Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests

Presented at DEF CON 19 (2011), Aug. 7, 2011, 10 a.m. (50 minutes).

Earth vs. The Giant Spider: Amazingly True Stories of Real Penetration Tests brings the DEF CON 19 audience the most massive collection of weird, downright bizarre, freaky, and altogether unlikely hacks ever seen in the wild. This talk focuses on complex hacks found in real environments, some in very high-end and important systems, that are unlikely but true. Through stories and demonstrations we will take the audience into a bizarre world where odd business logic flaws get you almost free food (including home shipping), sourcing traffic from port 0 allows ownership of the finances of a nation, and security systems are used to hack organizations. The SpiderLabs team delivered more than 2300 penetration tests last year, giving us access to a huge variety of systems and services, so we have collected a compendium of the coolest and oddest compromises from the previous year to present at DEF CON. Our goal is to show effective attacks rather than the trivial ones that automated methods can find. By the end of this presentation we hope to have the audience thinking differently about the systems and applications that organizations use every day, and how they may be used against them.

Presenters:

  • Rob Havelt - Director of Penetration Testing, Trustwave SpiderLabs
    Rob Havelt is the director of penetration testing at Trustwave's SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. Rob has worked in offensive security seemingly forever; from running a start-up ISP to working as a TSCM specialist, he has held just about every job possible in the realm of system administration and information security. Formerly a bourbon-fueled absurdist, raconteur, and man about town, currently a sardonic workaholic occasionally seeking meaning in the finer things in life, Rob is, and will always be, a career hacker.
  • Wendel Guglielmetti Henrique - Security Consultant, Trustwave SpiderLabs
    Wendel Guglielmetti Henrique is a Security Consultant at Trustwave's SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. He has over 11 years of experience in Information Technology, the last 6 of which have been dedicated to penetration testing. He has performed security-focused code reviews, secure development training, forensic analysis and security assessments. Wendel has performed countless network, application and web application penetration tests for organizations across the globe, including government, banking and commercial sectors, as well as the payment card industry. Recent presentations include Black Hat Arsenal 2010 (USA), OWASP AppSec Research 2010 (Sweden) and Black Hat Europe 2010 (Spain). Previously, Wendel spoke at Troopers 09 (Germany), OWASP AppSecEU09 (Poland) and YSTS 3.0 (Brazil), and has spoken at well-known security conferences such as DEF CON 16 (USA) and H2HC (Brazil). In 2002, Wendel developed a tool to detect and remove the famous BugBear virus before most antivirus companies around the world had done so. During his career he has discovered vulnerabilities across a diverse set of technologies, including webmail systems, wireless access points, remote access systems, web application firewalls, IP cameras, and IP telephony applications. Tools he has written have been used as examples in national magazines such as PCWorld Brazil and international ones such as Hakin9 Magazine.