As usual, Black Hat USA brought with it a new round of exploits, innovative hacks and offensive and defensive tools.
So what were the talks and news items in 2011 that caused the most buzz? There were many, but here are a few highlights from the conference in the eyes of SecurityWeek, in no particular order:
• Hacking Insulin Pumps: Security researcher and diabetic Jay Radcliffe uncovered a way to remotely hijack his insulin pump and send commands to it. A motivated attacker could use the vulnerability to potentially pump too much – or too little – insulin into the body of diabetic.
• Your Own Personal Spy Plane: For a reported cost of $6,000, security researchers Mike Tassey and Richard Perkins turned a surplus FMQ-117B U.S. Army target drone into a makeshift remote-controlled spy plane armed with Wi-Fi and hacking tools.
• Hacking Google Chrome OS: Matt Johansen and Kyle Osborn of WhiteHat Security demonstrated how to compromise Google’s Chrome OS via Web extensions vulnerable to cross-site scripting bugs that can be used to inject JavaScript into user machines by leveraging the permissions the extensions use.
• Facing Facebook: Alessandro Acquisti of Carnegie Mellon University showed how, using off-the-shelf tools, it is possible to assemble a database of Facebook photos and positively identify people by matching their Facebook pictures with other photos. Among those identified included users of an online dating site that had registered using pseudonyms.
• Are you a Mac or a PC?: A security smack down between Microsoft Windows 7 and the latest version of Apple Mac OS X briefly took center stage at the conference as security researchers from iSEC Partners ranked the operating systems according to how they fare against advanced persistent threats (APT). The verdict – Mac and Windows are even in some respects, but network privilege escalation poses a serious challenge in Mac environments when it comes to APT.
• Uncle Sam Steps In: Ex-CIA official Cofer Black spoke at the conference about the threat of cyber-warfare, while famed security expert Peiter “Mudge” Zatko talked up the Defense Advanced Research Projects Agency’s (DARPA) Cyber Fast Track Program, which is meant to reach out to the security community by funding experimental technologies that could be used by the military.
• Hack Your Way into a Car: Don Bailey and Mathew Solnik of iSEC Partners were able to remotely send commands that unlocked the doors of a Subaru Outback and started the engine. They called the technique “war texting.”
Though Black Hat has now come to a close, many attendees are expected to stick around for DEF CON 19, Black Hat’s sister conference, where some of the sessions will be repeated.