Sunday, August 5, 2012

An interesting identity verification threat, observed

A threat model I have occasionally considered for things in the past is the use of a system for identity verification.  This could be verifying full stolen identities, or in the perhaps more common case, verifying stolen credit card numbers.

However, I've never actually seen this "in the wild" until recently.  A few weeks ago, I did some log analysis for a site that was suffering a high number of invalid donations in a short period of time (after they'd blocked the offending IPs and renamed the donation form).

It was good fun - I actually was able to observe the behavior of "analyze site, write script, run script from a compromised client, get confused when 404s show up, give up."

Wednesday, August 1, 2012

Cryptohaze Cloud Cracking Slides & Writeup

If you just want the slides of the talk, here you go:

If you're interested in a commentary on the slides, read on!