Posts tagged "DefCon"

Recap: BlackHat 2015 and r00tz@DefCon 2015

This year Adobe security team members were out in force attending BlackHat 2015 and – new this year – helping inspire the next generation of security professionals at the r00tz @ DefCon conference for kids. Adobe was a major sponsor of the r00tz conference this year helping to set up and run a 3D printing workshop and hackfest for the young attendees.

BlackHat brings together the top experts in the security field to discuss and expose current issues in the information security industry. While there were a variety of talks covering a wide breadth of topics, here are some talks that stood out to us during our time there.

In the discussion panel “Is the NSA Still Listening to Your Phone Calls?” Mark Jaycox from the Electronic Frontier Foundation (EFF) and Jamil Jaffer, former member of the House Permanent Select Committee on Intelligence (HPSCI), talked about government surveillance, and the tradeoffs between keeping our privacy and using surveillance to defend against current threats. It was interesting to see two people on opposite sides of the spectrum openly discussing this complex issue. I felt that by listening to the two parties discuss their points I was able to walk away with a more informed opinion on the current stance of government surveillance in the country today.

James Kettle from Portswigger talked about server side template injection and showed techniques to identify and exploit it on popular template engines such as FreeMarker, Velocity, Twig and Jade. This vulnerability occurs when users are allowed to edit templates or untrusted user input is embedded in the template. It was interesting to see how this vulnerability can be used to directly attack web servers and perform remote code execution instead of cross site scripting. The talk raised awareness on the damage one can do if an application is vulnerable to template injection. Our researchers and security champions will be able to apply the information gained from this talk to identify and mitigate template injection in Adobe products.

In “The Node.js Highway: Attacks are at Full Throttle” talk, Maty Siman and Amit Ashbel discussed the security issues and demonstrated new attack techniques against Node.js applications. The attack on pseudo random number generator in Node.js which allows an attacker to predict the next number given 3 consecutive numbers was quite interesting. This means an application generating password using PRNG might reveal the passwords of all the users. The talk educated our researchers and security champions on new vulnerabilities to look for while reviewing a Node.js application.

In addition to all of the great learnings and networking at BlackHat 2015, many from our team stayed around after BlackHat to attend DefCon and help out at the r00tz @ DefCon conference for kids. This was Adobe’s first year sponsoring the r00tz conference. With the help of our awesome Photoshop engineering teams, we were able to get kid-ready workstations set up with our creative tools and hooked up to cool MakerBot 3D printers. It was a lot of fun helping kids take all of the ideas in their heads and translate them into physical objects they could then take home with them – with, of course, a lot of hacking involved to get many of the ideas to work. In addition to our 3D printing workshop, there were other exercises including a capture the flag contest and robot building contest. It was very rewarding for all of us to sponsor and be a part of inspiring these kids to pursue careers in technology.


Tim Fleer
Security Program Manager

Karthik Thotta Ganesh
Web Security Researcher

Adobe Security Team @ BlackHat 2015

I am headed to BlackHat 2015 in Las Vegas this week with members of our Adobe product security teams. We are looking forward to connecting with the security community throughout the week. We also hope to meet up with some of you at the parties, at the craps tables, or just mingling outside the session rooms during the week. Make sure to follow our team on Twitter @AdobeSecurity. Feel free to follow me as well @BradArkin. We’ll be tweeting info as to our observations and happenings during the week. Look for the hashtag #AdobeBH2015.

This year we are also proud to sponsor the r00tz Kids Conference @ DefCon. Members of our teams will be helping out with 3D printing and other workshops during this great conference for future security pros. We hope you are able to bring your kids along to join our team at this fun event as part of your DefCon experience.

We are looking forward to a great week in Vegas.

Brad Arkin
VP and Chief Security Officer

Reflections on Black Hat & DefCon

This year the ASSET security team along with security engineers from several other Adobe teams travelled to Vegas to attend the summer’s largest security conferences – Black Hat and DefCon. The technical talks can typically range from “cool bugs” to “conceptual issues that require long term solutions.” While the bugs are fun, here’s my take on the major underlying themes this year.

One major theme is that our core cryptographic solutions such as RSA and TLS are beginning to show their age. There was more than one talk about attacking TLS and another presentation by iSEC Partners focused on advances related to breaking RSA. The iSEC team made a valid case that we, as an industry, are not prepared for easily deploying alternative cryptographic solutions. Our industry needs to apply the principles of “crypto agility” so that we can deploy alternative solutions in our core security protocols, should the need arise.

Another theme this year was the security issues with embedded systems. Embedded systems development used to be limited to small bits of assembly code on isolated chips. However, advances in disk storage, antenna size, and processors has resulted in more sophisticated applications powering more complex devices. This exposed a larger attack surface to security researchers at Black Hat and DefCon who then found vulnerabilities in medical devicesSIM cardsautomobilesHVAC systemsIP phonesdoor locksiOS chargersSmart TVsnetwork surveillance cameras, and similar dedicated devices. As manufacturing adopts more advanced hardware and software for devices, our industry will need to continue to expand our security education and outreach to these other industries.

In traditional software, OS enforced sandboxes and compiler flags have been making it more difficult to exploit software. However, Kevin Snow and Lucas Davi showed that making additional improvements to address space layout randomization (ASLR), known as “fine-grained ASLR,” will not provide any significant additional levels of security. Therefore, we must rely on kernel enforced security controls and, by logical extension, the kernel itself. Mateusz Jurczyk and Gynvael Coldwind dedicated significant research effort into developing tools to find kernel vulnerabilities in various operating system kernels. In addition, Ling Chuan Lee and Chan Lee Yee went after font vulnerabilities in the Windows kernel. Meanwhile, Microsoft offered to judge live mitigation bypasses of their kernel at their booth. With only a small number of application security presentations, research focus appears to be shifting back toward the kernel this year.

Ethics and the law had an increased focus this year. In addition to the keynote by General Alexander, there were four legal talks at Black Hat and DefCon from the ACLU, EFF and Alex Stamos. Paraphrasing Stamos’ presentation, “The debate over full disclosure or responsible disclosure now seems quaint.” There were no easy answers provided; just more complex questions.

Regardless of the specific reason that drew you to Vegas this year, the only true constant in our field is that we must continue learning. It is much harder these days to be an effective security generalist. The technology, research and ethics of what we do continues to evolve and forces deeper specialization and understanding. The bar required to wander into a random Black Hat talk and understand the presentation continues to rise. Fortunately, walking into a bar at Black Hat and offering a fellow researcher a drink is still a successful alternative method of learning.

Peleus Uhley
Platform Security Strategist