The Black Hat security conference wrapped up today in Las Vegas. For those who couldn't attend, here are a few of the stories that came out of it.
As always, the Black Hat security conference has put our collective eyes on the latest research. This time around, attendees walk away from the conference with a fresh
set of concerns about everything from the smart grid to the X.509
authentication scheme. The event wraps up today, as its sister
conference, DEFCON 17, kicks off at the Riviera Hotel and Casino inLas Vegas.
This year's Black Hat featured more than 50 training courses and 70
briefings. Though I was physically unable to attend this year, media
coverage of research in several areas stood out. Here is a shortlist of
some of the highlights from Black Hat for all those who missed it.
Smartphone Security in the Spotlight - Researchers Charlie Miller and
Collin Mulliner shared their research on using SMS to attack Apple's
iPhone and Google Android. The duo published their findings in a paper last month.
Two other researchers, Zane Lackey and Luis Miras, demonstrated how to
spoof SMS messages that would normally only be sent by servers on the
carrier. Certificate Issues - Continuing his assault on SSL certificates, researcher Moxie Marlinspike demonstrated how it was
possible to spoof a certificate and impersonate a legitimate Website.
Researchers Dan Kaminsky and Len Sassaman used their time at Black Hat
to targetSSL as
well. The duo also criticized the use of the MD2 hashing algorithm to
sign certificates, a practice VeriSign says it has discontinued in
recent months. Certificate
Issues Reloaded - Mike Zusman, principal consultant at Intrepidus
Group, and independent security researcher Alex Sotirov demonstrated a
man-in-the-middle attack that allowed them to silently sniff traffic on
EV SSL-protected Websites. The vulnerability in the way browsers treat EV SSL certificates makes them no more valuable than the cheapest SSL certificate, the researchers told eWEEK before the conference. Mac Attack
- Noted Mac hacker Dino Dai Zovi unveiled the proof-of-concept for his
rootkit, "Machiavelli," at this year's show. More on this here. Clamping Down on Clampi-
Joe Stewart, director of malware research for SecureWorks' Counter
Threat Unit, revealed details of the Clampi Trojan, a sneaky piece of
malware believed to have been infecting Windows PCs since 2007.