Thursday, July 30, 2009

Thoughts from Black Hat USA 2009

Black Hat USA 2009 is history. My two classes of TCP/IP Weapons School 2.0 went very well. I should be back to teach in DC, Barcelona, and Las Vegas next year. Thank you to my students for your positive feedback and cooperation in class! Despite your numbers, we had few if any problems, and I believe everyone learned something useful. For future classes I will add a table of contents, focus the questions, add more on my personal methodologies, and add more consistent page numbers to the class books. I added two of your comments to my Training page, and I'll add one other here:

The instructor was great. Very informative and very "in the weeds" for a Director!

That made me laugh.

I recorded my take-aways from the Briefings using my new account. Moxie Marlinspike delivered my favorite briefing. He completely demolished SSL, and he presented the material in a very understandable story. As one attendee commented to me: "he told a story we could all follow, unlike some of the other speakers." Besides Moxie, Dan Kaminsky and the team of Alex Sotirov and Mike Zusman also showed SSL problems.

I paid a decent amount of attention to the "mobile" track this year. The outside world seems not to realize that the iPhone or Blackberry in your pocket is a computer. Some of the vendors don't think that way either. Apple is becoming the new Microsoft, as several people mentioned this week. Start with the page listing Apple security updates: What kind of a URL is that?

Now look for iPhone updates:

Can you spot the problem here? How about more timely updates?

Now select the latest update and search for "arbitrary code execution". I counted 27 instances. The bottom line is that Apple needs to step up to the plate. How about creating a PSIRT like the grown-up vendors have?

A close second favorite talk was "Fighting Russian Cybercrime Mobsters" by Dmitri Alperovitch and Keith Mularski. That's the kind of threat-centric talk that everyone can understand. Jeremiah Grossman and Trey Ford again brought it strong with their latest on making money through cybercrime. The last talk I attended, by Bill Blunden, featured an updated version of the slide where he posts my picture, except he used the more recent, grayer-beard photo. Thanks Bill -- nice to meet you!


Anonymous said...

Certainly agree that Apple has to improve on reducing the "window of exposure" with regards to known vulnerabilities (especially since they use many third-party packages that have obvious visibility as to when and what got patched).

On the other hand, they do have a product security team (i.e. and in my book are top notch), but unfortunately it appears that their marketing department rules the roost when all things are said and done (just an observation from one of their customers).

Anonymous said...

No cookies here :( Yeah, what a place ..


fusion said...

Thanks for the post. It's really informative stuff.
I really like to read. Hope to learn a lot and have a nice experience here! My best regards, guys!

seo jaipur--seo jaipur

Anonymous said...

I was actually in your second class for TCP/IP Weapons this year and it was great. I meant to ask you if you knew of any ways to get Windows event logs to a Splunk box over an encrypted channel or at least over TCP.

Richard Bejtlich said...

Thanks Anonymous. I don't have a good answer for this using open source tools. I've been doing some research but nothing jumps out at me.

Richard Bejtlich said...

Anonymous, I forgot to mention that has some potentially useful posts on this subject.

Zamankhan said...

Your blog is nice.
