Security professionals attending the Black Hat Briefings in Las Vegas this week left with a lot to think and worry about.
Nearly 2,000 attendees flocked to the conference, which included sessions on Google hacking, Pocket PC abuse, vulnerabilities in RFID (Radio Frequency Identification) tags, and liabilities in security investigations.
Paul Simmonds, CISO of U.K.-based ICI kicked off the conference with keynote about how border security has become obsolete, requiring a new model of “deperimeterization.” Simmonds is one of the founders of the Jericho Forum, a group of European security chiefs promoting the deperimeterization concept.
While his presentation drew tepid responses from a couple of attendees, who said they preferred the more technical sessions to his theoretical talk, a session on Metasploit – an exploit framework – attracted an overflow crowd.
Clad in work coveralls, an independent security researcher named “spoonm” presented the session with HD Moore, co-founder of security firm Digital Defense who created a network game that evolved into Metasploit.
“We think of it as a tool for developing exploits more than an exploit tool,” said spoonm, who described Metasploit as the only open-source exploit framework. Recently enhanced with improved exploit techniques and advanced payloads, the framework is widely used by security firms in penetration tests and is increasingly used by administrators to verify scan results, he said.
Another session covered the legal liabilities associated with security incident investigations and “strike back” technologies.
“The force you use in defending must be proportional,” Jennifer Stisa Granick, a lawyer and executive director of the Center for Internet and Society at Stanford Law School, told attendees, who peppered her with questions throughout her session.
Other presentations covered web application security, electronic voting issues, and zero-day attacks.
The huge crowd at Black Hat – which organizers said was up 10 percent from last year – indicates how security is an industry-wide issue, observed Kevin Kean, director at the Microsoft Security Response Center (MSRC).
Microsoft hoped to reach out to security researchers at the conference, said Stephen Toulouse, MSRC security program manager. “We very much care what researchers have to say,” he said, adding, “People have very passionate viewpoints on how to make things more secure… We want people to understand that we want to be part of the dialogue.”
MSRC investigates reports of security vulnerabilities affecting Microsoft products. “We take anything that anyone reports to us very seriously,” Kean added.