IT Focus Area: Security
August 10, 2017
A Look Back at Black Hat & DEF CON 2017
Approximately 15,000 security executives, hackers, academics and government/law enforcement staffers from 80 countries filled the Mandalay Bay Hotel for Black Hat USA 2017. Now in its 20th year, the conference was immediately followed by the 25th anniversary of DEF CON, a less corporate, more festival-like conference at Caesar’s Palace that attracted an even larger group of hacker-oriented attendees.
Together, the conferences were a whirlwind of sessions, contests and parties. There were a lot of intellectually curious, technically skilled people on hand, reveling in the duo that have become affectionately known as Hacker Summer Camp.
Black Hat and DEF CON are among the oldest security conferences in the U.S., and each is filled with useful information that provides organizations in all industries with a glimpse of the latest threats.
“Communicating near me constitutes consent for monitoring,” said Black Hat attendee D4RKM4TTER, armed with WiFi Cactus.
The Business Halls at Black Hat were filled with a wide range of vendors, talking about all elements of security. Each was looking to connect with companies in an effort to help them tackle the increasingly connected world that is giving hackers so many opportunities to do damage.
During the opening keynote, Facebook CSO Alex Stamos took a serious tone, advising the security community to grow up. He urged security professionals to address broader problems than just those that make interesting presentations and to expand their focus beyond traditional defensive security efforts.
"The unfortunate truth is that our community overall, we’re not yet living up to our potential. We have perfected the art of finding problems over and over again while ignoring the root issues. We have a tendency to focus on the complexity of a flaw instead of focusing on the real human harm. The truth is that adversaries will do the simplest thing to affect [the] cause that they want. And in security academia and security research, we're still really focused on the really sexy difficult problems."
— Alex Stamos, Facebook CSO
Stamos went on to say that the security community "celebrates breaking much more than defense" and needs to work harder to eliminate entire classes of bugs, build architectures that are resilient to failure, and build relationships between the security side and developers.
Approximately 120 sessions took place over two days during Black Hat alone, covering attention-grabbing topics ranging from attacking wind farm control networks to breaking electronic door locks “like you’re on CSI” to subverting IoT devices in order to physically attack people. Common enterprise security subjects included artificial intelligence (AI) and machine learning, IoT security, automation and orchestration, drones, threat intelligence, threat hunting plans and purple-teaming engagements.
4 Key Themes
Four key themes in particular were stressed during the conferences:
1. Addressing the mindset gap
Picking up on the idea of advancing relationships between the security side and developers was April Wright, Senior Security and Compliance Manager for Verizon Wireline. Her popular Black Hat session, “Orange is the New Purple”, addressed the gap in the mindsets of software builders and security teams.
“We don't speak the same language. We don't share the same goals”, said Wright. Security’s objectives, she points out, involve secure software development lifecycle (SDLC), post-launch/ post-release operational security, compliance and sunsetting at end-of-life (EOL). Conversely, the top goals for builders are metrics and market-based with a focus on speed, cost, and quality.
It's no wonder, she said, that the builders (Yellow Teams) don't like the breakers (Red Teams) or the defenders (Blue Teams). Security’s interaction with builders is fairly infrequent, and usually only after an audit, or after a vulnerability is found in code. “We scold them after a Red test, tell them what they did wrong. We essentially point out the errors in their art. Imagine that feeling every time they interact with security teams”, she said.
While Purple Teams can maximize the results of Red Team activities and improve Blue Team capabilities, they don’t address what’s coming from upstream: the actual software. For that, says Wright, Orange Teams are needed.
What’s an Orange Team?
Yellow and red make orange; the Orange Team — according to Wright — consists of ongoing and/or formally structured interactions between Red and Yellow Team members, primarily in order to provide education and benefit to the Yellow Team.
Essentially, in order for all of us to realize we’re actually on the same team and work effectively together, we need to provide developers with meaningful security education and work to incorporate security into their overall mindset and idea of quality.
2. IoT and mobile device threats
Many speakers at Black Hat and DEF CON focused their presentations on IoT security problems. During Black Hat, Chinese researchers presented “Evilsploit – a Universal Hardware Hacking Toolkit”. Pointing out the fact that hardware hackers tend to spend a lot of time manually figuring out unlabeled interfaces to learn their pinout and communication protocols, they demonstrated a tool that can automatically enumerate the pins of any device it connects to, making the initial hardware reconnaissance of IoT targets easier for hackers.
A DEF CON talk called “All Your Things Are Belong to Us” featured hackers from the Exploitee.rs — who were back with “new zero day, new exploits and more fun” — highlighting flaws in over 20 different IoT devices ranging from webcams to network attached storage (NAS) devices. After pointing out over 80 vulnerabilities in Western Digital’s MyCloud NAS devices alone, they invited a popular tech rapper to the stage, and handed out custom printed circuit boards (PCBs) to help attendees grab IoT firmware via an eMMC chip.
On the topic of mobile device security, Black Hat featured a packed presentation given by Nitay Artenstein of Exodus Intelligence titled “Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets”. It highlighted a serious vulnerability in Broadcom’s Wi-Fi chipsets that affects millions of Android and iOS devices and can be triggered remotely, without any user interaction. Affected Wi-Fi chips are found in an extraordinarily wide range of mobile devices — from various iPhone models, to HTC, LG, Nexus and nearly the full range of Samsung flagship devices.
3. Machine learning for attacks and defense
We all know that the security industry is adopting machine learning and AI to improve malware and attack detection. It became clear at Black Hat and DEF CON that attackers are looking for ways to break these detection systems.
During a Black Hat session called “Bot vs Bot: Evading Machine Learning Malware Detection”, Hyrum Anderson, Technical Director for Data Science at Endgame addressed the question, “Can you break machine learning?” The answer given was yes. Anderson explained that machine learning models have blind spots, and depending on the model and level of access, they can be straightforward to exploit. He highlighted how adversaries can potentially leverage the technology to figure out what machine-based malware detection tools are looking for and then create malware designed to avoid those things in order to evade detection.
At DEF CON, Bishop Fox researchers noted that artificial intelligence has entered many aspects of our lives, and invited attendees to help usher in the destruction of humanity as they presented “Weaponizing Machine Learning: Humanity Was Overrated Anyway”. They were, as they put it, “reveling in [their] latest unholy creation” as they introduced DeepHack: an open-source hacking AI — a bot that learns how to break into web applications using a neural network, trial and error, and a frightening disregard for humankind.
4. Political espionage
Both conferences highlighted nation-state hacking and other forms of governmental espionage. One Black Hat session, “Bug Collisions Meet Government Vulnerability Disclosure”, featured a group of researchers from several organizations diving into the topic of governments stockpiling zero-day flaws. Another, “Industroyer/Crashoverride: Zero Things Cool About a Threat Group Targeting the Power Grid”, covered the issue of nation states attacking industrial control systems (ICS), with a central focus on technical analysis of the malware used during the 2015/2016 power grid incidents in Ukraine, and the impact on grid operations.
DEF CON featured a competition in its first-ever Voting Machine Hacking Village, in which participants attempted to exploit 30 voting machines used during the 2016 elections in an effort to find flaws. One machine was found to still have 600,000 voter registration records on it from Tennessee and within 90 minutes, participants found numerous flaws in the devices. Some enabled attackers to replace firmware, and other exploits worked wirelessly.
Leveraging Hacker Camp Insights
There are more Black Hat and DEF CON highlights than we can mention on a variety of other hot topics, including a popular session analyzing the Shadow Brokers that suggested disgruntled intelligence contractors are involved, and another on the science and psychology of phishing attacks. We’ve barely scratched the surface of Hacker Summer Camp 2017. If there is one key takeaway from these conferences it’s that after more than two decades, Black Hat and DEF CON continue to grow, providing us with an evolving image of the security community’s maturity, and its challenges. Some of the threats presented may sound frightening, but the goal is to provide insight into current security issues and, more importantly, into how to improve enterprise security overall.