Tuesday, August 7th, 2007
Blackhat and DEFCON are now officially in the history books! Nate and I had the opportunity to catch up with lots of old friends, as well as make a few new friends in the security world. Nate and I were lucky enough to get a speaking spot at DEFCON (which was AWESOME) and I’ll be posting the slides and demos on the site within the next few days.
I had a lot of questions about the specifics of the Flash demo I finished with during my DEFCON talk. I’ll be putting up some PoCs on how to force well-known web mail servers to take ownership of a custom crossdomain.xml file, which could allow for cross-domain requests through Flash applets (as demonstrated in the DEFCON demo).
We also had a lot of questions about URI exploitation. Nate and I should have some more examples coming soon… but in the meantime, any questions we didn’t get a chance to answer in Vegas can be sent to our email accounts.
I’ll be in and out for the next few days as I wrap up some forensics training, so my response may be a little slow. If anyone is interested in talking about forensics, shoot me an email.
Next up on the list for me is HITB Malaysia! It should be interesting as I’ll be showing how to pull off Anti-DNS Pinning in full-blown Java Applets (JVM, not LiveConnect). It works with IE and no proxy is required!