Black Hat is over. The year’s biggest and probably most influential IT security conference again had a lot of interesting talks to offer, and of course also the most important part: Meeting with other people from the industry to share news, ideas (and beer). As for the talks, there wasn’t much earth-shattering this year. Aside from sessions on Apple’s view on security and improvements in Windows 8, the mobile talks were what got most of my attention.
Because mobile platforms have become so important, they have gotten the attention of cybercriminals. (Check the McAfee Threats Report for more information.) There is also a lot of interesting stuff going on. And a lot of mistakes being repeated. Again. An eye opener should be Collin Mulliner’s talk about scanning mobile IP ranges and seeing what kind of devices are there. The result is really scary. Apparently people do not realize that when you’re online with a mobile device over GSM, GPRS, 3G, etc., the device is often not only able to access the Internet; it is also accessible from the Internet. So putting up sensitive hardware without any access authorization is a bad idea. Bad as in “it could cause a power failure in the company” or “it may cause the plant to burn down.” To have your surveillance cameras exposed is not exactly ideal either.
Even more disturbing was Charlie Miller’s talk on near-field communications (NFC) on some mobile devices. He highlighted one major point of failure in the IT industry that is repeated over and over again. Say you have something that, security-wise, is pretty solid. Meanwhile marketing and product management add an additional feature. That’s what happened with NFC on mobile devices, which would be great for authentication or payments. They just got “enhanced” with device-to-device communications. What’s wrong with that?
Instead of exposing just NFC-related apps, if you can send someone to a web page without his acknowledging it, your attack surface is suddenly the web browser and everything (multimedia, documents, Flash, etc.) related to it. During the session Georg Wicherski demonstrated such an attack nicely using a WebKit exploit. Thus another good technology turns into a security hazard because of one too many additions. My obvious advice: Disable NFC on your phone until vendors come up with ways to secure it.
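To make the point concrete from the defender’s side, here is an added example (my own code, not from the talks or from any vendor): it parses the NDEF message an NFC peer or tag hands over, extracts any URI record, and gates it behind a policy instead of passing it straight to the browser. The record layout follows the NFC Forum NDEF and URI record type definitions; the allow-list policy, the helper names and the sample tag bytes are constructed for this example and are not anything a real handset implements.

```python
# Added example: parse an NDEF message and apply a policy to URI records
# before anything reaches the browser. Policy and sample data are constructed.
from urllib.parse import urlparse

# URI record identifier codes (NFC Forum URI RTD); only the common ones here.
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.",
    0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}

def parse_ndef(msg: bytes):
    """Return a list of (tnf, type, payload) tuples from an NDEF message.
    Raises ValueError on a truncated record."""
    records = []
    i = 0
    while i < len(msg):
        hdr = msg[i]; i += 1
        sr = bool(hdr & 0x10)          # SR: short record, 1-byte payload length
        il = bool(hdr & 0x08)          # IL: ID length field present
        tnf = hdr & 0x07               # type name format
        type_len = msg[i]; i += 1
        if sr:
            payload_len = msg[i]; i += 1
        else:
            payload_len = int.from_bytes(msg[i:i + 4], "big"); i += 4
        id_len = 0
        if il:
            id_len = msg[i]; i += 1
        rtype = msg[i:i + type_len]; i += type_len
        i += id_len                    # skip the record ID, not needed here
        payload = msg[i:i + payload_len]; i += payload_len
        if len(payload) != payload_len:
            raise ValueError("truncated NDEF record")
        records.append((tnf, rtype, payload))
        if hdr & 0x40:                 # ME: last record in the message
            break
    return records

def uri_from_record(tnf, rtype, payload):
    """Decode a well-known 'U' record into a full URI, or None if not a URI."""
    if tnf != 0x01 or rtype != b"U" or not payload:
        return None
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:                 # reserved/unknown code: treat as untrusted
        return None
    return prefix + payload[1:].decode("utf-8", errors="replace")

def decide(msg: bytes, allowed_hosts=()):
    """Constructed policy: 'open' only https URLs to allow-listed hosts,
    'ask' (explicit user confirmation) for other web URLs, 'drop' the rest."""
    try:
        records = parse_ndef(msg)
    except (ValueError, IndexError):   # malformed message: never act on it
        return [("drop", None)]
    decisions = []
    for rec in records:
        uri = uri_from_record(*rec)
        if uri is None:
            decisions.append(("drop", None))
            continue
        u = urlparse(uri)
        if u.scheme == "https" and u.hostname in allowed_hosts:
            decisions.append(("open", uri))
        elif u.scheme in ("http", "https"):
            decisions.append(("ask", uri))
        else:
            decisions.append(("drop", uri))
    return decisions

def build_uri_record(code: int, rest: str) -> bytes:
    """Build a single-record NDEF message (MB|ME|SR, TNF=1, type 'U')
    so the example can construct sample tags offline."""
    payload = bytes([code]) + rest.encode("utf-8")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload

# Constructed sample: a tag that pushes http://example.com/x to the handset.
SAMPLE_TAG = build_uri_record(0x03, "example.com/x")

if __name__ == "__main__":
    print(decide(SAMPLE_TAG))
    print(decide(build_uri_record(0x02, "example.com"),
                 allowed_hosts=("www.example.com",)))
    print(decide(build_uri_record(0x05, "5551234")))
```

The point of the policy is that a pushed URL is just data until the user confirms it; the same gate applies whether the NDEF message arrives from a tag or from another device, and a malformed message is dropped rather than partially processed.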
Now I have another three days of conference to attend: Defcon, which has run for 20 years. (That time is exceeded only by the Chaos Communication Congress, which will take place for the 29th time this year.) Defcon looks massive in the number of its sessions and attendance. (Some major talks, such as “FX” and Greg’s event on Sunday, for example, were not presented at Black Hat, instead exclusively at Defcon.) We’ll see what is going on there.
PS: Best hack at Black Hat? I met a woman at a vendor’s party who hacked her way into the VIP area. The vendor had given out different “coins,” one golden, another black, which was the VIP coin. After obtaining the normal gold coin, which wasn’t easy as she had no ticket for Black Hat to begin with, she simply painted the background black with a pen. Worked.
I gave her a new challenge: Gatecrash the VIP area of Defcon’s Freak Show, which McAfee will sponsor this year. Infected Mushroom will play. See you there!