Blackhat 2010 Round Up

Tenable was in attendance for Black Hat 2010 in Las Vegas last week. In addition to having a vendor’s booth, we presented four days of Nessus training, our very own Carole Fennelly organized Hacker Court and we hosted a party at Margaritaville. Below are some pictures and more details on the events:

I taught the course titled "Advanced Vulnerability Scanning Techniques Using Nessus", which was well received by the students. We had a pretty full class for both sessions and the students were exceptional. They worked through all of the exercises and even participated in group discussions that covered vulnerability management, enterprise security monitoring and presenting security metrics to management.

The students (and the instructors) had a great time as the students learned how to use the advanced features of Nessus, such as creating their own audit files, using the Nessus API and configuring web application vulnerability scans.

David Poynter, pictured above enjoying a noodle break, was assisting with the instruction of the course, providing his expertise using Nessus and Tenable's enterprise tools such as SecurityCenter.

Barnaby Jack gave a fantastic presentation and showed several different methods for attacking ATMs. He found an authentication bypass vulnerability that allowed him to upload malware to two different ATM models. The malware could be accessed remotely or allow a user at the terminal to interact with a hidden menu. In both cases he could "make all the money come out" without using a valid ATM card and PIN number.

The picture above shows one of the two ATMs that were attacked by Barnaby during the live demonstration. This model is typically found in a bar, restaurant or convenience store.

Chris Paget gave a fascinating talk on extending the range of RFID. He believes he may have set a world record by reading a non-powered RFID tag at 217 feet. He used two very large antennas (one for sending and one for receiving) in addition to a power amplifier to achieve this distance.

Tenable hosted a well-attended party at Margaritaville. The first 100 people received Tenable/Nessus Hawaiian shirts and a Nessus cigar.

Ron and Cyndi Gula, sporting their Tenable/Nessus Hawaiian shirts, talking with Nmap creator Gordon "Fyodor" Lyons at the Tenable booth.

Hacker Court was in session where a fictional case titled “Subject to Monitoring…” addressed issues of wiretapping, spying on competition, waterboarding employees and privacy. One of the interesting points raised by EFF attorney Kevin Bankston is that wiretap laws have not been updated in 24 years and only apply to audio. What this means is that you can take all the video you want of someone and not be subject to wiretap laws as long as there is no accompanying audio.

Overall, Black Hat was an excellent conference and we are looking forward to returning next year!