What security pros need to know from Black Hat & Def Con 2019

Black Hat and Def Con came and went as quickly as they ever do. The week-long pair of back-to-back conferences, referred to as “hacker summer camp,” draws the security crowd from across the world to Las Vegas, where startups tout their technologies as hackers and researchers reveal their findings.

This year we saw ordinary-looking charging cables that can hack your computer, we found out that cloud backups are easily exposed, that robocall blocking apps aren’t as privacy-focused as you might think, and that your corporate VPN and office printer are targets for hackers (and if they fail there, they’ll just ship a hardware exploit to your mailroom). Even students can easily hack their own school systems.

The obvious takeaways might be to never plug anything into your computer and that all your data is already ‘pwned’.

But what does that all mean to the average security professional, let alone the CISO at the top of the corporate chain? Between the villages and the many speaker tracks — not to mention the darting between hotels — it’s tough to know exactly what we should take away from the shows.

We spoke to four security experts who were there and asked them what their primary takeaways were for security decision-makers.

Internet of Things is a risk factor

We may think of the Internet of Things (IoT) as connected appliances, toasters and other household items, but the increasingly connected nature of traditionally offline devices — like air conditioning units, heating, and building automation — is making the surface area for security flaws and vulnerabilities far greater.

“Digital security vulnerabilities are no longer in the abstract, virtual space — they affect safety and entire economies,” Chris Kubecka, a security researcher and founder of HypaSec, told TechCrunch.

Security decision-makers need to know more about the devices they connect to their networks, she said. With an increasingly complex supply chain, devices are made up of components from various sources, nations and manufacturers. One talk at Black Hat described how you wouldn’t buy food items without knowing their ingredients. Kubecka said device makers need to be more transparent about what components are in their devices and technology to help plug security holes.

IoT can also “introduce real risk into an otherwise secure environment,” she said, and often these devices are “rarely if ever patched or with almost no ability to do so.”

Election security has a way to go


The security of election equipment and voting machines was a major hot-button issue at this year’s Def Con, ahead of the upcoming presidential election in 2020. While less of an issue for security decision-makers in the enterprise, election security remains the bedrock of U.S. democracy — and a key priority for state authorities and election overseers.

After confirmed Russian interference in the 2016 election, securing election equipment is more important than ever. Rachel Tobac, co-founder and chief executive of SocialProof Security, said we still have a way to go.

“I worked alongside other hackers in Voting Village to test an exploit on a voting machine used in the 2018 general election in Williamsburg, VA and we found we were able to break out of the voting terminal and affect the memory, crashing the machine, in less than one minute using only a USB keyboard,” Tobac said.

Because electronic election equipment has security flaws and some are even left connected to the internet, potentially allowing bad actors to manipulate voting results, many have called on states to use paper-verified ballots to help prevent tampering or computer error. Tobac said voter-marked paper ballots along with computer counting — and an audit to verify those counts — would be a major step to securing future elections.

“This will take time, government pressure and funding,” she said. “In the meantime, we have to encourage everyone to vote despite security concerns — because of course, if we don’t vote we self-own.”

Open-source intelligence and corporate scamming

There are so many scams, it’s hard to keep up. One of the big takeaways for IBM’s Stephanie Carruthers, a white hat hacker and social engineering expert, was how hackers are using open-source intelligence (OSINT) — information that’s already out in the public — to target companies with scams.

You’ve probably seen them already. W-2 scams involve scammers sending deceptive emails to senior executives in a company to try to convince them to turn over employees’ W-2 tax forms. From there, scammers file false returns and fraudulently claim their victims’ refunds.

“It was apparent that Def Con 27’s Social Engineering Capture The Flag (SECTF) winner invested a lot of time performing open-source intelligence gathering against her target company,” said Carruthers. “She crafted her pretexts custom to the organization’s environment and was able to build trust with targets immediately, which allowed her to elicit sensitive information, in real-time, on the phone.”

Carruthers said it’s an area where we’re likely to see more targeted attacks in the future — “a focus on thorough OSINT with custom pretexts and less ‘spray and pray’ style social engineering campaigns,” she said.

Defending the network without snake-oil

There is a near-limitless number of platforms, services, white boxes, black boxes, servers, solutions and technologies slated to protect networks from outside threats.

Many of them make claims and promises, but do little to stand between the threats and the network without first generating a ream of false positives.

Johnny Xmas, director at anti-bot startup Kasada, said network defenders are inundated with a “snake oil concoction” of machine learning and artificial intelligence technologies that try to brute-force their jobs for them. Even the newer approaches are “still also relying almost entirely on defensive methodologies invented in the 1990s,” he told TechCrunch.

“Attackers, on the other hand, are becoming more efficient, utilizing mostly basic automation, GPU computing and yes: some properly-implemented machine learning, to make short work of large, repetitive tasks,” he said.

That, he said, is creating “nearly-guaranteed return of investment on the attacker side,” making it better than ever to go black hat.