lya Nesterov is currently an engineering manager at Shape Security. Prior to Shape, Ilya worked at F5 Networks, and earned his master's degree from Tomsk Polytechnic University. His interests include, but are not limited to, modern Web Application security threats and countermeasures, botnets, malware infrastructure, exploits and honeypot development. Ilya also works as an independent security researcher and is a speaker on security topics.
Maxim Goncharov is a Threat Analyst with 16 years working experience in the field of computer security. He is equipped with knowledge in research and development of threat analytics systems, producing white papers based on research work and presenting these research results at security conferences. Maxim participates as speaker at various security conferences and training seminars regarding the topic of cybercrime and related issues (e.g.cyberterrorism, cybersecurity, underground economy, etc.), like PacSec,Power of Community, DeepSec, VB, APWG. He performs underground research and the development of secure analytics tools are some of the most important parts of his day- to-day work.
[Abstract]
==========
One of the central points of failure is an email address. We used to get access to our bank accounts, social networks and much more. For SMB and Enterprise - email address most often targeted entry point for advanced persistent threat (APT) attacks.
But how good we are at protecting our e-mail accounts?
There is always a compromise between security and usability. Still remember times when you need to enter obtain all information about smtp/pop/imap servers and enter them in order to configure your e-mail account. Now it is as simple as just typing your email and password. But when you rely on technology that simplifies your life, it is always complex and sophisticated inside and there is always huge chance of failure to implement it.
In our presentation we will disclose severe vulnerability of mail clients ,as well, as software services that could lead an attacker to take over the access to sensitive user information, sometimes including usernames and passwords.
We’ll also demonstrate how improper email client implementation leak user credentials and what software developers, server administrators and users can do to prevent it.
Attendees will see live data feed with popular email client names and who’s leaking what. We will demo Apple iPhone wiping using above mentioned vulnerability.