I attended two days of Black Hat Federal Briefings 2006. I paid my own way, and I must say the conference was worth every penny. If you didn't attend, I highly recommend registering for next year's conference. I spoke briefly with Jeff Moss, who said Black Hat will return to DC in February 2007 for another Federal conference. This is welcome news. I taught Foundstone's Ultimate Hacking: Expert class at Black Hat Federal 2003, which was the last Black Hat conference in DC.
My summaries cannot do most of the speakers justice. I will attempt to offer highlights for most talks, along with links to relevant techniques or tools.
Jeff Moss began the conference by noting its main theme: paranoia. After attending many of the sessions, I understand why. Jeff didn't want Federal to be "Las Vegas-lite," and I think he succeeded in assembling a conference that truly delivered.
Dr. Linton Wells II from DoD offered the keynote. He briefly discussed the Quadrennial Defense Review, which will be delivered to Congress on 6 Feb. He lamented the fact that DoD budgets in 6-year increments, beyond which the department has to look 10 more years. He asked the audience to consider what the world was like in 1990 compared to today. How could planners in a pre-Gulf War, Soviet-facing, Internet-minimal world anticipate the current landscape? He mentioned that DoD Directive 3000.05, "Military Support for Stability, Security, Transition, and Reconstruction (SSTR) Operations," dated November 28, 2005, emphasizes that traditional non-combat activities like network defense are on par with combat operations.
With regard to threats facing DoD, Dr. Wells said the threat is the "patient, skilled, well-resourced adversary with intent to do harm." (Dr. Wells did not say a hole in OpenSSH is a threat!) He noted that US Strategic Command has command over DoD networks now, and that DISA is trying to "minimize the number of connections from the Internet to the NIPRNet." DoD has recognized and is beginning to treat NIPRNet as the "command network" that it is, especially for logistics and health care users. Dr. Wells said classic security labels (unclassified, secret, etc.) "just don't work anymore," and current 30, 45, or 60 day patch cycles "have to change." DoD has even spoken with Google about how that company decides how to internally select and fund projects on 3-6 development cycles.
I asked Dr. Wells about the security stand-down that happened in November. (More details here.) He said "we have a problem, and people need to pay attention to it." He said the stand-down included a password change and patching of applications, and that DoD has about 100,000 people with sys admin duties. I followed up with a question to two of Dr. Wells' team about DoD usage of Snort, given that Sourcefire was purchased by Checkpoint -- an Israeli company. They said there was "concern at high levels," and that a deputy secretary of defense had just been briefed on the issue on Tuesday. They emphasized that, in the future, DoD might require vendors to provide source code of their products to "assure the pedigree of their software." DoD is worried about foreign elements introducing back doors into code. Finally, of the $450 billion spent by DoD each year, $29-30 billion is IT-related. Of that amount, about $2 billion is IA-related.