BlackHat/Defcon roundup

Posted onAugust 3, 2009 Edit on by Laura Raderman

Last week were two of the premier events in the security world- BlackHat and Defcon. Every year, we patiently wait with baited breath as new exploits are announced (and usually patched). I’ve been once, but until Caesar’s Palace (and the Las Vegas airport) bans smoking everywhere, I won’t be returning – so I watch from the sidelines and enjoy the smoke-free air of home.


This week saw several amusing incidents:
First, the fake ATM at Defcon. I can possibly forgive people if this happened at BlackHat, because the audience is slightly different, but at Defcon (and HOPE on the east coast), you should *never* *ever* use an ATM near the conference hotel – nor even within easy walking distance. Take the bus/train/car to another ATM far away, or just bring lots of cash.

Second, relatively high-profile attacks on several of the speakers at the conference. Most of these speakers are using hosted providers, or really aren’t technically savvy (a la Mitnick). But an impressive listing of files, e-mails, etc. Don’t get on their bad side!

Third, two new attacks against X.509 and SSL. Mostly it’s the CA’s fault: putting Null characters in PrintableString formats (not according to spec), and using MD2. The CAs have been soundly bashed for both, and while the MD2 issue is on its way to being fixed (it’s a hard problem to solve given that CAs have a 20 yr lifespan – at least), I predict the null characters will be on their way out shortly as well.

The SMS vulnerabilities in multiple phones were an issue that saw patches being released shortly after. But the ability to conduct those attacks seems to be limited (someone please tell me if I’m wrong), because of the number of SMS messages that must be sent. Most providers prevent SMS spamming, but I’m not familiar with what algorithms they use to do so.

What wasn’t presented at BlackHat/Defcon that I think merits more attention is a new attack on some implementations of AES-256. It’s not practical yet, because almost no one uses this particular implementation, but it’s close….

If you went to BlackHat/Defcon, what did you think of this year’s content, of the speakers, of the parties in the evenings, anything?

2 thoughts on “BlackHat/Defcon roundup

  1. Peter Hesse says:
    August 5, 2009 at 2:11 pm

    Just ran into this excellent roundup of all things Defcon: http://blog.security4all.be/2009/08/collection-of-defcon-17-articles-videos.html

  2. Contessa Sharman says:
    October 31, 2010 at 2:57 pm

    This site seems to get a large ammount of visitors. How do you get traffic to it? It gives a nice individual twist on things. I guess having something real or substantial to talk about is the most important thing.

Comments are closed.