A Presentation by Thomas Powell (PINT) and me at the Bird Rock Systems luncheon at the Del Mar Race Track on 11th August 2010. We talked about web attacks and the threat landscape as it stands today.

2. There Be Web Orcs! I can SQL injectz you!

3. Why me ? You’re a commodity (at least your id or cc# is)

4. Better off undead “ Awake my Zombie army and attack!”

5. Big Tuna! “ Let’s go spear phising”

6. Hack for hire

8. Bad people are real credit: From Russia With Love - Fyodor Yarochkin and The Grugq - http://tinyurl.com/frmrussiawlove

9. Build some walls

10. Man the defenses! “ No worry, firewall’s in place”

11. We’re awake! and what do you see?

12. Attack #1 “ Charge!” ../cmd.exe &1=1;droptable

13. Attack #2

14. We need a bouncer “ Yer not on the list, so come on in!”

15. The weak minded are easily tricked “ These are not the requests you are looking for”

16. 0-day to the Face! “ To get our new signature files you need a valid support plan”

17. Mutations Multiply

18. The Appearance of Security The Intent Thief: “How quaint a club!”

19. Real Security Tradeoffs This...

20. Security Tradeoffs ...or this?

21. I want it all!

22. Attack Surfaces and many more

23. The Usual Suspects Input Tampering SQL Injection XSS CSRF RFI/LFI

24. Demo Time Presto!

25. I want to believe! Your Only Defense: Trust No One (User, Packet, Input, etc.)

26. Next Steps?

27. Questions? Thomas A. Powell [email_address] http://www.pint.com Twitter: PINTSD Saumil Shah [email_address] http://net-square.com