Apple's First Ever Black Hat Security Talk

(close-up photo credit to Elinor Mills/CNET)

Dallas De Atley, Apple’s platform security team manager, was there to speak about iOS security.  It was the first time ever Apple had presented in the 15 years of the Black Hat security conference.  There was much anticipation.

And did he ever deflate the room, really underwhelmed.  He didn’t take questions either, and took off right after, the opposite of how it’s done.

I summarized below some interesting things, but first two observations:

1 – it wasn’t anything special, at all.  I sat there thinking, “I’m understanding too much, this is Black Hat, more should be going over my head”.  The articles that came out agree: Apple just read from the whitepaper they released in May, how meh.

2 – to my ear, Apple people speak with a similar tone, meter, pace… I wonder if they have a “presentation preparation department” where they’re groomed.

About Apple’s iOS Security

  • it’s built from the ground up, fully integrated, and as he said, “security is not something you can sprinkle over the code at the end”
  • applications are suspended by default when you hit the home button, increasing performance and battery life
  • patching holes and always updating keeps things secure, so Apple’s ‘software update’ was designed to be very easy.  80% of phones are running the latest iOS; they call that success.
  • all apps running on the device come from a known location (iTunes), so this reduces the attack surface for malware (apps distributed through iTunes must first meet Apple’s strict security practices)
  • the device is divided into 2 partitions: a read-only partition, and data. Your data is separated from the OS
  • apps go through an Apple API to access user data, therefore the app can’t access your data directly
  • direct data sharing between apps is not allowed
  • it takes 5.5 years to attempt every combo of a 6-number passcode because you have to do it manually

Further Reading

CNET

NY Times

Cult of Mac

The Register

GPS Tracking a Vegas Saturday Night

The tracker was the size of a pager, carried in a pocket.

It was a good test: a Saturday night in a busy area, everyone on their phones hammering the cell network, plus imagine all the casino’s communications flying around, and when zoomed in you can see small movements were even recorded.

It’s not perfect though, see where it has me in the middle of the fountains at the Bellagio?  Didn’t happen.

The output is a .log file that opens up in Google Earth beautifully.  Test complete, a successful test!

It was a really fun night.

I did it all in 5″ heels, too.  That’s a good CityGirl.


How I Went Online at Black Hat and DefCon

I didn’t. That’s the safest way.

When I absolutely had to, I connected from my hotel room, uncomfortably… they all have to stay somewhere.  And hotel WiFi networks are like, a sport.

  • 1 – if you have a newer laptop like mine, it didn’t come with an ethernet port. That $30 attachment gives you one
  • 2 – surge protect your laptop. Don’t plug $000s into a shoddy socket, and I doubt you’re backed up, I’ve mentioned this
  • 3 – I cover my camera

Don’t forget old-fashioned pen & paper.

Every year the press makes a big sensationalized deal about DefCon being “the most hostile network in the world”. Duh guys; it’s the world’s largest security conference, it’d be disappointing if it wasn’t.

At DefCon they have the ‘Wall of Sheep’.

It’s a ‘wall of shame’.  The network is passively watched, and if your security sucks, your username and password will be captured, displayed and mocked.

There was a time when the full name and password were displayed.  Not for years now though. And you know, DefCon felt different this year, I’ll explain in another post.

The easiest way to protect your phone in an uncertain environment:

  • 1 – turn off your Wifi
  • 2 – turn off your data connection
  • 3 – put your phone into ‘Airplane mode’ (extreme, but effective)

DefCon Badges are Worth Keeping

Human badge on the left, speaker badge on the right.

Admission is cash only, no information is exchanged, and there is no preferential treatment, you have to wait in a line of thousands. Then you receive a badge designated “human”.

This is my press badge. I did have to register for that, after passing through a door marked “non-human”.

Each year the badge is different, there’s an anticipation about it and the complex puzzle game competition starring the badge.  Neat, eh?! The badge is a game.

They are functioning circuit boards, and came with pieces to solder on, so you could hook up to a monitor and explore around, plus they interacted with one another, which were all pieces of the puzzle… read a better description at Wired.

Interesting the Egyptian theme carried on, it was on last year’s badge.

Polar opposite eh, a disc of metal.  I wore two last year (human and press), so I clank-clanked everywhere I went.

A DefCon17 Uber Badge.

Uber Badge – Free access for life, no waiting in line ever again, the ultimate badge.  A handful are awarded each year to the contest winners.

And ready? The first ever DefCon1 badge.

Congratulations on 20 years, DefCon! :)