Blackhat Briefings 2009 – Las Vegas, NV – Day One

Getting Started

Late July I was lucky, nay privileged enough to be one of the few South Africans making the yearly pilgrimage out to the hot as hell desert of Las Vegas, Nevada for Black Hat Briefings ’09. It’s the more “corporate”, main stream version of DefCon (which I will talk about later). There were some great talks and looking through the program on the Tuesday before the con opened officially I realized doing the “pick and choose” was going to be akin to choosing between Angelina Jolie and Scarlett Johansson.

Here’s a quick tip for you. Pitch up the day before registration. You will get your badge and bag and all the accompanying goodies and you won’t have to sit in huge queues for the majority of the opening day. This theme was to be repeated for the entire weekend of DefCon. With that said, the registration and general running of the entire conference was handled much like the Swiss make watches. Very well done there guys…

Now I’m not going to go through everything, simply because there is just too much to go through.  What I will do is pick some of my favourite moments or talks and share that madness with you. Needless to say the vendor area was huge. There were more free t-shirts, free bags and other detritus with a logo or witty saying on it than you could shake the proverbial stick at.

Overshadowing Themes

There were a number of themes that seemed to take focus over the course of the two days that make up Blackhat. Yes there were the usual privacy, exploitation and legal type talks but above this came these topics. I believe it’s because of the way we as an Internet using community are going but perhaps there is something more to be said. I’ll leave that for you to decide..

• Rootkits – not your run of the mill rootkits either. Advanced rootkits for Mac OS X comes to mind.
• Mobile – Aside from Charlie Millers talks on the iPhone/SMS vulnerability
• Cloud / Virtualization – Not just a generic overview

Day 1 Highlights :

I went to: Veiled – A Browser Based Darknet        (I wanted to go to: Stoned Bootkit)

While Billy and Matt didn’t release any code which was a little disappointing, their talk was technical enough that anyone with more than two braincells (the entire audience) could come up with some workable proof of concept. The general idea was to use web browsers to create a darknet without the need for a central server that isn’t under the control of the darknet operators. It also allowed for the quick construction and destruction of the darknet. Very cool ideas and with some very interesting real world applications. Let’s hope the guys can get through the HP red tape and release their code sometime.

Note: The 11:15-12:20 slot was impossible to go to simply because out of the 8 tracks I wanted to go to 6 of the talks. This was the first time this happened, but it was by no means the last. All I can say is thank GOD for DefCon17

I went to: Weaponizing the Web            (I wanted to go to: See note above)

Nathan and Shawn gave a great talk on CSRF and how it’s still in use today. There were some great examples and they also released their tool MonkeyFist. There were examples on SocNets, blogs and the various Wikis floating around the ‘net these days. Aggregated news also featured in their rants on the general fail of user generated content.

“Complexity breeds exposure…”

Awesome talk of the day: Moxie Marlinspike – More Tricks for Defeating SSL

This was one of those talks where he builds you up, feeding you enough to keep you interested until it hits you in the face and you go “Daaaammmmnnn….there it is. We’re screwed.” There was talk about sslstrip and the new improved sslsniff. Both very cool tools to check out, if only to re-enforce the “Oh my god SSL is very broken” feeling. Add this talk to the one Dan Kaminsky gave directly after and you have a very good case for not trusting the foundations we seem to build all of our security houses on.

End of Day One.

I was going to put all of Blackhat into a single blog post, but looking at this length of this post, I see that’s not going to be possible. Tune in later for Day Two.