Back From Black Hat

Friday, August 06, 2010

Application Security, Inc.


Article by Alex Rothacker

I’m back from Las Vegas caught up with my e-mail, well sort of. And finally I got some time to sort out my thoughts about Black Hat 2010. I had skipped 2009 and was excited to get back to Caesars Palace, meet colleagues and friends and listen to some great presentations.


Let’s just say it’s gotten big, almost overwhelming.

There are now 22 tracks, compared to 14 in 2008. The vendor section has also really grown. What used to be a couple of booths at the side of the hallway is now a dedicated hall with almost every security vendor showing a presence.

As usual, right after registration on Tuesday night, I sat down and started marking up the talks I was interested in. With so many tracks there was no shortage of interesting topics at the same time slot.

Since there were no database-specific talks on the first day, I had a great opportunity to expand my horizons and check out some areas that I’m only somewhat familiar with. The short version:

Security and forensics in the cloud and corporate virtual environments is an up and coming field with some interesting and new challenges. Do you know where your data is? How many copies of it exist in the cloud on different continents? Which laws apply regarding privacy, security and forensics in different countries? What are the challenges involved with using public clouds? 

SCADA, especially Smart Grid stuff, is just plain scary at this point. There’s a race to market between new, inexperienced startups that don’t have money for security and big corporations that are equally unaware of security best practices. With thousands of vulnerabilities in critical infrastructure components, and soon in a smart meter at your home as well, hacking the grid seems like a close reality. I guess it’s time to stock up on candles.

Even hackers still think there is free money to be had in Vegas. Why else would Barnaby Jack’s presentation about hacking into ATMs have filled the room to the gills? This was probably one of the most entertaining of all the talks I attended. Watching an ATM’s screen turn into a slot machine and spit out funny money was great! In reality, he was really just hacking WinCE, so it’s not like he was breaking into Fort Knox. Of course he did not reveal the PoC code for his attacks; no blueprint to free money for this audience.

Dan Kaminsky is still on the DNS crusade. His talk was a huge sell for replacing existing DNS with DNSSEC. He is also getting really hip calling all his latest projects PhreeBird, PhreeShell, PhreeLoad and finally PhreeGP. Phreaky!

System privileges through token kidnapping. Windows is getting better with security, but the really good hackers can still find more stuff. Cesar Cerrudo had probably the most hard-core technical talk that I went to. Good stuff.

Oracle DBMS. Oracle is releasing plenty of patches every quarter and it’s still a favorite amongst security researchers. Two great talks were “Hacking and Protecting Oracle Database Vault” by Esteban Martinez Fayo and “Hacking Oracle from Web Apps” by Sumit Siddharth.

Browsers are still bad. Finally one of my favorite presenters, Jeremiah Grossman, presented on “Breaking Browsers: Hacking Auto-Complete” with vendor patches coming out just before his talk. Now that’s the kind of Black Hat action I like.

That’s it for today. Keep coming back for more posts on database security and vulnerability issues that I find interesting.

Alex Rothacker is the manager of Application Security, Inc.’s Team SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research). Team SHATTER has been providing its customers and database vendors with the most up-to-date database vulnerability information to ensure the security of information stored in databases.

Terry Perkins: Great article! Thanks for the information. One of these days, I'm going to this conference.