Thursday, June 19, 2008

Recent OWASP Events

Last week I presented at FROC.us and my demos worked fine. Last night at the OWASP NY/NJ chapter meeting my demos failed hard! Fortunately for me, everyone was very nice and understanding, and the presentation was able to hold its own without the demos. Thanks to everyone who came out to both of these events!

You can view my slides here:


FROC.us - SSL VPN Security (different from what I'll be presenting at BlackHat)

June 18 2007 OWASP NY/NJ - Reverse Proxy Abuse

Here are videos of the demos I tried to show last night:
Abusing XMLHTTP for local resource access
Exploiting 5 WebApps with 1 HTTP Request

I had some resolution issues that prevented me from getting them up on YouTube, but I'll try again later when I have more time.

Thursday, June 5, 2008

CAPTCHAs anyone?

Man Allegedly Bilks E-trade, Schwab of $50,000 by Collecting Lots of Free 'Micro-Deposits'

Talk about abuse of functionality! Doesn't look like this guy did much to fly under the radar either. He was opening THOUSANDS of accounts per day with these brokers. In some cases, he even linked fraudulent accounts and accounts opened with his real personal details to the same bank account.

The best part, in my opinion, is that he did the same thing with the Google Checkout service, seemingly within their terms of service:

"When the bank asked Largent about the thousands of small transfers, he told them that he'd read Google's terms of service, and that it didn't prohibit multiple e-mail addresses and accounts. 'He stated he needed the money to pay off debts and stated that this was one way to earn money, by setting up multiple accounts having Google submit the two small deposits.'

The Google caper is not charged in the indictment. (.pdf)"
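The scheme above is plain abuse of a legitimate feature, so the defensive angle is rate limiting and correlation rather than input validation. The following is an added example (not from the original post or from any of the brokers mentioned) that runs a simple correlation over constructed account-opening records: it groups new accounts by the bank account that will receive the micro-deposits and flags a bank account when too many accounts, too many different applicant names, or too many openings in a short window point at it. The thresholds are assumed policy values, not anything the article states.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of account-opening events (not real data).
# Each record: (ISO timestamp, new brokerage account id, linked bank account, applicant name).
EVENTS = [
    ("2008-05-01T09:00:00", "acct-001", "bank-123", "A. One"),
    ("2008-05-01T09:01:00", "acct-002", "bank-123", "B. Two"),
    ("2008-05-01T09:02:00", "acct-003", "bank-123", "C. Three"),
    ("2008-05-01T09:03:00", "acct-004", "bank-123", "D. Four"),
    ("2008-05-01T09:04:00", "acct-005", "bank-123", "E. Five"),
    ("2008-05-01T09:05:00", "acct-006", "bank-123", "F. Six"),
    ("2008-05-01T10:30:00", "acct-007", "bank-999", "G. Normal"),
]


def flag_micro_deposit_abuse(events, max_accounts=3,
                             window=timedelta(hours=1), max_per_window=5):
    """Group account openings by the bank account that will receive the
    micro-deposits and return {bank_account: [reasons]} for suspicious ones.
    Thresholds are assumed policy values for the example."""
    by_bank = defaultdict(list)
    for ts, acct, bank, name in events:
        by_bank[bank].append((datetime.fromisoformat(ts), acct, name))

    flagged = {}
    for bank, rows in by_bank.items():
        rows.sort()  # oldest first, needed for the velocity check below
        reasons = []
        accounts = {acct for _, acct, _ in rows}
        if len(accounts) > max_accounts:
            reasons.append(f"{len(accounts)} brokerage accounts funded by one bank account")
        names = {name for _, _, name in rows}
        if len(names) > 1:
            reasons.append(f"{len(names)} different applicant names share one bank account")
        # Velocity check: sliding window over the sorted timestamps.
        for i in range(len(rows)):
            j = i
            while j < len(rows) and rows[j][0] - rows[i][0] <= window:
                j += 1
            if j - i > max_per_window:
                reasons.append(f"{j - i} openings within {window}")
                break
        if reasons:
            flagged[bank] = reasons
    return flagged


if __name__ == "__main__":
    for bank, reasons in flag_micro_deposit_abuse(EVENTS).items():
        print(bank, "->", "; ".join(reasons))
```

In a real deployment the same grouping would also run on the sending side (how many distinct verification deposits one bank account receives), which is the view the bank in the story had and the brokers did not.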

Monday, June 2, 2008

[insert interesting title here]

I guess you could tell by my lack of posts that I've been pretty busy recently. Fortunately, it's been mostly with fun and interesting things.

One of the projects I've been working on is reversing a patched SSL VPN ActiveX component in preparation for my BlackHat talk. I've been staring at Olly and IDA until my eyes feel like they're going to bleed. But, I've been making progress, learning a lot, and I've come up with some additional material to talk about. One such topic is that of hard-coded passwords in binaries. Jeez. If you work for a security product vendor, you should know better!

I've also been getting ready for my first SSL VPN talk next week at Froc.us. I have some cool stuff to share with those folks, and it should be a good time. Plus, I've never partied in Denver before. Looking forward to seeing a new city.