When In Rome (Or When At Caesars…)
It’s that time of year again… A time when all the most interesting people, ideas, concepts, and attacks are on display in Las Vegas. That’s right, we are talking about Blackhat USA and associated conferences. Every year about a week before conference time, all the security analysts, researchers, and talking heads begin to espouse their thoughts regarding which of the conference sessions will be the highlights of the week. Each person’s idea of what will be “the best talk of the week” is colored through his or her own biased lens. To this end, we asked some of our blog writers to narrow down their list to the top 3 Blackhat presentations (sorry Defcon and BSides, you guys are awesome too, but we only have so much available time and space). Since no two lists are alike, we bring you the Veracode Zero Day Labs’ must-see presentation list for Blackhat 2011.
Chris Wysopal’s List
- How a Hacker Has Helped Influence the Government – and Vice Versa – Peiter “Mudge” Zatko: Mudge is a great speaker and I always learn new ways of looking at security from him. Now that he has immersed himself into the DoD way of looking at things I am positive some new insights will flow out of him. Note that this is a keynote so there is no excuse for missing this one.
- Femtocells: A Poisonous Needle in the Operator’s Hay Stack – Ravishankar Borgaonkar & Nico Golde & Kevin Redon: If you are like me, the first time you saw a Femtocell (a small cellular base station for home use) you thought, “If I could hack that I could MITM mobile calls”. Well, these guys went out and did it! They are going to discuss attacking both mobile devices and the mobile infrastructure from a hacked femtocell.
- The Law of Mobile Privacy and Security – Jennifer Granick: It’s an unfortunate fact but security researchers need to keep up with the changing legal landscape that surrounds technology. Mobile research is exploding and stepping into areas covered by different laws than the traditional CFAA or DMCA. This is a good way to keep up if you are a mobile researcher.
Tyler Shields’ List
- Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption – Dino Dai Zovi: This talk is going to be awesome. Nobody knows Apple products as well as Dino, and if he says he has tested iOS, you better believe he’s gone deep.
- Hacking Androids for Profit – Riley Hassell & Shane Macaulay: A discussion on Android security both on the device and in the marketplace and some Android 0day to boot?! What an opening gambit this talk is going to be.
- War Texting: Identifying and Interacting with Devices on the Telephone Network – Don Bailey: With the continued advent of mobility and GPS positioning, devices are being hooked up to the phone network faster than ever before. Don will demonstrate some really cool ways of analyzing and testing these devices.
Chris Eng’s List
- A second vote for Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption – Dino Dai Zovi.
- Sophail: A Critical Analysis of Sophos Antivirus – Tavis Ormandy: Why should anti-virus tools be safe from scrutiny? Let’s see what Tavis has up his sleeve.
- Chip and Pin is Definitely Broken – Adam Laurie et al.: Steal a card, use it to make charges, bank thinks you used the PIN? Sounds like a winning situation to me.
Brandon Creighton’s List
- A second vote for Sophail: A Critical Analysis of Sophos Antivirus – Tavis Ormandy.
- SSL and the Future of Authenticity – Moxie Marlinspike: Moxie never fails to disappoint. That and he has awesome hair.
- Sticking to the Facts: Scientific Study of Static Analysis Tools – Willis and Britton: We might be a little biased in finding this one interesting… static analysis is kind of our game.
Talks Presented by Veracode!
If the above doesn’t excite you, the following definitely should. Veracode researchers are participating in the following panels and talks at venues throughout Las Vegas.
- Panel: Owning Your Phone At Every Layer – Moderated by Tyler Shields: This panel, which will include our own Chris Wysopal, brings some of the best mobile researchers together to determine where the real risks in mobile devices come from. Is it the applications you install on your phone, is it the weak infrastructure, or is the operating system to blame? Come participate in this battle royale to determine what really should be keeping you up at night.
- The Web Browser Testing System – Isaac Dawson at Blackhat Arsenal: The Web Browser Testing System (WBTS) was built to quickly automate and test various browsers and user agents for security issues. It contains all the necessary services required for testing a browser. The following services are included: DNS, HTTP(S), logging services, and support for virtual hosts.
- Communicating in Code – Chris Lytle at DEFCON Kids: Cryptography is the art and science of making and breaking secret codes and ciphers. Learn about the history of cryptography, practice it for yourself, and make your very own secret cipher! There will be prizes! Please note, kids will get more from this session if they have basic reading and writing skills.