Black Hat DC 2009

I’m on my way back from the Black Hat DC 2009 briefings, and thought I’d give a brief synopsis of my experience there while waiting to catch a plane.

This was the first opportunity I’ve had to attend such a conference, and it was made possible by Alan over at StillSecureAfterAllTheseYears.com (yes, you made my year!).  Being in the DC area, this smaller-brother version of the Black Hat Vegas conference is geared more towards the federal sector, which was perfect for me since that is where I work.

The conference was kicked off by Paul Kurtz (check it out here), former advisor to Presidents Clinton and Bush, and current candidate for President Obama’s Cyber-Czar position.  He described the complex, if not disturbing, state of our country’s cyber-readiness in response to a “cyber Katrina” disaster.

It is a grim situation for which a lack of communication between the various parts of our cyber infrastructure are at fault.  He likened it to the pilot training facility in Florida, which trained the pilots of the 9/11 attack, not passing along any info to the government about what was going on.  The same thing, said Kurtz, is occuring with our country’s ISP’s.  He didn’t really go into how to solve it in detail, but I was left fearing that an increase in communication between ISP’s and the government would only lead to more of a Big Brother scenario than we already have.

I chose to attend the Attack and Defense tract of briefings as opposed to the Reverse Engineering tract at Black Hat.  All in all, I was not disappointed, though a few of the topics were very dry and very granular.  Some of the other attendees I talked to were in agreement that the level of detail tended to get very specific, and thus less relevant to the majority of the people attending.

Still, I learned a lot in many of the briefings, including:

• Blinded by Flash: Widespread Security Risks Flash Developers Don’t See (presentation here)
• Dissecting Web Attacks (presentation here)
• Windows Vista Security Internals (presentation here)

The best presentation I saw this week was by an independent hacker going by the name of Moxie Marlinspike, who’s presentation on New Techniques for Defeating SSL/TLS generated the most buzz amongst the conference attendees and the blogosphere.

Moxie demonstrated a method he devised using a tool he wrote called SSLStrip, which allows one to launch a man-in-the-middle attack on someone attempting to log onto a secure site by taking advantage of “positive feedback” techniques currently employed by modern web browsers, and making someone think they are on a secure web site.  In actuality, they are on your version of the site, and once you have their login credentials captured, you send them on their way without knowing the difference.

Moxie had a 100% success rate of fooling people on the Tor network using this technique, collecting passwords for Paypal, Facebook, and other popular “secure logon” sites.

There were other good briefings, and I met a bunch of cool people.  As I posted on Twitter during the conference, rubbing elbows with the DC securiy elite made me realize how quaint Asheville is. I hope to be able to attend more conferences of this genre, and the opportunity for learning is much greater than sitting in a training room listening to a teach drone on about a single subject.