Black Hat Researchers Overcome Security Learning Curve

The Black Hat Briefings return to Caesars Palace this week with a new batch of hands-on security research for a crowd of 4,000 IT administrators, hackers, industry experts and government officials.

Security issues continue to get more challenging each year and hacking no longer is child's play, said Black Hat founder Jeff Moss. "Over the last year the attacks have gotten better," he said. "On the organized-crime side, they have gotten better organized. The bad guys have continued to grow up."

The Black Hat Briefings have evolved from an adjunct of the annual Defcon hackers' convention to a premier venue for presenting the latest security research. "I noticed two trends" in this year's presentations, Moss said. Web applications continue to be the low-hanging fruit of IT security. Moss wanted to focus more on other areas this year, but "we still ended up finding a lot that was interesting" in Web application security.

The second trend is the strength of the original research being done. One of the most high-profile examples is the discovery of a design flaw in the Doman Name Service that resulted last month in a coordinated multi-vendor patch release by Dan Kaminsky, director of penetration testing for IOActive Inc. Some details of the vulnerability already have been leaked, but Kaminsky is scheduled to go into more detail at this week's conference.

Research has produced something of an embarrassment of riches this year, Moss added. Competing presentations during one "power hour" will make it difficult for attendees and even speakers to hear everything they want to.

"One speaker told me [he didn't] want to show up at [his] own talk" because he wanted to listen to another speaker scheduled at the same time next door, Moss said.

Three such conflicting presentations scheduled for Aug. 7 are "How to Impress Girls with Browser Memory Bypasses" by researchers Alexander Sotirov and Mark Dowd; "The Internet is Broken," an examination of client-side threats by Ernst & Young security advisers Nathan McFeters and Rob Carter, and John Heasman, vice president of research at United Kingdom-based NGS Software; and "Get Rich or Die Trying" by White Hat Security Chief Technology Officer Jeremiah Grossman and researcher Arian Evans, about the profit potential in some online scams that aren't, strictly speaking, illegal -- yet.

As in past years, most of the work being presented focuses on software. Yet as operating systems become more challenging, the hacking landscape is slowly shifting to other targets, such as applications.

But hardware is coming under attack as well, and research in this area has not kept up with threats. "I've been trying to bring more hardware security in," Moss said. "[But] that's been a tough nut to crack. In government, they think that because it's hardware, it can't be hacked," he added.

One new feature of this year's briefings is letting attendees have a say in selecting presentations. Registered attendees were able to view submissions to the call for papers online and pass on comments and suggestions to the selection committee, which made the final decision. Submitters got to choose how much of their material was available for review.

"This is a system I wanted to build for years," Moss said. As the presentations become more technically sophisticated, the selection committee needs more expertise in reviewing submissions for accuracy and relevance. "It was a work in progress this year, but we got good results. There weren't too many surprises. What attendees wanted generally was what the reviewers wanted," but there were a few presentations that were selected that might have otherwise been passed over.

About the Author

William Jackson is the senior writer for Government Computer News (