Implementing a strong defensive posture rarely earns much overt recognition, but a job well done lets you sleep soundly, knowing the crown jewels are out of reach of most intruders. Today's trio of Black Hat Europe 2015 Briefings all focus on closing loopholes and hardening systems, all the better for getting the 7.5 hours of sleep doctors keep harping on.
CloudFlare knows more about denial of service than most, since absorbing such attacks on behalf of its customers is the company's business. As they put it, at some point buying more bandwidth stops being enough, and more thoughtful interventions are needed. Come to Lessons from Defending the Indefensible for a tour of the many layers of defenses they've built to keep their sites online. You'll hear why increasing the backlog queue size may hurt you, why a server can't send more than 200k SYN cookies per second, how to stop a botnet with iptables, ipsets, and the hashlimit match, and how to process 10M packets per second on a single commodity server. Expect a big focus on BPF, one of their favorite defensive tricks.
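To make the hashlimit idea concrete, here is an added example (not CloudFlare's code and not material from the talk) that reimplements the semantics of the iptables hashlimit match in plain Python: one token bucket per source, or per enclosing prefix in the style of --hashlimit-srcmask, refilled at a fixed rate up to a burst ceiling. The sample traffic, the rate and burst values, and the millisecond timestamps are all constructed for the illustration; only the bucket logic mirrors what the kernel match does.

```python
"""Per-source rate limiting in the style of the iptables hashlimit match.

Added illustration, not CloudFlare's code and not the talk's material.
hashlimit keeps one token bucket per hash key, here the source address
or, like --hashlimit-srcmask, its enclosing prefix. The bucket refills
at ``rate`` tokens per second up to ``burst`` tokens and each packet
costs one token. Timestamps are integer milliseconds and token counts
are exact fractions so the verdicts are deterministic.
"""
from collections import defaultdict
from fractions import Fraction
from ipaddress import ip_network


class HashLimit:
    def __init__(self, rate, burst, srcmask=32):
        self.rate = Fraction(rate, 1000)   # integer tokens/second -> tokens per ms
        self.burst = Fraction(burst)       # bucket capacity
        self.srcmask = srcmask
        self.buckets = {}                  # key -> (tokens, last_ms)

    def key(self, src):
        # Aggregate sources by prefix so a botnet of many low-rate hosts
        # inside one network shares a single bucket.
        return str(ip_network(f"{src}/{self.srcmask}", strict=False))

    def accept(self, src, now_ms):
        k = self.key(src)
        tokens, last = self.buckets.get(k, (self.burst, now_ms))
        # Refill for the elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + (now_ms - last) * self.rate)
        ok = tokens >= 1
        if ok:
            tokens -= 1
        self.buckets[k] = (tokens, now_ms)
        return ok


def filter_packets(packets, rate, burst, srcmask=32):
    """Return {key: {"accepted": n, "dropped": m}} for (ms, src) packets."""
    lim = HashLimit(rate, burst, srcmask)
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for ts, src in sorted(packets):          # process in arrival order
        verdict = "accepted" if lim.accept(src, ts) else "dropped"
        stats[lim.key(src)][verdict] += 1
    return dict(stats)


# Constructed sample traffic (not captured data).
# One legitimate client: 5 SYNs, one per second.
LEGIT = [(1000 * i, "192.0.2.10") for i in range(5)]
# One flooding host: 100 SYNs in one second.
FLOOD = [(10 * i, "203.0.113.77") for i in range(100)]
# A /24 of 50 bots, each sending a single SYN, one per millisecond.
BOTNET = [(i, f"203.0.113.{i + 1}") for i in range(50)]

if __name__ == "__main__":
    print(filter_packets(LEGIT + FLOOD, rate=10, burst=20))
    print(filter_packets(BOTNET, rate=10, burst=20, srcmask=32))
    print(filter_packets(BOTNET, rate=10, burst=20, srcmask=24))
```

Run it and compare the two BOTNET results: keyed per /32, every bot's single packet is accepted because each has a fresh bucket, which is exactly why a per-host limit does nothing against a distributed flood; keyed per /24, the whole subnet shares one bucket and all but the first twenty packets are dropped. The price of the coarser key is collateral damage to legitimate hosts in the same prefix, which is the trade-off to weigh before widening srcmask in production.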
Next, Rails handles a large subset of developers' security needs, keeping them safe from SQL injection, XSS, and CSRF right out of the box. But what about authentication and authorization logic? There, anything goes: Rails leaves it to developers to build a sensibly secure scheme themselves. Going AUTH the Rails on a Crazy Train will delve into patterns the researchers have observed in some of the biggest Rails applications on the web, pointing out common pitfalls that could endanger an entire enterprise. They'll also release a new dynamic analysis tool for Rails applications that helps pentesters navigate an application's authentication and authorization logic.
Finally, Kerberos, the default authentication protocol on Windows networks, is a prime target for attackers. The past year's research has produced powerful new attacks that let intruders steal credentials and penetrate enterprise data centers. Now the other shoe drops in Watching the Watchdog: Protecting Kerberos Authentication with Network Monitoring. The speakers present a novel method that detects and defeats all of the new attacks (Golden Ticket, Skeleton Key, etc.) using network monitoring alone. Also expect a new Golden Ticket variation (along with its countermeasure) and the release of Kerberos Leash, a tool that implements some of these defensive techniques.
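As an added illustration of what a passive network monitor can see, here is one simple Golden Ticket heuristic in Python. It is not the Watching the Watchdog method and not Kerberos Leash; the heuristic, the one-line log format, the hostnames and the log lines are all assumptions constructed for this example. The idea it relies on is a property of the attack itself: a Golden Ticket is a TGT forged offline with the krbtgt key, so the KDC never issued it, and the first thing the network sees is a TGS-REQ presenting a TGT that no AS-REP ever delivered to that client.

```python
"""Spotting a forged TGT (Golden Ticket) from observed Kerberos exchanges.

Added illustration; not the talk's method or the Kerberos Leash tool, and
the heuristic is an assumption of this example. The monitor records every
AS-REP (a TGT issued to client IP + principal) and flags a TGS-REQ whose
(client, principal) pair has no AS-REP within the domain's maximum TGT
lifetime. The log format is made up: '<ISO time> <client ip> <msg type>
key=value ...', where <client ip> is the workstation side of the
exchange for both requests and replies. All lines below are constructed.
"""
from datetime import datetime, timedelta

# Active Directory default for "Maximum lifetime for user ticket".
MAX_TGT_LIFETIME = timedelta(hours=10)


def parse_line(line):
    """Turn one constructed log line into a dict of its fields."""
    ts, client, msgtype, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
           "client": client, "type": msgtype}
    rec.update(dict(item.split("=", 1) for item in kv))
    return rec


def find_orphan_tgts(lines, max_lifetime=MAX_TGT_LIFETIME):
    """Return the TGS-REQ records that present a TGT never seen being issued."""
    issued = {}    # (client ip, principal) -> time of last observed AS-REP
    alerts = []
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        key = (rec["client"], rec["cname"].lower())
        if rec["type"] == "AS-REP":
            issued[key] = rec["ts"]
        elif rec["type"] == "TGS-REQ":
            seen = issued.get(key)
            # No AS-REP at all, or one too old for the TGT to still be valid.
            if seen is None or rec["ts"] - seen > max_lifetime:
                alerts.append(rec)
    return alerts


# Constructed sample capture (not real traffic).
SAMPLE_LOG = [
    # alice logs on normally: AS exchange, then a service ticket request.
    "2015-11-10T08:00:00Z 10.0.0.5 AS-REQ cname=alice sname=krbtgt/CORP.EXAMPLE",
    "2015-11-10T08:00:01Z 10.0.0.5 AS-REP cname=alice sname=krbtgt/CORP.EXAMPLE",
    "2015-11-10T08:05:00Z 10.0.0.5 TGS-REQ cname=alice sname=cifs/fs01.corp.example",
    # A host that never completed an AS exchange asks for a service ticket
    # as Administrator: the TGT it presents was not issued on this network.
    "2015-11-10T09:30:00Z 10.0.0.99 TGS-REQ cname=Administrator sname=cifs/dc01.corp.example",
    # bob's only observed TGT is eleven days old, far past any TGT lifetime.
    "2015-10-30T07:00:00Z 10.0.0.7 AS-REP cname=bob sname=krbtgt/CORP.EXAMPLE",
    "2015-11-10T07:00:00Z 10.0.0.7 TGS-REQ cname=bob sname=ldap/dc01.corp.example",
]

if __name__ == "__main__":
    for a in find_orphan_tgts(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['client']} TGS-REQ as {a['cname']}: "
              f"TGT not observed being issued")
```

Before trusting a check like this in production, note what it assumes: the sensor must see traffic to every domain controller (a TGT issued by a DC it does not cover looks exactly like a forged one), TGT renewals carried in TGS-REQ/TGS-REP would need to extend the recorded issue time, and clients that logged on before monitoring started will all fire once until their tickets expire. Those gaps are the reason the page's talk promises more than a single heuristic.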
Black Hat Europe 2015 takes place November 10-13 in Amsterdam. If you want in on these exciting Briefings, you really ought to register!