Black Hat draws world hacking gang – and Apple – to Sin City
New faces, and a few old ones
Agentless Backup is Not a Myth
Black Hat 2012 The 2012 Black Hat conference is kicking off in Las Vegas, and this year's session will see Apple presenting for the first time, as well as a reunion of some of the team behind the first briefings 15 years ago.
Black Hat, and the associated DefCon sessions which follows it, is probably the largest collection of hardcore computer security experts on the planet, and features the latest updates on hacking opportunities and serious vulnerabilities. Nearly 10,000 people are expected to attend and share or use the knowledge gleaned to protect – or crack – systems.
While Apple has had security staff among the attendees for many years, the company has never actually made a presentation until this year. The recent spate of attacks on its products, however, appears to have engendered a new awareness that it can't go it alone – and so the delightfully named Dallas De Atley, manager of the platform security team at Apple, will deliver a talk on iOS security.
Microsoft recognized the importance of Black Hat relatively early, and has been sending staff since the late 1990s, although Redmond's problems with security make Apple's recent public failings look like a mere flea bite by comparison. A session on Windows 8 vulnerabilities is scheduled that should prove both enlightening and worrying for Redmond – given we're getting close to the launch of the new OS.
There's also a reunion of some of the first Black Hat attendees. Jeff Moss, who started the conference before selling it, will join a panel with security guru Bruce Schneier, Adam Shostack, Marcus Ranum, and Jennifer Granick. The talk, entitled "Smashing the future for fun and profit", will look at how things have developed in the last decade and a half, as well as considering what the next hot targets will be.
Another regular, Dan Kaminsky, will also be addressing the crowds on the latest naughtiness he's proved possible. Kaminsky, who was instrumental in proving the need for and implementing DNSSEC as well as fixing SSL, is fast becoming one of the regulars at the show after deciding to go totally legitimate because, as he told us in 2010, he "didn't want his mother to have to visit him in prison."
While Black Hat is always informative, it also engenders a certain level of risk. Already someone has sent out a bogus password reset email to some attendees, and cracking the organizers is something many of the more mischievous attendees try – and anyone attending the show, including your Reg reporter, is considered fair game.
This year the organizers have warned attendees to avoid using Wi-Fi or other radio connections in the conference venue, steer clear of ATM machines (after a bogus one was set up near the venue in 2009), shield RFID-equipped cards and passports, and advises that all passwords are changed after the show.
"Wear a tinfoil hat," the advisory email states. "OK, kidding about this one ... although I do see one every show." ®
COMMENTS
do not use : Wi-Fi or other radio connections, ATM machines.
shield : RFID-equipped cards and passports
When the world's "largest collection of hardcore security experts" is given warnings like that, what chance have the great unwashed got? The proverbial man on the street can't function without these things any more, but as the Black Hat organisers say, even if you're an expert at defending yourself, these technolgies we all depend on are flaky in the extreme.
Consumers, be they organisations or individuals, pay for convenient, expedient and fashionable solutions. They do not pay for security. It has no value for them until after they've paid, by which time the vendor is no longer bothered.
>"Redmond's problems with security make Apple's [...] look like a mere flea bite"
No, they don't, not to anyone with a memory of history. What all of Apple's recent security failings should make clear to anyone who understands computer security is that Apple are now repeating all the mistakes Microsoft made years ago, having failed to learn anything from them but having inherited their position as a corrupt monopoly. How could anyone make a mistake as stupid as Microsoft did in the original LanMan protocol where they hashed each 7-byte part of the password separately, thereby reducing the difficulty from 2^(14*8) to 2^(7*8)*2 == 2^(7*8+1)? Oh wait, Apple just did that too! Only fifteen years later!
There's also an element of risk-to-reward tradeoffs here.
You might consider wearing body armour if you were working in some of the more... exciting areas of iraq or afghanistan, but it isn't really worth the weight, discomfort or expense to do the same if you were in, say, Knightsbridge.
Most of us do not spend much time in close proximity to a large concentration of capable hackers, so we need not tinfoil ourselves up to the nines.
IT infrastructure monitoring strategies
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
Data control in the cloud
Cloud based data management
Agentless Backup is Not a Myth
