Modernizing Authentication — What It Takes to Transform Secure Access
Over the years, Black Hat has created a mythos for itself as the conference where some of the most lethal hacking attacks are discussed and sometimes debunked. Black Hat is the place where Dan Kaminsky revealed his DNS flaw in 2008 and where Barnaby Jack hacked ATMs live on stage in 2010. For 2011, the topics are no less severe with researchers set to discuss vulnerabilities in mobile communications and even core infrastructure like water meters.
Multiple researchers over the two day event will be taking aim at Google's Android mobile operating system. Security researchers from Dasient are set to reveal new research that shows that a large percentage of Android apps are insecure and leak user information. Going a step further security researchers Riley Hassell and Shane Macaulay are scheduled to talk about, Hacking Androids for Profit.
Androids aren't the only mobile OS that will receive Black Hat scrutiny. Apple iOS which has been closely examined at Black Hat ever since the first iPhone back in 2007. Then it was security researcher Charlie Miller who was the first person to crack the iPhone. Four years later, Miller is back again and this time he's attacking Apple iOS from a spot that few have ever considered a security risk, the battery firmware. That's right, the battery firmware for an Apple iOS device is potentially at risk.
Mobile operating systems isn't the only technology under attack this week: Google's Chrome OS is under the gun at Black Hat this year, too. Matt Johansen a security researcher with Whitehat security is set to detail potential vulnerabilities in Google's new operating system.
Google is also a favorite for researchers to use as tool. In a talk by Stach and Liu researchers titled, "Pulp Google Hacking - The Next Generation Search Engine Hacking Arsenal," new tools are set to be released. Stach and Liu released Google Hacking tools in 2010 and they promise to have an update this year.
Microsoft, a perennial favorite of Black Hat researcher topics, will also be taken to task again. Security researchers from Norman Security are set to detail deep rooted flaws in a session titled, "Windows Hooks of Death: Kernel Attacks Through User-Mode Callbacks." These are attacks that Microsoft continues to patch in a cat and mouse game with hackers as new vulnerabilities are exposed in the user-mode callback system.
Looking beyond operating systems, Black Hat tends to also have multiple sessions in any given year looking at protocols that cross multiple operating systems and have the potential to put core Internet infrastructure at risk.
In 2011, SSL will once again be a topic of discussion in a pair of sessions. Security researcher Ivan Ristic is set to provide an update on SSL research he presented in 2010. Ristic warned in 2010 that most sites are improperly configured for SSL and this year he's set to provide even more detail on what's wrong and what's right with SSL with new research examining even more sites.
Going a level deeper will be researcher Moxie Marlinspike in a session titled, "SSL and the Future of Authenticity." At Black Hat 2009, Marlinspike detailed multiple risks in SSL that could have enabled wildcard SSL certificates to potentially enable phishing attacks. This year, Marlinspike will provide more details on why SSL still remains potentially at risk.
Another big talk this year is one that will examine credit card security. The risks of credit card skimmers are well known, which is why credit card companies have moved to a chip and PIN approach. Researchers Adam Laurie, Zac Franken, Andrea Barisani, Daniele Bianco will take the Black Hat stage in a talk titled, "Chip & PIN is Definitely Broken" to prove the credit card companies wrong.
The other interesting element that tends to come up year after year at Black Hat are infrastructure type attacks. In 2009, researchers demonstrated hacks against San Francisco parking meters. This year researcher John McNabb is talking about vulnerabilities in wireless water meter networks.
While Black Hat has the reputation for revealing new vulnerabilities, the focus is about providing lessons learned and mitigations for potential risks.
The Black Hat USA conference runs Wed August 2nd and Thursday August 3rd at Caesars Palace in Las Vegas.