RealTime IT News

Black Hat 2006: Feeling Insecure in Sin City

The people who discover and exploit computer insecurities are at the root of those insecurities. They call them "black hats."

Sometimes, black hats hide in the crevices and under the rocks of the Internet fabric, and sometimes they come out into the open. And what better place than the sin of all cities: Las Vegas?

This year's Black Hat 2006 Conference promises to be the biggest event in its nearly 10-year history, with more attendees, more topics and more space than ever before, according to conference organizers.

The event highlights the key trends in computer insecurity, and in the past has been a stage upon which security bombshells have been dropped exposing previously unknown vulnerabilities.

A mirror for computer security in 2006

The list of topics this year is an index of computer insecurity. Jeff Moss, founder of Black Hat told internetnews.com that the talks always seem to be a reflection of what is going on in the industry, and this year is no different.

"There is a lot of VoIP, Web application, Web 2.0 style hacking and more reverse-engineering type talks," Moss said. "I think that is just a reflection of things to come.

"In this last year, things have really shifted. Instead of only one or two Web-type talks, there are a zillion."

Another key trend that has emerged in security circles over the past year is network access control technologies, or NAC as Cisco calls it (Juniper calls it UAC).

NAC will be under attack at Black Hat.

"It's going to be a big focus at Black Hat this year, just as it has been at the other big shows," Alan Shimel, chief strategy officer at StillSecure, told internetnews.com.

"The buzz will be compounded by companies like Insightix that think they've found a way to bypass NAC products."

Shimel expects that the Insightix's methodology will cause debate between security experts that understand the benefits and drawbacks of installing network access control in various methods (DHCP, 802.1x, etc.) on the network.

The insecurity of security products is the topic of a large number of presentations. In Shimel's estimation there will be at least 15 new exploits discussed at the show.

"It will be interesting to see what kinds of methodologies these individuals and organizations base their research of off," Shimel commented.

"Some, we'll find, are legitimate, and bring good insight to the market. Others will only examine one aspect of an issue without taking into account certain insecurities inherent in the network architecture."

Avishai Avivi, Director of Security Engineering & Research at Juniper, told internetnews.com that his team will be looking into talks about IPS technologies and exploitation techniques.

In particular, Avivi noted that there is an entire track this year dedicated to Voice over IP(VoIP) security, while in past years there were only one or two.

"This year you can go an entire day and hear nothing but how to break VoIP systems," Avivi said. "VoIP security has always been of interest, but to me this indicates that this area of research is really picking up.

"There are probably some really significant flaws lurking in VoIP systems, and the more attention VoIP receives, the more likely it is these flaws will be found."

Rootkits are also an area of security research that has a dedicated track at this year's Black Hat.

Once a relatively obscure technology used to help obtain backdoor control over a system or application, they are now more front line. There are five talks about advances in rootkit technology with one talk on advances in rootkit detection.

"To me this indicates the gap in sophistication between the bad guys -- the ones using the rootkits -- and the good guys -- the ones trying to detect the rootkits," Avivi said.

Windows Vista: Under the Gun

Speaking about rootkits, Avivi said Windows Vista is supposed to provide some advanced anti-rootkit functionality that has already been bypassed using the latest hardware.

Windows Vista Security will be getting a lot of attention at Black Hat this year, with an entire days' worth of talks.

"This is hopefully a good thing in that security holes may be discovered and fixed before the OS is released," Avivi said.

"On the downside, if holes are discovered and not fixed before release, sophisticated attacks against Vista may show up within weeks of it being available to consumers."

Irresponsible disclosure: good or bad for Black Hat?

The exposure of an unreported Cisco vulnerability highlighted last year's event.

The disclosure triggered some legal wrangling and ended up with the security researcher in question being hired by Cisco's rival Juniper Networks.

Such surprises aren't expected this year. Or are they?

"You never know about the surprises cause you think it's not a big deal until it blows up in your face," Jeff Moss, founder of Black Hat, told internetnews.com.

"I don't know of any red alert situation yet and not expecting one but just like last year, you never know."

But the Cisco security incident may not necessarily have been a bad thing for the Black Hat event.

"Everybody was speculating last year after all the publicity around the Cisco lawsuit that this year the event would be bigger because of all the free marketing," Moss said.

"Don't know if that's true or not since that marketing happened a year ago, but I wouldn't be suspired if it hadn't raised our profile a little bit."

That said, Moss noted that he is strongly in favor of the responsible disclosure model, and that as far as he is aware, the people that are disclosing new bugs have already disclosed them to vendors.

"I don't like people just springing huge bombs, dropping grenades in peoples laps. That's just not very cool," Moss said.

"I hope not to have any rude awakenings where the first the world hears about it is on the stage. But even if that does happen, I'm not going to lose a whole lot of sleep over it; it happens every day on mailing lists."

Moss added that he probably would reconsider having a person speak again if they didn't have the foresight to notify.

With the 2005 Cisco incident, though, the security researcher in question did get a new job -- from Cisco competitor Juniper.

Juniper's Avivi commented that Juniper does not discuss individual employees. That said, the even could well be a great recruiting opportunity.

"Juniper Networks is always looking to hire talented people who can enhance the security and capabilities of its product lines," Avivi said. "The Black Hat conference tends to draw such talent."

The training portion of the Black Hat conference kicks off July 29th and goes till August 1, with the briefings to take place August 2 and 3.