Breaking things--that's what the very bright and super curious do; they look beyond the obvious to see what's truly lurking beneath the surface. On Wednesday and Thursday, attendees at Black Hat D.C. 2008 got a window into the latest research being done on Web applications, wireless, and embedded technologies.
On Wednesday, researchers David Hulton and "Steve" showed how with about $1,000 with of equipment they can decrypt A5/1 cellular GSM traffic in less than a hour. Following that, Adam Laurie reprised his popular RFIDiots talk from last year's Black Hat briefings with a new program that allows him to read the data off smart credit cards "hands free."
Perhaps the best new presentation at Black Hat D.C. 2008 took place in the early afternoon. In "Bad sushi: Beating phishers at their own game" researchers Nitesh Dhanjani and Billy Rios relentlessly tracked down the origins of several online phishing sites to reveal, not super-smart ninja hackers, but sloppy coders who cut and paste and even steal from one another. Following that, David Litchfield, a substitute for a canceled talk on VoIP, presented on new Oracle vulnerabilities. Finishing the day was Neal Krawetz, who expanded his talk from Black Hat Las Vegas on image analysis, this time including his research into the veracity of Osama bin Laden's beard in a recent video.
Wednesday night included a social. There was also a speaker from the Washington, D.C.-based Spy Museum with stories of real-life spies.
On Thursday, Tiller Beauchamp and David Weston gave a presentation on DTrace, a security research application that is now available within Mac OS X Leopard and coming soon to various distributions of Linux. Following that, Zac Franken reprised his previous talk on biometric and token-based access control systems with new information on work access cards. After lunch, talks included Chris Wysopal on classification and detection of backdoors, Jason Larson on SCADA security, and Jon Oberheide on exploiting virtual machine migrations.