Black Hat 2010 - Day One Roundup

Las Vegas, NV. Black Hat 2010 – The Tech Herald is in Las Vegas this week, covering one of the largest security gatherings of the summer. Here is where you will find a recap of day one.

Adobe joins MAPP program

Adobe and Microsoft announced today that, before the year is out, security vendors enrolled in the Microsoft Active Protections Program (MAPP) program will start getting vulnerability information from the electronic document vendor.

Instead of developing a similar program, Adobe took an easier route, and said that it will start sending detailed vulnerability information to all 65 partners enrolled in MAPP. The plan is expected to start in the fall.

Microsoft also released EMET, a free tool offering security mitigations to older Microsoft platforms and applications. EMET helps block targeted attacks against unfixed vulnerabilities, according to Microsoft. The tool will be available in August.

Apple fixes Safari issue before Grossman's talk

WhiteHat Security CTO Jeremiah Grossman is set to give a talk at Black Hat tomorrow on practical attacks against the auto-complete functions used by major Web browsers. Safari was one of those included on the list of vulnerable applications, but Apple fixed the flaw before the talk in an update for Safari that addressed 14 other problems. While some argue that the fix is shady, it's actually a smart tactic, and one many vendors have used in the past.

Grossman discovered an attack against the data stored in the Address Book Card. A malicious website could create form fields corresponding to the data used in the Address Book Card and run a JavaScript application that will simulate keystrokes from A-Z and pull the data. In addition to Safari, Grossman will cover problems with Internet Explorer and Firefox.

Jackpotted ATMs

We missed this talk, due to scheduling conflicts and an interview. However, it was all the buzz in the halls after it was over. Barnaby Jack, the director of security research at IOActive Labs, demonstrated a physical attack and a remote attack on two ATMs. While one attack required him to open an ATM and use a Malware-laced USB drive to gain control, a second attack allowed him to remotely jack the money machine.

For more information, a great write up of the attacks can be found here.

SSL is broken? No, not really.

“SSL is broken, and while it's great to see things are going better now it's a long way down the line.”

Those were the words of Black Hat founder Jeff Moss during the keynote this morning. His address centered on the current state of Internet security for both businesses and consumers.

We spoke to a few people, who agreed Moss he had some valid points, but aside from the known 'Man-in-the-Middle' attacks, and the MD5 attacks on SSL, which can be mitigated, it wasn't clear what exactly is broken on SSL this time around.

An interesting side note to the scary and often mistaken claims that SSL is broken, is that a majority of SSL issues are caused by the users themselves when they improperly implement SSL. Details of these types of problems will be addressed in a talk by Qualys.

Another boost to SSL will be the implementation of DNSSEC, which will boost the proof of identity that comes from EVSSL. When DNSSEC is completely deployed, it will provide websites with a way to use stronger DNS to prove they are who they say they are. This will enable not just browsers, but any Internet-based application to check the ID issued by DNSSEC to confirm that the site is what it reports it to be.

In a standing room only talk on Tuesday, Dan Kaminsky introduced his vision for Domain Key Infrastructure, which will ultimately be “one of the biggest things that we've seen infrastructure change-wise that will make the Internet a safer place.”

It's not going to make changes overnight, he said, but “this stuff is powerful.”

We'll stick with the DNSSEC and SSL story as it develops.

Like this article? Please share on Facebook and give The Tech Herald a Like too!