Establishing Digital Trust: Don't Sacrifice Security for Convenience
The annual Black Hat USA security conference has built a reputation for two things: Demonstrations of new 0-day security vulnerabilities, and presentations on security topics that make IT vendors very nervous.
Scheduled for July 21 - 26 in Las Vegas, the 2012 event will have a different look, with a new general manager taking ownership of topics including infrastructure, desktop, mobile, and even Apple security. Trey Ford is the new general manager, taking over from Black Hat founder Jeff Moss. Like Moss, Ford's background is in security research.
"Jeff Moss has moved over to bigger-picture Internet things, but his relationship to Black Hat is still as Founder and conference chair," Ford told eSecurity Planet. "He is still involved and helps source some of our keynotes and he has deep ties in the community."
Moss sold the Black Hat event to UBM TechWeb in 2005, and has remained active in the event as general manager until this year. In 2011, Moss was appointed as the Chief Security Officer of ICANN and is also part of the Obama Administration's Homeland Security Advisory Council. While Moss is not the general manager of Black Hat this year, he is still speaking at the event. Moss is participating in a roundtable discussion titled "Smashing the Future for Fun and Profit" that will be looking back on 15 years of security news from Black Hat.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Moss is also the founder of the DefCon security event, which he still owns and operates.
"When Black Hat was founded 15 years ago, it was five years after DefCon was started," Ford explained. "DefCon was a more of a hacker scene and those people were starting to get real corporate jobs that were yielding a paycheck instead of just being a hobby." Black Hat was born as a way to share training and briefings in a way that is accessible to those corporate researchers.
The Cancelled Talk Syndrome
One of the greatest allures of Black Hat over the years has been the attraction of the talk that is so hot that the affected vendor pushes to get the presentation pulled from the agenda. Back in 2005, security researcher Michael Lynn delivered a talk about hacking Cisco routers that provoked legal challenges from Cisco. In 2009, Cisco's networking rival Juniper Networks pulled a talk from security researcher Barnaby Jack about hacking ATM machines. Jack quit his job at Juniper and came back to Black Hat in 2010 to deliver his talk.
Over the years, Black Hat has developed a better relationship between researchers and the vendor community -- which will be evident at the 2012 event.
"Historically, the interaction between the vendor community and security researchers was tense, if not hostile at times -- with the knee jerk reflex to gag a speaker," Ford said. "The age of vendor innocence is over, the security community for years was dropping 0-day vulnerabilities because they had no ability to interact properly with the vendor community."
Ford added that on the other side, researchers didn't always realize the importance and the gravity of the research they were presenting. Black Hat is now at the center of the conversation bringing vendors and researchers together.
"Even this year there were three talks where I was engaged with the researcher and vendor to help provide a framework and an opportunity for a responsible disclosure process," Ford said.
Ford declined to provide the specifics of which three talks specifically were the subject of the responsible disclosure discussions. He did note that all three talks deal with memory handling, operating system, and protocol level issues.
In Ford's view, security researchers are not to be blamed for putting vendors at risk. Ford stressed that it's not as if security researchers are engineering the vulnerabilities into the products -- they are simply reporting on what they find.
Black Hat has a working relationship with the EFF (Electronic Frontier Foundation), to help provide legal advice for independent security researchers.
Black Hat 2012 Topics
For 2012, the Black Hat USA event received more speaking proposal submissions than in any previous year. According to Ford, there were approximately 500 proposals this year, up by over 100 from last year. Talks have been selected by a Black Hat review board comprised of 21 people.
According to Ford, one of the standout talks at this year's event is titled "PINPADPWN" and will cover pin pad terminal exploits. The talk is being delivered by security researchers Rafael Dominguez Vega and "Nils" (who goes by his first name only). Nils is famous in the security community for hacking all major browsers within minutes in dramatic fashion at the 2009 Pwn2Own hacking event. At Black Hat 2011, a different set of researchers presented some preliminary research about how to hack chip and pin card readers.
Another talk that Ford is looking forward to is titled "Ghost in the Air (Traffic)," by security researcher Andrei Constin.
"It's a talk about the ADSP peer-to-peer protocol used by aircraft to communicate their position and velocity," Ford explained. "The ramifications are farily widespread and it's a great example of how you need to bring researchers into the design process to help solve security."
Apple has been a Black Hat topic for many years. At the Black Hat 2007 event, researcher Charlie Miller publicly hacked the first generation iPhone at the live event, marking the first exploit of Apple's mobile device. Every year since then, researchers have poked holes in Apple's security.
2012 will be a bit different. For the first time ever, an Apple employee will be publicly presenting. Dallas de Atley, Manager of the Platform Security Team at Apple, is scheduled to present a talk on iOS Security. Apple researchers have been scheduled to talk at Black Hat in the past, though none of those planned talks actually panned out.
"We have received assurance that they will talk this year," Ford said. "Apple wants to partner with Black Hat to communicate that they take security seriously and this is a great opportunity for them to come out and start sharing some of that conversation with us."