
Black Hat 2015 Keynotes To Watch

As many as 10,000 people will attend this year’s Black Hat conference in Las Vegas, Nevada. In preparation for the event, we’ve gone through the programme and picked the three talks we find most interesting for anyone concerned with external threats and security outside the firewall.

1. ‘The Lifecycle of a Revolution’ – Speaker: Jennifer Granick

‘In this talk, Granick will look forward at the forces that are shaping and will determine the next 20 years in the lifecycle of the revolutionary communications technology that we've had such high hopes for.’

Why this is interesting:

Information security is now part of popular culture. What’s terrifying is that shock-and-awe media coverage, government regulators and private industry currently control the narrative. Public opinion is a fickle thing, but fear mongering has a proven track record of persuading people to give up freedoms for the promise of security. If the mob (i.e. the billion-plus Internet users) is worked into a frenzy, almost anything will be accepted under the guise of protection. It’s important that everyone who understands technology, and loves the Internet for what it is, actively opposes blatant attempts to control it. As an industry it is our responsibility to offer better alternatives and keep the future of the Internet in the hands of the people.

2. ‘Stranger Danger! What is the Risk from 3rd Party Libraries?’ – Speaker: Jake Kouns

‘This presentation will also share case studies of companies who took action in 2014 to get ahead of 3rd party patch whack-a-mole, and provide concrete actions security practitioners can take to mitigate risk in their environments.’

Why this is interesting:

While no one disputes the benefits of third-party code libraries, the security questions remain. Libraries with massive user bases have code running on sites across the Internet, which makes them rich targets for cyber thieves, nation-state threat actors and hacktivists: a malicious or compromised release executes with the full privileges of every page that loads it. Securing them is a critical priority, yet some of the most popular libraries in the world, such as jQuery, are open source and run by non-profits that simply can’t afford advanced security measures. These libraries form the backbone of most websites, yet they are beyond the control of the website operators and the security people responsible for protecting the sites themselves.

3. ‘Winning the Online Banking War’ – Speaker: Sean Park

‘Currently, most security products and financial institutions defending against banking malware rely on online banking page integrity check to detect the presence of financial malware. This technique works due to the inherent mechanics of financial malware injecting into the browser's DOM space. However, this purely web-based page integrity check can be subverted in many ways. This presentation will talk about evasion techniques such as replay attack, polymorphism, inject randomisation, and DOM stealth rootkit as well as countermeasures for those in clientless way.’

Why this is interesting:

Attacks that manipulate the DOM still have a major impact on websites, and they are incredibly difficult to detect. What is interesting is that Park claims to have methods for evading the existing security measures that are meant to catch malicious DOM injections. The perception is that security controls exist; the question is how effective they are. Note the structural weakness the abstract points at: a purely web-based integrity check runs inside the same browser the malware has already hooked, so the check’s code, its inputs and its report back to the server are all within the attacker’s reach. It will be interesting to see how complex the methods above are, and how easy or hard they would be to replicate, particularly at scale.

Other interesting talks:

- Hypervisor attacks

- Encryption backdoors and why that’s a HORRIBLE idea

- Great Chinese Cannon

- Front door access to pwning millions of androids

- Faux disk encryption on mobile devices

- Nodejs highway attacks
