What to watch at Black Hat and Defcon

Trying to predict the big news at Black Hat and Defcon isn't easy

Trying to predict the big news at this week's Black Hat and Defcon conferences is extremely tricky, if not impossible. Usually the most interesting stories pop up at the very last minute -- hackers tend to hold off on disclosing the really big talks because they don't want jittery lawyers to shut them down. And even when you think you know what's going on, sometimes one of the shows steps forward to take center stage, as Defcon did three years ago when Dateline NBC reporter Michelle Madigan was run out of the conference for trying to secretly film show attendees.

Black Hat, the more corporate event, and its unruly sister conference, Defcon, are held one after the other each year in Las Vegas. This year's Black Hat conference is on Wednesday and Thursday. Defcon runs Friday through Sunday.

So expect some chaos this week in Las Vegas. Expect some surprises. If you're attending, expect a hangover. But also look out for some interesting security stories on these topics:

1: Hitting the ATM Jackpot

This year's most-anticipated talk comes from Barnaby Jack, formerly of Juniper Networks. Jack has been toying around with ATMs (automated teller machines) for the past few years and is ready to talk about some of the bugs he's found in the products. We don't yet know whose ATMs are vulnerable -- or even if the manufacturers will be disclosed -- but ATMs are a green field for vulnerability researchers.

Black Hat conference director Jeff Moss says the work on ATM bugs is reminiscent of the voting machine research that came out a few years ago -- which showed serious security vulnerabilities in the systems and caused many government agencies to rethink the way they were rolling out e-voting.

Jack's talk is controversial. Juniper pulled it at the last minute ahead of last year's Black Hat conference, at the request of ATM makers. But now working for a new company, IOActive, Jack plans to show several new ways of attacking ATMs, including remote attacks. He will also reveal what he calls a "multi-platform ATM rootkit," according to a description of his talk.

"I've always liked the scene in 'Terminator 2' where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat," Jack writes in his abstract.

2: DNS

Two years ago, Dan Kaminsky made headlines worldwide by uncovering a flaw in the DNS (Domain Name System) used to look up the addresses of computers on the Internet. This year, Kaminsky is speaking again at Black Hat -- this time on Web security tools. But he's also been tapped to participate in a press conference where he and representatives from ICANN (Internet Corporation For Assigned Names and Numbers) and VeriSign will discuss Domain Name System Security Extensions (DNSSEC) -- a new way of doing DNS that provides a level of confidence that computers connected to the Internet are what they actually claim to be.

About two weeks ago, ICANN presided over the first cryptographic signing of a root server with a DNSSEC key. DNSSEC isn't yet widely supported, but ICANN hopes that by signing a root zone, it will spur others to support the protocol in their server and client software.

Researchers like Kaminsky say that widespread adoption of DNSSEC could curb a whole bunch of online attacks. "We've been looking at how DNSSEC is going to address not only DNS vulnerabilities, but some of the core vulnerabilities we have in security," Kaminsky said in an interview. "We're not going to solve all of those problems with DNSSEC... but there's an entire class of authentication vulnerabilities that DNSSEC does address."

3: Mobile bugs

Unleash the Kraken! That's just what GSM security researchers are going to do at Black Hat this year, in what could ultimately become a major headache for U.S. and European mobile network operators. Kraken is open-source GSM cracking software that's just been completed. Combined with some highly optimized rainbow tables (lists of codes that help speed up the encryption-breaking process), it gives hackers a way to decrypt GSM calls and messages.