An anonymous poll of attendees at last week’s Black Hat security conference in Las Vegas found that web services and web 2.0 technologies will pose the biggest security concerns to enterprises in the coming year, followed closely by security issues stirred up by virtualization. Commissioned by Symantec, the survey polled 500 attendees at the conference, which drew nearly 5,000 people this year.
According to the survey, Black Hat was attended primarily by security-minded individuals from North America. Though the conference focused heavily on hacks and vulnerabilities drummed up by security researchers attending the event, IT managers and enterprise security personnel dominated attendance.
Symantec found that 55 percent of those surveyed have never created any piece of malcode in the name of research or education and only 17 percent of respondents said they would create malware if they thought it helpful for research or their education.
Black Hat is generally known to be a stage for researchers to build awareness of critical and dangerous vulnerabilities that could negatively impact enterprises and government organizations. This year’s event did not disappoint, with the spotlight lingering on a DNS protocol vulnerability discovered by security researcher Dan Kaminsky that compromises the security of many Web sites online, as well as FTP and SSL (Secure Sockets Layer) certificates validated via the Web.
Though Kaminsky’s research was known before Black Hat, his talk on Aug. 6 reviewing the details was standing-room only. “That was a super highly attended talk,” said Zulfikar Ramzan, technical director for Symantec. “It was literally impossible to get into the room once it started.”
Beyond DNS buzz, Black Hat was also awash in discussions over Web 2.0 and virtualization. The Symantec survey found that 35 percent reported that virtualization will cause the most security issues next year and a whopping 46 percent of respondents believe Web 2.0 technologies will cause the top security issues next year.
“One of the issues that comes up from Web 2.0 is that it allows contributors to provide content for sites and what happens then is you have to worry about contributors putting something malicious up there,” Ramzan says.
The good news is that most of the companies who have been active in the space have done a fantastic job of really monitoring those pages for malicious content, but the possibility still remains and IT managers have to worry about it. I think at the end of the day you don’t want even one machine infected on the network because that machine can be piggybacked upon to gain entry to other points on the network and it’s that point of entry that it managers are really concerned about.”
Perhaps one of the most media-worthy happenings at the conference, however, was brought upon by the media itself.
Three French journalists were booted from the conference after setting up a trap for fellow journalists on the free wireless access within the press room tricking an eWEEK reporter into entering a corporate password in the clear over the network and stealing his credentials. Though they claimed it was all in the spirit of collegial Black Hat research, they were expelled from the conference.
The controversy highlights one of the major difficulties that full-time security researchers face when bringing new vulnerabilities and security problems to light, namely the ostracism and potential legal troubles they may face from those who would rather keep the lid on problems.
At Black Hat this year, the Electronic Frontier Foundation (EFF), a non-profit, advocacy organization that “confront(s) cutting-edge issues defending free speech, privacy, innovation, and consumer rights,” online (according to its Website), launched a new initiative entitled the Coders’ Rights Project meant to combat these threats faced by researchers.
“EFF’s Coders’ Rights Project will provide a front-line defense for coders facing legal challenges for legitimate research activities, ” says EFF Civil Liberties Director Jennifer Granick.