In its sixteenth year, Black Hat USA 2013 will introduce nearly a hundred new security tools and 35 0-days in a record 110 unique Briefings (talks) and workshops, with 131 companies showcasing their security solutions on-site.
An estimated 7,000 high-level security experts are set to attend Black Hat this year. It takes place this week, July 27 – August 1, 2013, at Caesars Palace in Las Vegas.
A security conference leader, Black Hat blends hackers, corporations, researchers of all kinds, law enforcement and Feds, in hats ranging from snow-white to so black they actually absorb light.
These attendees will be wearing their nicest professional, casual-Friday armor to meet on neutral territory - all comprising an event that may be the world's biggest confluence of virtual arms dealers.
Black Hat has cautioned press, "You are about to enter one the most hostile environments in the world."
The list of precautions is long, and includes not to use any ATM machines around the conference, keep our hotel keys deep in our belongings, not to use the wi-fi unless we are security experts, not to leave any devices out of sight (EVER!), and to change all of our passwords immediately after leaving Las Vegas.
Still, the list of cautions will probably not be enough.
There is so much to see and absorb at Black Hat 2013, it will likely be a Vegas gamble worth taking. The packed schedule proves that Black Hat wanted to raise the excitement meter to eleven this year.
To mediate overwhelm, we've compiled an insider's 'hot list'.
Outside of the usual press releases, we asked organizers what they think will be hot, as well as compiling our own list. Combining the results, we've got a hell of a starting point for attendees listed here:
- Black Hat's Day 1 Keynote (Wednesday, July 31) is Gen. Keith Alexander, Commander, U.S. Cyber Command (USCYBERCOM) and Director, National Security Agency. Here he will "give attendees an insider’s look into the U.S. Cyber Command and the interworking of offensive cyber strategy."
- Mactans: Injecting Malware into iOS Devices via Malicious Chargers - Billy Lau. They'll demonstrate how an Apple iOS device can be compromised within one minute of being plugged into a malicious charger, and disclose the details of the vulnerability on-site – something they've held back on so far.
- Rooting SIM Cards - Karsten Nohl. Karsten will disclose his vulnerability onsite; the UN's ITU issued a global warning about it.
- Compromising Industrial Facilities from 40 Miles Away - Lucas Apa. Compromises around nuclear/energy, gas and oil facilities, among others - including shutting them down remotely - even from 40 miles away.
- Energy Fraud and Orchestrated Blackouts: Issues With Wireless Metering Protocols (WM-Bus) - Cyrill Brunschwiler. Energy fraud + widespread orchestrated blackouts are far easier than anyone thinks; Brunschwiler will disclose new flaws in wireless smart meters, resulting in not only a good cheat on your energy bill... but also widespread blackouts as the energy grid is directly impacted. Californians take note.
- Lets Get Physical: Breaking Home Security Systems and Bypassing Buildings' Controls - Drew Porter, Stephen Smith. Hardware-based vulnerabilities impacting a very broad audience – specifically impacts smart homes.
- Home Invasion v2.0: Attacking Network Controlled Hardware Jennifer Savage, Daniel Crowley, David Bryan. This team has hacked home-based network-connected devices and reveal how havoc or danger could be unleashed at home - specifically, ones that have been 'impossible' to hack until now - from space heaters to door locks, surveillance systems and much more.
- OPSEC Failures of Spies - Matthew Cole. "A rare peek inside the CIA's intelligence gathering operations and the stunning lack of expertise they can bring to the job."
- Above my Pay Grade: Cyber Response at the National Level - Jason Healey. Examining the decisions and actions at all levels of response escalation when a cyber attack is also a national security event, using an example attack on the finance sector, from banks to the military and presidential level.
- Combating the Insider Threat at the FBI: Real World Lessons Learned - Patrick Reidy (CSO of the FBI). "Come hear how the FBI uses a surprising variety of methods to combat insiders. In this session the FBI will provide five key lessons learned about effective detection and deterrence techniques used in the FBI's insider threat program developed over the last decade."
- Exploiting Network Surveillance Cameras Like a Hollywood Hacker - Craig Heffner. A live demonstration of leveraging vulnerabilities described in this talk to freeze and modify legitimate video streams from cameras such as those found in in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities.
- Aaron Swartz, Weev, the CFAA and The Future - Kurt Opsahl, EFF [panel]. With the dangers of the CFAA and overzealous, uneducated prosecutors now known, the infosec community has been thrust into the role of educating and persuading lawmakers to reform this dangerous law. The EFF's Opsahl leads a panel and on-the-spot outreach to the community to discuss and propose tactics on all levels.
- Lawful Access - Matt Blaze, Brewster Kahle, Jennifer Valentino-DeVries, Alan Davidson [panel]. "When you get a National Security Letter, no one can hear you scream." Being served with a search warrant for a criminal investigation can be scary enough, but if you're the target of a national security investigation, you won't be allowed to tell anyone about it. This panel discusss the technical risks of surveillance architectures, the legal and technical defenses against over-broad or invasive searches, and actual experiences fighting against secret surveillance orders.
Mobile hot list highlights:
Threats to mobile devices such as injecting malware into Apple’s iOS devices with malicious chargers, intercepting traffic and SMS messages through compromised femtocells cracking BlackBerry’s new OS 10, rooting SIM cards and building a spyphone that can record conversations and send messages without you ever knowing.
Infrastructure hot list highlights:
Preventing attacks on critical infrastructure and national security with talks around insider threats at the FBI, energy fraud and orchestrated blackouts, compromising industrial facilities, threats to major oil and gas pipelines and exploiting network surveillance cameras.
Home attacks hot list:
Exposing vulnerabilities within our homes from automation systems such as HVAC and lighting, to other network-controlled devices such as door locks and garage sensors, to hacking some of the most well known home security systems and even the newest smart TVs.
At the Black Hat Arsenal:
Researcher demo highlights: bypassing a car’s security for less than 25 dollars, to analyzing smartphone penetration testing and performing web application security audits.
Can't make it, or just want to keep pace with Black Hat?
Follow Black Hat Briefings on Twitter @BlackHatEvents, check Black Hat on Facebook, and connect with Black Hat on its LinkedIn Group - social updates can be found at hashtag #BlackHat. Watch for photos on the Black Hat Events Flickr account.
An item I had selected for this list was Implantable Medical Devices: Hacking Humans by Barnaby Jack - it had been recommended to me by all experts and organizers I queried. There are many heavy hearts at the passing of Mr. Jack, and the sadness is palpable. He will be so very deeply missed. Black Hat has held his room time and talk slot open: Black Hat will not be replacing Barnaby’s talk on Thursday, Aug. 1. The hour will be left vacant for friends and family to gather: Black Hat has set aside the time to commemorate his life and work and stated to this year's attendees, "we encourage you to join us as we celebrate the legacy that he leaves behind."