paul sebastian ziegler
TRANSCRIPT
![Page 1: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/1.jpg)
“I Honorably Assure You: It is Secure”
Hacking in the Far East
Paul S. Ziegler / HITB2012KL
Wednesday, October 10, 12
![Page 2: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/2.jpg)
Introduction
![Page 3: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/3.jpg)
Introduction
In 60 seconds or less
![Page 4: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/4.jpg)
Paul Sebastian Ziegler
![Page 5: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/5.jpg)
Pentester
![Page 6: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/6.jpg)
TecFeeds
Paul Sebastian Ziegler
Cross-site scripting (XSS) is the web application vulnerability par excellence. Like hardly any other technique, it combines simple methods and approaches into ultimately devastating attacks. Yet knowledge of this vulnerability and of the attacks tied to it is currently reserved for security experts. Extensive reports and documentation do exist, but for the most part only insiders can understand them. The ordinary programmer or user who has to deal with cross-site scripting is usually left out. This TecFeed sets out to change that. In simple steps the author introduces you to this complex topic. You will learn what cross-site scripting is and how it can be used to attack web applications. After reading this TecFeed you will be able to recognize and fix the vulnerabilities.
CONTENTS
Introduction
Anatomy of an XSS attack against an unprotected web application
Effects an attacker can produce through XSS
Protection mechanisms that fall short
Building strong protection mechanisms: escaping and list-based filtering
The danger potential of XSS today and in the near future
Summary
Appendix A: List of various attack vectors
Appendix B: safehtml
About the author
Acknowledgements
Cross-Site Scripting
www.tecfeeds.de
![Page 7: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/7.jpg)
Tokyo
![Page 8: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/8.jpg)
Asia
![Page 9: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/9.jpg)
![Page 10: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/10.jpg)
![Page 11: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/11.jpg)
Anything else? Ask!
Feeling stalkerish? http://observed.de
![Page 12: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/12.jpg)
Before we begin
![Page 13: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/13.jpg)
![Page 14: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/14.jpg)
Less of this
Hate
![Page 15: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/15.jpg)
Well then...
![Page 16: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/16.jpg)
Three Wise Monkeys
![Page 19: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/19.jpg)
See No Evil
Hear No Evil
Speak No Evil
![Page 20: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/20.jpg)
![Page 21: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/21.jpg)
![Page 22: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/22.jpg)
![Page 23: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/23.jpg)
![Page 24: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/24.jpg)
![Page 25: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/25.jpg)
![Page 26: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/26.jpg)
![Page 27: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/27.jpg)
![Page 28: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/28.jpg)
![Page 29: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/29.jpg)
![Page 30: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/30.jpg)
![Page 31: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/31.jpg)
“Hacker”
![Page 32: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/32.jpg)
“I humbly apologize, but I must ask you to kindly leave this establishment.”
![Page 33: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/33.jpg)
\(^_^)/
![Page 34: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/34.jpg)
![Page 35: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/35.jpg)
Exploitation Vector: Invest your time into intelligence gathering or exploitation, not covert operation.
![Page 36: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/36.jpg)
The Invisibility Cloak
![Page 37: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/37.jpg)
![Page 38: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/38.jpg)
![Page 39: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/39.jpg)
![Page 40: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/40.jpg)
![Page 41: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/41.jpg)
Invisible Cloak You Say?
• Obliterates badge requirements (even better when talking on a cellphone in English)
• Reduces random police ID checks from once a month to never
• Lets you get away with virtually any social violation
![Page 42: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/42.jpg)
Works differently in South Korea
![Page 43: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/43.jpg)
Honor Cloak
• Gets you service in restaurants as a foreigner
• Triples natives’ willingness to communicate in English / Japanese / signs
• Strangers will walk you to the location you are looking for and randomly carry your stuff instead of running away or screaming
• Taxi acquisition time reduced to less than 60 seconds
![Page 44: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/44.jpg)
Honor Cloak
• Taxi drivers actually drop you off at your door instead of kicking you out at the nearest intersection
• In short: If you’re a foreign male, putting on a suit in Korea teleports you into a different country
![Page 45: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/45.jpg)
Swarm Effect
![Page 46: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/46.jpg)
![Page 47: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/47.jpg)
![Page 48: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/48.jpg)
Class Effect
![Page 53: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/53.jpg)
The three classes of foreigners
Military
English Teachers
Business
![Page 54: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/54.jpg)
Also Works in Hong Kong
“Hey, look - it’s another banker!”
![Page 55: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/55.jpg)
Exploitation Vector
![Page 56: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/56.jpg)
![Page 57: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/57.jpg)
If all else fails, use the “dumb foreigner” card.
![Page 58: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/58.jpg)
Home Insecurity
![Page 59: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/59.jpg)
![Page 60: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/60.jpg)
“Apartment”
![Page 61: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/61.jpg)
“Mansion”
![Page 62: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/62.jpg)
“Apartment”
• Cheap (rent & construction)
• Wood and paper
• Not guaranteed to withstand a strong earthquake
• The concept of security just doesn’t apply
![Page 63: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/63.jpg)
![Page 64: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/64.jpg)
![Page 65: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/65.jpg)
![Page 66: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/66.jpg)
![Page 67: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/67.jpg)
![Page 68: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/68.jpg)
![Page 69: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/69.jpg)
![Page 70: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/70.jpg)
![Page 71: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/71.jpg)
“To prevent crime, you are prohibited by national law to create a copy of your key.”
-- AMMS Estate Rental Agreement (2008)
![Page 72: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/72.jpg)
![Page 73: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/73.jpg)
“Mansion”
• You’ll need to sell a kidney to afford one
• Sturdy construction
• Earthquake resistant
• Central lock
• (Often) Including security services
![Page 74: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/74.jpg)
![Page 75: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/75.jpg)
![Page 76: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/76.jpg)
![Page 77: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/77.jpg)
Safe!
![Page 78: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/78.jpg)
![Page 79: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/79.jpg)
![Page 80: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/80.jpg)
Damn it!
![Page 81: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/81.jpg)
![Page 82: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/82.jpg)
![Page 83: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/83.jpg)
Reducing Lock Efficiency to Basically Zero
In 4 easy steps
![Page 84: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/84.jpg)
Entropy: 20^8
![Page 85: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/85.jpg)
1. Legally prohibit mail locks with more than 3-digit combinations
![Page 86: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/86.jpg)
Entropy: 20^3
![Page 87: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/87.jpg)
2. Legally force all locks to open in a clockwise-clockwise-counterclockwise pattern
![Page 88: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/88.jpg)
Entropy: 1000
![Page 89: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/89.jpg)
3. Legally force the first two digits of the combination to be the same
![Page 90: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/90.jpg)
Entropy: 100
![Page 91: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/91.jpg)
4. Don’t integrate a separate opening crank, but simply open once the correct combination is entered
![Page 92: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/92.jpg)
Time per attempt: 1.5 seconds
![Page 93: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/93.jpg)
50% unlock chance: 75 seconds
100% unlock chance: 150 seconds
![Page 94: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/94.jpg)
Jumping to Korea...
![Page 95: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/95.jpg)
![Page 96: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/96.jpg)
Entropy: 10^8
![Page 97: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/97.jpg)
Well, albeit not a law, most locks only take up to 4 digits...
![Page 98: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/98.jpg)
Entropy: 10^4
![Page 99: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/99.jpg)
And the majority of them are not wired to any monitoring...
![Page 100: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/100.jpg)
Or lock you out after numerous attempts...
![Page 101: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/101.jpg)
Time per attempt: 0.85 seconds
![Page 102: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/102.jpg)
50% unlock chance: 66 minutes 38 seconds
100% unlock chance: 133 minutes 16 seconds
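The lock arithmetic on the preceding slides, worked through as an added example that is not part of the talk: a small Python model that turns a keyspace (what the slides label "Entropy", i.e. the number of combinations) and a per-attempt time into the 50% and 100% figures quoted above, and adds a hypothetical lockout to show what the missing rate limit the deck mentions would be worth. Keyspace sizes and attempt times are the slides' own (100 combinations at 1.5 s for the regulated Japanese mail lock, 10^4 at 0.85 s for the Korean door lock); the lockout parameters (5 tries, 60 s) are assumptions. The model reproduces the Japanese figures exactly; for 10^4 combinations at 0.85 s the plain product is 70 min 50 s / 141 min 40 s, slightly above the deck's numbers, so the keyspace is a parameter and a smaller effective keyspace can be substituted.

```python
"""Brute-force timing for the combination locks discussed in the deck.

Added example, not from the original talk. Keyspace sizes and per-attempt
times are the ones the slides give; the lockout parameters are hypothetical
and only show how much a simple rate limit changes the result.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Lock:
    name: str
    keyspace: int               # number of possible combinations
    seconds_per_try: float      # time for one manual attempt
    lockout_after: int = 0      # attempts allowed before a lockout (0 = none)
    lockout_seconds: float = 0  # length of each lockout pause

    @property
    def entropy_bits(self) -> float:
        """Combinations expressed as bits, the usual way to compare keyspaces."""
        return math.log2(self.keyspace)

    def seconds_for(self, attempts: int) -> float:
        """Wall-clock time to make `attempts` guesses, including lockout pauses.

        A lockout fires after every full window of `lockout_after` attempts;
        a pause triggered by the final (successful) guess costs nothing, hence
        (attempts - 1) // lockout_after pauses.
        """
        total = attempts * self.seconds_per_try
        if self.lockout_after > 0 and attempts > 0:
            total += ((attempts - 1) // self.lockout_after) * self.lockout_seconds
        return total

    def expected_seconds(self) -> float:
        """Median time to open: the attacker expects to test half the keyspace."""
        return self.seconds_for(self.keyspace // 2)

    def worst_case_seconds(self) -> float:
        """Time to exhaust the whole keyspace (100% chance of having opened it)."""
        return self.seconds_for(self.keyspace)


def fmt(seconds: float) -> str:
    """Render seconds as 'h min s', dropping leading zero fields."""
    s = int(round(seconds))
    h, rem = divmod(s, 3600)
    m, sec = divmod(rem, 60)
    parts = [f"{h} h"] if h else []
    if h or m:
        parts.append(f"{m} min")
    parts.append(f"{sec} s")
    return " ".join(parts)


# Keyspaces and attempt times as given on the slides.
JAPAN_MAIL_LOCK = Lock("Japanese mail lock after the four steps",
                       keyspace=100, seconds_per_try=1.5)
KOREA_DOOR_LOCK = Lock("Korean 4-digit door lock",
                       keyspace=10**4, seconds_per_try=0.85)
# Hypothetical hardening (assumption, not from the deck): the same door lock
# with a 60 s lockout after 5 wrong tries.
KOREA_WITH_LOCKOUT = Lock("Korean door lock + lockout",
                          keyspace=10**4, seconds_per_try=0.85,
                          lockout_after=5, lockout_seconds=60)


def report(lock: Lock) -> dict[str, float]:
    """Return the numbers a pentest report would quote for one lock."""
    return {
        "bits": round(lock.entropy_bits, 1),
        "expected_s": lock.expected_seconds(),
        "worst_s": lock.worst_case_seconds(),
    }


if __name__ == "__main__":
    for lock in (JAPAN_MAIL_LOCK, KOREA_DOOR_LOCK, KOREA_WITH_LOCKOUT):
        r = report(lock)
        print(f"{lock.name}: {r['bits']} bits, "
              f"50% in {fmt(r['expected_s'])}, 100% in {fmt(r['worst_s'])}")
```

The hypothetical lockout is the interesting line: with 5 tries per minute the same 10^4 keyspace takes about 35 h to exhaust instead of 2 h 20 min, which is the difference between a lock that stops a casual attacker and one that does not, and it costs nothing in keyspace.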
![Page 103: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/103.jpg)
![Page 104: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/104.jpg)
+ =
![Page 105: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/105.jpg)
Counter Exploitation: Work from the assumption that if someone wants to get into your place, they will.
![Page 106: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/106.jpg)
Corporate Insecurity
![Page 107: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/107.jpg)
“Lifetime Employment”
• Get a mediocre wage
• Guaranteed mediocre raises
• You cannot be fired or laid off
• If you survive to retirement, the company pays you around 75% of your last wage until you die
• If you die, it pays your spouse until their death
![Page 108: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/108.jpg)
“Bonus”
• Officially rewards good work
• Unofficially often dependent on overtime
• Can contribute up to 50% of annual wage
• Easy tool to keep employees in line
![Page 110: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/110.jpg)
Don’t fuck up
Requires Action
![Page 112: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/112.jpg)
Make a judgement call that could potentially save the company a lot and seems very clear.
Incur a small loss.
You fucked up.
![Page 114: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/114.jpg)
Pedantically stick to protocol even though it is wrong for the current case and costs the company millions.
Promotion secured.
![Page 116: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/116.jpg)
Also, don’t work too fast and stay until 1am to secure that bonus.
(Alternatively become a contractor.)
![Page 117: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/117.jpg)
Example A
![Page 122: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/122.jpg)
1) Run nmap on customer network
2) Find Windows NT4 box
3) Find IRC server running on NT4 box
4) Find it runs on port 31337
How do you react?
![Page 123: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/123.jpg)
“We’ll check into it.”
![Page 124: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/124.jpg)
2 Weeks Pass
![Page 125: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/125.jpg)
“We have decided against shutting down or altering the affected machine...”
![Page 126: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/126.jpg)
“Because the guy who set it up no longer works here...”
![Page 127: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/127.jpg)
“And we have no idea what it does...”
![Page 128: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/128.jpg)
“But it might be important, so we’ll just leave it running.”
![Page 129: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/129.jpg)
Checklist
I didn’t touch it
It is not obviously horribly broken from a middle management PoV
If we get hacked, someone else “did it”
I still get my raise and keep my job
![Page 130: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/130.jpg)
Example B
![Page 131: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/131.jpg)
Setting
Wednesday, October 10, 12
![Page 132: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/132.jpg)
Client operates an SaaS API that integrates into
their dashboard.
Wednesday, October 10, 12
![Page 133: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/133.jpg)
Japanese company integrates their product
with it.
Wednesday, October 10, 12
![Page 134: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/134.jpg)
If the API isn’t called for 24 hours, an error
message is displayed.
Wednesday, October 10, 12
![Page 135: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/135.jpg)
Of 25 possible causes, number 22 names
“there may be issues with your encryption
certificate”.
Wednesday, October 10, 12
![Page 136: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/136.jpg)
What do you do?
Wednesday, October 10, 12
![Page 137: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/137.jpg)
Company Client
![Page 148: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/148.jpg)
Company Client
?
![Page 149: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/149.jpg)
Solution?
![Page 150: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/150.jpg)
2 months in, I suggested the client remove the SSL warning, then call the company and say they had fixed the problem.
![Page 151: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/151.jpg)
Product was launched within 24 hours.
![Page 152: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/152.jpg)
Checklist
• It says it may be the certificate
• I didn’t put my neck out and escalated it
• No one put their neck out
• The entire operation delayed launch by 2 months and cost hundreds of thousands of dollars
• Client took responsibility
• I still get my raise and keep my job
![Page 153: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/153.jpg)
Exploitation Vectors
![Page 154: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/154.jpg)
1) Stuff won’t be fixed.
![Page 155: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/155.jpg)
2) Create a responsibility setting and no one disturbs you.
![Page 156: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/156.jpg)
“I am here on behalf of *unreachable high ranking manager*.
Will YOU be responsible when he finds out you disturbed my work?”
![Page 157: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/157.jpg)
Wires? Where we’re going we don’t need wires!
![Page 158: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/158.jpg)
![Page 159: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/159.jpg)
Cellphone hotspots
![Page 160: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/160.jpg)
Access filtered by a mix of MAC address and User-Agent sent to the gateway
![Page 161: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/161.jpg)
Absolutely Secure
![Page 162: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/162.jpg)
However Korea takes the Cake here
![Page 163: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/163.jpg)
![Page 164: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/164.jpg)
Exploitation Vector: Yeah, gee, I wonder what anyone could ever do with anonymous open internet access.
![Page 165: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/165.jpg)
Speaking of Korea
![Page 166: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/166.jpg)
Taking all guesses: what’s the browser market share for IE in Korea?
![Page 167: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/167.jpg)
97%
![Page 168: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/168.jpg)
Ninety-Seven-Percent
![Page 169: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/169.jpg)
![Page 170: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/170.jpg)
![Page 171: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/171.jpg)
Adoption of SSL
![Page 172: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/172.jpg)
SEED
• Published in 1998 by the Korean Information Security Agency
• 128-bit block cipher
• Alternative to SSL
• Required for online banking, online shopping, government transactions, etc.
• Works as an ActiveX plugin compatible with some IE and Windows versions
![Page 173: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/173.jpg)
Effects
• Extremely slow adoption of new Windows versions
• Alternative browsers and OSs are virtually useless
• Also integrated with most cellphones (the iPhone was the first non-Korean cellphone sold)
• Very poor understanding of SSL
![Page 174: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/174.jpg)
Many SEED variations allow for user identification, leading to a low perceived need for security.
More on this later...
![Page 176: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/176.jpg)
Exploitation Vector
FUD
![Page 177: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/177.jpg)
Oppan SEED Style
![Page 178: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/178.jpg)
Too-Near Field Communication
![Page 179: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/179.jpg)
![Page 180: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/180.jpg)
![Page 181: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/181.jpg)
![Page 182: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/182.jpg)
Why?
• Used virtually everywhere
• Always carried on body
• Automatically recharged or charged to phone bill (loose and/or high limits)
• Accepted by lots of online stores
• Stores your purchase history and reveals it without authentication
![Page 183: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/183.jpg)
![Page 184: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/184.jpg)
![Page 185: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/185.jpg)
Location Tracking
Purchase Tracking
![Page 186: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/186.jpg)
![Page 187: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/187.jpg)
![Page 188: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/188.jpg)
Location Tracking
Purchase Tracking
Buying stuff on other people’s tab
![Page 190: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/190.jpg)
But Paul, FeliCa cards only work across millimeters. You couldn’t possibly get that close to a person with a reader without them noticing!
![Page 191: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/191.jpg)
You, sir or ma’am, have obviously never seen the Tokyo morning rush hour.
![Page 192: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/192.jpg)
![Page 194: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/194.jpg)
Top 3 Hit List
![Page 195: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/195.jpg)
#3 Airport Security
![Page 196: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/196.jpg)
![Page 197: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/197.jpg)
![Page 198: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/198.jpg)
#2 Ultra Secure JavaScript
![Page 199: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/199.jpg)
![Page 200: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/200.jpg)
![Page 201: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/201.jpg)
![Page 202: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/202.jpg)
#1 Korean-Japanese Web Development
(The Grand Finale)
![Page 203: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/203.jpg)
Setting
Japanese Company
Korean Company
![Page 212: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/212.jpg)
Critical Flaws
• Users not being logged in if name contains special characters
• Too quick session timeout annoying potential users
• Dislike colors
• Annoying SSL error
• Credit Card numbers stored in plain text
![Page 213: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/213.jpg)
Non-Critical Flaws
• SQL Injection on Login Form
• 207 counts of XSS
• Admin console “secured” by JavaScript
“We can launch with those. No one would check that.”
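The "users can't log in if their name contains special characters" item on the critical list and the "SQL injection on login form" item on the non-critical list are usually one and the same bug: the name is spliced into the query text. The added example below (my code, not the project's; the user table, names and passwords are constructed) shows the concatenated lookup failing on an apostrophe and the parameterised lookup, which treats the name as data, handling it.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user store for this example (not the project's data).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(name: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)",
                 (name, salt, _hash(password, salt)))


def login_concat(name: str, password: str) -> bool:
    """Lookup built by string concatenation (the flawed pattern).

    An apostrophe in the name turns it into broken SQL, so O'Brien can never
    log in; the same splicing is what makes the form injectable.
    """
    sql = "SELECT salt, pw_hash FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()  # raises sqlite3.OperationalError on O'Brien
    return row is not None and hmac.compare_digest(_hash(password, row[0]), row[1])


def login_param(name: str, password: str) -> bool:
    """Same lookup with a bound parameter: the name is data, never query text."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                       (name,)).fetchone()
    return row is not None and hmac.compare_digest(_hash(password, row[0]), row[1])


def demo() -> dict:
    """Run both lookups against a constructed user whose name has an apostrophe."""
    register("O'Brien", "correct horse")
    results = {}
    try:
        results["concat"] = login_concat("O'Brien", "correct horse")
    except sqlite3.OperationalError as exc:
        results["concat"] = f"error: {exc}"
    results["param"] = login_param("O'Brien", "correct horse")
    results["param_wrong_pw"] = login_param("O'Brien", "wrong")
    return results


if __name__ == "__main__":
    print(demo())
```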
![Page 215: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/215.jpg)
SSL
![Page 217: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/217.jpg)
Are we screwed?
![Page 218: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/218.jpg)
Yes. \<°_°>/
![Page 219: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/219.jpg)
Questions?
![Page 220: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/220.jpg)
Attribution
• Slide 7 - apple 94
• Slide 8 - paukrus
• Slide 13 - Unknown. If you’re the artist, drop me a line and I’ll buy you a beer.
• Slide 14 - PSY
• Slide 16 - Anderson Mancini
• Slide 37 - Warner Brothers
• Slide 48 - diloz
• Slide 49 - Martijn Booister
• Slide 55 - Disney
• Slide 96 - Milre
• Slide 174 - PSY
• Slide 188 - d0b33
![Page 221: Paul Sebastian Ziegler](https://reader036.vdocument.in/reader036/viewer/2022081502/58a2dfda1a28ab37018b7f66/html5/thumbnails/221.jpg)
Thank you for listening!