BlackHat作为全球信息安全行业的最高盛会,有着悠久历史,今年已经进入了第21个年头,每次会议的议题筛选都极为严格。众多议题提交后通过率不足20%,所以Black Hat也被称为最具技术性的信息安全会议。
时间:2018年8月8日-9日
Black Hat官网地址:https://www.blackhat.com/
议题速递――首日下半场Mental Health Hacks: Fighting Burnout, Depression and Suicide in the Hacker Community
演讲人:
Christian Dameff | Emergency Medicine Physician & Clinical Informatics Fellow, University of California San Diego
Jay Radcliffe | Security Researcher, Boston Scientific
演讲时间:14:40-15:30
主题标签:Community
It’s not easy to miss the gunshot wound in the trauma bay, or the cough of a rip-roaring pneumonia. But as anyone who has struggled with mental illness can attest- psychic wounds run just as deep, yet are often shunned or ignored by family, friends, coworkers, and even healthcare professionals. This needs to change.
Mental illness affects one in five Americans, and suicide is the second leading cause of death for people in their early twenties. Chances are if you haven’t struggled with depression yourself you know someone who has, and the hacker community is not immune to the pressures of high stress jobs, abnormal sleep schedules, social depersonalization, and many of the other risk factors predisposing to substance use disorders or suicide.
Join Christian Dameff, a hacker moonlighting on the front lines of healthcare as an emergency medicine physician, and Jay Radcliffe, world-renowned security researcher who has struggled with and depression, ADHD and a variety of other mental health conditions, as they work to shatter the stigma and silence surrounding this monumental crisis affecting the hacker community and society- at large. Combining the latest in evidence based medicine and pharmacology with powerful anecdotes of personal experience combatting depression, this talk will educate, challenge, and invigorate you with a hope-filled and simple message- you are not alone, and you are surrounded by friends who want to help.
Compression Oracle Attacks on VPN Networks
演讲人:Ahamed Nafeez | Security Researcher, Independent
演讲时间:13:30pm-14:20pm
主题标签:Enterprise, Cryptography
Security researchers have done a good amount of practical attacks in the past using chosen plain-text attacks on compressed traffic to steal sensitive data. In spite of how popular CRIME and BREACH were, little was talked about how this class of attacks was relevant to VPN networks. Compression oracle attacks are not limited to TLS protected data. Regardless of the underlying encryption framework being used, these VPN networks offer a very well used feature usually known as TCP Compression which in a way acts almost similar to the TLS compression feature pre-CRIME era.
In this talk, we try these attacks on browser requests and responses which usually tunnel their HTTP traffic through VPNs. We also explore the possibility of attacking ESP Compression and other such optimizations in any tunneled traffic which does encryption. We also show a case study with a well-known VPN server and their plethora of clients.
We then go into practical defenses and how mitigations in HTTP/2’s HPACK and other mitigation techniques are the way forward rather than claiming ‘Thou shall not compress traffic at all.’ One of the things that we would like to showcase is how impedance mismatches in these different layers of technologies affect security and how they don’t play well together.
Don’t @ Me: Hunting Twitter Bots at Scale
演讲人:
Jordan Wright | Principal R&D Engineer, Duo Security
Olabode Anise | Data Scientist, Duo Security
演讲时间:14:40-15:30
主题标签:Applied Security, Human Factors
Threat Modeling in 2018: Attacks, Impacts and Other Updates
演讲人:Adam Shostack | President, Shostack & Associates
演讲时间:14:40-15:30
主题标签:Security Development Lifecycle
Attacks always get better, and that means your threat modeling needs to evolve. This talk looks at what’s new and important in threat modeling, organizes it into a simple conceptual framework, and makes it actionable. This includes new properties of systems being attacked, new attack techniques (like biometrics confused by LEDs) and a growing importance of threats to and/or through social media platforms and features. Take home ways to ensure your security engineering and threat modeling practices are up-to-date.
