
Blackhat Briefings 2009 – Las Vegas, NV – Day Two

Posted: August 17th, 2009 | Author: Matt | Filed under: Conferences, InfoSec

Day Two of Blackhat

(aka. The Day of the Cloud)

Day two of Blackhat was definitely “The Day of the Cloud”. That and possibly also “Revenge of the Mobile Handset”, but I don’t know enough movie titles to really make this as witty and as crowd pleasing as possible…

In all seriousness, day two was just as tough as day one to do the whole “I want to see X” game. Before we get into that in too much detail it’s worth mentioning the size of Blackhat for those who didn’t get to go. I realize I should have done this for day one, but alas I’ve never really followed a checklist. Blackhat was held at Caesars Palace. There were 8 tracks on day one and 7 on day two, so getting to see everything was nigh on impossible. They were selling DVDs of the whole show, but the only one really worth getting (Blackhat + DefCon Combo) was $499!!! For someone coming from South Africa, already on a shoestring budget (read company per diem), this was just a non-starter. I guess we will just have to wait the 4 months or so before they release it to the public and download…

Moving swiftly forward…

Great talks for day two:

Fuzzing the Phone in Your Phone: Charlie Miller and Collin Mulliner

Yes, they dropped 0-days. Yes, they provided great technical details, and yes, I was able to follow most of it even though I know a dangerous amount about the mobile platforms. Charlie and Collin dropped a huge amount of really great info on the iPhone, Windows Mobile and Android platforms. Their talk on how they actually fuzzed the phones to get the required data for the 0-days was not only technically useful enough to do the work required but got me very interested in the topic. Needless to say, people were turning off their phones in the audience and the live demo worked like a charm. Being an iPhone user (read fanboy) I am more than a little concerned. Yes, Apple did patch the SMS vulnerability the day after, but really, how many people are THAT efficient at patching their phones? This is definitely a talk to check out when it’s available…

Clobbering the Cloud: Haroon Meer, Nick Arvanitis, Marco Slaviero

I was fortunate enough to have also caught the SensePost guys at this year’s ITWeb Security Summit, and again they proved why they’re at Blackhat year after year. Haroon and the guys gave a talk that was not only very technical but entertaining, on how they simply broke a number of the mainstream “cloud” applications. I won’t go into too much detail as it was a fairly technical talk with some very scary demos. If you think the mainstream cloud applications are secure and you don’t really need to worry about putting your “stuff” into the cloud, watch this talk. Then lock all your data in a nuclear bomb shelter in Alaska. This talk just reinforces my lack of trust for “the cloud”. Charl and the guys from SensePost did South Africa proud. Keep up the great work guys…

I did attend most of the much hyped Cloudburst: Hacking 3D and Breaking out of VMware, but to be honest the speaker wasn’t very engaging and I did lose interest. We know that Cloudburst works and is available for a fairly significant fee in the CANVAS Framework by Immunity. It does change the game again completely, but this goes with the whole theme I took away from Blackhat: EVERYTHING is broken in some way or form, and to some degree we’re building “secure” protocols over very insecure protocols…but that’s a story for another day.

Wrapping Up

All in all, Blackhat Briefings 2009 was very very cool. For someone coming from South Africa, the WOW factor was huge, not only in coming to Las Vegas, but simply the scale of the talks. Having 8 tracks on the go at the same time in some very big rooms AND having them fill up to the brim with some of the most intelligent people on the planet was simply awesome. What I find coming away from events like this isn’t just all the “cool tech” and great talks, it’s that feeling of “wow, I actually know NOTHING”, and that’s not a bad thing. It revs me up to get back into learning, reading books, listening to podcasts and generally expanding my base of knowledge. I’m hoping to use what I learned not only in giving talks to anyone interested in Durban but also to people in my workplace. Security awareness is of vital importance in this day and age, and going to Blackhat gives me fuel for this engine.

Will I be back next year?

You better believe it.