Abstract:
As a web application tester, I have rarely ever (except due to limited scope) delivered a report without SSL/TLS issues raised. While the impact can be high, the complexity of mounting an attack usually results in many SSL/TLS issues being rated low risk or medium at most. I see in my clients and many colleagues SSL issue fatigue.
Inspired by Geoff White’s new book Rinsed and the stark reality of the impact of cybercrime, I decided to take a look at the role of encryption. Geoff's book demonstrates the depths to which humanity will go when embroiled in exploitation of humans for drugs and money, and cyber is undeniably entangled in this web of crime. I wanted to know if there is a direct path from my web app report to the most heinous crimes and if this real-world impact is in fact relevant.
I want to dive into the typical web app SSL issues, explore the real-world exploitation of these and track them through from what I identify and report to my clients as a web app tester, through exploitation, how that works, and how it has been a factor (if so, how much of a factor) in some of the greatest high-profile hacks in the world, and finally, what the real-world impact could be of that little old common issue of supporting weak ciphers.
During my talk, I will demonstrate some exploitation of SSL/TLS vulnerabilities and, if time allows, show how to test for these vulnerabilities both using tools and using the command line.
Speaker Bio:
Michelle Simpson; Head of Pen Testing @ Vertical Structure
A leader in the security space, Michelle heads up the Pen Testing team in Vertical Structure. Michelle is CISSP certified, is a Cyber Scheme Web App Team Leader and UKCSC Principal. She holds an MSc in Security and Forensic Computing and a BSc in Software Engineering.
During her many years in consulting, she has worked with a wide range of clients across a range of industries supporting them through hundreds of security penetration tests and has also performed forensic engagements and strategic security reviews across critical applications for large banking clients.
Michelle is committed to the local security community, co-founding the OWASP Belfast chapter in 2014 and the BSidesBelfast conference in 2016. Her passion for security and encouraging others into the field is clearly expressed in her involvement with Cyber First schools programmes and steering groups in a bid to drive the next generation and future pipeline of talent for the cyber security industry.