Xploiting Google Gadgets: Gmalware and Beyond

Presented at DEF CON 16 (2008), Aug. 8, 2008, 1 p.m. (50 minutes)

Google Gadgets are symptomatic of the Way 2.0 Way of things: from lame gadgets that rotate through pictures of puppies to calendars, and inline email on your iGoogle homepage. This talk will analyze the security history of Google Gadgets and demonstrate ways to exploit Gadgets for nefarious purposes. We will also show ways to create Gadgets that allow you to port scan internal systems and do various JavaScript hacks via malicious (or useful) gadgets, depending on your point of view. We've already ported various JavaScript attack utilities to Google Gadgets (like PDP's JavaScript port scanner) among other things. We will also disclose a zero-day vulnerability in Google Gadgets that makes Gmalware (Gmodules-based malware) a significant threat.


Presenters:

  • Robert Hansen / RSnake - CEO SecTheory (as Robert "RSnake" Hansen)
    Robert "RSnake" Hansen (CISSP) is the Chief Executive Officer of SecTheory. SecTheory is a web application and network security consulting firm. Robert has been working with web application security since the mid 90's, beginning his career in banner click fraud detection at ValueClick. Robert has worked for Cable & Wireless heading up managed security services, and at eBay as Sr. Global Product Manager of Trust and Safety, focusing on anti-phishing, anti-cross-site scripting, and anti-virus strategies. Robert also sits on the technical advisory board of ClickForensics and contributes to the security strategy of several startup companies. Robert is best known for founding the web application security lab at ha.ckers.org and co-authoring XSS Exploits and Defense. Robert is a member of WASC, IACSP, and ISSA, and contributed to the OWASP 2.0 guide.
  • Tom "strace" Stracener - Senior Security Analyst
    Tom "strace" Stracener is Cenzic's Sr. Security Analyst reporting to the office of the CTO. Mr. Stracener was one of the founding members of nCircle Network Security. While at nCircle he served as the head of vulnerability research from 1999 to 2001, developing one of the industry's first quantitative vulnerability scoring systems, and co-inventing several patented technologies. Mr. Stracener is an experienced security consultant, penetration tester, and vulnerability researcher. One of his patents, 'Interoperability of vulnerability and intrusion detection systems,' was granted by the USPTO in October 2005. Tom is the Senior Security Analyst for Cenzic's CIA Labs. Tom has spoken at various conferences including New York Security Conference, ISSA, OWASP, Defcon, and others.
