IT Focus Area: security
August 30, 2019
A Sirius Recap of Black Hat 2019
The information security conference trifecta of Black Hat, DEF CON and BSidesLV, dubbed Hacker Summer Camp, took over Las Vegas from August 3 to August 11, 2019. And what’s camping without bugs? Adding to an authentic camp experience, Vegas was still recovering from a grasshopper invasion large enough to show on weather radar when the 19,000-plus people connected to these events came to town.
Campers in attendance had a full schedule. First up was the lesser known BSidesLV. This non-profit organization is part of a global movement aimed at increasing awareness and community collaboration among the information security industry.
Next up was the linchpin event of Hacker Summer Camp, Black Hat. The event is known for a strong focus on security topics important to business outcomes. If you’re looking for a concentration of industry decision-makers and influencers, this is the place to be.
DEF CON immediately follows Black Hat and offers a less buttoned-up vibe as one of the world’s most notable hacker conferences.
To top it off, smaller, spin-off events were happening simultaneously, making Vegas the definitive map-pin location during the first week of August for anyone in the security industry.
Black Hat 2019
Black Hat is the largest, single-event training opportunity in the U.S. for the information security industry. Throughout its 22-year history, the conference has continued to grow in attendance, sessions and sponsors. Over the preceding 5 years, attendance grew at an annual rate of 21%. This year’s event attracted over 19,000 attendees aligned with the security industry. This speaks to the quality and volume of the learning opportunities available―and to the growing challenges facing the industry.
The conference was held at the Mandalay Bay and kicked off with four days of technical training followed by a two-day conference that included Briefings, Arsenal and the Business Hall. The Briefings are informational sessions featuring industry experts sharing their research, open-source tools and zero-day exploits. Arsenal features demos of open-source tools and gives attendees a hands-on experience with many of them. In the Business Hall, the industry’s top innovators and solution providers are present to showcase their latest solutions with knowledgeable staff on hand to answer questions.
Black Hat was the epicenter of the security industry during Hacker Summer Camp and some Sirius security experts attended to take full advantage of the centralized learning and networking. We’re rounding up their thoughts, comments and insights here.
Keynote Presentation Highlights Unified Security
Taking the stage with sparkly shoes and a laugh, Jeff Moss, founder of both Black Hat and DEF CON, welcomed everyone to the conference. He gave a shout-out to people who were the single attendee from their country and who helped bring the number of represented countries to 112. He also highlighted the conference’s continuing dedication to building skills and opportunities for the infosec community, sharing that over 300 scholarships were provided for attendance this year.
Security is now a priority topic for the business office, and Moss believes it’s time for security teams to ask for the support they need. The challenge is in getting the business segments to talk to one another in a common, understandable language.
Cyber is now treated as the fifth domain of war, after land, sea, air and space, but its attack fronts are different: they follow the geography of networks rather than physical territory. Moss said it will be up to the security industry to find the right ways to communicate these differences.
If communication is key to aligning a security strategy with a business strategy, Moss sees this challenge as good news. He says it's fixable, and that “communication is a soft skill that can be learned and will contribute to better business outcomes.”
With an introduction by Philippe Courtot, Chairman/CEO of Qualys, keynote speaker Dino Dai Zovi took the stage next. Currently serving as Mobile Security Lead at Square, this was his 20th Black Hat. He shared some throwback thoughts about the early days of Black Hat, and how the industry and the conference have changed.
With callouts to reading Phrack ezine, the movie “Short Circuit,” and thinking that hacking was some sort of magic, he recalled spending his first Black Hat playing Capture the Flag day and night. Fast forward to today, he’s now on the inside of security. The most important thing he’s learned? He says software is the universal substrate of value today and it is the key differentiator for organizations.
Keynote speaker Dino Dai Zovi of Square.
Dai Zovi gave attendees three important takeaways about unified security:
- Work backward from the job. Understand who you are solving a problem for and what they need from the solution. Talking directly with involved internal teams is vital.
- Seek and apply leverage. Build strong feedback loops because the tighter ones win.
- Culture is more powerful than strategy, which is more powerful than tactics. There needs to be shared risks to create a culture that moves away from fear, and “No,” as the first responses.
The key takeaways resonated because security is the responsibility of every employee and every department. The more that security in deliverables is a function of those creating deliverables, the more there will be high-quality security built into code. As this shift happens in dev and across organizations, security teams must realize that their services are a deliverable to the company and its customers.
― Dan Nickolaisen, Sirius Solutions Architect
Our Takeaways from Black Hat Briefings
Many of the Briefings on the agenda this year were about finding, reporting and mitigating vulnerabilities. Clever people with evil intent are finding new ways to attack publicly exposed services and assets, often by combining technical flaws with social engineering.
Over 120 Briefings were offered, with 21 available tracks, and choices of 25-minute or 50-minute sessions. The Sirius team took a selective approach, focusing on the topics we saw as being of foremost importance—including proactive response through visibility and automation.
Here’s a look at our takeaways:
Smartphones and cellular networks were featured in several sessions. The exposure of 5G networks to man-in-the-middle attacks was explored during the “New Vulnerabilities In 5G Networks” session, presented by Altaf Shaik and Ravishankar Borgaonkar.
The weaknesses involve both device baseband chipsets and the network backbone. Before any security context is established, the network and the connecting device exchange capability information in the clear, including which spectrum bands are supported, which features are enabled and more. Because nothing protects that exchange yet, an attacker in the middle with low-cost radio hardware and open-source software can read or alter it, which is the root of the new vulnerabilities the presenters demonstrated.
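As an added illustration (not code from the presenters, and not 3GPP message formats), the following Python model shows why an unprotected capability exchange matters. The device reports its capabilities in plaintext before a security context exists, a relaying false base station strips bands and features from the report, and the network has no way to notice. The second half models the same report once an integrity key is in place: the relay can still alter the content, but the MAC check fails. The names `UE_CAPABILITIES`, `SESSION_KEY`, the message fields and the HMAC-SHA256 construction are all constructed for this example.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample: what the phone actually supports. Field names are an
# assumption for illustration, not 3GPP information elements.
UE_CAPABILITIES = {
    "bands": ["n78", "n41", "n1"],
    "features": ["carrier_aggregation", "voice_over_nr", "ciphering_NEA2"],
}

# Session integrity key. In a real network it is derived during authentication;
# here it is a fixed constructed value so the example runs offline.
SESSION_KEY = b"constructed-integrity-key"


def capability_message(caps):
    """Unprotected capability report, sent before any security context exists."""
    return {"type": "CapabilityInformation", "caps": copy.deepcopy(caps)}


def protected_capability_message(caps, key):
    """Same content after security activation: carries a MAC under the session key."""
    body = json.dumps(caps, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"type": "ProtectedCapability", "caps": copy.deepcopy(caps), "mac": mac}


def verify_protected(msg, key):
    """Network-side check: recompute the MAC over the received capabilities."""
    body = json.dumps(msg["caps"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


def relay_and_downgrade(msg):
    """A false base station relaying the message while stripping capabilities."""
    tampered = copy.deepcopy(msg)
    tampered["caps"]["bands"] = tampered["caps"]["bands"][:1]
    tampered["caps"]["features"] = [
        f for f in tampered["caps"]["features"] if f != "carrier_aggregation"
    ]
    return tampered


def network_view_unprotected(caps=UE_CAPABILITIES):
    """What the network ends up believing when the plaintext report is relayed."""
    received = relay_and_downgrade(capability_message(caps))
    # No integrity check is possible: the network holds no key material yet.
    return received["caps"]


def network_accepts_protected(caps=UE_CAPABILITIES, key=SESSION_KEY, tamper=False):
    """Whether the network accepts the integrity-protected report, tampered or not."""
    msg = protected_capability_message(caps, key)
    if tamper:
        msg = relay_and_downgrade(msg)
    return verify_protected(msg, key)


if __name__ == "__main__":
    print("device supports:", UE_CAPABILITIES)
    print("network believes (unprotected):", network_view_unprotected())
    print("protected, untampered accepted:", network_accepts_protected())
    print("protected, tampered accepted:", network_accepts_protected(tamper=True))
```

The model deliberately leaves out authentication, key derivation and the real radio layers; its only point is that a capability report accepted before integrity protection is active cannot be distinguished from a downgraded one, so deferring the exchange until a security context exists (or re-validating it afterward) is the shape any mitigation has to take.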
Bypassing device biometric security was front and center at the “Biometric Authentication Under Threat: Liveness Detection Hacking” briefing. Liveness detection means verifying that the biometric measure in use, such as a fingerprint, voice or face, is an actual, live measurement from the authorized person rather than a replay or a replica. This is the Achilles’ heel of biometric security, and presenters Yu Chen, Bin Ma and Zhuou Ma showed a number of ways it can be bypassed.
The glasses pictured were used as an example of defeating liveness detection protocols with a simple biometric hack.
Remote Access Vulnerabilities
The session “Infiltrating Corporate Intranet Like NSA—Pre-auth RCE on Leading SSL VPNs” highlighted 20 to 30 different vulnerabilities in leading SSL VPN products, both pre- and post-authentication, including:
- Pre-auth remote code execution, meaning an attacker can take over the VPN server without ever authenticating to it
- Post-auth credential sniffing from a plaintext credential cache maintained by the server
- Remote code execution on the VPN client once the server it connects to has been compromised
- Heap and buffer overflows on both the client and server sides
Researchers Orange Tsai and Meh Chang stressed that SSL VPN not only means Virtual Private Network, it also means a “Vulnerable Point of Your Network.” This session offered some immediately actionable items shared with the intent of helping enterprises apply immediate mitigation.
The Boeing 787 has been getting plenty of bad press, including recent reports of metal shards falling off during takeoff and landing at several airports, and the “ARM IDA and Cross Check: Reversing the Boeing 787’s Core Network” session was all about the Dreamliner’s vulnerabilities to hacker attack.
Presenter Ruben Santamarta called out a 2008 Wired article about the perceived risk to critical aircraft networks, which handle safety and maintenance functions, from increased passenger connectivity. Through simple Google searches he discovered a publicly exposed Boeing server hosting firmware for the aircraft’s core network, and by reverse engineering that firmware he identified vulnerabilities that, he argued, could let an attacker reach the critical device networks.
He also reported on beaconing events happening during different stages of flight, and on a number of airports whose receiving servers are publicly reachable. In the interest of full disclosure, Boeing has already responded to his Black Hat presentation and disputes the validity of his research. He closed on a “safety first” note, hoping a third party could confirm or deny whether the vulnerabilities he presented are actually exploitable.
Sponsored Sessions Offer Valuable Solutions
If anyone stayed away from the sponsored sessions for fear of getting too much marketing push, it was an unfortunate decision. Of the sponsored sessions we attended, we found tremendous value hearing directly from the organizations working every day to produce viable, repeatable solutions for our industry’s challenges. Being exposed to logos during these sessions seemed like a small price to pay for the value of the information received. Here’s a quick overview of a few sessions that our team attended.
“Digital Transformation, Risk and the Identity Driven SOC,” sponsored by RSA, reviewed the challenges organizations are experiencing with threat hunting, detection and response processes. The problem: they aren’t documented, they don’t adapt, they’re too manual, or they were never created at all. What’s the fix? Don’t create hard and fast processes. Adaptability is prime and, as we move into an era of zero trust, two-factor authentication must be required for anything considered sensitive.
Silent malware that evades detection and modifies its behavior was the topic of “Defeating Evasive Malware: Sacrifice is a Good Little Trick,” sponsored by Cisco. Initial compromise generally happens when a user opens a PDF or document sent through email, although WordPress sites that haven’t been updated are another common entry point. This session helped attendees learn more about the evasive maneuvers at work in evolving malware, and about the “Friday” kit developed to help learn from, deceive, defeat and capture these evasive types of malware.
The Business Hall Gets Down to Business
With over a hundred exhibitors, the solutions offered in the Business Hall were some of the latest innovations from top solution providers. This is a great opportunity to gain first-hand knowledge of what’s new and to mentally bookmark things that deserve a deeper look after the conference.
F5 offered multiple hands-on experiences in their booth in the Business Hall.
What seemed especially in focus this year? Doug Piner, Sirius Solutions Architect, saw more emphasis on prevention solutions, underscoring the industry’s push to be more proactive.
Having tools in place before a breach can be the difference between hours and weeks to contain a breach. Understanding the differences and which is the best fit for a given client is a challenge. Preventative solutions are a way to know many of them at a surface level. It is always important to continue to add solutions to our offerings.
―Doug Piner, Sirius Solutions Architect
Bringing Black Hat Knowledge to Our Clients
So, what are our main takeaways from the conference as a whole? Nickolaisen felt that visibility, resilience and automation were top of mind for speakers, attendees and exhibitors.
Organizations are breached constantly because of what they didn’t know. Visibility is the first hurdle and must be built using a number of technologies and processes.
―Dan Nickolaisen, Sirius Solutions Architect
Visibility and Resilience
The infosec industry holds this truth: there are two types of organizations—those who have been breached and those who don’t know they’ve been breached. The pairing of resiliency and visibility is necessary to quickly identify and contain incidents that could otherwise go undetected for months and could lead to substantial losses of data, capital and reputation.
Services, programs and people will fail. That’s inevitable. A focus on resilience—the ability to quickly recover—is crucial for modern organizations to quickly address incidents and mitigate risks.
―Dan Nickolaisen, Sirius Solutions Architect
Many organizations, and the industry at large, are dealing with fewer resources and more cybersecurity skill gaps. Automation can help alleviate some of this burden with both proactive and reactive measures to serve as a force multiplier. Automation marries visibility with resilience, multiplies human capabilities and addresses the onslaught of security events that must be triaged, investigated, confirmed, contained and mitigated.
Campers, it’s Time to Head Home
The end of Hacker Summer Camp is just the beginning for attendees who leave inspired, educated and aware. Our team will leverage all that we learned to continue to help our clients advance their security programs.
The evolving landscape of cyberthreats isn’t getting any less complex, so mark your calendars for next year. Black Hat 2020 takes place in Las Vegas on August 1 - 6, 2020. We’ll be there, so if you can’t make it, look for our roundup again this time next year.