Defcon, Black Hat to open this week

the Fed contest, a competition to find the best social engineer, and a Cannonball Run car race described as “a race against time over 288 miles of road” from Redondo Beach to Las Vegas on Thursday.

Despite the economic slowdown, both events are expected to be crowded. “We had been expecting 30 percent fewer attendees and in reality we’re only going to have 10 to 15 percent fewer,” Moss said. “The market went down and all of this research came up.”

The research topics run the gamut of vulnerabilities and exploits on everything from iPhones to smart grids. One session deals with air traffic control security (or lack thereof). Others have to do with injecting electromagnetic pulses into the wiring systems of jets, insecurities in Firefox plug-ins, cloud computing security issues (see 23 July 2009 HSNW), and a new tool to send controversial news to censored countries without using proxy servers.

Several researchers are going to release a tool for hacking into Oracle databases. Meanwhile, two Hewlett-Packard researchers plan to demonstrate a proof-of-concept browser-based darknet-style network called “Veiled” that allows for the creation of a secure, decentralized peer-to-peer network in which no client software is downloaded. “The clients are the owners of the files and there is no single point of failure,” said Matt Wood, a senior researcher in the Web Security Research Group at HP Software and Solutions. “No one in the government can go to you and say ‘we need the files.’”

Interesting session titles include “Cracking 400,000 Passwords, or How to Explain to Your Roommate why the Power Bill is a Little High,” “Manipulation and Abuse of the Consumer Credit Reporting Agencies,” “Hacking Capitalism ’09,” and “‘Smart’ Parking Meter Implementations, Globalism, and You (aka Meter Maids Eat Their Young).”

As always, there will be a Meet the Fed panel with representatives from all the major defense and security-related government agencies. Well-known keynote speakers and presenters include Robert Lentz, chief security officer for the Department of Defense; Rod Beckstrom, former director of the National Cyber Security Center at DHS; Adam Savage, co-host of the “MythBusters” TV show; and perennial favorite Bruce Schneier, security guru and chief technology officer of BT Counterpane.

Mills notes that when hackers go public with details on exploits, vendors get nervous — companies have moved to block presentations at the shows over the years. This year is no exception. Juniper Networks pulled a talk one of its researchers was set to give about a flaw in ATM software after the ATM vendor complained. In his presentation entitled “Jackpotting Automated Teller Machines,” Barnaby Jack was planning to provide a live demonstration of an attack on an automated teller machine. “I’m disappointed Barnaby Jack’s talk was canceled,” said Moss. Another speaker this year was “forced or encouraged” not to release a tool, Moss said, but he couldn’t remember which speaker or talk it was.

Last year, a talk on hacking smartcards used in the Boston subway system was blocked after a federal judge granted the Massachusetts transit authority’s request for an injunction (see 19 August 2008 HSNW). In 2005 a security researcher was sued after giving a presentation at Defcon on how attackers could take over Cisco Systems routers. In 2001 the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel the day after he gave a Defcon talk about insecurities in e-book security software. All cases were eventually settled.

Defcon averted another type of legal debacle this year — the importation of its microprocessor-dependent badges, which are needed for the badge-hacking contest. “I’m excited the badges for Defcon will be here,” Moss said gleefully. “They were held up in Chinese customs for two months. It was a complete nightmare.”