Web application security highlighted at Black Hat

Researchers will shine a light on Web application security at this year's Black Hat USA 2006 gathering.

LAS VEGAS -- The hacker community will dissect the security of Windows Vista, databases, Web applications and technologies like NAC (network admission control) and VoIP (voice over IP) at this year's Black Hat USA 2006 gathering, which starts Wednesday.

Microsoft hopes to convince attendees that Windows Vista is the most secure operating system ever, with an entire track of presentations scheduled on the subject. Security researchers will also unveil 15 new exploits, including two targeting NAC and VoIP vulnerabilities in products from Cisco Systems Inc. and other vendors. Database security, particularly regarding Oracle Corp., will also come under scrutiny.

Also at Black Hat, which will be held at Caesars Palace:

  • Jeremiah Grossman, founder and CTO of Santa Clara, Calif.-based WhiteHat Security Inc., will give a presentation demonstrating how invisible JavaScript exploit code can be used to spy on Web site visits, hijack cookies and record keyboard strokes.

  • Researchers from Atlanta, Ga.-based SPI Dynamics Inc. will offer presentations called "Zero Day Subscriptions: Using RSS and Atom Feeds as Attack Delivery Systems," and "AJAX (in)Security." AJAX, which stands for Asynchronous JavaScript and XML, has become a popular interactive Web design method.

  • Joanna Rutkowska, a security researcher for Singapore-based IT security firm COSEINC, will give a presentation on "Blue Pill," technology she said could be used to create "100% undetectable malware." Rutkowska has said that Blue Pill is important because it demonstrates how hardware virtualization technology could become a major security threat in the coming years, when more people will use processors with hardware virtualization support.

  • On the Oracle security front, Alexander Kornbrust, database security researcher and business director at German firm Red-Database-Security GmbH, will offer a presentation on Oracle rootkits. Plus Pete Finnigan, author of Oracle Security Step By Step and keeper of a popular blog on the subject of Oracle security, will speak on the security weaknesses of PL/SQL, the flagship language used inside the Oracle database.

David Litchfield, managing director at UK-based Next Generation Security Software Ltd., has unveiled mountains of Oracle flaws at past Black Hat appearances. He will be presenting again this year, though details of this year's presentation were not immediately available.

This year's Black Hat is expected to have a different flavor from recent years for a few reasons. For starters, this will be Microsoft's first appearance at the hacker-oriented gathering. Microsoft security program manager Stephen Toulouse said recently that the idea is to provide deeply technical presentations on Windows Vista security to the hacker community and demonstrate how it's the most secure operating system Microsoft has ever developed.

John Lambert, group manager in Microsoft's Security Engineering and Communications Group, will also be on hand to discuss the security engineering process behind Vista. Specifically, he will show how Vista's engineering process differs from that of Windows XP, and he'll display new features designed to blunt memory-overwrite flaws.

Some attendees may be curious to learn whether the tone of the event will be different from previous years, since the conference is now organized by CMP Media LLC. Black Hat Briefings Director and Founder Jeff Moss sold it to CMP last year.

In a statement, Moss also noted that this is the first year entire tracks will be focused on topics such as databases, VoIP, rootkits, Microsoft and forums.

Last year's confab was dominated by the controversy caused by researcher Michael Lynn's Black Hat demonstration of a Cisco router exploit. Lynn isn't scheduled as a presenter at this year's proceedings, which take place Aug. 2 and 3, but Cisco's products may be under the microscope again as researchers discuss the weaknesses in NAC and VoIP.

Black Hat and Cisco settled a lawsuit about the Lynn affair after conference organizers promised not to proliferate Lynn's findings. A Cisco lawsuit regarding any potential disclosures at this week's conference is considered unlikely because the NAC and VoIP exploits being featured are said to be related to underlying technologies used in many products, not just those offered by Cisco.

This year's conference is expected to attract more than 3,000 technically advanced computer security experts, bringing together a unique mix of federal agents, corporate security professionals and the best underground hackers, CMP said in a press release.

"Highlights include new rootkit tools, new VoIP exploits, a dozen high-level feds, exciting zero-days, new contests, and some secret golden eggs," Moss said.

This article originally appeared on SearchSecurity.com.