Mark has worked within small business, academia, start-up, and corporate environments primarily focused on Linux architecture, information security, and web application development. In his free time, Mark responsibly identifies and reports vulnerabilities in open-source software. Mark holds a Bachelor's degree in Networking & IT Administration and a Master's in Technology Studies focused on Information Assurance, both from Eastern Michigan University. Mark also holds his CISSP, Security+, Linux+, and CCSK certifications.

A review of recent web site attacks will be given to help understand what major vulnerabilities are common for web sites, how attacks are executed, and what a compromise can mean to a company, government, or other organization. Further attention will be given to: how an entity can prevent poor programming from ruining their security; how web programmers compare to other industries for qualifications required to interact with highly sensitive data; and a forward-thinking discussion on how the industry can be proactive when hiring programmers. The goal of this presentation is to make all parties involved in information security aware of just how serious one poorly created web site can be to the fabric of their information security architecture and practices.


Post-Meeting Activities

Join other members for drinks and discussion at a local watering hole afterwards.


  • Adam Michael F.

    I'm seeing two threats on a site I manage. Could someone help me identify these threat types, so I can pursue appropriate countermeasures?

    1. The first threat is a large number of requests for "Account details for [user]" that result in a "failure notice" email. The reasons cited are "Unknown User," "Did not like user," "Mailbox unavailable," or "I couldn't find any host named..." I've received many such requests since March 28.

    The message usually says, "Hi. This is the qmail-send program at [host]. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up..."

    2. The second threat could be same as the first, but the messages read, "Undeliverable: Account details for [user]... A communication failure occurred during the delivery of this message. Please try resending the message later. If the problem continues, contact your helpdesk."

    If you could help me identify these threats, I would greatly appreciate it! -Adam

    April 3, 2013

    • Greg F.

      Gah, Number 2 is probably the management system you are using to manage the site, telling you that there are problems with these e-mails being sent out. And since you are using a "system" to manage your machine, it's telling you to contact the Helpdesk.

      This is the reason I dislike these "control panels": people do not understand what is happening, even if something is normal. Since the noise looks exactly the same as a real threat, the messages are washed out and nobody pays attention to them.

      Nothing against you, Adam. But you do need to understand, by looking at the headers, where these messages are coming from, to see if they are a "real" threat or not.

      1 · April 3, 2013

    • Adam Michael F.

      Hey Ben, sorry about that. I just joined the group and I'll move my question out there. Thanks for the tip! Tim, John, and Greg -- thank you for your responses and good questions!

      April 3, 2013
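Greg's advice in the thread above is to read the headers of those failure notices rather than the text in the body. The script below is an added example, not code from the meetup page or from any of the speakers: it parses a constructed qmail-send failure notice, pulls out the copy of the original message that qmail appends, walks that copy's Received chain oldest-first, and reports whether the host that first injected the original is one of our own mail hosts. Every host name, address and IP in the sample is made up, and OUR_MAIL_HOSTS / OUR_MAIL_IPS are assumed values for the site being managed.

```python
"""Read a bounce's headers to see where it really came from (Greg's advice).

Added example, not code from the meetup page or its speakers. The sample is
a constructed qmail-send failure notice; all hosts, addresses and IPs are
made up, and OUR_MAIL_HOSTS / OUR_MAIL_IPS are assumed values for the site.
"""
import email
import re

OUR_MAIL_HOSTS = {"mail.example-site.test"}   # assumed: hosts that send for us
OUR_MAIL_IPS = {"192.0.2.10"}                  # assumed: their addresses
QMAIL_COPY_MARKER = "--- Below this line is a copy of the message."
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed: the copied original was handed to the ISP's MX by a stranger
# (198.51.100.77) using our name in HELO; it never passed through our server.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mx1.some-isp.test (mx1.some-isp.test [203.0.113.5])
  by mail.example-site.test with SMTP; Wed, 03 Apr 2013 09:12:01 -0400
From: MAILER-DAEMON@mx1.some-isp.test
To: webmaster@example-site.test
Subject: failure notice

Hi. This is the qmail-send program at mx1.some-isp.test.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<someone@some-isp.test>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <webmaster@example-site.test>
Received: from unknown (HELO example-site.test) (198.51.100.77)
  by mx1.some-isp.test with SMTP; Wed, 03 Apr 2013 09:12:00 -0400
From: "Support" <webmaster@example-site.test>
To: someone@some-isp.test
Subject: Account details for someone

Your account details are attached.
"""

# Same bounce, but this time the copied original really did leave our server.
SAMPLE_BOUNCE_OURS = SAMPLE_BOUNCE.replace(
    "from unknown (HELO example-site.test) (198.51.100.77)",
    "from mail.example-site.test (mail.example-site.test [192.0.2.10])",
)


def received_hops(msg):
    """Received chain oldest-first as (host named after 'from', IPv4 or '')."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):   # headers are prepended
        flat = " ".join(hdr.split())                    # unfold continuation lines
        host = re.match(r"from\s+(\S+)", flat)
        ip = IPV4.search(flat)
        hops.append((host.group(1) if host else flat, ip.group(0) if ip else ""))
    return hops


def extract_original(bounce):
    """Parse the copy of the original message that qmail appends, or None."""
    body = bounce.get_payload()
    if QMAIL_COPY_MARKER not in body:
        return None
    copy = body.split(QMAIL_COPY_MARKER, 1)[1].lstrip("\r\n")
    return email.message_from_string(copy)


def triage_bounce(raw):
    """Report who bounced the mail and who first injected the original.

    sent_by_us is True when the oldest Received hop of the copied original
    names one of our hosts or IPs, False when it names a stranger, and None
    when the bounce carries no usable copy of the original.
    """
    bounce = email.message_from_string(raw)
    hops = received_hops(bounce)
    report = {
        "is_bounce": bounce.get("Return-Path", "").strip() == "<>",
        "bounced_by": hops[0][0] if hops else None,
        "original_first_hop": None,
        "original_first_ip": None,
        "sent_by_us": None,
    }
    original = extract_original(bounce)
    orig_hops = received_hops(original) if original is not None else []
    if orig_hops:
        host, ip = orig_hops[0]
        report.update(original_first_hop=host, original_first_ip=ip,
                      sent_by_us=host in OUR_MAIL_HOSTS or ip in OUR_MAIL_IPS)
    return report


def verdict(report):
    """One-line reading of the report for whoever is on the help desk."""
    if report["sent_by_us"] is False:
        return (f"noise: original injected by {report['original_first_hop']} "
                f"({report['original_first_ip']}), not by our mail hosts")
    if report["sent_by_us"]:
        return "ours: original left our server; check what is sending it"
    return "unclear: no copy of the original to inspect"


if __name__ == "__main__":
    for sample in (SAMPLE_BOUNCE, SAMPLE_BOUNCE_OURS):
        print(verdict(triage_bounce(sample)))
```

The oldest Received hop is the only one written by a relay you do not control that still records the injecting host's IP, which is why the script keys its verdict on that line rather than on the From header or the HELO name, both of which the sender chooses freely.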

  • Jace B.

    Am I the only one that left feeling terrified?

    1 · March 25, 2013

    • Greg F.

      Nah... don't be terrified. You've got to learn how to manage that fear and adrenaline. I admit, I used to live on adrenaline and large quantities of Diet Mountain Dew. I've since dropped caffeine and can manage the fear now. Took me a while; it just takes practice, hard work/learning and an employer trusting you to do the right thing.

      In Systems and Network Administration, if you don't learn something new every day, you are doing it wrong. Fear is a good moderator sometimes.

      1 · March 26, 2013

    • Brandon G.

      If I had any web apps for medical, government or financial institutions...I would have. lol. Instead I just left feeling like I need to add another handful of things to my current list of learning.

      1 · March 27, 2013

  • Greg F.

    Presentation from March 25th, 2013:
    https://docs.google.com/presentation/d/1vzW8AKmRclP9Mc5HZZyW8Xy5y_xcD_eQVNuUNAP8yNM/edit#slide=id.p

    Here is the spreadsheet referenced but not shown, that shows the single IP Attack plan and type of query string attacks:
    https://docs.google.com/spreadsheet/ccc?key=0Ao8Xs1P5qtijdERWekNHS2gtUmltaVBaVG5UZmJqZ3c#gid=0

    Cheers!

    March 26, 2013

  • Greg F.

    I'll have the links for my stuff later today.

    March 26, 2013

  • Shai L.

    Missed it - sad to say. I am a big proponent of learning more about and implementing security better. I should be, since it's my forte.

    March 25, 2013

  • A former member

    I love talking security. I am a contributor on PHP Vulnerability Hunter, an automated whitebox fuzz testing tool for PHP web applications written in C#.

    March 8, 2013

  • Greg F.

    Evidently, I'm one of the speakers... so, I'm hoping I attend!

    March 8, 2013

  • Dave B.

    I'm not a security expert, but I've dealt with these issues and could talk about them.

    September 18, 2012
