[ mainpage :: register :: conference :: training :: the venue ]
[ capture the flag (CTF) :: hitb cinema :: lock picking village :: zone-h/hitb hacking challenge :: bzflag ]
[ call for papers (CFP) :: conference agenda :: sponsors :: press/media :: forum ]
[ conference kit (PDF) :: past conferences :: contact us ]

Conference Materials: http://conference.hitb.org/hitbsecconf2007kl/materials/

Official Photos: http://photos.hitb.org

Billy K. Rios (Senior Researcher, Verisign)

Filed under: Main Page — Administrator @ 9:27 pm

Presentation Title: Slipping Past The Firewall
Presentation Details:

Using a lethal combination of various client side attacks we’ll smash the same origin policy, punch our way through your firewall, and dropkick an Oracle database on your internal network (and we’re NOT talking about SQL Injection!). Although the sophistication of client side attacks has dramatically increased over the last few years, many in the security community continue to dismiss the true dangers of these attacks. These �non-believers� feel that client side attacks are simply limited to HTTP based attacks or �phishing� attacks against careless individuals. This talk will demonstrate some techniques used by attackers to establish a �staging point� on your internal network. This staging point will be used to conduct NON-HTTP based attacks against various services on YOUR internal network. Specific demonstrations include:

  • Slipping attacks past the Firewall
  • Establishing a �Staging Point� on the internal network through the use of malicious Java Applets.
  • Breaking the JVM Same Origin Policy.
  • Establishing a bi-directional control channel from the attacker to the internal Network.
  • Initiating a Full Connect port scan of a system on the internal network.
  • Attacking an SMTP server on the internal network.
  • Brute forcing the credentials for an Oracle database server located on the internal network.
  • Attacking an Oracle Database on the internal network, giving the remote attacker the ability to issue SQL queries DIRECTLY to your database via JDBC and read the responses.

    About Billy

    Billy Rios is a Senior researcher for VeriSign. He has performed network, application, web-application, source-code, wireless, Internet, Intranet, and dial-up security reviews and security architecture design services for various clients in the Fortune 500.

    Prior to joining VeriSign, Billy worked as a penetration tester for E&Y’s Advanced Security Center. Billy also worked as an Intrusion Detection Analyst with the Defense Information Systems Agency (DISA). While at DISA, Billy provided vulnerability analysis, network intrusion detection, incident response, incident handling and formal incident reporting of incidents related to Department of Defense information systems throughout the entire Pacific Region.

    Billy has an undergraduate degree in Business (Information Systems) from the University of Washington and a Master of Science Degree in Information Systems (with Distinction) from Hawaii Pacific University. Billy is also a Captain in the United States Marine Corps Reserve and served as an active duty Marine Officer during Operation Iraqi Freedom.

  • ** Presenting with Nathan McFeters



    Event Organizer


    Hack In The Box (M) Sdn. Bhd.

    Supported & Endorsed By


    Malaysian Communications and Multimedia Commission (MCMC)


    Malaysian Administrative Modernisation & Management Planning Unit

    Platinum Sponsors


    Microsoft Corporation

    Gold Sponsors


    SCANIT ME LLC

    Official Airline Partner


    Internet Bandwidth Sponsor


    Global Transit

    CTF Sponsor


    Scan Associates

    CTF Prize Sponsor


    Scan Associates

    Sponsor for Zone-H/HITB Hacking Challenge


    Ascendsys

    HITB Cinema Sponsor


    Avenuz Sdn. Bhd.

    Official Creation Station


    The Womb.com

    Our Speakers are Supported By


    F-Secure Corporation


    Arbor Networks


    Mediaservice.net


    Bellua Asia Pacific


    ERNW GmbH


    Mozilla Corporation


    Mu Security

    Supporting Media:

    Virus Bulletin

    Virus Bulletin (VB)

    InfoSec News

    (ISN) InfoSec News

    InfoSec News

    XAKEP (Russia)

    Insecure Magazine

    PHRACK Magazine

    Hakin9 Magazine

    Supporting Organizations


    Chaos Computer Club


    ISECOM - Insititue for Security and Open Methodologies


    ISACA


    IT Underground


    X-Focus China

    Zone-H Defacement Mirror


    Xatrix Security


    Special Interest Group in Security & Information InteGrity Singapore


    Syscan