"DNSSEC & DNS Security" (PDF)

Presented by Steve Pinkham of Maven Security at MIS InfoSec World 2008 on March 12, 2008

• Introduction to DNSSEC core technology
• Current attack vectors into the DNS system
• Protections afforded by DNSSEC
• Current implementation pitfalls and problems, with some suggested workarounds
• What DNSSEC can and cannot do: impact on phishing, pharming and beyond

Reference Sheets

Maven Security's Favorite Web Application Security Testing Tools updated Sept 2007
This is a one-page summary of the best tools available for remotely testing the security of a web-based application. Most are freeware and/or open source. In the right hands they are very powerful.

Nmap Reference Sheet
A one-page PDF summary of nmap usage and command-line options.
This was taken directly from the nmap documentation (man page) and put into a single page layout for easy reference.

Presentations

"Emerging Trends in Hacking Tools & Techniques" (PDF)
Presented by David Rhoades of Maven Security.
September 11, 2007 at the Network Security Conference for ISACA in Las Vegas.
90 minute presentation that covers recent trends in information security

"Wireless Security Attacks & Defense" (PDF)
Presented by Steve Pinkham of Maven Security.
September 2007 at the IT Security Showcase in Hong Kong for HKPC.
This short presentation discusses current trends in Wi-Fi security and outlines best practices for deploying and auditing both securely authenticated and public Wi-Fi in organizations of varying sizes.

"Emerging Trends in Hacking Tools & Techniques" (PDF)
Presented by David Rhoades of Maven Security.
September 2007 at the IT Security Showcase in Hong Kong for HKPC.
35 minute presentation that covers recent trends in XSS and SQL Injection.

"Session #44 - Effective Vulnerability Testing" (zipped PDF)
Session 44 taught at "The 26th Annual Conference & Expo on Control and Audit" in Boston, MA on November 15, 2006.
A short presentation that discusses security testing best practices, tips, and some tools and techniques.

"Online Retail: Protecting Your Website" (PDF)
Session R5 taught at IT Security World Conference in San Francisco, CA on September 26, 2006.
A short presentation that discusses PCI Dss v1.1 and web application firewalls.

"CISO's Guide to Ethical Hacking" (zipped PDF)
Presented at the Canadian Financial Institute CIRT (CFI-CIRT) event in Toronto, Canada on Feb. 9, 2006.
This session discusses key areas to consider when using ethical hacking as part of your overall security program. This session includes case studies and insights from CISOs across several industries, including banking.

"Ethical Phishing Case Study" (zipped PDF)
Maven Security was hired to conduct a security assessment for an insurance company. The assessment employed various forms of social engineering and phishing which resulted in Maven Security gaining remote access to policy holder data. This short presentation outlines the technical details of the attacks used, and suggests a few simple solutions to mitigate the exposures presented by these forms of attack.

"In-depth Topics for Web Application Security (2005-12)" (zipped PDF)
Presented for USENIX at LISA 2005.
Overview of remote web app security auditing techniques, using mod_security as an application firewall, and tips for testing for cross-site scripting (XSS).

"De-Evolution of the Hacker"
(last updated January 29, 2003 - presented at COMNET 2003)

"Taking the Stand: Expert Witness Case Studies" version 2.0 (PDF)
The Federal Trade Commission investigation of the Tower Record's incident of December 2002.
Also, US vs. Herbert Pierre-Louis: The 2nd case ever to be tried in the US under 18 U.S.C. Section 1030

White Papers

Session ID Case Study

Basic Authentication Log Out (v1.0 - last updated June 10, 2002).