Black Hat gears up in Las Vegas

The eleventh annual Black Hat security conference will occupy more space at Caesars Palace in Las Vegas this year in order to accommodate more people, more topics, and, of course, more controversy.

The conference kicked off over the weekend, starting with four days of topic-specific training, before concluding on Wednesday and Thursday with two days of public sessions.

If past conferences are any guide, expect the overall total attendance to be more than last year. With that in mind, Black Hat is expanding its footprint within the Caesars Palace resort.

But count out at least one prospective attendee. On Sunday, Thomas Dullien, chief executive of the German company Sabre Security, reported in his personal blog that he had been denied entry to the US for reasons to do with H-1B visa regulations. He says that US Customs officials detained him over material he was carrying to Black Hat in order to teach what was billed as an “intense course, encompassing binary analysis, reverse engineering and bug finding”.

A larger conference means not one but two keynote addresses. One is from Richard Clarke, President Bush’s former special advisor on cyberspace security. Clarke, whose 2002 Black Hat keynote speech stated that software vendors and internet providers must share the blame for malicious software, is now with Good Harbor Consulting. This year, he will talk about those “who seek truth through science, even when the powerful try to suppress it”. The other keynote speaker will be Tony Sager, vulnerability chief of the National Security Agency, who will talk about creating government security standards while working with commercial vendors.

Unlike last year, when Microsoft hosted an entire series of sessions focusing on the yet-to-be released Windows Vista platform, there will be no similar tracks offered this year. Returning tracks include sessions on voice-services security, forensics, hardware, zero-day attacks and zero-day defences. New tracks include operating system kernels, application security, reverse engineering, fuzzing and the testing of application security.

Potential controversy
But it’s the individual sessions that could get heated.

Several presenters are familiar to Black Hat attendees and not without controversy. Neal Krawetz is returning to tackle image forensics, showing how to peel back the layers to find less-than-obvious manipulation; Dan Kaminsky is presenting his annual Black Ops survey; and Phil Zimmerman is returning to talk once again about his vision of a secure telephone for the internet, called the Zfone.

Meanwhile, Jeremiah Grossman will talk more about “Hacking intranet websites from the outside (Take 2) — fun with and without JavaScript malware”, and Billy Hoffman will team with Brian Sullivan to discuss “Ajax-ulation”, a talk about building a secure Ajax-laden travel website.

The talk “Breaking forensics” is already controversial. ISec researchers Chris Palmer, Tim Newsham and Alex Stamos have stated they’ve found up to six vulnerabilities within Guidance Software’s EnCase, a digital forensics program used primarily by US government and law enforcement, prompting swift denials from the company.

Also controversial is Joanna Rutkowska, whose presentation last year drew a standing ovation from the crowd. This time, Rutkowska is appearing alongside Alexander Tereshkin to talk about methods for compromising the Vista x64 kernel. Luis Miras will reprise a talk he gave this past spring at CanSecWest on hacking peripheral devices, such as mice and pointers.

In the evening, there will a mock hacker trial presided over by a real judge, and a talk by security researcher Johnny Long titled “No-tech hacking” — and that’s all just within the first day.

On Thursday, there will be only one keynote speaker, Bruce Schneier, who will talk about the psychology of security. Then David Maynor, who last year presented an Apple wireless flaw, will return with “Tips your security vendor doesn’t want you to know”. Mozilla’s Window Snyder and Mike Shaver will introduce new tools to fuzz browsers as well as talk about the security features expected in Firefox 3, due later this autumn.

Also, Hoffman will give a second talk along with John Terrill on the possibility of a web-based Ajax-enabled worm and how antivirus companies might cope with it; Gregg Hoagland will give a talk about reverse engineering; Adam Laurie will talk about RFID vulnerabilities; Gadi Evron will discuss the supposed cyberwar in Estonia; and retired special agent Jim Christy will host a regular feature called “Meet the feds”.

At the end of the second day, F-Secure’s Mikko Hypponen will talk about mobile-phone vulnerabilities. Meanwhile, Brian Chess and Jacob West will have some fun with something they’re calling “Iron chef Black Hat”, a session where two different methods of vulnerability testing will be used to try to discover the “secret ingredient” nestled within in an open-source application.

All Black Hat events are being held here at Caesars Palace. A sister conference, Defcon 15, will run from Friday until Sunday at the Riviera Hotel, also in Las Vegas.