Black Hat USA 2014 Trainings are filling fast!

Register now so you don't miss out on the Training course you want | more info

With just a handful of days left to our early registration deadline, here's the Black Hat USA 2013 intel update for Tuesday - just one of multiple updates we'll be giving you this week, since we have a whole heap of amazing Briefings content to reveal.

This time, we're focusing on three talks presented for the first time at Black Hat USA 2013, each of which dip into clever exploits and workarounds for major protocols - from BlueTooth 4.0 through SSL to TLS sessions. Here's some more details on each of them:

  • In 'Bluetooth Smart: The Good, The Bad, The Ugly, and The Fix!', iSec Partners' Mike Ryan presents a painstakingly researched talk on the widely used protocol. This talk not only shows the weaknesses (both bad and ugly, as noted!) of BlueTooth 4.0, it shows the tools to hack it and even how to prevent being sniffed yourself. And even better, in a growing trend at Black Hat, more and more researchers are including guidance in how to fix the discovered issue. So if you'd like to see a live demonstration of sniffing and recovering encryption keys using open source tools Ryan and partners developed, alongside a clever fix to render the protocol secure against passive eavesdroppers, this'll be the lecture for you.
  • Next, we're focusing on 'SSL, gone in 30 seconds – A BREACH beyond CRIME', presented by Angelo Prado and Neal Harris. This talk is particularly important because HTTPS gives consumers the feeling of safety. Security professionals look to SSL to provide a notion of identity (you know who you are talking to) and confidentiality (the stream of data is just for you and the server!) This talk shows how to reliably retrieve encrypted messages like session IDs, OAuth tokens, email addresses, and more via an exploit. The presenters then explain how you can protect against this type of attack, and will even release a tool, BREACH, at the end of the session to help the community test and mitigate.
  • Finally, 'Truncating TLS sessions to violate beliefs' from Ben Smyth showcases attacks against a basic Internet communication security layer to do a number of eye-opening things. As Smyth explains, his research has "identified web applications which fail to maintain order between TLS sessions... thereby causing a desynchronisation between the expected state of the user and server." As a result, Smyth shows how he can exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts - all substantive and notable exploits which will give major lessons to web security development professionals.

These three talks are but a small chunk of the newly revealed Briefings content with even more flowing in over the next few days - look out for more announcements on major content for our Black Hat show in Las Vegas this July, coming over the next couple of days.

LatestIntel

  • Black Hat USA 2014: Pentesting? Thought You'd Never Ask | more info
  • Black Hat Asia 2014: Clever Network
    Tricks | more info
  • Black Hat Asia 2014: Lurkers:
    APTs, RATs, Rootkits, and
    Response | more info
View More

UpcomingEvents

ShowCoverage

StayConnected

Fill out the form below to stay up to date on the latest Black Hat info, newsletters and intel.

Email*
First Name
Last Name
Subscription Group

Sustaining Sponsors