I had a great time at the SOURCE Boston conference last week. Veracode was a sponsor and a few Veracoders participated as advisory members or volunteers. I had the pleasure, along with Chris Eng, of presiding over the application security track. I think all the talks were of high quality but still a few stood out for me:
Dino Dai Zovi on Mac OS Xploitation. Dino showed how to exploit a quicktime heap overflow. He got the built in iSight camera to take a picture of his victim and send it to him just by clicking on a malicious quicktime movie file. He talked about how exploiting OS X is 1999 all over again because of the lack of ASLR and stack canary protection. He said hacking Windows and Linux is a chore, but OS X is still fun.
Chris Gates and Vince Marvelli on Attacking Layer 8: Client Side Penetration Testing. Client side attacks are on the rise and now the corporate attack of choice yet we don't pen test for them. What's up with that? The video for this one is already available online at Vimeo.
Val Smith on Dissecting Foreign Web Attacks. Val unwound one of the popular attacks of our time: compromising web sites to install malicious code that owns the browser and then installs a bot. We all understand it is possible but it is great to see all the tricks of the trade. It is pretty clear that the source of this one was China.
Chris Hoff on The Frogs Who Desired A King: A Virtualization and Cloud Computing Security Fable Set To Interpretive Dance. This talk is being touted as the best ever. Unfortunately I missed it. Can't wait to see the video.
The videos for all the SOURCE talks should be on-line over the next few weeks. Check www.sourceconference.com
Here is another review of the conference that will help you decide which videos are worth watching: