Port 80 - it's all they need

A presentation by Thomas Powell (PINT) and me at the Bird Rock Systems luncheon at the Del Mar Race Track on 11th August 2010. We talked about web attacks and the threat landscape as it stands today.
Published on: Mar 4, 2016
Published in: Technology      
Source: www.slideshare.net


Transcripts - Port 80 - it's all they need

  • 1. port 80: It's All They Need. Thomas Powell, PINT and UCSD; Saumil Shah, Net-Square
  • 2. There Be Web Orcs! "I can SQL injectz you!"
  • 3. Why me? You're a commodity (at least your id or cc# is)
  • 4. Better off undead: "Awake my Zombie army and attack!"
  • 5. Big Tuna! "Let's go spear phishing"
  • 6. Hack for hire
  • 7. Scalp Bounties
      - World of Warcraft account: $4
      - Paypal/Ebay account: $8
      - Credit Card: $25
      - Bank Account: $1000
      0-day exploits:
      - WMF Exploit: $4000
      - Quicktime/iTunes/Realplayer: $10000
      - Mac OS X: $10000*
      - Windows 7: $50000
      - IE / Firefox: $100000
      credit: Hacks Happen - Jeremiah Grossman - http://tinyurl.com/hacks-happen
  • 8. Bad people are real. Credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove
  • 9. Build some walls
  • 10. Man the defenses! "No worry, firewall's in place"
  • 11. We're awake! And what do you see?
  • 12. Attack #1: "Charge!" ../cmd.exe &1=1;droptable
  • 13. Attack #2
  • 14. We need a bouncer: "Yer not on the list, so come on in!"
  • 15. The weak minded are easily tricked: "These are not the requests you are looking for"
  • 16. 0-day to the Face! "To get our new signature files you need a valid support plan"
  • 17. Mutations Multiply
  • 18. The Appearance of Security. The Intent Thief: "How quaint a club!"
  • 19. Real Security Tradeoffs: This...
  • 20. Security Tradeoffs: ...or this?
  • 21. I want it all!
  • 22. Attack Surfaces ... and many more
  • 23. The Usual Suspects: Input Tampering, SQL Injection, XSS, CSRF, RFI/LFI
  • 24. Demo Time: Presto!
  • 25. I want to believe! Your Only Defense: Trust No One (User, Packet, Input, etc.)
  • 26. Next Steps?
  • 27. Questions? Thomas A. Powell [email_address] http://www.pint.com Twitter: PINTSD Saumil Shah [email_address] http://net-square.com
