Exploiting PKI for Fun & Profit or The Next Yellow Padlock Icon?

DerbyCon 1 - 2011

Presented by: Thomas Hoffecker
Date: Saturday October 01, 2011
Time: 11:00 - 11:50
Location: Track 2

Public Key Infrastructure (PKI) provides a large attack surface for the pentester. While attacking PKI directly may seem like a juicy target, using the information freely provided by PKI is of much more value than attempting to compromise well protected and monitored servers. This talk will demonstrate the information disclosure that is present in PKI implementations of large organizations in the private and public sector. It will explore the use of that information for purposes of social engineering, phishing, and network recon/profiling. Users have been groomed to accept anything that is signed or encrypted. Misusing the trust that users place in PKI is the new yellow padlock icon!

Thomas Hoffecker

Thomas Hoffecker is currently a senior Information Assurance (IA) leader at a DOD Agency in Northern Virginia. He oversees infusion of new IA technology to his Agency and supervises IA Managers that support enterprise business applications. He has worked for numerous DoD organizations including the Defense Logistics Agency (DLA), at Fort Belvoir, Virginia, the Army Network Operations & Security Center (NOSC) at Fort Belvoir, Virginia, and the 1st Information Operations Command’s Regional Computer Emergency Response Team (RCERT) Europe in Mannheim, Germany, DoD Education Activity (DoDEA) in Wiesbaden, Germany, and multiple contractors supporting the DoD. He has multiple industry certifications and holds a security clearance. In his spare time, he and his wife foster dogs for Maryland Westie Rescue (http://www.marylandwestierescue.org).


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats