Last month, The State of Security shared the details of 12 intriguing talks from this year’s BSidesLV along with several security experts’ comments about why BSides, as an institution, continues to hold substantial appeal among infosec folks.
Our post notes that BSidesLV, among other things, is held in Las Vegas at the same time as Black Hat USA – one of the giants in the world of information security events. Acknowledging this fact, we would be remiss to not pause and appreciate this particular event, as well.
History of Black Hat
Black Hat USA has been in operation for the past 16 years. As one of the most technical information security events in the world, each year’s conference focuses on offering top security research, which is selected by a board of 23 of the industry’s most esteemed information security professionals.
Trainings are now held in the United States, Europe and Asia every year. With security researchers, recruiters, vendors and members of academia regularly in attendance, it is not surprising that Black Hat recently made the list of Tripwire’s Top 10 Conferences in Information Security.
Black Hat USA 2015: Threats, Trends, and Ideas
Every year, attendees and presenters alike leverage Black Hat’s prestige to share some of their research into the latest security threats, trends and ideas. Here is a snapshot of what some attendees observed at Black Hat USA 2015:
Automotive Security on the Rise
A big topic among infosec circles this year has been automotive security, particularly the story of how security researchers Charlie Miller and Chris Valasek remotely hacked a 2014 Jeep Cherokee driven by a news reporter. Craig Young, computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), saw Miller and Valasek deliver their presentation “Remote Exploitation of an Unaltered Passenger Vehicle” at this year’s Black Hat USA.
“This was the talk that led to the recall of an astounding 1.4 million Chrysler-FIAT automobiles leading up to Black Hat,” commented Young. “It is amazing to see when security research can have such a sweeping impact beyond just the InfoSec community.”
Young went on to explain what he found most interesting about the presentation itself.
“Adding to the wow factor that they were able to locate and access remotely available services on so many cars is the fact that the primary attack vector didn’t even require a vulnerability. Instead the attack leveraged completely unauthenticated services on the entertainment system, allowing immediate control to a number of onboard systems and services. Of course, the most impressive aspect of this hack would have to be the ability to actually pivot from the entertainment system and load a backdoor firmware on a safety critical system thanks to a lack of cryptographic signing and many months of research.”
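Young’s last point, the missing cryptographic signing that let a backdoored image be loaded onto a safety-critical controller, is the one with a concrete defensive counterpart. The Go program below is an added example, not code from the researchers, Tripwire or any vehicle vendor: it models a bootloader that accepts an update only if its payload carries a valid Ed25519 signature from a pinned vendor key, and it shows genuine, tampered, unsigned and foreign-key images being handled. The image format, key handling and payload strings are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed stand-in for an ECU update blob: the raw
// payload plus a detached Ed25519 signature over its SHA-256 digest.
// Real vendor formats differ; only the verification step matters here.
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned for any image the bootloader must not flash.
var ErrBadSignature = errors.New("firmware image rejected: signature invalid or missing")

// SignFirmware models the vendor's build server: it signs the payload digest
// with a private key that never leaves the vendor. (Constructed example.)
func SignFirmware(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	digest := sha256.Sum256(payload)
	return FirmwareImage{
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// VerifyAndAccept is the gate a safety-critical controller should enforce
// before writing an update to flash: only images signed by the pinned vendor
// public key are returned; unsigned, tampered or foreign-key images fail.
func VerifyAndAccept(vendorPub ed25519.PublicKey, img FirmwareImage) ([]byte, error) {
	// Length checks first: ed25519.Verify panics on a malformed public key.
	if len(vendorPub) != ed25519.PublicKeySize || len(img.Signature) != ed25519.SignatureSize {
		return nil, ErrBadSignature
	}
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(vendorPub, digest[:], img.Signature) {
		return nil, ErrBadSignature
	}
	return img.Payload, nil
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// A second, unrelated key stands in for anyone who is not the vendor.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := SignFirmware(vendorPriv, []byte("constructed: genuine ECU firmware v1.0"))

	// Same signature, one payload byte flipped.
	tampered := genuine
	tampered.Payload = append([]byte(nil), genuine.Payload...)
	tampered.Payload[0] ^= 0x01

	// No signature at all, which is the situation Young describes.
	unsigned := FirmwareImage{Payload: genuine.Payload}

	// Well-formed signature, but from a key the bootloader does not trust.
	foreign := SignFirmware(otherPriv, []byte("constructed: unexpected ECU firmware"))

	for name, img := range map[string]FirmwareImage{
		"genuine": genuine, "tampered": tampered, "unsigned": unsigned, "foreign-key": foreign,
	} {
		_, err := VerifyAndAccept(vendorPub, img)
		fmt.Printf("%-12s accepted=%v\n", name, err == nil)
	}
}
```

Only the genuine image is accepted; the other three fail with ErrBadSignature. In a real controller the vendor public key would be pinned in immutable storage or a hardware root of trust, and the check would run before any byte of the update touches flash, so that a compromised infotainment unit can at most deliver an image the ECU refuses.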
Along the same vein of automotive security, Craig Young also saw researcher Samy Kamkar present “Drive It Like You Hacked It: New Attacks And Tools To Wirelessly Steal Cars” at DEF CON 23.
“This was a fantastic presentation with a good mixture of storytelling, comedy, and technical brilliance,” lauded Young. “Samy presented practical attacks against garage door openers, car key fobs, and smartphone car controls. While the smartphone SSL validation failure came as no surprise to me (having presented some very similar findings at the DEF CON 22 wireless village), the research on key fobs was fantastic. With respect to the key fobs for garage door opening, Samy wowed the crowd by showing off how he modified a children’s toy (Mattel IM-ME) to open most if not all fixed code garages in about 6 seconds.”
Whichever big issues seize the interest of the information security community next year, researchers will no doubt explore them at Black Hat.
The Changing Face of Anti-Virus
Another trend evident at this year’s conference was how both vendors and customers alike are trying to grapple with the reality that today’s threat landscape has rendered traditional anti-virus obsolete.
Todd Bell, CISO and Advisory Board Member with Forticode, as well as VP of Enterprise Security and Architecture at Intersec Worldwide, witnessed some vendors’ reactions to this development first hand at Black Hat USA 2015.
“The biggest thing I learned at Black Hat USA 2015 was how anti-virus vendors are becoming obsolete (which we already knew) and how some end-point security vendors are beginning to claim they can replace traditional anti-virus,” Bell explained.
“This is a bold claim; I have yet to see one end-point vendor capable of demonstrating third-party anti-virus certification that they can successfully unseat a number of the existing anti-virus vendors.”
To replace anti-virus software, more and more customers are beginning to opt instead for comprehensive threat detection solutions, as John Johnson, Global Security Architect at John Deere, observed.
“Customers are adopting solutions, such as advanced threat prevention and whitelisting, and they want to know when systems are compromised, as well as have the forensic capability to understand the root cause and how the attack unfolded,” Johnson explained.
Johnson, who spoke on anti-virus solutions in two sessions at Black Hat USA 2015, has been tracking how the growing sophistication of adversaries, and of the exploits they develop that are then commoditized for less advanced attackers, puts every company at risk of becoming collateral damage in attacks against specific industries, critical infrastructure, and anything vulnerable that is connected to the Internet.
“It is our job to therefore better protect our assets and data, as well as detect and respond to incidents more quickly, for the volume and sophistication of attacks is only going to increase going forward,” notes Johnson.
Predicting the Future of Security
Black Hat is a suitable venue to discuss not only the current trends in information security but also tomorrow’s threats and ideas.
One such topic for consideration was how the role of the Chief Information Security Officer (CISO) will continue to evolve over the coming years. Johnson led the discussion on this issue.
“At this year’s Black Hat, I led a great panel at the CISO Summit on the topic of the CISO of 2016. We had three very experienced panelists share their experience as practitioners, and I invited the founder of IANS to shed some light on the analyst’s point of view,” Johnson explained.
“We reached the conclusion that the CISO role is still immature but that it is quickly evolving to meet the demands of the increased reliance of companies on new technologies. Panelists pointed out the need to develop business knowledge and soft skills necessary to communicate clearly to business leaders about information and technology risk.”
Additionally, Young had the pleasure of sitting in on “Pen Testing a City,” a presentation led by Greg Conti, Tom Cross, and David Raymond that explored the challenges of evaluating the security vulnerabilities that might affect an entire metropolis.
“Although confidentiality agreements and security concerns rightfully limited the details in some areas, they were able to provide a glimpse into a world few will ever be exposed to,” related Young.
“They also shared interesting, real-world stories reinforcing the need for penetration testing at a city level. (For example, they touched on the story of a 14-year-old Polish student who caused a train derailment experimenting with a modified TV remote control configured to send rail switching signals.)”
Clearly, those who attend Black Hat can look forward to hearing about high profile hacks, ongoing trends in the field, and the direction in which information security is heading. At the end of the day, however, what keeps drawing back many attendees year after year is the conference’s practical knowledge and camaraderie.
“While high profile talks such as hacking cars gain most of the attention, it’s the practical knowledge that most interests me as well as the many attendees with whom I spoke,” stated Travis Smith, Senior Security Researcher Engineer at Tripwire.
“Being able to take what you learn and apply it at your workplace is one of the main benefits of a conference like Black Hat where so many information security experts gather together in a single place.”
Johnson could not agree more with this sentiment:
“By walking around and talking to others at the cons and hanging around in a few DEF CON villages, I made several new friends and learned about a lot of good resources for pursuing future research. This sense of open camaraderie and desire to share knowledge is a defining characteristic of DEF CON and Black Hat.”
“While the talks are definitely a big part of these two mega-events, it is important to remember that this aspect of both DEF CON and Black Hat is largely captured in videos, slide decks, and white papers, leaving perhaps some of the best parts of the conferences only to those who have the ability to experience it first hand.”