20 Hot Sessions: Black Hat 2017
Cybersecurity Researchers Hit Las Vegas, as Annual Security Conference Turns 20
Black Hat, which turns 20, runs this week at Mandalay Bay in Las Vegas. (Photo: Håkan Dahlström, via Flickr/CC)
Security comes to Las Vegas: This week’s Black Hat USA 2017 security conference is in full swing at the Mandalay Bay hotel.
Highlights of this, the 20th edition of Black Hat in Vegas, will no doubt include the annual Pwnie Awards – celebrating the cybersecurity industry’s biggest failings – not to mention parties ranging from poolside to late-night clubs.
Of course, Black Hat also includes two days of top-notch briefings, ranging from attacking wind farm control networks and “breaking electronic door locks like you’re on CSI: Cyber” to Web cache deception attacks and subverting internet of things devices to physically attack unsuspecting individuals.
Here are just some of the other hot sessions in store for this year:
Wednesday, July 26
- Stepping Up Our Game (9:00 a.m.): In a keynote speech subtitled “refocusing the security community on defense and making security work for everyone,” Facebook CSO Alex Stamos promises a post mortem on notable cybersecurity events of the past year, and on how the information security community could have met the challenge, but failed to. “This talk will explore how we can adapt to better confront the obstacles we face as security practitioners,” he says in a preview. “How do we foster intelligent discussion of real-world trade-offs while avoiding sensationalism?”
- Battling DDoS Attacks With Statistics (10:30 a.m.): High-impact, low-cost distributed denial-of-service attacks remain an ongoing problem for network operators. But Ph.D. student Stefan Prandl says a statistical concept – power law distributions – can be applied to network traffic “to develop a new method of denial of service detection based entirely on packet header inspection,” as well as potentially for intrusion detection. A further bonus: Such analytical techniques are largely tamper-proof, Prandl says, and carry low computing costs.
- Industroyer/Crashoverride: Zero Things Cool About A Threat Group Targeting The Power Grid (11:15 a.m.): Slovakian security company ESET and U.S. industrial cybersecurity firm Dragos have joined forces to analyze the 2015 and 2016 malware-driven attacks against Ukraine’s power grid. The attacks are notable in part because previously researchers had only ever seen three pieces of malware designed to target industrial control systems: Stuxnet, Havex, and BlackEnergy2. And the malware recovered from last year’s attack – called both Industroyer and Crashoverride – could be repurposed to target almost any other power grid, the researchers warn.
- Real Humans, Simulated Attacks: Usability Testing With Attack Scenarios (11:15 a.m.): “User studies are critical to understanding how users perceive and interact with security and privacy software and features,” according to Lorrie Faith Cranor, a professor of computer science and of engineering and public policy at Carnegie Mellon University, and former chief technologist at the U.S. Federal Trade Commission. Ethically speaking, however, it’s not acceptable to put actual users at risk for testing purposes. Cranor promises to detail techniques for addressing this challenge.
- The Avalanche Takedown: Landslide For Law Enforcement (11:15 a.m.): Tom Grasso, a member of the FBI’s Cyber Division, will detail the joint takedown – by the FBI and law enforcement partners in 40 countries – of Avalanche, a resilient network rented by cybercriminals and used to spread malware and exfiltrate stolen data (see Police Shut Down Global Cybercriminal Fraud Service).
- SS7 Attacker Heaven Turns Into Riot (1:30 p.m.): Subtitled “how to make nation-state and intelligence attackers’ lives much harder on mobile networks,” this talk will round up the serious – and so far, largely unfixed – Signaling System 7 protocol flaws in mobile networks worldwide (see Bank Account Hackers Used SS7 to Intercept Security Codes). To battle attempts to exploit these flaws, security researchers Martin Kacer and Philippe Langlois have developed an open source SS7 firewall, due to be released following the talk, that they promise will make exploits of SS7 for eavesdropping and geolocation purposes much more difficult.
- ShieldFS: The Last Word In Ransomware Resilient File Systems (2:40 p.m.): Can Windows be patched against ransomware? That’s the goal of the seven Italian security researchers behind ShieldFS, a Windows driver they’ve developed that “makes the Windows native file system immune to ransomware attacks,” even if anti-malware defenses fail to detect or remove the ransomware executable. “ShieldFS dynamically toggles a protection layer that acts as a copy-on-write mechanism whenever its detection component reveals suspicious activity,” the researchers say.
- So You Want To Market Your Security Product … (2:40 p.m.): Truth in advertising, meet the FTC, which regulates vendors’ marketing tactics, claims and advertisements. (Hint: They have to be true.) Two members of the FTC – commissioner Terrell McSweeny and attorney Aaron Alva – promise “guidance on what security companies should do to avoid making deceptive claims,” as well as some of the best questions “researchers and security professionals can ask to challenge claims companies make.”
- Ochko123 – How the Feds Caught Russian Mega-Carder Roman Seleznev (4 p.m.): Who doesn’t love a good cybercrime story? This one ranges from identifying and detaining a suspected mega-hacker to defeating his defense in court, which hinged on the digital forensic evidence contained on his laptop. Hear how the U.S. Department of Justice caught Russian hacker Roman Seleznev – tied to 400 point-of-sale hack attacks and $169 million in credit card fraud – from Harold Chun and Norman Barbosa, who prosecuted the case for the Justice Department. Spoiler: Seleznev this year was hit with a 27-year prison sentence (see Russian Receives Record-Setting US Hacking Sentence).
- Offensive Malware Analysis (5:05 p.m.): Biomedical research institutions have been targeted this year – and likely before then, too – by macOS malware dubbed FruitFly (see Mac Malware Targets Biomedical Institutions). Patrick Wardle of security vendor Synack promises to demonstrate the malware’s tricks in a live demonstration that involves feeding commands to its command-and-control server, and says the takeaways apply beyond malware written for macOS.
- Tracking Ransomware End To End (5:05 p.m.): Three Google researchers – Luca Invernizzi, Kylie McRoberts and Elie Bursztein – promise to “demonstrate a method to track the ransomware ecosystem at scale, from distribution sites to the cash-out points,” as well as to detail how the two largest ransomware families operate. “We uncover the cash-out points, tracking how the money exits the bitcoin network, enabling the authorities to pick up the money trail using conventional financial tracing means,” they promise.
- The Life and Times of Zero-Day Vulnerabilities and Their Exploits (5:05 p.m.): Lillian Ablon, an information scientist at the RAND Corporation, details lessons learned from her organization’s analysis of more than 200 zero-day software vulnerabilities and related exploits – many of which have not yet been publicly revealed (see Zero-Day Facts of Life Revealed in RAND Study).
Thursday, July 27
- The Epocholypse 2038: What’s In Store For The Next 20 Years (9 a.m.): On the occasion of the 20th Black Hat in Las Vegas, what’s in store for the next 20 years? Hear predictions on upcoming information security developments, including attackers and motives, from the always-insightful Mikko Hypponen, chief research officer at Finnish security firm F-Secure.
- The Shadow Brokers – Cyber Fear Game-Changers (9:05 a.m.): “Who are The Shadow Brokers? I have no clue. Nobody really does,” says security researcher Matt Suiche, managing director of Dubai-based incident response firm Comae Technologies. In this presentation, however, Suiche promises to detail the “cyber fear as a service” outfit’s impact on the information security space, which has included leaking attack tools designed by the Equation Group – apparently the National Security Agency. Suiche says he’ll also “perform a deep dive” on some of the most powerful tools to have been leaked so far.
- Practical Tips For Defending Web Applications In The Age Of DevOps (11:00 a.m.): Zane Lackey, CSO at Signal Sciences and the former director of security engineering at Etsy, shares techniques Etsy honed for building more secure web applications, including applying static analysis and dynamic scanning to code, and measuring security maturity efforts “in a non-theoretical way.”
- Attacking Encrypted USB Keys The Hard(ware) Way (12:10 p.m.): Do AES hardware-encrypted USB devices truly safeguard the data they store? Three Google security researchers, Jean-Michel Picod, Rémi Audebert and Elie Bursztein, audited multiple such USB keys, and promise to detail related vulnerabilities – and how to exploit them – to help others better evaluate the security of these devices before they make any related purchases.
- Taking Over The World Through MQTT – Aftermath (2:30 p.m.): One year ago, researchers at security services firm IOActive found a server with an open port speaking MQTT, a lightweight publish/subscribe messaging protocol used by internet of things devices, especially low-power ones. Securing MQTT appears to have been an afterthought in many deployments: IOActive’s Lucas Lundgren says the firm quickly found itself looking at coordinates for airplanes, and with access to “prisons with door control, cars, electrical meters, medical equipment, mobile phones, status of home alarm and home automation systems and a whole lot of other devices.” Researchers also had the ability to control those devices. One year later, what’s changed?
- Exploiting Network Printers (3:50 p.m.): Security researcher Jens Müller details a large-scale analysis of printer attacks, leading him and fellow researchers at Germany’s Ruhr University Bochum to develop an open source tool called PRinter Exploitation Toolkit. “We used PRET to evaluate 20 printer models from different vendors and found all of them to be vulnerable to at least one of the tested attacks,” he says. “These attacks included, for example, simple DoS attacks or skilled attacks, extracting print jobs and system files.”
- Intel AMT Stealth Breakthrough (3:50 p.m.): Researchers promise to demonstrate just how easily the critical Active Management Technology – AMT – flaw present in the firmware on many Intel-based systems since 2010 can be remotely exploited (see Intel’s AMT Flaw: Worse Than Feared). “During this talk we will discuss methods of remote pwning of almost every Intel based system, manufactured since 2010 or later,” they say.
- Lies and Damn Lies: Getting Past The Hype Of Endpoint Security Solutions (3:50 p.m.): For battling malware, what works best: signatures, machine learning, artificial intelligence, math models, or lions, tigers and bears? In an effort to move past hype into actionable information, security researchers Lidia Giuliano and Mike Spaulding, armed with thousands of malware samples, anti-virus console interfaces and more, say they spent five months working out how to test endpoint security products. Here’s what they’ve learned.