Hat Briefings had little of the
drama of last year's
conference, but did provide some interesting presentations on
security vulnerabilities and techniques to detect and avoid them. There was
little in the way of full disclosure this year at Black Hat, most
presentations obscured the specific sites or vendors affected and
instead concentrated on the underlying technology and how it could be
exploited. Most of the presenters represented companies engaged in
security research and penetration testing for their clients and seemed to
want to protect those clients and/or bring in new ones by their 'responsible'
disclosure. How exactly that helps the users of vulnerable software is, of
course, the obvious question.
The purported 'main event' of the conference was the presentation on device
drivers by David Maynor and johnny cache. LWN
reported on this wireless
vulnerability several weeks ago and looked forward to more details being
released. Unfortunately, the session was rather anticlimactic; the 'demo'
was a video and the details were still obscured. Maynor and cache were
concerned that attendees with wireless cards would packet capture the demo
and decided to use video instead. The only new information released about
the vulnerability was that it was against a third party wireless adapter
MacOS X. It is a shame that the session was over-hyped because the
rest of the information presented, fingerprinting wireless cards
based on their 802.11 behavior, was quite interesting.
Two major themes were evident, at least in the talks the author attended:
approaches. Fuzzing is the process of
modifying data in a file format or protocol to attempt to subvert the
program and it comes in (at least) two flavors: dumb and targeted. Dumb
fuzzing just randomly changes values within the format or protocol to
elicit unexpected behavior. Targeted fuzzing is, as the name implies,
more focused on the details of the format or protocol and tries to change
things that logically fit within the structure but may be corner cases
that the implementer did not expect. Several tools and techniques to
automate fuzzing of both varieties were presented in different sessions.
AJAX is, of course, the 'Web 2.0' technology that is becoming the buzzword
of choice for startup companies. It is also a way to increase the risk of
web application vulnerabilities if implemented poorly. AJAX increases
the attack surface of an application by exposing more interfaces that can
potentially be exploited. It is also a relatively immature technique and
much of the instructional material, particularly tutorials available on
the web, do not even bring up the topic of security. Several sessions were
devoted to discussing areas of concern in AJAX and how using other
techniques (such as cross-site scripting) can lead to web worms and viruses.
LWN will be covering both of these topics in more detail over the coming
More than 3000 people attended this year - a 30% increase
over last year; this increase was very evident when trying to maneuver through the
hallways or attend a popular talk in a smaller room. Several comments were
heard about Black Hat outgrowing Caesar's Palace and potentially moving
elsewhere sometime in the future. Even with the unexpected level of
attendance, the show was very well run and provided many interesting
sessions; it is certainly worth a look as a security conference to
attend in the future.
[ The author wishes to thank his employer,
Privacy Networks, for financial
support for his trip to Las Vegas for Black Hat.]
to post comments)