SAN FRANCISCO — The RSA Conference 2007, a gathering of 15,000 computer security professionals, is getting under way this morning with keynote presentations from Microsoft Chairman Bill Gates and Chief Research and Strategy Officer Craig Mundie. Their topic: “The Imperative to Connect: Advancing Trust in Computing.” Also on the agenda: executives of EMC’s security division, RSA; John W. Thompson, chairman and CEO of Symantec; and a panel of cryptographers.
So who’s here? Presumably, at least some of the attendees can step up to the consumer-facing Web site of a fictional bank — Big Safe Bank — and do some damage. The attackers in this fictional scenario are given some “helpful information,” including customer ID numbers, account numbers and passwords.
Here are five tasks laid out as part of the conference’s interactive testing challenge. I imagine most attendees would say they’re here to stop people from doing these and other nefarious things.
Find a way to impersonate a user when sending a message using the “Contact Us” feature.
Create a new account and escalate user privileges by exploiting the Web site’s vulnerability to a SQL injection.
Execute a phishing attack that would cause an actual user to unknowingly transfer money to a West Indies Bank account.
Transfer money to the West Indies account without any intervention from the victim user.
Borrow money past the user’s allowed loan amount.