Wednesday, August 29, 2007

OS Fingerprinting - Most Fulfilling Talk

Today, Rajkumar and I gave a talk on Operating System Fingerprinting. Rajkumar, the main speaker of the talk started and talked about security mind set. He narrated various reconnaissance attacks. He then explained about OS Fingerprinting and active fingerprinting. During his speech he talked about TCP/IP implementation differences in many popular and infamous operating systems like Windows XP, Linux and Solaris. He also demonstrated active OS fingerprinting with NMAP.

The second part of the session, I started with an overview on Buffer overflow to emphasis why OS Fingerprinting is essential. Then explained POSFP with a real incident took place in this world. We also discussed positive aspects of OSFP like Network Auditing.

That was one of our most fulfilling talks in Network Security. The audience were great and totally it was wonderful feeling.

Posted by at No comments:
Labels: ,

Tuesday, August 28, 2007

Security - Art, Passion and Character

Having Worked in Network Security for three years, I got addicted to attacks and VD. Though not a veteran, I would proudly say that I am Security Enthusiast. For studying or mastering security one needs to know internals of how things work. Security is not a technology or a silver bullet. In a broader perspective, security is way of life, place that cannot be achieved in this Information/Internet era.

Whenever, I get a chance to get connected with security aspects of life, I tuned myself. Rajkumar (colleague of mine) and I were browsing through some websites. Most of the websites have logic bombs in them. As far as a web application is concerned, it needs to take one thing seriously. Linux geeks used to say “Do onething. Do it well” and it greatly applies to Web. For web application, the quote should be “Do validation properly. Do it well”. Coming to back those web applications, they did something fundamentally wrong. We never tried XSS, SQL Injection and stuff like that. We simply played with input fields. Havoc…

Based on that we came out with a paper that talks about web application security. Personally, we don’t prefer to preach others. This paper is just a guideline for make better software. The time has come to build security in the product. No more, the security is a plug-in.

We will be presenting our paper in “Step Auto”, an International Conference on Software Testing, Process and Automation. More in the conference.

Posted by at No comments:
Labels: ,
Subscribe to: Posts (Atom)