Date: Feb 02/29/12 7:00 AM
Subject: Owasp-boston Digest, Vol 60, Issue 4
From: Jim Weiler

Send Owasp-boston mailing list submissions to
    owasp-boston@lists.owasp.org

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.owasp.org/mailman/listinfo/owasp-boston
or, via email, send a message with subject or body 'help' to
    owasp-boston-request@lists.owasp.org

You can reach the person managing the list at
    owasp-boston-owner@lists.owasp.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Owasp-boston digest..."

Today's Topics:

   1. OWASP March mtg- Thurs. March 8 (Weiler, Jim)

----------------------------------------------------------------------

Message: 1
Date: Tue, 28 Feb 2012 10:31:35 -0500

6:30 at JobSpring, Boylston St., with the Boston Security Meetup group. Speaker will be VP for Security Research at Zscaler, along with other speakers at the security meetup.

Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers

Today, everything from kitchen appliances to television sets comes with an IP address. Network connectivity for various hardware devices opens up exciting opportunities. Forgot to lower the thermostat before leaving the house? Simply access it online. Need to record a show? Start the DVR with a mobile app. While embedded web servers are now as common as digital displays in hardware devices, sadly, security is not. What if that same convenience exposed photocopied documents online or allowed outsiders to record your telephone conversations? A frightening thought indeed.

Software vendors have been forced to climb the security learning curve. As independent researchers uncovered embarrassing vulnerabilities, vendors had little choice but to plug the holes and revamp development lifecycles to bake security into products. Vendors of embedded web servers have faced minimal scrutiny and as such are at least a decade behind when it comes to security practices.
Today, network-connected devices are regularly deployed with virtually no security whatsoever.

The risk of insecure embedded web servers has been amplified by insecure networking practices. Every home and small business now runs a wireless network, but it was likely set up by someone with virtually no networking expertise. As such, many devices designed only for LAN access are now unintentionally Internet-facing and wide open to attack from anyone, regardless of their location.

Leveraging the power of cloud-based services, Zscaler spent several months scanning large portions of the Internet to understand the scope of this threat. Our findings will make any business owner think twice before purchasing a 'wifi enabled' device. We'll share the results of our findings, reveal specific vulnerabilities in a multitude of appliances and discuss how embedded web servers will represent a target-rich environment for years to come.

More info to follow.

Jim Weiler CISSP CSSLP GSSP - Java
Application Security Architect
Starwood Hotels
1505 Washington St. Braintree MA. 02184
desk - 781 356 0067
mobile - 7816546048