Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: blackhat

[Guest Post] A first-timers view of the “Hacker Summer Camp”

As many people are aware, the big „Hacker Summer Camp“ took again place in Las Vegas this August. This get-together describes the occasion of Black Hat, for the Business sponsored InfoSec employee, BSides Las Vegas, for the techies, and DEF CON, which apparently became object of both type of folks already years ago, and many more little side conventions.

As these types of conferences are usually a big chance to meet all of the friends that you don’t see the rest of the year, attending many talks is never a goal. Especially not, as these days most of the talks are recorded. As for the full lists of recordings, please check the following links:

The DEF CON 22 Talks will be published by the speakers on YouTube, or can be bought, some of the slides are also already available here: https://www.DEF CON.org/html/links/dc-archives/dc-22-archive.html

The Black Hat Talks will show up here: https://www.youtube.com/user/BlackHatOfficialYT

Over the last few weeks already many Blogposts arose that listed personal favorite talks and what the learnings are. For such a reference, check out other European sites like http://www.scip.ch/?labs.20140819 in German or http://blog.csnc.ch/2014/08/blackhat-and-def-con-usa-2014/ in English.

The big topics this year were infections over USB and wireless transmission of signals like the ones that can be read with a HackRF. One topic that isn’t completely over yet, is hacking of Point of Sale devices. Although they are usually very specific by the country the research originates, and therefore can’t be applied to every vendor or product. They are still interesting though and give new hints on what to consider when securing such an infrastructure.

As an outlook we were informed at the Closing Ceremony of DEF CON, that the next year DEF CON will be hold at the Paris and Bally’s. With DEF CON becoming not only bigger in numbers of attendees, but also space, and seeing the changes that just happened to the German Chaos Communication Congress, I personally like the change. More space can give more ways to be creative.

The CCC has become a very colorful but dizzying experience, which makes it hard for new people to find navigation or orientation in. But CCC, early on, started having villages where like minded people and friends have a “public” space where they can be found and present their stuff. The concept becomes very visible at the hacker camps, where usually even more equipment is brought in and spaces are decorated with lots of creativity and love. DEF CON has also started with the villages, by having for example, Hardware, Social Engineering and Wireless villages. This concept of organized interest groups can be quite a help, if an event becomes too big. I personally also wouldn’t mind seeing more talks in villages, which have smaller audiences but also give the speaker more chance to interact and talk, learn and share information. I always feel sorry for speakers who prepare a talk and only get to hold it once. Presenting a talk several times with slight variations, depending on the target audience, might improve the rate of knowledge exchange and therefore be beneficial for both sides. The big talks still should be held in big rooms of course, but information overflow has become such a big topic, that the concept of split, addressed information might help. If there were more spaces like DEF CON SkyTalks, the chance exists that the quality of the presented information would also improve again.

- Des

Vegas Baby!

It’s been an odd year so far… the blog has been quiet, and I’ve stepped back a little due to personal reasons over the past few months. Still, it’s overdue time for the summer cons, and this years trivector of chaos (BSidesLV, Blackhat and Defcon) is looking to be the biggest yet.

This will be my 4th trip to Las Vegas, and one thing I learnt from my first visit was to “throw the plans out the window!”. I spent far too long planning each and every aspect of my trip that first year, and as a result I missed out on a lot of things. Still, live and learn eh!

There will (almost) always be the chance to go back and watch the videos from most presentations (excluding those from Skytalks and the underground track at BSidesLV). So take time to meet people, talk shop and discuss things. One of my big goals this year is to meet new people… so say hi if  you see me. I only bite when provoked ;)

Instead of setting things in stone I wanted to pick a couple of talks I really want to hit when in Vegas. So, without further ado, here’s my top talks to attend… it’s a short list, so don’t take offence if you’re talks not on it. Sorry….

- BSidesLV -

Top Picks:

  • Empirical Exploitation (HD Moore)
  • Burp Suite – Informing the 99% of What the 1%’ers Are Knowingly Taking Advantage Of (James Lester & Joseph Tartaro)
HD always puts on a good show, so I’m interested to see what comes out from his bag of crazy this year. The Burp Suite talk also looks to be interesting. Like many I spend a good deal of my life stuck in Burp Suite, so anything that can be done to expand and improve is a good thing in my book!

Bonus Round:

  • Breaking Microsoft Dynamics Great Plains – An Insider’s Guide (David Keene)

I have a soft spot for Microsoft Dynamics, as my girlfriend is an AX programmer… What can I say ;)

Note:

BSidesLV has an entire track (underground) that won’t be recorded or discussed in the press… if you can, these are probably some of the best talks to see. Unedited, raw, and unapologetic!

- Blackhat -

Due to Blackhat and BSidesLV taking place at the same time I’m not sure how long I’ll have to look around and see talks. Still, if possible I want to swing by and catch at least one talk…

Top Picks:

  • SexyDefense – Maximizing the home-field advantage (Iftach Ian Amit)
  • Confessions of a WAF Developer: Protocol-Level Evasion of Web Application Firewalls (Ivan Ristic)
I’m interested to see where Ian has gone with this since discussions (started?) in Cali last year. Sexy Defense has been talked about a lot, so I hope to see some actionable pointers.

Bonus Round:

  • iOS Security (Dallas De Atley)

How can I not put Apple’s official talk on the list… although I’m not heavy into iOS or mobile, I’m interested to see what Apple talk about, given their historic silence on anything even remotely security related!

- Defcon 20 -

Defcon turns 20… almost old enough to get wasted and wake up in its own vomit! Still, this year looks like it’s going to be fun.

Top Picks:

  • Don’t Stand So Close To Me: An Analysis of the NFC Attack Surface (Charlie Miller)
  • Uncovering SAP Vulnerabilities: Reversing and Breaking the Diag Protocol (Martin Gallo)
  • Weaponizing the Windows API with Metasploit’s Railgun (David ‘thelightcosine’ Maloney)

SAP, NFC and Metasploit… what’s not to love!

Bonus Round:

Note:

Skytalks are a side area where unrecorded presentations take place. Last year it was home to some of the best presentations of the con… if you take the time to see just one talk, make it something from Skytalks!

Hope to see you in Vegas!

Bigger, Better, Faster, More!

Las Vegas – The entertainment capital of the world.

Where your every desire is catered for, and you never have to go without. If there’s another place on earth with so many flashy lights, then I’ve certainly never heard about it!

Still, When I saw that this year Blackhat had gone to 11 tracks, I couldn’t help but think they’d were going a little bit too far, even for Vegas!

There’s a fine line between offering good content and swamping visitors with just too much choice…  and no matter how much I try, I just can’t help but get the feeling that Blackhat Las Vegas just jumped the shark!

I go to more than my fair share of conferences, and one thing that connects them all for me is the excitement and anticipation I get when looking over the list of speakers and talks. Picking out the ones I really want to see, the people I want to meet and the things I want to learn about, are one of the highlights of a conference for me. The build-up is almost as important as the event after all. When I saw the schedule for this years Blackhat however, I didn’t feel excited. It wasn’t because there were no good talks, because there were a lot of great talks and great speakers. It was just too much. In my mind Blackhat had hit that point where it just didn’t matter what talks people went to anymore. It was just too big, too complex, and too confusing to me. I couldn’t help but get the feeling that no matter what talk I saw, I’d always be thinking about the other 10 tracks and what I was missing out on!

Maybe it’s just me, maybe everybody else thinks this was the best Blackhat ever. Everybody has his/her own opinion, and mine is that Blackhat (at least in Vegas) is dead to me. I doubt I’ll be attending next year for the new improved 12 track program (they have to make it more impressive next year after all… there’s no backing down now!). If you want to find me, I’ll be sitting by the pool at BSides talking to people who do this for the love of it, and not the money.

Blackhat/BSides/DefCon

I’ve been putting off my selections for this years Blackhat/Bsides/DefCon for as long as I could for a number of reasons. The biggest is, that I have absolutely no idea where I should be and what I should be trying to see. As if things weren’t already confusing enough, this years conferences schedules are even more packed than last years. More tracks at Blackhat, and the addition of BSides (which I totally missed last year).

Still, I guess it’s about as late as it can be, and it’s time to put down a few key presentations that I hope to see. I’m going to limit myself to 3 per conference, as after last year, I know that seeing that talks isn’t as easy as it seems ;)

  • Ivan Ristic: State of SSL on the Internet: 2010 Survey, Results and Conclusions Routers
  • Nathan Hamiel, Marcin Wielgoszewski: Constricting the Web: Offensive Python for Web Hackers
  • Barnaby Jack: Jackpotting Automated Teller Machines Redux

  • Dave Kennedy (Rel1K): SET 0.6 release with special PHUKD Key
  • frank^2: Fuck Tools, Do It yourself Jerk
  • Frank Breedijk, Ian Southam: The road to hell is paved with best practices

  • Ed Schaller: Exploiting WebSphere Application Server’s JSP Engine
  • Joseph McCray: You Spent All That Money And You Still Got Owned…
  • Chema Alonso, José Palazón “Palako”: FOCA2 – The FOCA Strikes Back

I’ll be in town a few days before the conference to take part in some training… so if anybody is about and wants to catchup for some drinks, just shoot me a message.

Looking forward to seeing you all in Vegas…

Follow

Get every new post delivered to your Inbox.

Join 133 other followers