R1 Hacking & Securing Web-based Applications: Hands-On (Day 1 of 2)
David Rhoades, Maven Security Consulting, Inc.
9:00 a.m. to 5:00 p.m.
Who should attend: People who are auditing Web application security,
developing Web applications, or managing the development of a Web
application.
Is your Web application secure? CD Universe, CreditCard.com, and
others have found out the hard way that encryption and firewalls are
not enough. Numerous commercial and freeware tools assist in locating network-level
security vulnerabilities, but those tools do not find flaws in the
application itself: weak authentication, poor session handling, or
logic that trusts whatever the client sends.
With numerous real-world examples from the instructor's years of
experience with security assessments, this informative and entertaining
course is based on fact, not theory. The course material is
presented in a step-by-step approach, and will apply to Web portals,
e-commerce (B2B or B2C), online banking, shopping, subscription-based
services, or any Web-enabled application.
Class exercises will require that students have an x86-based laptop
computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet
network card. Please download a copy of KNOPPIX-STD
(https://www.knoppix-std.org), burn it to a CD-R, and try to boot your system
on a network offering DHCP. Be sure your network card is recognized by
Knoppix-STD, otherwise you will not be able to participate in most classroom
exercises. Wireless access will not be supported during class.
Topics include:
- The primary risks facing Web applications
- Exposures and vulnerabilities in HTML and JavaScript, authentication,
and session tracking
- Tools, techniques, and methodologies required to locate weaknesses
- Recommendations for mitigating exposures found
- Best practices for Web application security
Students will be provided access to several target Web applications.
Some of these applications are real applications with known security
issues. Others are mock applications
designed by Maven Security to simulate real security issues. At
each step, the instructor will supply the tools needed and demonstrate
the required techniques. All software provided will be publicly available freeware.
Day 1
- Introduction
- The problem and root causes
- Web primer: HTTP and HTML
- Foundational security
- OS vulnerabilities
- Web server security highlights
- Web server and Web application output
- HTTP headers
- HTML and JavaScript
- Encryption ciphers
- Error messages
- Caching
- Authentication
- Authentication: digital certificates; form-based; HTTP basic
- Threats to authentication
- Sign-on
- User name harvesting
- Brute-force password guessing
- Password harvesting
- Resource exhaustion
Day 2
- Session issues
- Session tracking mechanisms
- Session ID best practices
- Session cloning
- Transaction issues
- Malicious user input
- Hidden form elements
- GET vs. POST
- JavaScript filters
- Improper application logic
- Cross-site scripting (XSS)
- Third-party products
- Testing procedures
- Methodology and safety
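As an added example that is not part of the course or of Maven Security's materials: a small Python check of the kind the "Session ID best practices" and "Session cloning" items lead to. It constructs two sample sets, a counter-based generator standing in for a weak server and `secrets.token_hex` for a sound one (both are this example's own, not any product's), and measures whether each ID is predictable from the ones issued before it. The thresholds in `assess` are assumptions chosen for illustration.

```python
"""Added example: is a sample of session IDs predictable?

Two heuristics a tester applies to IDs collected in issue order:
  1. per-character entropy (how much of the ID is fixed structure), and
  2. whether consecutive IDs are numerically close (counter/clock-derived).
Generators and thresholds here are constructed for the example.
"""
import math
import secrets
import string
from collections import Counter


def weak_session_id(base, n):
    """Constructed weak generator: a counter rendered as 16 hex digits.
    Anyone who fetches a few IDs can guess the next one (session cloning)."""
    return format(base + n, "016x")


def strong_session_id():
    """128 bits from the OS CSPRNG, rendered as 32 hex digits."""
    return secrets.token_hex(16)


def entropy_bits_per_char(ids):
    """Shannon entropy of the pooled characters. A hex alphabet tops out at
    4 bits/char; values far below that mean most of each ID is fixed or
    slowly changing structure rather than randomness."""
    text = "".join(ids)
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _as_int(session_id):
    """Parse an ID as a hex or decimal integer; None if it is neither."""
    if session_id and all(ch in string.hexdigits for ch in session_id):
        return int(session_id, 16)
    if session_id.isdigit():
        return int(session_id, 10)
    return None


def sequential_fraction(ids, window=1000):
    """Fraction of consecutive pairs whose numeric difference is within
    +/- window. Counter- and clock-derived IDs score near 1.0; random
    128-bit values score essentially 0."""
    pairs = close = 0
    for a, b in zip(ids, ids[1:]):
        x, y = _as_int(a), _as_int(b)
        if x is None or y is None:
            continue
        pairs += 1
        if abs(y - x) <= window:
            close += 1
    return close / pairs if pairs else 0.0


def assess(ids, min_bits_per_char=3.0, max_sequential=0.5):
    """Summarise a sample of IDs collected in the order the server issued them.
    Thresholds are assumptions for this example."""
    ent = entropy_bits_per_char(ids)
    seq = sequential_fraction(ids)
    weak = ent < min_bits_per_char or seq > max_sequential
    return {
        "entropy_bits_per_char": round(ent, 2),
        "sequential_fraction": round(seq, 2),
        "verdict": "PREDICTABLE" if weak else "no obvious weakness",
    }


if __name__ == "__main__":
    weak = [weak_session_id(0x5F3A1000, n) for n in range(50)]
    strong = [strong_session_id() for _ in range(50)]
    print("counter-based :", assess(weak))
    print("CSPRNG-based  :", assess(strong))
```

Against a real target, replace the constructed samples with IDs captured from successive logins, in the order they were issued. Both checks are heuristics: an ID that passes them can still be weak (for instance a hash of a timestamp and a small counter looks random but is guessable once the recipe is known), so they complement rather than replace finding out how the server actually generates its IDs.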
David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security
Consulting, Inc. Since 1996, David has provided information protection services
for various FORTUNE 500 customers. His work has taken him across the US
and abroad to Europe and Asia, where he has lectured and consulted in
various areas of information security. David has a B.S. in computer
engineering from the Pennsylvania State University and has taught
for the SANS Institute, the MIS Training Institute, and ISACA.
R2 Managing Samba 2.2 & 3.0
Gerald Carter, Samba Team/Hewlett-Packard
9:00 a.m. to 5:00 p.m.
Who should attend: System administrators who are
currently managing Samba servers or are planning to deploy
new servers this year. This course will outline the new
features of Samba 3.0, including working demonstrations
throughout the course session.
Topics include:
- Providing basic file and print services
- Upgrading a Samba server from version 2.2 to 3.0
- Integrating with Windows NT 4.0 and Active Directory
authentication services
- Centrally managing printer drivers for Windows clients
- Managing NetBIOS network browsing
- Implementing a Samba primary domain controller along with
Samba backup domain controllers
- Migrating from a Windows NT 4.0 domain to a Samba domain
- Utilizing account storage alternatives to smbpasswd such
as LDAP
- Making use of Samba VFS modules for features such as virus
scanning and a network recycle bin
Gerald Carter (M9, T2, R2) has been a member of the Samba Team since 1998. He has published articles in various
Web-based magazines and gives instructional courses as a
consultant for several companies. Currently employed by
Hewlett-Packard as a Samba developer, Gerald has written
books for SAMS Publishing and is the author of the recent
LDAP System Administration (O'Reilly & Associates).
R3 Perl for System Administration
David N. Blank-Edelman, Northeastern University
9:00 a.m. to 12:30 p.m.
Who should attend: System and
network administrators with at least advanced-beginner to intermediate Perl skills, who would like a clearer understanding of how Perl can make their jobs easier.
Perl was originally created to help with system administration, so
it is a wonder that there isn't more instructional material
available to help people in our field use Perl to their
advantage. This tutorial hopes to begin to remedy this situation by presenting
a solid three hours of instruction on using Perl for system
administration. You are also likely to deepen
your knowledge of Perl.
Based on the instructor's O'Reilly book, Perl for System Administration, this tutorial will
take a multi-platform approach to the subject. We'll be exploring
cutting-edge and old standby system administration topics as they
manifest themselves on both UNIX and Windows NT/2000.
Topics include:
- Secure Perl scripting
- Dealing with files and filesystems
- Source control
- XML
- Databases
- Log files
- Dealing with SQL databases via DBI and ODBC
- Email as a sysadmin tool (including spam analysis)
- Network directory services: NIS, DNS, LDAP, ADSI
- Network management: SNMP and WBEM
David N. Blank-Edelman (M10, R3, R6) is the Director of Technology
at the Northeastern University College of Computer and Information Science
and the author of the O'Reilly book Perl for System Administration. He has
spent the last 19 years as a system/network administrator in large multi-platform environments, including Brandeis University, Cambridge Technology
Group, and the MIT Media Laboratory. He has given several successful
invited talks off the beaten path at LISA.
R4 Next-Generation Security Tools
Peter Baer Galvin, Corporate Technologies
9:00 a.m. to 12:30 p.m.
Who should attend: Systems managers and security managers interested in
current security problems and the new generation of tools designed to solve
those problems.
This course covers a variety of topics of importance to those
designing or implementing security solutions for their installations. It
starts with the nasty world of current security threats and the
problems sites have to solve. It then talks about what is solvable and
what still has no solution. Finally, it covers each of the possible
solutions in detail.
(Note: Most of these solutions are commercial products.)
Topics include:
- A security methodology
- Determining the state of your world
- Determining the problems to solve
- Policy and procedure
- Risk assessment, security audit, and penetration testing
- Firewalls: Why don't they work?
- Protecting Web servers
- Reducing spam
- Patch management and avoiding patching
- Network snooping
- Gaining status knowledge of your facility
- Content filtering and antivirus software
- Weak and strong authentication
- Spyware and peer-to-peer networks
Peter Baer Galvin (M3, T11, R4) is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles
for Byte and other magazines. He wrote the "Pete's Wicked World" and
"Pete's Super Systems" columns at SunWorld. He is currently
contributing editor for Sys Admin, where he manages the Solaris
Corner. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks. As a consultant and trainer, Peter has taught tutorials on security and system administration and has given talks at many conferences and institutions on such topics as Web
services, performance tuning, and high availability.
R5 Introduction to Domain Name System Administration
William LeFebvre, CNN Internet Technologies
9:00 a.m. to 12:30 p.m.
Who should attend: System or network administrators who have been exposed to the Domain Name System only as users. A basic understanding of the IP protocols, TCP and UDP, data encapsulation, and the seven-layer model will be beneficial.
DNS, the primary method the Internet uses to name and number machines, is used to translate names like "www.usenix.org" into addresses like 131.106.3.253. Any site that is serious about joining the Internet community will need to understand how to configure and administer DNS.
This tutorial will describe the basic operation of DNS and will provide instructions and guidelines for the configuration and operation of DNS on UNIX platforms using the BIND software distribution. This class is designed for the beginner and is intended to provide a foundation for the tutorial on "Intermediate Topics in Domain Name System Administration."
Topics include:
- DNS and BIND
- The DNS name hierarchy
- The four components of DNS
- Iterative vs. recursive querying
- Essential resource records: SOA, A, PTR, CNAME, NS
- Zone transfers and secondaries
- Vendor-specific differences
William LeFebvre (R5, F5) is an author, programmer, teacher, and sysadmin expert who has been using UNIX and Internet technologies since 1983. He writes a monthly column for UNIX Review and has taught since 1989 for such organizations as USENIX, the Sun User Group (SUG), MIS Training Institute, IT Forum, and Great Circle Associates. He has contributed to several widely used UNIX packages, including Wietse Venema's logdaemon package. He is also the primary programmer for the popular UNIX utility top. William is currently a technology fellow at CNN Internet Technologies, exploring the applicability of new technology to one of the busiest Web farms on the Internet. He received his bachelor's degree in 1983 and his master of science degree in 1988, both from Rice University.
R6 Perl Saves the Day: Writing Small Perl Programs to Get You Out of Big Sysadmin Pinches
David N. Blank-Edelman, Northeastern University
1:30 p.m. to 5:00 p.m.
Who should attend: System administrators with at least advanced-beginner to
intermediate Perl skills. This tutorial will show them how to get themselves
out of a jam using Perl.
Perl is an excellent language for rapid development and
prototyping. Thanks to the power of the core language and the large
body of additional modules, it is often possible to write quick
programs to solve pressing problems. System administrators have no
shortage of pressing problems, so knowing how to wield this
"swiss-army chain saw" can be a lifesaver.
Centering on battle stories
and the Perl source code used to deal with them, we'll discuss
approaches to system administration crises using
Perl. The code presented in this class will be mostly UNIX-related,
with a sprinkling of Windows NT/2000 examples, but the approaches
we'll talk about will not be operating-system specific. Students are
welcome to bring their own pressure-cooker problems (solved
or not) for class discussion.
David N. Blank-Edelman (M10, R3, R6) is the Director of Technology
at the Northeastern University College of Computer and Information Science
and the author of the O'Reilly book Perl for System Administration. He has
spent the last 19 years as a system/network administrator in large multi-platform environments, including Brandeis University, Cambridge Technology
Group, and the MIT Media Laboratory. He has given several successful
invited talks off the beaten path at LISA.
R7 Recovering from Linux Hard Drive Disasters
Theodore Ts'o, IBM Linux Technology Center
1:30 p.m. to 5:00 p.m.
Who should attend: Linux system administrators and users.
Ever had a hard drive fail? Ever kicked yourself because you didn't
keep backups of critical files, or discovered that your regular
nightly backup didn't succeed?
Of course not: you keep regular backups and
verify them frequently to make sure they are successful, right? But for those of
you who think you might nevertheless someday need this information,
this tutorial will discuss ways of
recovering from hardware or software disasters.
Topics include:
- Low-level techniques to recover data from a corrupted
ext2/ext3 filesystem when backups aren't available
- Recovering from a corrupted partition table
- Using e2image to back up critical ext2/3 filesystem metadata
- Using e2fsck and debugfs to sift through a corrupted filesystem
- Some measures to avoid needing to use heroic measures
Theodore Ts'o (R7) has been a Linux kernel developer since almost the very
beginnings of Linux: he implemented POSIX job control in the
0.10 Linux kernel. He is the maintainer and author of the Linux COM
serial port driver and the Comtrol Rocketport driver, and he architected
and implemented Linux's tty layer. Outside of the kernel, he is
the maintainer of the e2fsck filesystem consistency checker. Ted
is currently employed by IBM Linux Technology Center.
R8 Introduction to Massive Upgrades and Changes
Tom Limoncelli, Cibernet
1:30 p.m. to 5:00 p.m.
Who should attend: Sysadmins from environments where upgrading a
single large server, or hundreds of individual hosts, is common.
Although the focus will be on UNIX and IP networks, all sysadmins will benefit
from this tutorial. Examples include situations found both in
small and in large sites.
Imagine a project that involves renumbering the IP addresses on
thousands of hosts, none of which sees more than one interruption.
Imagine upgrading a large server that provides dozens of critical
services with confidence that it will be done on time and with all
services working. Imagine performing one or more changes on 1,000
individual hosts without fear that you've installed the same typo
on each. Imagine a tutorial that teaches the disciplines involved
in making those things happen.
This tutorial will include a mix of theory and case studies
of real events. Case studies will include success stories as well
as disasters; there's much to be learned from both.
Topics include:
- A sample "change management" policy you can start using right away
- The network life cycle: birth, certification, decommission
- Case study: network change management (avoiding outages, managing risk)
- The project everyone hates: moving your data center
- Surviving weekend-long maintenance windows with no major problems
- The secret to successful server upgrades
- Case study: upgrading a major application server
- Case study: upgrading a multi-purpose server
- Service conversions (it's more than just upgrading the software)
- Case study: IP renumbering and reorganization
Tom Limoncelli (R8, F3), co-author of The Practice of System and Network
Administration
(Addison-Wesley), is Director of IT Services at Cibernet Corp. A sysadmin and network wonk since 1987, he
has worked at Dean for America, Lumeta, Bell Labs/Lucent, Mentor Graphics, and Drew
University. He is a frequent presenter at LISA conferences.