Presentation Title Web in the Middle – Attacking Clients
Presentation Abstract
This talk aims at explaining interesting issues related to Man In The Middle attacks in Web environments. By using some features of HTTP, or by using some problems related to HTTP, we will show how it might sometimes be really dangerous for clients to browse web services.
We will first look at intrusions that happen on local environments, like public or private networks (corporate network, hotel wired network, Hotspot wifi, etc). We will also talk about remote attacks, that are used by skilled intruders to drill deeper into a targeted network thanks to LAN MITM Web attacks (like by bouncing from a DMZ to a private protected unreachable LAN).
To give real examples, and to offer an interesting disclosure during HITB Amsterdam, we will evaluate the security of widely used tools (IE, Firefox, MS Office, iWork, iPhone Applications) and of known web services (Twitter, Facebook, Hotmail, etc).We will announce some security problems and vulnerabilities in this field (0-days), that can lead to evil actions against the end-users of those tools and public services: i.e. penetrating the computers or devices of the end-users, launching phishing / fraud attacks against the end-users, spying / stealing information etc.
We hope that this talk will help improve the security of the Web by explaining these issues and by proposing ways to harden these tools and services which are widely used over the Internet.
About Laurent
Laurent is a French senior IT Security consultant, who founded TEHTRI-Security (http://www.tehtri-security.com) in 2010.
Last 15 years, he has been hired as a security expert to protect and pentest networks and systems of highly sensitive places like the French Nuclear Warhead Program, the French Ministry of Defense, the United Nations, etc.
He has been doing research on defensive technologies and underground activities with numerous security projects handled, and he was a member of the team RstAck and of the Steering Committee of the Honeynet Research Alliance.
Laurent has been a frequent presenter and instructor at computer security and academic conferences like Cansecwest, Pacsec, Black Hat USA-Asia-Europe, Hack-In-The-Box Dubai, US DoD/US DoE, Defcon, Hope, Honeynet, PH-Neutral, Hack.LU, as well as a contributor to several research papers for SecurityFocus, MISC Magazine, IEEE, etc.