Black Hat Researchers Overcome Security Learning Curve
The Black Hat Briefings return to Caesars Palace this week with a new batch
of hands-on security research for a crowd of 4,000 IT administrators, hackers,
industry experts and government officials.
Security issues continue to get more challenging each year and hacking no longer
is child's play, said Black Hat founder Jeff Moss. "Over the last
year the attacks have gotten better," he said. "On the organized-crime
side, they have gotten better organized. The bad guys have continued to grow
The Black Hat Briefings have evolved from an adjunct of the annual Defcon hackers'
convention to a premier venue for presenting the latest security research. "I
noticed two trends" in this year's presentations, Moss said. Web
applications continue to be the low-hanging fruit of IT security. Moss wanted
to focus more on other areas this year, but "we still ended up finding
a lot that was interesting" in Web application security.
The second trend is the strength of the original research being done. One of
the most high-profile examples is the discovery of a design flaw in the Doman
Name Service that resulted last month in a coordinated multi-vendor
patch release by Dan Kaminsky, director of penetration testing for IOActive
Inc. Some details of the vulnerability already have been leaked, but Kaminsky
is scheduled to go into more detail at this week's conference.
Research has produced something of an embarrassment of riches this year, Moss
added. Competing presentations during one "power hour" will make
it difficult for attendees and even speakers to hear everything they want to.
"One speaker told me [he didn't] want to show up at [his] own talk"
because he wanted to listen to another speaker scheduled at the same time next
door, Moss said.
Three such conflicting presentations scheduled for Aug. 7 are "How to Impress
Girls with Browser Memory Bypasses" by researchers Alexander Sotirov and Mark
Dowd; "The Internet is Broken," an examination of client-side threats by Ernst
& Young security advisers Nathan McFeters and Rob Carter, and John Heasman,
vice president of research at United Kingdom-based NGS Software; and "Get Rich
or Die Trying" by White Hat Security Chief Technology Officer Jeremiah Grossman
and researcher Arian Evans, about the profit potential in some online scams
that aren't, strictly speaking, illegal -- yet.
As in past years, most of the work being presented focuses on software. Yet
as operating systems become more challenging, the hacking landscape is slowly
shifting to other targets, such as applications.
But hardware is coming under attack as well, and research in this area has
not kept up with threats. "I've been trying to bring more hardware
security in," Moss said. "[But] that's been a tough nut to
crack. In government, they think that because it's hardware, it can't
be hacked," he added.
One new feature of this year's briefings is letting attendees have a
say in selecting presentations. Registered attendees were able to view submissions
to the call for papers online and pass on comments and suggestions to the selection
committee, which made the final decision. Submitters got to choose how much
of their material was available for review.
"This is a system I wanted to build for years," Moss said. As the
presentations become more technically sophisticated, the selection committee
needs more expertise in reviewing submissions for accuracy and relevance. "It
was a work in progress this year, but we got good results. There weren't
too many surprises. What attendees wanted generally was what the reviewers wanted,"
but there were a few presentations that were selected that might have otherwise
been passed over.
William Jackson is the senior writer for Government Computer News (GCN.com).