Great story about BlackHat USA'2014

Just the other day (August 2-7), the most famous security conference in the world was held - BlackHat USA'2014 in which we took part in all its sections: trainings, presentations and participated as sponsors with a stand in the business hall. A lot of interesting, personal impressions and in general - in detail about the konfu under the cut!

So, about BlackHat. BlackHat - one of the oldest and most famous security conferences in the world, takes place throughout the year in different parts of the world, but the most important one is in the USA, Las Vegas. Most often, the coolest reports can be heard for the first time right here, as many scribes “keep” their results until the last, waiting for a performance on BH. In general, it was there that we visited :)


Venue - Hotel Mandalay Bay (with a very non-trivial plan - it's pretty easy to get lost)

Part One - Training

As I said, BH “consists” of three parts. The first is training (August 2-5, 4 days). The bottom line is this: different companies and independent reporters submit applications with a description of the training on a topic that somehow relates to information security (reverse, web, network, social engineering, hardware hacking, etc.). The organizers consider applications, publish the selected trainings on the website and then they are responsible for recruiting students for the training, accept payment (average price ~ 2-4 thousand dollars) and do other org. questions (providing a room for the training itself, typical equipment, dinners, etc.). We also submitted an application with the theme ENTERPRISE BUSINESS APPLICATION SECURITY: ATTACK AND DEFENSE and passed the selection, becoming the first company in Russia to conduct training at BlackHat! Almost all places were sold out.


In training withAlexandrPolyakov

It is worth noting that for me it was the third training with this topic (the first was in Denmark with chipik (for various corporate customers), the second at Hack In Paris in France according to a similar scheme with BlackHat and the third, actually, at BlackHat). During this time, I realized that the level of students is very “jumping” and it is almost impossible to prepare material of one level - some people rewrite the exploit before you explain it, while others sit still not knowing how to copy from cmd to cmd and ask what is python. Therefore, it is important to be able to teach everyone so that everyone is satisfied and gets what they expect from the training:]

BlackHat stood out by the fact that there were still more “rummaging” people who were able to clearly and quickly complete practical tasks and evaluate the whole fan from some attack vectors.
After finishing two days of training, teaching people how to break SAP, exploiting vulnerabilities and misconfigs in Oracle, as well as other business applications from Oracle and Microsoft, there were two days off (some other trainings lasted longer or started later). During this time, someone is going somewhere - who is in LA, who is at Grand Canyon or somewhere else closer to have time to return to the beginning of the second and third part of the conference.

A little about the prices. An average lunch is more expensive than usual - $ 12-14, a ticket for two on a Las Vegas - LA - Las Vegas bus = $ 90, you can fly a little more expensive by plane if you buy tickets in advance (I always wanted to take the bus between the cities, it happened, more do not want). Hotels are very cheap - something very simple in the center of Vegas with Wi-Fi and breakfast - 30 bucks, if a good hotel (for example, where the conference takes place) - from 100 and higher per day (the price of the most ordinary hotel in Moscow). Traveling is almost always only by taxi - it costs about 10 for a trip inside the city (along the strip, central street). A lot of paid and free entertainment (for example, a fire show, Bellagio's fountains, etc.). Well and everywhere tips from 15% and taxes :)

Part 2 and 3 - exhibition of vendors and reports

I combine these parts, since they go in parallel (August 6-7).
About the exhibition.


Photo from blackhat. Showroom

If the company wants to sponsor BlackHat, then naturally it gets something in return ( here pdf'ka with prices and goodies). We were there with such a stance:


Here, almost all of our team, which took part at BlackHat, excluding dark_k3y , reads a report on ICS

In total - a hefty room where there are just a bunch of vendors, some buns are being handed out near each counter (sometimes quite expensive - prizes of $ 100 + can be used for some random instant lottery) and try to tell you something about their product. But first, everyone at the booth reads your NFC badge, where is your mail, name and other data ... And the next Monday after the conference you can find a lot of spam :) Also, there were absolutely no hacker competitions, such as duck shooting. Although, sometimes there were local CTFs (just as part of the exhibition).


With chipik we try to win in a kicker and pick up a prize

Nevertheless, about hacker competitions - I took part in a couple of them - from HP (give 15 minutes, you need to find typical web bugs, 10 tasks, easy) and from Symantec - it was more difficult there and the main prize - 5k cu (no one took it). I managed to take a few flags honestly and accidentally hack a backup server through MS08-067 (it’s very strange that there was such an old unpatched machine), where there were almost all the flags:] In general, different things were distributed that were distributed by the most resistant and who ever I decided (it makes no sense in vraytap).

Papers are an epic part of the conference. I think many have heard about the report how to deanonymize any user in TOR for $ 3000 and about its subsequent cancellation, it's all on BlackHat, like so many other passions and intrigues. Also, this is a great time to personally get to know many famous reporters.

There was a report from our company on how to crack an ERP system through a current loop (what is only one name worth, huh?) From dark_k3y . By the way, I think it’s just appropriate to insert a paragraph from it here, since we are discussing the topic of reports:

Of the reports that we managed to go to, we can highlight several of the most interesting. Firstly, this is Jeong Wook Oh's
“REVERSE ENGINEERING FLASH MEMORY FOR FUN AND BENEFIT” report (reverse engineering of flash memory for fan and income), which
showed techniques for restoring and reverse engineering firmware from NAND memory. At the same time, the speaker danced from the stove, that is,
from how to properly remove the NAND chip from the device board and before disassembling the firmware in IDA, while demonstrating the
developed utilities for correctly extracting firmware from chips from different manufacturers. I also really liked the report
"MULTIPATH TCP: BREAKING TODAY'S NETWORKS WITH TOMORROW'S PROTOCOLS", which talks about the extension of the TCP protocol - MPTCP and
security issues that may arise when using it. And of course, Charlie Miller has traditionally been very good
with his next car safety study “A SURVEY OF REMOTE AUTOMOTIVE ATTACK SURFACES”.

Bonus Part: Parties

There is also the traditional end of the day - parties from various companies at the end of the day (usually days of reports). It looks like this: we go to www.blackhat.com/us-14/party-and-networking.html , we also just talk and look around in the business hall, choose parties at a convenient time (usually 2-3 parties in the evening, from, for example, from 7 a.m. to 9 p.m. and further), we register (sometimes it is necessary to personally record on a booth in the business lounge) and go to a party at the appointed time :) Free strong drinks, cocktails, music, etc. - everything for those who came to the party. At the same time, I did not see any advertising or PR at any party. Just as if everyone had gathered in one place and resting.


Microsoft party at hakkasan

In the balance (IMHO)

BlackHat is very cool and expensive (for the same DefCon entrance costs $ 220, here $ 2k +). But there are also disappointments. I walked around different booths of companies and many sell such a huge amount ... Absolutely unimpressive products. And many have a problem in general with preparation. I understand that sales managers are mainly on the racks, but they should know at least the OS on which their product can work. Or just meet a completely typical product for another analysis of the network and building its map. Some fairly honestly answer - “Do you know the product XXX? So, we are the same, only cheaper "(while the rack of the product XXX stands opposite). Perhaps it’s just that techies don’t need to go into the business hall, that’s why it is business :) But there are also cool parts - trainings and reports, they are at an excellent level.

And in Vegas, and specifically at BlackHat, it’s cool, it’s definitely worth going not only for fun, but also for experience, personal acquaintances and knowledge.