LAS VEGAS -- Security exploits are made public throughout the year, but no week generates more details of vulnerabilities, exploits and potential threats than the week of the Black Hat USA security conference, held here at Caesars Palace Hotel and Casino.
For many in the business of IT security, hardware, software and online services, the annual security event is surrounded by an ominous air of anticipation as researchers prepare to unveil new security tools, research and advisories about nearly every category of enterprise technology.
The event has grown so prominent that this year there will also be a separate, unaffiliated event called BSides, held down the Strip from Black Hat at the same time. BSides, born out of speaker rejections from the Black Hat USA 2009 event, is set to host discussions on topics that include PHP, VxWorks and Twitter security vulnerabilities.
But BSides won't be the only venue where 2009's taboo subjects are now being brought to the fore. Among the big sessions at this year's Black Hat USA event is a talk that had originally been prepared for the 2009 event: security researcher Barnaby Jack's research into how ATMs are at risk of an attack that could "jackpot" them. Jack's 2009 presentation on the same subject was pulled from that year's event after ATM vendors pressured his then-employer, Juniper Networks, into canceling his talk. This time around, however, Jack is working for security research firm IOActive, and so far all indications suggest that his presentation will go on as planned.
With all eyes in the hardware, software and enterprise security markets on Black Hat, it should come as no surprise that Jack's talk was far from the first presentation to be pulled due to vendor pressure. One of the most well-known instances occurred in 2005, when networking giant Cisco sought a restraining order against the conference.
This year, Cisco's security is again set to come under scrutiny at Black Hat. A pair of security researchers from Core Security are set to detail alleged vulnerabilities in Cisco's wireless access points, though unlike the 2005 incident, the 2010 Black Hat session on Cisco security is going forward with the company's knowledge and consent.
"The presenters for this session did contact the Cisco Product Security Incident Response Team (PSIRT) ahead of the Black Hat conference," Cisco said in an email to InternetNews.com. "We maintain a very open relationship with the security community and view this as vital to helping protect our customers' networks."
Another ghost of Black Hats past will be present in a panel discussion on DNS security. Security researcher Dan Kaminsky used the Black Hat USA 2008 event as the venue for formally disclosing his DNS cache-poisoning vulnerability, which could have disrupted the normal operation of the Internet for hundreds of millions of users.
At this week's event, Kaminsky is back -- speaking on a panel alongside two major players in Internet infrastructure -- ICANN president Rod Beckstrom and VeriSign CTO Ken Silva. The panel will discuss the current state of DNS security.
Another core Internet security technology, SSL, is also in the spotlight this week, after having been a prime target for Black Hat researchers in 2009. Qualys security researcher Ivan Ristic is scheduled to detail the final results of a large study of SSL certificate validity across the Internet. His talk will provide additional details on findings he discussed briefly during a Black Hat preview webcast in June. During that early look at his findings, Ristic noted that most SSL certificates in use are not actually valid for the servers presenting them -- posing a potentially serious threat to secure Internet transactions.
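To make concrete what "not valid" means when a survey like this checks a server certificate, here is an added example (not code from the article or from Ristic's study) that classifies the two validity failures a client can judge from the certificate alone: a host name that the certificate does not cover, and a validity period that has lapsed. It operates on certificate dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, so the same function can be pointed at a live peer certificate; the sample certificates and the fixed clock below are constructed for the demonstration and are not real. Chain and signature verification are deliberately out of scope, since they need a trust store.

```python
"""Classify why a server certificate is not valid for a given host name.

Added example, not part of the original article or of the SSL Labs study.
Input certificates use the dict layout of ssl.SSLSocket.getpeercert().
"""
from datetime import datetime, timezone
import ssl

# Fixed "now" so the expiry checks are deterministic (Black Hat USA 2010 week).
FIXED_NOW = datetime(2010, 7, 28, tzinfo=timezone.utc)

# Constructed sample certificates; none of these is a real certificate.
SAMPLE_CERTS = {
    "good": {
        "subject": ((("commonName", "www.example.com"),),),
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
        "notBefore": "Jan  1 00:00:00 2010 GMT",
        "notAfter": "Jan  1 00:00:00 2012 GMT",
    },
    "wildcard": {
        "subject": ((("commonName", "*.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"),),
        "notBefore": "Jan  1 00:00:00 2010 GMT",
        "notAfter": "Jan  1 00:00:00 2012 GMT",
    },
    # Typical shared-hosting case: the cert belongs to the hosting provider,
    # not to the site served on that IP address.
    "mismatch": {
        "subject": ((("commonName", "default.hosting-provider.example"),),),
        "subjectAltName": (("DNS", "default.hosting-provider.example"),),
        "notBefore": "Jan  1 00:00:00 2010 GMT",
        "notAfter": "Jan  1 00:00:00 2012 GMT",
    },
    "expired": {
        "subject": ((("commonName", "www.example.com"),),),
        "subjectAltName": (("DNS", "www.example.com"),),
        "notBefore": "Jan  1 00:00:00 2007 GMT",
        "notAfter": "Jan  1 00:00:00 2009 GMT",
    },
    # Older certificate with no subjectAltName: fall back to the CN.
    "cn_only": {
        "subject": ((("commonName", "legacy.example.com"),),),
        "notBefore": "Jan  1 00:00:00 2010 GMT",
        "notAfter": "Jan  1 00:00:00 2012 GMT",
    },
}


def _names_from_cert(cert):
    """DNS names the certificate covers: SAN dNSName entries, else the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a lone '*' as the leftmost
    label. The wildcard never spans a dot, so '*.example.com' covers
    'www.example.com' but not 'a.b.example.com' and not 'example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_cert(cert, hostname, now=None):
    """Return the list of reasons the certificate is not valid for hostname.

    An empty list means the name and validity period both check out.
    Chain and signature verification are not performed here.
    """
    ts = (now or datetime.now(timezone.utc)).timestamp()
    problems = []
    names = _names_from_cert(cert)
    if not any(_name_matches(n, hostname) for n in names):
        problems.append("name mismatch: certificate covers "
                        + (", ".join(names) or "<no name>"))
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired on " + cert["notAfter"])
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid until " + cert["notBefore"])
    return problems


if __name__ == "__main__":
    for label, host in [("good", "www.example.com"), ("wildcard", "a.b.example.com"),
                        ("mismatch", "shop.example.com"), ("expired", "www.example.com")]:
        print(label, host, check_cert(SAMPLE_CERTS[label], host, FIXED_NOW) or "OK")
```

The "mismatch" case is the one worth noticing: a certificate can be perfectly well-formed, unexpired and signed by a trusted CA and still be invalid for the site a browser actually connected to, which is why a deployment survey has to compare the certificate against the host name it was served for rather than inspect the certificate in isolation.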
The Internet's core infrastructure and enterprise giants like Cisco aren't the only topics in the crosshairs this year. With the booming popularity of the Apple iPhone and the growing prominence of Android-based devices, it's no wonder that researchers at Black Hat 2010 are set to detail the results of a landmark study looking at mobile application security for iPhone and Android apps.
Black Hat USA 2010 is taking place in Las Vegas through Thursday. Though the event is loaded with security news, the actual briefings portion of the event -- where the bulk of the show's vulnerability disclosures are likely to take place -- runs only Wednesday and Thursday.