OWASP Chapter Meeting
The Fourth Avenue Building (FAB), which contains the Computer Science Department, is east of the main campus at 1900 SW 4th Ave., Portland, OR 97201. It is just north of the City of Portland's tower at the same address. The underground parking garage entrance is just south of the tower, on the right side of the street.
The event will be held in room 86-01. Take the elevator or stairs down to basement and follow the signs. Entrances are well-staffed, if you have any questions. Failing that, call 503.453.6253 for assistance.
Double Feature! For this chapter meeting, we have two protocol-oriented talks at PSU. Basic refreshments will be provided.
Kevin P. Dyer presents:
What Encryption Leaks and Why Traffic Analysis Countermeasures Fail
As more applications become web-based, an increasing amount of client-server interactions are exposed to our networks and vulnerable to Traffic Analysis (TA) attacks. In one form, TA attacks exploit the lengths and timings of packets in a protocol's flow to infer sensitive information about communications. In the context of encrypted HTTP connections, such as HTTP over SSH, this means an adversary can determine which website a user is visiting. In the context of a specific web application, an adversary can determine user input by viewing only a few client-server interactions.
Recent advances in the application of Machine Learning tools demonstrate that TA attacks are possible despite industry-standard encryption such as TLS, SSH or IPSec. What is more, even if a protocol uses stronger countermeasures, such as fixed-length per-packet padding, this incurs significant overhead but only provides limited security benefit. These types of security vs. efficiency trade-offs are of immediate concern to security-aware applications such as Tor, and performance-sensitive application features such as Google Search Autocomplete.
In this talk, Kevin will address the state-of-the-art TA attacks and proposed countermeasures in the context of network and web application security. Most importantly, he will discuss open problems in this area and why a general-purpose TA countermeasure remains elusive.
Timothy D. Morgan presents:
HTTPS, Cookies, and Men-in-the-Middle: Why You Shouldn't Allow Marketing Departments to Design Your Security Protocols
Login session management in modern web applications is largely dominated by use of HTTP cookies. However, HTTP cookies were never designed for secure applications, which has led to a significant number of protocol security problems.
In this talk, Tim will start with a brief background on why HTTP cookies are a poorly-conceived mechanism to begin with, and continue with a discussion of how this impacts security. He will describe several lesser-known cookie-based session management problems that remain wide spread and allow for session hijacking through a variety of clever attacks.
Kevin P. Dyer is a PhD student at Portland State University. His research focuses on building protocols that are resistant to Traffic Analysis attacks. Prior to his academic life, Kevin worked as an engineer on various projects in telecommunications security, web security and network security. Kevin holds an MSc in the Mathematics of Cryptography and Communications from Royal
Holloway, University of London, and a BS in Computer Science and Mathematics from Santa Clara University.
Timothy D. Morgan is a consultant at Virtual Security Research, LLC (VSR). As an application security specialist and digital forensics researcher, Tim has been taking deep technical dives in security for over a decade. Tim resides in Oregon and works at VSR where he helps to secure his customers' environments through penetration testing, training, and forensics investigations. His past security research has culminated in the release of several responsibly disclosed vulnerabilities in popular software products. Tim also develops and maintains several open source digital forensics tools which implement novel data recovery algorithms.
The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland
Meetings are free and open to the public.