Port 80: It's All They Need
Thomas Powell, PINT and UCSD
Saumil Shah, Net-Square
There Be Web Orcs! I can SQL injectz you!
Why me? You're a commodity (at least your ID or CC# is)
Better off undead: "Awake my Zombie army and attack!"
Big Tuna! "Let's go spear phishing"
Hack for hire
Scalp Bounties

Account / credential prices:
  World of Warcraft account        $4
  Paypal/Ebay account              $8
  Credit Card                      $25
  Bank Account                     $1000

0-day exploit prices:
  WMF Exploit                      $4000
  Quicktime/iTunes/Realplayer      $10000
  Mac OS X                         $10000*
  Windows 7                        $50000
  IE / Firefox                     $100000

credit: Hacks Happen - Jeremiah Grossman - http://tinyurl.com/hacks-happen
Bad people are real
credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove
Build some walls
Man the defenses! "No worry, firewall's in place"
We’re awake! and what do you see?
Attack #1 "Charge!"  ../cmd.exe  &1=1;droptable
Attack #2
We need a bouncer: "Yer not on the list, so come on in!"
The weak minded are easily tricked: "These are not the requests you are looking for"
0-day to the Face! "To get our new signature files you need a valid support plan"
Mutations Multiply
The Appearance of Security
The Intent Thief: "How quaint a club!"
Real Security Tradeoffs This...
Security Tradeoffs ...or this?
I want it all!
Attack Surfaces and many more
The Usual Suspects: Input Tampering, SQL Injection, XSS, CSRF, RFI/LFI
Demo Time Presto!
I want to believe!
Your Only Defense: Trust No One (User, Packet, Input, etc.)
Next Steps?
Questions?
Thomas A. Powell  [email_address]  http://www.pint.com  Twitter: PINTSD
Saumil Shah  [email_address]  http://net-square.com