Thursday, July 31, 2008

My Picks for BlackHat USA 2008

Loads of awesome looking presentations this year! So hard to choose from. I really hope I’ll have time to see most of them and not stuck 24x7 in little rooms answering questions with people holding microphones. :) I hear the conference attendance is PACKED and suggest if you want to get in to see a popular speaker/talk, get there early. Oh, the same goes for the OWASP/WASC Party, get the Breach booth early.

Day 1: 10:00 to 11:00

Bad Sushi: Beating Phishers at Their Own Game
Nitesh Dhanjani, Senior Manager
Billy Rios, Microsoft

I saw this talk at Blue Hat is Seattle a couple months back. Not only is the data they present extremely compelling, but their humor and speaking style really put it over the top. With so many dry talks in our industry, when speakers are actively engaging it really makes a difference.

Day 1: 11:15 to 12:30

DNS Goodness
Dan Kaminsky

The vulnerability itself and disclosure drama aside, I have it on good authority that Dan will provide some important lessons learned as a result of the fiasco with regards to software serviceability. I’m really interested in hearing what he has to say about how we can improve our situation so we can adapt better to a similar scenario down the road.

Day 1: 13:45 to 15:00

Iron Chef: Fuzzing Challenge

This event was a lot of fun last year when I participated as a “celebrity judge”. Just don’t be under the impression that this is a scientific experiment or any kind. Instead simple enjoy the “show” where you can participate if you'd like. You get some code, find vulnerabilities however you want, and share your results. Simple! We should give them RSnake’s blog software. :)

Day 1: 15:15 to 16:30

Xploiting Google Gadgets: Gmalware and Beyond
Tom Stracener
Robert Hansen

My man RSnake accompanied by Tom Stracener delivering Google zero-days and JavaScript malware PoC abound. Who could miss that! Keep your eyes peeled for Googlers in the front row feverishly taking notes and radioing live information back to the Googleplex. This talk might also renew our sense of paranoia about browser security, if there is such a thing.

Day 1: 16:45 to 18:00

FLEX, AMF 3 and BlazeDS: An Assessment
Jacob Carlson
Kevin Stadmeyer

Don’t know much about the speakers or the talk itself, but the subject matter looks compelling and particularly timely. I’ve been doing a lot of my own research in Flash/Flex are well and there is a lot of unexplored territory within. XSS and CSRF malware payloads can and will get a lot worse with this stuff.

Day 2: 10:00 to 11:00

Encoded, Layered and Transcoded Syntax Attacks: Threading the Needle Past Web Application Security
Arian Evans

Going only because I have to speak alongside Arian. :) This presentation is the result of a large amount of experimentation on live websites using seriously obfuscated attack techniques. Some of the methods we’re still not exactly sure why they work, only that they do in extreme edge cases. What we’re also learning is that there is A LOT of web application vulnerability edge cases out there.

Day 2: 11:15 to 12:30

No More Signatures: Defending Web Applications from 0-Day Attacks with ModProfiler Using Traffic Profiling
Ivan Ristic
Ofar Shezaf

A serious toss up between this one and Threats to the 2008 Presidential Election, which I’m sure is also going to be a stellar. For me, I need to stay as up-to-date as I can in WAF technology evolution and Ivan is THE MAN in the open source space.

Day 2: 13:45 to 15:00

REST for the Wicked
Bryan Sullivan

Love the talk title and really interested in learning about any new attack techniques on SOAP and surrounding technologies. This area also continues to be a struggle for automated testing.

Day 2: 15:15 to 16:30

Get Rich or Die Trying – Making Money on the Web, the Black Hat Way
Jeremiah Grossman
Arian Evans

Again, only because I HAVE to be there. :) I’ve been wanting to do a presentation like this for quite some time and have finally been able to pull together enough data and public examples to make it possible. The idea is to demonstrate how to make serious money illicitly using the most simplistic of web attack techniques, all of which have already been used in the real world, and then speculate a little on other possibilities. All story driven, not meant to be grown breaking attack wise, just really thought provoking and fun.

Day 2: 16:45 to 18:00

Pushing the Camel Through the Eye of a Needle

Only because the Sensepost guys are super l33t, always have exceptional material, and I’ve never been to a bad presentation yet. Didn’t even bother to read the description, I know it’ll be worthwhile. Hopefully I can make it over there after my presentation.


Anonymous said...

I hope any new research makes its way to this blog, or ha.ckers. By the way I see that you are presenting at the upcoming OWASP NYC Appsec 2008 convention. Is the cost of the two days combined $400, or is that a single day? I might have to take a few personal days so I can attend.

Jeremiah Grossman said...

hey Andrew. I'll be posting the BH slides publicly so nothing is missed. And I'll probably host a webinar a week or two after for anyone remote to see it as well. All based covered. :)

As for AppSec, for $400 is fully worth it. Two days or nothing but webappsec stuff. Unless you live in the area the hotels will probably more costsly than the show. RSnake and I are considering combining our talks together since the stuff we've been quietly working on are closely related and useful to each other. More details to come later.

pdp said...

what, you are not attending my talk? ok, I am not coming to yours either :)

Anonymous said...


He said he was only going to good talks....

Jeremiah Grossman said...

hey pdp, actually I would have, but the title make me think I'd already seen it. However, given your recent blog post it sounds like you updated the material. Argh the choices!

pdp said...

@j I am joking... :) of course... the knowledge sharing will go beyond the talks.

Anonymous said...

@pdp @jeremiah

Plus, I think for talks you HAVE to be at, you should plug the one(s) you'd be at otherwise. So there. =p

This is a killer year for BH, past few have been less to write home about. Don't remember being this excited to go in awhile.

Anonymous said...

If I rememeber correctly I made a promise to drop by :) sadly not this year :(. Anyway I will wait for the slides then. Btw does Blackhat also tape speeches? I know the DefCon does. I guess they could earn an extra buck there since I would pay for it to download a couple of them.

Goodluck J!


Jeremiah Grossman said...

No problem, there will be other times. And yes, BH does record the video, I usually get a copy of the DVD. But I also plan to do a webinar encore sometime afterwards as well. So, nothing will be missed.

Anonymous said...

im new here guys!!! ... wanna visit here everyday