When temperatures plummet, the leaves turn to yellow and red, and a large number of hackers begin flocking to Amsterdam, you know it's time for the annual Black Hat Europe information security conference.
The security event returns to the Amsterdam RAI conference center this week for two days of hands-on technical training, followed by two days of briefings in which researchers describe the latest vulnerabilities and attacks they've found, plus related defenses.
With the briefings set to launch on Nov. 12, here are a few of the sessions that top my must-see list:
The briefings are scheduled to begin on an existential note, with renowned technologist Haroon Meer set to riff on Marshall Goldsmith's 2007 best-seller "What Got You Here Won't Get You There," which looks at how individuals can overcome their own self-defeating bad tendencies in the workplace. Meer retools that approach to look instead at the security profession's collective failings. Since the 1990s, information security technology has continued to improve, teams have grown bigger and budgets have expanded. So why aren't enterprise information security programs more successful?
Self-Encrypted Drive Alert
Kevvie Fowler and Daniel Boteanu of KPMG Canada's Forensic Technology Group are set to describe a technique that can be used to bypass hardware-based full-disk encryption (FDE) tools - better known as self-encrypting drives (SEDs) - as well as how to protect against related exploits. Vulnerabilities in SEDs are a big deal: Many enterprises now use such technology to protect critical data at rest, and numerous data breach regulations exempt organizations from having to issue a breach notification for lost or stolen laptops if FDE or an SED was in place.
Fumbling Cloud Security
Cloud-based infrastructure - sometimes obtained from backend-as-a-service (BaaS) offerings such as the Amazon Elastic Compute Cloud and Amazon Simple Storage Service - enables developers to "cloud enable" their apps with just a few lines of code. Unfortunately, many of those developers also appear to be making some serious security mistakes, according to German Ph.D. students Siegfried Rasthofer and Steven Arzt. They plan to outline the types of coding mistakes that enabled them to retrieve 56 million records being stored in BaaS services, ranging from medical information and payment card data to photos and videos.
Hacking Self-Driving Vehicles
Hacking into a Jeep while a reporter is driving it at 70 mph? That is so summer 2015. Indeed, with numerous organizations - including Uber and Google - now attempting to build self-driving vehicles, the next hacking frontier is all about how to seize control of autonomous motor vehicles. Jonathan Petit, a principal scientist for software security and training firm Security Innovation, will describe how such vehicles rely on numerous computerized and Internet-connected components, many of which have vulnerabilities that can be exploited to disrupt automation and remotely locate vehicles.
Oil and Gas Attacks
Attackers are increasingly attempting to not just steal payment card data, but also sensitive information that could be used to commit fraud in more difficult-to-detect ways, for example, by running pump-and-dump penny-stock schemes (see Charges Announced in JPMorgan Chase Hack). Researchers Alexander Polyakov and Mathieu Geli - both part of the Enterprise Application Security Project - will describe how attackers could hack into oil and gas producers' SAP systems and alter the perceived volume of materials that are being sold. Such attacks could be used for economic gain as well as to target the physical infrastructure itself.
Cybercrime in the Deep, Dark Web
Just how big and bad is the so-called Dark Web, which refers to sites that obscure their IP addresses and users who anonymize their related activities? Trend Micro researchers Marco Balduzzi and Vincenzo Ciancaglini have set out to answer that question by automatically indexing and analyzing as many Dark Web sites as possible, including sites offering everything from illicit and counterfeit goods and underground hacker forums to stolen-data drop zones and malware hosting services.
That's just a sample of my must-see sessions for this year's Black Hat Europe. What are yours?