The Black Hat and Defcon conferences running back to back in Las Vegas this week are the annual coming together of the whole information security community. While the exhibit hall at the RSA convention in San Francisco may have many more security companies touting their wares, the low entry fee at Defcon attracts more than just the corporate wing of the hacking movement. The very best vulnerabilities and exploits get saved up for demonstration at these conferences, with announcements sometimes making the headlines in the weeks before.
A good example is Charlie Miller and Chris Valasek hacking a Jeep over the Internet. I've already expressed my outrage over this vulnerability, but I have to say it again: there are lots of reasons for a car to be connected to the Internet (entertainment, navigation, tracking stolen vehicles), but there is no reason to connect the controls and transmission to the Internet, and lots of reasons not to. Miller and Valasek are two of them.
The remote car hacking presentation is at 3pm Wednesday. Perhaps to prevent the conference room getting overcrowded, it is scheduled at the same time as Joshua Drake's talk on Stagefright, the bug in Android's media library that lets a malicious MMS message compromise the great majority of Android devices. While full details have not yet been published, you can still protect yourself against the MMS attack path by disabling the automatic download of MMS messages in your messaging app (and in Hangouts, if you use it for messaging). That closes the route that needs no interaction from you, though the same bug can be reached by other ways of delivering a media file, so install your vendor's patch as soon as it arrives. I did this on Thursday, and on Friday I received an unsolicited MMS message that appears to have come from South Africa. It might just be a wrong number, but I'm not going to download it to find out.
Ethical hacking involves notifying the developers of vulnerable software and giving them a chance to fix the problem before announcing the bug. Thanks to Jonathan Foote for making sure that there was a fix for a vulnerability he discovered in BIND (CVE-2015-5477), the software that runs most of the DNS servers on the Internet. The bug allows a single malformed packet to crash a vulnerable DNS server, and because it triggers early in packet handling, before access control lists are consulted, neither ACLs nor restricting the server to a private network will protect it; recursive resolvers and authoritative servers are equally exposed. The fix is now published and hopefully anyone running BIND is busy installing it, but Mr. Foote has the distinction of being added, at least for a time, to my 1337 list of people who could break the Internet.
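An added check, not from the original post: the shell function below classifies a BIND version string (what `named -v` prints) against the releases that carry the fix. It assumes the bug is the TKEY query assertion failure ISC published as CVE-2015-5477 and that the fixed releases are 9.9.7-P2 and 9.10.2-P3, as stated in ISC's advisory; every 9.x release before those, including the end-of-life 9.8 and earlier branches, is treated as affected. Distributions that backport the fix without changing the version string will be reported as vulnerable, so confirm against your vendor's changelog in that case.

```shell
#!/bin/sh
# Added example (not from the original post): classify a BIND version string,
# as printed by `named -v`, against the releases ISC shipped for the TKEY
# assertion-failure bug, CVE-2015-5477.
# Assumptions: the fixed releases are 9.9.7-P2 and 9.10.2-P3 and every 9.x
# release before those is affected; branches newer than 9.10 never carried
# the bug. A vendor package that backports the fix without bumping the
# version (e.g. "9.9.4-RedHat-9.9.4-29.el7_2.3") is reported as vulnerable.

# Print "patched", "vulnerable" or "unknown" for one version string.
bind_tkey_status() {
    printf '%s\n' "$1" | awk '
    # Encode x.y.z[-Pn] as one integer so versions compare numerically.
    function enc(s,   a, n) {
        n = split(s, a, "[.P-]+")
        return (a[1] * 1000000) + (a[2] * 10000) + (a[3] * 100) + (n >= 4 ? a[4] : 0)
    }
    {
        sub(/^BIND /, "")
        # Keep only the x.y.z release and an optional -Pn patch level.
        if (match($0, /^[0-9]+\.[0-9]+\.[0-9]+(-P[0-9]+)?/) == 0) { print "unknown"; exit }
        v = enc(substr($0, RSTART, RLENGTH))
        if (v < enc("9.9.0"))        print "vulnerable"   # 9.1 .. 9.8: all EOL, never fixed
        else if (v < enc("9.10.0"))  print (v >= enc("9.9.7-P2")  ? "patched" : "vulnerable")
        else if (v < enc("9.11.0"))  print (v >= enc("9.10.2-P3") ? "patched" : "vulnerable")
        else                         print "patched"
    }'
}

# Check the local server, if one is installed.
if command -v named >/dev/null 2>&1; then
    echo "local named: $(bind_tkey_status "$(named -v)")"
fi
```

Run it on each server you operate, not just the public ones: the crash is reachable from any network the server answers on, so an internal resolver that was never patched is just as easy to knock over.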
Defcon also has its share of cool demos. I think the one I am most anticipating is [cue Mission Impossible theme music] the one by Daniel Petro and Oscar Salazar, who hacked into a super secure Brinks smart safe with nothing more than a USB stick. Dear Brinks, if you want to build a super secure smart safe, try basing the software on something a bit more modern than Windows XP, which isn't even supported by Microsoft any more.
Of course some of the best things at these conferences are not on the program at all - that conversation in the vendor area about evolutionary biology, the chance for a selfie with John McAfee, the stories from a bounty hunter (and I thought penetration testers were badass). There is a reason why we all get together in person and don't just have a week of webinars. Cloudmark has a great team at Black Hat and Defcon this year, and we'll be blogging about some of the more interesting events here throughout the week, for those of you who can't be here. But try and make it next year, OK?