
Attacking SSL PKI (Louisville Infosec)

 
 

This is the video of the talk "Attacking SSL PKI" given at Louisville Infosec by Mike Zusman.

Abstract: The last year has been a rough one for SSL PKI. Fraudulently provisioned certificates, MD5 collisions, SSL spoofing attacks, and most recently, attacks against EV SSL. The variety of these attacks shows us how big the attack surface of SSL really is. From crypto attacks to browser design flaws, attackers have choices when it comes to man-in-the-middling SSL protected web sites. This presentation covers one of these vectors: real attacks against CA web sites. While some folks look to CAs for guidance when it comes to conducting secure business on the Internet, the CAs themselves can fall victim to the same attacks consumers look to them for protection against. EV SSL is a step in the right direction, but with a heavy reliance on low-assurance domain validated SSL certificates, can we ever get SSL right?

Speaker Bio: Mike Zusman is a Principal Consultant with the Intrepidus Group. Prior to joining Intrepidus Group, Mike has held the positions of Escalation Engineer at Whale Communications (a Microsoft subsidiary), Security Program Manager at Automatic Data Processing, and lead architect & developer at a number of smaller firms. In addition to his corporate experience, Mike is an independent security researcher, and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors and other third parties. He has spoken at a number of top industry events including Black Hat, CanSecWest, DEFCON, regional OWASP conferences, and also teaches Information Security & Penetration Testing at NYU/Polytechnic University. Mike brings 10 years of security, technology, and business experience to Intrepidus Group. He is a CISSP and an active member of the OWASP foundation.





 

 

Author
Vivek-Ramachandran

Vivek Ramachandran is a security evangelist and has been working in computer security related fields for the past 7 years. In 2007, Vivek spoke at the world-renowned conferences Defcon (WEP Cloaking Exposed) and Toorcon (The Caffe Latte Attack). The discovery of the Caffe Latte Attack was covered by CBS5 news, BBC online, Network World and other news agencies. In 2006, Vivek was announced as one of the winners of the Microsoft Security Shootout contest held in India among 65,000 participants. He has also been a recipient of a Team Achievement at Cisco Systems for his work on 802.1x and Port Security modules on the Catalyst 6500 switches. Currently he spends all of his time maintaining Security-Freak.Net and SecurityTube.Net, and is the co-founder of Axonize. Vivek holds a Bachelor's degree in Electronics and Communications Engineering from the prestigious Indian Institute of Technology, Guwahati. You can contact him at vivek[at]securitytube.net

 
©2007 Freak Labs