SPI Dynamics Web App Security Workshop Series on April 17 in Richmond, VA
Join us for this informative workshop where we will discuss best practices for implementing security early in the software application lifecycle. Workshop participants will learn specific techniques that can be used to uncover and resolve security defects before hackers do.
Who should attend:
Developers, QA professionals and security professionals who are interested in Web application security.
Cost: Complimentary
RSVP Required - email consulting@quietmove.com
Or fill out this Contact Form, letting us know in the comments you’d like to attend this event.
What you will learn:
- The evolution of Web applications and why they need to be secured
- Advanced hacking techniques like SQL Injection, Blind SQL Injection, Session Hijacking and several other hacks
- Why current HTTP security measures fall short
- Specific methods for integrating Web application security into your company’s software development and implementation processes
- How to build Web application security policies
- How legal and regulatory issues relate to Web application security
Richmond, VA
April 17, 2007
Omni Richmond Hotel
100 South 12th street
Richmond, VA 23219
Phone: 804-344-7000
Continental Breakfast
9:00 A.M. - 9:30 A.M.
Workshop
9:30 A.M. - 12:00 P.M.
Optional Demo
12:00 P.M. - 12:30 P.M.
SPI Dynamics Web App Security Workshop Series on Mar. 29 in Minneapolis
Join us for this informative workshop where we will discuss best practices for implementing security early in the software application lifecycle. Workshop participants will learn specific techniques that can be used to uncover and resolve security defects before hackers do.
Who should attend:
Developers, QA professionals and security professionals who are interested in Web application security.
Cost: Complimentary
RSVP Required - email consulting@quietmove.com
Or fill out this Contact Form, letting us know in the comments you’d like to attend this event.
What you will learn:
- The evolution of Web applications and why they need to be secured
- Advanced hacking techniques like SQL Injection, Blind SQL Injection, Session Hijacking and several other hacks
- Why current HTTP security measures fall short
- Specific methods for integrating Web application security into your company’s software development and implementation processes
- How to build Web application security policies
- How legal and regulatory issues relate to Web application security
Minneapolis, MN
March 29, 2007
Minneapolis Marriott City Center
St. Croix room
30 South 7th Street
Minneapolis, MN 55402
Phone: 612.349.4000
Continental Breakfast
9:00 A.M. - 9:30 A.M.
Workshop
9:30 A.M. - 12:00 P.M.
Optional Demo
12:00 P.M. - 12:30 P.M.
Hackers from India Indicted for Online Brokerage Intrusion Scheme
From http://www.infozine.com/news/stories/op/storiesView/sid/21633/
A few snippets from the article:
“A federal grand jury in Omaha, Neb., has indicted three individuals on charges of conspiracy, fraud and aggravated identity theft stemming from a high-tech, international fraud scheme designed to hijack online brokerage accounts for profit…”
“As part of this ongoing investigation, at least 60 customers and nine brokerage firms in the United States and elsewhere have been identified as victims, with one of the brokerage firms reporting more than $2 million in losses. Today’s case marks the first time that individuals have been arrested overseas in connection with an online brokerage intrusion scheme perpetrated in the United States.”
Bravo for catching these guys, but I’m frankly surprised that it’s the first time an overseas arrest has happened for this kind of activity! Does that mean everyone else who has done it, has gotten away with it?
Here’s what they actually did. Smells like XSS flaws were involved, but the article doesn’t say.
“Hack, Pump and Dump” Scheme
“In one of many examples alleged in the indictment, Marimuthu placed orders on Aug. 28, 2006, through his personal online brokerage account, to purchase 32,000 shares of stock in a company at prices from $2 to $3.20 per share. Chockalingam also placed an order through his personal online brokerage account to purchase 450 shares of the same stock for $3.20 per share.”
“The same day, the defendants gained unauthorized access to the online brokerage account of an unsuspecting investor. According to the indictment, the defendants used this account to illegally acquire 26,000 shares of the same stock at prices from $2.84 to $3.40 per share, causing the stock’s trading volume to rise to more than nine times its 15-day average.”
“Marimuthu then placed an order to sell 1,500 shares of the same stock from his personal online brokerage account at five dollars per share. This was one of at least 22 sell orders for this stock placed in Marimuthu’s personal online brokerage accounts between Aug. 28, 2006, and the morning of Aug. 29, 2006. These transactions allegedly resulted in the sale of 30,700 shares of this stock, yielding a substantial profit for the defendants over the course of just a few hours. The defendants used this type of scheme with various stocks between July and November 2006.”
This was a creative way to apply hacking to the “pump and dump” stock scam. Fortunately the miscreants have been caught (except for one) and are being prosecuted.
I suspect it was a combination of phishing and XSS which was used to compromise the accounts. As the court cases unfold, I’m going to follow this because I am very curious to find out about how they were caught.
-Adam