Presented at
BSidesDC 2017,
Oct. 8, 2017, 12:30 p.m.
(50 minutes)
Automation is great! It enables us to accomplish complex tasks in a fraction of the time and removes the need to manually perform mundane, redundant actions. In IT especially, we’ll spend 20 hours coding a script that will save us from a boring, 10 minute recurring activity (and be happy about time well spent!). Crimeware groups and other threat actors have the same mindset, except that they’re interested in methods that will operate at scale to net a profit, bypass defenses, and protect their identity. This talk will demonstrate the use of automation tools like Sentry MBA, PhantomJS, and Selenium to mimic human interaction against vulnerable fields on websites, while incorporating techniques to defeat common anti-bot defenses like CAPTCHA, to accomplish Account Takeover (ATO), Database Stuffing, or even Application-Layer DDoS attacks.
Presenters:
-
Andrew Jones
- Sr. Systems Engineer at Shape Security
Andrew Jones knew he wanted to be a Network Engineer since he was 16 and began his first job as a desktop tech in the IT department of a network equipment manufacturer in Dallas. After graduating from the University of Texas at Austin and achieving that goal, his career path naturally evolved into security by being the only person on staff with enough Linux experience to stand up a Snort deployment following a breach incident. Since then, Andrew has overseen IT Security for a defense contractor, been an analyst at DHS US-CERT, and had a lot of fun as an SE for start-ups such NetWitness, FireEye, Tanium, and Shape Security. In his downtime, you can (try to) find Andrew riding his Harley in northern Virginia, or on the way to Bardstown, KY.
Links: