A month from now I'll be at Black Hat USA 2014 with many of my Akamai colleagues. It's time to start thinking about the talks that will be most relevant to our interests. To that end, here's a look at some of the more interesting items on the agenda so far.
Note: This is not the full agenda, nor is it an objective list. It captures the talks that look most interesting to me.
Source: The Black Hat USA 2014 website
CYBERSECURITY AS REALPOLITIK
Power exists to be used. Some wish for cyber safety, which they will not get. Others wish for cyber order, which they will not get. Some have the eye to discern cyber policies that are "the least worst thing;" may they fill the vacuum of wishful thinking.
GOVERNMENTS AS MALWARE AUTHORS: THE NEXT GENERATION
After canceling his RSA talk in protest, Mikko delivered his talk on Governments as Malware Authors at TrustyCon instead. This follow-up talk will look at what's changed since then, and what new things we have learned about governments that write malware. Which governments are involved? Where do they get the skills? How big are the budgets for this? And, most importantly, do we have any hope of fighting malware of this caliber?
PULLING BACK THE CURTAIN ON AIRPORT SECURITY: CAN A WEAPON GET PAST TSA?
Every day, millions of people go through airport security. While it is an inconvenience that could take a while, most are willing to follow the necessary procedures if it can guarantee their safety. Modern airport security checkpoints use sophisticated technology to help the security screeners identify potential threats and suspicious baggage. Have you ever wondered how these devices work? Have you ever wondered why an airport security checkpoint was set up in a particular configuration? Join us as we present the details on how a variety of airport security systems actually work, and reveal their weaknesses. We'll present what we have learned about modern airport security procedures, dive deep into the devices used to detect threats, and present some of the bugs we discovered along the way.
THE BIG CHILL: LEGAL LANDMINES THAT STIFLE SECURITY RESEARCH AND HOW TO DISARM THEM
Security research is a dangerous business. The threat of lawsuits or even prosecution hangs heavy over the heads of white hat hackers as well as black hats. From Dmitry Sklyarov being prosecuted for cracking ebook crypto back in 2001, to Weev being prosecuted today for exposing flaws in AT&T's website security, the legal landscape is littered with potential land mines for those trying to improve Internet and software security. When a major company like Google can be sued for billions over its interception of unencrypted WiFi signals, what's a wireless security researcher to do? When an Internet luminary like Aaron Swartz can be threatened with decades of jail time for his open data activism, what's your average pen tester supposed to think? How serious are these threats - and what can researchers do to avoid them, and maybe even fix the law? Two veteran digital rights lawyers - one who counsels companies and defends hackers, and another who is an expert in the DC policy game - and the lead strategist of a major security firm will use a game show format to share examples of legally risky research and ask the question: "Computer Crime or Legitimate Research?" Using the answer to that question, we'll start gaming out how to craft legislation that would provide a sensible security research exception to laws like the Wiretap Act, the Digital Millennium Copyright Act, and the Computer Fraud and Abuse Act.
Trey Ford, Marcia Hofmann and Kevin Bankston
EPIDEMIOLOGY OF SOFTWARE VULNERABILITIES: A STUDY OF ATTACK SURFACE SPREAD
Many developers today are turning to well established third-party libraries to speed the development process and realize quality improvements over creating an in-house proprietary font parsing or image rendering library from the ground up. Efficiency comes at a cost though: a single application may have as many as 100 different third party libraries implemented. The result is that third-party and open source libraries have the ability to spread a single vulnerability across multiple products, exposing enterprises and requiring software vendors and IT organizations to patch the same vulnerability repeatedly. How big of a problem is this? What libraries are the biggest offenders for spreading pestilence? And what can be done to minimize this problem? This presentation will dive deep into vulnerability data and explore the source and spread of these vulnerabilities through products, as well as actions the security research community and enterprise customers can take to address this problem.
Kymberlee Price and Jake Kouns
STAY OUT OF THE KITCHEN: A DLP SECURITY BAKE-OFF
Despite a plethora of data security and protection standards and certifications, companies and their systems are still leaking information like a sieve. Data Loss Prevention (DLP) solutions have often been touted as the "silver bullet" that will keep corporations from becoming the next headline. With deployment models ranging from a fat agent on an endpoint, to a blinky-lights box surveilling all network traffic, to some unified threat management gateway with DLP secret sauce, these solutions are ripe for bypass - or worse. This talk will discuss our research into a handful of DLP solutions, including their capabilities and their shortcomings. We will demonstrate flaws in administrative and programmatic interfaces and the inspection engines themselves.
Zach Lanier and Kelly Lum
BUILDING SAFE SYSTEMS AT SCALE - LESSONS FROM SIX MONTHS AT YAHOO
Our profession is at a crossroads. The success of malicious actors such as phishers, spammers, malvertisers, and other criminals, combined with revelations of pervasive government surveillance, has changed the way users look at technology and has greatly increased our responsibility for building safe software. The role of security has also evolved significantly for Internet companies. Companies that began with a mission to provide engaging or entertaining experiences now serve as a conduit for populist uprisings and free expression. That evolution comes with a cost, as the very same companies are now targets for top-tier intelligence agencies. This talk will recap the speaker's first six months as the CISO of Yahoo. We will review the impact of the government surveillance revelations on how Yahoo designs and builds hundreds of products across dozens of markets. The talk includes discussion of the challenges Yahoo faced in deploying several major security initiatives and useful lessons for both Internet companies and the security industry from our experience. The session will close with a discussion of the fundamental challenges that are left to be tackled for large Internet companies as well as possible solutions.
48 DIRTY LITTLE SECRETS CRYPTOGRAPHERS DON'T WANT YOU TO KNOW
Over the past year, more than 10,000 people participated in the Matasano crypto challenges, a staged learning exercise where participants implemented 48 different attacks against realistic cryptographic constructions. In the process, we collected crypto exploit code in dozens of different languages, ranging from x86 assembly to Haskell. With the permission of the participants, we've built a "Rosetta Code" site with per-language implementations of each of the crypto attacks we taught. In this talk, we'll run through all 48 of the crypto challenges, giving Black Hat attendees early access to all of the crypto challenges. We'll explain the importance of each of the attacks, putting them into the context of actual software flaws. Our challenges cover crypto concepts from block cipher mode selection to public key agreement algorithms. For some of the more interesting attacks, we'll walk the audience step by step through exploit code, in several languages simultaneously.
Thomas Ptacek and Alex Balducci
EXPOSING BOOTKITS WITH BIOS EMULATION
Stealth and persistency are invaluable assets to an intruder. You cannot defend against what you cannot see. This talk discusses techniques to counter attempts at subverting modern security features, and regain control of compromised machines, by drilling down deep into internal structures of the operating system to battle the threat of bootkits. The security features added in modern 64-bit versions of Windows raise the bar for kernel mode rootkits. Loading unsigned drivers, which is what most rootkits will attempt to do, is denied by Driver Signature Enforcement. PatchGuard protects the integrity of the running kernel, preventing them from modifying critical structures and setting up hooks. Although time has shown that these security measures are not perfect, and some may in fact be bypassed while actively running, an alternative approach is to subvert the system by running code before any of the security features kick in. Secure Boot has been introduced to protect the integrity of the boot process. However, the model only works when booting from signed firmware (UEFI). Legacy BIOS systems are still vulnerable as the Master Boot Record, Volume Boot Record, and the bootstrap code all reside in unsigned sectors on disk, with no security features in place to protect them from modification. Using a combination of low-level anti-rootkit techniques, emulation, and heuristic detection logic, we have devised a way to detect anomalies in the boot sectors for the purpose of detecting the presence of bootkits.