It turns out that even with the best intentions, writing daily updates from BlackHat and Defcon is a very difficult endeavour. Clearly I failed at it this year with only a single first day post. The truth is that there’s just too much going on between the two events. Each event is packed with great content and any time you find between sessions or in the evenings is taken up with parties and meetings. There are just too many smart people in one place to spend time blogging at the computer. It’s often referred to as the “hallway track”, but it’s certainly one of the most useful aspects of any good conference. The hallway track isn’t bound by any rules or restrictions and there is much to be learned.
You might say “I don’t need to go to the conference – I can download the presentations online”, and you’d be half correct. There’s no copy of the hallway track online, and it’s the reason to make sure you attend in person. Having said that, there is much said in the hallway track that isn’t suitable for a blog or press – but if you want a look at what research people are doing, it’s the place to be.
Back to the conference sessions, certainly this was the year to pick on SSL. Moxie Marlinspike, Mike Zusman, Dan Kaminsky, Alex Sotirov and others pulled apart the technology, demonstrating everything from social engineering attacks, to X.509 weaknesses, to how easy it is to get certs for domains you shouldn’t be allowed a cert for. It turns out that even the EV (extended validation) certs have a number of feasible attacks. (For instance, you can deliver DV content during an EV session and the browser bar stays green.)
You’ve likely also read about the SMS flaw on the iPhone that was presented this year. It turns out there are flaws in more than just the iPhone. We’ll post on this in more detail in the next few days, but suffice it to say that it’s disturbing that with all the fuzzing tools available today, so many phone vendors aren’t writing secure software for their devices.
A number of the cloud talks are also worth watching. There’s a great deal of issues covered at Blackhat that businesses will need to think about. For instance: search and seizure of your data, incident response, secure application coding, infrastructure-as-a-service attacks, penetration testing and so much more. I’ll try to consolidate a variety of the presentations into a summary blog post over the course of the week.
I’ll be posting more here, but I also encourage you to attend this month’s TASK user group event on Wednesday August 26 where we’ll review all the best of Blackhat/Defcon. As always, there is no registration and attendance is free. Check http://www.task.to for details.