[Infowarrior] - Black Hat Descends on Washington

Richard Forno rforno at infowarrior.org
Tue Feb 19 20:02:26 UTC 2008


Black Hat Descends on Washington

Hackers flock to D.C. during this week's conference to talk government,
security and going on the defense -- for a change.

http://www.internetnews.com/security/article.php/3728856

February 19, 2008
By Sean Michael Kerner

WASHINGTON, D.C. -- The name "Black Hat" for years has been synonymous with
shadowy hacker activities. Many also know that the term refers to the
popular annual security conference of the same name, long held in Sin City
itself -- Las Vegas.

This week, however, the Black Hats aren't flocking to Vegas. Instead,
they're meeting in the heart of the federal government: Washington, D.C., a
setting that makes for a very different type of security conference.

"It's almost the 'white hat' Black Hat, with much more focus on defense than
offense," said Brian Chess, founder and chief scientist at enterprise
security player Fortify Software.

Chess is no stranger to either Black Hat or Washington. His firm is a
partner with the government-funded Computer Emergency Response Team (CERT)
on automated compliance checking.

At the last Black Hat Las Vegas event, Chess also ran the famed Iron Chef
Black Hat hacking challenge.

This week, he's expected to speak once more on security issues. This time
around, Chess will be talking about software testing and using functional
tests to find vulnerabilities.

"It's about how you build software right, as opposed to how you break
something," Chess told InternetNews.com. "We'll be talking about some of the
less-than-ideal ways that people go about finding security vulnerabilities
in their code."

In Chess' view, developers often fail to do a great job of security testing
simply because they don't have to. Since plenty of bugs can be found easily,
they typically feel little incentive to undertake a more rigorous and
thorough search that might find all bugs, he said.

On the flip side, "if you actually want to build something that is secure,
there actually is a lot you can do," Chess said.

Not surprisingly, the security conference's inside-the-Beltway setting also
means it will have a special focus on government. Among the week's sessions
are a talk on phishing and the Internal Revenue Service (IRS), and a
discussion of potential cyber-threats to the 2008 presidential election.

The government focus is also reflected in the background of some of the
speakers at the event. The only keynote of the Black Hat D.C. event is being
delivered by Jerry Dixon, a former deputy director of US-CERT and the
founding director of the IRS's Computer Security Incident Response
Capability.

A former U.S. spy is also on the speakers list. In a talk about social
engineering, Peter Earnest, a 35-year veteran of the Central Intelligence
Agency, will discuss his experiences in espionage.

While this week's conference will offer a different perspective compared to
its larger, more free-for-all Las Vegas counterpart, followers of the
goings-on at Black Hat can still expect much of the same.

"It's still Black Hat," Chess said. "The reason why people come out for
Black Hat is they want to get a taste for what's going on from a technical,
vulnerability-researcher point of view. So I expect the presentation style
will be about the same."




