July 23, 2014

Black Hat 2014: Interesting Topics at this Year's Conference

In today's Whiteboard Wednesday, Trey Ford, Global Security Strategist at Rapid7 will discuss the talks that he will most likely be attending at Black Hat 2014 this year.


Hi, I'm Trey Ford with Rapid7. This week's Whiteboard Wednesday we're going to talk about Black Hat 2014. One of the things I spend my time working on here at Rapid7 is on the Review Board at Black Hat. We help review, score, and provide feedback on the talk programming. I wanted to highlight a couple of the talks that I'm personally excited about for this year's Black Hat event.

The first is "Bringing Software-Defined Radio to the Pen Testing Community." Now, when we talk about software-defined radio we're not talking about this ghetto blaster, giant stereo. What we're actually talking about is the application of wireless protocols in devices. We're seeing this more and more, whether it's your new fancy smart watch connected to your phone, the Internet of Things, or other technologies communicating wirelessly in your home or in the office.

A lot of these devices require very specialized hardware and access to specific frequencies and protocols. Far more efficient would be to have a software-defined radio connected to your computer, allowing you to interact with those protocols and those communications the same way you would do a packet capture on the network.

The second talk is "Building Safe Systems at Scale: Lessons Learned from Six Months at Yahoo." So one of the Review Board's own, Alex Stamos, just started with Yahoo about six months ago. It's interesting. We had another former Yahoo member on the Review Board, Jeremiah Grossman, who came from Yahoo and started WhiteHat Security. Alex just left a security firm in San Francisco to start as the Chief Security Officer at Yahoo, so it's interesting to see a security professional brought in to Yahoo to help build that. We're all excited to see how things are going. Yahoo is a property we've all used, all know, all love, so I'm excited to see how Alex is doing there.

Third up is "ICS Corsair: How I Will PWN Your Entire ERP." The drawing today is of the Springfield power plant, but what's interesting about ICS Corsair is that this is a specific device designed to grant access to the protocols inside SCADA and control environments, like Fieldbus, Modbus, and other protocols as well. I think a lot of pen tests don't always dive in quite that far. We're looking at standard admin interfaces and those sorts of things.

These guys have built a hardware platform that plugs straight into the bus so you can start looking into other vulnerabilities inside of the actual control bus and platform. Very excited to see what they're up to and this is highly relevant because we're all paying attention to SCADA and critical infrastructure.

Fourth talk, "Point-of-Sale System Architecture and Security." My friend Lucas is a long-time proponent and professional focused on payment infrastructure. And so he's going to do a breakdown of attacks against point-of-sale systems. He's going to talk about EMV chip and PIN and attacks against that environment, when things are encrypted and when they're not. For those of you that work around PCI, the Payment Card Industry, or handle credit cards on a daily basis, if you can't catch this talk, you're going to want to watch this video. I'm excited to see Lucas talk on this.

Finally, "Unveiling the Open Source Visualization Engine for Busy Hackers." Visualization is so important. We spend a lot of time handling a lot of data. We tear through a lot of logs, and sometimes this stuff is machine readable, but it comes at us so fast it's not really human parsable.

In one specific event I worked at one of my former employers, under a denial-of-service attack, the only way we found to pick this thing apart was to visualize the data coming off the firewall. So I think this is really great. There are a lot of people like Raffael Marty who have been spending time working on visualization. We need to take a hard look at this. This is going to be a great talk. Looking forward to this.

I've got to make a shameless plug. We've got several of our own here at Rapid7 doing talks at Black Hat this year. First up, "Internet Scanning: Current State, Lessons Learned." Mark Schloesser is going to be doing a talk reporting on scans.io, what we're doing here, some of our research projects, and just updating on that. Very excited to see Mark up.

"Why You Need to Detect More Than PTH" (Pass the Hash). Matthew Hathaway is going to be doing a talk taking a look at malicious movement and risky user behaviors inside of your corporate network, and some of the current deficiencies. We've been tearing apart pass-the-hash type attacks for a long time at Black Hat. This is going to be more of a defender-oriented talk. Very excited about that work.

Finally, I'm speaking with Marcia Hofmann and Kevin Bankston. We're going to be talking about some of the unintended consequences of the Computer Fraud and Abuse Act in "The Big Chill: Legal Landmines That Stifle Security Research." We're going to be taking a bit of a less-than-standard approach for a Black Hat talk.

Anyway, look forward to seeing you in Vegas. Tune in next week.