Slide Show: Memorable Moments From Black Hat 2012
A look at some of the demos, hacks, awards, and parties at this year's Black Hat USA 2012 convention
The memories of last month's Black Hat are starting to fade, the happy hour beers consumed have long since sloshed in our bellies, and (most) of the expense reports have been filed. But the talks, demos, and zero-day exploits presented at this year's Black Hat USA are just now starting to affect the information security community. Dark Reading takes a look at the highlights among these talks, along with other fun moments and perennial sights seen at Black Hat USA 2012.
Here, the throng of attendees surges in the halls between sessions. Black Hat organizers say that more than 6,500 attendees participated at the event at Caesar's Palace this year.
Photo Credit: Black Hat Events
During a Black Hat press conference, IOActive's Iftach Ian Amit spoke about steps companies can take to better defend their networks. Amit advocated what he dubbed Sexydefense for his talk at the show -- the art of being more proactive about defending networks.
"Counterintel is fair game," he said. "Everything around is yours; you better know everything that goes on out there."
Photo Credit: Rob Lemos
Tim Tomes, John Strand, and Paul Asadoorian of PaulDotCom took the proactive defense to its offensive extreme, with an in-depth training class on how to confuse attackers with offensive methods that put the skids on current attack techniques.
"Originally developed for fighter pilots, the concept of Observe, Orient, Decide, and Act (OODA) basically means that those who do those things the fastest will survive, according to Asadoorian," wrote Dark Reading Evil Bytes blogger John Sawyer in his wrap-up of the class. "By disorienting attackers through offensive countermeasures, defenders have a better opportunity to identify the attack and react before the attacker realizes he has been tricked."
Here Tomes reviews the in-class scoreboard during the training.
Photo Credit: Sarah Sawyer
They've been saying for years now that there's loads more money to be made in security than in most IT fields these days. Who knew it was as easy as grabbing it straight out of the air? Attendees lined up to do just that on the vendor showroom floor at RSA's popular Vault booth. The contestant here managed to snag a $100 bill from among those flying around him.
Photo Credit: Ericka Chickowski
Apple finally made its debut at the show this year when Dallas De Atley, manager of Apple's platform security team, stepped on the stage to discuss the security measures Apple built into iOS.
Mobile security was generally a hot topic at Black Hat this year, with a range of talks focusing on mobile topics, including:
training on "The Dark Art of iOS Application Hacking";
a session on how Microsoft Exchange man-in-the-middle attacks could lead to unauthorized remote wipes;
Photo Credit: Black Hat Events
According to speaker Alex Stamos, chief technology officer at security firm Artemis, the introduction of IPv6, a coming deluge of new top-level domains, and DNSSEC will all serve to transform the Internet's attack surface.
"Because IP addresses are rare and valuable [today], someone owns it and someone is responsible for the IP address," he said. "That model is going to completely go away."
Photo Credit: Black Hat Events
As HTML5 adoption ramps up, developers need to be mindful that the power of the tools in the HTML5 feature-set can be abused to great effect, Shreeraj Shah, founder and director of Blueinfy Solutions, warned at the show. His presentation detailed the top 10 HTML5 vulnerabilities, which were lumped into three main categories: XHR and tag vulnerabilities, thick feature vulnerabilities, and DOM vulnerabilities.
His talk on HTML5 was among several at Black Hat. Others included a discussion on ways to abuse HTML5 WebSockets and the demonstration of a technique that can be used against HTML5 browsers to deliver malicious firmware that could be used for mass router infections.
Photo Credit: Black Hat Events
The ballroom lunch was a great setting for some friendly networking among attendee practitioners and speakers. Diners compared notes about sessions, like the ones about FAA flight control system flaws and on using processor chip malfunctions to recover encryption keys from OpenSSL deployments using RSA encryption. They also dished on the latest scuttlebutt, including news that Symantec's Enrique Salem had stepped down from his CEO post.
Photo Credit: Black Hat Events
Smart grid researcher Don Weber, senior security analyst for InGuardians, presented data-eavesdropping techniques that can be used against smart meters, and demonstrated one of two tools highlighted at Black Hat that can be used to test the security of smart meter devices.
Photo Credit: Black Hat Events
Offensive countermeasures may work, but these "hack back" techniques could have legal implications, Robert Clark, an operations lawyer with the U.S. Army Cyber Command, told his audience.
"Get a good lawyer. Get them involved early and often. They can be a valued team member," Clark said in an interview with InformationWeek after his presentation.
Photo Credit: Black Hat Events
Black Hat played host once again to the lighthearted Pwnie Awards ceremony, which highlighted the best in security research discoveries and the worst in security vendor and practitioner fails. The ceremony also bestowed its golden My Little Pony statue on nerd-core sensation Dual Core for this year's best hacker song, Control. Here, rapper IntEighty picks up his prize.
Photo Credit: Black Hat Events
Former FBI cybercop Shawn Henry, who recently was named president of the services division of startup CrowdStrike, frontlined one of Black Hat's keynotes to discuss some valuable lessons security practitioners should learn to improve enterprise security.
"One of the things I learned at the FBI is that there are certain types of things we don't put on the network," Henry said. "I don't understand why more companies aren't compartmentalizing their data."
Photo Credit: Black Hat Events
The more intimate venue of off-strip Artisan Hotel played host to the alternative technical tracks served up by BSides Las Vegas, run concurrently during Black Hat and Def Con. Here, Kristov Widak, security consultant for FishNet Security, discussed how SQL injection attacks can be used against websites that serve up binary file content, like PDFs from dynamically built URLs.
Photo Credit: Ericka Chickowski
Microsoft knows how to throw a party; it's why conference attendees always seem to have boundless patience to wait in the inevitable line that snakes through the show floor when the company gives away its Black Hat party tokens. This year was no different, though Microsoft did up the ante by kicking off its shindig with the award of a cool $200,000 to the winner of its BlueHat Prize, Vasilis Pappas, for his work on techniques to mitigate the risks of Return Oriented Programming (ROP) exploits.
Photo Credit: Ericka Chickowski
Spanish security researcher Chema Alonso eavesdropped on malicious Internet users by using JavaScript and a proxy server. Within a day, he had access to the communications of some 4,000 bots. Alonso admitted that his methods may skirt the bounds of the law.
"It is better to search for servers in countries without law," he said.
Photo Credit: Rob Lemos