Here are five (abbreviated) highlights, in no particular order, that we put together based on news reports of the event:
- Dan Kaminsky - The researcher who made all the news at last year's Black Hat Vegas show over the big DNS flaw he discovered (by accident) stumped for the first time for DNSSEC, an Internet Engineering Task Force set of specifications that secures communication between DNS name servers and clients. Kaminsky had never spoken favorably about the implementation, which he said is riddled with challenges, until now. He said we have find a way to make DNSSEC deployments - now a requirement for all federal agencies - easier.
- Michael Sutton - The vice president of research at online web startup Zscaler showed how Google Gears, a browser plugin that allows web apps to work offline, when used on a site vulnerable to cross-site scripting, can be exploited by hackers to steal sensitive, locally stored data. He described the attack scenario (better than I certainly can) on his company blog.
- Nguyen Minh Duc - The researcher at a Vietnam-based security firm demonstrated how hackers can fool facial-recognition technologies of Lenova, Toshiba and Asus, allowing them access to computers. The vulnerability exists because the solutions can't tell a real face from a digitally mastered one.
- Paul Kurtz - The current executive director of SAFECode and a member of the Obama transition team delivered a keynote that warned audience members that the government has a poor disaster recovery plan in place in case of a major cyberattack. Likening the situation to Hurricane Katrina, Kurtz said no agencies are prepared to take an immediate lead role. To respond to a massive assault, the United States should considering militarizing cyberspace, he said.
- "Moxie Marlinspike" - The researcher detailed the use of a "SSLstrip" app that enables the launch of a man-in-the-middle attack that will bring users who try to access an "https" version of a website to the unencrypted "http" version. The only way users could tell anything is up is if they look in the browser, but few would notice the URL switched to "http."