RSA APJ 2014, CDS-W07 Slides

Here are the slides for my presentation, Building and Breaking Privacy Barriers, at this year’s RSA Asia Pacific and Japan conference in Singapore.

The slides convey more theory than practical examples, but the ideas should come across without too much confusion. I expect to revisit the idea of a Rot network (a play on Tor) and toy with an implementation. Instead of blocking tracking bugs, the concept is to reduce their utility by sharing them across unrelated browsers — essentially polluting the data.

In any case, with this presentation over and out of the way, it’s time to start working on more articles!

RSA US 2013, ASEC-F41 Slides

Here are the slides for my presentation, Using HTML5 WebSockets Securely, at this year’s RSA US conference in San Francisco.

It’s a continuation of the content created for last year’s BlackHat and BayThreat presentations. RSA wants slides to be in a specific template. So, these slides are less visually stimulating than I usually have the freedom to create. (RSA demands an “Apply” slide at the end. Otherwise they don’t know if you told attendees how to apply what you were talking about for the last 45 minutes.) Still, the slides should convey some useful concepts for understanding and working with WebSockets.

This is hardly the end for this topic. But there’s a long list of other material that I need to finish before this protocol gets more attention.

RSA Europe 2012, ASEC-303 Slides

Here are the slides for my presentation, Mitigating JavaScript Mistakes Using HTML5, at this year’s RSA Europe.

The goal is to show that the move towards more complex web apps demands more complex JavaScript, which in turn creates more potential for security bugs. Yet rather than audit every line of deployed JavaScript, we can apply controls like Cross-Origin Resource Sharing (CORS), HTML5 iframe sandboxes, and Content Security Policy headers to improve the security of apps within the browser. These countermeasures don’t fix server-side code, but they do help reduce the impact to users when hackers try to exploit vulns within a web site.

I’ll continue to post more articles here that expand and explain the slides. For example, the references to BeEF are intended to show the relation of variable scope, objects, prototypes, and hijacking content within JavaScript in a sort of hack-the-hacker approach. Since BeEF relies heavily on JavaScript, it’s a nice way to explore concepts with a real-life scenario that could attack any site, rather than show the concepts against some fake sites.

And thanks in advance to all who attended.

RSA Europe 2011

Here are the slides I used for my presentation at RSA 2011 Europe. The topic was HTML5 with an emphasis on distinguishing between HTML5 features that may present vulnerabilities vs. how HTML5 would simply be leveraged as part of older exploits. It also touches on broader aspects of web security such as design vs. implementation issues, the impact of mobile devices, and how using frameworks can improve security — as long as the frameworks themselves are good.

RSA Presentation

Last week San Francisco hosted the RSA USA 2010 Conference. I gave a presentation with the buzzword-heavy title, “Does Web 2.0 Need Web Security 2.0?”. (The presentation was lamentably labeled Advanced, even though it didn’t touch on in-depth technical details.)

The basic premise is that the term “web 2.0” as typically used bears little meaning for security (or otherwise). Most of the security problems of today, let alone the types of web sites, have precedents at least 10 years old. The distinguishing factor is that, although most of the vulnerabilities have remained the same, the number and sophistication of threats has increased.

Of course, there are emerging areas for web development and security, specifically the shift toward heavy client-side computing with JavaScript. So, while sites may be adopting new design patterns based on JSON, the XMLHttpRequest object, and DOM manipulation, they may also be lagging behind on enforcing state management, authorization, and authentication for the server-side aspect of the web site.
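As an added example (not from the presentation or this post), here is the same "delete user" request handled two ways: once trusting the role field that the client-side JavaScript put in the JSON body, and once taking the role from the server's own session record. The session store, cookie name and request bodies are constructed sample data.

```javascript
// Added example, not from the original presentation. SESSIONS, the "sid"
// cookie and the request bodies are constructed sample data.

// Constructed server-side session store, keyed by the session cookie value.
const SESSIONS = new Map([
  ["sid-alice", { user: "alice", role: "user" }],
  ["sid-root", { user: "root", role: "admin" }],
]);

function parseCookies(header) {
  const out = {};
  for (const part of String(header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Vulnerable: the role is read from the JSON the client-side JavaScript sent.
// Anyone can open the developer tools and POST {"role":"admin"} via
// XMLHttpRequest; the server never checks who is actually logged in.
function deleteUserVulnerable(body) {
  const req = JSON.parse(body);
  if (req.role !== "admin") return { status: 403 };
  return { status: 200, deleted: req.target };
}

// Hardened: the client only names a session; the role comes from the
// server's own record of it, which the client cannot rewrite.
function deleteUserSecure(cookieHeader, body) {
  const sid = parseCookies(cookieHeader).sid;
  const session = sid ? SESSIONS.get(sid) : undefined;
  if (!session) return { status: 401 };                 // not authenticated
  if (session.role !== "admin") return { status: 403 }; // authenticated, not authorized
  let req;
  try { req = JSON.parse(body); } catch (e) { return { status: 400 }; }
  if (typeof req.target !== "string" || req.target === "") return { status: 400 };
  // Any "role" field the client included is simply ignored.
  return { status: 200, deleted: req.target };
}
```

The client-side code can stay as rich as it likes; what matters is that the server derives identity and role from state it controls (the session) rather than from fields the browser sent.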

As developers continue to struggle with securing complex web applications, consumers of these allegedly 2.0 sites, i.e. Infrastructure, Platform, or Software as a Service, face security and privacy concerns outside of technical vulnerabilities like XSS or SQL injection. Information has value and when the information resides solely in the browser, attackers don’t need to worry about buffer overflows or firewalls in order to compromise that data.