Getting SSLizzard

Presented at DEF CON 19 (2011), Aug. 7, 2011, noon (50 minutes)

The world has seen a seismic shift from browser-based web applications to GUI-rich semi-thick client applications running on handheld mobile devices. In the browser world, the industry had placed a great deal of time and energy towards providing users visual cues to indicate the level of security and trust, i.e. that the data being transmitted to the remote server is protected and not falling into the hands of unintended recipients. In the mobile device world, these visual cues are mostly nonexistent, resulting in the inherent trust that the underlying APIs are ensuring a level of security before transmitting a user's sensitive data. In our research, we tested the most popular apps on both the iOS and Android platforms. We ran each app through a data transmission assault course that contained various historic, contemporary, and obscure SSL attacks and documented the results. In this presentation, we will discuss and demonstrate flaws at both the application and OS layers that need to be addressed by the mobile app developers as well as the mobile device manufacturers. A utility called "SSLizzard" will also be released for use by mobile application developers to test their mobile apps and their behavior against the SSL-based attacks discussed in this talk.


Presenters:

  • Nicholas J. Percoco - Senior Vice President and Head of SpiderLabs at Trustwave
    Nicholas J. Percoco: With more than 14 years of information security experience, Percoco is the lead security advisor to many of Trustwave's premier clients and assists them in making strategic decisions around security compliance regimes. He leads the SpiderLabs team that has performed more than 1000 computer incident response and forensic investigations globally, run thousands of penetration and application security tests for clients, and conducted security research to improve Trustwave's products. Percoco and his research have been featured by many news organizations including: The Washington Post, eWeek, PC World, CNET, Wired, Hakin9, Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The Times of London, NPR and The Wall Street Journal. Twitter: c7five
  • Paul Kehrer - SSL Architect, Trustwave
    Paul Kehrer is a web developer and programmer at Trustwave with extensive experience with X.509 and PKI, including writing and maintaining a registration authority. Since 2007, Paul has led the team responsible for the design and infrastructure of Trustwave's Certification Authority. Paul enjoys baking cakes in his spare time. Twitter: reaperhulk