Matt Johansen, Manager of the Threat Research Center at WhiteHat Security, gave a very interesting talk to a packed room at the Austin OWASP chapter meeting on 3/31.
Matt and Johnathan Kuskos ran a research project in which people nominated web hacks from 2014. A panel of judges – Jeff Williams, Zane Lackey, Daniel Miessler, Troy Hunt, Giorgio Maone, Peleus Uhley and Rohit Sethi – then ranked the nominations to produce the top 10 list.
- Web hacks own headlines; cool branding increases notoriety of hacks
- The fact that everybody’s data is on the web makes it increasingly attractive as a target
- Some hacks are dastardly but very simple; some require lots of crazy hard work
- Transport layer remains a tasty target
And the “winner” is Heartbleed!
Heartbleed has the additional “feature” of being undetectable – there is no way to tell whether you’ve been attacked.
ShellShock, AKA Bashdoor, took second place. Matt described it as “stupid easy” and talked about it having been present in bash for 25 years before it was detected.
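The one check a practitioner wants after hearing this is whether their own bash still has the behaviour: a function definition passed through the environment with a command appended after it. The script below is an added example, not part of Matt's talk or WhiteHat's material; it only exercises the local bash binary and prints a per-host verdict that can be collected into an inventory. The variable name `x` and the `marker`/`probe` strings are arbitrary constructed values.

```shell
#!/bin/sh
# Added example (not from the talk): local self-check for the ShellShock
# behaviour, i.e. bash executing a command appended to a function definition
# that arrives via the environment. It touches nothing but the local shell.

check_shellshock() {
    # Without bash there is nothing to check.
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }

    # A patched bash defines no function from this variable and ignores the
    # trailing command, so only the child's own "probe" line is printed.
    out=$(env x='() { :;}; echo marker' bash -c 'echo probe' 2>/dev/null)

    case "$out" in
        *marker*) echo "vulnerable" ;;
        *)        echo "patched" ;;
    esac
}

# Report the bash version alongside the verdict so it can be logged per host.
report_shellshock() {
    ver=$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null || echo "unknown")
    echo "host=${HOSTNAME:-localhost} bash=$ver shellshock=$(check_shellshock)"
}

report_shellshock
```

Run it from a configuration-management job or a fleet-wide SSH loop and grep the output for `shellshock=vulnerable`; a result of `no-bash` means the host has no bash at all and is out of scope for this particular bug.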
The complete video of Matt’s presentation is here https://vimeo.com/channels/owaspaustin
Matt and Johnathan's slides are here https://twitter.com/mattjay/status/583063734605631488