Sunday, February 25, 2007

Separating the actual URL hidden behind the link can help reduce phishing

Lately I have been getting a lot of phishing emails in my inbox. Over the years Yahoo has done a good job of redirecting those to the spam folder. Of course every now and then one or two might slip through the cracks, but it is only recently that I started getting a lot of phishing emails in my inbox: emails for Washington Mutual, PayPal, Bank of America, etc. It didn't matter whether I had an account with them or not. Luckily, over time I have developed a habit of hovering my mouse over the link to see what the actual URL behind the link is. Sure enough, it was taking me to some other website instead of the one shown in the link text. What surprises me most is that although phishers have been using the same old method of deceiving users by making them click on fake URLs, the industry is still trying every other possible means but not separating the actual URL from the link text.

Here is an example. I received this in my Yahoo mail today. If you hover your mouse over the link, you will see that the actual URL is something other than what is shown in the link text. (Be careful if you click on the URL.)
https://www.paypal.com/row/vst/id=11791677P5757633F

I know it is an ongoing battle between product managers and security professionals over where to draw the line between a feature and security. Allowing a user to click on a URL is a basic feature of an HTML page. HTML emails use the same feature, which is exploited by phishers with a great success rate. The point I am trying to make is that email providers are spending a lot of money on building robust phishing detection mechanisms but paying no attention to the URLs themselves. How hard is it to match the actual URL against the text shown in the link? If it doesn't match, then, combined with other criteria, the message can be marked as phishing/spam. If they don't want to mark it as phishing, the least they can do is display the actual URL separately from the link text and let the user copy and paste it if they want to.
It is not a huge inconvenience to the user, but at the same time it can help reduce phishing attempts by malicious people.

If a phishing URL could be displayed like this,

https://www.paypal.com/row/vst/id=11791677P5757633F (http://reseller4.ultrawhb.com/~mrbouble/.public/login.html)

then at least the customer is not fooled. If he copies and pastes the wrong URL anyway, then there is no solution to that.
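A way to implement the check the post asks for, as an added example that is not the post's own code: it extracts every anchor from an HTML email, flags links whose visible text is a URL on a different host than the href, and renders them in the "shown text (actual URL)" form proposed above. The sample message is constructed here; the two URLs in it are the pair quoted in the post.

```python
"""Compare the visible text of an HTML email link with its real destination.

Added example, not the post's own code. The sample email is constructed
here; the two URLs in it are the ones quoted in the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> tag in the HTML."""

    def __init__(self):
        super().__init__()
        self._href = None      # href of the anchor currently open, if any
        self._text = []        # text fragments seen inside that anchor
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' when there is none."""
    return (urlparse(url.strip()).hostname or "").lower()


def looks_like_url(text):
    """The post's heuristic only applies when the link text is itself a URL."""
    return text.lower().startswith(("http://", "https://", "www."))


def is_deceptive(text, href):
    """True when the visible text is a URL whose host differs from the host
    the link really points to. The whole hostname is compared, so a look-alike
    such as www.paypal.com.evil.example is also caught."""
    if not looks_like_url(text):
        return False
    shown = text if "://" in text else "http://" + text
    return host_of(shown) != host_of(href)


def render_link(text, href):
    """Display the link the way the post proposes: the visible text followed
    by the actual destination in parentheses whenever they disagree."""
    return f"{text} ({href})" if is_deceptive(text, href) else text


def analyze_email(html):
    """Return [(visible_text, href, deceptive)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(t, h, is_deceptive(t, h)) for t, h in parser.links]


# Constructed sample message; the link pair is the one quoted in the post.
SAMPLE_EMAIL = """
<html><body>
<p>Please confirm your account:</p>
<a href="http://reseller4.ultrawhb.com/~mrbouble/.public/login.html">
https://www.paypal.com/row/vst/id=11791677P5757633F</a>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
</body></html>
"""


def scan_sample():
    """Run the check over the constructed sample message."""
    return analyze_email(SAMPLE_EMAIL)


if __name__ == "__main__":
    for text, href, deceptive in scan_sample():
        flag = "PHISHING?" if deceptive else "ok"
        print(f"[{flag}] {render_link(text, href)}")
```

Links whose text is not a URL ("Click here") are left alone by this heuristic, which is why the post suggests combining the mismatch with other criteria before marking a message as phishing.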

Friday, February 23, 2007

Reflection on Jeremiah Grossman

Today's personality is again well known for his contribution to the world of web application security. Jeremiah Grossman is an expert in webappsec and is CTO and co-founder of WhiteHat Security. He is also a founding member of the Web Application Security Consortium. Jeremiah started hacking around 1991-92, but it was only in 2000 that he took it up as a profession, when he was working for Yahoo, where he performed various web application security related activities. Over the years he has done a lot of web application security R&D and contributed to the community in various ways. He has spoken at numerous conferences, published a lot of articles, shared a lot of research ideas and made various other contributions, including but not limited to the Internet Security Apache Benchmark Group and the Web Application Security Consortium. In his spare time he trains in Brazilian Jiu Jitsu and plays Australian rules football; his specialties are web application security, web development, Australian rules football and video game hacking.

Jeremiah is based in San Jose, CA, is only 29 years old, and has spoken at numerous conferences all over the world including Black Hat, ISSA, ISACA, NASA, RSA, OWASP, AFITC, Stanford and many other industry events. His research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, BetaNews, etc. Below is a compilation of most of his work, which by no means covers his entire contribution.


Articles / Books:-

Ten Things You Should Know about Web Application Security
http://www.whitehatsec.com/downloads/WP10Things.pdf

The 80/20 Rule for Web Application Security
http://www.webappsec.org/projects/articles/013105.shtml

Chasing Vulnerabilities for Fun and Profit
http://www.whitehatsec.com/articles/chasing_vulnerabilities.shtml

Myth-Busting AJAX (In)Security
http://www.whitehatsec.com/home/resources/articles/files/myth_busting_ajax_insecurity.html

Myth-Busting Web Application Buffer Overflows
http://www.whitehatsec.com/articles/mythbusting_buffer_overflow.shtml

Pay Now or Pay Later: Obtaining ROI from Web Security
http://www.cunews.com/roundtable/WhiteHat3.pdf

Technology Alone Cannot Defeat Web Application Attacks
http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1189767,00.html

Insecure Web Sites
http://www.varbusiness.com/showArticle.jhtml?articleID=18825528

Thwarting SQL Web Hacks
http://www.varbusiness.com/showArticle.jhtml?articleID=18841325

Top 5 Myths of Web Application Security
http://www.varbusiness.com/showArticle.jhtml?articleID=22104030

Web Application Security 101
http://www.whitehatsec.com/articles/webappsec101.pdf

What Phishers Know That You Don't
http://www.betanews.com/article/What_Phishers_Know_That_You_Dont/1114784531

Cross-Site Scripting Worms and Viruses
http://www.whitehatsec.com/downloads/WHXSSThreats.pdf

Top 10 Web Hack of 2006
http://www.whitehatsec.com/home/resources/presentations/files/whitehat_top_hacks_06_F.pdf
Most of the recent ones are listed here:
http://jeremiahgrossman.blogspot.com/2006/12/top-10-web-hacks-of-2006.html

Automated Scanner vs. The OWASP Top Ten
http://jeremiahgrossman.blogspot.com/2007/01/automated-scanner-vs-owasp-top-ten.html

He is also co-authoring a book on XSS to be released tentatively on March 1, 2007
Cross Site Scripting Attacks: XSS Exploits and Defense

He also wrote the foreword for two books:-

Preventing Web Attacks with Apache
http://www.amazon.com/Preventing-Attacks-Apache-Ryan-Barnett/dp/

Hacking Exposed Web Applications, Second Edition
http://www.amazon.com/Hacking-Exposed-Web-Applications-Second/dp/


Contributions:-


Presentations:-

Hacking Intranet Websites from the Outside (Session code: HT2-107)
http://news.thomasnet.com/companystory/506356

Hacking Intranet Websites from the outside - "JavaScript malware just got a lot more dangerous"
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Grossman

Phishing with super bait
http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-grossman.pdf

Challenges of Automated Web Application Scanning
http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-grossman-up.pdf

Webserver Fingerprinting
http://www.whitehatsec.com/presentations/Black_Hat_Singapore_2002/BlackHat2002-Singapore.zip

The land that application security forgot
http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/bh-europe-01/jeremiah-grossman/bh-europe-01-grossman.ppt

Hacking Intranet Websites from the Outside with JavaScript Malware Dang (CSI NetSec)
https://www.cmpevents.com/CSINS7/a.asp?option=C&V=11&SessID=4896

StillSecure, After All These Years, Podcast #28
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/01/episode_28_of_s.html

Cross-Site Tracing (XST)
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

Automated Scanners vs. Low-Hanging Fruit
http://jeremiahgrossman.blogspot.com/2007/02/automated-scanners-vs-low-hanging-fruit.html


Speaking engagements:-

Jeremiah Grossman TV interview with ABC News (AU)
http://www.youtube.com/watch?v=HPutgmAzgQA

ISSA NORCAL Systems Security Symposium 2004, Network Security Conference 2004 – Web Application Security Auditing
http://www.issa-sac.org/conferences/2004/presentations.php#

Black Hat 2006 - Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"
http://www.blackhat.com/html/bh-japan-06/bh-jp-06-en-speakers.html#Grossman

Black Hat 2005 - Phishing with Super Bait
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#grossman

Black Hat USA 2004 - Panelist
http://www.blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html

AITP Central Valley – Web Application Security http://www.whitehatsec.com/presentations/AITP_CentralValley_062004.pdf

ISSA Sacramento 2004 – Auditing Web Applications
http://www.issa-sac.org/conferences/2004/presentations.php#

Blackhat Seattle 2004
http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-grossman-up.pdf

BlackHat Windows 2003 – Hacking Web Applications Training Class, Detecting Web Application Attacks Presentation
http://www.blackhat.com/html/win-usa-03/train-bh-win-03-wh.html

Blackhat New Orleans 2002 – Web Application Security and Arsenal http://www.blackhat.com/presentations/win-usa-02/grossman-winsec2002.ppt

Blackhat Europe 2001 – Web Application Security http://www.blackhat.com/presentations/bh-europe-01/jeremiah-grossman/bh-europe-01-grossman.ppt

Air Force Information Technology Conference 2001, Web Application Security
http://www.whitehatsec.com/presentations/AFITC_2001/afitc_2001.ppt

DefCon Las Vegas 2001 – Web Application Security in Theory and Practice
http://www.whitehatsec.com/presentations/Defcon9_2001/defcon9_presentation2001.ppt

Speaker and Panelist for the Web Application Security Forum (Tokyo, Japan) - "WASC Activities and U.S. Web Application Security Trends"
http://www.whitehatsec.com/presentations/WASC_WASF_1.02.pdf

Blackhat Singapore 2002 – Web Server Fingerprinting - "A first look into web server fingerprinting"
http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-grossman.pdf

Podcast with ITRadio (Risky Business #1)
http://www.itradio.com.au/?p=6

Credit Union Information Security Conference Panelist 2004 http://www.cunews.com/infosec.htm

Washington Software Alliance 2003 / ISSA Pugeot Sound 2003 / Blackhat Federal 2003 / SuperCIO 2003 / NASA AMES 2003 – Challenges of Automated Web Application Scanning
http://www.whitehatsec.com/presentations/NASA_AMES_2003_v1.0.ppt

ISSA San Diego – Auditing Web Applications
http://www.whitehatsec.com/presentations/Auditing-Web%20Applications.pdf

ToorCon San Diego 2001 (Couldn't find the url)


Proof of concepts:-

Intranet Hacking
http://jeremiahgrossman.blogspot.com/2006/09/video-hacking-intranet-websites-from.html

Browser Port Scanning without JavaScript
http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html

Bypassing Mozilla Port Blocking
http://jeremiahgrossman.blogspot.com/2006/11/bypassing-mozilla-port-blocking.html

I know if you're logged-in, anywhere
http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html

I know where you’ve been
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html

Goodbye Applet, Hello NAT'ed IP Address
http://jeremiahgrossman.blogspot.com/2007/01/goodbye-applet-hello-nated-ip-address.html

JavaScript Array Overwriting - Advanced Web Attack Techniques using GMail
http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html


Tools written by him:-

WhiteHat Webserver Fingerprinter (no longer available)
http://www.whitehatsec.com/presentations/Black_Hat_Singapore_2002/wh_webserver_fingerprinter.tgz

Scoring Tool CIS for the Apache Benchmark
http://www.cisecurity.org/bench_apache.html

WhiteHat Arsenal (no longer available)


Memberships:-

WASC Co-Founder


Blog:-

http://jeremiahgrossman.blogspot.com


Website:-

www.whitehatsec.com


Companies worked for:-

Amgen, Yahoo, WhiteHat


Email:-

jeremiah__at__whitehatsec__dot__com


He is a man of ideas and thinks differently from others. His blog is amongst the most followed blogs on information security. A must-follow figure in web application security to stay current with emerging threats and news.

Last Week – RSnake
Next Week – Ivan Ristic

Tuesday, February 20, 2007

Compliance - is it worth the money?

While surfing the net I found a posting on compliance:
http://bestsecurity.blogspot.com/2007/02/compliance-audit-is-not-substantive.html

Though it was more of a rant on compliance, it certainly made me think about my own experience with PCI compliance.

I do agree that compliance has a place in the industry. In my experience, had it not been for compliance, many companies would not have paid attention to web application security at all. Unfortunately, many product managers and project managers (in big enterprises) still do not understand the issue of web application security (or should I say don't want to understand), and hence we see a lot of vulnerable applications out there. As for small and medium businesses, the sheer cost of securing web applications in itself keeps them from going for the solutions. Compliance, in a way, is forcing them to do something about it. However, the problem starts with the governing agencies enforcing compliance. Take PCI compliance for example. It all started as a good idea to force companies to secure customer information, but then they lost focus along the way. It is OK as long as you are making sure the network and the applications aren't vulnerable, but when you want to force a company to have a source code audit done by an independent third party, that is where it gets ridiculous.
What about companies that don't want to reveal their source code? What if it is proprietary software? Can I trust the company doing my source code audit, and more importantly, can I trust the person doing my source code audit? We have seen cases of HackerSafe certifying websites as safe from hackers, and we have seen cases of bank employees (who are the guardians of customer information) selling that very customer information to outside agencies. Who can I trust? Not to mention, what is the guarantee that the person doing the source code audit has enough knowledge of the language, and more importantly, where are the secure coding guidelines for us to follow?
The sheer cost of doing web application security compliance, including black box testing, white box testing, source code analysis, web application firewalls, etc., will run into hundreds of thousands of dollars (as we saw at the RSA Conference), not to mention the amount you have to pay the auditors.

The other ugly side of compliance is the auditing companies. For PCI compliance, there have been too many companies doing audits at prices ranging from $1000 to $13000. This confused me in the beginning, and I started to ask what the value added for that extra money is. After doing a lot of research, I found out it's not about the value added for the extra money, it's about saving your neck. When you can buy a compliance certificate for $1000, why would you want to pay $13000? Of course, if you really are concerned about your security and want to do things the right way, then the price definitely will not be $1000.

I am sorry to say it, but compliance has become just another way for auditing companies to make money, and the real message has gotten lost.

Thursday, February 15, 2007

Reflection on RSnake


If you have heard of the XSS cheat sheet or http://ha.ckers.org/ then you already know him. His name is Robert Hansen, more popularly known as RSnake. If there is any mention of XSS, there is a big chance RSnake's name or his cheat sheet is mentioned along with it. His contribution to web application security awareness is legendary. On two of his many web sites (http://ha.ckers.org/ and http://sla.ckers.org/) you will find a wealth of information on various aspects of webappsec. His XSS cheat sheet is arguably the most referenced link in the webappsec space, with 27000 hits in the month of January '07 alone, and http://ha.ckers.org/ has around 10,000 unique visitors per day (not counting the RSS feeds), making it probably the most followed blog in the webappsec field. He has shared his technical expertise with a lot of industry professionals in their work, including but not limited to working with Microsoft engineers to address XSS issues, Cloaking to Stop Scraping, and his discussion with the author of the chilling effect.

Looking at his past, he started hacking when he entered college, which was when web applications were just getting started. In his words:

"I'm a college dropout but was studying Computer Engineering. It was way too boring. They were dealing with the theoretical nuances of computers and outdated technology (Pascal pseudo-code on Macintosh assembler). At the same time that I was going to school, in my part time jobs I was doing in practice what my professors could only barely grasp from a theoretical perspective. This was pre-bubble and my parents and my teachers were telling me to get out there and make my millions. I took angel funding for a project, and everything seemed to be going well, but then the stock market crashed, investment money dried up and I learned a hard lesson. It was the day I closed up shop at my own company that I learned everything I need to know about business.
My first PERL script was a top100 list for webfringe.com (long gone now). I had a lot of people trying to hack it. It was a fun experiment that I finally gave up on due to time issues, but it gave me a lot of insight into how you can spoof traffic. Hackers have some of the most interesting traffic on the Internet. It's a pleasure to host security sites, because I get great visibility into the techniques and tools."

RSnake is currently based in California but is planning to move to Texas, US and start his own company, SecTheory. At the WASC meetup I got a chance to meet him, and for a person who is known and respected by hackers and security professionals alike, he is very down to earth and has a good sense of humor, unlike a typical geek. Below are some of his contributions to the webappsec community. I say some because the information below does not represent all his work; even he has lost track of some of his work over the years.

Articles / Books

PGP Man in the Middle Attack

AcuTrust Entropy Attacks

Hardening HTAccess, Part One

Hardening HTAccess, Part Two

Hardening HTAccess, Part Three

Accessing Trillian Pro Remotely and Through an Encrypted Tunnel

Death By 1000 Cuts – a Case Study
http://ha.ckers.org/deathby1000cuts/

Is your money safe?
http://ha.ckers.org/old/

Electronic Commerce Insecurity
http://ha.ckers.org/old/10102002.shtml

Internet Mind Games
http://ha.ckers.org/old/07221998.shtml

Apache Information Disclosure Issues or, "How to detect cloaking"
http://www.secureseo.com/blog/2006/04_07_apache_information_disclosure_issues.html

He is also co-authoring a book on XSS to be released tentatively on March 1, 2007
Cross Site Scripting Attacks: XSS Exploits and Defense


Tools written by him:-

Fierce
http://ha.ckers.org/fierce/

MHTML framework
http://ha.ckers.org/weird/mhtml.zip

XSS fuzzer
http://ha.ckers.org/fuzzer/XSSFuzz.zip


Contributions:-

Lots of changes to browser technology over the years. He has started a number of security sites, written hundreds of articles, dozens of tools and many sample PoCs. He has also presented at Blackhat USA and at Networld+Interop on a Security Information Management roundtable (couldn't find the url).


Blogs:-

Web Application Security Blog
http://ha.ckers.org/

Snake Bytes
http://www.darkreading.com/blog.asp?blog_sectionid=403


Websites:-

He has started many security related sites, but these two are the most popular:

To discuss any aspect on web application security
http://sla.ckers.org


Memberships:-

ISSA, CISSP, OWASP, WASC, IASCP. He is also working on something to certify web application security engineers.


Companies worked for:-

He has worked for a major banner advertising company as an Information Specialist and for several start-up companies as Chief Operations Officer and Chief Security Officer. He is now starting his new company SecTheory - doing boutique web application and network security consulting.


Email:-

h__at__ckers.org

We will see a lot more contributions from him as he is working on some very cool stuff, and if you want to stay on top of webappsec then make http://ha.ckers.org/ the first site you visit. I wish him all the best in his new endeavor.


Last Week – Amit Klein
Next Week – Jeremiah Grossman

Tuesday, February 13, 2007

I don't want a product, I want a solution

RSA Expo is over, and it was good to see a lot of Web application security products being showcased there. The awareness about Web application security is increasing, and a lot of companies are coming out with new products to protect Web applications. Such products include network and Web application firewalls, identity management, auditing tools, Web application security tools and encryption tools. If there's a way your company can be hacked, there was a product to protect it.

Read the entire article here.

Thursday, February 08, 2007

Reflection on Amit Klein


Those who are in the web application security field need no introduction to his name. He is an expert and by far one of the best in the web application security space. He is one of the early starters in the field and has played a major role in raising awareness of webappsec. His contribution ranges from identifying vulnerabilities and publishing them to contributing to standards like the OWASP guide, the WASC threat classification and the web application firewall criteria. And those who are not aware should know that he was the one who also contributed to the solution for UXSS (the PDF XSS vulnerability). He is also a WASC (Web Application Security Consortium) officer and board member and co-leads the WASC articles project.

Based out of Israel, he started back in 1997 with Perfecto Technologies (which later became Sanctum), mostly heading security research activities. Sanctum was later acquired by Watchfire in 2004 which is when he left Sanctum / Watchfire. He is currently a CTO of a security company.

Below you will find a list of his articles, contributions, presentations and other details.

Articles:-

A Refreshing Look at Redirection
http://www.securityfocus.com/archive/1/450418

Sending arbitrary HTTP requests with Flash 7/8 (+IE 6.0)
http://www.securityfocus.com/archive/1/443391

Under some conditions, it's possible to steal HTTP credentials using Flash
http://www.securityfocus.com/archive/1/443191

Forging HTTP request headers with Flash
http://www.securityfocus.com/archive/1/441014

IE + some popular forward proxy servers = XSS, defacement (browser cache
poisoning)
http://www.securityfocus.com/archive/1/434931

Path Insecurity
http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html

HTTP Response Smuggling
http://www.securityfocus.com/archive/1/425593

Domain Contamination
http://www.webappsec.org/projects/articles/020606.txt

XST Strikes Back
http://www.securityfocus.com/archive/1/423028

Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more...
http://www.securityfocus.com/archive/1/411585

Detecting and Preventing HTTP Response Splitting and HTTP Request Smuggling Attacks at the TCP Level
http://www.securityfocus.com/archive/1/408135

NTLM HTTP Authentication is Insecure by Design
http://www.securityfocus.com/archive/1/405541

Can HTTP Request Smuggling be blocked by Web Application Firewalls
http://www.webappsec.org/lists/websecurity/archive/2005-06/msg00123.html

DOM Based Cross Site Scripting
http://www.webappsec.org/projects/articles/071105.html

Meanwhile, on the other side of the web server
http://www.itsecurity.com/security.htm?s=3957

HTTP Request Smuggling (with Chaim Linhart, Ronen Heled and Steve Orrin)
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

The Insecure Indexing Vulnerability - Attacks Against Local Search Engines
http://www.webappsec.org/projects/articles/022805-clean.html

Detecting and Testing HTTP Response Splitting Using a Browser
http://www.securityfocus.com/archive/107/378523

Blind XPath Injection
http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf

Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Other Topics
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

Secure Coding Practices for Microsoft ASP.NET
http://www.cgisecurity.com/lib/WhitePaper_Secure_Coding_Practices_VSdotNET.pdf

XS(T) attack variants which can, in some cases, eliminate the need for TRACE
http://www.securityfocus.com/archive/107/308433

Cross Site Scripting Explained
http://crypto.stanford.edu/cs155/CSS.pdf

Hacking Web Applications Using Cookie Poisoning
http://www.cgisecurity.com/lib/CookiePoisoningByline.pdf

Contributions:-

OWASP guide to building secure web application
http://internap.dl.sourceforge.net/sourceforge/owasp/OWASPGuide2.0.1.pdf

WAFEC
http://www.webappsec.org/projects/wafec/

WASC's Threat Categorization (TC)
http://www.webappsec.org/projects/threat/

Co-lead of the WASC articles project
http://www.webappsec.org/projects/articles/guidelines.shtml

Presentations:-

OWASP AppSec Europe Conference 2006 - "HTTP Message Splitting, Smuggling and Other Animals"

CERT 2002 Conference, August 2002 - "WWW Forensics"

FM'99 Congress, September 1999 - "A Perfect Verification: Combining Model Checking with Deductive Analysis to Verify Real-Life Software"

Memberships:-

Amit is a WASC officer and board member.

Companies worked for:-

Sanctum, Cyota (RSA security)

Education:-

B. Sc. Mathematics and Physics

Email:-

aksecurity__at__gmail_dot_com

And it doesn't end here; you will see a lot more coming from him. He is a must-follow figure of the webappsec field.

Next Friday – Reflection on RSnake

Wednesday, February 07, 2007

WASC meetup during RSA conference

Today at the WASC meetup, quite a crowd turned out and it was fun meeting a lot of players from the application security field. Here are some of the pictures from the meetup. You will see people like Jeremiah Grossman, RSnake, Arian Evans (Whitehat), Billy Hoffman (SPI), Robert Auger (cgisecurity.net), etc.

You can view more pictures at Jeremiah's blog