Software and Web Hacking Talk Highlights at Hacker Halted USA

News provided by

EC Council

Aug 27, 2013, 03:00 ET


Atlanta, GA (PRWEB) August 27, 2013 -- With a range of new software and web-based threats regularly exploited by nation-state hackers, organized crime, and sophisticated hacktivist groups, Hacker Halted USA, a leading information security conference in the US is hosting a range of advanced technical talks on new threats that enterprises need to consider. Hacker Halted USA runs from September 19-21 in Atlanta.

This year’s conference covers a variety of looming threats for the enterprise, from new mobile-based attacks, cloud vulnerabilities, SCADA exploits, encryption threats - and, perhaps most importantly, software and web-based attacks,” said Eric Lopez, director of conferences and events at EC-Council. “Several leading researchers in these fields will be presenting their findings at Hacker Halted USA - from browser botnets to IPv6.”

Here are a few highlighted talks at this year’s Hacker Halted USA:

• Adventures in Large Scale HTTP Header Abuse - Zach Wolff, LogRhythm - While the technique of sending malicious data through HTTP Header fields is not new, there is a conspicuous lack of information on the topic. This presentation explores research and testing results of random auditing of 1.6 million websites. The speaker will address the history of HTTP Header attacks, the logic that went into the creation of an HTTP Header Audit tool, and most interestingly, the findings of the test run. How many vulnerable websites were discovered? What attacks were they most susceptible to? Which Header fields are most likely to be vulnerable? Finally, the presentation will discuss defensive techniques around HTTP header abuse and how to efficiently audit a sites HTTP Header fields for vulnerabilities.

• The State of SAP Security 2013 - Dmitry Chastuchin, ERPScan - ERP Systems based on SAP are the heart of any large company, so it is necessary to increase awareness in this area, especially after the Anonymous attack on Greece Government where, probably, 0-day SAP vulnerability was used (however this information was neither proven nor refuted). ERP systems enable all the critical business processes from procurement, payment to human resources and financial planning. All the data stored in ERP systems is of great importance and any illegal access can mean enormous losses probably even termination of business processes.

• Wassup MOM? Owning the Message-Oriented Middleware - Gursev Kalra, Foundstone - Message Oriented Middleware (MOM) allows disparate applications to communicate with each other by exchanging information in the form of messages. A MOM and its clients create an enterprise messaging application that forms the transactional backbone of several large organizations worldwide. Security is therefore an important aspect of these applications. This research analyzes enterprise messaging security from three different perspectives: (1) The first perspective derives from the fact that most of the enterprise messaging products support the vendor-agnostic Java Messaging Service (JMS) API and therefore, focuses on the offensive uses of the JMS API to attack an enterprise messaging application. (2) The second perspective revolves around a JMS compliant message broker (or MOM) as message brokers form the core of the enterprise messaging.

• Using HTML5 to Make JavaScript (Mostly) Harmless - Mike Shema, Qualys - HTML5 provides new APIs that give JavaScript more power, browser more data, and, if not used correctly, security more nightmares. It’s the best way to create powerful apps and insidious hacks. New security controls like sandboxes, Cross Origin Resource Sharing (CORS) and Content Security Policy (CSP) contribute to a more secure browsing experience, but only against the flaws they were designed to mitigate. Each of them has important nuances to their deployment and effectiveness in protecting web apps. But they can also be leveraged against web apps.

• IPv6 Security - Scott Hogg, Global Technology Resources Inc. - Many international organizations already have IPv6 networks, the U.S. Federal organizations are working on their transitions to IPv6 and others are contemplating what IPv6 means to them. However, many organizations already have IPv6 running on their networks and they don’t even realize it. Many computer operating systems now default to running both IPv4 and IPv6 and it could cause security vulnerabilities if one is not prepared. IPv6 security vulnerabilities currently exist “in the wild” and as the popularity of the IPv6 protocol increases so will the number of threats. This talk surveys the threats against IPv6 networks and provides solutions on how to mitigate them. It covers the issues and the current practices for securing an IPv6 network.

• The Quest for Client-Side Elixir Against Zombie Browsers - Zoltan Balazs, Deloitte Hungary - In 2012, Balasz created and published proof-of-concept malicious browser extensions for Firefox, Chrome, and Safari. With these, one can steal cookies, passwords, spy on webcams, use the browser as a proxy, change financial transactions in the background, steal files, and many more malicious things. In this presentation, Balaxz will investigate the internet security suites, “safe browsers”, sandboxes and how they (don’t) protect against malicious browser extensions running in user space.

Hacker Halted USA is a three-day, three-track information security conference including 43 talks from top security researchers, organizations, independent security firms, the U.S. Army, U.S. Treasury, Facebook, Twitter, Square, RSA, Qualys, McAfee’s Foundstone Division, Verizon Terremark, Dell, Deloitte, Salesforce, and Penn State University. Topics covered include mobile security, the cloud, forensics, critical infrastructure attacks, malware analysis, and more. Registrations are still being accepted and anyone interested in attending is encouraged to visit the registration website or call 1-888-330-HACK.

For more information about Hacker Halted USA, visit http://www.hackerhalted.com. To view the online agenda, click here.

ABOUT EC-COUNCIL:

The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in various e-business and security skills. EC Council is the owner and developer of the world-famous E-Council Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (C|HFI), Certified Security Analyst (ECSA), License Penetration Tester (LPT) programs, and various others offered in over 60 countries around the globe. These certifications are recognized worldwide and have received endorsements from various government agencies including the US Federal Government via the Montgomery GI Bill, and the US Government National Security Agency (NSA) and the Committee on National Security Systems (CNSS) certifying EC-Council’s Certified Ethical Hacking (CEH), Network Security Administrator (ENSA), Computer Hacking Forensics Investigator (CHFI), Disaster Recovery Professional (EDRP), Certified Security Analyst (E|CSA) and Licensed Penetration Tester (LPT) program for meeting the 4011, 4012, 4013A, 4014, 4015 and 4016 training standards for information security professionals and most recently EC-Council has received accreditation from the American National standards Institute (ANSI).

Amber Williams, EC Council, http://www.hackerhalted.com, +1 (505) 341-3228, [email protected]