[ISN] Black Hat Descends on Washington

From: InfoSec News (alerts@private)
Date: Tue Feb 19 2008 - 22:38:48 PST


http://www.internetnews.com/security/article.php/3728856

By Sean Michael Kerner
InternetNews.com
February 19, 2008

WASHINGTON, D.C. -- The name "Black Hat" for years has been synonymous 
with shadowy hacker activities. Many also know that the term refers to 
the popular annual security conference of the same name, long held in 
Sin City itself -- Las Vegas.

This week, however, the Black Hats aren't flocking to Vegas. Instead, 
they're meeting in the heart of the federal government: Washington, 
D.C., a setting that makes for a very different type of security 
conference.

[cob:Related_Articles]"It's almost the 'white hat' Black Hat, with much 
more focus on defense than offense," said Brian Chess, founder and chief 
scientist at enterprise security player Fortify Software.

Chess is no stranger to either Black Hat or Washington. His firm is a 
partner with the government-funded Computer Emergency Response Team 
(CERT) on automated compliance checking.

At the last Black Hat Las Vegas event, Chess also ran the famed Iron 
Chef Black Hat hacking challenge.

This week, he's expected to speak once more on security issues. This 
time around, Chess will be talking about software testing and using 
functionally tests to find vulnerabilities.

"It's about how you build software right, as opposed to how you break 
something," Chess told InternetNews.com. "We'll be talking about some of 
the less-than-ideal ways that people go about finding security 
vulnerabilities in their code."

In Chess' view, developers often fail to do a great job of security 
testing simply because they don't have to. Since plenty of bugs can be 
found easily, they typically feel little incentive to undertake a more 
rigorous and thorough search that might find all bugs, he said.

On the flip side, "if you actually want to build something that is 
secure, there actually is a lot you can do," Chess said.

Not surprisingly, the security conference's inside-the-Beltway setting 
also means it will have a special focus on government. Among the week's 
sessions are a talk on phishing and the Internal Revenue Service (IRS), 
and a discussion of potential cyber-threats to the 2008 presidential 
election.

The government focus is also reflected in the background of some of the 
speakers at the event. The only keynote of the Black Hat D.C. event is 
being delivered by Jerry Dixon, a former deputy director of US-CERT and 
the founding director of the IRS's Computer Security Incident Response 
Capability.

A former U.S. spy is also on the speakers list. In a talk about social 
engineering, Peter Earnest, a 35-year veteran of the Central 
Intelligence Agency, will discuss his experiences in espionage.

While this week's conference will offer a different perspective compared 
to its larger, more free-for-all Las Vegas counterpart, followers of the 
goings-on at Black Hat can still expect much of the same.

"It's still Black Hat," Chess said. "The reason why people come out for 
Black Hat is they want to get a taste for what's going on from a 
technical, vulnerability-researcher point of view. So I expect the 
presentation style will be about the same."


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Tue Feb 19 2008 - 22:54:43 PST