Presented at ToorCon San Diego 13 (2011)
Oct. 8, 2011, 2 p.m.
Earth vs. The Giant Spider [V2]: Amazingly True Stories of Real Penetration Tests brings the TOORCON 13 audience the a NEW massive collection of weird, downright bizarre, freaky, and altogether unlikely hacks ever seen in the wild. This talk will focus on those complex hacks found in real environments - some in very high end and important systems, that are unlikely but true. Through stories and demonstrations we will take the audience into a bizarre world of our famous hacks where odd business logic flaws get you almost free food [including home shipping], sourcing traffic from port 0 allows ownership of the finances a nation, security systems are used to hack organizations. Presentation contents heavily updated.
The SpiderLabs team delivered more than 2300 penetration tests last year, giving us access to a huge variety of systems and services, we've collected a compendium of coolest and oddest compromises from the previous year to present at TOORCON. Our goal is to show effective attacks and at the same time not the trivial ones that can be found by automated methods. By the end of this presentation we hope to have the audience thinking differently about systems and applications that organizations use every day, and how they may be used against them.
Wendel Guglielmetti Henrique is a Security Consultant at Trustwave's SpiderLabs, the advanced security team within Trustwave focused on forensics, ethical hacking, and application security testing for premier clients. He has over 11 years experience in Information Technology, where the last 6 years were dedicated to penetration testing. He has performed security focused code reviews, secure development training, forensics analysis and security assessments. Wendel has performed countless network, application and web application penetration tests for various organizations across the globe, including government, banking, commercial sectors, as well as the payment card industry.
Recent presentations include Defcon 19 (USA), Black Hat Arsenal 2010 (USA), OWASP AppSec Research 2010 (Sweden) and Black Hat Europe 2010 (Spain). Previously, Wendel spoke in Troopers 09 (Germany), OWASP AppSecEU09 (Poland), YSTS 3.0 (Brazil), and has spoken in well known security conferences such as Defcon 16 (USA) and H2HC (Brazil).
Wendel developed a tool to detect and remove the famous BugBear virus, before most of the antivirus companies around the world in 2002.
During his career, he has discovered vulnerabilities across a diverse set of technologies including webmail systems, wireless access points, remote access systems, web application firewalls, IP cameras, and IP telephony applications. Some tools he wrote already were used as examples in national magazines like PCWorld Brazil and international ones like Hakin9 Magazine.
Wendel co-authored patent-pending penetration testing technology.