Biting tha Hand that Feeds You - Storing and Serving Malicous Content >From Well Known Web Servers

Presented at DEF CON 15 (2007), Aug. 5, 2007, 3 p.m. (50 minutes).

Whats in a name? How do you know you should "trust" the content you are receiving? In today's World Wide Web, we place a lot of "trust" into domain names. For many, domain names help determine the whether a particular link or file should be trusted, or eyed with suspicion. Domain name trust has even made its way into security systems, considering many of the protections built into our browsers are based strictly on domain names! In this talk, we'll take a look at some simple ways to store and serve malicious content from some of the most popular servers on the Internet. It's time we rethink the ways we've implemented one of our most treasured Web resources... web mail. We'll bite the hand that feeds us by abusing the very features that make web mail services so popular. We'll show you how to use popular web mail servers as a repository for malicious content and how to serve that content to those surfing the World Wide Web (no email address required!)

Presenters:

  • Billy Rios - Senior Security Researcher, VeriSign
    Billy Rios is a Senior researcher for VeriSign's Global Security Consulting Service. He has performed network, application, web-application, source-code, wireless, Internet, Intranet, and dial-up security reviews and penetration testing for numerous clients in the Fortune 500. Prior to joining VeriSign, Billy worked as an Intrusion Detection Analyst with the Defense Information Systems Agency (DISA). While at DISA, Billy provided vulnerability analysis, network intrusion detection, incident response, incident handling and formal incident reporting of incidents related to Department of Defense information systems throughout the entire Pacific Region. Billy has an undergraduate degree in Business (with a formal concentration Information Systems) from the University of Washington and a Master of Science Degree in Information Systems (with Distinction) from Hawaii Pacific University. Billy is also a Captain in the United States Marine Corps Reserve and served as an active duty Marine Officer during Operation Iraqi Freedom. Billy was recognized by Time magazine as "Person of the Year" for 2006.
  • Nathan McFeters - Senior Security Advisor, Ernst & Young
    Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center based out of Houston, TX. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for several clients in the Fortune 500 during his career at Ernst & Young and has served as the Engagement Manager for the ASC#s largest client, leading hundreds of web application reviews this year alone. Prior to taking the position with Ernst & Young, Nathan paid his way thru undergrad and graduate degrees at Western Michigan University by doing consulting work for Solstice Network Securities a company co-founded with Bryon Gloden of Arxan, focused on providing high-quality consulting work for clients in the Western Michigan area. Nathan has an undergraduate degree in Computer Science Theory and Analysis from Western Michigan University and a Master of Science Degree in Computer Science with an emphasis on Computer Security, also from Western Michigan University.

Links:

Similar Presentations: