Black Hat & Defcon 2008 – a brief summary

Sean wasn’t the only SophosLabs attendee at this years Black Hat – there was also Pete from the Australian lab, Mike S from the Canadian lab and myself from the UK lab. The plan had been to update the SophosLabs blog with regular comments on particularly interesting talks, but after Mike carried out some network traffic analysis and found (unsurprisingly for a ‘hackers’ conference) that port scanning was “off the charts” we decided to deem the provided wifi network as hostile and simply didn’t use it.

As Sean mentioned, the talks overlap so you are forced to choose the ones that you think will be most relevant. The talks I felt were most relevant to the AV industry were two given by Microsoft. The first was presented by Mike Reavey, Steve Adegbite and Katie Moussouris. They basically announced how they were going to be providing in depth detail of vulnerabilities found in Microsoft and other products to chosen security vendors (yet to be announced). Cynics I spoke to afterwards hinted that this was necessary on Microsoft’s part to avoid anti-competitive laws, but personally, I don’t care what the motivating factor was. I’m simply pleased to see Microsoft making quite a large leap in the correct direction. You can read more about this initiative on the Microsoft website.

The second excellent Microsoft presentation was given by Bruce Dang concerning exploited OLE2 documents. Pete blogged about malicious OLE2 files back in April and mentioned that part of the problem was the lack of information available to AV researcher. In this presentation, Bruce gave details of what is required in order to detect these files. Good stuff.

After Black Hat we all moved down the Strip to the Riviera to attend DefCon. One of the more interesting paper titles was “Good Viruses. Evaluating the Risks” by Dr. Igor Muttik of McAfee. Gamekeeper turned poacher perhaps?? Anyone who has been in the AV industry for any length of time will have heard crackpot theories about using self replicating code for various tasks (like patching vulnerabilities etc) so we all turned up to witness one of our own switching to the dark side. In the end, the title of the paper should have been “You already know it but self replicating code is never a good idea” since that is what Dr. Muttik’s conclusion was. Phew. The presentation did however have some very entertaining slides regarding viral outbreak in World of Warcraft a few years ago (see here for the wikipedia description ). I’d recommend checking that out, it was quite amusing.

I almost forgot – Sean signed his post off by saying “Oh yeah, there is also Vegas.. :-)” – I think this is possibly what he was referring to 😉 – Sorry Sean!

<img src="" title="Sean discusses computer security with a friendly Vegas resident"

Above: Sean and one of the locals.