Saturday, March 17, 2007

Reflection on Billy Hoffman

This week on Reflection we have a very young guy from the webappsec field. Billy Hoffman is a lead security researcher for SPI Dynamics, where he works on discovering and automating web application vulnerabilities and improving their crawling technology. He has presented at many conferences, including ToorCon and Black Hat. Billy’s knowledge of Ajax is tremendous, and he has written many papers and presented at many conferences on the dangers of using Ajax. Based out of Atlanta, Georgia, he is only 26 years old, the youngest webappsec expert I know of (I am sure there may be younger people too, but I am yet to meet them), and like every webappsec expert, his ability to think differently has helped him achieve so much in such a short time. Here he shares with us how he got started in the webappsec field. In his own words:

“I got started in fall of 1996. My older brother had left for college and he was the one who understood computers. One day the computer stopped working and I wanted to play Doom. So I started fiddling with it and fixed it. About this time I also got a graphing calculator for geometry, so I spent my days writing programs for the TI-85 in Basic and z80 assembler, and my nights writing Basic and learning C. Soon afterwards I actually used one of those AOL disks, discovered the Internet, and learned how to create fake accounts and phish people in the New User Lobby. I wasn’t much of a network guy, let alone a web hacking guy. In college most of my hacking was focused on hardware or other things that popped on my radar like spy software. I met Caleb Sima, the co-founder and CTO of SPI Dynamics, at an Atlanta hacker conference, and he told me to come in for an interview. I was amazed by how vulnerable companies were through their websites. I started in QA, where my job was to verify our crawler and audit engines worked properly. Pretty quickly I saw ways we could improve both; I am now the lead researcher focusing on crawlers and automated vulnerability detection. I continue to speak at security conferences much like I did in college. The only differences now are that I speak under my real name, I have an expense report, and there are more middle-aged men in Dockers and polos and fewer guys in black t-shirts and green hair! I’ve done a good bit of non-web stuff too. Mainly lots of presentations at different conferences (Interz0ne, Phreaknic, The Fifth Hope), some articles for 2600, O’Reilly’s Make Magazine, etc.”

I got a chance to meet with him at the WASC meetup at RSA. He is a very lively character. Let me put it this way: if Billy is part of a conversation, you won’t get bored even if you just stand there and listen. Below is a list of his contributions to the industry.


Upcoming book from Addison-Wesley this summer, tentatively titled “Securing Ajax Applications”


“Patching the Holes in Ajax Security,” Cover Story, Software Test and Performance Magazine

Stealing Search Engine Queries with JavaScript

Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript

Application Error Handling: How to Avoid Death by a Thousand Cuts

Security Brief - Yamanner Web Worm

Security Brief – MySpace Quicktime Web Worm

Ajax Security Dangers Whitepaper

Building a Magstripe Reader, Cover Story, O’Reilly’s Make Magazine, Issue 1


JavaScript Malware for a Grey Goo Tomorrow - Toorcon 8, Security Opus 2006

Ajax (in)security – BlackHat USA 2006, AJAXWorld, InfoSecurity Canada , SPICON, RSA Conference 2007

Analysis of Web Application Worms and Viruses – BlackHat USA 2006 and BlackHat Federal 2006

Covert Crawling: A Wolf Among Lambs – Shmoocon 2006, LayerOne 2006. Technology for this talk is used by the MITRE honeyclient project.

Layer 7 Fun: Extending Web Apps in Interesting Ways – Phreaknic 9

Phuture of Phishing – Toorcon 7, FBI Cyber Security Summit

Proof of Concepts:

Stealing Search Engine queries with JavaScript

Portscanning and fingerprinting with JavaScript

TinyDisk – Filesystem mashup that stores and retrieves data in TinyURL




StripSnoop - Suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripe cards. This has received a lot of attention, having been Slashdotted twice, appeared on G4TechTV’s The Screen Savers, and at the O’Reilly Emerging Technology Conference and Maker Faire.

Phasmatis – Reads and edits captured data from SpectorSoft’s computer monitoring software

TinyDisk – Filesystem mashup that stores and retrieves data in TinyURL

NanoURL – Web Application that provides link shortening services exactly like TinyURL

LineBreaker – Anti Phishing Web proxy, released at Toorcon 2005

Company working for:

SPI Dynamics



Most Significant Bit Labs

Companies worked for:

Crawford and Company, and NetEffects


BS in Computer Science from Georgia Tech, graduated in 2005.

Billy has a very sharp mind and is very passionate about the webappsec field. He has a bright career ahead of him and is definitely among the ones to follow.

Last Week : Shreeraj Shah
Next Week : Robert Auger
