Story Lines Abound On Eve Of Black Hat 2006

At Black Hat 2005, Lynn--then a researcher at Internet Security Systems--was sued by Cisco Systems and investigated by the FBI after giving a presentation on a vulnerability he discovered in the operating system that runs Cisco routers. At the last minute, Cisco and ISS had tried to pull Lynn's presentation, and one of the lasting images from the event was the army of temporary workers that Cisco had sent in before the show to tear the PowerPoint slide shots from each and every conference program.

Lynn has since moved on to Juniper Networks and isn't on this year's conference agenda. Still, there are intriguing story lines at this year's confab, which is expected to draw about 3,000 attendees, including security researchers, hackers, technology vendors and government officials.

Microsoft is making its first appearance at the event and will spend a day's worth of presentations touting the stronger security measures in Windows Vista. Microsoft also will join Cisco and Ernst and Young as Platinum Sponsors of the event.

On the same day, Joanna Rutkowska, a security researcher at COSEINC, a Singapore-based IT security company, will give a presentation titled "Subverting Vista Kernel For Fun And Profit." Rutkowska will provide details of a technology called Blue Pill that she has developed for creating stealth malware in Windows Vista x64 systems.

Network access control (NAC) is one of the hottest topics in the security industry these days, but the technology is far from bulletproof, said Ofir Arkin, CTO and co-founder of Insightix, an Israel-based security startup. Arkin plans to give a presentation that examines various NAC solutions on the market and demonstrate methods of bypassing their security measures.

Although NAC is a valid technology that plays a key role in network security, Arkin said companies need accurate knowledge about what's on the network for the NAC to be effective. "There's a lack of contextual knowledge regarding what is on the network that actually harms the way NAC provides security and controls," he said.

Melanie Rieback, a Ph.D. student in computer systems at the Vrije Universiteit in Amsterdam, will give a presentation on RFID malware. In a report published in March, Rieback and other researchers recommended that developers of RFID-enhanced systems take steps to add stronger security to limit the potential damage from the coming wave of hackers experimenting with RFID exploits, worms and viruses. Joe Bardwell, president and chief scientist at Connect802, a San Ramon, Calif.-based solution provider, said it's helpful that researchers are discovering potential flaws with the integration of RFID at this early stage of deployment.

"The problems [with RFID] will, in my opinion, continue to be related to the integration of RFID with existing systems, and not somehow inherently within the realm of RFID technology per se," Bardwell said.

The security implications of Asynchronous JavaScript and XML--better known as Ajax, a technology for creating interactive Web applications--will be the focus of a presentation by Billy Hoffman, a security researcher at Atlanta-based vendor SPI Dynamics.

Although feature-rich Web sites like Google Maps wouldn't be possible without Ajax, the technology adds more instability into applications and gives hackers more potential avenues to exploits, according to Hoffman. "Ajax increases the attack surface of applications by having all the services running on a Web server," he said.

Brian Caswell, research engineer at Sourcefire, and H.D. Moore, director of security research at BreakingPoint Systems, will give a presentation demonstrating weaknesses in current intrusion detection and prevention solutions (IDS/IPS). They plan to show how IDS/IPS solutions use a "fast path" for normal traffic and a "slow path" for handling exceptions and how attackers could use the latter to bypass security on these systems.

Greg Hanchin, a principal at DirSec, a Denver-based security solution provider, said that in recent weeks he has begun to see a new type of vulnerability emerge that could allow an attacker to evade IDP/IPS detection. Many new notebooks' wireless cards are misconfigured to automatically attach to anything that is a wireless LAN access point, which could allow a hacker to attach to the laptop and cross through the wireless physical layer and onto the LAN layer, he said.

"It's ironic because you spend all this money on wired network-based IDS and IPS solutions, and someone could come in over a wireless card and into your corporate network," Hanchin said.