Presentations
The following presentations are available:

At Microsoft's developer security forum Hacktics helps developers understand the risks posed by hackers, and it has briefed IT professionals on password hacking, bank hacking, distributed port scanning and a range of other security issues. Hacktics continues to educate IT professionals on an ongoing basis.

Testing the Tester - Measuring Quality of Security Testing
Speaker: Ofer Maor, CTO
Presented at: OWASP Israel 2008 Conference, Sep 2008
One of the hardest challenges for an organization engaging a security testing project is assessing the quality of the proposed solutions. This lecture takes on this controversial topic by attempting to provide clear criteria for determining the quality of security testing, followed by a review of the advantages and disadvantages each testing approach has against each of these criteria. Lastly, it examines which tools are available to the organization for identifying the quality of proposed solutions.

Achilles' Heel – Hacking Through Java Protocols
Speaker: Shay Chen, Senior Consultant & Team Leader
Presented at: OWASP Israel 2008 Conference, Sep 2008
Web applications normally communicate over cleartext HTTP and can be manipulated with interception proxies such as Achilles, WebScarab and Paros. Many modern applications, however, use thick clients (such as applets) built on binary protocols that cannot easily be manipulated this way. This lecture presents techniques for manipulating such applications, including new techniques for live manipulation of Java serialized protocols, allowing the tester to overcome many of the obstacles associated with testing them.

The PKI Lie - Attacking Certificate-Based Authentication
Speaker: Ofer Maor, CTO
Presented at: 7th OWASP AppSec Conference - San Jose, Nov 2007
While public key cryptography and client-side certificates have certainly proved to be a very valuable security mechanism, blind reliance on them may lead to disaster. These complex technologies are prone to implementation and deployment mistakes that render them useless. This lecture discusses and demonstrates common implementation pitfalls we often see in real-life PKI-based authentication systems.

Application Denial of Service - Is It Really That Easy?
Speaker: Ofer Maor, CTO
Presented at: Microsoft SecureDev Forum, Feb 2007
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have been around for years. The motivation to take down sites has always existed, usually driven by political or social activism. In recent years DoS/DDoS attacks have followed the other hacking vectors into the application layer. This lecture presented a case study of a recent DoS/DDoS project conducted for one of Hacktics' customers, using advanced application-level DoS attacks and evasion of anti-DDoS protection. It included a review of current and future trends in denial of service attacks and provided some tips for reducing the risk of application denial of service.

Password Hacking Done Easy
Speaker: Ofer Maor, CTO
Presented at: InfoQuest Security Conference, Nov 2006
As server-side defenses improve, attackers turn to client-based attacks to gain unauthorized access. Phishing, trojans and other techniques are used for mass credential theft, gaining access without breaking into the remote system at all. This session included an explanation of these attack vectors, a live demonstration of how they really work, and real-world hacking stories showing how common these attacks are.

Bank Hacking Live!
Speaker: Ofer Maor, CTO
Presented at: CSI NetSec, June 2006
Application security has recently become a hot topic in the information security community. Terms such as SQL Injection, URL Tampering, Cookie Poisoning, Session Hijacking and others are used by consultants, vendors and the technical media. But how well do we understand these threats? A live demonstration of application hacking techniques executed against a demo online banking application. The demonstration covered all common web application attacks, explained the flaws that cause them, and showed the actual exploits used by hackers in the real world. At the end of the session, each attendee was able to truly understand the real essence of web application attacks and the threat they pose to the business of their organization.

Live Hacking - Threats & Countermeasures in Action
Speaker: Ofer Maor, CTO
Presented at: Microsoft TechEd, May 2006
Same abstract as Bank Hacking Live! above: a live demonstration of the common web application attacks against a demo online banking application, the flaws that cause them, and the exploits used by hackers in the real world.

Divide and Conquer: Real World Distributed Port Scanning
Speaker: Ofer Maor, CTO
Presented at: RSA Conference, February 2006
While distributed port scanning is not a new concept, it is rarely practical in real-world environments. This session presented a new approach to distributed port scanning through widely available free HTTP proxy servers. It showed how HTTP proxies can be made to reveal whether a port is open, and demonstrated how distributed port scanning can be achieved with them.

Scripting with the Phishes - Advanced Cross Site Scripting and Phishing Attacks
Speaker: Ofer Maor, CTO
Presented at: OWASP-IL, September 2005 (Part of OWASP-IL Leaders Group)
Cross site scripting (XSS) attacks are usually undervalued since they do not affect the organization itself but rather its users. They are also disregarded because many associate them with blogs, webmail services and other socially oriented web applications rather than with serious web sites. New XSS attack techniques enable much deeper exploitation of XSS; one example is using XSS to generate highly effective phishing attacks. This presentation discussed such new XSS techniques, including a live demonstration and mitigation techniques.

Application Security Overview
Speaker: Ofer Maor, CTO
Presented at: Microsoft Security Forum, February 2005
These presentations, for the Microsoft Developer's Security Forum, demonstrate application security vulnerabilities and hacking tactics. The first presentation includes an introduction to application attacks, an overview of application penetration techniques, and some of the basic attack techniques. The second covers more advanced techniques, including SQL Injection, Cross Site Scripting, Parameter Tampering, Cookie Poisoning and others.
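The Achilles' Heel abstract above says binary Java protocols cannot be manipulated the way cleartext HTTP can. The following is an added example, not material from the talk or from Hacktics, showing the concrete reason: a TC_STRING in a Java serialization stream carries a 2-byte big-endian length prefix, so overwriting "alice" with "administrator" in a hex editor produces a stream the receiver rejects, and a tester has to re-encode the element instead. The stream layout (magic 0xACED, version 0x0005, tags TC_STRING, TC_LONGSTRING, TC_BLOCKDATA, TC_BLOCKDATALONG, TC_NULL, TC_RESET) follows the Java Object Serialization Stream Protocol; the "getBalance"/"alice" sample stream is constructed here and is not a real protocol, and the code assumes a flat stream of top-level elements, since nested object graphs (TC_OBJECT with class descriptors) need a full parser.

```python
"""
Rewrite a string inside a flat Java serialization stream without corrupting it.

Added example, not from the Hacktics talk. Assumption: the stream contains only
top-level strings, block data, null and reset markers; TC_OBJECT graphs are
out of scope and make the parser raise rather than guess.
"""
import struct

STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"

TC_NULL = 0x70
TC_STRING = 0x74
TC_BLOCKDATA = 0x77
TC_RESET = 0x79
TC_BLOCKDATALONG = 0x7A
TC_LONGSTRING = 0x7C

# tag -> (struct format of the length prefix, prefix size in bytes)
_LENGTH_PREFIX = {
    TC_STRING: (">H", 2),
    TC_LONGSTRING: (">Q", 8),
    TC_BLOCKDATA: (">B", 1),
    TC_BLOCKDATALONG: (">I", 4),
}


def parse_top_level(stream: bytes):
    """Yield (tag, payload) for each top-level element of a flat stream.

    Raises ValueError on a bad header, a truncated element or an unsupported
    tag, so an intercepting proxy never forwards a stream it has misparsed.
    """
    if stream[:4] != STREAM_MAGIC + STREAM_VERSION:
        raise ValueError("not a Java serialization stream (bad magic/version)")
    pos = 4
    while pos < len(stream):
        tag = stream[pos]
        pos += 1
        if tag in (TC_NULL, TC_RESET):
            yield tag, b""
            continue
        if tag not in _LENGTH_PREFIX:
            raise ValueError(f"unsupported tag 0x{tag:02x} at offset {pos - 1}")
        fmt, size = _LENGTH_PREFIX[tag]
        if pos + size > len(stream):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(fmt, stream, pos)
        pos += size
        if pos + length > len(stream):
            raise ValueError("truncated payload")
        yield tag, stream[pos:pos + length]
        pos += length


def encode_element(tag: int, payload: bytes) -> bytes:
    """Re-emit an element with a length prefix that matches its payload."""
    if tag in (TC_NULL, TC_RESET):
        return bytes([tag])
    fmt, _ = _LENGTH_PREFIX[tag]
    return bytes([tag]) + struct.pack(fmt, len(payload)) + payload


def encode_string(text: str) -> bytes:
    # Java uses "modified UTF-8", which matches UTF-8 for ordinary text.
    data = text.encode("utf-8")
    return encode_element(TC_STRING if len(data) <= 0xFFFF else TC_LONGSTRING, data)


def rewrite_strings(stream: bytes, replacements: dict) -> bytes:
    """Return a new, well-formed stream with matching strings replaced."""
    out = bytearray(STREAM_MAGIC + STREAM_VERSION)
    for tag, payload in parse_top_level(stream):
        if tag in (TC_STRING, TC_LONGSTRING):
            text = payload.decode("utf-8")
            out += encode_string(replacements.get(text, text))
        else:
            out += encode_element(tag, payload)
    return bytes(out)


def strings_in(stream: bytes) -> list:
    return [p.decode("utf-8") for t, p in parse_top_level(stream)
            if t in (TC_STRING, TC_LONGSTRING)]


def naive_edit_is_malformed(stream: bytes, old: bytes, new: bytes) -> bool:
    """True if a plain byte substitution leaves a stream the parser rejects."""
    try:
        list(parse_top_level(stream.replace(old, new)))
        return False
    except ValueError:
        return True


# Constructed sample (not a real protocol): a call "getBalance" for user
# "alice" followed by a 4-byte account id in a block-data element.
SAMPLE = (STREAM_MAGIC + STREAM_VERSION
          + encode_string("getBalance")
          + encode_string("alice")
          + encode_element(TC_BLOCKDATA, b"\x00\x00\x10\x01"))

if __name__ == "__main__":
    patched = rewrite_strings(SAMPLE, {"alice": "administrator"})
    print(patched.hex(), strings_in(patched))
    print("naive hex-edit breaks the stream:",
          naive_edit_is_malformed(SAMPLE, b"alice", b"administrator"))
```

The naive replacement fails because the old 2-byte length (5) now covers only "admin", and the parser then reads the byte "i" as a tag it does not know; the same thing happens inside a real server's ObjectInputStream, which is why live manipulation of these protocols needs a tool that understands the encoding rather than a byte-level editor.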
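The Divide and Conquer abstract above says open HTTP proxies can be used to learn whether a port is open. The following is an added example, not code from the talk or from Hacktics, of the mechanism that makes this possible: a proxy that honours the HTTP CONNECT method opens the TCP connection to host:port itself and reports the outcome in its status line, so the target only ever sees the proxy's address, and spreading probes over many proxies spreads the scan. The mapping of status codes to port states is an assumption about typical proxy behaviour (200 when the connection was established, 403/405 when proxy policy refuses the port, 502/503/504 when the proxy tried and failed); it must be calibrated per proxy against a known-open and a known-closed port before any verdict is trusted. The sample replies are constructed.

```python
"""
Port-state inference through an HTTP proxy's CONNECT method.

Added example, not from the Hacktics talk. The status-code mapping is an
assumption about common proxy behaviour; calibrate it per proxy.
"""
import socket


def build_connect_request(host: str, port: int) -> bytes:
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def status_code(raw: bytes):
    """Return the HTTP status code of a proxy reply, or None if unparsable."""
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify_connect_response(raw: bytes) -> str:
    """Map one proxy's CONNECT reply to a verdict about the target port.

    200         -> the proxy reached the port: open
    403 / 405   -> proxy policy refused the port: says nothing about the target
    502/503/504 -> the proxy tried and failed: closed or filtered
    """
    code = status_code(raw)
    if code == 200:
        return "open"
    if code in (403, 405):
        return "denied"
    if code in (502, 503, 504):
        return "closed_or_filtered"
    return "unknown"


def merge_verdicts(verdicts) -> str:
    """Combine verdicts from several proxies asked about the same host:port.

    One completed connection proves the port is open. Policy denials and
    unparsable replies carry no information and are ignored unless nothing
    else was observed.
    """
    verdicts = list(verdicts)
    informative = [v for v in verdicts if v not in ("denied", "unknown")]
    if "open" in informative:
        return "open"
    if informative:
        return "closed_or_filtered"
    return "denied" if "denied" in verdicts else "unknown"


def probe_via_proxy(proxy, host, port, timeout=5.0) -> str:
    """Live probe through one proxy (needs network; not exercised offline)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_connect_request(host, port))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify_connect_response(data)


# Constructed replies standing in for three proxies probing the same port.
SAMPLE_REPLIES = [
    b"HTTP/1.1 200 Connection established\r\n\r\n",
    b"HTTP/1.0 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n",
]


def distributed_verdict(replies=SAMPLE_REPLIES) -> str:
    return merge_verdicts(classify_connect_response(r) for r in replies)


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(r.split(b"\r\n", 1)[0].decode(), "->", classify_connect_response(r))
    print("merged:", distributed_verdict())
```

The merge step is what makes the scan "distributed" rather than merely proxied: a single proxy that refuses a port by policy tells you nothing, so verdicts from several proxies are combined and one successful CONNECT outweighs any number of refusals. The defender's corollary is that connection attempts arriving from many unrelated proxy addresses within a short window are the signature to look for, since no single source exceeds a per-IP threshold.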