Black Hat 2006: Chicken Little Returns to Vegas

by Michael Gavin, with Jennifer Albornoz Mulligan, Paul Stamp, Khalid Kark and Ronald J. Furstoss

Black Hat USA 2006 Briefings grabbed the attention of the technology press and onlookers, providing lots of fuel for the computer insecurity fire. It also provided a few ideas for security folks trying to gain the attention of their executives. Hot topics included Web 2.0, radio frequency identification (RFID) and Windows Vista security. The conference gave attendees the usual insight into what's brewing in the researcher community and which tools and techniques can be used to manage new and developing risks.

August 25, 2006 | CSO

Black Hat Presenters Exhibit New Attack and Defense Techniques

Researchers presenting at the Black Hat USA 2006 Briefings, held Aug. 2-3 in Las Vegas, delivered the expected "sky is falling" view of information security by showing how to exploit weaknesses in the newest technologies. However, this year's presentations focused more on business and defender perspectives, which were largely absent in previous years. Highlights included attack techniques and exploits for SQL databases, Ajax-based Web applications, voice over IP, Windows Vista and RFID systems. Rootkits (attack tools that conceal their presence on the victim's machine) had a prominent place at the show too, as did Metasploit, a platform for developing, testing and using exploit code.

But apart from the latest techniques and vulnerabilities, many presentations covered oft-ignored security engineering topics like secure software development and other defense and response technologies. Microsoft, traditionally a pariah at events like Black Hat, was a prominent participant, presenting case studies of security engineering in the development of Windows Vista and Internet Explorer 7. Microsoft also demonstrated its new, more open relationship with the research community by distributing a beta copy of Vista to security researchers and inviting them to find and report prerelease vulnerabilities. The main takeaways of the conference were:

  • Attack tools can be both friend and foe. Many speakers describing attack techniques recommended using them as part of a penetration testing program, both to check the effectiveness of the controls you already have in place and to get an attacker's-eye view of your environment. Presenters came from a wide variety of security consulting companies, including McAfee's Foundstone, SPI Dynamics and WhiteHat Security. These and other companies use research both to present themselves as thought leaders and to hone their technical security skills, which they can then in turn use to secure their clients' environments.
  • The best way to persuade superiors is to put attack information into executive speak. Almost all of the briefings were technical and detail-oriented, but the Executive Women's Forum panel took the 10,000-foot view. Panelists acknowledged that technical security is important (in fact, critical infrastructure support was a top concern), but they focused on how security practitioners can best influence their superiors: by speaking their language (i.e., money, brand protection and compliance). They pointed out that a purely technical argument will be largely ignored.
  • Vendors are not blacklisted. Microsoft made a bold change in its researcher relationship strategy by presenting six sessions on different aspects of Vista's security. These presentations were not marketing or vendor spin, but for the most part they did differ from the other talks: they primarily addressed practical security engineering on a large scale. Microsoft also extended the olive branch to security researchers by distributing the latest beta of Vista, appealing to their vanity and desire to find flaws. Black Hat, by offering a vendor-specific track, is showing a willingness to work with vendors to improve security. While Microsoft is no longer persona non grata, Joanna Rutkowska's presentation on hacking the Vista kernel was standing-room only and was received enthusiastically.
