The Black Hat security conference is full of drama again in Amsterdam, with the last-minute cancellation of a presentation by a group of researchers scheduled to reveal a dangerous software vulnerability.
In the run up to this week’s conference, organizers promoted a talk that would be on the scale of the flaw in the DNS (Domain Name System) highlighted by security researcher Dan Kaminsky at Black Hat’s U.S. conference last July.
But this one isn’t going to happen. A press conference tentatively planned for 5 p.m. on Thursday was suddenly canceled.
The flaw is so sensitive that even revealing the vendor affected could potentially cause hackers to start poking around with applications or operating systems to try to figure it out, said Jeff Moss, Black Hat’s CEO.
The unnamed vendor has told the researchers that it could have a patch ready in a month or so, but it could take as long as four months, Moss said.
“Apparently, it’s harder to patch and harder to fix so it’s taking longer than they thought,” Moss said.
Security researchers who present at Black Hat are encouraged to practice what’s called “responsible disclosure,” where the vendor is notified and allowed to create a patch before the vulnerability is publicly revealed. Moss said it’s hopeful that the vendor and the researchers will be able to release a patch and the details at the same time.
It wouldn’t be the first time Black Hat has been on the bleeding edge of vulnerability disclosure. This time at least there haven’t been any legal threats from the vendor, Moss said.
In 2005, Michael Lynn, who worked for Internet Security Systems (ISS) at the time, had prepared a talk about how Cisco Systems’ routers could be remotely compromised. Cisco and ISS didn’t want him to do the presentation and filed a lawsuit to stop him. Those companies also filed a lawsuit against the Black Hat conference.
Lynn changed his presentation and instead spoke about VoIP (voice over Internet Protocol). After hearing boos from the crowd, he switched to his original topic. He didn’t release attack code but instead provided proof it could be done.
Lynn had to quit his ISS job, and was sued by ISS and Cisco, but the lawsuit was eventually dropped after he agreed not to discuss its contents.
If the Black Hat organizers aren’t bluffing and the vulnerability is as serious as Kaminsky’s, it could mean that lots of companies are doing some secret patching.
Once exploit code is released for a vulnerability, it’s game on for hackers, who will immediately try to find vulnerable computers or servers.
Kaminsky’s research prompted an unprecedented, industry-wide effort to patch DNS servers, which are used by thousands of companies, ISPs and other entities running networks. Much of that work was done in secret so as to not tip off the bad guys.
The flaw showed that DNS servers were susceptible to an attack that could redirect Web surfers to fraudulent Web sites even if the URL was typed in correctly, among other scenarios.