HITB 2008 Malaysia conference
HITBSecConf2008, one of the biggest security conferences, is scheduled for 30 Oct 08 in Malaysia. The event details are below:
Venue: The Crowne Plaza Mutiara Kuala Lumpur (http://www.crowneplazakl.com/)
Hands-On Technical Training Sessions – DAY 1
Date: 27th October 2008
Time: 0900 – 1830
TECH TRAINING 1 – Structured Network Threat Analysis and Forensics
TECH TRAINING 2 – Bluetooth, RFID & Wireless Hacking
TECH TRAINING 3 – Web Application Security – Advanced Attacks and Defense
TECH TRAINING 4 – The Exploit Laboratory
Hands-On Technical Training Sessions – DAY 2
Date: 28th October 2008
Time: 0900 – 1830
TECH TRAINING 1 – Structured Network Threat Analysis and Forensics
TECH TRAINING 2 – Bluetooth, RFID & Wireless Hacking
TECH TRAINING 3 – Web Application Security – Advanced Attacks and Defense
TECH TRAINING 4 – The Exploit Laboratory
Conference DAY 1
Date: 29th October 2008
Time: 0900 – 1800
Triple Track Security Conference featuring new HITB Labs
Capture The Flag (CTF)
Lock Picking Village
Wireless Village
Open Hack
Conference DAY 2
Date: 30th October 2008
Time: 0900 – 1930
Triple Track Security Conference featuring new HITB Labs
Capture The Flag (CTF)
Lock Picking Village
Wireless Village
Open Hack
But the presentation I am most looking forward to there is by Adrian ‘pagvac’ Pastor. He will be presenting an updated version of Cracking into Embedded Devices and Beyond!. It is a 0-day vulnerability for which he will be giving full details on the 30th. According to him:
“In this case, the attacker exploits a vulnerability which doesn’t affect the targeted website, nor the software installed on the victim user’s computer. Instead, the attacker exploits a vulnerability on the firewall appliance in charge of protecting the corporate user. Additionally, the cross-domain vulnerability is of universal nature, which means that any website can be hijacked as long as the victim user’s connection is protected by a firewall appliance of the affected vendor in question.
In summary, by exploiting this vulnerability the attacker:
- can hijack ANY website. i.e.: steal session IDs, inject non-legitimate HTML content, and other evil goodness
- doesn’t need to find any XSS on the website he/she wants to hijack
- doesn’t need to find any vulnerability on software present on the victim user’s computer
There is virtually nothing the victim user can do to protect against this attack if his/her connection is “protected” by a firewall appliance affected by this vulnerability. There are other factors that make this vulnerability quite special, but as I said, I can’t give too many details for now. All in all, this finding is a good reminder that our online security not only depends on end-point systems such as the client and server that have established a connection, but also all the hops/devices in between.”
Hmmm. Need to wait till he releases the details and the vendor releases the patches.