Black Hat and Defcon 2006: Security Fix Heads to Vegas
Security Fix is headed to Las Vegas for the better part of the next week to cover two back-to-back hacker conferences. The first is Black Hat USA 2006, which runs Wednesday and Thursday and caters to security professionals and researchers whose bosses can afford to foot the $1,200 to $1,600 registration fees. The other is Defcon, 72 straight hours of presentations and non-stop hacker fun starting Friday morning.
Security researchers plan to detail more than a dozen new software and hardware security flaws at this year's Black Hat. While many of the presentations at Defcon will be retreads of those offered at Black Hat, no doubt there will be quite a few new security holes unveiled there as well.
Last year's Black Hat was overshadowed by a talk given by Mike Lynn, who quit his job at Atlanta-based Internet Security Systems Inc. in order to present his research on serious security flaws in Cisco Systems routers, the networking devices responsible for directing much of the Internet's traffic (Lynn since landed a job working for Cisco arch-rival Juniper Networks.
For more background on that controversy, check out the archives. Interestingly enough, Cisco has stepped up as a one of three "platinum" sponsors of this year's Black Hat (along with Microsoft and Ernst & Young); I couldn't find any mention of ISS as a sponsor of this year's con.
Probably one of the more newsy and relevant talks at Black Hat this year will be given in part by another researcher who recently left ISS -- David Maynor, who is now a senior researcher at Secure Works (also headquartered in Atlanta). Maynor and Jon "Johnny Cache" Ellch will show how flawed software drivers in common wireless devices can open up almost any laptop to hijacking by the bad guys. Check back with Security Fix on Wednesday for an exclusive inside look at their research.
Dan Larkin, unit chief of the FBI's Internet Crime Complaint Center, will be the keynote speaker on Day 1 of Black Hat, discussing "war stories and trends" in the government's ongoing battle with increasingly organized cyber criminals. The first session on Day 2 features the annual "Meet the Feds" panel. Featured speakers include David Thomas, chief of the FBI's counterterrorism/counterintelligence and criminal computer intrusion investigations; Jim Christy, director of the Defense Cyber Crime Institute (DCCI), and Linton Wells, principal deputy assistant secretary of defense (networks and Information integration) at the Department of Defense. Hackers at Defcon also will have a chance to meet the feds.
Prior to last year's trip to Vegas, I spoke with Jack Holleran, formerly head of the National Security Agency's National Computer Security Center. Holleran is now retired and is one of countless folks helping to organize the two conferences along with Black Hat and Defcon founder Jeff Moss.
When I spoke with Holleran recently, he recounted a notable "Meet the Feds" panel several years back. Someone on the panel invited anyone in the room to stand up if they had ever probed someone's network defenses without the target's permission. Holleran recalled that a good portion of the hackers in the room proudly stood up. Those standing were then asked to sit down if what had made them stand up wasn't so felonious as to land them in jail for a long time. Holleran said all but a handful of defiant young hackers took a seat. At that point, several law enforcement officials on the panel quickly pulled out cameras from beneath the table, pointed them at the crowd and began snapping away -- thus giving the feds photographs of potentially prosecutable attendees.
Also at Black Hat '06, Dan Moniz and HD Moore will be showing how common cross-site scripting flaws in popular social networking sites like Myspace.com and Xanga.com could be combined with Web browser vulnerabilities to power an Internet worm capable of infecting millions of users in a very short time frame. Whether their demo goes off without a hitch is of little concern, as their concept is ripe for exploitation (cross-site scripting flaws are ubiquitous on most major Web sites, and new browser flaws are discovered every day). On Monday, HD wrapped up his Month of Browser Bugs, wherein he detailed a new, previously undocumented browser security flaw for each day in July. Security Fix will have an exclusive look at their research just prior to their talk on Thursday afternoon.
Those are just a few highlights from this year's jam-packed conference schedule. Check back all week for updates.
The comments to this entry are closed.