In this talk, I will show real-world examples of misuse, abuse, and improper handling of sensitive passwords inside an application that contained 1.2M user credentials. When doing penetration testing, we must remember that a breach in one system can lead to a breach in another system because of the implicit trust relationships we build to get the job done. I will talk about how our attack progressed, what controls were missed, and how we used 4x Graphics Processing Unit (GPU) video cards to recover 600 thousand user passwords in a <24-hour period.
David M. N. Bryan has 16+ years of experience and is part of IBM's X-Force Red. He also helps run Thotcon.