New attacks and vulnerability trends highlighted at Black Hat
Presentations beginning today will analyze vulnerabilities, zero-day code, phishing and secure wireless deployment, among many other topics.
LAS VEGAS -- Nearly 2,000 hackers of all stripes are expected at the 8th Annual Black Hat Briefings USA this week. Presentations beginning today will analyze vulnerabilities, zero-day code, phishing and secure wireless deployment, among many other topics.
According to conference organizer Jeff Moss, this year's event will demonstrate three significant exploits, 20 new freeware releases and new research on almost 50 topics. This year's focus will be on application security.
"The Black Hat Briefings have become the place where first demonstrations of relevant issues are discussed in the security industry," Jack Holleran, former technical director of the National Computer Security Center at the NSA, said in a statement. "This is where researchers unveil information that pushes the entire industry forward."
The two-day conference, which precedes the better-known DEFCON, will offer a number of ground-breaking sessions, including:
- Phillip Hallam-Baker, principal scientist of VeriSign, presenting "Phishing: Committing Fraud in Public," on new research that tracks organized crime through forensics and data trending.
- Joseph Ansanelli, CEO of Vontu, and Mary Ann Davidson, CSO of Oracle, presenting "The Black Hat Hearings" on protecting customer data, followed by a question-and-answer session with privacy experts from Motorola, In-Q-Tel and Informed Security.
- JD Glaser, founder of NT Objectives, on "Hacking with Executives," including new research, freeware and a panel discussion with executives from VeriSign, Siebel and Safeway on the connection between banks and corporate networks where fraud and financial information leaks take place.
- Peter Silberman and Richard Johnson, iDefense security engineers, releasing a new exploit and tool on buffer-overflow prevention. This presentation will focus on the most commonly exploited software vulnerability in the security world and include the first public discussion of available third-party buffer overflow prevention software for the Windows operating system.
- Gerhard Eschelbeck, CTO of Qualys, presenting "The Laws of Vulnerabilities for Internal Networks" based on research derived from real-world vulnerability data.
"This is an extension of Gerhard's popular talk from last year, this time focusing on internal vulnerability trends," said Moss. "I haven't seen a whole lot of statistics based on internal attack data, so I'm hoping his presentation will shed light about what's going on.
"This year, attendees will be able to play with Paul Wouters' unique WaveSEC deployment, the first wireless network I would consider using in my own home or office," added Moss. "On the more controversial side, David Litchfield will release zero-day code exposing a never before seen security flaw."