
Black Hat hacker con promises to “ruffle some feathers”

The annual Black Hat security conference, which kicks off in Las Vegas later this month, is full of sessions showcasing the latest research on vulnerabilities and defenses.

With more than 80 presentations, the conference can be overwhelming, so the organizers on Thursday highlighted some of the more interesting talks being planned for this year.

Black Hat is about creating conversations that challenge the security industry to look at things differently, Robert Richardson, the conference's editorial director, said during a webinar. The event is "committed to putting things out there that [are] going to ruffle some feathers," he said.

This year will be no different, as the Black Hat Review Board evaluated more than 500 submitted proposals to select the 80 sessions that would be presented over a two-day period, July 25 and 26.

The webinar highlighted the five tracks into which most of the presentations are grouped: mobile, defense, application security, "breaking things," and malware. Each of the track chairpeople highlighted some of the presentations that will be part of the conference this year.

One of the talks generating some excitement is a session by InGuardian's Don Weber titled "Looking into the Eye of the Meter," said Stefano Zanero, an Italian researcher and chair of the malware track.

Weber is expected to discuss how criminals would be able to harvest various kinds of information from smart meters. Smart meters are becoming ubiquitous, and the session will center on the insecurity of embedded devices that are being installed in front of every home and connected to a network.

Weber was scheduled to present the talk earlier this year at ShmooCon 2012 in Washington, D.C., but pulled it at the last minute in response to requests from a smart grid vendor and several utilities.

The track called "Breaking Things" will include some of the most "cutting-edge research that is not being done elsewhere," said Chris Rohlf, independent security consultant and chair of the track. He spotlighted research by Fermin Serna, a Google engineer, who will be focusing on address space layout randomization (ASLR) in his talk about information leak vulnerabilities.

Rohlf also listed "PinPadPwn," a talk by security researchers Rafael Vega and "Nils" that will cover PIN-pad terminal exploits. The talk will highlight how these terminals are readily available, but seriously vulnerable to attack.

Another session related to payment systems that is expected to generate a lot of interest is the near field communication (NFC) talk by well-known Apple researcher Charlie Miller, part of the mobile track, said Vincenzo Iozzo, an independent security researcher from Italy. Miller will focus on how sensitive information can be lifted from mobile devices.

Mobile has generated significant interest, Iozzo said, and the selected talks will be taking an in-depth look at what can happen to devices like smartphones and tablets beyond what is generally discussed.

While Apple's session on iOS version 6 security is creating buzz because it will be the first time that Apple has publicly discussed security in depth, Iozzo, the chair of the mobile track, said he wasn't sure "if there will be groundbreaking elements" disclosed.

Three talks selected for the application security track feature HTML5 in some way, said Nathan Hamiel, principal consultant at FishNet Security and chair of the track. This reflects the popularity of the new web standard and increased interest in mobile development, Hamiel said. Shreeraj Shah of Blueinfy Solutions will be presenting the top 10 threats in HTML5 applications.

Hamiel also highlighted the session on web exploit toolkits by Jason Jones, a researcher at HP DVLabs, calling it a "good primer" for people who don't often think about how these popular, and often commercially available, frameworks are used.

As for the malware track, Zanero said the selected papers either focused on techniques virus writers use to avoid detection, or methods researchers can leverage to better analyze malicious code.

Researcher Rodrigo Branco will be examining how large-scale malware in the wild already uses various tools to avoid being studied, Zanero said.

The defense track is a little different from all the other tracks because the focus is on getting security professionals to think about defense in a different, game-changing way, said Shawn Moyer, a security researcher from Accuvant Labs and chair of the track. He highlighted the "Control Alt Hack" talk, which is based on a card game designed by Microsoft's Adam Shostack and two students from the University of Washington to make players think about security.

The conference this year is scheduled for July 21 to July 26, with the first half of the show devoted to training sessions. The briefings are scheduled for July 25 and July 26. A full program guide is here.

Unlike last year, there won't be a way to view the sessions remotely during the conference via Uplink, Richardson said. Recordings and slide presentations will be available afterwards, as usual.
