• Facebook
• Twitter
• Reddit
• LinkedIn

Otra de las remarcadas conferencias sobre seguridad informática, OWASP AppSecUSA 2013, fue celebrada en Nueva York del 18 al 21 de noviembre. Para los no privilegiados, aquí tenéis la lista de los vídeos (diapositivas con audio):

• OWASP Zed Attack Proxy - Simon Bennetts
• The Cavalry Is US: Protecting the public good - Josh Corman, Nicholas Percoco
• 2013 AppSec Guide and CISO Survey - Marco Morana, Tobias Gondrom
• Top Ten Proactive Controls - Jim Manico
• Forensic Investigations of Web Exploitations - Ondrej Krehel
• Big Data Intelligence - Ory Segal, Tsvika Klein
• All the network is a stage, and the APKs merely players - Daniel Peck
• BASHing iOS Applications - Jason Haddix, Dawn Isabel
• What You Didn't Know About XML External Entities Attacks - Timothy Morgan
• OWASP Hackademic - Konstantinos Papapanagiotou
• OWASP Periodic Table of Elements - James Landis
• Why is SCADA Security an Uphill Battle? - Amol Sarwate
• Making the Future Secure with Java - Milton Smith
• Tagging Your Code with a Useful Assurance Label - Robert Martin
• HTML5: Risky Business or Hidden Security Tool Chest? - Johannes Ullrich
• Thinking Differently About Security - Mary Ann Davidson
• The 2013 OWASP Top 10 - Dave Wichers
• PiOSoned POS - A Case Study in iOS based Mobile Point-of-Sale gone wrong - Mike Park
• Verify your software for security bugs - Simon Roses Femerling
• Insecure Expectations - Matt Konda
• Hacking Web Server Apps for iOS - Bruno Oliveira
• (Audio only) PANEL: Aim-Ready-Fire moderated by Wendy Nather
• AppSec at DevOps Speed and Portfolio Scale - Jeff Williams
• Application Security: Everything we know is wrong - Eoin Keary
• An Introduction to the Newest Addition to the OWASP Top 10 - Ryan Berg, Jeff Williams
• Mobile app analysis with Santoku Linux - Andrew Hoog
• Accidental Abyss: Data Leakage on The Internet - Kelly FitzGerald
• Mantra OS: Because The World is Cruel - Gregory Disney-Leugers
• (Audio only) Wassup MOM? Owning the Message Oriented Middleware - Gursev Singh Kalra
• Case Study: 10 Steps to Agile Development without Compromising Enterprise Security - Yair Rovek
• Contain Yourself: Building Secure Containers for Mobile Devices - Ron Gutierrez
• iOS Application Defense - iMAS - Gregg Ganley
• Pushing CSP to PROD - Brian Holyfield, Erik Larsson
• Leveraging OWASP in Open Source Projects - Aaron Weaver, David Ohsie, Bill Thompson
• HTTP Time Bandit - Vaagn Toukharian, Tigran Gevorgyan
• NIST - Missions and impacts to US industry, economy and citizens - James St. Pierre, Matthew Scholl
• Revenge of the Geeks: Hacking Fantasy Sports Sites - Dan Kuykendall
• Hack.me: a new way to learn web application security - Armando Romeo
• OWASP Broken Web Applications (OWASP BWA): Beyond 1.0 - Chuck Willis
• Can AppSec Training Really Make a Smarter Developer? - John Dickson
• The Perilous Future of Browser Security - Robert Hansen
• (Audio only) PANEL: Women in Information Security - moderated by Joan Goodchild
• (Audio only) Panel: Don't Tell Me Software Security - moderated by Mark Miller

• Facebook
• Twitter
• Reddit
• LinkedIn

La Øredev Developer Conference es una conferencia orientada al desarrollo de software en general. Ésta se viene celebrando desde al año 2005 y la edición de este año 2013 se celebró del 4 al 8 de noviembre en Suecia. Aquí os dejo la lista de vídeos de las charlas que se dieron:

• Implementing Micro­Service Architectures (Fred George)
• Implementing Programmer Anarchy (Fred George)
• Git secrets (Brent Beer)
• Programming, Only Better (Bodil Stokke)
• Postgres: The Bits You Haven't Found Yet (Peter van Hardenberg)
• Why Kotlin? (Svetlana Isakova)
• Functional Groovy (Andres Almiray)
• Let's Stop Faking It (Michael Larsen)
• Designer, developer communication (Heidi Harman)
• Developer Designer Communication (Heidi Harman)
• Lightning Fast SQL with Proper Indexing (Markus Winand)
• Design for times 10 or times 100: How to handle hundreds of millions played games per day. (Lars Sjödin)
• Discovering Type Providers in F# 3.0 (Rachel Reese)
• The Creativity (R)Evolution (Denise Jacobs)
• Google Glass, an introduction for developers (Mattias Erlö)
• A Live hacking demo that will make you care more about securing your code! (Marcus Murray)
• What's new in Visual Studio 2013 for web developers (Mads Kristensen)
• Azure Mobile Service – The backend for the masses (Dag König)
• F# for trading (Phil Trelford)
• Windows: Having it's ass kicked by puppet and PowerShell since 2012 (Paul Stack)
• Concurrent Applications with F# Agents (Rachel Reese)
• Lean UX: Building products people want (Adrian Howard)
• Aesthetics and the Beauty of an Architecture: Adventures in CQRS and Event Sourcing (Tom Scott)
• Spring 4 on Java 8 (Juergen Hoeller)
• Java Mission Control: Flight Recorder Deep Dive (Marcus Hirt)
• RRRADDD! Ridiculously rapid domain-driven (and restful) apps with Apache Isis (Dan Haywood)
• Refactor your specs! (Cyrille Martraire)
• Windows Phone 8 SDK: Beyond the Basics with Wallet, In-App Purchasing and Maps. (Michael Crump)
• Coding Tips and Tricks I Learned from Making Some of the Biggest Apps Out There (Atley Hunter)
• Symbiotic relationships between testing and analytics (Julian Harty)
• "Do it yourself"...Custom JavaFX Controls (Gerrit Grunwald)
• Cloud Infrastructure as Code (Henrik Lindberg)
• Developers Can't Design (And Other Completely Untrue Design Myths) (Jen Myers)
• Introduction to the Play Framework (James Ward)
• The next version of JavaScript: ES6 on the frontend, in the real world (John K. Paul)
• Effective Node.js Programming and Module Creation (Jed Wood)
• Unconventional promises - using promises for the kitchen sink, and control flow nivana (John K. Paul)
• Breakout - of the tiles (Håkan Reis)
• No Estimates: Let's explore the possibilities (Roy "Woody" Zuill)
• Security Avalanche – understanding today’s modern protocols (Michele Leroux Bustamante)
• Firefox OS - the platform HTML5 deserves (Christian Heilmann)
• Data visualization, infographics and big open data (Steen Lehmann)
• Regression Obsession (Michael Bolton)
• Advanced Android App Architectures + Lifecycles (Bryan Costanich)
• Balancing ATDD, GUI Automation and Exploratory Testing (Michael Larsen)
• An Artistic Science Approach to Analysis and Reporting Performance Data (Scott Barber)
• Practical Tools for Playing Well with Others (J. B. Rainsberger)
• Being Secure on a Mobile Platform (Siren Hofvander)
• Open APIs - risks and rewards (Andreas Krohn)
• Adopting Continuous Delivery (Jez Humble)
• Heuristics of Testability (James Bach)
• Art & code with XKCD (Randall Munroe)
• The Art of Ruby on Rails (Steve Klabnik)
• Gradle for Android and the rest of the world (Luke Daley)
• ZeroMQ – A Whole Bunch of Awesome [C# Edition] (Ashic Mahtab)
• HTML5 Hacks (Jesse Cravens)
• An Open Source Grid-Based Actor Model (Vaughn Vernon)
• Efficient Android Threading (Anders Göransson)
• Windows Phone 100+ Apps In – What I have Learned (Atley Hunter)
• Livin on the edge: Netflix edge architecture (Adrian Cole)
• C# Cross Platform Mobile with Xamarin (Bryan Costanich)
• F# for C# developers (Phil Trelford)
• Hands On with Clojure (Bodil Stokke)
• Windows Phone 8- the advanced session for the creative child at heart (Iris Classon)
• Functional Principles for Object-Oriented Developers (Jessica Kerr)
• Lightning introduction to three NoSQL technologies (Joel Jacobson)
• 30 NuGet Packages in 50 Minutes (Shay Friedman)
• if (BetterConcurrency == BetterPerformance) { ... (Kirk Pepperdine)
• Modern Component Design with Spring (Juergen Hoeller)
• How To Structure Your JavaEE 7 App (Adam Bien)
• Unlocking the Java EE Platform with HTML5 (Geertjan Wielenga)
• Agile Lightning Talks (J. B. Rainsberger)
• So What About Tablets? (Richard Campbell)
• Enterprise git collaboration patterns (Brent Beer)
• Tracking and Improving Software Quality with Sonar (Patroklos Papapetrou)
• Scaling mobile development at Spotify (Per Eckerdal)
• Less is more! - when it comes to art and software (Jimmy Nilsson)
• Code as a crime scene (Adam Petersen Tornhill)
• Managing Asynchronicity with RQ (Douglas Crockford)
• Shakespeare in Dev (Thomas Q Brady)
• The future of Java in the grander scheme of things (Tomas Nilsson)
• Habits of a Responsible Programmer (Anders Janmyr)
• Go To There and Back Again (Douglas Crockford)
• Entity Framework in Core-Business Applications that Leverage DDD (Julie Lerman)
• Building Secure and Social Applications (Michele Leroux Bustamante)
• Distributed teams - a pragmatic way (Björn Granvik)
• Building Reactive Apps with Play Framework, Akka, and Scala (James Ward)
• Layers Considered Harmful (Christian Horsdal)
• Ubuntu, a potent new force in mobile (David Planella)
• Release your creativity - join OpenJDK (Cecilia Borg)
• The Curious Case of JavaScript on the JVM (Attila Szegedi)
• Data @ King - How we are able analyze 100M DAU (Mats-Olov Eriksson)
• Being Lean in the Cloud: Continuous Deployment with Amazon Web Services (Martin Elwin)
• tekhnasthai (Anna Beatrice Scott)
• The Third Wave of Artfulness in Code (Matthew McCullough)
• Does Pair Programming Have to Suck? (Angela Harms)
• Mob Programming, A Whole Team Approach (Roy "Woody" Zuill)
• The Art of Learning and Mentoring (Jutta Eckstein)
• Rebranding Agile: How Marketers are Changing the Way they Work for Real-time World (Frank Days)
• Extreme Personal Finance (J. B. Rainsberger)
• New Frontiers For In-House Legal Practice (Kate Sullivan)
• The Art of Building Tools - A Language Engineering Perspective (Markus Voelter)
• Have You Seen Spring Lately? (Joshua Long)
• Go Beyond "Debug": Wire Tap your App for Knowledge with Hadoop (Oleg Zhurakousky)
• ElasticSearch - Distributed search on BigData made easy (Itamar Syn-Hershko)
• The very near future of a richer, standards based web (Christian Heilmann)
• Taking a PaaS on the Hard Stuff with Cloud Foundry (Joshua Long)
• Building End to End Web App Using TypeScript (Gil Fink)
• Building Web Applications with Ember.js and Ruby On Rails (Jesse Cravens)
• The Art of Ruby (Steve Klabnik)
• What's New in JAX-RS 2 (Reza Rahman)
• What is new in XAML for Windows 8.1 (Tess Ferrandez)
• Android Design: Beyond the Guidelines - Creating character and identity in your applications (Kevin Grant)
• NodeJS: the good parts? A skeptic’s view (Chris Richardson)
• Crafted Technology and Experiences (Petra Sundström)

• Facebook
• Twitter
• Reddit
• LinkedIn

Hay varias formas con las que nos podemos hacer con una botnet: comprar, alquilar, hacerte con la botnet tú mismo (¿robar?) o hacerte la tuya propia.

Comprar o alquilar, si dispones del dinero y quieres hacer dicha inversión… Hacerte con una botnet existente no es fácil y se requieren ciertos conocimientos técnicos, tiempo y paciencia. Y al hacerte tu propia botnet, pues más de lo mismo, conocimientos muy técnicos para construir la infraestructura y mucho tiempo.

Como proyectos Open Source los hay de todos los gustos, ¿Por qué no una herramienta para manejar botnets?

Splinter The Rat es una RAT (Remote Administration Tool). Este tipo de herramientas normalmente nos permite tomar el control de un bot (sistema comprometido).

Splinter The Rat actúa como BotMaster o controlador de la botnet y está diseñado para trabajar con distintos tipos de backdoors o puertas traseras: netcat listeners o implantes creados en Java o Python, ya precompilados en el sistema. En el futuro también se integrará con Armitage y Raven.

Además este RAT también permite la transferencia y navegación de ficheros, geolocalización, acceso y/o modificación del portapapeles de la víctima, capturas de pantalla y grabación, etc.

Splinter The RAT es un proyecto educativo del que podemos aprender como crear herramientas de este tipo y que además son totalmente funcionales. El objetivo de éste según sus autores es el de mostrar lo fácil que es crear una herramienta de este tipo.

Este proyecto está activamente siendo desarrollado y algunas de las características que podemos esperar en futuras versiones son:

• Desarrollos de implantes en Python, PowerShell y C++.
• Estaganogfía, TCP/DNS tunneling.
• Drive-by-downloaders y droppers Javascript
• Creación de implantes polimórficos y cifrado de la comunicación de los payloads
• Escaneo de redes internas
• Explotación de dispositivos móviles
• Etc