Black Hat '09 Shines Light on Security

The Black Hat security conference wrapped up today in Las Vegas. For those who couldn't attend, here are a few of the stories that came out of it.

As always, the Black Hat security conference has put our collective eyes on the latest research.

This time around, attendees walk away from the conference with a fresh set of concerns about everything from the smart grid to the X.509 authentication scheme. The event wraps up today, as its sister conference, DEFCON 17, kicks off at the Riviera Hotel and Casino in Las Vegas.

This year's Black Hat featured more than 50 training courses and 70 briefings. Though I was physically unable to attend this year, media coverage of research in several areas stood out. Here is a shortlist of some of the highlights from Black Hat for all those who missed it.

Smartphone Security in the Spotlight - Researchers Charlie Miller and Collin Mulliner shared their research on using SMS to attack Apple's iPhone and Google Android. The duo published their findings in a paper last month. Two other researchers, Zane Lackey and Luis Miras, demonstrated how to spoof SMS messages that would normally only be sent by the carrier's own servers.

Certificate Issues - Continuing his assault on SSL certificates, researcher Moxie Marlinspike demonstrated how it was possible to spoof a certificate and impersonate a legitimate Website. Researchers Dan Kaminsky and Len Sassaman used their time at Black Hat to target SSL as well. The duo also criticized the use of the MD2 hashing algorithm to sign certificates, a practice VeriSign says it has discontinued in recent months.

Certificate Issues Reloaded - Mike Zusman, principal consultant at Intrepidus Group, and independent security researcher Alex Sotirov demonstrated a man-in-the-middle attack that allowed them to silently sniff traffic on EV SSL-protected Websites. The vulnerability in the way browsers treat EV SSL certificates makes them no more valuable than the cheapest SSL certificate, the researchers told eWEEK before the conference.

Mac Attack - Noted Mac hacker Dino Dai Zovi unveiled the proof-of-concept for his rootkit, "Machiavelli," at this year's show.

Clamping Down on Clampi - Joe Stewart, director of malware research for SecureWorks' Counter Threat Unit, revealed details of the Clampi Trojan, a sneaky piece of malware believed to have been infecting Windows PCs since 2007.