My final account of Black Hat 2007 and Defcon 15 is not nearly as entertaining as my wife Llana’s. First of all, Black Hat is by far my favorite conference and I look forward to it every year. The talks and speakers are top notch (well, most are), the attendees come from all over the world with interesting stories to share, and there is always something going on day or night. This year’s show was bigger than ever, 4,000 strong, with security professionals, press, analysts, hackers, government employees, vendors, etc. Black Hat is totally worth every penny spent if only to meet the people there.
In the aftermath, Richard Bejtlich and Michael Farnum moved along to the Depression stage of web security grief:
Between our presentation and the DNS Rebinding talks, I think we really drove the point home that the Intranet is no longer off limits and browser security needs to be rethought. And soon! Now it’s the browser vendors’ turn, and with all the press I’m sure they’ve been queued up.
The slides and most of the PoC have been made available. Hopefully we get the video soon to post that as well.
Two great talks: Intranet Invasion With Anti-DNS Pinning by David Byrne and Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity by Brad Hill. I learned several things in each of these and the content was well presented.
Iron Chef Blackhat: OK, I have no idea how Brian Chess
During the hacking, The President was non-stop cracking jokes saying sarcastic things like “this is blowing my mind”, making comparative references to Paris Hilton, and busting John’s Symantec chops for not ridding his computer of viruses. So damn funny. At the end the winner didn’t really matter. Both Iron Chefs showed well, people learned a thing or two about the VA process, and everyone seemed to really enjoy the show. Hopefully Brian and Fortify will keep this going. It was a lot of fun.
Side-channel conversations: There was a good bit of chitchat about BJJ and MMA. A lot of people in infosec train in various forms of martial arts. Makes sense, I guess. However, I was not prepared for Chris Hoff’s unprovoked attack. In the front of PURE, Chris comes out of nowhere like the Blair Witch, hugs me, and says, “all I want to do is get in your butterfly guard, big boy.” I think Mike Rothman was standing there just as confused as I was. :) Then later there was talk about some Hacker MMA Smackdown event rumor I hadn’t heard about. RSnake had, and immediately said in his best Tyler Durden voice, “I’d fight Erik Birkholz.” I kid you not. Ask the Mozilla guys, they were there! Gotta be on guard at all times around these infosec guys, sheesh.
CiscoGate and Predictable Resource Location: Jeff Moss gave an excellent and entertaining presentation about the timeline of events circling around the Michael Lynn, ISS, and Cisco fiasco from a while back. One thing I thought was interesting was that after a federal judge issued a TRO against BlackHat, they removed the offending files from the web server. Strike that: in their haste, they removed the links to the files and forgot to remove the originals. Someone took the opportunity to guess at the file names on the web server for 8 straight hours until they finally found them, and shortly thereafter the files flooded to every corner of the web. Cisco complained in court that this violated the TRO, but the court saw it otherwise.