web application security lab

Where is/was RSnake?

This is a non-technical post, just to let everyone know what’s going on. It’s been a crazy last few weeks and it only gets more crazy. After moving to Texas, I’ve been working really hard on a client of ours, getting our office set up, and learning my way around. It’s been a lot of fun but a lot of hard work. But over the next week it’s going to get more interesting.

Next week I am going to be doing a lot of talks. Firstly I’m doing three talks (two short ones for executives and one long one for the developers) at Microsoft’s Bluehat conference. I’m doing a talk on Death by 1000 cuts (well, not entirely, but similar concept - on how small holes become a big deal). Here’s the overview:

Web application security is the new security frontier. Firewalls, IDSs, and IPSs have become all but commodities. Today’s threats completely circumvent the whole concept of network security, attacking websites, web browsers and the victims themselves. Many modern threats don’t damage websites at all, but they can have drastically bad effects on users and corporate perception. Phishing, cross-site scripting, cross-site request forgeries and dozens of technologies tied together greatly increase the threat landscape. This talk will do a deep dive into the technical aspects of the threat, while keeping a steady eye on the consumer issues that drive large-scale website design.

That’ll be fun, and I’m sure I’ll have a lot more stories once I get back. After that I’ll be doing a very short talk at Toorcon’s Seattle Beta conference. It’s an invite-only conference with 150 people or so (not on their website). Here’s the overview on my “Master Recon Tool” talk:

A 5 minute power presentation that just discusses a new tool that helps combine many known browser-based information disclosure issues into one (hence the word “Master”). It also turns into a cool acronym when you spell it out: MR-T (Mr. T - as in, “I pity the foo who uses JavaScript”). When combined, these issues can tell a lot about the target, or multiple targets, who visit the website under an attacker’s control. Since we know 80% of websites are XSS-able, 99% of users use JavaScript and 100% of web users use more than one website, it provides a good framework for knowing more about your or other people’s web users.

So if anyone is going to be at either of those, drop me a line if you want to meet up at some point. And if I don’t do a lot of posting over the next week, that’s what’s going on.

One Response to “Where is/was RSnake?”

  1. hackathology Says:

    Finally on the Microsoft. Do send my regards to tareeq