[cs615asa] HW #N Meetup Report

Brian Ridings bridings at stevens.edu
Sun Apr 26 20:57:53 EDT 2015


Hello,

I went to the OWASP (Open Web Application Security Project) Cyber Security
Meet-up at UBS on April 16th. This time it was hosted by UBS, but multiple
companies host OWASP events throughout the year. They are an organization
that provides security tools, information and standards for the security
community. As a Systems Administrator this is very important to make sure
that your systems are secure from attacks. Some of the things that they are
best known for are the OWASP Top 10, which includes the top 10 attacks that
are most prevalent in systems and that should be addressed; each year they
come out with a new ordering. They also provide tools like web proxies that
you can use to test web applications. They also provide sample vulnerable
web applications in multiple languages that can show how to exploit the
application, but also, more importantly, how to fix the application; after
retesting the application you can verify that it is fixed and use that
knowledge to improve the security of your own application.


Talk 1:
This first talk was from three speakers: Thomas Ryan, Renee Pollack and
Morgan Strobel. They spoke about the rising need for cyber security
professionals and the best way to provide the number that we need with the
training that we need. It goes into depth on ways to restructure the
education system, including college, to increase the quantity and quality of
the new people in cyber security.

http://www.nebraskacert.org/CSF/CSF-Oct2014.pdf


Talk 2: This talk is about Exploiting SAP ASE via SQL injections in the
database core, by Martin Rakhmanov. This is a combination of multiple attacks
that, compounded on one another, make a total breach in the system and get
full access to the database. This is managed by breaking into the system
and elevating privileges. Getting into the system uses an old trick with a
system user called "probe", by using a modified version of the client to run
arbitrary commands. It then uses the Java subsystem to get access to the
file system. Using this you can create commands and output them to a log
file and send the log file back in a SQL command.

https://www.rsaconference.com/writable/presentations/file_upload/hta-r01-owning-sap-ase-chained-database-attack_final.pdf




-- 
Brian D Ridings
Stevens Institute of Technology
Class: 2015
Year: 5/5
Master: Cyber Security
Major: Computer Science