It's great to see signs of life in the corporate world, even if it's investment in the kind of defensive education that CISOs and their teams get when they travel to a security conference like Black Hat.
By all accounts Black Hat 2009 in Las Vegas was well attended, with some estimates that traffic was down only 10 to 15 percent in a year when a `slightly down' is the new flat. "I guess there's still a market for good, high quality content; people are still willing to pay for that content," says Jeremiah Grossman, founder and CTO of WhiteHat Security.
Grossman wasn't necessarily talking about his own session, of course, though even its title, "Mo Money, Mo Problems" was enough to elicit more than passing interest. Grossman and WhiteHat director of solutions architecture Trey Ford talked about some of the vulnerabilities that WhiteHat specializes in uncovering, like SQL injection and cross-site scripting, but primarily focused on showcasing scam after scam where Grossman says amateur hackers were making "anywhere from five to nine figures" online using coupon codes in unintended ways and circumventing business process flows.
Also of note to bank IT security gurus were three sessions that broke down SSL security from a variety of angles. The first was presented by Moxie Marlinspike and showcased how a criminal could use null characters when using a certificate authority's automated order processing system to obtain a certificate that could appear as if it really originated at a legitimate bank site.
Another session took apart the extended validation version of SSL certificates, the ones that institutions use to turn browser address bars green so that consumers know they're on a legit site. Presented by Alexander Sotirov and Mike Zusman, "Breaking the Security Myths of Extended Validation SSL Certificate" demonstrated an iFrame attack that's effective when sites mix content behind an EV certificate with that secured just by the normal DV certificate. "Consumers still see that pretty glowing green bar, however there's a man in the middle even though the visual indicators still tell you its an EV Website," says Ben Feinstein, director of SecureWorks counter-threat unit.
Tim Callan of EV proponent VeriSign gets a little defensive when asked about the attack that could compromise sites secured by EV certificates. "This is good, forward-looking advanced research, done by some forward-looking advanced researchers trying to figure out the potential ways for our infrastructure to be defeated," Callan says. "We don't want to confuse that with the attack of today, that's the attack of tomorrow they're talking about."
He says VeriSign's provisioning authority wouldn't allow the null character attack outlined by Marlinspike, adding both browser manufacturers and other CAs likely need to improve to prevent both kinds of attacks. He's right, and that's a positive outcome that a once nefarious conference like BlackHat can take credit for. "There's more collaboration than ever among the players in the industry and researchers, both corporate and independent," Feinstein says.
