Security/BlackHat 2012: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
Line 10: Line 10:


=== Interesting-sounding Blackhat and DEFCON sessions ===
=== Interesting-sounding Blackhat and DEFCON sessions ===
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Argyroudis Exploiting the jemalloc Memory Allocator: Owning Firefox's Heap]
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Argyroudis Exploiting the jemalloc Memory Allocator: Owning Firefox's Heap] -''Who is attending, if anyone? Name here''
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Shekyan Hacking with WebSockets]
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Shekyan Hacking with WebSockets] -''Who is attending, if anyone? Name here''
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Rohlf Google Native Client - Analysis Of A Secure Browser Plugin Sandbox]
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Rohlf Google Native Client - Analysis Of A Secure Browser Plugin Sandbox] -''Who is attending, if anyone? Name here''
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Shah HTML5 Top 10 Threats – Stealth Attacks and Silent Exploits]
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Shah HTML5 Top 10 Threats – Stealth Attacks and Silent Exploits] -''Who is attending, if anyone? Name here''
 
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Argyroudis "Exploiting the jemalloc Memory Allocator: Owning Firefox's Heap"] -''Who is attending, if anyone? Name here''
==== From dveditz's mail to security-group: ====
At the top of my list is the one with '''Owning Firefox''' in the title. Is there anyone working on jemalloc we could send? The speakers will be releasing debugging utilities at the talk.
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Argyroudis "Exploiting the jemalloc Memory Allocator: Owning Firefox's Heap"]


Attacks (ab)using recent web features. Need to be considered especially in the context of apps and our web services and what
Attacks (ab)using recent web features. Need to be considered especially in the context of apps and our web services and what
mitigations should be built into Gecko
mitigations should be built into Gecko
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Shekyan "Hacking with WebSockets"]
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Shekyan "Hacking with WebSockets"] -''Who is attending, if anyone? Name here''
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Shah "HTML5 Top 10 Threats – Stealth Attacks and Silent Exploits"]
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Purviance "Blended Threats and JavaScript: A Plan for Permanent Network Compromise"] -''Who is attending, if anyone? Name here''
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Purviance "Blended Threats and JavaScript: A Plan for Permanent Network Compromise"]


For Gaia/WebAPI folks some attacks on Chrome extensions that may
For Gaia/WebAPI folks some attacks on Chrome extensions that may
have relevance to types of attacks we face on apps.
have relevance to types of attacks we face on apps.
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Osborn "Advanced Chrome Extension Exploitation - Leveraging API Powers for the Better Evil"]
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Osborn "Advanced Chrome Extension Exploitation - Leveraging API Powers for the Better Evil"] -''Who is attending, if anyone? Name here''


For the B2G folks there are a couple that might help us with our
For the B2G folks there are a couple that might help us with our
phone designs. If nothing else they may inform our testing.
phone designs. If nothing else they may inform our testing.


* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Ridley "Advanced ARM exploitation"]
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Ridley "Advanced ARM exploitation"] -''Who is attending, if anyone? Name here''
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Weinmann "Scaling Up Baseband Attacks: More (Unexpected) Attack Surface"]
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Weinmann "Scaling Up Baseband Attacks: More (Unexpected) Attack Surface"] -''Who is attending, if anyone? Name here''
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Miller "Don't Stand So Close To Me: An Analysis of the NFC Attack Surface"]
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Miller "Don't Stand So Close To Me: An Analysis of the NFC Attack Surface"] -''Who is attending, if anyone? Name here''


Defeating ASLR through info leaks, and how to cause them.
Defeating ASLR through info leaks, and how to cause them.


* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Serna "The Info Leak Era on Software Exploitation"] (an example of one he wrote up on Flash is http://seclists.org/bugtraq/2012/Apr/63 )
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Serna "The Info Leak Era on Software Exploitation"] (an example of one he wrote up on Flash is http://seclists.org/bugtraq/2012/Apr/63 ) -''Who is attending, if anyone? Name here''


A comparison of three different Flash sandboxes, Chrome, IE, and Firefox
A comparison of three different Flash sandboxes, Chrome, IE, and Firefox


* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Sabanal "Digging Deep Into The Flash Sandboxes"]
* [https://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#Sabanal "Digging Deep Into The Flash Sandboxes"] -''Who is attending, if anyone? Name here''


New defensive features of Win8 we should consider using. Some may be
New defensive features of Win8 we should consider using. Some may be

Revision as of 23:51, 17 July 2012

Black Hat & DEFCON 2012

This is to track organization and attendees for Black Hat and DEFCON 2012 security conferences this coming Summer. Black Hat is at Caesars Palace and DEFCON is at the Rio.

Dates

Black Hat is from July 21 through 26, 2012. DEFCON 20 is from July 26 through 29.

Sessions to be covered

Interesting-sounding Blackhat and DEFCON sessions

Attacks (ab)using recent web features. Need to be considered especially in the context of apps and our web services and what mitigations should be built into Gecko

For Gaia/WebAPI folks some attacks on Chrome extensions that may have relevance to types of attacks we face on apps.

For the B2G folks there are a couple that might help us with our phone designs. If nothing else they may inform our testing.

Defeating ASLR through info leaks, and how to cause them.

A comparison of three different Flash sandboxes, Chrome, IE, and Firefox

New defensive features of Win8 we should consider using. Some may be compiler/linker features that will help on other versions of windows, too.

For the privacy geeks -- decloaking "private browsing" among other ways to track people.

A wildcard... Math.random() isn't crytographically secure, could we be vulnerable to anything like these PHP issues? If you go bring your open mind and wear your brainstorming hat.

dinners/meetups

Tuesday Night Dinner Sign Up

8:30 PM ??
  • Joe Stevensen
  • Eric Parker
  • Guillaume Destuynder
  • Gary Kwong
  • Adam Muntner
  • Ben Kero
  • Brian Hourigan

Wed Night Dinner Sign Up

8:30 PM ??
  • Joe Stevensen
  • Michael Herny :tinfoil
  • Gary Kwong
  • Ben Kero
  • Brian Hourigan

Thurs Night Dinner Sign Up

8:30 PM ??
  • Joe Stevensen
  • Gary Kwong
  • Ben Kero
  • Brian Hourigan

Friday Night Dinner Sign Up

8:30 PM ??
  • Joe Stevensen
  • Gary Kwong
  • Ben Kero
  • Brian Hourigan

Sat Night Dinner Sign Up

8:30 PM ??
  • Joe Stevensen
  • Gary Kwong
  • Ben Kero
  • Brian Hourigan

Attendees

Enter your name below if you plan on attending one or both conferences.

Name Black Hat? DEFCON? Arrival Date Departure Date
Al Billings Yes Yes ? ?
Raymond Forbes Yes Yes 2012-07-24 2012-07-30
Joe Stevensen Yes Yes 2012-07-24 2012-07-29
Gary Kwong Yes Yes 2012-07-24 2012-07-29
Guillaume Destuynder Yes Yes 2012-07-24 2012-07-29
Jorge Villalobos Yes Yes 2012-07-24 2012-07-29
Adam Muntner Yes Yes 2012-07-24 2012-07-29
Michael Henry :tinfoil No Yes 2012-07-24 2012-07-30
Jesse Ruderman Yes Yes ? ?
Anthony Hughes Yes Yes 2012-07-24 2012-07-30
John Morrison :jrgm Yes No 2012-07-24 ?
Kevin Brosnan :kbrosnan Yes Yes 2012-07-24 2012-07-29
Ben Kero :bkero Yes Yes 2012-07-24 2012-07-29
Brian Hourigan :digi Yes Yes 2012-07-24 2012-07-29

Conference registration numbers for attendees

hotel reservation confirmations

Flight planning

Name Outbound Flight Return Flight Notes
Joe Stevensen VX906 Arrives 7/24 14:55 VX905 Departs 7/29 11:00
Guillaume Destuynder VX906 Arrives 7/24 14:55 VX905 Departs 7/29 11:00
Kevin Brosnan VX906 Arrives 7/24 14:55 VX901 Departs 7/29 09:20
Al Billings VX260 Arrives 7/24 13:35 VX915 Departs 7/29 17:30
Jorge Villalobos UA1608 Arrives 7/24 22:01 UA1254 Departs 07/29 01:16
Ben Kero AS620 Arrives 7/24 20:06 AS621 Departs 7/29 20:50
Retrieved from "https://wiki.allizom.org/index.php?title=Security/BlackHat_2012&oldid=451783"