July 30, 2007 4:00 AM PDT

Black Hat 'supersizes' in Las Vegas

LAS VEGAS-- The 11th annual Black Hat security conference will occupy more space at Caesar's Palace this year in order to accommodate more people, more topics, and, of course, more controversy.

The conference kicked off over the weekend, starting with four days of topic-specific training, before concluding Wednesday and Thursday with two days of public sessions.

If past conferences are any guide, expect the overall total attendance to be more than last year. With that in mind, Black Hat is expanding its footprint within the Caesar's Palace resort here.

But count out at least one prospective attendee. On Sunday, Thomas Dullien, CEO of the German company Sabre Security, reported in his personal blog that he had been denied entry to the U.S. for reasons having to do with H-1B visa regulations. He says that U.S. Customs officials detained him over material he was carrying to Black Hat in order to teach what was billed as an "intense course encompassing binary analysis, reverse engineering and bug finding."

A larger conference means not one but two keynote addresses. One is from Richard Clarke, President Bush's former special adviser on cyberspace security. Clarke, whose 2002 Black Hat keynote speech stated that software vendors and Internet providers must share the blame for malicious software, is now with Good Harbor Security. This year, he will talk about those "who seek truth through science, even when the powerful try to suppress it." The other keynote speaker will be Tony Sager, vulnerability chief of the National Security Agency, who will talk about creating government security standards while working with commercial vendors.

Unlike last year, when Microsoft hosted an entire series of sessions focusing on the yet-to-be released Windows Vista platform, there will be no similar tracks offered this year. Returning tracks include sessions on voice services security, forensics, hardware, zero-day attacks and zero-day defenses. New tracks include operating system kernels, application security, reverse engineering, fuzzing and the testing of application security.

But it's the individual sessions that could get heated.

Several presenters are familiar to Black Hat attendees and not without controversy. Neal Krawetz is returning to tackle image forensics, showing how to peel back the layers to find less-than-obvious manipulation; Dan Kaminsky is presenting his annual Black Ops survey; and Phil Zimmerman is returning to talk once again about his vision of a secure telephone for the Internet, called the Z Phone.

Meanwhile, Jeremiah Grossman will talk more about "Hacking Intranet Websites from the Outside (Take 2)--Fun with and without JavaScript malware", and Billy Hoffman will team with Brian Sullivan to discuss "Ajax-ulation," a talk about building a secure Ajax-laden Travel Web site.

The talk "Breaking Forensics" is already controversial. iSec researchers Chris Palmer, Tim Newsham and Alex Stamos have stated they've found up to six vulnerabilities within Guidance Software EnCase, a digital forensics program used primarily by government and law enforcement, prompting swift denials from the company.

Also controversial is Joanna Rutkowska, whose presentation last year drew a standing ovation from the crowd. This time, Rutkowska is appearing alongside Alexander Tereshkin to talk about methods for compromising the Vista x64 kernel. Luis Miras will reprise a talk he gave this past spring at CanSecWest on hacking peripheral devices such as mice and pointers.

In the evening, there will a mock hacker trial presided over by a real judge, and a talk by security researcher Johnny Long titled "No-tech Hacking"--and that's all just within the first day.

On Thursday, there will be only one keynote speaker, Bruce Schneier, who will talk about the psychology of security. Then David Maynor, who last year presented an Apple wireless flaw, will return with "tips your security vendor doesn't want you to know." Mozilla's Window Snyder and Mike Shaver will introduce new tools to fuzz browsers as well as talk about the security features expected in Firefox 3 due later this fall.

Also, Hoffman will give a second talk along with John Terrill on the possibility of a Web-based Ajax-enabled worm and how antivirus companies might cope with it; Gregg Hoagland will give a talk about reverse engineering; Adam Laurie will talk about RFID vulnerabilities; Gadi Evron will discuss the supposed cyberwar in Estonia; and retired Special Agent Jim Christy will host a regular feature called "Meet the Feds."

At the end of the second day, F-Secure's Mikko Hypponen will talk about mobile phone vulnerabilities. Meanwhile, Brian Chess and Jacob West will have some fun with something they're calling "Iron Chef Black Hat," a session where two different methods of vulnerability testing will be used to try to discover the "secret ingredient" nestled within in an open-source application.

All Black Hat events are being held here at Caesar's Palace. A sister conference, Defcon 15, will run Friday through Sunday at the Riviera Hotel, also in Las Vegas.

See more CNET content tagged:
Black Hat, forensics, application security, Richard Clarke, reverse engineering

9 comments

Join the conversation!
Add your comment
Sucks that I will miss it
nt
Posted by The_Decider (3097 comments )
Reply Link Flag
Black Hat=Black Arts
What better way to perpetuate your career than to undermine the works of a productive society? I bet most attendees are frustrated lawyers.
Posted by Schratboy (122 comments )
Reply Link Flag
spooky
"undermine the works of a productive society"

spooks...
Posted by wone111 (6 comments )
Link Flag
Attendees
The attendees to Black Hat is diverse. From white hat security people, to the government to black hatters, and everyone in between.

If someone wants to work in any area of computer security, then they better know the tools and methods of the black hats.
Posted by The_Decider (3097 comments )
Link Flag
lol...
What better way to understand how to protect a companies assets than to learn how others could harm them.

No wait... let's just hide under the bed sheets and pretend nobody would ever want to hurt us. We can use the "honor system".
Posted by Malenx (23 comments )
Link Flag
We've all seen it
I think we've all seen the effects of software and systems designed by people who don't know enough about hacking.
The best and most dangerous black hat hackers don't need these conferences.
Posted by tobart (24 comments )
Link Flag
Black Hat is Black Hat
LOL - There are no legit uses for BlackHat that's why it is called BlackHat not nicet-piciey Search Engine Marketing. So there is no point to pretend otherwise. If it was a security conference it would have been called <i>"Fight dirty Black Hat Spammers Now"</i> or something like that. Get real.
besides as it was mentioned: <i>The best and most dangerous black hat hackers don't need these conferences.</i>
Posted by LZZR (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.