Black Hat 2008 - Day One

The opening day of Black Hat 2008 was a mix of highs and lows that makes this annual technology conference so much fun to attend. The Bad Sushi phishing presentation by Nitesh Dhanjani and Billy Rios lived up to its name. Together they effectively demonstrated just how simple it is for a phisher to get started in the identity theft business and the variety of "phisher-on-phisher" crime that occurs in the "phishing ecosystem".

During the Highway to Hell: Hacking Toll Systems presentation by Mark Lawson, Root Labs, demonstrated how you could steal and change the unique FasTrak toll pay system transponder identification code commonly used in the San Francisco Bay area. Although the Bay Area Transportation Administration (BATA) states that the transponder device is read-only according to the manufacturer's specifications, Mr. Lawson presented credible information to the contrary.

The DNS Goodness presentation presented by IOActive, Director of Penetration Testing, Dan Kaminisky was definitely the big event of the day. With over 2,000 attendees packed in to a room suitable for about 800, Dan told the intriguing story of his discovery of the Internet-wide DNS vulnerability and the careful planning by the world's leading technology companies to distribute a fix. We'll have more on the Kaminisky DNS exploit in a later article from our private interview with Dan.

In a pre-presentation demonstration by Michael Zusman, Intrepidus Group, we got to see a potentially very dangerous vulnerability that runs through a variety of vendors SSL VPN (Virtual Private Network) clients commonly used in web browsers. Michael demonstrated how simply having the vulnerable ActiveX or Java control installed in a web browser , allowed him to gain full access to a remote user's laptop by simply visiting a web page.

We had one of those serendipitous Black Hat moments during an unexpectedly interesting presentation by researchers Tadayoshi Kohno and Kevin Fu from academia on the Security and Privacy Vulnerabilities for Implantable Wireless Medical Devices. Together they showed how private patient data could be extract from an implanted medical device such as an implanted cardiac defibrillator. The presenters also showed how device could be altered via radio transmissions to harm or possibly even kill a patient.

Today we are looking forward to attending presentations on attacking social network, virtualization security, cutting-edge computer forensic visualization and database tools. Our wildcard presentations of the day include technical threats to the 2008 presidential elections and targeted attacks on Microsoft Office documents.

Submit to Delicious Submit to Digg Submit to Facebook Submit to Google Bookmarks Submit to Stumbleupon Submit to Twitter Submit to LinkedIn
© 2012 Jones Dykstra & Associates, Inc.
5850 Waterloo Rd, Suite 140, Columbia, MD 21045
P:(410) 480-7190 F:(410) 480-7191
contact@jonesdykstra.com