One of the highlights of my 2014 was speaking at DefCon 22 in early August. I got to present my ideas on a big stage, meet some interesting folks in the security community, and lose a small amount of money at Las Vegas casinos.
It was my first DefCon, so I was a bit overwhelmed. My coworkers and the Speaker Goons took good care of me, and I managed to survive the weekend.
The main idea of the presentation is that, to an attacker, web cookies can be more valuable than passwords. Sites generally send authentication cookies to your browser after two-factor authentication takes place. If someone can steal cookies off of your computer, they will be able to log in as you without redoing two-factor authentication; a stolen password does not have this power.
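To make the point concrete, here is an added example (not code from the talk or the post) of a toy session store: a cookie is only issued after both the password and a hypothetical second factor check out, so a copied cookie carries the "already passed 2FA" state while a copied password does not. The store also shows two defender-side controls that shrink the window a copied cookie is useful for: a session lifetime, and binding the session to a client fingerprint (a constructed user-agent/IP string here; the exact fingerprint inputs, the `SessionStore` class and its method names are assumptions for illustration).

```python
"""Toy session model: why a post-2FA cookie is worth more than a password.

Constructed example for illustration. The fingerprint string, the session
lifetime and the SessionStore API are assumptions, not any real site's design.
"""
import hashlib
import hmac
import secrets


class SessionStore:
    """In-memory session store with lifetime and client-fingerprint binding."""

    def __init__(self, lifetime_seconds=3600, secret=None):
        self.lifetime = lifetime_seconds
        # Server-side key so the stored fingerprint hash cannot be forged.
        self.secret = secret or secrets.token_bytes(32)
        self._sessions = {}

    def _fp_hash(self, client_fp):
        return hmac.new(self.secret, client_fp.encode(), hashlib.sha256).hexdigest()

    def login(self, user, password_ok, second_factor_ok, client_fp, now):
        """Issue a session cookie only after password AND second factor succeed."""
        if not (password_ok and second_factor_ok):
            return None
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[token] = {
            "user": user,
            "issued": now,
            "fp": self._fp_hash(client_fp),
        }
        return token

    def whoami(self, token, client_fp, now):
        """Resolve a presented cookie to a user, or None if it is not accepted."""
        session = self._sessions.get(token)
        if session is None:
            return None
        # Control 1: a copied cookie stops working once the session expires.
        if now - session["issued"] > self.lifetime:
            del self._sessions[token]
            return None
        # Control 2: a cookie replayed from a different client is rejected
        # and the session is revoked so the legitimate user must re-authenticate.
        if not hmac.compare_digest(session["fp"], self._fp_hash(client_fp)):
            del self._sessions[token]
            return None
        return session["user"]


def demo():
    """Walk through the scenarios the post describes and return the outcomes."""
    store = SessionStore(lifetime_seconds=600, secret=b"\x01" * 32)
    browser = "ua=Firefox/100;ip=192.0.2.10"          # constructed fingerprint
    elsewhere = "ua=python-requests;ip=203.0.113.7"  # constructed fingerprint
    results = {}

    # A stolen password alone does not get past the second factor.
    results["password_only"] = store.login("alice", True, False, browser, now=1000)

    # After password + 2FA the cookie is issued and works from the same client.
    cookie = store.login("alice", True, True, browser, now=1000)
    results["issued"] = cookie is not None
    results["same_client"] = store.whoami(cookie, browser, now=1060)

    # The same cookie presented from a different client is rejected (and revoked).
    results["other_client"] = store.whoami(cookie, elsewhere, now=1060)
    results["revoked_after_mismatch"] = store.whoami(cookie, browser, now=1061)

    # A fresh cookie stops working once the lifetime has elapsed.
    cookie2 = store.login("alice", True, True, browser, now=2000)
    results["expired"] = store.whoami(cookie2, browser, now=2000 + 601)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The fingerprint check is a heuristic, not a fix: malware running on the victim's own machine presents the same user-agent and address, so it would pass. That is why the lifetime control matters, and why sites typically re-prompt for the second factor before sensitive actions regardless of cookie state.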
In the talk, I went into detail about various ways that cookies can be stolen from popular web browsers. I focused on client-side attacks (malware and reading unencrypted hard drives), because sniffing cookies that are sent over plain HTTP connections has been done numerous times before.
DefCon was definitely a lot of fun. If you’re interested in computer security, it’s a great event. The DefCon documentary is worth watching, too. Thanks to everyone who helped put on the con, and for giving me the opportunity to speak!