Web Security Guide to Black Hat 2015

An important web security concept around “A Breach Anywhere is Breach Everywhere,” will be highlighted at Shape’s booth during Black Hat conference this week. Prominent attacks such as Uber account hijackings highlight how spilled credentials obtained from previous breaches can lead to account hijackings on another B2C site.

Make sure to check out Black Hat sessions relevant to escalating web security threats such as password cracking (Cracklord) as well as expanding web attack surface on technologies like EdgeHTML and Node.JS. You can also engage with web security anti-automation experts at the Shape Security booth #558. On Wednesday at 2:30 pm Shape will be hosting Ted Schlein, Partner at Kleiner Perkins (investor in ArcSight, Fortify, Mandiant), former CEO of Fortify and executive at Symantec.

Cracklord – A Friend of Credential Stuffers
If credential stuffing allows criminals to turn lead into gold, hash cracking is the act of digging lead from the Earth. Cracklord, a system designed to crack password hashes, will be explained by researchers from Crowe Horwath. As password cracking tools increase the pool of available credentials, B2C companies need to strengthen their web security defenses to defeat credential stuffing and account hijacking attacks.

New web attack surfaces revealed

Web attack surfaces are constantly expanding as new web technology frameworks and browser technologies continue to be developed and popularized. Those web frameworks offer both the opportunity for built-in security, as well as the risk of a vulnerability affecting the entire user base. In this year’s BlackHat, two briefings on EdgeHTML and Node.JS are particularly relevant.

Researchers from IBM will talk about new attack surfaces within Microsoft’s next generation rendering engine EdgeHTML (codename Project Spartan). Researchers from Checkmarx will talk about different attack methods on Node.JS as well. It’s important for B2C companies to be aware of these new vulnerabilities as attackers are likely to exploit them.

Stop by Shape’s booth #558
Stop by to engage with Shape’s anti-automation specialists to evaluate risks to your website and learn how to protect your web application and mobile API services. On Wednesday, you will get a chance to meet with Ted Schlein, Veteran VC at KPCB (investor in ArcSight, Fortify, Mandiant) and former CEO of Fortify and exec at Symantec.

Have fun and hope you enjoy your week at Black Hat!

Links for relevant sessions on web security


Please follow Shape Security on Twitter – #ShapeSecurity