Website Impersonation Attacks: Who is REALLY Behind That Mask?

Global Events / Cybersecurity Books

Jason Mortensen has been practicing information security for over a decade, solving real world business problems in a global, corporate environment. He has demonstrated technical leadership in numerous areas in information security, including web application security, risk assessment and management, user authentication, identity and access management, and security standards development.

Learning Objectives:

Jason will explain:

Questions and answers

Max, Concise Courses:
Are you familiar with the firefox addon “HTTPS Everywhere”? Should I get my team to install it on their browsers?

Jason Mortensen:
Yes, HTTPS Everywhere is a really good idea. What the [Firefox add-on] does is it [acts] like a plug-in and it takes your Firefox and when you try going to a website, for example Facebook and go to the regular HTTP Facebook, this browser extension will intercept that and force your browser to try to go to the HTTPS website. I think it’s a good idea to force HTTPS wherever you can, and this is certainly a tool that will help you do that just in case you do go to a website that is not encrypted this will attempt to force you to use the encrypted part of the website to make sure that any passwords or session tokens are protected.

Max, Concise Courses:
What do you think of Web Goat, is it worth learning and what is your favorite resource for this subject?

Jason Mortensen:
There are a number of different tools that help people to learn Web Application Security. I think that Web Goat is a good resource, there are a number out there, I know that Foundstone has a number of vulnerable websites that you can use to practice hacking techniques for Web Hacking. Typically you want to make sure that you testing a website that you have access to, so some of the websites that are vulnerable on purpose – that’s a great way to test out these things without getting into trouble.

There are a number of tools. You ought to use a local proxy tool that will allow you to intercept the HTTP traffic and manipulate it before you send it back. OWASP has the ZAP Tool and I know BURP Proxy is a very common and very well done tool. Web Goat is fine though.