BlackHat EU 2012 - Day two and three summaries

I have been enjoying myself at BlackHat Europe 2012, soaking up some of the leetness, absorbing some of the technologies I am less familiar with, meeting great people, and talking with them about things which really interest me - which is all good.


BlackHat EU 2012 - Day two

My Presentation seemed to go well, with several interested people coming up to ask various questions afterwards, maybe due to the fact that I described and showed around 10 exploits I recently discovered in common security products (all patched now BTW - but some very interesting, some creative, and several rather ironic - for example: "a spam the reconfigures the spam-filter", "a URL that owns the URL-filter").


My favourite presentation of Day two was "Data mining a mountain of Vulnerabilities" with Chris Wysopal.

This was quite a dry subject, but very well presented. Lots of data on vulnerabilities, with statistics on vulnerabilites sorted by application language, platform, horizontal and vertical markets, (among many other things)

Really interesting data, and something I feel that I might consult when doing application testing.

Chris had some really interesting graphs, the one above showing clearly that most web-apps contain at least one of the most serious flaws.

Day three

Some really interesting presentations today on mobile/smartphone security. It's hard to choose the best one really, as the following three were very good, and looked like the conclusions were based on very solid research (and many hours of work).

• "Secure Password Managers" and "Military-Grade Encryption" on Smartphones: Oh Really? by Andrey Belenko + Dmitry Sklyarov
• Hmm... so password managers on smartphones are not very well coded - not a surprise really but, a lot of work has been done by these guys to review some of the most popular ones and find some bugs
• Apple vs. Google Client Platforms by Felix 'FX' Lindner
• A great talk this, delivered in FX's highly amusing style
• The Mobile Exploit Intelligence Project by Dan Guido + Mike Arpaia
• Interesting perspective from acedemia on the stats behind mobile exploits, it seems that the hype might be just hype (at least on the iOS platform, more potential on Android though, but still, not a great deal of real platform-pwnage happening)

Anyway, I am in the airport on the way home, and it has been a very good week...