
Tenable Blog


Louisville Metro Infosec 2009

A Small Conference with a Big Presence

Last week I attended the Louisville Metro Infosec conference, held at Churchill Downs in Louisville, Kentucky. The sold-out event hosted 375 people and 28 sponsors. Although this was a small local event, it had the feel and energy of a much larger conference.

Louisville is the home of the "Louisville Slugger" factory where they still provide the bats for major league baseball players.

Bob is Evil

There were several great presentations, and everyone spoke highly of each talk they attended. My presentation was titled "Bob's Great Adventure: Attacking and Defending Web Applications". It was in two parts: the first on attacking web applications and the second on defending them. The entire presentation is wrapped into a story about an "evil hacker" named Bob who plans to break into a web site defended by Alice. There are several reasons for wrapping the presentation in a story. In addition to its entertainment value, it allowed me to underscore some very important points. First, most attackers do not show the same care as a professional penetration tester. Attackers will not operate within a maintenance window or think twice about destructive behavior, and they will go to great lengths to accomplish their goals without regard for the consequences. An attacker will not care about taking out an ISP that is in the way of the target. The other important point about attackers is that the tools they use may not be public. This sometimes frustrates the audience when I talk about a tool that is not in public circulation. However, we cannot be "one dimensional" about defense. Our networks and systems need a defensive program that protects against both known and unknown threats; we will not always have the luxury of obtaining the attacker's weapons, seeing how they work and developing protections.

The event was well photographed; above is a picture of me interacting with my slides during my presentation. More pictures of the event are posted on the conference website.

Additionally, the story allows me to tell both sides of web application security and cover not just the attacks, but the defenses as well. After giving this talk twice, I have found that it accomplishes the goal of scaring people, while at the same time giving them ideas for implementing practical defenses. For example, after I gave the presentation, we had a great discussion that covered how to prevent MySQL users from being able to write files to the file system.

As with all of my materials, I try to give people something they can take back to the office and put to use that helps them do their jobs. Below are some of the highlights from my presentation:

  • There are methods for fingerprinting and bypassing web application firewalls available to attackers
  • When attacking virtual hosting environments, an attacker will not think twice about breaking into a site hosted alongside your site to gain access to your data
  • You can chain multiple web proxies together to collect more results and better formulate attacks (e.g., chaining WebScarab through Ratproxy)
  • SQL injection vulnerabilities not only give an attacker access to your data, but can be used to gain remote command execution
  • Defenders need to collect, analyze and monitor logs then take action accordingly
  • Patch “less critical” vulnerabilities such as local privilege escalation
  • Use perimeter devices properly and block outgoing traffic to make an attacker's life more difficult while better protecting resources
  • Harden your systems using industry standard guidelines, such as the CIS Benchmarks
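As an added example (not from the original talk or this post), here is the MySQL side of two of the points above: the post-talk discussion on preventing MySQL users from writing files to the file system, and the highlight that SQL injection can lead to command execution. In MySQL, a database account can only write server-side files if it holds the global FILE privilege and the server's secure_file_priv setting allows it, so auditing and removing both is the practical defense. The account name 'webapp'@'localhost', the schema appdb and the directory path are constructed placeholders.

```sql
-- Added example: audit and remove the MySQL FILE privilege so that a
-- compromised or injected web application account cannot write files.
-- 'webapp'@'localhost', appdb and /var/lib/mysql-files are placeholders.

-- 1. Find every account that holds the global FILE privilege. Each of these
--    can run SELECT ... INTO OUTFILE / LOAD DATA INFILE on the server host.
SELECT user, host
FROM mysql.user
WHERE File_priv = 'Y';

-- 2. Review what the web application's account currently has.
SHOW GRANTS FOR 'webapp'@'localhost';

-- 3. FILE is a global privilege, so it is always revoked ON *.*.
REVOKE FILE ON *.* FROM 'webapp'@'localhost';

-- 4. Re-grant only the data access the application actually needs,
--    limited to its own schema (least privilege).
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'localhost';

-- 5. Check the server-wide limit on file operations. An empty value means
--    no restriction; a directory limits import/export to that path;
--    NULL disables file import/export for every account, FILE or not.
SHOW VARIABLES LIKE 'secure_file_priv';

-- secure_file_priv is read-only at runtime; set it in the server option file
-- and restart, for example:
--   [mysqld]
--   secure_file_priv = /var/lib/mysql-files   -- or NULL to disable entirely

-- 6. Confirm the account no longer appears in the FILE audit.
SELECT user, host
FROM mysql.user
WHERE File_priv = 'Y';
```

Running the audit query periodically (or from a compliance check) turns step 1 into a standing control rather than a one-time cleanup.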

More Capture The Flag

Adrian "Irongeek" Crenshaw, known primarily for his useful information security web site www.irongeek.com, ran a CTF at the event. The game was focused primarily on attack, challenging players to obtain an encrypted file (filled with mock medical information) and decrypt it to view the contents. The game was won in the late morning by some creative hackers who were at first puzzled as to how to obtain the password. It turns out there was a webcam attached to one of the machines that needed to be rotated slightly. Once the camera was aimed at the screen of a mock desktop computer, a sticky note containing the password came into view. This was a fun event where players could sharpen their skills.

John Strand (left) and myself (right) spent some time helping some of the teams overcome the technical challenges of the CTF.

The Internet is Evil

While all of the presentations got rave reviews, one of the keynote speeches was particularly interesting. John Strand gave a keynote titled "The Internet is Evil". Most of us know that the Internet is evil, but John wants us to do something about it. He challenges us to think differently about defense and to question how much Internet access, if any, your users should have. He also makes a good point about perceptions of users: many believe that the average user is not knowledgeable about computers, when in reality users are running anonymizing proxies to bypass corporate web filtering. John then identified two areas of "security" that need improvement. I put "security" in quotes because the following provide only a false sense of security:

  • Anti-virus - John points out a new service that allows you to upload your binary and have it encoded by several different programs, then review a report of which anti-virus engines caught it and which ones did not. You can find more information on the PolyPack web site.
  • SSL - SSLStrip is a tool that tricks the user into running a connection over HTTP instead of HTTPS. You can watch a video demonstration of this tool in action to get a better idea of how it works. John then goes on to show how this could be combined with attacks against BGP to intercept traffic without having to be on the same subnet as your victims.

John Strand presenting. Hey wait - I thought I was supposed to be the evangelist!

John then went on to cover defensive techniques that work, such as using perimeter firewalls to restrict outgoing access and enabling the built-in firewall on all of your hosts (especially desktops). The other interesting idea he presented was to treat your user desktop subnets as hostile. I know this may sound like a radical idea, but if the users are accessing the Internet and exposing their systems to malicious code, it's best to treat them as if they are already infected with malware. I've used this tactic when developing security strategies for universities and it works quite well.


The Louisville Metro Infosec conference was an informative and fun environment to meet people and talk about information security. Everyone was very welcoming, friendly and eager to discuss all things related to information security, from the latest attacks, to the latest defensive strategies.
