Another Year @ Black Hat


So, another year at Black Hat in Las Vegas has come and gone.  While attendance may have been down a little and there wasn't any legal gunslinging like in past years, when talks were pulled or moderated as a result of legal threats from the vendor community, there were more interesting talks than one person could fit into two very full days.  The challenge, as usual, was deciding which to attend, especially when several interesting sessions were scheduled at the same time.  I participated on a couple of panels, which cut into my viewing availability, and I missed a couple I really wanted to hear.  Not only were there a lot of great talks, the creative session naming by those selected to present was enticing.  Some of the better session titles were:  "I Just found 10 Million SSN's" (more below); "Exploratory Android Surgery"; "Mo' Money Mo' Problems: Making A LOT More Money on the Web the Black Hat Way"; "Reverse Engineering By Crayon: Game Changing Hypervisor Based Malware Analysis and Visualization"; and my favorite, "Psychotronica: Exposure, Control, and Deceit".


A couple of the sessions I attended and thought were particularly interesting were "I Just found 10 Million SSN's" by Alessandro Acquisti, "Cloud Computing Models and Vulnerabilities: Raining on the Trendy New Parade" by Alex Stamos, and "Re-conceptualizing Security" by the always popular Bruce Schneier.


"I Just found 10 Million SSN's" caught my eye because it made headlines a few weeks ago when Wired magazine published an article on the subject called "Social Security Numbers Deduced from Public Data" (see Predicting SSNs).  Making predictions based entirely on public data, Alessandro and his colleagues at Carnegie Mellon were able to detect patterns in Social Security Administration Death Master File (DMF) information that are highly reliable.  Essentially, by knowing date and location of birth, the CMU folks were able to correlate and determine all nine digits of the SSNs for 8.5% of the study group in fewer than 1000 attempts.  One of the funnier things Alessandro mentioned was that during their research, when coordinating with the Social Security Administration and telling them that they thought they may have found a way to predict SSNs, he got an email back that said something like, "if you think you can figure out a way to determine the SSNs of individuals, you are smarter than I am."  What else can you say?


"Cloud Computing Models and Vulnerabilities: Raining on the Trendy New Parade" is the topic du jour and a faddish one to talk about.  Alex Stamos is one of the smarter guys I know and deceptively funny.  He's also good at understanding his audience, so he takes a very complicated subject and presents it so everyone gets it.  One of the more important points of his cloud security presentation was the legal concern about search and seizure.  Essentially, Alex's research says that by moving data to the cloud you give up some of your 4th Amendment rights against search and seizure, because the physical location of the data is, legally speaking, critically important.  So, where you have valid expectations of protection against unreasonable search and seizure for data in your home, putting the same data out in the cloud changes the equation and you may lose: 1) the protection of a warrant; 2) the guarantee of notice; and 3) the ability to fight the seizure beforehand.  These are things that should be consciously addressed before making the move to the cloud.


Finally, Bruce Schneier talked about Re-conceptualizing Security.  If you've been following Bruce's work for the past couple of years, you know that he has been engaged in studying behavioral economics, the psychology of decision making, and evolutionary biology, and how these relate to security.  Well known for his thoughts on Security Theater, that is, security measures that do little to improve actual security but give the impression of being effective, Bruce gave a very interesting talk on the perception of security, risk, and cost.


Overall, another successful Black Hat conference, so props to Jeff Moss and his crew.  Tomorrow, I head over to the darker side, where we'll see what DefCon has in store.
