The Good and the Terrifying Things at Black Hat 2016
Black Hat is a gathering of security researchers, hackers and industry that meets in Las Vegas to do three things: outline the latest threats, show how the good guys and the bad guys can be defeated and launch attacks on the attendees. This year saw plenty of scary attacks, including one against show attendees, along with car hacks, new ways to steal cash from ATMs and why smart lightbulbs might not be as safe as we thought. But we also saw lots of reason to hope, like teaching machines to spot dangerous servers, using Dungeons and Dragons to train employees on handling security threats and how Apple handles the security of your iPhone. It was, all told, a pretty mind-bending year.
Yes, Apple announced a bug bounty program at Black Hat. But that was just the last 10 minutes of a presentation by Ivan Krstic, Apple's head of security engineering and architecture. During the preceding 40 minutes he offered an unprecedented deep dive into the ways Apple protects users' devices and data, both from malefactors and from itself. And yes, it does involve using an honest-to-God blender.
As Internet of Things devices become more and more popular, security professionals are becoming more and more concerned. These are, after all, devices with microcomputers connected to networks and fully capable of running code. That's an attacker's dream. The good news is, at least in the case of the Philip's Hue system, creating a worm to jump from lightbulb to lightbulb is very difficult. The bad news? It's apparently very simple to trick Hue systems into joining an attacker's network.
Every security training in every business include the admonition that employees should never click links in emails from unknown sources. And employees continue to be duped into clicking them regardless. Dr. Zinaida Benenson, from the University of Erlangen-Nuremberg, concluded that it's simply not reasonable to expect employees to resist curiosity and other motivations. If you want them to be James Bond, you should put that in the job description and pay them accordingly.
A lot of security research and execution can be mind-numbingly tedious, but new techniques in machine learning might soon lead to a safer Internet. Researchers detailed their efforts at teaching machines to identify botnet command and control servers, which allow the bad guys to control hundreds of thousands (if not millions) of infected computers. The tool could help keep a lid on such nefarious activity, but it wasn't all heavy research. To conclude their session, researchers demonstrated how machine learning systems could be used to generate a passable Taylor Swift song.
The who-knows hotel network may be fine for a pet supply conference, but not for Black Hat. The conference has its own entirely separate network and an impressive Network Operations Center to manage it. Visitors can peer in through the glass wall at the many glowing screens, hacker movies and long-term security experts in the NOC, which gets packed up in its entirety and moved around the world to the next Black Hat conference.
IT security wonks and white-hat hackers just can't get enough of security trainings, but they're not the ones that really need them. The sales staff, HR team, and call center crew don't necessarily understand or appreciate security trainings, and yet you really need them to step up their security game. Researcher Tiphaine Romand Latapie suggested reworking security training as a role-playing game. She found that it totally worked, and produced significant new engagement between the security team and the rest of the staff. Dungeons and dragons, anyone?
Scam phone call are a huge problem. IRS scams convince unsuspecting Americans to fork over cash. Password reset scams trick call centers into giving away customer data. Professor Judith Tabron, a forensic linguist analyzed real scam calls and devised a two-part test to help you spot them. Read this and learn, OK? It's a simple and worthwhile technique.
Pwnie Express builds devices that monitor network airspace for anything untoward, and it's a good thing, too, because the company discovered a massive Man-in-the-Middle attack at Black Hat this year. In this case, a malicious access point changed its SSID in order to fool phones and devices into joining the network, thinking it to be a safe, friendly network the device had seen before. In doing so, the attackers tricked some 35,000 people. While it's great that the company was able to spot the attack, the fact that it was so massive is a reminder of how successful these attacks can be.
Last year, Charlie Miller and Chris Valasek presented what many assumed was the pinnacle of their car hacking careers. They returned this year with even more daring attacks, ones that are able to apply the brakes or nab control of the steering wheel when the car is moving at any speed. Previous attacks could only be carried out when the car is traveling at 5Mph or lower. These new attacks could pose great risk to drivers, and will hopefully be swiftly patched by auto manufacturers. For their part, Valasek and Miller said they're done hacking cars, but encouraged others to follow in their footsteps.
If you watch Mr. Robot, you know that it's possible to infect a victim's computer by strewing USB drives around the parking lot. But does it really work? Elie Bursztein, anti-fraud and abuse research lead at Google, presented a two-part talk on the subject. The first part detailed a study that clearly showed it does work (and parking lots are better than hallways). The second part explained, in great detail, exactly how to build a USB drive that would totally take over any computer. Did you take notes?
Drones were a hot item last holiday shopping season, and maybe not just for geeks. A presentation showed how the DJI Phantom 4 could be used to jam industrial wireless networks, spy on employees, and worse. The trick is that many critical, industrial sites use what's called an "air gap" to protect sensitive computers. Basically, these are networks and devices that are isolated from the outside Internet. But small, maneuverable drones can bring the Internet to them instead.
Machine learning is on the cusp of revolutionizing numerous tech industries, and that includes scammers. Researchers at Black Hat demonstrated how machines could also be taught to produce highly effective spear phishing messages. Their tool determines high-value targets, and then scours the victim's tweets in order to craft a message that's both relevant and irresistibly clickable. The team didn't spread anything malicious with their spam bot, but it's not hard to imagine scammers adopting these techniques.
You expect free Wi-Fi in a hotel, and you may be savvy enough to realize it's not necessarily secure. But an Airbnb or other short-term rental, security can potentially have the worst security ever. Why? Because guests before you had physical access to the router, meaning they could totally own it. Jeremy Galloway's talk detailed what a hacker can do (it's bad!), what you can do to stay safe, and what the property owner can do to deter such attacks. It's a problem that's not going away.
In one of the most comprehensive talks at Black Hat, Rapid7's Senior Pentester Weton Hecker demonstrated what might be a new model for fraud. His vision includes a massive network of compromised ATMs, point of sale machines (like in the grocery store) and gas pumps. These could steal victim's payment information in real-time and then quickly enter them with the help of a motorized PIN-pushing device. The talk ended with an ATM spewing cash, and a vision of the future where scammers buy not individuals' credit card information, but access to a massive real-time network of payment scams.
That wasn't the only presentation at Black Hat to detail attacks on payment systems. Another group of researchers showed off how, with a Raspberry Pi and a little effort, they were able to intercept oodles of personal information from chip card transactions. That's particularly notable not only because chip cards (AKA EMV cards) are considered more secure than magswipe cards, but because the US has just begun rolling out chip cards domestically.
Next year will bring new research, new hacks and new attacks. But Black Hat 2016 has set the tone for the year, showing that a hacker's work (whether white- or black-hatted) is never really done. Now if you'll excuse us, we're going to shred our credit cards and go off to live in a Faraday Cage in the woods.