RealTime IT News

Black Hat Cometh; You Afraid?

The Black Hat conference in Las Vegas has a certain mystique: it's a place where bad things are talked about openly and where things we once thought were secure get thrown out the window.

It's a perception that is well founded and one that I expect will be further reinforced at this week's event.

Without a doubt the most highly anticipated vulnerability that will be publicly discussed at the event is a vulnerability in Apple's iPhone. That particular presentation, however, isn't scheduled until the last day of Black Hat, in the last time slot.

There is a lot of other stuff in between, including some new takes on things first discussed at last year's show.

Last year Cisco Network Access Control (NAC) was proven fallible; this year at least two different security researchers will be presenting additional findings on how to bypass NAC.

In a presentation titled NACATTACK, security researchers Dror-John Roecher and Michael Thumann are going to release a tool that may well help bypass NAC.

"We do not wish to simply release a tool; we want the audience to understand how Cisco NAC works, why it is not as secure as Cisco wants us to believe and which mitigations exist," the Black Hat abstract for the NACATTACK session states.

One of the other highlights of 2006 was Joanna Rutkowska's landmark presentation on how to attack Windows Vista with a virtualized rootkit. Rutkowska is back this year with more of the same on virtualization-based malware. She also plans to reveal new, practical methods for compromising the Vista x64 kernel on the fly.

Rutkowska is also the subject of another presentation, titled "Don't Tell Joanna, The Virtualized Rootkit Is Dead," in which researchers from Matasano Security will attempt to prove that the virtualized rootkit approach can be detected.

Web services will also be violated in a talk titled, "Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity." C++ developers won't be safe, either, as IBM ISS researchers are set to discuss how to break C++ applications.

According to the session abstract, the presentation will include a discussion of bug classes that have yet to be discussed or exploited in a public forum.

Join the crowd.

Speaking of crowds, it might be a good idea to stay off the streets for a few days, too. One of the more esoteric sessions is titled, "Injecting RDS-TMC Traffic Information Signals a.k.a. How to freak out your Satellite Navigation."

"We'll discover the obscure (but scary!) messages that can be broadcast (and that are not usually seen over legitimate RDS-TMC traffic), the limits of standard SatNav systems when flooded with unusual messages and the role that RDS-TMC injection/jamming can play in social engineering attempts (hitmen in the audience will love this!)," the session abstract states.

Everyday browser users might have a cause for concern, as well.

Mozilla Chief Security Officer Window Snyder is set to deliver a session about how to break the modern Web browser. But wait, it gets better.

Mozilla will also be releasing protocol fuzzers for HTTP and FTP and a fuzzer for JavaScript. These are the same tools that Mozilla itself has used to secure Firefox. Score one for the good guys here: better to break it yourself before others do it for you.

Speaking of when it's appropriate to talk about breaking applications, there is a legal aspect to Black Hat this year, too. (And no, all attendees won't be rounded up by the DHS and arrested.)

Stanford Law School educator Jennifer Granick will discuss when a researcher can or cannot disclose a vulnerability. As a very appropriate case in point, she'll be talking about the 2005 Black Hat incident involving Cisco and researcher Michael Lynn, in which legal takedown threats and suits flew back and forth.

Black Hat has become the premier place to disclose high-profile vulnerabilities; of that I have no doubt. Whether certain vulnerabilities will actually be disclosed, such as the high-profile iPhone issue, remains to be seen.

I'm not afraid of the Black Hat vulnerabilities. I'm more worried about the ones we don't know about, i.e., the lurkers who don't disclose.

Thanks to Black Hat we know about broken applications and processes. We are no longer naïve or ignorant. More than just a venue for disclosing security vulnerabilities, Black Hat has also become the place to learn how to find those vulnerabilities, which can make us all safer.