Posted by Robert Vamosi on July 31, 2017
Another week of InfoSec in the desert is history. Black Hat USA started as the Black Hat Briefings in 1997, and has remained mostly corporate. It grew out of the hacker-friendly environment of DEF CON which started as a going away party for a friend of the founder, Jeff Moss, in 1993. Together, the two conference represent the largest annual gathering of InfoSec experts in the world.
There’s the public side of Black Hat USA which includes talks starting on Wednesday and Thursday. However, the conference officially starts on Saturday morning with two- and four-day training classes. These classes are used by attendees to help retain certification status by providing continuing education credits.
Before the Black Hat talks started, Synopsys hosted codenomi-con, the ninth annual gathering of security experts on Tuesday night. Once again, the event was held at the House of Blues in Mandalay Bay, and this year was the first time it was broadcast live on Facebook and Twitter. The event featured speakers including Chenxi Wang and Graham Cluley. Numerous experts sat on various panels, concluding with the annual Super Hacker panel featuring Dr. Charlie Miller, Dr. Jarred DeMott, Matt Carpenter, Jonathan Butt, and Billy Rios with Josh Corman in the hot seat as moderator.
On Wednesday, general themes for Black Hat were set forth early by Alex Stamos (CSO Facebook) in his keynote speech. He looked back at his own 20 years in InfoSec and talked about how the industry isn’t good at empathy. And, how some security experts still look down on people who don’t get it.
He also spoke about security nihilism. Stamos cited an example from his own company in which WhatsApp was faulted for an implementation of encryption. He said these were carefully considered choices that resulted in stronger security for millions worldwide. However, at the time people claimed there was a backdoor, which cryptographers later said simply wasn’t true. He noted that some in the security community only know how to criticize and not make things better for everyone.
IoT was also prominent this year. Among the array of interesting talks given Wednesday and Thursday, Billy Rios and Jonathan Butts presented on hacking automated car washes (which are mini-ICS systems). The duo presented a video with car being attacked by an automated car wash machine under their control.
Another IoT talk focused on radiation monitors. Rubin Santamarta said since he couldn’t get access to nuclear power plants directly, he could get access to the radiation monitors. He pointed out that the incident at Three Mile Island in 1979 was made worse because of false readings from the radiation sensors. Flooding the sensors along the perimeter of the nuclear plant with fake data could lead to a nuclear mistake inside the plant.
Finally, Lucas Lundgren presented on MQTT, a little known protocol that is now widely used in IoT. He said in one year it has grown in use from roughly 59,000 instances to over 87,000 instances as of Black Hat. He showed examples of how he could read data from a Tesla car (Tesla does not formally support MQTT), a train station with departure information, a particle accelerator, and a gas and power system. His message was it’s not the protocol’s fault, it’s the people using it that need to secure the information with a username and password. And, ideally perform certificate pinning on the device itself as well.
There were no less than five talks about fuzzing, perhaps the most in any one year at the event. Most of these talks focused on a new area known as differential fuzzing, where two or more systems undergoing fuzzing are compared. There was also a presentation on fuzzing cryptographic systems.
Other topics at Black Hat included machine learning and AI. It should be no surprise that machine learning can be used to defend against an attack and to cause an attack. In defense, a machine might learn the types of attacks a system faces and create rules that defend it. However, a bad actor might also use machine learning to find which avenues have been shut down and create new vectors for attack.
Similarly, AI can be used by the bad actors to skillfully and quickly create spear-phishing attacks by scanning social media on the web, a process that used to take humans several hours.
On Thursday, DEF CON kicked off at Caesar’s Palace in the conference center once used for Black Hat. The hotel and casino are undergoing some renovation which made threading through the narrowed escalators and corridors much more of a challenge than previous years at the Rio—or even at Bally’s and Paris.
There are more villages this year, special interest rooms where the focus might be social engineering, IoT, or car hacking.
During the conference, Fault Injection co-hosts, myself and Chris Clark, recorded several episodes. First up, guest Kevin Mitnick provided recommendations on how to stay safe while attending hostile security conferences such as Black Hat and DEF CON. Upcoming Fault Injection podcasts include InfoSec superstars, including: Chenxi Wang, Ken Modeste, and Jarred DeMott. Look for these episodes in the coming weeks.