—< NORTHEAST OHIO INFORMATION SECURITY FORUM MEETING —< Wednesday December 15, 2010 —< 6:30 PM – 8:00 PM —< Pizza and social start 6:00 PM —< Location: Park Center Plaza #1, 6100 Oak Tree Blvd, off Rockside Road, Independence, Ohio —< Open to everyone and free as always The Northeast Ohio Information Security Forum will meet for its monthly meeting on Wednesday January 19, 2010 starting at 6:30 PM. It will be held in the lower level of the Park Center Plaza #1 building (in the large room on lower level) off of Rockside Road in Independence. I’ve included links to maps and directions in this email. We have two talks planned… +++ What the FOCA – Chris Murrey, SecureState +++ Vulnerabilities in Third Party Web Applications – Gary McCully, SecureState See bottom of email for talk abstracts. PRIZES! Did we get your attention? We plan to have some prize giveaways as well. Don’t forget to come early, starting at 6:00 PM, for pizza and pop. Another great meeting from NEO Info Sec Forum – we hope to see you there! – NEOISF Board – ============================================================ [Location] Park Center Plaza 1 6100 Oak Tree Blvd Google maps link: TinyURL link http://tinyurl.com/neoisfmtg [Directions] 1. I-77 2. Rockside Road exit 3. West on Rockside Road 4. 2nd light go South onto Oak Tree Blvd 5. Pull into the 3rd driveway on the right 6. Go to lower level Signs will be posted on the building. ============================================================ TALK ABSTRACTS Title: What the FOCA – Chris Murrey, SecureState In this presentation, Chris Murrey of SecureState will provide a detailed overview of FOCA, a tool for extracting metadata as well as discovery of systems. Attendees will leave with a thorough understanding of the tool, including proper use. Chris Murrey’s BIO: As a member of SecureState’s Profiling Team, Chris Murrey is passionate about the role he plays in ethical hacking. Mr. Murrey performs technical security assessments on a weekly basis, specifically Web Application Security Assessments and External Penetration Tests. An Offensive Security Certified Professional and Microsoft Certified Systems Administrator, Mr. Murrey previously worked in the IT sector for a Cleveland printing company and as a “jack of all trades” for a multi-million dollar corporation. Title: Vulnerabilities in Third Party Web Applications, Gary McCully It’s a third party web application. . . Of course it’s secure. They have a whole team of people who thoroughly test their software before it’s released to the public.” Many organizations are installing third party web applications in their production environment without subjecting the applications to a formal web application security assessment. These organizations assume that third party software is more secure than the web applications that are internally designed. All web applications, whether they are third party or not, should go through a formal web application security review before they are placed in the production environment. To illustrate the risks of installing an insecure third party web application, Gary McCully will walk through a series of vulnerabilities he has found in a third party web application which can lead to remote code execution on the underlying operating system. Gary's BIO: Gary McCully is a Security Consultant on SecureState’s Profiling Team. At SecureState, Mr. McCully performs Vulnerability Assessments, War Dialing, Firewall Reviews, Penetration Tests, Physical Penetration Tests, and Web Application Security Reviews. Mr. McCully recently passed the CISSP certification exam, establishing himself as an (ISC)2 Associate. Passionate about expanding his knowledge and expertise, Mr. McCully’s research interests include the discovery and exploitation of buffer overflows, lock picking, and SSL vulnerabilities. Before joining SecureState, Mr. McCully worked as a Security Analyst at National City Bank, where he was responsible for the corporate usage compliance program, and offshore user access. Mr. McCully also worked with technical teams to ensure software was implemented with proper security controls, and assisted with the Vendor Security Review Program.