Black Hat Presenters Exhibit New Attack and Defense Techniques

Researchers presenting at the Black Hat USA 2006 Briefings, held Aug. 2-3 in Las Vegas, delivered the expected “sky is falling” view of information security by showing how to exploit weaknesses in the newest technologies. However, this year's presentations focused more on business and defender perspectives, which were largely absent in previous years.

Highlights included attack techniques and exploits for SQL databases, Ajax-based Web applications, voice over IP, Windows Vista and RFID systems. Rootkits, attack tools that conceal their presence on the victim's machine, had a prominent place at the show too, as did Metasploit, a platform for developing, testing and using exploit code.

But apart from the latest techniques and vulnerabilities, many presentations covered oft-ignored security engineering topics like secure software development and other defense and response technologies. Microsoft, traditionally a pariah at events like Black Hat, was a prominent participant, presenting case studies of security engineering in the development of Windows Vista and Internet Explorer 7. Microsoft also demonstrated its new, more open relationship with the research community by distributing a beta copy of Vista to security researchers and inviting them to find and report prerelease vulnerabilities.

The main takeaways of the conference were:

Attack tools can be both friend and foe. Many speakers describing attack techniques recommended using them as part of a penetration testing program, to check the effectiveness of the controls you already have in place and to get an attacker's-eye view of your environment. Presenters came from a wide variety of security consulting companies, including McAfee's Foundstone, SPI Dynamics and WhiteHat Security. These and other companies use research both to present themselves as thought leaders and to hone their technical security skills, which they can in turn use to secure their clients.

The best way to persuade superiors is to put attack information into executive speak. Almost all of the briefings were technical and detail-oriented, but the Executive Women's Forum panel took the 10,000-foot view. Panelists acknowledged that technical security is important (in fact, critical infrastructure support was a top concern), but they focused on how security practitioners can best influence their superiors: by speaking their language (i.e., money, brand protection and compliance). They pointed out that a purely technical argument will be largely ignored.

Vendors are not blacklisted. Microsoft made a bold change in its researcher relationship strategy by giving six sessions sharing different aspects of Vista's security. While these presentations were not marketing or vendor spin, for the most part they differed from many of the other presentations: they primarily addressed practical security engineering on a large scale. Microsoft also extended the olive branch to security researchers by distributing the latest beta of Vista, appealing to their vanity and desire to find flaws. Black Hat, by offering a vendor-specific track, is showing a willingness to work with vendors to improve security. While Microsoft is no longer persona non grata, Joanna Rutkowska's presentation on hacking the Vista kernel was standing-room only and was received enthusiastically.

Black Hat is Going Gray

Black Hat demonstrated that there is still, and likely always will be, a subset of researchers so parochial in their view that they will deliver their news like Chicken Little did. However, Black Hat also revealed a growing breed of mature researchers who put their findings into the perspective of the larger business picture. While a particular vulnerability or attack technique can cause significant damage to some organizations, predicting the impending demise of the Web and the Internet is not useful or likely to be remotely accurate.
Organizations need to wade through the hype that remains and realistically assess the risk to their environment. Assessing security risks from a business perspective and understanding the associated probabilities and business impact of these risks will help organizations make better mitigation decisions.