This is Black Hat Security Conference 2012

The Black Hat Briefings – the world’s largest computer security conference.  In its 15th year, it’s held each year in Vegas at the end of July.

Me and my press badge.  Proud.

Same as when I attended last year – it’s bad manners to wave your camera about. This conference attracts all kinds.

There’s a little trick: embedding text in a photo still gets your message out, but without it being crawled and picked up by the bots.

There are briefings and trainings. Not much point to me attending the latter, I’d be so lost, the biggest brains give these. The briefings are very interesting though, here’s my report on Apple’s first ever talk, where not enough went over my head.

I listened to cyberpunk author Neal Stephenson interviewed by Brian Krebs, who is awesome. If you’re ever stuck for security help, check his site.

Neal’s book ‘Reamde’ is a neat premise: a virus is unleashed through a popular online game that encrypts the player’s hard drive, and holds it for ransom.

See the yellow * above? I joined the taxi line, oh wait it’s Neal, hi great talk! Now we know he has duct tape on his old-school phone, which he keeps in a pocket I’m not sure is the most secure place.

It’s okay to take photos here, this is the other half of Black Hat – the vendor area.

All the top security merchants selling their wares.

I did the same thing I did last year: started in the far corner and walked up and down every aisle, every booth. This stuff isn’t for us though, it’s for enterprises and large corporations.

Thanks for a great time Black Hat, see ya next year!


Apple's First Ever Black Hat Security Talk

(close-up photo credit to Elinor Mills/CNET)

Dallas De Atley, Apple’s platform security team manager, was there to speak about iOS security.  It was the first time ever Apple had presented in the 15 years of the Black Hat security conference.  There was much anticipation.

And did he ever deflate the room; it was really underwhelming. He didn’t take questions either, and took off right after, the opposite of how it’s done.

I summarized below some interesting things, but first two observations:

1 – it wasn’t anything special, at all. I sat there thinking, “I’m understanding too much, this is Black Hat, more should be going over my head”. The articles that came out agree: Apple just read from the whitepaper they released in May, how meh.

2 – to my ear, Apple people speak with a similar tone, meter, pace… I wonder if they have a “presentation preparation department” where they’re groomed.

About Apple’s iOS Security

– it’s built from the ground up, fully integrated, and as he said, “security is not something you can sprinkle over the code at the end”

– applications are suspended by default when you hit the home button, increasing performance and battery life

– patching holes and always updating keeps things secure, so Apple’s ‘software update’ was designed to be very easy. 80% of phones are running the latest iOS; they call that success.

– all apps running on the device come from a known location (iTunes), so this reduces the attack surface for malware (apps distributed through iTunes must first meet Apple’s strict security practices)

– the device is divided into 2 partitions: a read-only partition, and data. Your data is separated from the OS

– apps go through an Apple API to access user data, therefore an app can’t access your data directly

– direct data sharing between apps is not allowed

– it takes 5.5 years to attempt every combination of a 6-digit passcode because you have to do it manually

Further Reading

CNET

NY Times

Cult of Mac

The Register

GPS Tracking a Vegas Saturday Night

The tracker was the size of a pager, carried in a pocket.

It was a good test: a Saturday night in a busy area, everyone on their phones hammering the cell network, plus imagine all the casino’s communications flying around, and when zoomed in you can see that even small movements were recorded.

It’s not perfect though, see where it has me in the middle of the fountains at the Bellagio?  Didn’t happen.

The output is a .log file that opens up in Google Earth beautifully.  Test complete, a successful test!

It was a really fun night.

I did it all in 5″ heels, too.  That’s a good CityGirl.


How I Went Online at Black Hat and DefCon

I didn’t. That’s the safest way.

When I absolutely had to, I connected from my hotel room, uncomfortably… they all have to stay somewhere.  And hotel WiFi networks are like, a sport.

  • 1 – if you have a newer laptop like mine, it didn’t come with an ethernet port. That $30 attachment gives you one
  • 2 – surge protect your laptop. Don’t plug $000s into a shoddy socket, and I doubt you’re backed up, I’ve mentioned this
  • 3 – I cover my camera

Don’t forget old-fashioned pen & paper.

Every year the press makes a big sensationalized deal about DefCon being “the most hostile network in the world”. Duh guys; it’s the world’s largest security conference, it’d be disappointing if it wasn’t.

At DefCon they have the ‘Wall of Sheep’.

It’s a ‘wall of shame’.  The network is passively watched, and if your security sucks, your username and password will be captured, displayed and mocked.

There was a time when the full name and password were displayed.  Not for years now though. And you know, DefCon felt different this year, I’ll explain in another post.

The easiest way to protect your phone in an uncertain environment:

  • 1 – turn off your Wifi
  • 2 – turn off your data connection
  • 3 – put your phone into ‘Airplane mode’ (extreme, but effective)