Black Hat

Aug. 10th, 2024 10:16 am
[personal profile] paserbyp
The show opened with a keynote panel discussion about cybersecurity issues affecting election security around the world. Considering that there are some 50 major elections slated for 2024 alone, including the US presidential election in November, it’s no wonder that concerns about cyberattacks and generative AI-assisted misinformation were major talking points.

The panelists, all high-ranking representatives from global cybersecurity groups, urged the cybersecurity community to come together to protect democracies from meddling via cyberattacks. After calling for more community members to become poll workers, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly urged voters not to be swayed by disinformation gleaned from social media influencers or unofficial news sources.

Speaking of dubious news sources, a Black Hat panel discussion between high-profile tech reporters revealed that hackers are now using classic media relations strategies to publicize their crimes and pressure victims. This trend of “hacker-turned-PR flack” means that corporate response teams must move quicker and be more responsive when crafting public statements about cybersecurity incidents.

In other alarming news, researchers followed up on previous news about cybercrimes perpetrated via sports betting platforms. At Black Hat, representatives from Infoblox said DNS entries led them to link several popular gambling websites to human-trafficked slave labor.

You’d think that modern versions of Windows are hardened against every imaginable kind of hacking. A super-sensitive process like Windows Update surely is the safest of all, right? Well, a thought like that is nothing but a challenge to an ethical security hacker. Yes, most of the update process is armored against all tweaking, but one tiny hole in that armor proved sufficient to let a Black Hat speaker totally take over the update process, forcing it to downgrade security in unlimited ways. This attack proved invisible to security and impossible to undo. Next time you see that Windows Update prompt, just hope you don’t get a Windows downgrade instead.

The hacks demonstrated at Black Hat weren’t limited to software. A Dutch team showed off their skills on several home EV chargers. Their hacks allow anybody within Bluetooth range to take control of a charger. What does that control let them do? The attacker could overheat your charger, limit its current, or meddle with its charging schedule. More importantly, they could do anything at all to your billing, from zeroing it out to raising it sky-high. It’s true this hack isn’t super consequential, but the same persistence and ingenuity they used could serve to compromise just about any Internet of Things device.

Any smartphone that comes within range of your home router can and does identify it to one or more huge positioning databases owned by powers such as Apple, Google, and Microsoft. Apple’s database is open to anyone, making it simple to gather information about millions of routers around the world.

A Black Hat talk ran through just how this knowledge could be used or abused, from tracking a cheating spouse who skipped town to locating staging areas in Russia’s war on Ukraine. Fortunately, Apple released an opt-out solution. Unfortunately, Apple should have done much more. (Starlink solved the problem for its devices, which are often used in conflict areas.)

Also, we know that being emotionally vulnerable while on a dating app can be scary, but the risks to your privacy are scarier. At Black Hat this year, a team of researchers put 15 popular apps to the test and found that they leak personal information like crazy, from sexual orientation to exact location. You swipe left, they swipe right, the next thing you know they’ve swiped your purse. As is often the case, many of the apps cleaned up their acts after the research team contacted them.

In an age of deepfakes and online content swiped for AI training, it’s not surprising that industry leaders are coming up with ways to help identify and vet images and videos. At Black Hat, an Adobe representative spoke about the role of content credential labels within the digital media landscape. The labels, which are a bit like the nutrition labels for food, document how an image was created and what kind of software or AI tools were used to modify it later.

When we give large language models (LLMs) simple tasks like answering questions, they sometimes go wildly wrong. What if the task involves cyber security? Are LLMs dangerous? Can they help protect us? At Black Hat, MITRE researchers demonstrated tests to help answer such questions. For now, LLMs aren’t going to function as cyber warriors, but in the future, who knows?

In less scary news, Signal developer Moxie Marlinspike urged fellow developers to revel in the complexity of their creations but not pass that experience on to customers. Many people just aren’t interested in how or why their software or devices function, he argued. It’s up to developers to ensure users don't have to think about it.

As always, the sights and sounds from around the show floor were a lot to take in. Cybersecurity vendors from around the world converged at the Mandalay Bay casino and resort to show off their latest developments and rub elbows with customers and competitors alike. And the team in charge of keeping the Wi-Fi flowing had some interesting insights into the security practices of attendees who should probably know better. On Thursday afternoon, the two people handling Wi-Fi at the security conference here shared what they learned. As at previous iterations of this gathering, the network performed better than many of the humans on it.

Conference staffers Neil Wyler and Bart Stump (their respective day jobs are vice president of defensive services and managing principal at the security firm Coalfire) recounted how they built the conference network to be self-aware and speedy, starting with two 10Gbps circuits that far exceeded peak observed traffic of 3.16Gbps.

All that network analysis gear not only helped them spot attacks but also revealed how many attendees put themselves in positions to be pwned. Wyler’s one-word summary of how many of these professionals behaved: "poorly."

Both Wyler and Stump emphasized how essential automation was to monitor a network on which they had to expect malicious traffic and also allow much of it to proceed. People will test exploits at an event like Black Hat, so finding intentional attacks that need intervention is even harder.

“On this network, we're looking for a needle in a needlestack,” said Wyler. “We have to let most of that traffic go,” Stump added, “unless we see a direct attack on infrastructure or one of you.”

So of 2.65 million threats detected, the NOC blocked only 241.

But a disturbingly high number of attendees were oblivious about a much more basic aspect of online security: not sending data unencrypted.

Overall, 73.8% of network traffic was encrypted in transit (not the same as end-to-end encryption). That is an embarrassingly low number, considering that Google says 94% of web traffic is encrypted in Chrome for Windows, leaving only domain names visible to any online snoop. This figure is lower than in the Android, Mac, and ChromeOS versions of Google’s browser.

That share grew after years of work by security professionals and in-browser nagging by Google and other developers. Back in 2018, Chrome began slapping unencrypted sites with a “not secure” warning.

Stump called the amount of unencrypted email observed “just wild.” (Google’s data shows that 96% of messages sent to Gmail addresses are encrypted in transit.) Wyler’s advice to people using those insecure mail services: “Knock it off.”

Worse yet, the duo also spotted passwords being sent in the clear, which absolutely Should Not Happen. It doesn’t matter how complex your password is if anybody else on the same network can read it. For good measure, they saw one VPN transmit its user’s precise location in clear text.
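The kind of check the NOC team describes, flagging cleartext protocols and credentials sent over them without ever recording the secret itself, can be sketched in a few lines. The following is an added example, not code from the post or from the Black Hat NOC; the flow record format (destination port, byte count, payload snippet), the port-based encrypted/cleartext classification, and the sample flows are all constructed assumptions for illustration.

```python
"""Audit constructed flow records for cleartext protocols and cleartext credentials.

Added example, not from the original post or the Black Hat NOC. Flow records are
assumed to carry (dst_port, nbytes, payload); classification is by well-known port only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_port: int
    nbytes: int
    payload: bytes  # first bytes of the client-to-server stream (empty if opaque/TLS)


# Assumption: protocols are classified by destination port alone.
ENCRYPTED_PORTS = {22: "ssh", 443: "https", 465: "smtps", 993: "imaps", 995: "pop3s"}
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}

# Credential-bearing commands/headers on cleartext protocols. Only the label is kept;
# the matched secret is deliberately never stored or logged.
CREDENTIAL_PATTERNS = (
    ("http-basic-auth", re.compile(rb"^Authorization:\s*Basic\s+\S+", re.M | re.I)),
    ("pass-command", re.compile(rb"^PASS\s+\S+", re.M)),  # FTP and POP3 share this verb
    ("imap-login", re.compile(rb"^\S+\s+LOGIN\s+\S+\s+\S+", re.M | re.I)),
    ("smtp-auth-plain", re.compile(rb"^AUTH\s+PLAIN\s+\S+", re.M | re.I)),
)


def classify(flow: Flow) -> tuple[str, str]:
    """Return ("encrypted" | "cleartext" | "unknown", protocol name) for a flow."""
    if flow.dst_port in ENCRYPTED_PORTS:
        return "encrypted", ENCRYPTED_PORTS[flow.dst_port]
    if flow.dst_port in CLEARTEXT_PORTS:
        return "cleartext", CLEARTEXT_PORTS[flow.dst_port]
    return "unknown", f"port-{flow.dst_port}"


def credential_labels(payload: bytes) -> list[str]:
    """Labels of credential patterns present in a cleartext payload (never the values)."""
    return [label for label, pattern in CREDENTIAL_PATTERNS if pattern.search(payload)]


def audit(flows: list[Flow]) -> dict:
    """Compute the encrypted-in-transit byte share and list cleartext credential sightings."""
    total = sum(f.nbytes for f in flows)
    encrypted = sum(f.nbytes for f in flows if classify(f)[0] == "encrypted")
    findings = []
    for f in flows:
        kind, proto = classify(f)
        if kind == "encrypted":
            continue  # TLS/SSH payload is opaque; nothing to inspect
        for label in credential_labels(f.payload):
            findings.append((f.dst_port, proto, label))
    return {
        "encrypted_share": encrypted / total if total else 0.0,
        "credential_findings": findings,
    }


# Constructed sample flows (not real captures). "dXNlcjpodW50ZXIy" is base64("user:hunter2"),
# a made-up credential used only to exercise the detector.
SAMPLE_FLOWS = [
    Flow(443, 900_000, b""),
    Flow(993, 50_000, b""),
    Flow(80, 120_000, b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                      b"Authorization: Basic dXNlcjpodW50ZXIy\r\n\r\n"),
    Flow(21, 4_000, b"USER alice\r\nPASS correct-horse\r\n"),
    Flow(110, 6_000, b"USER bob\r\nPASS batterystaple\r\n"),
    Flow(25, 20_000, b"MAIL FROM:<a@example.test>\r\nRCPT TO:<b@example.test>\r\n"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS)
    print(f"encrypted in transit: {report['encrypted_share']:.1%} of bytes")
    for port, proto, label in report["credential_findings"]:
        print(f"cleartext credential on {proto}/{port}: {label}")
```

Note the design choice the NOC's stance implies: the auditor reports that a credential crossed the wire in the clear and which protocol carried it, but the regex match itself is discarded, so the monitoring system does not become a second copy of the leaked secret.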

The talk also included details about attendees' favorite sites and services. Google search was the top category of domain-name-system queries, Slack was the top chat app, Tinder was the top dating app, and the top porn site among a great many visited was a foot-fetish site that we’re not going to link to because we know many of you read us at work.

“So much adult traffic,” said Wyler. “Seriously, wash your hands.”
