Black Hat 2010 notebook: Day One

July 28, 2010

Here are some interesting tidbits coming out of the first day of the world's biggest hacker conference, taking place in Las Vegas. Consider it a running log, of sorts.

  • Adobe announced this morning that it will begin sharing vulnerability details through the Microsoft Active Protections Program (MAPP).

The initiative, announced in August 2008, originally was devised so Microsoft could share flaw information with approved software security providers prior to its monthly fixes being released. Now, Adobe now will be able to do the same with MAPP's 65 members.

"By receiving vulnerability information prior to the public release of a security update, MAPP partners get an early start over exploit code writers, enabling them to offer protection to customers in a timely manner," Adobe's Brad Arkin said in a blog post.

  • RFID researcher Chris Paget showed how he created equipment that allowed him to read an EPC Gen 2 RFID tag at 217 feet, believed to be a world record.

In his talk, Paget described how he replaced antennae and established a fixed frequency on the transmitter to increase range and power - all while staying in compliance with Federal Communications Commission ham radio laws.

He predicts that under the right testing conditions he could read a tag at 1,000 feet. There are ways to abuse the technology, though, Paget said. He said RFID tags should not be placed in identifying documents and retail stores should disable the tags (aka bar codes) upon customer checkout.

Best way to destroy an RFID tag? Place it in a microwave for three seconds. "Five seconds, and it will probably catch fire," Paget said.

  • Judging form reaction on Twitter, the keynote from Jane Lute, deputy secretary of the U.S. Department of Homeland Security, didn't seem to go over too well with the jeans-wearing, free-speech-loving Black Hat audience.

She described how government can help secure cyberspace, partially through DHS initiatives.

The most exciting part of the discussion came when an audience member asked Lute why people should trust DHS to secure the internet without slowing down "commerce and knowledge," especially when considering how much criticism the Transportation Security Administration has absorbed since it was founded.

Lute said DHS wants to serve as the "portal" for debate on how to strike this balance.

  • Open DNS founder Dave Ulevitch is unhappy that Craig Heffner, a researcher with Maryland-based security consultancy Seismic, hasn't contacted him regarding Heffner's scheduled presentation Thursday at Black Hat. Heffner plans to demonstrate how consumer routers can be exploited via DNS rebinding, a technique by which an attacker uses JavaScript embedded on a malicious web page to gain control of the victim's router.

"Since the vulnerability was first publicized, we've made several attempts to contact Craig Heffner, the    researcher, and get more detail," Ulevitch wrote in a blog post. "We've phoned. We've emailed. We've contacted reporters who've spoken to the researcher and had their help connecting to the researcher. I've even Facebook messaged his coworkers. I haven't had a single reply."

Ulevitch said OpenDNS is a free service that helps resolve "many problems system administrators and security pros face." He said the company would keep the details of the vulnerability private; its only goal is to protect users.

Heffner could not be reached for comment by SCMagazineUS.com.

prestitial ad