Posts Tagged ‘Black Hat’

Black Hat 2011 has kicked off in steamy Las Vegas (highs over 100 this week!). But Black Hat isn’t about the weather, it’s about the hacking. And there will be hacking. ZDNet has already rounded up this year’s “10 can’t miss hacks and presentations.” Among those that made our ears perk up are Moxie Marlinspike’s “SSL And The Future Of Authenticity” and Jerome Radcliffe’s “Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System.” Of course, if you’re worried about being hacked, Network World’s Tim Greene has published a checklist on “How to Survive Black Hat and Defcon without getting hacked – maybe” – love the caveat.

On that note, today we continue our conversation with Travis Carelock, technical director for Black Hat, to get his thoughts on the show’s online safety.

VPN Haus: Because so many people are doing demos of hacks at Black Hat, should attendees take more precautions in protecting their data and VPN networks than they would at a show like, say, Interop?

Travis Carelock: To be honest, the demos on stage are the least of the attendees’ concerns. The Black Hat speakers generally do a very good job displaying and demo’ing their PoC (Proof of Concept) in responsible ways. I have never heard of an attendee compromised because of a demo onstage. However, I have heard of an attendee compromised because of the attendee sitting to their right. One of the primary things that differentiates Black Hat from a show like Interop is our average attendee. Over 6,000 cutting-edge security experts (with an average cost of $3000, most companies don’t send their junior squad) will be in attendance, each smarter than the next, each with a complete hacking tool set updated, locked, loaded and ready to go, and most with a hacker’s mindset. So, yes, taking more precautions at Black Hat is always good.

VPN Haus: How is Black Hat Las Vegas different from the DC, Abu Dhabi, and Europe shows?

Carelock: Black Hat USA is our flagship event. It is several times bigger than our other events and serves as the yearly round-up for the entire security community. The previous year’s trends are analyzed, predictions about the next year are made, and awards are given based on community response and voting. In general, the community comes together to swap stories and techniques, and to network. Our other events are more targeted affairs, in which we try to serve some of the specific concerns of the regions in which they are held. At all our events we try to bring the latest offensive and defensive security presentations and techniques; the smaller events merely allow Black Hat to tailor what can be.

Here’s to a great show – and stay safe, everyone. See part one of our conversation with Travis Carelock here.

Next week is Black Hat in Las Vegas, which is one of the world’s biggest shows for techies and hackers. We were lucky to catch up with Travis Carelock, technical director for the show, to chat with him about this year’s show.

VPN Haus: What are the expected trends at this year’s show? What topics and sessions are getting a lot of buzz?

Travis Carelock: We are very excited about our keynotes. We are very fortunate to have highly respected individuals from both the public and private sectors. Ambassador Cofer Black was director of the CIA’s Counterterrorist Center during the 9/11 attacks. He has since gone on to have a very successful career in the private world serving the information security sphere. His reflections over the last decade will provide attendees with an amazing view of the frontlines from someone who lived it. Our second keynote is Peiter “Mudge” Zatko of DARPA. He is an infamous “old school hacker” from the L0pht days. Mudge will tell us what the government can learn from a hacker, and because turnabout is always fair play, what a hacker can learn from the government.

At Black Hat we have always delivered content centered on the latest attacks and zero days in many of IT’s most ubiquitous systems. However, one of the most surprising trends this year is all the attack vectors that are “outside” of the norm. We have some fascinating presentations on attacking SCADA systems, mobile device management systems, embedded webservers, wireless medical devices, laptop batteries, banking cards, USB devices, and even UAVs (that’s right, Unmanned Aerial Vehicles). The obvious trend is the ever-increasing complexity of our modern world. As more devices become “smarter” with code, hardware and features, history has told us that the unintended attack vectors will increase as well. The IT/Security department must broaden its scope to include this brave new world.

VPN Haus: How should Black Hat attendees secure their data, if they plan to tap into their corporate networks at the show? Do you recommend attendees bring their own VPNs?

Carelock: The three most important words Black Hat attendees need to remember in regard to their data are encryption, encryption, and ENCRYPTION! Realistically, users have not been able to store or send their data in cleartext and still maintain a reasonable expectation of security for many, many years now. If it is data on your hard drive, then it should be encrypted. If you are connecting back to your corporate network and passing the very lifeblood of your business (its data) through an unknown or hostile network, it HAS to be encrypted. Personally, if it is possible, I would suggest even using your VPN connection in a “bridge mode” with no split tunneling, and doing all your Internet surfing using your corporate infrastructure via the VPN tunnel.

Stay tuned for next week, when we talk to Travis about security issues that can emerge at Black Hat.

At this week’s Black Hat 2010 in Las Vegas, NCP engineering is releasing a new white paper that sheds light on common VPN vulnerabilities that put organizations at risk. It’s prudent to occasionally survey the threat landscape with a fresh lens, because while VPNs aren’t new, the threats they combat are constantly changing and require regular monitoring and security updates to stop. The white paper, Remote Access—Attack Vectors: Threats, Findings & Remedies, chronicles recent breaches and gleans lessons for all organizations that allow remote access to their network. For example, the infamous breach at Heartland Payment Systems in 2008 occurred, in part, using a VPN. This was followed by incidents at Google earlier this year and a major breach at Energy Future Holdings that resulted in $26,000 of business.

The white paper explores the two primary reasons that hackers find VPNs so alluring. For one, VPNs transmit sensitive information over public and shared networks. The extension of the network outside the perimeter makes assets much more accessible. Second, a VPN typically does not have layers of security found in perimeter defenses, yet it will provide access from outside a perimeter to inside networks. This can make VPN-based attacks that bypass a perimeter more attractive than attacks that directly target the perimeter.

The vulnerabilities that caused these breaches, and others like them, can be distilled into three categories. While the white paper delves deeper into these categories, in a nutshell, they are VPN quality, security, and management. For instance, VPN systems are expected to handle complex security operations, but not all products are created equal. Most will contain some flaws, but the severity of these varies with the importance placed on quality in the VPN’s engineering process. The level of security also fluctuates, depending on whether the VPN solution emphasizes security or simply ease of deployment and connectivity. Finally, proper management is essential to ensuring that VPNs effectively secure data and block unauthorized users from gaining access.

Although the vast majority of breaches involve management issues, design and quality are still very important considerations. When selecting a VPN solution, consider that both design and quality are among the best ways to differentiate VPN products and solutions.
