August 7, 2006
This article was contributed by Jake Edge.
Last week's Black Hat Briefings had little of the drama of last year's
conference, but did provide some interesting presentations on
security vulnerabilities and techniques to detect and avoid them. There was
little in the way of full disclosure this year at Black Hat; most
presentations obscured the specific sites or vendors affected and
instead concentrated on the underlying technology and how it could be
exploited. Most of the presenters represented companies engaged in
security research and penetration testing for their clients and seemed to
want to protect those clients and/or bring in new ones by their 'responsible'
disclosure. How exactly that helps the users of vulnerable software is, of
course, the obvious question.
The purported 'main event' of the conference was the presentation on device
drivers by David Maynor and johnny cache. LWN reported on this wireless
vulnerability several weeks ago and looked forward to more details being
released. Unfortunately, the session was rather anticlimactic; the 'demo'
was a video and the details were still obscured. Maynor and cache were
concerned that attendees with wireless cards would capture packets from the
demo, so they decided to use video instead. The only new information released
about the vulnerability was that it was against a third-party wireless adapter
for MacOS X. It is a shame that the session was over-hyped because the
rest of the information presented, fingerprinting wireless cards
based on their 802.11 behavior, was quite interesting.
Two major themes were evident, at least in the talks the author attended:
Asynchronous JavaScript and XML (AJAX) security and automated fuzzing
approaches. Fuzzing is the process of modifying data in a file format or
protocol to attempt to subvert the program that consumes it, and it comes in
(at least) two flavors: dumb and targeted. Dumb
fuzzing just randomly changes values within the format or protocol to
elicit unexpected behavior. Targeted fuzzing is, as the name implies,
more focused on the details of the format or protocol and tries to change
things that logically fit within the structure but may be corner cases
that the implementer did not expect. Several tools and techniques to
automate fuzzing of both varieties were presented in different sessions.
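
The difference between the two flavors, as an added Python example that is not from the article or from any Black Hat presentation. The `REC1` record format, both parsers and every function name are constructed for illustration; the harness checks one invariant (declared length equals returned payload length) on a parser you own.

```python
import random
import struct

MAGIC = b"REC1"  # constructed toy format: magic | u16 big-endian length | payload
SAMPLE = MAGIC + struct.pack(">H", 13) + b"hello fuzzing"  # constructed valid record

def parse_lenient(data: bytes):
    """Parser with a corner-case gap: it trusts the declared length."""
    if data[:4] != MAGIC or len(data) < 6:
        raise ValueError("bad header")
    (declared,) = struct.unpack(">H", data[4:6])
    return declared, data[6:6 + declared]  # silently short if declared > available

def parse_strict(data: bytes):
    """Same parser, with the length checked against the bytes actually present."""
    declared, payload = parse_lenient(data)
    if declared != len(data) - 6:
        raise ValueError("length field does not match payload")
    return declared, payload

def dumb_mutations(sample: bytes, count: int, seed: int = 0):
    """Dumb fuzzing: overwrite one random byte with a random value."""
    rng = random.Random(seed)
    for _ in range(count):
        buf = bytearray(sample)
        buf[rng.randrange(len(buf))] = rng.randrange(256)
        yield bytes(buf)

def targeted_mutations(sample: bytes):
    """Targeted fuzzing: keep the structure valid, vary only the length field."""
    real = len(sample) - 6
    for declared in sorted({0, 1, max(real - 1, 0), real, real + 1, 0x7FFF, 0xFFFF}):
        yield sample[:4] + struct.pack(">H", declared) + sample[6:]

def run(parser, inputs):
    """Count inputs rejected, accepted, and accepted with the invariant broken."""
    stats = {"rejected": 0, "accepted": 0, "violations": 0}
    for data in inputs:
        try:
            declared, payload = parser(data)
        except ValueError:
            stats["rejected"] += 1
        else:
            stats["accepted"] += 1
            stats["violations"] += declared != len(payload)
    return stats

if __name__ == "__main__":
    for parser in (parse_lenient, parse_strict):
        print(parser.__name__, run(parser, targeted_mutations(SAMPLE)))
```

The seven targeted inputs all pass the header check and three of them expose the length gap in the lenient parser, while a dumb mutation only reaches that code when it happens to land on a length byte.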
AJAX is, of course, the 'Web 2.0' technology that is becoming the buzzword
of choice for startup companies. It is also a way to increase the risk of
web application vulnerabilities if implemented poorly. AJAX increases
the attack surface of an application by exposing more interfaces that can
potentially be exploited. It is also a relatively immature technique and
much of the instructional material, particularly tutorials available on
the web, does not even bring up the topic of security. Several sessions were
devoted to discussing areas of concern in AJAX and how using other
techniques (such as cross-site scripting) can lead to web worms and viruses.
LWN will be covering both of these topics in more detail over the coming
weeks.
More than 3000 people attended this year - a 30% increase
over last year; this increase was very evident when trying to maneuver through the
hallways or attend a popular talk in a smaller room. Several comments were
heard about Black Hat outgrowing Caesars Palace and potentially moving
elsewhere sometime in the future. Even with the unexpected level of
attendance, the show was very well run and provided many interesting
sessions; it is certainly worth a look as a security conference to
attend in the future.
[ The author wishes to thank his employer, Privacy Networks, for financial
support for his trip to Las Vegas for Black Hat.]