I have been a big proponent of the Black Hat conference since I have been coming to it (2002) and DefCon (1999). One of the, I guess natural, side effects of this conference is the massive proliferation of vendor booths. Don’t get me wrong this is to be expected but, I almost wonder if this is leading to a dumbing down of the conference. I have seen more “hack this 101” type intros than I have in previous years. There have been good presentations by the likes of David Litchfield and John Heasman (any NGS staffer will bring the goods basically) and Billy Hoffman & Bryan Sullivan gave an enjoyable presentation entitled (no, I’m serious) “Premature Ajax-ulation”.
(sorry for the blurred image I had WAY too much coffee at this point)
But, I have also seen the likes of the presentation that Myrcurial and I attended yesterday where the presenters claimed to have broken EnCase. Well, that was the impression at least. Basically it was all flash and no pan.
The “vulnerability” amounted to little more than an analysis of the patent. Or as I mentioned to some folks later that evening it was like a fart in the wind. Sure, it stinks, but the likelihood that you will have to contend with it is remote at best. The crux of the matter was that when the EnCase servlet is pushed out to client machines there is no differentiation of agents. They went so far as to have a lawyer on hand to present about forensic evidence. I should point out that the presenters from iSECpartners were unaware of how this agent is distributed. Now, if they had downloaded and read the documentation they would have known. Myrcurial was good enough to point that out to them as I was still recovering from their first speaker who was human Novocaine. Novocaine went on and on about his fuzzing against TSK and EnCase and there really was little substance. It became readily apparent that they were not regular forensic software users. Frequently falling back on the refrain of “we didn’t test that”.
Indeed.
So, getting back to it, they argue you have to know for certain which machine you are running an acquisition against. OK, fair point. But, hardly a vulnerability. If this was for a legal preceding I would not rely on a remote acquisition when I could seize the box. When they prefaced their presentation with “send us your resumes” I got a leery feeling. Ah well. They can’t all be winners.
Now, the RSA Security effect started to sink in this morning as I looked at the growing pile of swag that I have been accumulating and I started to have flashbacks to RSA 2007. I had to get a second suitcase due to the 24 tshirts that I had shoved at me. Here, the swag is flowing as well as the catered parties. Am I complaining? No, not really. But, I have a sinking feeling that Black Hat might be getting too big for its own good.
From Infoworld:
While show founder Jeff Moss highlighted in the show’s keynote address that the conference has become increasingly corporate, with higher numbers of business users showing up every year, the site hack illustrates that the core audience of Black Hat — both ethical and nefarious hackers — remains intact.
The real blessing is that there are not 20 sales people for every attendee. That was the very real impression that I had at RSA Security 2007.
(sampling: LEGO from Ironport, Einstein from Configuresoft, blinking pen from Core Security and a couple of items from SPI Dynamics)
[tags]Black Hat, EnCase, Security Conferences[/tags]
Comments