Internet Security Systems - AlertCon(TM)

Blackhat & DefCon - Las Vegas 2008

Posted by Gunter Ollmann on August 04, 2008 at 8:06 AM EDT.

As most technical security professionals are already profoundly aware, it’s Blackhat and DefCon week in Las Vegas this week, and it’s going to be a long and sleepless week for those attending. I’m actually looking forward to attending both events this week, but it’s tempered with having to be in Vegas for 6 days straight!

The speakers lineup for Blackhat is pretty interesting this year, and I thought that (unlike previous years) I’d actually take a stab at pseudo-deciding which talks I’d try attending (I’m prefixing it with “try” because, as anyone who’s been to Blackhat Las Vegas before knows, there are a lot of last minute distractions, pullouts and overlapping talks).

Now, if you’ve been watching the preamble press for Blackhat (i.e. feeding frenzy), you’ll be aware that there are three critical talks this year and, like the 4,000 other attendees, I’m aiming to include those talks…

(1) Dan Kaminsky’s “Black Ops 2008 -- Its The End Of The Cache As We Know It” is probably the most overhyped talk for the event and, while I’m not expecting to see anything new from what’s already been published over the last few weeks relating to that DNS issue, I do like to people watch – and I’m pretty sure that the media swarm this year is going to be of epic proportions.

(2) Mark Dowd’s “How To Impress Girls With Browser Memory Protection Bypasses” will be the most awe-inspiring talk of the show and will likely blow the minds of anyone that’s not regularly sitting in front of IDA Pro for more than 4 hours every day. That said, if you’re a top-end developer having to code memory protection mechanisms, you’d have to be out of your mind to not sit in on this talk. Look, listen, take notes, and remember!

(3) John Heasman’s “The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation” (along with Nathan McFeters and Rob Carter of course) talk covering new browser attack vectors including the evolving GIFAR (JAR archives that look like GIF images) will be very interesting.

Of course, the first immediate problem I see is that Mark Dowd is on at exactly the same time as John Heasman (3:15pm on Thursday). Given that hiccup, I’ll probably end up attending John’s talk because I’m more into studying client-side attacks at the moment; and besides, it’s not as though I couldn’t catch up with Mark back in the office afterwards. That said, Jeff Moss, if you’re reading this blog, can I convince you to make a last-minute change to the schedule and remove the overlap? There’s a beer in it for you ;-)

The other talks that sound the most interesting to me, and that I’m adding to my hit-list, are:

(4) Michael Ossmann’s “Software Radio and the Future of Wireless Security” because it’s an area I’ve been interested in ever since I shoved a 100MHz Oscillator card into my 486DX and hooked it up to an X-band radar – and the fact that software radios are the bread & butter research tools for any current generation RF hacking.

(5) Lukas Grunwald’s “Hacking and Injecting Federal Trojans” because I’ve been heavily involved in the new banking Trojan attack vectors for quite some time and have been keeping an eye on what’s happening with German lawful interception technologies. (But it’s on at the same bl**dy time as Dowd’s and Heasman’s presentations! Jeff, come on, are you doing this on purpose?)

(6) Shawn Embleton’s “A New Breed of Rootkit: The System Management Mode (SMM) Rootkit” because, as a former silicon guy, I like hearing about new dirty tricks – although I have some doubts about its stealth.

While those 6 talks are on my hit-list, I’ll be playing it by ear on the day as to which other talks I end up attending.

DefCon

Then of course there’s DefCon running Friday through Sunday.

I always enjoy DefCon – perhaps more so than BlackHat – because of the sheer breadth of talks and more relaxed feel to the proceedings. I’ve also found that speakers that have done the BlackHat/DefCon circuit give much better talks the second time round at DefCon because they’re similarly relaxed - and the Q&A times tend to be more insightful.

I’m not going to even try to list the talks I’m aiming to attend because there are too many and, based upon any previous year’s experience, bumping into former colleagues and clients often means that the plan of the hour gets rapidly ditched.

That said, there is one slot I HAVE to attend – 10:00 Sunday morning – as I’m delivering the talk “Exploiting A Hundred-Million Hosts Before Brunch” with my good friend Stefan Frei. I guess we must have upset the scheduling gods (or did I offend too many of the Goons last year?) to have been cursed with such a soul-damaging slot. I just need to decide whether 10:00am is a very early or a very late slot to give the talk – it all depends upon what the evening before has planned...
