Category Archives: Conference

BlackHat USA 2009 – Day 2

Photo: Stephan Geyer

Photo: Stephan Geyer

This is the second in a two-part-series on BlackHat USA 2009. (Part 1)

As we stepped into the taxi the driver asked us, “Where To?”

“Caesar’s Palace.” I said.

“What are you guys in town for?” He said to the four of us in back seat of his cab.


“You guys are the hackers?!”

“Yes, We are ‘the’ hackers.”

“I talked to some of you last year. They told me  they could listen to my typing and blow up my computer! How are they able to do that?”

“They do that, using the Asparagus attack. As long as you don’t eat asparagus you will be fine.”

This is a conversation that a few of us had with a taxi driver last year while we were in Las Vegas attending BlackHat. If you happen to get this taxi driver. Please explain the Asparagus Attack. He was full of questions regarding how it is done.

We are now on to Day 2. The hangover should be maintainable enough to see the following talks:

Day 2 – Thursday – July 30th

[10:00am] Zane Lackey linkedin , Luis Miras Luis Miras on LinkedIn

Attacking SMS

[~10:30am] Kevin Stadmeyer linkedin, Garrett Held Garrett Held on LinkedIn

Worst of the Best of the Best

[11:15am] Jeremiah Grossman twitter, Trey Ford Trey Ford on LinkedIn

Mo’ Money Mo’ Problems: Making A LOT More Money on the Web the Black Hat Way

[1:45pm] Haroon Meer twitter, Nick Arvanitis Nicholas Arvanitis on LinkedIn, Marco Slaviero Marco Slaviero on LinkedIn

Clobbering the Cloud!

[~2:15pm] Tony Flick Tony Flick on LinkedIn

Hacking the Smart Grid

[~3:45pm] Peter Guerra Peter Guerra on LinkedIn

How Economics and Information Security Affects Cyber Crime and What It Means in the Context of a Global Recession

[4:45pm] Panel Discussion

A Black Hat Vulnerability Risk Assessment

Blackhat USA 2009 – Day 1

Photo: Roadsidepictures

This is the first in a three-part-series on BlackHat USA 2009. (part 2)

A dark cloud is about to approach Las Vegas. The city of sin will soon get cold sweats at night when they realize what is approaching. At the end of July, Las Vegas will be pounced upon by hundreds of security professionals at the annual BlackHat convention.

BlackHat is the most well known computer and Internet security conference in the world. I always have a hard time deciding what talks to go see. I typically end up flagging way too many talks, and get burned out rather quickly. In addition, there are the security booze-hounds/gamblers that are very persuading in swaying you away from the talks.

This year, I thought I would try something different. I am listing the talks I want to see on this blog in an attempt to make sure I show up to them. We will see if this happens.

Day 1 – Wednesday – July 29th

[10:00am] Rod Beckstrom Rod Beckstrom on Twitter

Beckstrom’s Law: A Model for Valuing Networks and Security

[11:15am] Nathan Hamiel , Shawn Moyer

Weaponizing the Web: More Attacks on User-Generated Content

[1:45pm] Nitesh Dhanjani Nitesh Dhanjani on Twitter

Recoverable Advanced Metering Infrastructure / Psychotronica

[3:15pm] Mark Dowd , Ryan Smith , David Dewey

The Language of Trust: Exploiting Trust Relationships in Active Content

[4:45pm] Thomas H. Ptacek , David Goldsmith , Jeremy Rauch

Hacking Capitalism ’09: Vulnerabilities In Markets And Trading Platforms

[6:00pm] The Pwnie Awards

What businness actually want: lessons learned on the RSA floor

From a security perspective, companies want simple solutions. As I walked the RSA expo floor a few weeks ago, this became very apparent.

Vendors were pitching products that were among other things, “in the cloud”, “self-maintained”, and “auto-updated.” It seems that companies are looking for simple solutions for complex problems. (Duh?)

As I walked around the exposition floor, I began to chuckle, realizing that there were more people in the Moscone center than there are attackers in the world. More money gets pumped into security products than actual money gets stolen. What an amazing idea.

Now, imagine I have a product that you can:

  1. Plug into your network or computer.
  2. Requires no “maintenance”.
  3. Will prevent your network/computer from being attacked.
  4. Alert you after it has successfully prevented the attack.

This was essentially every product that was being offered at RSA.

My two-cents: No product or grouping of products will prevent an attack. You can do some preventative measures, however, if an attacker wants to get you, they will.

Good Luck!