This year's Black Hat information security
conference in Las Vegas set an attendance record -- and brought attention to a host of severe security threats. Presentations ranged from how any USB device could be hacked and creating fake Web sites, to the discoveries that Russian hackers had amassed 1.2 billion logins and that 2 billion smartphones were vulnerable to hijacking.
Dan Geer, the chief information security officer for In-Q-Tel, an Arlington, Virginia-based non-profit venture capital firm, focused on public policy recommendations for information security in his keynote address.
Geer said a mandatory reporting system for significant security vulnerabilities should be created, similar to the system the federal Centers for Disease Control and Prevention has for pandemic outbreaks. He also said software developers should legally liable for their source code, and the government should compensate people who discover security flaws.
Geer supported a recent European Union court finding that individuals have the "right to be forgotten." "There is something important about being able to reinvent ourselves," he said at a press conference following his keynote.
New Year, New Threats
Attendance at Black Hat grew from 7,500 last year to a record 8,000 this year, forcing the conference to relocate from Caesar's Palace to the more spacious Mandalay Bay Convention Center, with attendees from 91 countries. The conference, which wrapped up Thursday, was the 17th such meeting since its launch in 1997.
Researchers presented their latest findings on the newest threats and vulnerabilities to information security. This year's conference touched not only on security for Web sites and personal computers, but also on the increasing number of devices and infrastructure being connected through the Internet. Researchers from Qualys, for example, demonstrated that airport scanners used by the U.S. Transportation Security Administration could be attacked through backdoor accounts embedded in the agency's firmware.
Berlin-based security firm Security Research Labs demonstrated that the firmware that controls USB functions could be used by hackers to take control of computers. The finding could represent an entirely new class of attack for which there are no current defenses. The flaw allows hackers to reprogram a USB device's firmware with malicious code, allowing them to gain access to PCs connected to the infected device, and issue their own commands. Unauthorized users could use the flaw to install malware, access files, or issue commands.
Another major vulnerability revealed at Black Hat affects the HTTPS protocol, which uses encryption to help users browse the Web securely. The so-called Cookie Cutter attack detailed at the conference allows hackers to steal users' cookies and impersonate Web sites hosted by Akamai, including popular sites such as CNN, LinkedIn and the National Security Agency (NSA). (continued...)