Black Hat Briefings (commonly referred to as Black Hat ) is a computer security conference that provides security consulting, training, and briefings to hackers, corporations, and government agencies around the world. Black Hat brings together a variety of people interested in information security ranging from non-technical individuals, executives, hackers , and security professionals. The conference takes place regularly in Las Vegas , Barcelona , London and Riyadh . The conference has also been hosted in Amsterdam , Tokyo , and Washington, D.C. in the past.
62-617: The first Black Hat was held July 7-10, 1997 in Las Vegas, immediately prior to DEF CON 5. The conference was aimed at the computer industry, promising to give them privileged insight into the minds and motivations of their hacker adversaries. Its organizers stated: "While many conferences focus on information and network security, only the Black Hat Briefings will put your engineers and software programmers face-to-face with today's cutting edge computer security experts and ' hackers .'" It
124-477: A FidoNet protocol based hacking network from Canada . The party was planned for Las Vegas a few days before his friend was to leave the United States, because his father had accepted employment out of the country. However, his friend's father left early, taking his friend along, so Jeff was left alone with the entire party planned. Jeff decided to invite all his hacker friends to go to Las Vegas with him and have
186-502: A botnet , and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm. Despite its wide propagation, the worm did not do much damage, perhaps because its authors – believed to have been Ukrainian citizens – did not dare use it because of
248-458: A bug in the game ( privilege dropping and forking were inverted), allowing them to have such a massive lead that they spent most of the CTF playing Guitar Hero . In 2009, it was announced that "Diutinus Defense Technology Corp" (DDTEK) would be the new organisers, but nobody knew who they were. It was revealed at the end of the game that the team playing as sk3wl0fr00t was the organizer. "Hacking
310-474: A vulnerability that he said could let hackers virtually shut down the Internet. However, in recent years, researchers have worked with vendors to resolve issues, and some vendors have challenged hackers to attack their products. Conference attendees had been known to hijack wireless connections of the hotels, hack hotel television billing systems, and in one instance, deploy a fake automated teller machine in
372-676: A DEF CON Black Badge was featured in an exhibit in the Smithsonian Institution 's National Museum of American History entitled "Innovations in Defense: Artificial Intelligence and the Challenge of Cybersecurity". The badge belongs to ForAllSecure's Mayhem Cyber Reasoning System, the winner of the DARPA 2016 Cyber Grand Challenge at DEF CON 24 and the first non-human entity ever to earn a Black Badge. The first instance of
434-606: A detectable signature when scanned remotely. The peer-to-peer command protocol used by variants D and E of the virus has since been partially reverse-engineered , allowing researchers to imitate the virus network's command packets and positively identify infected computers en-masse. Signature updates for a number of network scanning applications are now available. It can also be detected in passive mode by sniffing broadcast domains for repeating ARP requests. The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of
496-401: A general conference attendee (HUMAN) badge, a Staff member (GOON), Vendor, Speaker, Press, and other badges. In addition, individuals and organizations have begun creating their own badges in what has become known as badgelife. These badges may be purchased in many cases, or earned at the conference by completing challenges or events. Some badges may give the holder access to after hours events at
558-399: A general interest in software , computer architecture , hardware modification, conference badges, and anything else that can be "hacked". The event consists of several tracks of speakers about computer and hacking-related subjects, as well as cyber-security challenges and competitions (known as hacking wargames ). Contests held during the event are extremely varied and can range from creating
620-522: A hotel lobby. In 2009, web sites belonging to a handful of security researchers and groups were hacked and passwords, private e-mails, instant messaging chats, and sensitive documents were exposed on the vandalized site of Dan Kaminsky , days before the conference. During Black Hat USA in 2009, a USB thumb drive that was passed around among attendees was found to be infected with the Conficker virus , and in 2008, three men were expelled for packet sniffing
682-568: A non-electronic badge such as a vinyl record . Conference badges often contain challenges or callbacks to hacker or other technology history, such as the usage of the Konami Code in the DEF CON 24 badge, or the DEF CON 25 badge reverting to the look of the DEF CON 1 badge. DEF CON Badges do not (generally) identify attendees by name; however, the badges are used to differentiate attendees from others. One way of doing this has been to have different badges,
SECTION 10
#1733093676859744-472: A second year at their urging. The event's attendance nearly doubled the second year, and has enjoyed continued success. In 2019, an estimated 30,000 people attended DEF CON 27. For DEF CON's 20th Anniversary, a film was commissioned entitled DEF CON: The Documentary . The film follows the four days of the conference, events and people (attendees and staff), and covers history and philosophy behind DEF CON's success and unique experiences. In January 2018,
806-499: A setting where attendees can ask questions about the tools and sometimes use them. It was added in 2010. ToolsWatch maintains an archive of all Black Hat Briefings Arsenals. Black Hat had historically been known for the antics of its hacker contingent, and the disclosures brought in its talks. In the past, companies have attempted to ban researchers from disclosing vital information about their products. At Black Hat USA in 2005, Cisco Systems tried to stop Michael Lynn from speaking about
868-413: Is a crucial step. Microsoft released a removal guide for the virus, and recommended using the current release of its Windows Malicious Software Removal Tool to remove the virus, then applying the patch to prevent re-infection. Newer versions of Windows are immune to Conficker. Many third-party anti-virus software vendors have released detection updates to their products and claim to be able to remove
930-640: Is equivalent to (MSFT) D. None To start itself at system boot, the virus saves a copy of its DLL form to a random filename in the Windows system or system32 folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service. The virus has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the virus to update itself to newer variants, and to install additional malware. To prevent payloads from being hijacked, variant A payloads are first SHA-1 - hashed and RC4 - encrypted with
992-659: Is in keeping with the hacker community's desire for anonymity. Some known handles include DEF CON founder Jeff Moss ' handle of " Dark Tangent ". A notable event at DEF CON is DEF CON 101 which starts off the conference and may offer the opportunity for an individual to come up on stage and be assigned a handle by a number of members of the community. A notable part of DEF CON is the conference badge, which identifies attendees and ensures attendees can access conference events and activities. The DEF CON badge has historically been notable because of its changing nature, sometimes being an electronic badge ( PCB ), with LEDs , or sometimes being
1054-559: Is offered by various computer security vendors and individual security professionals. The conference has hosted the National Security Agency 's information assurance manager course, and various courses by Cisco Systems , Offensive Security , and others. Arsenal is a portion of the conference dedicated to giving researchers and the open source community a place to showcase their latest open-source information security tools. Arsenal primarily consists of live tool demonstrations in
1116-595: Is widely accepted in the cybersecurity field. In 2011, working with the FBI, Ukrainian police arrested three Ukrainians in relation to Conficker, but there are no records of them being prosecuted or convicted. A Swede, Mikael Sallnert, was sentenced to 48 months in prison in the U.S. after a guilty plea. Due to the lock of the virus files against deletion as long as the system is running, the manual or automatic removal itself has to be performed during boot process or with an external system installed. Deleting any existing backup copy
1178-632: The Atlantic Council and the paper went on to win an O'Reilly Defender Research Award. Marcus Hutchins , better known online by his handle MalwareTech , the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak was arrested by the FBI at the airport preparing to leave the country after attending DEF CON over his alleged involvement with the Kronos banking trojan . Each conference venue and date has been extracted from
1240-580: The Electronic Frontier Foundation (EFF). The first fundraiser was a dunk tank and was an "official" event. The EFF now has an event named "The Summit" hosted by the Vegas 2.0 crew that is an open event and fundraiser. DEF CON 18 (2010) hosted a new fundraiser called MohawkCon. Within DEF CON there are many contests and events which range from, Capture the Flag, Hacker Jeopardy, Scavenger Hunt, Capture
1302-481: The FBI , DoD , United States Postal Inspection Service , DHS (via CISA ) and other agencies regularly attend DEF CON. Some have considered DEF CON to be the "world's largest" hacker conference given its attendee size and the number of other conferences modeling themselves after it. DEF CON was founded in 1993, by then 18-year-old Jeff Moss as a farewell party for his friend, a fellow hacker and member of "Platinum Net",
SECTION 20
#17330936768591364-610: The Police National Computer as a precautionary measure; during that time, officers had to ask other forces to run routine checks on vehicles and people. Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the virus's combined use of so many has made it unusually difficult to eradicate. The virus's unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close
1426-479: The 15th edition of the CTF was done in partnership with the DARPA , as part of its Cyber Grand Challenge program, where teams wrote autonomous systems to play the game without any human interaction. In 2017, the Legitimate Business Syndicate came up with their very own CPU architecture called cLEMENCy: a middle-endian with 9 bits bytes CPU . With its specifications released only 24 hours before
1488-505: The 2009 Black Hat Briefings that Ukraine is the probable origin of the virus, but declined to reveal further technical discoveries about the virus's internals to avoid tipping off its authors. An initial variant of Conficker did not infect systems with Ukrainian IP addresses or with Ukrainian keyboard layouts. The payload of Conficker.E was downloaded from a host in Ukraine. In 2015, Phil Porras, Vinod Yegneswaran and Hassan Saidi – who were
1550-450: The 512-bit hash as a key . The hash is then RSA -signed with a 1024-bit private key. The payload is unpacked and executed only if its signature verifies with a public key embedded in the virus. Variants B and later use MD6 as their hash function and increase the size of the RSA key to 4096 bits. Conficker B adopted MD6 mere months after it was first published; six weeks after a weakness
1612-503: The Conficker Cabal, includes Microsoft , Afilias , ICANN , Neustar , Verisign , China Internet Network Information Center , Public Internet Registry, Global Domains International, M1D Global, America Online , Symantec , F-Secure , ISC, researchers from Georgia Tech , The Shadowserver Foundation, Arbor Networks, and Support Intelligence. On 13 February 2009, Microsoft offered a $ USD 250,000 reward for information leading to
1674-859: The Cyber Grand Challenge was "Mayhem", an AI created by ForAllSecure of Pittsburgh, Pennsylvania. Mayhem then went on to participate in the previously humans-only DEF CON Capture the Flag Contest, where it finished in last place, despite pulling ahead of human teams often in a contest for which it was not specifically designed. In September 2017, the Voting Machine Village produced " DEF CON 25 Voting Machine Hacking Village: Report on Cyber Vulnerabilities in US Election Equipment, Databases and Infrastructure " summarizing its findings. The findings were publicly released at an event sponsored by
1736-457: The DEF CON CTF was held in 1996, at the 4th DEF CON, and has been held since then every year. It's one of the few CTF in the attack/defense format. The prize of the winning team is a couple of black badges. In 1996, the first DEF CON CTF was organized, with a couple of servers for participants to hack, and judges to decide if a machine has been hacked, and award points accordingly. In 2002,
1798-529: The DEF CON China Beta event was announced. The conference was held May 11–13, 2018 in Beijing, and marked DEF CON's first conference outside the United States. The second annual DEF CON China was canceled due to concerns related to COVID-19 . In 2020, due to safety concerns over COVID-19 the DEF CON 28 in-person Las Vegas event was cancelled and replaced with DEF CON Safe Mode, a virtual event planned for
1860-577: The DEF CON archives for easy reference. DEF CON Multimedia Conficker Conficker , also known as Downup , Downadup and Kido , is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software (MS08-067 / CVE-2008-4250) and dictionary attacks on administrator passwords to propagate while forming
1922-485: The Packet, Crash and Compile, and Hackfortress to name a few. The Black Badge is the highest award DEF CON gives to contest winners of certain events. Capture the flag (CTF) winners sometimes earn these, as well as Hacker Jeopardy winners. The contests that are awarded Black Badges vary from year to year, and a Black Badge allows free entrance to DEF CON for life, potentially a value of thousands of dollars. In April 2017,
Black Hat Briefings - Misplaced Pages Continue
1984-539: The Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008, to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009. A second variant of the virus, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares . Researchers believe that these were decisive factors in allowing
2046-490: The Windows Update service. Variant E of the virus was the first to use its base of infected computers for an ulterior purpose. It downloads and installs, from a web server hosted in Ukraine, two additional payloads: Symptoms of a Conficker infection include: On 12 February 2009, Microsoft announced the formation of an industry group to collaboratively counter Conficker. The group, which has since been informally dubbed
2108-459: The area code of the area where they are located in the US, and by other numbers when outside of the US e.g., DC801, DC201. DEF CON Groups may seek permission to make a logo that includes the official DEF CON logo with approval. Following are a list of high-profile issues which have garnered significant media attention. In 2008's contest "Race to Zero," contestants submitted a version of given malware which
2170-486: The arrest and conviction of the individuals behind the creation and/or distribution of Conficker. ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the virus's domain generator. Those which have taken action include: By mid-April 2009 all domain names generated by Conficker A had been successfully locked or preemptively registered, rendering its update mechanism ineffective. Working group members stated at
2232-552: The attention it drew. Four men were arrested, and one pled guilty and was sentenced to four years in prison. Estimates of the number of infected computers were difficult because the virus changed its propagation and update strategy from version to version. In January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. Microsoft has reported the total number of infected computers detected by its antimalware products has remained steady at around 1.7 million from mid-2010 to mid-2011. By mid-2015,
2294-456: The beginning of the CTF, it was designed with the explicit goals of both surprising the teams, and leveling the playing field by breaking all their tools. DEF CON Groups are worldwide, local chapters of hackers, thinkers, makers and others. DEF CON Groups were started as a splinter off of the 2600 meetup groups because of concerns over politicization. Local DEF CON groups are formed and are posted online. DEF CON Groups are usually identified by
2356-514: The city of Sheffield reported infection of over 800 computers. On 2 February 2009, the Bundeswehr , the unified armed forces of Germany, reported that about one hundred of its computers were infected. An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009. The use of USB flash drives was banned, as this was believed to be the vector for
2418-430: The company Immunix took part in the game under the moniker "immunex", to benchmark the security of their Linux-based operating system, with modifications including StackGuard , FormatGuard , OpenWall 's non-executable stack , SubDomain (the ancestor of AppArmor ), ... Confident in their defense capabilities, they even opened access to their servers to other teams, and even spent some time taunting them. The team got
2480-592: The conference. In 2018, the evolution of this came with what was termed "shitty addon's" or SAOs. These were miniature (usually) PCBs that connected to the official and other badges that may extend functionality or were just collected. Villages are dedicated spaces arranged around a specific topic. Villages may be considered mini conferences within the con, with many holding their own independent talks as well as hands-on activities such as CTFs, or labs. Some villages include Aerospace Village, Car Hacking Village, IoT Village, Recon, Biohacking , lockpicking , ham radio , and
2542-403: The convention DEF CON. However, to a lesser extent, CON also stands for convention and DEF is taken from the letters on the number 3 on a telephone keypad , a reference to phreakers . The official name of the conference includes a space in-between DEF and CON. Though intended to be a one-time event, Moss received overwhelmingly positive feedback from attendees, and decided to host the event for
Black Hat Briefings - Misplaced Pages Continue
2604-568: The domain name trafficconverter.biz (with the letter k, not found in the domain name, added as in "trafficker", to avoid a "soft" c sound) which was used by early versions of Conficker to download updates. The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000 , Windows XP , Windows Vista , Windows Server 2003 , Windows Server 2008 , and Windows Server 2008 R2 Beta. While Windows 7 may have been affected by this vulnerability,
2666-555: The first to detect and reverse-engineer Conficker – wrote in the Journal of Sensitive Cyber Research and Engineering , a classified, peer-reviewed U.S. government cybersecurity publication, that they tracked the malware to a group of Ukrainian cybercriminals. Porras et al. believed that the criminals abandoned Conficker after it had spread much more widely than they assumed it would, reasoning that any attempt to use it would draw too much attention from law enforcement worldwide. This explanation
2728-666: The information security field, including Robert Lentz, Chief Security Officer , United States Department of Defense ; Michael Lynn; Amit Yoran , former Director of the National Cyber Security Division of the Department of Homeland Security ; and General Keith B. Alexander , former Director of the National Security Agency and former commander of the United States Cyber Command . Training
2790-671: The initial infection. A memo from the Director of the UK Parliamentary ICT service informed the users of the House of Commons on 24 March 2009 that it had been infected with the virus. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorised equipment to the network. In January 2010, the Greater Manchester Police computer network was infected, leading to its disconnection for three days from
2852-677: The longest Wi-Fi connection to finding the most effective way to cool a beer in the Nevada heat. Other contests, past and present, include lockpicking , robotics-related contests , art, slogan, coffee wars, scavenger hunt , and Capture the Flag . Capture the Flag (CTF) is perhaps the best known of these contests and is a hacking competition where teams of hackers attempt to attack and defend computers and networks using software and network structures. CTF has been emulated at other hacking conferences as well as in academic and military contexts (as red team exercises). Federal law enforcement agents from
2914-423: The party with them instead. Hacker friends from far and wide got together and laid the foundation for DEF CON, with roughly 100 people in attendance. The term DEF CON comes from the movie WarGames , referencing the U.S. Armed Forces defense readiness condition ( DEF CON) . In the movie, Las Vegas was selected as a nuclear target, and since the event was being hosted in Las Vegas, it occurred to Jeff Moss to name
2976-665: The press room local area network . Black Hat had initially started within the United States but expanded over the years across USA, Europe, Asia, Middle East, Africa, Washington DC, and Abu Dhabi: DEF CON DEF CON (also written as DEFCON, Defcon, or DC ) is a hacker convention held annually in Las Vegas , Nevada . The first DEF CON took place in June 1993 and today many attendees at DEF CON include computer security professionals, journalists , lawyers, federal government employees, security researchers, students, and hackers with
3038-512: The same August 6–9 dates as DC 28. In 2021, DEF CON 29 was held on August 5–8 in-person in Las Vegas and virtually (via Twitch and Discord ). In-person attendees were required to wear masks in conference areas and to show proof of COVID-19 vaccination. Attendees with verified vaccine records (verified by a 3rd party) were given a wristband which was required for entry into the conference areas. Attendees at DEF CON and other Hacker conferences often utilize an alias or "handle" at conferences. This
3100-460: The second place, and all their services deployed on their Immunix stack were never compromised. It was also the first year the contest had an organiser-provided services infrastructure connected to a real-time scoreboard. In 2003, the game had become so popular that a qualification round was introduced, with the previous winner automatically qualified. In 2008, the Sk3wl of Root team took advantage of
3162-472: The top hacker contest seemed like a fun way to introduce ourselves to CTF organization. The yells of "bullshit" from CTF teams during the DEF CON 17 awards ceremony were very gratifying." said vulc@n, a member of DDTEK, on the topic. In 2011, the team "lollerskaters dropping from roflcopters" used a 0day in FreeBSD (namely CVE-2011-4062 ) to escape jails , causing havoc in the game's infrastructure. In 2016,
SECTION 50
#17330936768593224-497: The total number of infections had dropped to about 400,000, and it was estimated to be 500,000 in 2019. The origin of the name Conficker is thought to be a combination of the English term "configure" and the German pejorative term Ficker (engl. fucker ). Microsoft analyst Joshua Phillips gives an alternative interpretation of the name, describing it as a rearrangement of portions of
3286-495: The user network services . Variant C of the virus resets System Restore points and disables a number of system services such as Windows Automatic Update , Windows Security Center , Windows Defender and Windows Error Reporting . Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated. An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and
3348-596: The virus to propagate quickly. Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded. The United Kingdom Ministry of Defence reported that some of its major systems and desktops were infected. The virus had spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across
3410-477: The virus's own vulnerabilities. Five variants of the Conficker virus are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. The Conficker Working Group uses namings of A, B, B++, C, and E for the same variants respectively. This means that (CWG) B++ is equivalent to (MSFT) C and (CWG) C
3472-728: The well known Social Engineering and vote hacking villages. In 2018 the vote hacking village gained media attention due to concerns about US election systems security vulnerabilities. DEF CON has its own cultural underground which results in individuals wanting to create their own meetups or "cons" within DEF CON. These may be actual formal meetups or may be informal. Well known cons are: Workshops are dedicated classes on various topics related to information security and related topics. Historical workshops have been held on topics such as Digital Forensics investigation, hacking IoT devices, playing with RFID , fuzzing and attacking smart devices. Since DEF CON 11, fundraisers have been conducted for
3534-495: The worm. The evolving process of the malware shows some adoption to the common removal software, so it is likely that some of them might remove or at least disable some variants, while others remain active or, even worse, deliver a false positive to the removal software and become active with the next reboot. On 27 March 2009, Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have
3596-470: Was discovered in an early version of the algorithm and a new version was published, Conficker upgraded to the new MD6. The DLL- Form of the virus is protected against deletion by setting its ownership to " SYSTEM ", which locks it from deletion even if the user is granted with administrator privileges. The virus stores a backup copy of this DLL disguised as a .jpg image in the Internet Explorer cache of
3658-419: Was no intentional domestic surveillance. In June 2013, NSA surveillance programs which collected data on US citizens, such as PRISM , had been exposed. Andy Greenberg of Forbes said that NSA officials, including Alexander, in the years 2012 and 2013 "publicly denied–often with carefully hedged words–participating in the kind of snooping on Americans that has since become nearly undeniable." The winner of
3720-573: Was presented by DEF CON Communications and Cambridge Technology Partners. It was founded by Jeff Moss , who also founded DEF CON, and is currently the Conference Chair of the Black Hat Review Board. Black Hat started as a single annual conference in Las Vegas , Nevada and is now held in multiple locations around the world. Black Hat Briefings was acquired by CMP Media , a subsidiary of U.K.-based United Business Media (UBM) in 2005 which
3782-440: Was required to be undetectable by all of the antivirus engines in each round. The contest concept attracted much negative attention. On March 12, 2013, during a United States Senate Select Committee on Intelligence hearing, Senator Ron Wyden quoted the 2012 DEF CON keynote speech and asked Director of National Intelligence James Clapper if the U.S. conducted domestic surveillance; Clapper made statements saying that there
SECTION 60
#17330936768593844-591: Was then acquired by Informa Tech in June 2018. Black Hat is typically scheduled prior to DEF CON with many attendees going to both conferences. It has been perceived by the security industry as a more corporate security conference whereas DEF CON is more informal. The conference is composed of three major sections: the Black Hat Briefings, Black Hat Trainings, and Black Hat Arsenal. The Briefings are composed of tracks, covering various topics including reverse engineering , identity and privacy, and hacking. The briefings also contain keynote speeches from leading voices in
#858141