Biting the Hand that Feeds You - Storing and Serving Malicious Content From Well Known Web Servers

Presented at DEF CON 15 (2007), Aug. 5, 2007, 3 p.m. (50 minutes)

What's in a name? How do you know you should "trust" the content you are receiving? In today's World Wide Web, we place a lot of "trust" into domain names. For many, domain names help determine whether a particular link or file should be trusted, or eyed with suspicion. Domain name trust has even made its way into security systems, considering many of the protections built into our browsers are based strictly on domain names! In this talk, we'll take a look at some simple ways to store and serve malicious content from some of the most popular servers on the Internet. It's time we rethink the ways we've implemented one of our most treasured Web resources... web mail. We'll bite the hand that feeds us by abusing the very features that make web mail services so popular. We'll show you how to use popular web mail servers as a repository for malicious content and how to serve that content to those surfing the World Wide Web (no email address required!)

Presenters:

  • Nathan McFeters - Senior Security Advisor, Ernst & Young
    Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center based out of Houston, TX. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for several clients in the Fortune 500 during his career at Ernst & Young and has served as the Engagement Manager for the ASC's largest client, leading hundreds of web application reviews this year alone. Prior to taking the position with Ernst & Young, Nathan paid his way through undergraduate and graduate degrees at Western Michigan University by doing consulting work for Solstice Network Securities, a company co-founded with Bryon Gloden of Arxan, focused on providing high-quality consulting work for clients in the Western Michigan area. Nathan has an undergraduate degree in Computer Science Theory and Analysis from Western Michigan University and a Master of Science Degree in Computer Science with an emphasis on Computer Security, also from Western Michigan University.
  • Billy Rios - Senior Security Researcher, VeriSign
    Billy Rios is a Senior Researcher for VeriSign's Global Security Consulting Service. He has performed network, application, web-application, source-code, wireless, Internet, Intranet, and dial-up security reviews and penetration testing for numerous clients in the Fortune 500. Prior to joining VeriSign, Billy worked as an Intrusion Detection Analyst with the Defense Information Systems Agency (DISA). While at DISA, Billy provided vulnerability analysis, network intrusion detection, incident response, incident handling and formal incident reporting of incidents related to Department of Defense information systems throughout the entire Pacific Region. Billy has an undergraduate degree in Business (with a formal concentration in Information Systems) from the University of Washington and a Master of Science Degree in Information Systems (with Distinction) from Hawaii Pacific University. Billy is also a Captain in the United States Marine Corps Reserve and served as an active duty Marine Officer during Operation Iraqi Freedom. Billy was recognized by Time magazine as "Person of the Year" for 2006.