Black Hat 2006: Feeling Insecure in Sin City


The people who discover and exploit computer insecurities are at the root of those insecurities. They call them “black hats.”

Sometimes, black
hats hide in the crevices and under the rocks of the Internet fabric, and
sometimes they come out into the open. And what better place than the sin of all cities: Las Vegas?


This year’s Black Hat 2006 Conference promises to be the biggest event in its
nearly 10-year history, with more attendees, more topics and more space than
ever before, according to conference organizers.

The event highlights the key trends in computer insecurity, and in the past has been a stage upon which security bombshells have been dropped exposing previously unknown vulnerabilities.


A mirror for computer security in 2006


The list of topics this year is an index of computer
insecurity. Jeff Moss, founder of Black Hat told
internetnews.com that the talks always seem to be a reflection of
what is going on in the industry, and this year is no different.


“There is a lot of VoIP, Web application, Web 2.0 style hacking and more
reverse-engineering type talks,” Moss said. “I think that is just a
reflection of things to come.

“In this last year, things have really shifted. Instead of only one or two Web-type talks, there are a zillion.”


Another key trend that has emerged in security circles over the past year is
network access control technologies, or NAC as Cisco calls it (Juniper calls
it UAC).


NAC will be under attack at Black Hat.


“It’s going to be a big focus at Black Hat this year, just as it has been at
the other big shows,” Alan Shimel, chief strategy officer at StillSecure,
told internetnews.com.

“The buzz will be compounded by companies
like Insightix that think they’ve found a way to bypass NAC products.”


Shimel expects that the Insightix’s methodology will cause debate between
security experts that understand the benefits and drawbacks of installing
network access control in various methods (DHCP, 802.1x, etc.) on the network.


The insecurity of security products is the topic of a large number of
presentations. In Shimel’s estimation there will be at least 15 new exploits
discussed at the show.


“It will be interesting to see what kinds of methodologies these individuals
and organizations base their research of off,” Shimel commented.

“Some,
we’ll find, are legitimate, and bring good insight to the market. Others
will only examine one aspect of an issue without taking into account certain
insecurities inherent in the network architecture.”


Avishai Avivi, Director of Security Engineering & Research at Juniper, told internetnews.com that his team will be looking
into talks about IPS technologies and exploitation techniques.

In particular, Avivi noted that there is an entire
track this year dedicated to Voice over IP(VoIP) security, while in past years
there were only one or two.


“This year you can go an entire day and hear nothing but how to break VoIP
systems,” Avivi said. “VoIP security has always been of interest, but to me
this indicates that this area of research is really picking up.

“There are
probably some really significant flaws lurking in VoIP systems, and the more
attention VoIP receives, the more likely it is these flaws will be
found.”

Rootkits are also an area of security research that has a dedicated track
at this year’s Black Hat.

Once a relatively obscure technology used to help obtain
backdoor control over a system or application, they are now more front line.
There are five talks about advances in rootkit technology with one talk on
advances in rootkit detection.


“To me this indicates the gap in sophistication between the bad guys — the
ones using the rootkits — and the good guys — the ones trying to detect the
rootkits,” Avivi said.

Windows Vista: Under the Gun


Speaking about rootkits, Avivi said Windows Vista is supposed to
provide some advanced anti-rootkit functionality that has already been
bypassed using the latest hardware.

Windows Vista Security will be getting a
lot of attention at Black Hat this year, with an entire days’ worth of
talks.


“This is hopefully a good thing in that security holes may be discovered
and fixed before the OS is released,” Avivi said.

“On the downside, if holes
are discovered and not fixed before release, sophisticated attacks against
Vista may show up within weeks of it being available to consumers.”


Irresponsible disclosure: good or bad for Black Hat?


The exposure of an unreported
Cisco vulnerability highlighted last year’s event.

The disclosure triggered some legal wrangling and ended up with the security researcher in question being hired by Cisco’s rival Juniper Networks.


Such surprises aren’t expected this year. Or are they?


“You never know about the surprises cause you think it’s not a big deal until
it blows up in your face,” Jeff Moss, founder of Black Hat, told
internetnews.com.

“I don’t know of any red alert situation yet and not
expecting one but just like last year, you never know.”


But the Cisco security incident may not necessarily have been a bad thing for the
Black Hat event.


“Everybody was speculating last year after all the publicity around the
Cisco lawsuit that this year the event would be bigger because of all the
free marketing,” Moss said.

“Don’t know if
that’s true or not since that marketing happened a year ago, but I wouldn’t
be suspired if it hadn’t raised our profile a little bit.”


That said, Moss noted that he is strongly in favor of the responsible
disclosure model, and that as far as he is aware, the people that are
disclosing new bugs have already disclosed them to vendors.


“I don’t like people just springing huge bombs, dropping grenades in peoples
laps. That’s just not very cool,” Moss said.

“I hope not to have any rude
awakenings where the first the world hears about it is on the stage. But even
if that does happen, I’m not going to lose a whole lot of sleep over it; it
happens every day on mailing lists.”


Moss added that he probably would reconsider having a person speak again if
they didn’t have the foresight to notify.


With the 2005 Cisco incident, though, the security researcher in question did
get a new job — from Cisco competitor Juniper.

Juniper’s Avivi
commented that Juniper does not discuss individual employees. That said, the
even could well be a great recruiting opportunity.


“Juniper Networks is always looking to hire talented people who can enhance
the security and capabilities of its product lines,” Avivi said. “The
Black Hat conference tends to draw such talent.”


The training portion of the Black Hat conference kicks off July 29th and
goes till August 1, with the briefings to take place August 2 and 3.

News Around the Web