OAuth 2.0 - The Promise and Pitfalls

OWASP 2016 - February 2016 - Sergey Ozernikov

OAuth 2.0, the second version of the popular authorisation framework, was proposed as an IETF standard in October 2012 and has since been implemented and used by companies such as Facebook, Google and Microsoft. In January 2013 an RFC containing a comprehensive threat model of OAuth 2.0 was introduced. It was as long as the initial specification, which had left out a lot of security considerations, most likely because it was assumed that developers would know how to securely implement OAuth 2.0. However, many didn't, and without the necessary security controls, many relatively benign web application vulnerabilities could now flourish on a much larger and more bountiful attack surface. An open redirect directly leading to an account compromise? Easy. This talk provides an overview of what should be catered for when integrating OAuth 2.0 into your project and how not to introduce additional security risks. The most common attack vectors and some examples of real-life vulnerabilities in OAuth 2.0 implementations will be presented. Ideally attendees should have a basic understanding of the OAuth 2.0 flow and of web application security.

The presentation is available here.


Source Code Reviews - Why You Should

OWASP 2016 - February 2016 - David Waters

In this talk David makes the case that you should be using security-focused code review as part of your defensive strategy. David discusses the types of bugs that are more easily found with either white-box penetration tests or code reviews, as opposed to more limited penetration tests. David then presents some real-world examples of issues found during code reviews.

The presentation is available here.


Defaced - An insight into methodologies, tools and motivations

OWASP 2015 - February 2015 - Adam Bell

Based on a true story, Adam presented at OWASP 2015 on the incident response methodology that he used for a charitable organisation's security breach. His talk looked at some of the tools that the defacer had left behind and gave an insight into the bad guys' mindset and motives.

The presentation is available here.


Lazily Finding Holes Without Breaking The Law

OWASP 2015 - February 2015 - Nick von Dadelszen

Why risk criminal prosecution by actively testing for security vulnerabilities in websites when a large number of vulnerabilities can be found passively? Nick von Dadelszen and Adam Bell presented at OWASP 2015 after developing a passive scanning tool that continuously finds vulnerabilities as you browse, which could be used to check a large number of sites for common issues in a quick and painless manner.

The presentation is available here.


Crypto 101: A "no crazy maths" guide to crypto VULNERABILITIES

OWASP 2015 - February 2015 - Nick von Dadelszen

While less common than other types of security vulnerabilities, encryption flaws can often have a very high impact. Some big applications, hardware and frameworks have been vulnerable to simple encryption flaws in recent years. Ben delivered this presentation at OWASP 2015 about a variety of crypto flaws which have been observed in web and mobile applications over the last couple of years. He demonstrated how to exploit them and how to protect yourself.

The presentation is available here.


Getting Personal With NFC

AusCERT 2013 - May 2013 - Nick von Dadelszen and Eugene Gibney

Nick and Eugene presented their NFC research at AusCERT 2013. This was a more business-focused approach to the topic.

The presentation is available here.


NFC Redux

Kiwicon 6 - November 2012 - Nick von Dadelszen

NFC Redux takes a look at the changes that have occurred in the Mobile NFC world since the last Kiwicon. The talk included:

  • Updates on the tech and security
  • A new tool release
  • Some crowd-sourcing research

Presentation is available here. Tools downloads are available here.


Mobile NFC 101

OWASP Day 2012 - August 2012 - Nick von Dadelszen

This talk is designed to provide a detailed understanding of NFC on mobile phones and security considerations associated with the technology.

Participants should leave the presentation with an understanding of the technology behind NFC on mobile phones and how it interacts with other systems. They should also gain an understanding of the security considerations for NFC on mobile and how it differs from standard NFC implementations.

Presentation is available here.


An (Unofficial) OWASP Top 10 for Managers

OWASP Day 2012 - August 2012 - Dean Cater and Shahn Harris

The OWASP Top 10 Web Application Security Risks has done a fantastic job at a technical level.

Dean and Shahn have decided to turn their attention to the layer above and create a Top 10 for Managers.

Ten things to assist managers in ensuring that their web application projects are delivered in a secure, measurable, repeatable manner.

Oh… and they don’t cost a lot….

Presentation is available here.


Blindsided By Security

OWASP Day 2012 - August 2012 - Laura Bell

Lateral Security and The Royal New Zealand Foundation of the Blind examine the guidance and security best practice commonly in use for web applications today and how effective they are for those with visual impairments. In addition, a series of improvements and solutions are outlined.

The PDF whitepaper is available here. A screen-reader-friendly Word version is available here.

Privacy Awareness Week 2012

Privacy Awareness Week - May 2012 - Laura Bell

Laura from Lateral Security presented today at the Privacy Forum in Wellington as part of the Privacy Awareness Week 2012. The presentation was on "practical tools to manage privacy risks".

Presentation is available here.

Mobile Apps and RFID

Kiwicon V - November 2011 - Nick von Dadelszen

Nick presented his mobile NFC research at Kiwicon V in Wellington. The talk discussed the good, bad, and ugly of NFC on mobile phones. The presentation is available here and tools released during the presentation are available here.


Combating APT With SRP

ISIG - October 2011 - Tim Thomson

Tim presented at October's ISIG meeting in Wellington. The presentation was on how application whitelisting, and in particular Microsoft's Software Restriction Policies, can be used to help protect against APT-style malware. The presentation can be downloaded here.


Testing Mobile Applications

NZ OWASP Day - July 2011 - Nick von Dadelszen

Nick presented at New Zealand's 2011 OWASP Day security seminar, which Lateral Security sponsored for the third year. Nick's presentation was on Testing Mobile Applications. The presentation can be downloaded here.


Comply Or Die

ISIG - June 2011 - Andrew Kelly

Andrew presented at this month's ISIG meeting in Wellington (and previously at the Auckland meeting). His topic was Comply or Die, discussing how compliance-with-whatever can actually help you to achieve your information security goals. The presentation can be downloaded here.


Sam Banks Presents in New York

New York BSD User Group - April 2011 - Sam Banks

Sam recently presented to the New York BSD User Group on security considerations when deploying BSD High Availability. The presentation covered issues and resolutions or work-arounds to security vulnerabilities in High Availability protocols such as CARP and PFSYNC.

Lateral Security is proud that our knowledge is being shared amongst a wider community of IT professionals and congratulates Sam on a great presentation. The presentation can be downloaded here.


Smart Card Security

Kiwicon III - November 2009 - Nick von Dadelszen

Nick presented his research on smart card security at Kiwicon III, and released some tools to help others audit smart card systems. The presentation can be downloaded here, and released tools can be found here.


Exploiting Native Client

Hacking At Random - August 2009 - Ben Hawkes

Ben Hawkes presented his Google Native Client research at HAR 2009 in the Netherlands in August.

Download here.


Testing Web Services

NZ OWASP Day - July 2009 - Nick von Dadelszen

Nick presented at New Zealand's first OWASP Day security seminar, which was offered free to attendees (Lateral Security also sponsored the event). Nick's presentation was on Testing Web Services, and provided a methodology for doing so.

Download here.


Mobility And Security - Threats and Prevention

Customer Security Awareness Seminar - December 2008 - Ratu Mason

Ratu recently presented an awareness seminar for a New Zealand bank aimed at increasing the awareness of mobile security within their workforce. This presentation covered basic security concepts such as firewalling, antivirus, encryption and the use of strong passwords.

Download here.


Interesting Vulnerabilities of 2008

ISACA Computer Security Day - December 2008 - Nick von Dadelszen and Ratu Mason

This presentation gives an overview of 5 interesting vulnerabilities of 2008 and how good security design and architecture decisions can potentially mitigate new vulnerabilities as they are discovered.

Download here.


Attacking The Vista Heap

Ruxcon 2008 - November 2008 - Ben Hawkes

Lateral Security contractor Ben Hawkes recently presented at the Ruxcon computer security conference in Sydney, Australia. "Attacking the Vista Heap", which was first presented at Black Hat USA in Las Vegas, examined new security measures introduced in Windows Vista. Ben found several new techniques for exploiting memory corruption vulnerabilities despite the improved security, and discussed multiple new measures for securing applications from this type of vulnerability.

Download here.


NZ Malware Distribution

Kiwicon 2k8 - September 2008 - Nick von Dadelszen

Compromised websites are now one of the largest distributors of malware on the Internet, with drive-by downloads being common. Website compromises and malicious JavaScript injections have become automated, and recently massive SQL injection worms have swept the Internet. This talk presents the results of an effort to evaluate the number of New Zealand websites being infected in this way. Nick discusses a tool (BotSearch) written to identify such sites, and also discusses techniques for analysing malicious JavaScript.

Download here.