Port 80 - it's all they need

A presentation by Thomas Powell (PINT) and me at the Bird Rock Systems luncheon at the Del Mar Race Track on 11 August 2010.

We talked about web attacks and the threat landscape as it stands today.


1. port 80: It's All They Need. Thomas Powell, PINT and UCSD; Saumil Shah, Net-Square
2. There Be Web Orcs! "I can SQL injectz you!"
3. Why me? You're a commodity (at least your id or cc# is)
4. Better off undead: "Awake my Zombie army and attack!"
5. Big Tuna! "Let's go spear phishing"
6. Hack for hire
7. Scalp Bounties
   - World of Warcraft account $4
   - Paypal/Ebay account $8
   - Credit Card $25
   - Bank Account $1000
   - WMF Exploit $4000
   - Quicktime/iTunes/Realplayer $10000
   - Mac OS X $10000*
   - Windows 7 $50000
   - IE / Firefox $100000
   (0-day exploits; credit: Hacks Happen - Jeremiah Grossman - http://tinyurl.com/hacks-happen)
8. Bad people are real (credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove)
9. Build some walls
10. Man the defenses! "No worry, firewall's in place"
11. We're awake! And what do you see?
12. Attack #1: "Charge!" ../cmd.exe &1=1;droptable
13. Attack #2
14. We need a bouncer: "Yer not on the list, so come on in!"
15. The weak minded are easily tricked: "These are not the requests you are looking for"
16. 0-day to the Face! "To get our new signature files you need a valid support plan"
17. Mutations Multiply
18. The Appearance of Security. The Intent Thief: "How quaint a club!"
19. Real Security Tradeoffs: This...
20. Security Tradeoffs: ...or this?
21. I want it all!
22. Attack Surfaces, and many more
23. The Usual Suspects: Input Tampering, SQL Injection, XSS, CSRF, RFI/LFI
24. Demo Time: Presto!
25. I want to believe! Your Only Defense: Trust No One (User, Packet, Input, etc.)
26. Next Steps?
27. Questions? Thomas A. Powell [email_address] http://www.pint.com Twitter: PINTSD; Saumil Shah [email_address] http://net-square.com
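Slides 23 and 25 name the usual suspects (input tampering, SQL injection, XSS) and the one rule that covers them: trust no input. The following is an added illustration, not code from the talk or from PINT/Net-Square, showing in Python with the standard sqlite3 module what "trust no one" looks like in practice: a lookup that pastes user input into SQL next to the same lookup with a bound parameter, an allowlist for the one place a parameter cannot be bound (a column name), and output encoding before user text is put into HTML. The table, rows and function names are constructed for the example.

```python
import html
import sqlite3

# Constructed sample data for the example (not from the slides).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.invalid"), (2, "bob", "bob@example.invalid")],
    )
    return conn

def lookup_unsafe(conn, name):
    # Trusts the user: the name is concatenated straight into the SQL text,
    # so a value containing a quote changes the meaning of the query.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Bound parameter: the driver passes the value separately from the SQL,
    # so whatever the user typed is only ever compared, never parsed.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

# Column names cannot be bound as parameters, so the only safe option is an
# allowlist of the identifiers the application itself defines.
ALLOWED_SORT = {"id", "name"}

def list_users_safe(conn, sort_by):
    if sort_by not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    return conn.execute("SELECT id, name FROM users ORDER BY " + sort_by).fetchall()

def render_greeting(name):
    # Output encoding: user-controlled text is escaped before it lands in HTML,
    # so it is displayed as text rather than interpreted as markup or script.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(conn, probe))   # every row comes back
    print("safe:  ", lookup_safe(conn, probe))     # nobody is literally named that
    print(render_greeting("<b>guest</b>"))
```

The same pattern applies to every input source the slide lists: validate against what the application expects, bind values rather than splice them, and encode on output for the context they are written into.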
