IT Focus Area: Security
August 29, 2018
A Look Back at Hacker Summer Camp: Black Hat & DEF CON 2018
Approximately 19,000 security executives, analysts, hackers, academics and government/law enforcement staffers from 112 countries filled the Mandalay Bay Hotel for Black Hat USA 2018. Now in its 21st year, the conference was immediately followed by the 26th anniversary of DEF CON, a less corporate, more festival-like conference at Caesars Palace that attracted an even larger group of hacker-oriented attendees.
Together, the conferences were a whirlwind of sessions, contests and parties. There were a lot of intellectually curious, technically skilled people on hand, reveling in the duo that have become affectionately known as Hacker Summer Camp.
Black Hat and DEF CON are among the oldest security conferences in the U.S., and each is filled with useful information that provides organizations in all industries with a glimpse of the latest cybersecurity research, threats and trends.
The Business Halls at Black Hat were filled with a wide range of vendors, talking about all elements of security. Each was looking to connect with companies in an effort to help them tackle the increasingly connected world that is providing hackers with so many opportunities.
Black Hat and DEF CON founder Jeff Moss—known as Dark Tangent—kicked off Black Hat by telling attendees, “I feel like we’re at a final exam stage…world events have caught up with us, and we’re being tested. Are we as good as we say we are?” Offense is technical, while defense is largely political, he went on to point out. The technology we’re developing favors offense, and that’s where the momentum is, but as defenders, facing issues such as GDPR compliance and third-party risks associated with the cloud, we’re caught up in political and internal disagreements that are slowing down our ability to protect against attackers who don’t have the same constraints. We need to build a culture around defense, and it’s a difficult problem.
“There are maybe 20 companies in the world that are in a position to do something about raising the level of security and resilience for all of us. They make operating systems, mobile operating systems, browsers…their decisions impact hundreds of millions or billions of people. It’s up to us to put our pressure on these companies and ask for features, and we can change the security posture of the entire world.” — Jeff Moss, Founder, Black Hat and DEF CON
As he prepared to welcome Google Director of Engineering and Project Zero “Security Princess” Parisa Tabriz to the stage, he pointed to the move of Google’s Chrome team to deprecate HyperText Transfer Protocol (HTTP) in favor of HyperText Transfer Protocol Secure (HTTPS) for safer browsing as an example of one such influential company that’s making a positive change that affects us all.
Google’s Parisa Tabriz during her Black Hat keynote.
Tabriz preceded her keynote with an image of the 1970s arcade favorite Whac-A-Mole, noting that as things get more and more interconnected, security has come to feel like a reality version of the game.
“We have to stop playing Whac-A-Mole. We have to be more ambitious, more strategic, and more collaborative in our approach to defense.” — Parisa Tabriz, Google Director of Engineering
Poking fun at marketing hype in the industry, she said, “If there’s anything I’m certain of, it’s this: Blockchain is not going to solve all of our security problems!”
She pointed out three things we need to do to be successful:
- Identify and tackle the root cause of the problems we uncover; we cannot be satisfied with isolated fixes.
- Identify milestones in our defensive projects, work towards those milestones, and celebrate progress along the way to stay motivated.
- Build a coalition of champions and supporters outside of security so that our efforts are successful.
Approximately 120 sessions, or “briefings,” spanning 18 tracks took place over two days during Black Hat alone. Both conferences featured a variety of speakers, highlighting attention-grabbing topics ranging from cryptocurrency theft, drone vs. anti-drone competition, and self-driving car security to reverse engineering talking toy bear Teddy Ruxpin, computerizing Christmas cheer with “absurd light shows,” and avoiding burnout, depression, and suicide in the hacker community.
Election security was a major area of focus. At the DEF CON Voting Machine Hacking Village, an 11-year-old hacked into an exact replica of Florida’s state election website in just 10 minutes. Rob Joyce, senior advisor for cybersecurity strategy at the NSA, indulged in a DEF CON tradition for first-time presenters by drinking a shot on stage before sharing his approval of activities such as publicly hacking past the security of voting machines, and detailing how the NSA and private sector can work together to fight threats posed by Russia, China, Iran and North Korea.
Presenters including Jeff Moss (right) participating in “Shoot the N00b,” a DEF CON tradition.
A few of the enterprise security subjects that caught our interest included phishing, artificial intelligence (AI) and machine learning (ML), Internet of Things (IoT) security, container hacks, threat intelligence/hunting, and building security into the software development lifecycle (SDLC).
Phishing
In “Every ROSE has its Thorn: The Dark Art of Remote Online Social Engineering,” Black Hat presenter Matt Wixey talked about how attackers are moving beyond traditional phishing and social engineering attack techniques to increasingly sophisticated and longer-term efforts involving self-referencing synthetic networks, multiple credible false personae, and highly targeted and detailed reconnaissance.
This approach, which he calls Remote Online Social Engineering, or ROSE, is a business-related variant of catfishing that is performed with the goal of compromising an organization's network. After amusing the audience with “new phishing categories,” including dead sea-phishing, kraken-phishing, and Loch Ness-monster phishing—“When you’re not sure your targets even exist, but you once saw a grainy black-and-white photo of them,”—he detailed three case studies of ROSE attacks in the wild, talked about ways in which specific techniques can be detected and prevented, and how ROSE could be used for “offensive defense.”
A DEF CON talk called “Dragnet—Your Social Engineering Sidekick” detailed a phishing framework that collects dozens of open source intelligence (OSINT) data points on past and present social engineering targets. It provides recommendations for use on attackers’ current targets: phishing templates, vishing scripts and physical pretexts, all to increase conversions with minimal effort, making Dragnet “one hell of a catch.”
Artificial Intelligence & Machine Learning
Not surprisingly, AI was a popular area of focus. Several talks and conference workshops, get-togethers, and dedicated groups focused on various aspects of the technology. One research group demonstrated a technique for hiding malware in typical applications—such as Microsoft Outlook—using AI to fend off traditional endpoint security solutions. The malware is activated using facial-recognition software; when the intended target sits in front of the computer, they suddenly find that it has been wiped.
In “AI & ML in Cyber Security - Why Algorithms Are Dangerous,” Black Hat presenter Raffael Marty noted that vendors are all talking about how they are applying machine learning, and as a security company you have to claim artificial intelligence to even be part of the conversation.
“Guess what? It's all baloney. We have entered a state in cybersecurity that is, in fact, dangerous. We are blindly relying on algorithms to do the right thing. We are letting deep learning algorithms detect anomalies in our data without having a clue what that algorithm just did.” — Raffael Marty, VP Corporate Strategy, Forcepoint
Instead of building systems with actual security knowledge, Marty said, companies are using algorithms that nobody understands and, in turn, discovering wrong insights. After highlighting infamous AI failures—including the “racist” Google Photos image recognition algorithm that made headlines in 2015—he pointed out the dangers of blindly applying algorithms to data like throwing spaghetti against a wall. Algorithms make assumptions about data, they are too easy to use, and they do not take domain knowledge into account.
Rather than algorithms that model the shape of data, he said, we need to take domain expertise into account through the use of a set of Bayesian belief networks in which indicators are fused together using a probabilistic graphical framework. Belief networks allow learned knowledge to be verified and extracted, and help systems accurately assess the likelihood of data theft and other data loss classes. With data scientists and security experts working together, machine learning and artificial intelligence can be applied to generate a risk score for various data security incidents that reflects not only the risk of the action, but also the sensitivity of the data.
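As an added illustration of the belief-network approach Marty describes (this is constructed example code, not Forcepoint's or Marty's model; every indicator, probability and sensitivity weight in it is an assumed placeholder), the block below fuses a few exfiltration indicators through a single-parent Bayesian network, exposes the per-indicator likelihood ratios so an analyst can verify what drove the belief, and scales the result by data sensitivity to produce a risk score:

```python
# Added illustrative example, not Marty's or Forcepoint's model: a minimal Bayesian
# belief network that fuses exfiltration indicators into a data-loss risk score.
# Every probability and weight below is a constructed placeholder, not a measured value.

PRIOR_THEFT = 0.02  # P(T): hypothesis node T = "sensitive data is being stolen"

# Indicator nodes, each a child of T. Conditional probability table entries:
# name -> (P(indicator present | T), P(indicator present | not T)).
INDICATORS = {
    "after_hours_access": (0.60, 0.10),
    "bulk_download": (0.70, 0.05),
    "new_cloud_destination": (0.50, 0.08),
}

# Domain knowledge an unsupervised anomaly detector never sees: data sensitivity.
SENSITIVITY = {"public": 0.1, "internal": 0.4, "confidential": 0.7, "regulated": 1.0}


def likelihood_ratios(evidence):
    """Per-indicator P(e|T)/P(e|not T) for observed indicators (others are omitted).

    This is the extractable, checkable knowledge: an analyst can see which
    indicator moved the belief and inspect the CPT entry behind it."""
    ratios = {}
    for name, present in evidence.items():
        p_t, p_not = INDICATORS[name]
        ratios[name] = p_t / p_not if present else (1 - p_t) / (1 - p_not)
    return ratios


def posterior_theft(evidence):
    """Exact P(T | evidence): indicators are conditionally independent given T,
    so posterior odds = prior odds * product of likelihood ratios."""
    odds = PRIOR_THEFT / (1 - PRIOR_THEFT)
    for ratio in likelihood_ratios(evidence).values():
        odds *= ratio
    return odds / (1 + odds)


def risk_score(evidence, data_class):
    """0-100 score: belief that theft is under way, scaled by data sensitivity."""
    return round(100 * posterior_theft(evidence) * SENSITIVITY[data_class], 1)


if __name__ == "__main__":
    # Constructed scenario: bulk download after hours to a never-seen cloud host.
    seen = {"after_hours_access": True, "bulk_download": True, "new_cloud_destination": True}
    print("likelihood ratios:", likelihood_ratios(seen))
    print(f"P(theft | evidence) = {posterior_theft(seen):.3f}")
    print("risk, regulated data:", risk_score(seen, "regulated"))
    print("risk, public data:", risk_score(seen, "public"))
```

The same three indicators yield a score of about 91 for regulated data but only about 9 for public data, which is the point of folding sensitivity into the score rather than alerting on the anomaly alone.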
Internet of Things (IoT)
IoT was another prevalent theme. Presenters pointed out vulnerabilities in everything from smart cities to smart toilet seats. Session titles were rife with warnings such as, “Your Watch Can Watch You!,” “We’re listening to You!” and “Vulnerable Out of the Box!” One particularly notable Black Hat presentation, "Legal Liability for IOT Cybersecurity Vulnerabilities", focused on the legal ramifications of IoT attacks. Speaker Ijay Palansky is the lead counsel for the class-action lawsuit against Fiat Chrysler, which stems from the infamous hacking of a 2014 Jeep Cherokee’s engine. Palansky warned that lawyers across the country will be keeping a close eye on the case, and it is likely to open the floodgates for future IoT security litigation.
Another session, “Understanding and Exploiting Implanted Medical Devices,” highlighted risks associated with vulnerabilities in critical medical devices, including insulin pumps and wireless pacemakers. Presenter Billy Rios described how attackers can exploit the vulnerabilities to modify delivery of patient therapy from numerous manufacturers’ devices, altering medicine dosages and administering shocks. Rios detailed attack surfaces, what exploits against the affected devices look like, and how manufacturers are responding to potentially life-threatening security issues.
Container Hacks
The popularity of software container platforms such as Docker and Kubernetes has exploded over the past few years and, as Black Hat presenter Wesley McGrew pointed out, “This is likely to make life a lot easier for attackers.” With containers, each application (or process) on a server gets its own isolated runtime environment while sharing the host server's operating system (OS).
Since containers don't have to load an OS, they can be created almost instantly. They can be spun up and taken down much faster than virtual machines (VMs) and are more portable and easy to scale. The same hardware can support a much greater number of containers than VMs, reducing infrastructure costs and enabling applications to deploy faster.
However, the same elements that enable containers to increase agility also present security challenges. Because containers can be created in seconds, it is virtually impossible for traditional network and endpoint security controls to keep up with the changes required to secure them. And while exploitation and manipulation of traditional monolithic applications might require specialized experience and training in the target languages and execution environment, applications made up of services distributed among multiple containers can be effectively explored and exploited "from within," using many of the system and network-level techniques that attackers already know.
A DEF CON workshop called “Attacking & Auditing Docker Containers Using Open Source” focused on security issues and vulnerabilities in Dockerised environments. Attendees learned how to find security misconfigurations, insecure defaults, and container escape techniques used to gain access to the host operating system or clusters; they also looked at real-world scenarios where attackers compromised containers to gain access to applications, data and other assets.
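As an added example of the auditing side of that workshop's theme (constructed here, not the workshop's own material), the block below checks a `docker inspect`-style record for the misconfigurations and insecure defaults that most often turn a container compromise into host access; the sample record, its container name and the severity labels are all assumptions:

```python
# Added illustrative example (not the workshop's material): audit docker inspect
# style records for the misconfigurations that most often enable container escape.
# The record below is constructed; field names follow the docker inspect JSON layout.
import json

RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock"}


def audit_container(record):
    """Return a list of (severity, finding) tuples for one container record."""
    findings = []
    host = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    if host.get("Privileged"):
        findings.append(("high", "--privileged disables nearly all isolation"))
    for bind in host.get("Binds") or []:  # "host_path:container_path[:opts]"
        src = bind.split(":")[0]
        if src in SENSITIVE_HOST_PATHS:
            findings.append(("high", f"sensitive host path {src} mounted into container"))
    for mode in ("PidMode", "NetworkMode", "IpcMode"):
        if host.get(mode) == "host":
            findings.append(("medium", f"{mode}=host shares that host namespace"))
    raw_caps = host.get("CapAdd") or []
    caps = {(c[4:] if c.upper().startswith("CAP_") else c).upper() for c in raw_caps}
    if caps & RISKY_CAPS:
        findings.append(("medium", "risky capabilities added: " + ", ".join(sorted(caps & RISKY_CAPS))))
    if not cfg.get("User"):
        findings.append(("low", "no USER set: processes run as root inside the container"))
    return findings


# Constructed sample, shaped like `docker inspect <container>` output.
SAMPLE = json.loads("""[{
  "Name": "/ci-runner",
  "Config": {"User": ""},
  "HostConfig": {"Privileged": false,
                 "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/app:/app:ro"],
                 "PidMode": "host", "NetworkMode": "bridge", "IpcMode": "private",
                 "CapAdd": ["SYS_ADMIN", "NET_BIND_SERVICE"]}}]""")

if __name__ == "__main__":
    for container in SAMPLE:
        for severity, finding in audit_container(container):
            print(f"{container['Name']}: [{severity}] {finding}")
```

Run against real output with `docker inspect $(docker ps -q)` piped into `json.load`; a clean record (non-root user, no sensitive binds, default namespaces, no added capabilities) returns an empty list.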
Threat Intelligence & Hunting
If an attacker had a foothold in your network today, would you know it? The Black Hat session “The New Pentest? Rise of the Compromise Assessment” focused on the importance of proactively finding attackers in an environment before they can cause damage (or at least stopping the bleeding from continued exposure). Unfortunately, effective threat hunting practices remain out of reach for many organizations due to a lack of security infrastructure and qualified people. Threat and vulnerability management services such as compromise assessments, along with threat intelligence and deception solutions, can help organizations get the tactical, operational and strategic insights they need to understand how they are being targeted, and limit attackers’ dwell time.
Building Security into the SDLC
The need to bake security in rather than bolt it on was expressed by numerous presenters. For next-generation security to be most effective, it needs to be integrated deeply into an organization’s architecture. Barriers between security and application development and operations teams need to be overcome in order to glean meaningful feedback and ensure new systems are not introducing new threats that cannot be effectively countered.
Having personnel from development, security and operations collaborate on projects is vital. Security teams need to evolve and move faster in order to keep up and make an impact, so that DevOps and security can be aligned within a new approach—DevSecOps.
In “Stop that Release, There's a Vulnerability!,” Black Hat presenter Christine Gadsby offered tips on how to document, tag, and track security vulnerabilities, their fixes, and how to prioritize them into release targets. She outlined how to build a release review process, when to escalate to gate a release, who to inform, and how to communicate effectively.
Hack to the Future
Conference speakers eyed older technologies that businesses are still using, and looked to the future. In DEF CON’s “What the Fax!?,” security researchers posed the question, “Who on earth is still using fax machines?” The answer, they noted to their great horror, is just about everyone. Fax machines are still widely used in sectors such as healthcare, legal, banking and real estate—where organizations store and process vast amounts of highly sensitive personal data—despite their almost nonexistent security.
Hoping to disrupt “this insane state of affairs,” the presenters invited attendees to join them in the strange world of embedded operating systems, 30-year-old protocols, museum-grade compression algorithms, and un-debuggable environments as they conducted a live demonstration of the first ever full fax exploitation, leading to complete control over the entire device as well as the network using nothing but a standard telephone line.
“Searching for the Light: Adventures with OpticSpy” featured hacker Joe Grand pulling data out of a seemingly solid red LED. By modulating light in a way that the human eye cannot see, he said, a simple, yet clever, covert channel lets hackers hide in plain sight.
“In the counter-future where we, the dissidents and hackers, have control of technology, sending secret messages through blinkenlights can let us exchange information without being detected by dystopian leaders.” — Joe "Kingpin" Grand, electrical engineer, inventor, and hardware hacker
OpticSpy looks for and decodes data hidden in optical signals, enabling hobbyists and hackers to search for covert channels existing on modern devices, add optical data transfer functionality to a project, or capture and decode signals from remote controls and other consumer electronics that intentionally send information through light waves.
Leveraging Hacker Summer Camp Insights
We’ve barely scratched the surface of Hacker Summer Camp 2018! There are more Black Hat and DEF CON highlights than we can mention on a variety of other hot topics, including Windows vulnerabilities, O365 and AWS threats, and ICS attacks. If there is one key takeaway from these conferences, it’s that after more than two decades, Black Hat and DEF CON continue to grow, providing us with an evolving image of the security community’s maturity and its challenges. Some of the threats presented may sound frightening, but the goal is to provide insight into current security issues and, more importantly, into how to improve cybersecurity overall.